Rootkit.ZeroAccess (PING.exe)


So ComboFix tells me I have Rootkit.ZeroAccess, and further research tells me that this may not be good. In 15 years of working with computers professionally, this is the worst one I've seen, although part of that may be of my own doing.

First off, I know I'm supposed to have logs from DDS. Wish it were that easy. DDS hangs both in normal (tested 10 mins) and safe mode (tested 30 mins). This is the same as ComboFix, which I tested up to an hour and a half in safe mode where it hangs right after alerting me to the Rootkit. (This symptom continues even after everything below.) As a result of no DDS logs, I apologize for the long post but I wanted to provide all potentially relevant information.

Note, before getting to the above steps, I got a clean scan on AVG, Spybot Search & Destroy, and TDSSKiller. Also, I've run Malwarebytes Anti-Malware Pro (trial) which picked up the infection, told me to reboot to clean, and got a clean scan after those steps. I still had the symptom of PING.exe running in the background and Comodo Firewall was picking up a lot of activity on it.

While going through all these steps, things have been going downhill. When I said DDS & ComboFix hang, the cursor remains blinking, but Windows is non-responsive. The DDS & ComboFix windows will not close, although the close button animates to respond to the click. I can get one action in Explorer (e.g. attempt to run something on the Start menu, Ctrl-Alt-Del splash screen and click Task Manager, use a menu on a system tray icon, click Shutdown off the Start menu) but although the action seems to complete (e.g. Start menu closes after I hit Shutdown) the action never takes place. Explorer is then unresponsive to further actions although the mouse is active. This occurs in both normal and safe modes.

As such, I've had probably a dozen hard shutdowns in the past 24 hours. Although the HDD indicator light is inactive, listening carefully to the drive itself, the drive sounds active. I've lost the keyboard and mouse drivers (I've been running on a USB keyboard/mouse instead of built-in keyboard and touchpad), audio driver, and experienced a 0x0a blue screen related to a USB drive I inserted to transfer new diagnostic tools. While trying to fix keyboard/mouse drivers, ran startup repair off of a Win7 Ultimate x86 CD and that picked up some problems (and repaired them). Additionally I've had a few random crashes (literal freeze where mouse freezes as well). Another note: It seems the Windows crashes occur more frequently when I've disabled the wlan card via an external switch on the laptop - not sure if this is coincidence or causal correlation. Seems like corruption, or possibly even newly bad sectors, but I've been mainly focused on this

Regarding my setup: Basic System specs are at the bottom of the post. The system is configured to dual-boot Win7 on an NTFS partition and Ubuntu 11.10 on an ext4 partition. I can use Ubuntu without difficulty, of course, despite the Windows mess. I believe Ubuntu could mount the NTFS partition and that could be used for troubleshooting. Additionally, I have a spare hard drive with a clean install of Win7 Ultimate which I could drop in the laptop and run the problem drive externally.

Because it seems like every troubleshooting step I try that results in a hang and hard shutdown actually sets me back further, I'm done with trial & (certain) error. I apologize for asking for help after creating such a mess. I feel that I should only take steps guided by someone with experience in order to reduce further collateral damage. As such, I haven't taken steps like generating an HJT log in order to avoid another hang/hard shutdown if HJT is unhelpful. I noted the ubuntu-NTFS-mount or run-drive-externally options if it's better to repair first, heal infection later instead of vice versa. I do also have a system restore point dated 1/30 available, although the infection only occurred on 2/6 @ 2:30pm PST so I was hoping not to lose a week of system changes unless necessary.

Since my handwriting is horrible and thus I can't get by without a laptop for note-taking for law school, I will have the system with me 24/7. At school, I'd be reduced to transferring utilities from within ubuntu to the Windows partition/USB drive. (Don't want to put Windows on the internet due to infection.) Note: Mouse/Keyboard drivers are corrupted right now on Windows (ubuntu's fine), so I have no way to operate Windows unless I'm near a box where I can borrow keyboard/mouse. At home I have a separate desktop (with keyboard and mouse) so no problem there.

Again, I apologize since I think I've made this more of a mess than needs to be. I thank you in advance for leading me out of the woods.

-Ed

Layperson's Tech Guru

Tech Guru's worst nightmare

Basic System Specs:

Win7 Home Premium SP1 x86

Dell XPS M1530, 2.4Ghz Core 2, 4gb RAM


Hello and :welcome:

Using Ubuntu, can you look for the following file on your Windows partition?

\Windows\system32\drivers\i8042prt.sys


Thanks for reaching out!

i8042prt.sys does exist. File info:

80,896 bytes

Modified: 7/13/09 4:11:24 PM PDT

Accessed: 2/7/12 6:02:06 PM PST

Permissions last changed: 2/7/12 6:16:19 PM PST

Interestingly, there's also a file named i8042prt.svs. Again, I don't dabble in this area too much, but I can't recall seeing .svs files hanging around normally, so I thought I'd toss out the info on this as well, although I apologize if it's a red herring.

i8042prt.svs

80,896 bytes

Modified: 7/13/09 4:11:24 PM PDT

Accessed: 2/7/12 12:21:06 PM PST

Permissions last changed: 2/7/12 6:02:06 PM PST

If you need any further info, just let me know! Thanks in advance!


Can you upload that file to http://www.virustotal.com and post me the link to the scan results?


I had hoped this would have been the problem so we could make working in windows a little easier for you, but that doesn't seem to be the case, so the following scan will need to be run from within Windows.

We need to see some information about what is happening in your machine. Please perform the following scan:

  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Just like in the second paragraph of my original post, DDS.scr hung. After your post, I redownloaded dds.scr in ubuntu to the desktop in Windows. Rebooted into Windows (normal mode). Started a scan at approximately 1:43pm PST. Reached the point shown in the attached image within a minute or two. Sat there with blinking cursor for the next 3 hours before I did a hard reset, as Windows was unresponsive.

Let me know where I should go from here.

post-108052-0-13577900-1328923955.jpg


Please run OTL instead.

OTL

-----

Please download OTL from one of the following mirrors:

  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized


It looks like you also ran combofix. Can you please post me the log at c:\combofix.txt?


Combofix started, but combofix did not complete (similar to DDS which did not complete, and per my original post, it froze shortly after identifying the threat). I could not locate C:\combofix.txt. Attached you'll find the output from 'ls -l' on C:\ (run from within ubuntu).

c_ls.txt


Please press Windows key + R, type combofix /nombr and press enter. Let me know if it finishes like that.


If you insist, I'll run it that way again, but that's how I ran it the first three or four times. All with the /nombr flag.

There was one other flag used as well. I just tried to find a link to the instructions I had used, but unfortunately bleepingcomputer.com is down, which is I believe where I found the instructions. I was attempting this as it seemed that others had been able to use the /nombr flag successfully for a ZeroAccess infection. Unfortunately, I guess I'm not that lucky.

Again, if you insist, I will run the scan again. Still, since no changes have been made to my computer since that scan, I think we're looking at another hard reboot in the future. If you suggest I scan, please let me know at what point you believe it is frozen (half hour, hour, five hours) so I can reboot at that point.

Sorry this one is so tough. Thanks for helping me out.


Leave it for about half an hour (try it also from safe mode) with the /nombr switch.

If it doesn't run that way, just post back here.

BC should be back up (was backup time), but please do not copy switches or scripts from other posts; these instructions are usually created specifically for the user they are posted to.


Normal mode - 4 hours 36 mins. Rebooted

Safe mode - 40 mins. Rebooted.

Got it. Won't copy other switches/scripts. As mentioned in original post, just taking your direction here and nothing else. The copy from the BC post was prior to my initial post here. I did check the BC post though and confirmed the only prior step I took related to combofix used the same switch that you suggested. I understand that to fix my computer I may have to repeat some steps, which is why I happily just put the 5h 16m into this step.

I'll cut any further extraneous unhelpful information (since it's extraneous and unhelpful), and I'd just really like to avoid the re-format if possible. Thanks for sticking w/ me and my thick-skulled-ness.


Let's see if the following scan will reveal the infected part(s) so we can fix it manually.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!

  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (e.g. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (e.g. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


The scan completed and I restarted my system per these instructions. Log file is attached.

Note: The scan detected one malicious object and one suspicious object. The malicious object defaulted to Cure, so I left it alone. The suspicious object defaulted to Skip. When I explored the options in the drop-down menu, Cure was not an option. As such, I left it at the default of Skip.

TDSSKiller.2.7.11.0_12.02.2012_00.43.45_log.txt


You can indeed skip the generic/forged detection. Can you please rerun TDSSkiller and let me know if the other driver is still detected?

Also, how is your computer running at this point?


Both issues still remain with TDSSKiller. New log attached.

As has been the case since I started this thread, I continue to run from ubuntu (except when executing trouble-shooting steps that you provide). For example, I downloaded TDSSKiller in ubuntu to my Win7 partition, renamed it from within ubuntu, and rebooted into Win7 to run TDSSKiller. When I am in Windows, the system seems unchanged from when I began this thread in that my on-board keyboard & touchpad and my sound card (don't know if I mentioned this before, but this driver was also knocked out prior to initially posting here) remain non-functional. As the system is still infected, I've used the external switch to disable my Wireless card so that the virus/rootkit cannot communicate with anyone on the internet. Short version: it's still the same.

Awaiting further instruction.

P.S. I received your most recent PM regarding the notification fix. I'll stick to posting here.

TDSSKiller.2.7.11.0_12.02.2012_01.20.41_log.txt


The ubuntu access actually makes a manual fix easier. :)

OTL

-----

We need to run an OTL Custom Scan

  1. Please reopen OTL (the OTL icon on your desktop).
  2. Click the NONE button.
  3. Copy and Paste the following code into the Custom Scans/Fixes textbox.
    netsvcs
  4. Push Run Scan.
  5. A report will open. Copy and Paste that report in your next reply.

Next, rerun TDSSKiller, but do not fix anything (just post me the log so I can see which driver is infected; if you cure it, another driver will be infected, and at this point I only need to know which one is infected).


OTL log:


OTL logfile created on: 2/12/2012 1:45:13 AM - Run 2
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\edshead\Desktop
Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.50 Gb Total Physical Memory | 2.45 Gb Available Physical Memory | 69.91% Memory free
6.99 Gb Paging File | 5.80 Gb Available in Paging File | 82.98% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 410.15 Gb Total Space | 152.91 Gb Free Space | 37.28% Space Free | Partition Type: NTFS
Drive F: | 970.13 Mb Total Space | 886.09 Mb Free Space | 91.34% Space Free | Partition Type: FAT

Computer Name: DERENOPHOCIM | User Name: edshead | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias.dll (Microsoft Corporation)
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: rxmssync - C:\Windows\System32\gusvc.dll (Oak Technology Inc.)
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found
< End of report >

TDSSKiller scan results attached. (Skipped on both detections.)

TDSSKiller.2.7.11.0_12.02.2012_01.48.11_log.txt


Nice, that shows the involved files. :)

Because the infected driver is responsible for internet connection we need to find a replacement copy first.

For that reason, rerun OTL, click NONE and copy/paste the following text into the "custom scan/fix" field. Click Run Scan and post me the resulting log.

/md5start
tdx.sys
/md5stop


First off, no rush on the reply to this one as it's close to 3am here and I think I'm going to get some sleep. Thank you for your continued help, Elise. I greatly appreciate it.

Here's the results of the most recent OTL scan:


OTL logfile created on: 2/12/2012 2:30:53 AM - Run 3
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\edshead\Desktop
Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.50 Gb Total Physical Memory | 2.66 Gb Available Physical Memory | 75.93% Memory free
6.99 Gb Paging File | 6.18 Gb Available in Paging File | 88.34% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 410.15 Gb Total Space | 152.91 Gb Free Space | 37.28% Space Free | Partition Type: NTFS

Computer Name: DERENOPHOCIM | User Name: edshead | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days

========== Custom Scans ==========



< MD5 for: TDX.SYS >
[2009/04/10 20:45:58 | 000,072,192 | ---- | M] (Microsoft Corporation) MD5=76B06EB8A01FC8624D699E7045303E54 -- C:\Temp\sandbox\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6002.18005_none_ec294157d9377403\tdx.sys
[2009/04/10 20:45:58 | 000,072,192 | ---- | M] (Microsoft Corporation) MD5=76B06EB8A01FC8624D699E7045303E54 -- C:\Temp\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6002.18005_none_ec294157d9377403\tdx.sys
[2010/11/20 13:29:07 | 000,074,752 | ---- | M] (Microsoft Corporation) MD5=B459575348C20E8121D6039DA063C704 -- C:\Windows\System32\drivers\tdx.sys
[2010/11/20 13:29:07 | 000,074,752 | ---- | M] (Microsoft Corporation) MD5=B459575348C20E8121D6039DA063C704 -- C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.1.7601.17514_none_ec4532373a57c1c2\tdx.sys
< End of report >

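The two offline checks the helper asked for in this thread (looking for \Windows\system32\drivers\i8042prt.sys from Ubuntu, and the OTL /md5start scan that lists every copy of tdx.sys with its MD5) can both be done directly from the Ubuntu side against a read-only mount of the NTFS partition. The script below is an added example, not code from the thread or from any of the tools mentioned; it assumes GNU find and md5sum, and stands in a constructed temporary directory tree (laid out like the paths in the OTL log above) for the real mount point, which you would set to something like /mnt/win after `sudo mount -t ntfs-3g -o ro /dev/sdaN /mnt/win`. It lists every file on the partition whose stem matches a driver name, whatever its extension (which is how a sibling like i8042prt.svs shows up), counts how many distinct contents those copies have, and checks whether the live copy in System32\drivers matches a copy of the same name in WinSxS.

```shell
#!/bin/sh
# Added example (not from the original posts): offline triage of a Windows
# partition from Ubuntu. Assumes GNU find/md5sum and a read-only NTFS mount
# at $WINROOT (a constructed sample tree is used below in its place).

# Print "md5  size  path" for every file under $1 whose stem is $2, any extension.
driver_copies() {
    find "$1" -type f -iname "$2.*" -exec md5sum {} + 2>/dev/null |
    while read -r md5 path; do
        printf '%s  %s  %s\n' "$md5" "$(wc -c < "$path" | tr -d ' ')" "$path"
    done | sort
}

# Number of distinct contents among those copies (1 means all copies identical).
distinct_hashes() {
    driver_copies "$1" "$2" | cut -d' ' -f1 | sort -u | wc -l | tr -d ' '
}

# Files in the live drivers directory that share the stem but are not .sys
# (the i8042prt.svs case): same name, different extension.
lookalikes() {
    find "$1/Windows/System32/drivers" -maxdepth 1 -type f \
         -iname "$2.*" ! -iname "$2.sys" 2>/dev/null | sort
}

# Compare the live driver with the WinSxS copy of the same name.
# Prints: match | DIFFERS | missing | no winsxs copy
live_vs_winsxs() {
    live="$1/Windows/System32/drivers/$2.sys"
    [ -f "$live" ] || { echo missing; return 0; }
    livemd5=$(md5sum "$live" | cut -d' ' -f1)
    sxs=$(find "$1/Windows/winsxs" -type f -iname "$2.sys" -exec md5sum {} + 2>/dev/null)
    [ -n "$sxs" ] || { echo "no winsxs copy"; return 0; }
    echo "$sxs" | grep -q "^$livemd5 " && echo match || echo DIFFERS
}

# --- constructed sample tree standing in for the mounted partition (not real drivers) ---
WINROOT=$(mktemp -d)
SXS="$WINROOT/Windows/winsxs/x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.1.7601.17514_none_ec4532373a57c1c2"
TMPCOPY="$WINROOT/Temp/x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6002.18005_none_ec294157d9377403"
mkdir -p "$WINROOT/Windows/System32/drivers" "$SXS" "$TMPCOPY"
printf 'tdx 6.1.7601 build'    > "$WINROOT/Windows/System32/drivers/tdx.sys"
printf 'tdx 6.1.7601 build'    > "$SXS/tdx.sys"          # same bytes as the live copy
printf 'tdx 6.0.6002 build'    > "$TMPCOPY/tdx.sys"      # older copy with different bytes
printf 'i8042prt driver bytes' > "$WINROOT/Windows/System32/drivers/i8042prt.sys"
printf 'i8042prt driver bytes' > "$WINROOT/Windows/System32/drivers/i8042prt.svs"  # lookalike

echo "== copies of tdx.* on the partition =="
driver_copies "$WINROOT" tdx
echo "distinct contents: $(distinct_hashes "$WINROOT" tdx)"
echo "live tdx.sys vs WinSxS: $(live_vs_winsxs "$WINROOT" tdx)"
echo "== lookalikes of i8042prt.sys in System32\\drivers =="
lookalikes "$WINROOT" i8042prt
echo "live i8042prt.sys vs WinSxS: $(live_vs_winsxs "$WINROOT" i8042prt)"
```

Keep the mount read-only while triaging so access timestamps and the infected files themselves are left as they are; a copy whose hash differs from the WinSxS copy of the same version, or a lookalike next to the live driver, is what you would hash and submit to VirusTotal, as the helper asks above.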

No problem at all, it's almost 1 PM here, so I'll be around. :) Just reply back when ready.

Can you please upload the following file to http://www.virustotal.com and link me to the scan results (if the file is already analysed, please re-analyse).

C:\Temp\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6002.18005_none_ec294157d9377403\tdx.sys
