Author Topic: Zero access rootkit - afterwards  (Read 6903 times)

Offline Kleidophoros

  • Newbie
  • Posts: 11
Zero access rootkit - afterwards
« on: November 15, 2011, 01:03:15 AM »
Hi people
I need a bit of help; got a nasty ZeroAccess rootkit on my desktop, ran TDSSKiller, didn't clean.
Tried ComboFix; it seems ComboFix cleaned the rootkit but broke my internet and didn't give me a log file. But it created a folder in C: named ComboFix. When I tried to open it, it took me back to My Computer under ComboFix.
Rebooted, uninstalled ComboFix, ran ComboFix again (accidentally, while trying to install the Recovery Console) and got a log this time. Can anyone see if anything is off?
Thank you in advance.

Offline True Indian

  • Malware Hunter
  • Advanced Poster
  • Posts: 728
  • Gender: Male
  • A Good Old Indian!
Re: Zero access rootkit - afterwards
« Reply #1 on: November 15, 2011, 04:34:29 AM »
Quote
Tried ComboFix

First, you should never use ComboFix without assistance from an expert or a knowledgeable person....
 
Your latest ComboFix log is clean...


Quote
but broke my internet

In that case try this:

1. Click on the Start button.
2. Click on the Settings menu option.
3. Click on the Control Panel option.
4. When the Control Panel opens, double-click on the Network Connections icon. If your Control Panel is set to Category View, then double-click on Network and Internet Connections and then click on Network Connections at the bottom.
5. You will now see a list of available network connections. Locate the connection for your Wireless or LAN adapter and right-click on it.
6. You will now see a menu similar to the image below. Simply click on the Repair menu option.

7. Let the repair process perform its tasks and when it has finished, your Internet connection should be working again.
Alternatively, if your network icon also appears on the Windows taskbar, then you can repair it by right-clicking on the icon and selecting Repair as shown below.

Offline Kleidophoros

  • Newbie
  • Posts: 11
Re: Zero access rootkit - afterwards
« Reply #2 on: November 15, 2011, 05:59:48 AM »
Quote
First, you should never use ComboFix without assistance from an expert or a knowledgeable person....
Sure, but I don't see why. The only user input is a double-click to start the program and the occasional mandatory "Yes".
 
Quote
Your latest ComboFix log is clean...
Thank you.

Quote
but broke my internet

Quote
In that case try this:
I did; it didn't work. Had to fiddle with TCP/IP and Winsock to get the interwebz back.
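The TCP/IP and Winsock reset the original poster alludes to, written out as an added example (not from any post in this thread). It assumes Windows XP SP2 or later, an administrator command prompt, and uses C:\netfix as an arbitrary folder for the before/after listings:

```batch
@echo off
rem Added example, not from the thread: record, then reset, the Winsock catalog
rem and TCP/IP stack after malware removal has left the adapter "connected" but
rem unable to resolve or reach anything. Run from an administrator command prompt.
rem C:\netfix is an arbitrary choice for where the listings are kept.
set LOGDIR=C:\netfix
if not exist "%LOGDIR%" mkdir "%LOGDIR%"

rem 1. Capture the current state before touching anything. A rootkit or a
rem    broken uninstall often leaves a dangling Layered Service Provider (LSP)
rem    entry in the Winsock catalog; the listing is the evidence of what was there.
netsh winsock show catalog > "%LOGDIR%\winsock-before.txt"
netsh interface ip show config > "%LOGDIR%\ip-before.txt"
ipconfig /all > "%LOGDIR%\ipconfig-before.txt"

rem 2. Reset the Winsock catalog and the TCP/IP stack to defaults
rem    (on XP, "netsh interface ip reset" requires a log file argument).
netsh winsock reset
netsh interface ip reset "%LOGDIR%\ip-reset.log"

rem 3. Flush stale name resolution and re-lease the address.
ipconfig /flushdns
ipconfig /release
ipconfig /renew

rem 4. Record the state after the reset so the two catalog listings can be compared.
netsh winsock show catalog > "%LOGDIR%\winsock-after.txt"
echo Listings written to %LOGDIR%. Reboot to complete the Winsock reset.
```

Comparing winsock-before.txt with winsock-after.txt shows which provider entries the reset removed, which is worth keeping alongside the removal-tool logs when asking for help.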

Offline DavidR

  • avast! Überevangelist
  • Certainly Bot
  • Posts: 69240
  • Gender: Male
  • No support PMs thanks
Re: Zero access rootkit - afterwards
« Reply #3 on: November 15, 2011, 11:13:42 AM »
With ComboFix, it isn't the lack of user input that is the problem, but what it does: it is a pretty powerful tool, which takes deletion action from the first run.

With the latest malware, some require action in a specific order to successfully remove the infection without damaging other areas. Some move your desktop icons and other elements to other areas. In removing the infection you can lose the references to those locations, and it is difficult to get your system back to normal (as you found).

We have already seen instances of this in the viruses and worms forums. This is why essexboy uses analysis tools first, in a specific order, before starting the removal process, and generally will leave ComboFix to last, if it is needed at all.
Core2Duo E8300/ 4GB Ram/ WinXP ProSP3/ avast! free 2014 9.0.2018/ Outpost Firewall Pro9.1/ Firefox 28.0, NoScript, RequestPolicy/ MailWasher Pro/ DropMyRights/ MalwareBytes AntiMalware Premium 2.0.1/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security

Offline Kleidophoros

  • Newbie
  • Posts: 11
Re: Zero access rootkit - afterwards
« Reply #4 on: November 15, 2011, 11:32:24 AM »
Sure, I understand the complications that may arise from using the program; thing is, I had already tried a few alternatives and the wife was all over me all the time with "OMG MY FILES GONE NOW?!?!", so I had to take action immediately.
If it happens again I will do it the proper way, scout's honour.

Thank you for the replies by the way, don't think I don't appreciate it.

Offline craigb

  • avast! Überevangelist
  • Serious Graphoman
  • Posts: 8084
  • Gender: Male
Re: Zero access rootkit - afterwards
« Reply #5 on: November 15, 2011, 11:38:55 AM »
Quote
Tried ComboFix

First, you should never use ComboFix without assistance from an expert or a knowledgeable person....
 
Your latest ComboFix log is clean...


The same goes for people who are analyzing logs; they should also be experts and knowledgeable, which you, True Indian, are not!
Windows 8.1 Pro X64/ IE 11/ Avast 9.0.2018/ MBAM Premium 2.0.2

Offline DavidR

  • avast! Überevangelist
  • Certainly Bot
  • Posts: 69240
  • Gender: Male
  • No support PMs thanks
Re: Zero access rootkit - afterwards
« Reply #6 on: November 15, 2011, 11:40:19 AM »
You're welcome.

Hopefully it won't happen again but should it, this topic is a good start point, http://forum.avast.com/index.php?topic=53253.0.
Core2Duo E8300/ 4GB Ram/ WinXP ProSP3/ avast! free 2014 9.0.2018/ Outpost Firewall Pro9.1/ Firefox 28.0, NoScript, RequestPolicy/ MailWasher Pro/ DropMyRights/ MalwareBytes AntiMalware Premium 2.0.1/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security

Offline True Indian

  • Malware Hunter
  • Advanced Poster
  • Posts: 728
  • Gender: Male
  • A Good Old Indian!
Re: Zero access rootkit - afterwards
« Reply #7 on: November 15, 2011, 11:46:06 AM »
Quote
The same goes for people who are analyzing logs; they should also be experts and knowledgeable, which you, True Indian, are not!

I didn't tell him to run ComboFix :o... I just gave him some simple advice on fixing the net connection....

Offline craigb

  • avast! Überevangelist
  • Serious Graphoman
  • Posts: 8084
  • Gender: Male
Re: Zero access rootkit - afterwards
« Reply #8 on: November 15, 2011, 11:53:36 AM »
Quote
The same goes for people who are analyzing logs; they should also be experts and knowledgeable, which you, True Indian, are not!

I didn't tell him to run ComboFix :o... I just gave him some simple advice on fixing the net connection....

You need to read my post correctly; I didn't say anything about you telling him to run ComboFix. I said that you shouldn't be commenting on the logs being safe, as you are not an expert.
Windows 8.1 Pro X64/ IE 11/ Avast 9.0.2018/ MBAM Premium 2.0.2

Offline True Indian

  • Malware Hunter
  • Advanced Poster
  • Posts: 728
  • Gender: Male
  • A Good Old Indian!
Re: Zero access rootkit - afterwards
« Reply #9 on: November 15, 2011, 11:57:02 AM »
Quote
I said that you shouldn't be commenting on the logs being safe, as you are not an expert.

Hey! Look... the ComboFix log is easy to read... if you don't see the "Other Deletions" column in the log, that means it didn't find anything... I know about it, that's why I commented on it... I never comment when I don't know what it is :P

Offline DavidR

  • avast! Überevangelist
  • Certainly Bot
  • Posts: 69240
  • Gender: Male
  • No support PMs thanks
Re: Zero access rootkit - afterwards
« Reply #10 on: November 15, 2011, 12:23:14 PM »
You will understand our concern when someone we don't know, who has just arrived in the forums, promptly jumps in with both feet when it concerns malware removal.

We have seen it before: that person's advice was poor and could have damaged a user's system, and that is all we are concerned about. That person was banned (also from Mumbi) and tried to come back under a different user name, and they too were subsequently banned.

So we are on the lookout for new and unknown people offering advice which could well harm a user's system.

Making comments like "Hey! Look... the ComboFix log is easy to read..." doesn't fill us with confidence either. Whilst it might be easy to read, it isn't so easy to analyse the other content; just because it didn't have the "Other Deletions" column in the log and "that means it didn't find anything" doesn't mean that the system is clean.

I notice the OP's log shows his wife is running ESET, not avast, and avast detects/blocks these ZeroAccess/consrv attempts to connect to malicious sites (many such instances in the viruses and worms forum).
« Last Edit: November 15, 2011, 12:26:31 PM by DavidR »
Core2Duo E8300/ 4GB Ram/ WinXP ProSP3/ avast! free 2014 9.0.2018/ Outpost Firewall Pro9.1/ Firefox 28.0, NoScript, RequestPolicy/ MailWasher Pro/ DropMyRights/ MalwareBytes AntiMalware Premium 2.0.1/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security

Offline True Indian

  • Malware Hunter
  • Advanced Poster
  • Posts: 728
  • Gender: Male
  • A Good Old Indian!
Re: Zero access rootkit - afterwards
« Reply #11 on: November 15, 2011, 12:32:18 PM »
Sorry!.. I will keep a note... will not repeat that mistake again :'( ...
« Last Edit: November 15, 2011, 12:39:01 PM by true indian »

Offline Asyn

  • avast! Überevangelist
  • Maybe Bot
  • Posts: 24971
Re: Zero access rootkit - afterwards
« Reply #12 on: November 15, 2011, 12:39:01 PM »
Quote
You will understand our concern when someone we don't know...

Not sure if we don't know him... ;)
XP SP3 - avast! 9.0.2018 - CIS 3.14 [FW/D+] - MBAM 1.75 [On Demand] - Firefox ESR 24.4 [NS/ABP/EHH/BP] - Thunderbird 24.4 [EM/CH]
Deutschsprachiger Bereich -> avast! Wissenswertes (Downloads, Anleitungen und Infos): http://forum.avast.com/index.php?topic=60523.0

Offline essexboy

  • avast! Überevangelist
  • Maybe Bot
  • Posts: 29082
  • Gender: Male
  • Dragons by Sasha
Re: Zero access rootkit - afterwards
« Reply #13 on: November 15, 2011, 07:08:06 PM »
@Kleidophoros, did you say that you had lost the files and folders on your computer?

If so, then run this programme:

Download RogueKiller to your desktop.
 
  • Quit all running programs.
  • For Vista/Seven, right-click -> Run as administrator; for XP, simply run RogueKiller.exe.
  • When prompted, type 6 and validate.
  • The RKreport.txt shall be generated next to the executable.
  • If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe.

Please post the contents of the RKreport.txt in your next Reply.

Offline Kleidophoros

  • Newbie
  • Posts: 11
Re: Zero access rootkit - afterwards
« Reply #14 on: November 16, 2011, 04:49:08 PM »
No, I didn't actually lose any files; it was just the wife being, well... the wife.

But I did use RogueKiller and attached the log.
