pinpouet

RootKit ZeroAccess + Sirefef.B


Hello,

I've detected an infection and tried to remove it with different tools:

  • Malwarebytes
  • CCleaner
  • Hijackthis
  • SuperAntispyware
  • SpyBot
  • BitDefender Rescue cd
  • Kaspersky Virus Removal Tool
  • Kaspersky Resource Kit (boot cd)
  • Windows Security Essentials

I've cleaned different types of infections:

  • Trojan HorseCrypt.AQLW
  • Trojan Dropper.Win32/Sirefef.B
  • Trojan Download.Win32/Obdov.H

Since then, my Windows Firewall and my local area connection won't work.

ComboFix alerted me that I was infected by the RootKit ZeroAccess.

Attached are the logs of DDS and HijackThis:

Attach.txt

DDS.txt

hijackthis.log


Hello and welcome.

Can you please also post me the ComboFix log? It can be found at c:\combofix.txt

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


Hello again, still quite some work to do here. :)

Please download http://download.bleepingcomputer.com/sUBs/MiniFixes/RestoreBFE.exe

Double click on the downloaded file. It should only take a few seconds to run.

When complete, it will say: "Done! Please check if BFE service is running now"

Please download and run this file (this will restore the other missing service): http://download.bleepingcomputer.com/win-services/7/MpsSvc.reg

OTL

-----

Please download OTL from one of the following mirrors:

  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the NONE button.
  • Copy and paste the following code into the Custom Scans/Fixes textbox:

netsvcs

  • Push Run Scan.
  • A report will open. Copy and paste that report in your next reply.


Damn! I hate stuff like that.

Here is the follow-up:

  • RestoreBFE: "Error! This tool does not apply to you"
  • MpsSvc: "Keys & values successfully added to the registry"
  • OTL: see attached

Regards,

OTL.Txt


Can you please rerun ComboFix (update if asked) and post me the new log?


What do you mean, it doesn't start at all? In that case, delete the copy and download a new one.


Bad news then ...

I've downloaded a new copy of ComboFix, same reaction!

I agree to the disclaimer, ComboFix installs itself and ... nothing.

No blue ComboFix window.


Still the same.

Maybe uninstall ComboFix? Or just rename the folder C:\ComboFix?


How are things running at this point? Please rerun DDS and post me the new log.


Hi again,

CF-SCRIPT

-------------

We need to execute a CF-script.

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:


MIA::
c:\windows\system32\drivers\netbt.sys
c:\windows\system32\drivers\tdx.sys

Save this as CFScript.txt, in the same location as ComboFix.exe

Drag CFScript.txt onto ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Unfortunately we need to replace two missing files. No copies seem to be present. Can you do the following and then rerun ComboFix and post me the new log?

Click Start > All Programs > Accessories, right click Command Prompt and select "run as administrator".

Type sfc /scannow and press enter. Let the system file checker run unhindered.


"Windows Resource Protection could not perform the requested operation."

Same message at 25% of the process, in normal mode and in safe mode.


Do you have another computer with Windows 7 32 bit on it that you could use to manually copy the files over?


Please navigate to the following files, right click them and select Copy. Then go to a USB drive, right click in an empty space and select Paste.

c:\windows\system32\drivers\netbt.sys

c:\windows\system32\drivers\tdx.sys

Now on the problem computer, insert the USB drive, select the files and right click > Copy. Navigate to c:\windows\system32\drivers and right click in an empty space > click Paste.

After that rerun ComboFix and post me the new log.
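The helper's two lines of attack in this thread are (1) checking which Windows services the rootkit removed (the Farbar Service Scanner and RestoreBFE/MpsSvc.reg steps) and (2) replacing the two driver files ComboFix reported missing with copies from a clean Windows 7 32-bit machine. The PowerShell script below is an added example, not a tool from the thread or from Farbar/BleepingComputer: it reports the same service state FSS does for the services named in the thread (BFE, MpsSvc, Security Center, Windows Update, plus the netbt and tdx drivers) and hashes the two driver files against reference copies. The reference folder path ($ReferenceDir, here E:\clean-drivers) and the choice of services to check are assumptions; it is written for the Windows PowerShell 2.0 that ships with Windows 7, so it avoids Get-FileHash and the [pscustomobject] accelerator.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt on
# the affected Windows 7 machine. $ReferenceDir is an assumption: a USB folder
# holding netbt.sys and tdx.sys copied from a clean Windows 7 32-bit machine.
param(
    [string]$ReferenceDir = 'E:\clean-drivers'
)

# Services the thread had to restore (BFE, MpsSvc), the ones FSS checks
# (wscsvc = Security Center, wuauserv = Windows Update) and the two TDI
# drivers ComboFix listed as missing. MpsSvc depends on BFE, so a deleted BFE
# key breaks the firewall even when the MpsSvc key is intact.
$ServiceNames = 'BFE', 'MpsSvc', 'wscsvc', 'wuauserv', 'netbt', 'tdx'
$ServicesKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-ServiceTriage {
    foreach ($name in $ServiceNames) {
        $key = Join-Path $ServicesKey $name
        if (-not (Test-Path $key)) {
            # A deleted service key is what FSS reports as "service is not present"
            New-Object PSObject -Property @{
                Name = $name; KeyPresent = $false; ImagePath = $null; Start = $null; State = 'KEY MISSING'
            }
            continue
        }
        $props = Get-ItemProperty -Path $key
        # Get-Service does not list kernel drivers (netbt, tdx); WMI covers both kinds.
        $svc = Get-WmiObject Win32_Service      -Filter "Name='$name'"
        $drv = Get-WmiObject Win32_SystemDriver -Filter "Name='$name'"
        $state = if ($svc) { $svc.State } elseif ($drv) { $drv.State } else { 'UNKNOWN' }
        New-Object PSObject -Property @{
            Name       = $name
            KeyPresent = $true
            ImagePath  = $props.ImagePath
            Start      = $props.Start   # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
            State      = $state
        }
    }
}

function Get-FileSha256([string]$Path) {
    # .NET hashing because Get-FileHash does not exist in PowerShell 2.0
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $stream.Close()
    }
}

function Get-DriverTriage {
    $driverDir = Join-Path $env:SystemRoot 'System32\drivers'
    foreach ($file in 'netbt.sys', 'tdx.sys') {
        $path = Join-Path $driverDir $file
        $ref  = Join-Path $ReferenceDir $file
        $obj  = New-Object PSObject -Property @{
            File = $file; Present = (Test-Path $path); Sha256 = $null; MatchesReference = $null
        }
        if ($obj.Present) {
            $obj.Sha256 = Get-FileSha256 $path
            # Only meaningful when the clean machine has the same patch level
            if (Test-Path $ref) {
                $obj.MatchesReference = ($obj.Sha256 -eq (Get-FileSha256 $ref))
            }
        }
        $obj
    }
}

Get-ServiceTriage | Format-Table Name, KeyPresent, Start, State, ImagePath -AutoSize
Get-DriverTriage  | Format-Table File, Present, MatchesReference, Sha256 -AutoSize
```

Read the two tables together: a service row with KeyPresent = False is the case RestoreBFE or MpsSvc.reg fixes, while a driver row with Present = False is the case the USB copy fixes. A driver that is present but does not match the reference is worth replacing too, as long as both machines are at the same Windows update level; otherwise a hash mismatch only tells you the files are different versions, not that one is tampered.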


How are things running at this point?

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


As indicated in the attached log, the computer receives an IP address from DHCP and can connect to the Internet.

But no "Local Area Connection"; I'm still unable to connect to the different mapped network drives.

Another thing: explorer.exe stops working sometimes; it restarts and stops working again.

> But no "Local Area Connection"; I'm still unable to connect to the different mapped network drives.

LAN shows as connected in the log. Can you normally browse the internet, but not access the network drives, or can't you even browse normally (Google and such)?
