
ZeroAccess infection



Hi,

I have a ZeroAccess infection. I have done all the steps mentioned below, but I still think that it is there.

Could anybody help, please?

John Paul S.

-------------------------------------------------------------

####################################################################################################
###                                   Removing viral infection                                   ###
####################################################################################################

====================================================================================================
00. Infections found
====================================================================================================

 1. With ComboFix
    - Trojan.Sirefef.YS in Desktop.ini
    - Rootkit.ZeroAcess inserted into tcp/ip stack (= Message by ComboFix)
                
 2. With RKill
    * ALERT: ZEROACCESS rootkit symptoms found!
    * C:\WINDOWS\assembly\GAC\Desktop.ini [ZA File]
    * ALERT: ZEROACCESS Reparse Point/Junction found!
        * C:\WINDOWS\$NtUninstallKB65459$\1241927679 => c:\windows\system32\config [File]
        
 3. After running the anti-malware tools mentioned below, ComboFix & RKill are not showing anything now.
    Especially, C:\WINDOWS\assembly\GAC\Desktop.ini has been deleted, as has C:\WINDOWS\$NtUninstallKB65459$\1241927679
    
 4. Remaining problem:
    - Not sure if everything is clean since some weird cookies are added in my "Cookies" directory
      even if there is no browser open; this happens especially when the network cable is plugged in.
      I have the impression that the Rootkit.ZeroAccess is still inserted into the tcp/ip stack even if
      ComboFix is not reporting it anymore
                        
====================================================================================================
01. Current computer configuration
====================================================================================================

01. Dell laptop D630 - 4 GB RAM
02. Windows XP SP3 not up to date because I think it is better to solve my viral infection first

====================================================================================================
02. Preparatory work done
====================================================================================================

01. Uninstallation of antivirus (otherwise will interfere with ComboFix)
    - Used uninstall / official remover (AvgRemover to be chosen according to version installed)

02. Uninstallation of Online Armor Firewall

03. Removed unnecessary programs from Windows startup
    
04. Complementary checking
    - Copy all virus cleaning programs to disk D:\
    - Shut down computer & Disconnect all other external drives
    - Reboot & check that antivirus & firewall are uninstalled

05. Start computer in safe mode or normal mode depending on the removal program
    - With network functionalities
    - Set screen to max possible

====================================================================================================    
03. Unlocking environment done
====================================================================================================
01. Unhide program
    = Unhide all Windows files, especially those hidden by the virus

02. Defogger = Unlock virtual DVD & CD units
    - Stop CD & DVD emulation software = Perturbing antivirus
    - Will reboot the computer (Safe Mode)
    - Re-enable after done!!!!
    
03. RKill = To kill all viral processes ==> After each reboot !!!!!!!!!!!!!!!!
    - Renamed to iexplore to avoid it being stopped by malicious programs
    - Run RKill
    - Problems found (mentioned above)

04. FixExec = To repair ".Exec" + ".Com3" link

05. Farbar Tools
    01. GrantPerms = To grant permission to locked files
    02. Farbar Service Scanner
    03. MiniToolBox

====================================================================================================
04. Core Scanning Tools Used
====================================================================================================    
00. Cleaning Tools = To be used when file with virus is found and cannot be easily deleted

    01. VT Hash Check = Check file authenticity & Can also delete file before reboot if needed
    02. BlitzBlank    = Delete Files before Windows Boot in case needed

01. Microsoft Safety Scanner
    - Used for 1st detection only
    - Not used after

02. Kaspersky TDSSKiller
    - Download and rename as : iexplore.exe
    - Change parameters : Select "detect TDLFS file system"
    - Run scan
    
03. ComboFix
    - Made sure that no antivirus + Firewall are running
    - Made sure that running in safe mode without networking
    - ComboFix will send info on what was detected, then ask for a reboot => Accept, and if it does not stop, force it (press power button) & restart in safe mode (F8)
    - ComboFix started again automatically before Windows starts:
        - Displayed completed stages (1,2...50)
        - Deleted files that are corrupted
    - ComboFix will reboot the computer itself - Do not reboot the computer manually !!!!!
    - ComboFix will then generate a report in c:\ComboFix.txt
    - Rescan with ComboFix until it produces the same report file

04. RogueKiller = Safe Mode + Network connection
    - Run RKill
    - Run RogueKiller
    
    http://www.adlice.com/zeroaccess-removal-with-roguekiller/ = Website given as a result; it contains web malware!

05. MalwareBytes Chameleon = In Normal Mode ; does not work in Safe Mode even with Networking
    - Run svhost.exe
    - Perform a Quick scan & Delete all malwares found
    - Perform a Full  Scan & Delete all malwares found

06. HitmanPro
    - In Normal Mode
    - Malware found and deleted
07. MalwareByte Anti-Rootkit
08. AdwCleaner
09. Junkware Removal
10. Eset Online Scanner
11. Emsisoft Emergency Kit
12. Farbar Recovery Scan Tool (Safe Mode)
13. SuperAntiSpyware
    - Found cookies and deleted them

====================================================================================================
04. Complementary checks done
====================================================================================================

01. OTL
02. HijackThis
03. Short-cut Cleaner

====================================================================================================
05. Completion
====================================================================================================
    - Re-run main "Unlocking environment"
    - Re-run all "Core"
            - Re-enable CD & DVD emulation software with Defogger!!!!
    - Delete all malware program quarantine folders
    - Uninstall all malware programs
    - Remove all cookies: C:\Documents & Settings\(all accounts)\Cookies

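Added example, not part of the original post: a small PowerShell check (PowerShell 2.0 or later) for the two indicators RKill reported above, the Desktop.ini under assembly\GAC and a reparse point inside a $NtUninstall...$ folder, so the result of the cleanup can be re-verified after each reboot without re-running the full tool set. The folder and file names are the ones from the post; the message texts are my own.

```powershell
# Added example (not from the original post): re-check the ZeroAccess
# indicators RKill listed, so a rescan can confirm they are really gone.
# Assumes PowerShell 2.0+ and that %SystemRoot% is the infected Windows dir.
$findings = @()

# 1. Desktop.ini in the GAC folder, flagged by RKill as a ZeroAccess file.
$gacIni = Join-Path $env:SystemRoot 'assembly\GAC\Desktop.ini'
if (Test-Path -LiteralPath $gacIni) {
    $findings += "Suspicious file present: $gacIni"
}

# 2. A reparse point (junction) inside a fake hotfix uninstall folder.
#    RKill reported $NtUninstallKB65459$\1241927679 => system32\config.
#    A genuine uninstall folder holds backed-up files, not a reparse point.
$junctions = Get-ChildItem -LiteralPath $env:SystemRoot -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer -and $_.Name -like '$NtUninstall*$' } |
    ForEach-Object { Get-ChildItem -LiteralPath $_.FullName -Force -ErrorAction SilentlyContinue } |
    Where-Object { ($_.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0 }

$findings += $junctions | ForEach-Object {
    "Reparse point inside uninstall folder: $($_.FullName)"
}

# 3. Report. An empty list only means these two indicators are absent,
#    not that the machine is clean; the tools above remain the authority.
if ($findings.Count -eq 0) {
    'No ZeroAccess file/junction indicators found'
} else {
    $findings
}
```

Run it from an elevated PowerShell prompt after each reboot; if the reparse point reappears, the infection is re-creating it and the cleanup is not finished.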

Root Admin

As you have already posted for this on the Bleepingcomputer site I'll go ahead and close this topic. Many of the same helpers work different sites and posting the same to different sites simply wastes the limited resources. Please stick with Bleepingcomputer and they will get you fixed up.

http://www.bleepingcomputer.com/forums/t/530247/zeroaccess-infection/

Thank you

This topic is now closed to further replies.