
RootKit ZeroAccess + Sirefef.B

47 replies to this topic

#1 pinpouet

pinpouet

    New Member

  • Members
  • 26 posts

Posted 24 February 2012 - 04:28 PM

Hello,

I've detected an infection and tried to remove it with different tools:
  • Malwarebytes
  • CCleaner
  • HijackThis
  • SuperAntispyware
  • SpyBot
  • BitDefender Rescue cd
  • Kaspersky Virus Removal Tool
  • Kaspersky Resource Kit (boot cd)
  • Windows Security Essentials
I've cleaned different types of infections:
  • Trojan HorseCrypt.AQLW
  • Trojan Dropper.Win32/Sirefef.B
  • Trojan Download.Win32/Obdov.H
Since then, my Windows Firewall and my local area connection won't work.

ComboFix alerted me that I was infected by RootKit ZeroAccess.

Attached are the logs of DDS and HijackThis.

Attached Files



#2 Elise

Elise

    Forum Deity

  • Experts
  • 8,721 posts
  • Gender:Female
  • Location:Romania

Posted 25 February 2012 - 12:27 PM

Hello and :welcome:

Can you please also post me the ComboFix log? It can be found at c:\combofix.txt

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

regards, Elise

If I am helping you and I haven't replied within 24 hours, please feel free to send me a PM.



#3 pinpouet

Posted 26 February 2012 - 12:03 PM

Hi Elise,

Here are the logs as requested

Attached Files



#4 Elise

Posted 26 February 2012 - 12:35 PM

Hello again, still quite some work to do here. :)

Please download http://download.blee.../RestoreBFE.exe
Double click on the downloaded file. It should only take a few seconds to run.
When complete, it will say "Done! Please check if BFE service is running now"

Please download and run this file (this will restore the other missing service): http://download.blee...es/7/MpsSvc.reg

OTL
-----
Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the NONE button.
  • Copy and Paste the following code into the textbox.
    netsvcs
  • Push the scan button.
  • A report will open. Copy and Paste that report in your next reply.

regards, Elise



#5 pinpouet

Posted 26 February 2012 - 02:06 PM

Damned! I hate shit like that :angry:

Here is the follow-up:
  • RestoreBFE : Error! This tool does not apply to you
  • MpsSvc : Keys & values successfully added to the registry
  • OTL : see attached

Regards,

Attached Files

  • Attached File  OTL.Txt   4.15KB   21 downloads


#6 Elise

Posted 26 February 2012 - 02:35 PM

Can you please rerun ComboFix (update if asked) and post me the new log?
regards, Elise



#7 pinpouet

Posted 26 February 2012 - 03:10 PM

I reran ComboFix but nothing happens :unsure:
Is that normal?

#8 Elise

Posted 26 February 2012 - 03:43 PM

What do you mean, it doesn't start at all? In that case, delete the copy and download a new one.
regards, Elise



#9 pinpouet

Posted 27 February 2012 - 03:32 AM

Bad news then ...

I've downloaded a new copy of ComboFix, same reaction!

I agree to the disclaimer, ComboFix installs itself and ... nothing.
No blue ComboFix window.

#10 Elise

Posted 27 February 2012 - 03:55 AM

Can you try to run it from safe mode?
regards, Elise



#11 pinpouet

Posted 27 February 2012 - 04:25 AM

Still the same :(

Maybe uninstall ComboFix? Or just rename the folder C:\ComboFix?

#12 Elise

Posted 27 February 2012 - 06:48 AM

How are things running at this point? Please rerun DDS and post me the new log.
regards, Elise



#13 pinpouet

Posted 27 February 2012 - 07:10 AM

Well, I found a workaround for ComboFix on the internet.
I renamed ComboFix.exe to Combo_Fix.exe and that worked.

As requested, I've also rerun DDS.

At this point, still no internet connection.

Attached Files



#14 Elise

Posted 27 February 2012 - 11:35 AM

Hi again,

CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
MIA::
c:\windows\system32\drivers\netbt.sys
c:\windows\system32\drivers\tdx.sys
Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
regards, Elise



#15 pinpouet

Posted 27 February 2012 - 03:08 PM

Are we on the right track?

Attached Files



#16 Elise

Posted 27 February 2012 - 04:01 PM

Unfortunately we need to replace two missing files. No copies seem present. Can you do the following and then rerun ComboFix and post me the new log?

Click Start > All Programs > Accessories, right click Command Prompt and select "run as administrator".

Type sfc /scannow and press enter. Let the system file checker run unhindered.
regards, Elise



#17 pinpouet

Posted 28 February 2012 - 02:58 AM

Windows Resource Protection couldn't perform the requested operation.
Same message at 25% of the process, in normal mode and in safe mode.

#18 Elise

Posted 28 February 2012 - 03:26 AM

Do you have another computer with Windows 7 32 bit on it that you could use to manually copy the files over?
regards, Elise



#19 pinpouet

Posted 28 February 2012 - 04:42 AM

Yes, I have!

#20 Elise

Posted 28 February 2012 - 07:50 AM

Please navigate to the following files, right click them and select Copy. Then go to a USB drive, right click in an empty space and select Paste.
c:\windows\system32\drivers\netbt.sys
c:\windows\system32\drivers\tdx.sys

Now on the problem computer, insert the USB drive, select the files and right click > Copy. Navigate to c:\windows\system32\drivers and right click in an empty space > click Paste.

After that, rerun ComboFix and post me the new log.
regards, Elise

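The checks Elise walks through in posts #2, #14 and #20 (whether the BFE and MpsSvc services are still registered, and whether netbt.sys and tdx.sys are present) can be gathered in one place. The PowerShell script below is an added example, not a tool or post from this thread; it assumes Windows 7 with Windows PowerShell 2.0 and prints a SHA-256 per driver file so the values can be compared against the same files on the known-clean Windows 7 32-bit machine mentioned in post #20.

```powershell
# Added example; not part of the thread or of any tool it mentions.
# Run from an elevated PowerShell prompt. Uses WMI and .NET so it also works on
# Windows PowerShell 2.0 (Windows 7), which lacks Get-FileHash.

$services  = 'BFE', 'MpsSvc'          # Base Filtering Engine, Windows Firewall
$drivers   = 'netbt.sys', 'tdx.sys'   # files the CF-script lists under MIA::
$driverDir = Join-Path $env:SystemRoot 'System32\drivers'
$svcRoot   = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-Sha256Hex([string]$Path) {
    # Hex SHA-256 of a file. Compare it with the same file on a known-clean machine
    # running the same Windows version and architecture (here Windows 7 32-bit).
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $sha.ComputeHash($fs) }
    finally { $fs.Close() }
    return (($bytes | ForEach-Object { $_.ToString('x2') }) -join '')
}

foreach ($name in $services) {
    # A service the rootkit removed usually has no key under ...\Services at all,
    # which is why the thread restores MpsSvc from a .reg file instead of restarting it.
    $keyPresent = Test-Path (Join-Path $svcRoot $name)
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if ($svc) {
        "{0,-8} registry key present: {1}; state {2}; start mode {3}" -f $name, $keyPresent, $svc.State, $svc.StartMode
    } else {
        "{0,-8} registry key present: {1}; service NOT registered" -f $name, $keyPresent
    }
}

foreach ($file in $drivers) {
    $path = Join-Path $driverDir $file
    if (-not (Test-Path $path)) {
        "{0,-10} MISSING from {1}" -f $file, $driverDir
        continue
    }
    $version = (Get-Item $path).VersionInfo.FileVersion
    "{0,-10} present; version {1}; SHA-256 {2}" -f $file, $version, (Get-Sha256Hex $path)
}
```

Run the same script on the clean reference machine and diff the two outputs; a driver that is present but whose hash differs from the reference copy deserves the same scrutiny as one that is missing.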





