
Rootkit.ZeroAccess (PING.exe)

126 replies to this topic

#1 edshead


Posted 08 February 2012 - 02:56 AM

So ComboFix tells me I have Rootkit.ZeroAccess, and further research tells me that this may not be good. In 15 years of working with computers professionally, this is the worst one I've seen, although part of that may be of my own doing.

First off, I know I'm supposed to have logs from DDS. Wish it were that easy. DDS hangs both in normal (tested 10 mins) and safe mode (tested 30 mins). This is the same as ComboFix, which I tested up to an hour and a half in safe mode where it hangs right after alerting me to the Rootkit. (This symptom continues even after everything below.) As a result of no DDS logs, I apologize for the long post but I wanted to provide all potentially relevant information.

Note, before getting to the above steps, I got a clean scan on AVG, Spybot Search & Destroy, and TDSSKiller. Also, I've run Malwarebytes Anti-Malware Pro (trial) which picked up the infection, told me to reboot to clean, and got a clean scan after those steps. I still had the symptom of PING.exe running in the background and Comodo Firewall was picking up a lot of activity on it.

While going through all these steps, things have been going downhill. When I said DDS & ComboFix hang, cursor remains blinking, but Windows is non-responsive. The DDS & ComboFix windows will not close, although the close button animates to respond to the click. I can get one action in explorer (e.g. attempt to run something on the start menu, ctl-alt-del splash screen and click task manager, use a menu on a system tray icon, click shutdown off the start menu) but although the action seems to complete (e.g. start menu closes after I hit shutdown) the action never takes place. Explorer is then unresponsive to further actions although the mouse is active. This occurs in both normal and safe modes.

As such, I've had probably a dozen hard shutdowns in the past 24 hours. Although the HDD indicator light is inactive, listening carefully to the drive itself, the drive sounds active. I've lost the keyboard and mouse drivers (I've been running on a USB keyboard/mouse instead of built-in keyboard and touchpad), audio driver, and experienced a 0x0a blue screen related to a USB drive I inserted to transfer new diagnostic tools. While trying to fix keyboard/mouse drivers, ran startup repair off of a Win7 Ultimate x86 CD and that picked up some problems (and repaired them). Additionally I've had a few random crashes (literal freeze where mouse freezes as well). Another note: It seems the Windows crashes occur more frequently when I've disabled the wlan card via an external switch on the laptop - not sure if this is coincidence or causal correlation. Seems like corruption, or possibly even newly bad sectors, but I've been mainly focused on this

Regarding my setup: Basic System specs are at the bottom of the post. The system is configured to dual-boot Win7 on an NTFS partition and Ubuntu 11.10 on an ext4 partition. I can use Ubuntu without difficulty, of course, despite the Windows mess. I believe Ubuntu could mount the NTFS partition and that could be used for troubleshooting. Additionally, I have a spare hard drive with a clean install of Win7 Ultimate which I could drop in the laptop and run the problem drive externally.

Because it seems like every troubleshooting step I try that results in a hang and hard shutdown actually sets me back further, I'm done with trial & (certain) error. I apologize for asking for help after creating such a mess. I feel that I should only take steps guided by someone with experience in order to reduce further collateral damage. As such, I haven't taken steps like generating an HJT log in order to avoid another hang/hard shutdown if HJT is unhelpful. I noted the ubuntu-NTFS-mount or run-drive-externally options if it's better to repair first, heal infection later instead of vice versa. I do also have a system restore dated 1/30 available, although the infection only occurred on 2/6 @ 2:30pm PST so I was hoping not to lose a week of system changes unless necessary.

Since my handwriting is horrible and thus I can't get by without a laptop for note-taking for law school, I will have the system with me 24/7. At school, I'd be reduced to transferring utilities from within ubuntu to the Windows partition/USB drive. (Don't want to put Windows on the internet due to infection.) Note: Mouse/Keyboard drivers are corrupted right now on Windows (ubuntu's fine), so I have no way to operate Windows unless I'm near a box where I can borrow keyboard/mouse. At home I have a separate desktop (with keyboard and mouse) so no problem there.

Again, I apologize since I think I've made this more of a mess than needs to be. I thank you in advance for leading me out of the woods.

-Ed
Layperson's Tech Guru
Tech Guru's worst nightmare

Basic System Specs:
Win7 Home Premium SP1 x86
Dell XPS M1530, 2.4 GHz Core 2, 4 GB RAM

#2 Elise


Posted 09 February 2012 - 04:43 AM

Hello and :welcome:

Using Ubuntu, can you look for the following file on your Windows partition?

\Windows\system32\drivers\i8042prt.sys


regards, Elise

If I am helping you and I haven't replied within 24 hours, please feel free to send me a PM.



#3 edshead


Posted 09 February 2012 - 07:04 AM

Thanks for reaching out!

i8042prt.sys does exist. File info:
80,896 bytes
Modified: 7/13/09 4:11:24 PM PDT
Accessed: 2/7/12 6:02:06 PM PST
Permissions last changed: 2/7/12 6:16:19 PM PST

Interestingly, there's also a file named i8042prt.svs. Again, don't dabble in this area too much, but I can't recall seeing .svs files hanging around normally, so I thought I'd toss out the info on this as well, although I apologize if it's a red herring.

i8042prt.svs
80,896 bytes
Modified: 7/13/09 4:11:24 PM PDT
Accessed: 2/7/12 12:21:06 PM PST
Permissions last changed: 2/7/12 6:02:06 PM PST

If you need any further info, just let me know! Thanks in advance!
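A defender's check in the spirit of Elise's request, added here and not a tool from the thread: run from Ubuntu against the mounted Windows drivers directory (path assumed), it lists every non-.sys file whose name matches an installed driver, like the i8042prt.svs above, and compares sizes and SHA-256 hashes, since an equal byte count (80,896 for both files in the post) does not show the two files are identical. The sample directory and files are constructed.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def find_driver_lookalikes(drivers_dir):
    """Report every non-.sys file whose stem matches an installed .sys driver
    (e.g. i8042prt.svs beside i8042prt.sys), with size and SHA-256 comparison."""
    by_stem = {}
    for name in os.listdir(drivers_dir):
        stem, ext = os.path.splitext(name)
        by_stem.setdefault(stem.lower(), []).append((name, ext.lower()))
    findings = []
    for entries in by_stem.values():
        sys_files = [n for n, e in entries if e == ".sys"]
        others = [n for n, e in entries if e != ".sys"]
        if not sys_files or not others:
            continue
        sys_path = os.path.join(drivers_dir, sys_files[0])
        sys_size, sys_hash = os.path.getsize(sys_path), sha256_of(sys_path)
        for other in others:
            other_path = os.path.join(drivers_dir, other)
            findings.append({
                "driver": sys_files[0],
                "lookalike": other,
                "same_size": sys_size == os.path.getsize(other_path),
                "same_hash": sys_hash == sha256_of(other_path),
                "driver_sha256": sys_hash,  # the value to look up on VirusTotal
            })
    return findings

def build_sample_drivers_dir():
    """Constructed sample, not the poster's real files: i8042prt.sys, a same-sized
    i8042prt.svs whose bytes differ, and an unrelated driver with no lookalike."""
    d = tempfile.mkdtemp()
    original = b"MZ" + b"\x00" * 1022
    with open(os.path.join(d, "i8042prt.sys"), "wb") as f:
        f.write(original)
    with open(os.path.join(d, "i8042prt.svs"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 1021 + b"\x01")  # same size, one byte changed
    with open(os.path.join(d, "kbdclass.sys"), "wb") as f:
        f.write(original)
    return d

if __name__ == "__main__":
    # Point this at the mounted Windows partition, e.g. /mnt/win/Windows/System32/drivers
    for finding in find_driver_lookalikes(build_sample_drivers_dir()):
        print(finding)
```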

#4 Elise


Posted 10 February 2012 - 04:03 PM

Can you upload that file to http://www.virustotal.com and post me the link to the scan results?
regards, Elise



#5 edshead


Posted 10 February 2012 - 04:09 PM

There ya go!
https://www.virustot...52d79/analysis/

#6 Elise


Posted 10 February 2012 - 04:16 PM

I had hoped this would have been the problem so we could make working in windows a little easier for you, but that doesn't seem to be the case, so the following scan will need to be run from within Windows.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

regards, Elise



#7 edshead


Posted 10 February 2012 - 08:32 PM

Just like in the second paragraph of my original post, DDS.scr hung. After your post, I redownloaded dds.scr in ubuntu to the desktop in Windows. Rebooted into Windows (normal mode). Started a scan at approximately 1:43pm PST. Reached the point shown in the attached image within a minute or two. Sat there with blinking cursor for the next 3 hours before I did a hard reset, as Windows was unresponsive.

Let me know where I should go from here.


#8 Elise


Posted 11 February 2012 - 02:58 AM

Please run OTL instead.

OTL
-----
Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

regards, Elise



#9 edshead


Posted 11 February 2012 - 04:07 AM

Here's the logs. Thanks in advance!

(Post Too Long error. Added as attached.)


#10 Elise


Posted 11 February 2012 - 04:30 AM

It looks like you also ran combofix. Can you please post me the log at c:\combofix.txt?
regards, Elise



#11 edshead


Posted 11 February 2012 - 04:36 AM

Combofix started, but combofix did not complete (similar to DDS which did not complete, and per my original post, it froze shortly after identifying the threat). I could not locate C:\combofix.txt. Attached you'll find the output from 'ls -l' on C:\ (run from within ubuntu).

Attached Files

  • c_ls.txt (3.92KB, 13 downloads)


#12 Elise


Posted 11 February 2012 - 04:41 AM

Please press Windows key + R, type combofix /nombr and press enter. Let me know if it finishes like that.
regards, Elise



#13 edshead


Posted 11 February 2012 - 04:46 AM

If you insist, I'll run it that way again, but that's how I ran it the first three or four times. All with the /nombr flag.

There was one other flag used as well. I just tried to find a link to the instructions I had used, but unfortunately bleepingcomputer.com is down, which is I believe where I found the instructions. I was attempting this as it seemed that others had been able to use the /nombr flag successfully for a ZeroAccess infection. Unfortunately, I guess I'm not that lucky.

Again, if you insist, I will run the scan again. Still, since no changes have been made to my computer since that scan, I think we're looking at another hard reboot in the future. If you suggest I scan, please let me know at what point you believe it is frozen (half hour, hour, five hours) so I can reboot at that point.

Sorry this one is so tough. Thanks for helping me out.

#14 Elise


Posted 11 February 2012 - 04:55 AM

Leave it for about half an hour (try it also from safe mode) with the /nombr switch.

If it doesn't run that way, just post back here.

BC should be back up (was backup time), but please do not copy switches or scripts from other posts; these instructions are usually created specifically for the user they are posted to.
regards, Elise



#15 edshead


Posted 11 February 2012 - 08:21 PM

Normal mode - 4 hours 36 mins. Rebooted
Safe mode - 40 mins. Rebooted.

Got it. Won't copy other switches/scripts. As mentioned in original post, just taking your direction here and nothing else. The copy from the BC post was prior to my initial post here. I did check the BC post though and confirmed the only prior step I took related to combofix used the same switch that you suggested. I understand that to fix my computer I may have to repeat some steps, which is why I happily just put the 5h 16m into this step.

I'll cut any further extraneous unhelpful information (since it's extraneous and unhelpful), and I'd just really like to avoid the re-format if possible. Thanks for sticking w/ me and my thick-skulled-ness.

#16 Elise


Posted 12 February 2012 - 03:31 AM

Let's see if the following scan will reveal the infected part(s) so we can fix it manually.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

regards, Elise



#17 edshead


Posted 12 February 2012 - 03:59 AM

The scan completed and I restarted my system per these instructions. Log file is attached.

Note: The scan detected one malicious object and one suspicious object. The malicious object defaulted to Cure, so I left it alone. The suspicious object defaulted to Skip. When I explored the options in the drop-down menu, Cure was not an option. As such, I left it at the default of Skip.


#18 Elise


Posted 12 February 2012 - 04:16 AM

You can indeed skip the generic/forged detection. Can you please rerun TDSSkiller and let me know if the other driver is still detected?

Also, how is your computer running at this point?
regards, Elise



#19 edshead


Posted 12 February 2012 - 04:32 AM

Both issues still remain with TDSSKiller. New log attached.

As has been the case since I started this thread, I continue to run from ubuntu (except when executing trouble-shooting steps that you provide). For example, I downloaded TDSSKiller in ubuntu to my Win7 partition, renamed it from within ubuntu, and rebooted into Win7 to run TDSSKiller. When I am in Windows, the system seems unchanged from when I began this thread in that my on-board keyboard & touchpad and my sound card (don't know if I mentioned this before, but this driver was also knocked out prior to initially posting here) remain non-functional. As the system is still infected, I've used the external switch to disable my Wireless card so that the virus/rootkit cannot communicate with anyone on the internet. Short version: it's still the same.

Awaiting further instruction.

P.S. I received your most recent PM regarding the notification fix. I'll stick to posting here.


#20 Elise


Posted 12 February 2012 - 04:39 AM

The ubuntu access actually makes a manual fix easier. :)

OTL
-----
We need to run an OTL Custom Scan
  • Please reopen OTL on your desktop.
  • Click the NONE button.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.
    netsvcs
  • Push Run Scan
  • A report will open. Copy and Paste that report in your next reply.

Next, rerun TDSSkiller, but do not fix anything (just post me the log so I can see which driver is infected; if you cure it, another driver will be infected, at this point I need only to know which one is infected at this point).
regards, Elise
