Avast WEBforum

Other => Viruses and worms => Topic started by: Kleidophoros on November 15, 2011, 03:03:15 AM

Title: Zero access rootkit - afterwards
Post by: Kleidophoros on November 15, 2011, 03:03:15 AM
Hi people
I need a bit of help; got a nasty ZeroAccess rootkit on my desktop, ran TDSSKiller, didn't clean.
Tried Combofix; it seems Combofix cleaned the rootkit but broke my internet and didn't give me a log file. But it created a folder in C: named Combofix. When I tried to open it, it took me back to My Computer under Combofix.
Rebooted, uninstalled Combofix, ran Combofix again (accidentally, while trying to install the recovery console) and got a log this time. Can anyone see if anything is off?
Thank you in advance.
Title: Re: Zero access rootkit - afterwards
Post by: true indian on November 15, 2011, 06:34:29 AM
Quote
Tried combofix

First, you should never use Combofix without assistance from an expert or a knowledgeable person....
 
Your combofix latest log is clean...


Quote
but broke my internet

In that case try this:

1.Click on the Start button.
2.Click on the Settings menu option.
3.Click on the Control Panel option.
4.When the Control Panel opens, double-click on the Network Connections icon. If your Control Panel is set to Category View, then double-click on Network and Internet Connections and then click on Network Connections at the bottom.
5.You will now see a list of available network connections. Locate the connection for your Wireless or Lan adapter and right-click on it.
6.You will now see a menu similar to the image below. Simply click on the Repair menu option.
(http://www.bleepstatic.com/combofix/en/repair.jpg)
7.Let the repair process perform its tasks and when it has finished, your Internet connection should be working again.
Alternatively, if your network icon also appears on the Windows taskbar, then you can repair it by right-clicking on the icon and selecting Repair as shown below.
(http://www.bleepstatic.com/combofix/en/tray-repair.jpg)
Title: Re: Zero access rootkit - afterwards
Post by: Kleidophoros on November 15, 2011, 07:59:48 AM
Quote
First, you should never use Combofix without assistance from an expert or a knowledgeable person....

Sure, but I don't see why. The only user input is a double click to start the program and the occasional mandatory "Yes".
 
Quote
Your combofix latest log is clean...
Thank you.

Quote
but broke my internet

Quote
In that case try this:
I did; it didn't work. Had to fiddle with TCP/IP and Winsock to get the interwebz back.
Title: Re: Zero access rootkit - afterwards
Post by: DavidR on November 15, 2011, 01:13:42 PM
With Combofix, it isn't the lack of user input that is the problem, but what it does: it is a pretty powerful tool, which takes deletion action from the first run.

With the latest malware some require action in a specific order to successfully remove the infection without damaging other areas. Some move your desktop icons and other elements to other areas. In removing the infection you can lose the references to those locations and it is difficult to get your system back to normal (as you found).

We have already seen instances of this in the viruses and worms forums. This is why essexboy uses analysis tools first in a specific order before starting the removal process, and generally will leave combofix to last if it is needed at all.
Title: Re: Zero access rootkit - afterwards
Post by: Kleidophoros on November 15, 2011, 01:32:24 PM
Sure, I understand the complications that may arise from using the program; the thing is, I had already tried a few alternatives and my wife was all over me all the time with "OMG MY FILES GONE NOW?!?!" so I had to take action immediately.
If it happens again I will do it the proper way, scout's honour.

Thank you for the replies by the way, don't think I don't appreciate it.
Title: Re: Zero access rootkit - afterwards
Post by: CraigB on November 15, 2011, 01:38:55 PM
Quote
Tried combofix

First, you should never use Combofix without assistance from an expert or a knowledgeable person....
 
Your combofix latest log is clean...


The same goes for people who are analyzing logs; they should also be experts and knowledgeable, which you, true indian, are not!
Title: Re: Zero access rootkit - afterwards
Post by: DavidR on November 15, 2011, 01:40:19 PM
You're welcome.

Hopefully it won't happen again but should it, this topic is a good start point, http://forum.avast.com/index.php?topic=53253.0 (http://forum.avast.com/index.php?topic=53253.0).
Title: Re: Zero access rootkit - afterwards
Post by: true indian on November 15, 2011, 01:46:06 PM
Quote
The same goes for people who are analyzing logs; they should also be experts and knowledgeable, which you, true indian, are not!

I didn't tell him to run Combofix :o ...I just gave him some simple advice on fixing the net connection....
Title: Re: Zero access rootkit - afterwards
Post by: CraigB on November 15, 2011, 01:53:36 PM
Quote
The same goes for people who are analyzing logs; they should also be experts and knowledgeable, which you, true indian, are not!

Quote
I didn't tell him to run Combofix :o ...I just gave him some simple advice on fixing the net connection....

You need to read my post correctly; I didn't say anything about you telling him to run Combofix, I said that you shouldn't be commenting on the logs being safe as you are not an expert.
Title: Re: Zero access rootkit - afterwards
Post by: true indian on November 15, 2011, 01:57:02 PM
Quote
I said that you shouldn't be commenting on the logs being safe as you are not an expert.

Hey! Look...a Combofix log is easy to read...if you don't see the "other deletions" column in the log, that means it didn't find anything...I know about it, that's why I commented on it...I never comment when I don't know what it is :P
Title: Re: Zero access rootkit - afterwards
Post by: DavidR on November 15, 2011, 02:23:14 PM
You will understand our concern when someone whom we don't know, who has just arrived in the forums, promptly jumps in with both feet when it concerns malware removal.

We have seen it before, and that person's advice was poor and could have damaged a user's system, and that is all we are concerned about. That person was banned (also from Mumbi) and tried to come back under a different user name, and they too were subsequently banned.

So we are on the lookout for new and unknown people offering advice which could well harm a user's system.

Making comments like "Hey! look...combofix log is easy to read..." doesn't fill us with confidence either; whilst it might be easy to read, it isn't so easy to analyse the other content, and just because it didn't have "other deletions column in the log that means it didnt find anything" doesn't mean that the system is clean.

I notice the OP's log shows his wife is running ESET, not avast, and avast detects/blocks these ZeroAccess/consrv attempts to connect to malicious sites (many such instances in the viruses and worms forum).
Title: Re: Zero access rootkit - afterwards
Post by: true indian on November 15, 2011, 02:32:18 PM
sorry!..i will keep a note..will not repeat that mistake again :'( ...
Title: Re: Zero access rootkit - afterwards
Post by: Asyn on November 15, 2011, 02:39:01 PM
Quote
You will understand our concern when someone who we don't know...

Not sure if we don't know him... ;)
Title: Re: Zero access rootkit - afterwards
Post by: essexboy on November 15, 2011, 09:08:06 PM
@Kleidophoros, did you say that you had lost the files and folders on your computer?

If so then run this programme

Download RogueKiller (http://www.sur-la-toile.com/RogueKiller/) to your desktop
 

Please post the contents of the RKreport.txt in your next Reply.
Title: Re: Zero access rootkit - afterwards
Post by: Kleidophoros on November 16, 2011, 06:49:08 PM
No i didn't actually lose any files, it was just wife being well..wife.

But I did use RogueKiller and attached the log.
Title: Re: Zero access rootkit - afterwards
Post by: essexboy on November 16, 2011, 10:01:36 PM
RogueKiller found a few; are you experiencing any other problems? There may be remnants, which I can check for if you wish.


RogueKiller V6.1.8 [11/14/2011] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Burak Yolacan [Admin rights]
Mode: Shortcuts HJfix -- Date : 11/16/2011 19:28:03

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ File attributes restored: ¤¤¤
Desktop: Success 0 / Fail 0
Quick launch: Success 0 / Fail 0
Programs: Success 13 / Fail 0
Start menu: Success 1 / Fail 0
User folder: Success 60 / Fail 0

My documents: Success 0 / Fail 0
My favorites: Success 0 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 0 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 740 / Fail 0
Backup: [NOT FOUND]

Drives:
[A:] \Device\Floppy0 -- 0x2 --> Skipped
[C:] \Device\HarddiskVolume1 -- 0x3 --> Restored
[D:] \Device\HarddiskVolume2 -- 0x3 --> Restored
[E:] \Device\HarddiskVolume4 -- 0x3 --> Restored
[F:] \Device\HarddiskVolume3 -- 0x3 --> Restored
[G:] \Device\HarddiskVolume5 -- 0x3 --> Restored
[I:] \Device\CdRom0 -- 0x5 --> Skipped
[K:] \Device\HarddiskVolume6 -- 0x3 --> Restored


¤¤¤ Infection :  ¤¤¤

Finished : << RKreport[1].txt >>
RKreport[1].txt


Scan check


Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your Desktop
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
consrv.dll
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
C:\Windows\assembly\tmp\U\*.* /s
CREATERESTOREPOINT
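The custom scan above asks OTL to list executables in the root of the system drive, record MD5 hashes of the named system binaries (consrv.dll being the file ZeroAccess planted on this system), and list everything under C:\Windows\assembly\tmp\U. The script below is an added illustration, not OTL's code and not from the post: it reproduces those three checks on a constructed stand-in directory tree so you can see what the scan collects and which findings a helper looks at first. The search directories (Windows\ and Windows\system32) and the "indicator" rules are this example's assumptions.

```python
import hashlib
import os
import tempfile

# Files the OTL custom scan hashes between /md5start and /md5stop (names from the post).
MD5_TARGETS = ["consrv.dll", "explorer.exe", "winlogon.exe", "Userinit.exe", "svchost.exe"]

# Relative form of C:\Windows\assembly\tmp\U, the directory the scan lists with /s (path from the post).
ASSEMBLY_TMP_U = os.path.join("Windows", "assembly", "tmp", "U")

# Assumption for this example: the named binaries are looked up in Windows\ and Windows\system32 only.
SEARCH_SUBDIRS = ["Windows", os.path.join("Windows", "system32")]


def md5_of(path):
    """MD5 of a file, read in chunks so large binaries need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_targets(root):
    """Map each MD5 target to its hash, or None when no such file exists under root."""
    result = {}
    for name in MD5_TARGETS:
        result[name] = None
        for sub in SEARCH_SUBDIRS:
            candidate = os.path.join(root, sub, name)
            if os.path.isfile(candidate):
                result[name] = md5_of(candidate)
                break
    return result


def system_drive_exes(root):
    """Equivalent of %SYSTEMDRIVE%\\*.exe: executables sitting in the drive root."""
    return sorted(f for f in os.listdir(root)
                  if f.lower().endswith(".exe") and os.path.isfile(os.path.join(root, f)))


def assembly_tmp_u_listing(root):
    """Recursive listing of Windows\\assembly\\tmp\\U, as the /s switch requests."""
    base = os.path.join(root, ASSEMBLY_TMP_U)
    if not os.path.isdir(base):
        return []
    found = []
    for dirpath, _dirs, files in os.walk(base):
        for f in files:
            rel = os.path.relpath(os.path.join(dirpath, f), root)
            found.append(rel.replace(os.sep, "\\"))
    return sorted(found)


def scan(root):
    """Collect the three sections of the custom scan into one report."""
    return {
        "drive_root_exes": system_drive_exes(root),
        "md5": hash_targets(root),
        "assembly_tmp_u": assembly_tmp_u_listing(root),
    }


def indicators(report):
    """Findings to look at first. Treating a consrv.dll in a Windows XP system directory and
    any content under assembly\\tmp\\U as suspicious is this example's assumption."""
    flags = []
    if report["md5"]["consrv.dll"] is not None:
        flags.append("consrv.dll present")
    if report["assembly_tmp_u"]:
        flags.append("files under Windows\\assembly\\tmp\\U")
    return flags


def build_demo_tree():
    """Constructed stand-in for the OP's system drive; all file contents are arbitrary bytes."""
    root = tempfile.mkdtemp(prefix="otl_demo_")
    files = {
        os.path.join("Windows", "explorer.exe"): b"",  # empty: MD5 d41d8cd98f00b204e9800998ecf8427e
        os.path.join("Windows", "system32", "winlogon.exe"): b"winlogon stand-in",
        os.path.join("Windows", "system32", "Userinit.exe"): b"userinit stand-in",
        os.path.join("Windows", "system32", "svchost.exe"): b"svchost stand-in",
        os.path.join("Windows", "system32", "consrv.dll"): b"constructed: not a stock XP file",
        os.path.join(ASSEMBLY_TMP_U, "constructed.dat"): b"constructed payload placeholder",
        "constructed-root.exe": b"stand-in for an executable in the drive root",
    }
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    rep = scan(build_demo_tree())
    for section, value in rep.items():
        print(section, value)
    print("indicators:", indicators(rep))
```

The MD5 column is the useful part when reading a real OTL report: a stock system binary hashes to a known value, so an unexpected hash on winlogon.exe or svchost.exe, or any hash at all for consrv.dll on an XP machine, is what the helper is comparing against.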

Title: Re: Zero access rootkit - afterwards
Post by: Kleidophoros on November 16, 2011, 10:40:34 PM
Both logs attached.

Something I noticed today; I don't really know how to explain this, but it was like the PC was hiccuping every 30 seconds or so for about half a second: mouse pointer coming to a halt, screen freezing if I am playing a game/watching a movie. I checked the task manager; nothing funny in processes, but I noticed one core of the CPU had no load while the other core had some 15% load all the time. It went away after I rebooted the PC. Come to think of it, I believe I experienced the same thing some months ago too.

Also, I didn't disable the antivirus and ESET decided to delete part of my Steam library..

Code:
16.11.2011 23:32:00 Real-time file system protection file C:\Program Files\Steam\steamapps\common\amnesia the dark descent\Launcher.exe probably unknown CRYPT.WIN32 virus deleted - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to run the file by the application: C:\Documents and Settings\Burak Yolacan\Desktop\OTL.exe.
16.11.2011 23:32:00 Real-time file system protection file C:\Program Files\Steam\steamapps\common\penumbra overture\redist\Penumbra.exe probably unknown CRYPT.WIN32 virus deleted - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to run the file by the application: C:\Documents and Settings\Burak Yolacan\Desktop\OTL.exe.
16.11.2011 23:32:00 Real-time file system protection file C:\Program Files\Steam\steamapps\common\penumbra black plague\redist\Requiem.exe probably unknown CRYPT.WIN32 virus deleted - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to run the file by the application: C:\Documents and Settings\Burak Yolacan\Desktop\OTL.exe.
16.11.2011 23:31:59 Real-time file system protection file C:\Program Files\Steam\steamapps\common\penumbra black plague\redist\Penumbra.exe probably unknown CRYPT.WIN32 virus deleted - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to run the file by the application: C:\Documents and Settings\Burak Yolacan\Desktop\OTL.exe.
16.11.2011 23:31:59 Real-time file system protection file C:\Program Files\Steam\steamapps\common\oddworld abes exoddus\Exoddus.exe probably unknown CRYPT.WIN32 virus deleted - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to run the file by the application: C:\Documents and Settings\Burak Yolacan\Desktop\OTL.exe.
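Each of those ESET lines carries the same fields: timestamp, module, the file acted on, the detection name, the action, the account, and the application whose access triggered the scan. The parser below is an added example, not ESET's format specification and not from the post: it reads the five lines as pasted, then summarises what a helper would check before accepting the verdicts. All five detections are heuristic ("probably unknown ... virus", not a named signature), all were triggered by OTL.exe reading the files to hash them within one second, and all ended in quarantine, so they can be restored once the files are confirmed good. The regular expression only covers the heuristic detection form seen in this post; other ESET detection names would need an extended pattern.

```python
import re
from collections import Counter
from datetime import datetime

# Log lines copied from the post above (ESET real-time protection, as pasted by the OP).
ESET_LOG = r"""
16.11.2011 23:32:00 Real-time file system protection file C:\Program Files\Steam\steamapps\common\amnesia the dark descent\Launcher.exe probably unknown CRYPT.WIN32 virus deleted - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to run the file by the application: C:\Documents and Settings\Burak Yolacan\Desktop\OTL.exe.
16.11.2011 23:32:00 Real-time file system protection file C:\Program Files\Steam\steamapps\common\penumbra overture\redist\Penumbra.exe probably unknown CRYPT.WIN32 virus deleted - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to run the file by the application: C:\Documents and Settings\Burak Yolacan\Desktop\OTL.exe.
16.11.2011 23:32:00 Real-time file system protection file C:\Program Files\Steam\steamapps\common\penumbra black plague\redist\Requiem.exe probably unknown CRYPT.WIN32 virus deleted - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to run the file by the application: C:\Documents and Settings\Burak Yolacan\Desktop\OTL.exe.
16.11.2011 23:31:59 Real-time file system protection file C:\Program Files\Steam\steamapps\common\penumbra black plague\redist\Penumbra.exe probably unknown CRYPT.WIN32 virus deleted - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to run the file by the application: C:\Documents and Settings\Burak Yolacan\Desktop\OTL.exe.
16.11.2011 23:31:59 Real-time file system protection file C:\Program Files\Steam\steamapps\common\oddworld abes exoddus\Exoddus.exe probably unknown CRYPT.WIN32 virus deleted - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to run the file by the application: C:\Documents and Settings\Burak Yolacan\Desktop\OTL.exe.
"""

# Field layout inferred from the pasted lines; the threat group only matches the heuristic
# "probably unknown <family> virus" form present in this post (an assumption of this example).
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<module>Real-time file system protection) "
    r"file (?P<path>.+?) "
    r"(?P<threat>probably unknown \S+ virus) "
    r"(?P<action>.+?) "
    r"(?P<user>NT AUTHORITY\\SYSTEM|\S+) "
    r"Event occurred during an attempt to run the file by the application: (?P<app>.+?)\.?$"
)


def parse_line(line):
    """One log line to a dict of fields, or None if the line does not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%d.%m.%Y %H:%M:%S")
    return event


def parse_log(text):
    """Parse every non-empty line; unparseable lines are dropped rather than guessed at."""
    return [ev for ev in (parse_line(line) for line in text.splitlines()) if ev]


def summarize(events):
    """Counts a helper wants before deciding whether the quarantine should stand."""
    times = [ev["ts"] for ev in events]
    return {
        "count": len(events),
        "by_app": dict(Counter(ev["app"] for ev in events)),
        "heuristic": sum(1 for ev in events if ev["threat"].startswith("probably unknown")),
        "quarantined": sorted(ev["path"] for ev in events if "quarantined" in ev["action"]),
        "span_seconds": int((max(times) - min(times)).total_seconds()) if events else 0,
    }


def review_candidates(events):
    """Detections worth a second look: a heuristic name, and the access that triggered them
    came from a different program than the file itself (here, a diagnostic tool hashing files)."""
    return [ev["path"] for ev in events
            if ev["threat"].startswith("probably unknown")
            and ev["app"].lower() != ev["path"].lower()]


if __name__ == "__main__":
    evs = parse_log(ESET_LOG)
    print(summarize(evs))
    print("review before accepting:", review_candidates(evs))
```

The "triggered by" field is the one that matters here: every quarantine was caused by the same diagnostic tool opening files during a scan, which is exactly why the removal instructions in this thread say to disable the antivirus before running the tools, and why the quarantined files are the ones to restore afterwards rather than re-download blindly.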
Title: Re: Zero access rootkit - afterwards
Post by: essexboy on November 16, 2011, 10:48:21 PM
You are still infected

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot

Run OTL
THEN

Please allow combofix to install the recovery console

Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1  (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)
(http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png)

(http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png)

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the Combofix log in your next reply, as well as describing how your computer is running now
Title: Re: Zero access rootkit - afterwards
Post by: Kleidophoros on November 16, 2011, 11:14:32 PM
Both logs attached.

I don't notice anything funny with the operation of the pc.
Title: Re: Zero access rootkit - afterwards
Post by: essexboy on November 16, 2011, 11:24:08 PM
http://www.threatexpert.com/files/winsys2.exe.html - It is a trojan downloader just getting ready to start again

If you are still happy with the system tomorrow let me know and I will remove my tools  ;D
Title: Re: Zero access rootkit - afterwards
Post by: Kleidophoros on November 16, 2011, 11:26:42 PM
If we can clean it now I would love to, don't wanna risk it once more.

Also, do you know what this is?
Code:
[Path][Folder name][File name][Extension][Size]
C:\Documents and Settings\Burak Yolacan\Local Settings\Application Data\BaCkDoOr_SyStEm\s_selector.exe_Url_nbjkdc30iatxpcrp4knjbgtyr1sy2exs0 Byte
C:\Documents and Settings\Burak Yolacan\Local Settings\Application Data\BaCkDoOr_SyStEm\s_selector.exe_Url_nbjkdc30iatxpcrp4knjbgtyr1sy2exs\2.1.0.00 Byte
C:\Documents and Settings\Burak Yolacan\Local Settings\Application Data\BaCkDoOr_SyStEm\s_selector.exe_Url_nbjkdc30iatxpcrp4knjbgtyr1sy2exs\2.1.0.0\user.configconfig372 Byte

Total number of folders = 2
Total number of files  = 1
Sum of file sizes = 372 Byte
Title: Re: Zero access rootkit - afterwards
Post by: essexboy on November 16, 2011, 11:32:48 PM
Don't recognise the format - Should be OK to delete them

I feel you are clean now but I would like to wait a bit just to be sure
Title: Re: Zero access rootkit - afterwards
Post by: Kleidophoros on November 16, 2011, 11:37:55 PM
I see 2 winsys2.exes on the PC: system32\reinstallbackups\0003\driverfiles and OTL\movedfiles

I will probably not be able to notice it for a while if this thing acts up again; it's not the main PC and I don't use it much. Any programs to scan the PC, say tomorrow or the day after, to see if everything's okay?
Title: Re: Zero access rootkit - afterwards
Post by: essexboy on November 16, 2011, 11:38:57 PM
Aye and I will also remove the quarantined files
Title: Re: Zero access rootkit - afterwards
Post by: Kleidophoros on November 16, 2011, 11:41:36 PM
Uhm sorry but what..?
Nevermind, thank you for the help.
Title: Re: Zero access rootkit - afterwards
Post by: Kleidophoros on November 17, 2011, 07:54:31 PM
Sorry for the double post but I need to post an update.

First, got rid of NOD32 and installed avast Free.
The PC keeps freezing; 5 times now, forcing me to hard reset.
WinRAR is acting funny; double clicking an archive runs winrar.exe but I can't see the UI. If I double click again I get another winrar.exe; I saw as many as 10 in the first attempt to open an archive. Right click > Extract Here extracts the archive but I still can't see the UI.
avast is set to scan documents when opening and writing. AutoSandbox is on but set to ask, and it hasn't asked anything yet.

Also, I get a window (C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled) with a shortcut to adobegammaloader.exe inside at startup; it's just annoying.
Any help?
Title: Re: Zero access rootkit - afterwards
Post by: DavidR on November 17, 2011, 08:34:09 PM
How did you get rid of NOD32?

There is also a removal tool you might want to try:
ESET/NOD32 Uninstall Tool - http://kb.eset.com/esetkb/index?page=content&id=SOLN2116 (http://kb.eset.com/esetkb/index?page=content&id=SOLN2116) Make sure you choose the correct uninstaller for your ESET product and your OS (32bit or 64bit version), right click on the link and select Save As or Save File (As depending on your browser), save it to your desktop.

Also see http://thewebatom.net/uninstallers/security-software/ (http://thewebatom.net/uninstallers/security-software/); this has a collection of manufacturers' removal tools, so that should remove any remnants, registry entries, etc.
Title: Re: Zero access rootkit - afterwards
Post by: Kleidophoros on November 17, 2011, 08:41:48 PM
You didn't check that page for a while, did you? There is no uninstaller, just "Uninstall" and delete a few leftover folders.
Ooh, it's buried down there under manual uninstall..
Link to the ESET uninstaller: http://kb.eset.com/esetkb/index?page=content&id=SOLN2289

Second link has the program so I am gonna run it now.

Edit1: Okay, uninstalled it completely. WinRAR still acting funny, gonna reinstall I guess. Gonna see if the PC still freezes too.

Edit2: WinRAR back to normal after reinstall. Gotta wait for freezes.
Title: Re: Zero access rootkit - afterwards
Post by: essexboy on November 17, 2011, 09:31:38 PM
As I say, once you are happy let me know and I will remove the tools cleanly