Rootkit.ZeroAccess (PING.exe)


Glad to hear that! :)

How is the computer behaving besides this?

Please click Start > All Programs > Accessories, right click Command Prompt and select "run as administrator".

Type netsh winsock reset and press enter.

Restart the computer and let me know how everything is running.
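The post above asks for a blind `netsh winsock reset`. Before (or after) running it, a practitioner would want to see what is actually registered in the Winsock catalog, since a rootkit that hooks the network stack typically does so by adding or replacing a provider DLL there. The script below is an added example, not code from the original thread or from any of the tools it mentions: it reads the Winsock2 catalog from the registry, resolves each provider DLL, and flags entries whose file is missing, lives outside System32, or does not carry a Microsoft company stamp. It assumes the standard Windows 7 Winsock2 registry layout and is read-only.

```powershell
# Added example, not from the original thread: list the Winsock2 catalog and
# flag provider DLLs that are missing, live outside System32, or are not
# Microsoft-authored. Assumes the standard Windows 7 Winsock2 registry layout.
# Read-only; run from an elevated PowerShell prompt.

$ws2   = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters'
$sys32 = Join-Path $env:SystemRoot 'System32'

function Get-WinsockProvider {
    foreach ($catalog in 'Protocol_Catalog9', 'NameSpace_Catalog5') {
        # 64-bit systems keep a second, WOW64 catalog beside the native one.
        foreach ($sub in 'Catalog_Entries', 'Catalog_Entries64') {
            $entries = Join-Path $ws2 "$catalog\$sub"
            if (-not (Test-Path $entries)) { continue }
            foreach ($key in Get-ChildItem $entries) {
                $props = Get-ItemProperty $key.PSPath
                if ($props.PSObject.Properties['PackedCatalogItem']) {
                    # Protocol entries: the packed item begins with the provider DLL
                    # path as a NUL-terminated ANSI string (MAX_PATH = 260 bytes).
                    $len  = [Math]::Min(260, $props.PackedCatalogItem.Length)
                    $raw  = [System.Text.Encoding]::ASCII.GetString($props.PackedCatalogItem, 0, $len)
                    $path = $raw.Split([char]0)[0]
                } else {
                    # Namespace entries: LibraryPath is a plain, often %SystemRoot%-relative, string.
                    $path = $props.LibraryPath
                }
                if (-not $path) { continue }
                $full = [Environment]::ExpandEnvironmentVariables($path)
                # A bare file name is loaded from System32, so resolve it there for the checks.
                if (-not [IO.Path]::IsPathRooted($full)) { $full = Join-Path $sys32 $full }
                $exists  = Test-Path -LiteralPath $full
                # Windows 7 OS DLLs are catalog-signed, and Get-AuthenticodeSignature on that
                # release reports them as NotSigned, so location and CompanyName are used instead.
                $company = if ($exists) { (Get-Item -LiteralPath $full).VersionInfo.CompanyName } else { $null }
                New-Object PSObject -Property @{
                    Catalog    = "$catalog\$sub"
                    Entry      = $key.PSChildName
                    Path       = $full
                    Exists     = $exists
                    Company    = $company
                    Suspicious = (-not $exists) -or ($full -notlike "$sys32\*") -or ($company -notmatch 'Microsoft')
                }
            }
        }
    }
}

$providers = Get-WinsockProvider
$providers | Format-Table Catalog, Entry, Exists, Company, Path -AutoSize
$bad = @($providers | Where-Object { $_.Suspicious })
if ($bad.Count -eq 0) {
    'No unexpected Winsock providers.'
} else {
    Write-Warning "$($bad.Count) catalog entries need a look; if they are not something you installed,"
    Write-Warning 'run ''netsh winsock reset'' from an elevated prompt and reboot to rebuild the catalog.'
}
```

A non-Microsoft entry is not automatically malicious: firewalls and antivirus suites (the thread mentions Comodo and AVG) legitimately register Winsock providers, so compare the flagged paths against what you know is installed. `netsh winsock reset` discards every third-party provider along with a malicious one, which is why those products often need reinstalling afterwards.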


Oh, and the other thing that still piqued my interest was that it took my wireless card (rather the icon representing my wireless card) longer to cycle than normal. Since my comp. has been infected, I've noticed that I have the blue circle over my network icon (usually indicating searching for network) a bit longer than it would at startup prior to infection. I know it's minor, but given how ZeroAccess behaves (taking over ip stack), it makes me wary.

Did you do the winsock reset? That should fix the TCP/IP stack and remove ZA from there. To be sure, could you rerun ComboFix (even if it doesn't finish) to see if the warning still pops up?

Before being sure the infection is in fact gone I would leave the wireless issue on hold as it would be speculation to say what is causing it at the moment (malware or otherwise).

First off, regarding the wireless 'issue'. I'm not at all concerned about it. Only raised it b/c you asked how the computer was running. For me, it's a flying pink elephant (potential symptom). I have no problem with flying pink elephants as long as ZeroAccess isn't on my computer. But as long as I see flying pink elephants, I'm going to make extra-sure we've killed ZeroAccess. If we have, and there's still flying pink elephants, I'm really not too worried about it. Short version: I'm not trying to fix, nor do I care about the wireless issue, other than it may indicate remaining infection.

I ran the winsock reset. Rebooted into NM. Ran combofix. Detected ZeroAccess. Got further than it did previously. Got to a dialog where it said something to the effect of, "Rootkit is detected. Be patient. This may take some moments." Scan seemed to run for a bit longer, and then it hung just like it did previously (Windows & the combofix window wouldn't respond.) Tried the same in SM, and same thing happened (got further than previous, but still hung).

Started Combofix in SM with nombr switch. It ran. As of post #57, it ran. Detected rootkit activity so it needed to reboot. Rebooted into NM to make sure whatever reg key/script Combofix used to run on boot would actually run. It did. Started running right after I logged in before desktop loaded. Ran all the way through and gave me a log which is attached. Note: While generating the log, I received two error dialogs. One from pev.exe and another from pev.3xe. Screen shot didn't work, but they described the winsxs\pendingrenames (I know those were both directory names in the full path, but I don't remember the full path) directory being corrupt, and suggesting that I run chkdsk. I have not run chkdsk.

ComboFix.txt

Hi, at least that is progress and cleaned up the last ZA remnants. :)

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.

  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.
Do not re-enable these drivers until otherwise instructed.
CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:


NetSvcs::
rxmssync

Driver::
rxmssync

DDS::
uInternet Settings,ProxyOverride = *.local;<local>

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Defogger ran fine. Same problem as before though with regards to the drag and drop. Crashed in NM when I let it run after dragging and dropping (looked like it was just running normally). I'm guessing that's possibly due to not using /nombr. In safe mode, I didn't let it get to the point of crashing, but it looked like it was scanning normally rather than using the script. Not sure why Win7 x86 doesn't like the drag & drop with ComboFix.

It's probably going to be late tonight before I get a chance to run MBAM. Only remaining problems are the lost drivers which I'm confident I can address myself (now that I feel comfortable hopping back on the internet). Comodo was good about stopping at least some of the rootkit's activity, and thus serves as a decent (although imperfect) warning sign for me should the rootkit pop back up.

Posting now just because I wanted to thank you for sticking with this for a week. You've certainly saved me a likely re-install out of frustration, and possibly a reformat. I can't thank you enough.

Expect the MBAM log within 12 hours. Thank you again.

Okay. So 16 hours later here's where things stand.

  1. Ran mbam with 8-day old defs (before I put comp on internet) and it came up clean. Log attached.
  2. Hopped online and downloaded new defs for MBAM. Also scoped out the damage.
  3. Comodo Firewall and AVG Free 2012 were both busted. Uninstalled both so I can reinstall. (although have not reinstalled yet)
  4. WLAN is non-functional but ethernet port is. Wireless card driver is running normally. Trying to fix this led me to the steps below, but later, I isolated this to the WLAN Auto Config service. Service won't start due to dependency issues (Code 1039 I believe). Tried to manually start all the dependencies and all services that I could spot were started. Didn't find them all though... some are only in the registry? Bottom line, WLAN is still down.
  5. The steps that (4) led me to were chkdsk and sfc. Both of which gave me issues while trying to run within windows. Chkdsk would not auto-start on reboot no matter how minimal a start I gave it in safe mode. sfc crashed early due to problems that could only be addressed by chkdsk I believe. As such, I ran both from the shell off of my Win7 Pro x86 CD. Chkdsk did A LOT of work. SFC (/scannow /offwindir=... /offbootdir=...) did a bit too, but indicated there were unresolved problems remaining. Booted back into Windows, but still had WLAN issue.
  6. Touchpad and keyboard are still down. No driver for keyboard (not surprisingly) on Dell's site. Reinstalled Touchpad driver to no avail.
  7. Sound card is down as well. (Sigmatel 9205 - note, this is made by IDT, and there's no Win7 drivers for my card that allow Mic to work. IDT has some drivers for other chips in their 92xx line that worked I believe, although I made the move to Win7 a year ago so I can't recall exactly. I tried both the Sigmatel & IDT drivers but they would not install saying they couldn't find the card I believe.)
  8. System is generally running slow. I'm not even worrying about this right now. I'm half assuming that it's due to Win7 trying to chew through all the broken drivers/services, some of which I may not have even seen symptoms of yet.

First off, I apologize if step 5 causes problems b/c it's out of sync with your normal troubleshooting system. I was assuming I could resolve the issues above, and I believe I still can. Unfortunately, I haven't fixed these specific issues before, and it looks like they run just a hair deeper than I'm used to (e.g. I don't think I've messed around in the branch of the registry that includes service startup settings until now, and I changed the values of the HKLM\SYSTEM\(CurrentControlSet & ControlSet002)\services\ndisuio key Start to 2 when they were 3 - I understand 2 to be auto-start for that service). As such, I'm posting here if you have any tips, or if you care to see this through to completion. I'd understand backing out now, as the threat is gone. If you do want to pick up some or all of the issues above, I'll take a back-seat on anything else to let you address them your way.

I feel like ZeroAccess got its tentacles in as deep as it could, not for self-preservation, but to make a mess if you did get it out. I've accepted that if I don't reinstall, it's quite possible that I could continue seeing problems from this for months even after addressing the ones above.

As of right now, my comp is running a full MBAM scan with the new defs, although based on the duration of the earlier scan, it will likely not complete before I head to sleep. As such, feel free to take your time.

I welcome your assistance if you're still game and it's not too much trouble. It will certainly be trouble for me, and if it would be trouble for you too, you've already helped more than enough. Thank you.

P.S. I'm not suggesting following any instructions from this thread, but the problem from this thread looks similar in case that raises any ideas for you. http://forums.majorgeeks.com/showthread.php?t=249655

mbam-log-2012-02-15 (13-29-34).txt
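Item 4 above describes the usual dead end with a service that will not start "due to dependency issues": the Services console only shows dependencies it can resolve, so a dependency that survives only as a name in the registry, or whose driver file is gone, is easy to miss. The script below is an added example, not from the original thread or from the poster: it walks a service's `DependOnService` chain straight from the registry, reports each link's start type, current state and image file, and calls out names with no service key or no file on disk. It assumes the standard `CurrentControlSet\Services` layout and is read-only; `Wlansvc` (WLAN AutoConfig) is used as the starting point because that is the service the post is about.

```powershell
# Added example, not from the original thread: walk a service's dependency
# chain from the registry rather than from the Services console, so that a
# dependency that exists only as a name in DependOnService (no service key,
# no image file) is reported instead of silently skipped. Read-only.

$svcRoot   = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$startName = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Auto'; 3 = 'Manual'; 4 = 'Disabled' }

function Resolve-ImagePath([string]$ImagePath) {
    if (-not $ImagePath) { return $null }
    $s = $ImagePath.Trim()
    if ($s.StartsWith('"')) {
        $s = $s.Substring(1, $s.IndexOf('"', 1) - 1)      # "C:\path with spaces\x.exe" args
    } else {
        $s = ($s -split '\s+[-/]', 2)[0]                  # x.exe -k group   /   x.exe /svc
    }
    # Driver-style prefixes: \??\C:\... and \SystemRoot\system32\... and bare system32\...
    $s = $s -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', ''
    $s = [Environment]::ExpandEnvironmentVariables($s)
    if (-not [IO.Path]::IsPathRooted($s)) { $s = Join-Path $env:SystemRoot $s }
    return $s
}

function Get-ServiceDependencyReport {
    param([string]$Name, [int]$Depth = 0, [hashtable]$Seen = @{})
    $id = $Name.ToLower()
    if ($Seen.ContainsKey($id)) { return }               # dependency graphs can share nodes
    $Seen[$id] = $true
    $pad = '  ' * $Depth
    if ($Name.StartsWith('+')) {                          # '+Name' denotes a load-order group
        "$pad$Name  (group dependency, not a single service)"
        return
    }
    $key = Join-Path $svcRoot $Name
    if (-not (Test-Path $key)) {
        "$pad$Name  <- NO SERVICE KEY: anything depending on this can never start"
        return
    }
    $p      = Get-ItemProperty $key
    $start  = if ($p.PSObject.Properties['Start']) { $startName[[int]$p.Start] } else { '?' }
    $image  = Resolve-ImagePath $p.ImagePath
    $onDisk = if ($image -and (Test-Path -LiteralPath $image)) { 'ok' } else { 'IMAGE MISSING' }
    # User-mode services and kernel drivers live in different WMI classes; try both.
    $wmi = Get-WmiObject Win32_Service -Filter "Name='$Name'"
    if (-not $wmi) { $wmi = Get-WmiObject Win32_SystemDriver -Filter "Name='$Name'" }
    $state = if ($wmi) { $wmi.State } else { 'not registered with SCM' }
    "$pad$Name  start=$start  state=$state  image=$image [$onDisk]"
    foreach ($dep in @($p.DependOnService)) {
        if ($dep) { Get-ServiceDependencyReport -Name $dep -Depth ($Depth + 1) -Seen $Seen }
    }
}

# WLAN AutoConfig is 'Wlansvc'; the same walk works for any service name.
Get-ServiceDependencyReport -Name 'Wlansvc'
```

Read the output bottom-up: the first line marked `NO SERVICE KEY` or `IMAGE MISSING` is the one the dependent services are tripping over, and changing `Start` values higher up the chain (as the post describes doing for `ndisuio`) does nothing until that link is restored.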

We checked for the i8042prt.sys file, but possibly something touched the driver.

OTL

-----

We need to run an OTL Custom Scan

  1. Please reopen OTL (otlicon.png) on your desktop.
  2. Click the NONE button.
  3. Copy and Paste the following code into the Custom Scans/Fixes textbox (customscanfix.png).
    hklm\system\currentcontrolset\services\i8042prt


  4. Push Run Scan (runscan.png).
  5. A report will open. Copy and Paste that report in your next reply.

ZeroAccess infects a few files (the amount depending on the version) and by doing that can corrupt quite a few applications. The only fix for that is reinstalling the affected programs.

As for the disk check, if that fixed a lot of issues then you may want to investigate the state of your harddrive. The first thing I would do is to make sure you have a backup of all important data, just in case the disk goes bad.

I should've specified. Surface scan is clean. It was things like orphaned files for the most part. Given the number of hard shutdowns (powered off in the middle of complete non-responsiveness from combofix/windows), I was expecting chkdsk to throw a fit. Had to be at least 20 shutdowns like that between the work I did before hitting this forum, and failed combofixes here. Also, ubuntu has shown no issues, which, unless it was bad sectors which would be isolated to a specific partition, I'm assuming I'd see issues if it was an I/O problem. (Hardware troubleshooting is a bit more my cup of tea.) Even before this, all my important stuff syncs daily (at the least) if not instantly, so I'm feeling okay. Just thought I should mention the chkdsk findings for your reference, as it might affect your diagnostic steps.

I'll run OTL tomorrow morning, and post that report plus the updated MBAM report. Thank you again. So much.

Here's the logs. Looks like MBAM just killed one of the backup copies we made of an infected file. Let me know where to go from here.

OTL.txt


OTL logfile created on: 2/16/2012 5:40:23 AM - Run 6
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\edshead\Desktop\fixes
Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.50 Gb Total Physical Memory | 2.36 Gb Available Physical Memory | 67.46% Memory free
6.99 Gb Paging File | 5.69 Gb Available in Paging File | 81.32% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 410.15 Gb Total Space | 149.80 Gb Free Space | 36.52% Space Free | Partition Type: NTFS
Drive D: | 1.86 Gb Total Space | 0.78 Gb Free Space | 42.27% Space Free | Partition Type: FAT32
Drive E: | 3.48 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
Drive F: | 970.13 Mb Total Space | 886.09 Mb Free Space | 91.34% Space Free | Partition Type: FAT

Computer Name: DERENOPHOCIM | User Name: edshead | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days

========== Custom Scans ==========


< hklm\system\currentcontrolset\services\i8042prt >
"Start" = 3
"Type" = 1
"ErrorControl" = 1
"ImagePath" = system32\DRIVERS\i8042prt.sys -- [2009/07/13 15:11:24 | 000,080,896 | ---- | M] (Microsoft Corporation)
"DisplayName" = i8042 Keyboard and PS/2 Mouse Port Driver
"Group" = Keyboard Port
"DriverPackageId" = keyboard.inf_x86_neutral_0c4a1880f2aa5a72
"Tag" = 6

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\i8042prt\Parameters]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\i8042prt\Enum]
< End of report >

MBAM log:


Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org
Database version: v2012.02.16.01
Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
edshead :: DERENOPHOCIM [administrator]
Protection: Disabled
2/16/2012 12:09:09 AM
mbam-log-2012-02-16 (00-09-09).txt
Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 719072
Time elapsed: 4 hour(s), 16 minute(s), 15 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 1
C:\Windows\System32\gusvc.vir (RootKit.0Access.H) -> Quarantined and deleted successfully.
(end)

Please press Windows key + R, type devmgmt.msc and press enter. Right click both keyboard and mouse controllers (the ones that do not work, if you are not sure, list what is there) and select Uninstall. Restart the computer and the devices should be reinstalled on reboot. Let me know if that solved the issue.

Problem devices are "Standard PS/2 Keyboard" and "Dell Touchpad." Uninstalled both. Touchpad gave me the option of removing driver software and I selected that option, as it's the same software I installed yesterday and I have that for re-install, if needed. No dice. After restart, same situation with both devices providing the following error: "Windows cannot load the device driver for this hardware. The driver may be corrupted or missing. (Code 39)" As I mentioned before, sfc said it couldn't fix some files. Pure speculation (except that Windows is trying to install Microsoft generic device drivers), but I'm wondering if some of the files it could repair are related to this.

Btw, I tried to get the log file from sfc for reference, but after doing a 'dir /s | find "{today's date}" ' I couldn't find a file that fit the bill. I think it might've tossed it based on running off of the boot CD. It did error at the end indicating it couldn't write to event logs.

Second btw, ran sfc off of the win7 CD b/c I was there. As mentioned before, the error on sfc indicated it couldn't run due to file system errors. Since those errors have now been repaired, I'm wondering if I can run sfc from within Windows. Just an idea.

Regarding error messages in device manager: The only other device with an error is 'High Definition Audio Controller' and it gives the same Code 39 error as above. For whenever I/we get around to the sound card issue.
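The OTL custom scan earlier in the thread showed the i8042prt service key intact (Start=3, ImagePath pointing at a 2009 Microsoft i8042prt.sys), yet the keyboard, touchpad and HD Audio controller all fail with Code 39. Two things that scan does not cover are whether the live driver file still matches what Windows installed, and whether a class filter driver (UpperFilters/LowerFilters) that loads in the same device stack points at a service that no longer exists. The script below is an added example, not from the original thread or from OTL: for every device currently reporting Code 39 it looks up the driver service, verifies the key and the image file, hashes the live .sys against the copies Windows keeps in WinSxS, and then checks the device class's filter drivers the same way. It assumes Windows 7 paths and the standard `Services` and `Control\Class` registry layout, and changes nothing.

```powershell
# Added example, not from the original thread: for every device that Device
# Manager reports with Code 39, look up its driver service, check that the
# service key and the image file exist, hash the live .sys and compare it with
# the copies kept in WinSxS, and check the class filter drivers (UpperFilters /
# LowerFilters) that load around it. Assumes Windows 7 paths; read-only.

$services = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$classes  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class'
$winsxs   = Join-Path $env:SystemRoot 'winsxs'
$sha256   = [System.Security.Cryptography.SHA256]::Create()

function Get-Sha256([string]$Path) {
    $fs = [IO.File]::OpenRead($Path)
    try { [BitConverter]::ToString($sha256.ComputeHash($fs)) -replace '-', '' }
    finally { $fs.Close() }
}

function Resolve-DriverImage([string]$ImagePath) {
    # Forms seen in driver ImagePath values:
    #   system32\DRIVERS\x.sys   \SystemRoot\system32\DRIVERS\x.sys   \??\C:\...\x.sys
    $p = $ImagePath -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', ''
    $p = [Environment]::ExpandEnvironmentVariables($p)
    if (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Test-DriverService([string]$Name, [string]$Pad = '  ') {
    $key = Join-Path $services $Name
    if (-not (Test-Path $key)) { return "${Pad}$Name : NO SERVICE KEY" }
    $props = Get-ItemProperty $key
    if (-not $props.ImagePath) { return "${Pad}$Name : no ImagePath (Start=$($props.Start))" }
    $image = Resolve-DriverImage $props.ImagePath
    if (-not (Test-Path -LiteralPath $image)) { return "${Pad}$Name : $image MISSING (Start=$($props.Start))" }
    $file = Get-Item -LiteralPath $image
    $live = Get-Sha256 $image
    $out  = @("${Pad}$Name : $image  Start=$($props.Start)  $($file.VersionInfo.FileVersion)  $($file.VersionInfo.CompanyName)  SHA256=$live")
    # Each WinSxS component directory holding a file of the same name is a reference
    # copy; a mismatch against the copy with the same version stamp means the live
    # file is not the one Windows installed.
    foreach ($dir in Get-ChildItem $winsxs | Where-Object { $_.PSIsContainer }) {
        $copy = Join-Path $dir.FullName $file.Name
        if (-not (Test-Path -LiteralPath $copy)) { continue }
        $ver  = (Get-Item -LiteralPath $copy).VersionInfo.FileVersion
        $tag  = if ((Get-Sha256 $copy) -eq $live) { 'matches live file' } else { 'DIFFERS from live file' }
        $out += "${Pad}  winsxs copy $ver ($($dir.Name)): $tag"
    }
    return $out
}

function Get-Code39Report {
    foreach ($dev in Get-WmiObject Win32_PnPEntity -Filter 'ConfigManagerErrorCode = 39') {
        "$($dev.Name)  class=$($dev.ClassGuid)  service=$($dev.Service)"
        if ($dev.Service) { Test-DriverService $dev.Service }
        # Class filters load in the same device stack as the function driver; one
        # that names a service with no key or no file (a leftover of an uninstalled
        # product) is a classic Code 39 cause, and Device Manager does not show it.
        $classKey = Join-Path $classes $dev.ClassGuid
        if (Test-Path $classKey) {
            $cp = Get-ItemProperty $classKey
            foreach ($kind in 'UpperFilters', 'LowerFilters') {
                foreach ($filter in @($cp.$kind)) {
                    if ($filter) { "  $kind -> $filter"; Test-DriverService $filter '    ' }
                }
            }
        }
    }
}

Get-Code39Report
```

A `DIFFERS` line against an older-version WinSxS copy is expected after updates; the one that matters is a mismatch against the copy carrying the same `FileVersion` as the live file, which is the case where `sfc /scannow` should have replaced it. A filter entry marked `NO SERVICE KEY` or `MISSING` is fixed by removing that name from the class's `UpperFilters`/`LowerFilters` value (back the key up first), not by reinstalling the device.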

DDS ran for an hour in normal mode, hung at the same old spot (same spot it hung in before disinfection, back when combofix was hanging as well). Hard reboot and I haven't had a chance to try in safe mode (but when it was hanging in that spot before, I believe SM didn't help). If safe mode works, I'll post the log. If safe mode doesn't work, do you have a preferred alternative method of retrieving event viewer errors, or can I just pull it up, filter, and export?

P.S. SFC from Win7 CD couldn't write to event viewer logs either, so might be some issues there. Still, I believe I had event viewer up looking (briefly) for the same stuff we're looking for now and the application ran fine, and System log was viewable.

Sorry, I completely forgot about that. Rerun OTL instead: click the NONE button, change the value under Extra Registry to "use safelist" and click Run Scan. Post me extra.txt.

As for the SFC error, that is normal: Windows cannot write to the event log from the recovery environment, as it is not running there. :)
