
RootKit ZeroAccess + Sirefef.B


Hello,

I've detected an infection and tried to remove it with different tools:

  • Malwarebytes
  • CCleaner
  • Hijackthis
  • SuperAntispyware
  • SpyBot
  • BitDefender Rescue cd
  • Kaspersky Virus Removal Tool
  • Kaspersky Resource Kit (boot cd)
  • Windows Security Essentials

I've cleaned different types of infections:

  • Trojan HorseCrypt.AQLW
  • Trojan Dropper.Win32/Sirefef.B
  • Trojan Download.Win32/Obdov.H

Since then, my Windows Firewall and my local area connection won't work.

ComboFix alerted me that I was infected by the RootKit ZeroAccess.

Attached are the logs of DDS and HijackThis:

Attach.txt

DDS.txt

hijackthis.log


Hello and welcome!

Can you please also post the ComboFix log? It can be found at c:\combofix.txt

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run from.
  • Please copy and paste the log into your reply.


Hello again, still quite some work to do here. :)

Please download http://download.bleepingcomputer.com/sUBs/MiniFixes/RestoreBFE.exe

Double click on the downloaded file. It should only take a few seconds to run.

When complete, it will say: "Done! Please check if BFE service is running now"

Please download and run this file (this will restore the other missing service): http://download.bleepingcomputer.com/win-services/7/MpsSvc.reg

OTL

-----

Please download OTL from one of the following mirrors:

  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the NONE button.
  • Copy and paste the following code into the custom scan/fix textbox:

    netsvcs

  • Push the Run Scan button.
  • A report will open. Copy and paste that report in your next reply.


Hi again,

CF-SCRIPT

-------------

We need to execute a CF-script.

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:

MIA::
c:\windows\system32\drivers\netbt.sys
c:\windows\system32\drivers\tdx.sys

Save this as CFScript.txt, in the same location as ComboFix.exe.

[Image: CFScriptB-4.gif, dragging CFScript.txt onto ComboFix.exe]

Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Unfortunately we need to replace two missing files. No copies seem present. Can you do the following and then rerun combofix and post me the new log?

Click Start > All Programs > Accessories, right click Command Prompt and select "run as administrator".

Type sfc /scannow and press enter. Let the system file checker run unhindered.


Please navigate to the following files, right click them and select Copy. Then go to a USB drive, right click in an empty space and select Paste.

c:\windows\system32\drivers\netbt.sys

c:\windows\system32\drivers\tdx.sys

Now on the problem computer, insert the USB drive, select the files and right click > Copy. Navigate to c:\windows\system32\drivers and right click in an empty space > click Paste.

After that rerun combofix and post me the new log.

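As an added example, not from the helper's instructions or from any of the tools named in this thread, the following PowerShell script reports, on the affected machine, the items the thread restores one by one: the BFE and MpsSvc services and the netbt.sys and tdx.sys driver files, plus a SHA-256 of each driver to compare against the same file on a known-clean machine. The service and file names are the ones the thread names; the script's structure and output format are assumed. Run it as administrator.

```powershell
# Added example (not part of the thread or of any tool named in it): check the
# items the helper restores by hand above. Service and driver names come from the
# thread; everything else here is this example's own choice.
$ServiceNames = @('BFE', 'MpsSvc')          # Base Filtering Engine, Windows Firewall service
$DriverNames  = @('netbt.sys', 'tdx.sys')   # the two files the CFScript MIA:: lines asked about
$DriverDir    = Join-Path $env:SystemRoot 'System32\drivers'

function Get-ServiceState {
    param([string]$Name)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    $state = if ($null -eq $svc) { 'MISSING' } else { $svc.Status.ToString() }
    New-Object PSObject -Property @{ Item = $Name; Kind = 'Service'; State = $state; Sha256 = '' }
}

function Get-DriverState {
    param([string]$FileName)
    $path = Join-Path $DriverDir $FileName
    if (-not (Test-Path -LiteralPath $path)) {
        return New-Object PSObject -Property @{ Item = $FileName; Kind = 'Driver'; State = 'MISSING'; Sha256 = '' }
    }
    # OS drivers are usually catalog-signed, so 'NotSigned' alone is not proof of tampering;
    # the SHA-256 is there to compare with the same file on a known-clean machine, which is
    # the comparison the "copy from a USB drive" step in the thread relies on.
    $sig    = Get-AuthenticodeSignature -FilePath $path
    $stream = [System.IO.File]::OpenRead($path)
    try {
        $hash = [System.BitConverter]::ToString(
            [System.Security.Cryptography.SHA256]::Create().ComputeHash($stream)) -replace '-', ''
    } finally { $stream.Close() }
    New-Object PSObject -Property @{ Item = $FileName; Kind = 'Driver'; State = $sig.Status.ToString(); Sha256 = $hash }
}

$results = @($ServiceNames | ForEach-Object { Get-ServiceState -Name $_ }) +
           @($DriverNames  | ForEach-Object { Get-DriverState  -FileName $_ })
$results | Select-Object Kind, Item, State, Sha256 | Format-Table -AutoSize

# A service that is MISSING or not Running matches the firewall symptom in the thread
# (repair step: RestoreBFE.exe / MpsSvc.reg); a MISSING driver matches the "Local Area
# Connection" symptom (repair step: sfc /scannow, then a copy from a clean machine).
$bad = $results | Where-Object { @('Running', 'Valid') -notcontains $_.State }
if ($bad) { Write-Warning ('Check these items: ' + (($bad | ForEach-Object { $_.Item }) -join ', ')) }
```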

How are things running at this point?

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run from.
  • Please copy and paste the log into your reply.


As indicated in the attached log, the computer receives an IP address from DHCP and can connect to the Internet.

But no "Local Area Connection"; I'm still unable to connect to the different mapped network drives.

Another thing: explorer.exe stops working sometimes; it restarts and then stops working again.

This topic is now closed to further replies.