Author Topic: help with win32:zeroot-b  (Read 11661 times)


davj13

  • Guest
help with win32:zeroot-b
« on: December 21, 2012, 01:18:41 PM »
Hi, I need help with this rootkit, please.
Avast scan at startup did not detect it. Only aswMBR found it.
I've also run a rootkit scan with Spybot 2 (which I installed just for the scan and then uninstalled); it didn't find zeroot-b, but it did alert me to an MBR-physicaldrive0.

Here are the logs of Hijackthis, Adwcleaner, Mbam and aswMBR.

Thank you very much for your kind help.

Offline mikaelrask

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1556
Re: help with win32:zeroot-b
« Reply #1 on: December 21, 2012, 01:21:17 PM »
Hey, and welcome to the forum. Please attach the OTL scan log too, from this guide.

http://forum.avast.com/index.php?topic=53253.0



Windows 8.1, AMD A10-5700 64-bit
12 GB RAM, 1 TB hard drive. Avast 18, MBAM

davj13

  • Guest
Re: help with win32:zeroot-b
« Reply #2 on: December 21, 2012, 01:26:57 PM »
Here are the OTL and TDSSKiller logs.

Thanks again

davj13

  • Guest
Re: help with win32:zeroot-b
« Reply #3 on: December 24, 2012, 03:59:54 PM »
Hey, here are the logs of Spybot and SuperAntiSpyware; don't know if they can be of any use.

Wish you a Merry Christmas in the meanwhile!

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37547
  • Not a avast user
Re: help with win32:zeroot-b
« Reply #4 on: December 24, 2012, 04:20:11 PM »
Quote
Hey here are the logs of spybot and superantispyware, don't know if they can be of any use.
Spybot... absolutely nada.

Quote
Cons
 Extremely poor detection of malware. Extremely poor removal of detected malware. Even worse removal of rootkits in particular. Many user interface elements significantly awkward.

Quote
Bottom Line
Spybot was one of the first antispyware tools ever. It's been dormant for a while. Now Spybot - Search & Destroy 2.0 promises to destroy "spyware, malware, adware and other malicious software." In testing, it proved almost 100 percent ineffective.
http://www.pcmag.com/article2/0,2817,2412372,00.asp




Malware experts are notified...be patient

« Last Edit: December 24, 2012, 04:35:49 PM by Pondus »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: help with win32:zeroot-b
« Reply #5 on: December 24, 2012, 04:37:46 PM »
No sign of ZeroAccess there. I see that you have run ComboFix; could you attach that log?

Warning: this fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following


Code:
:OTL
O2 - BHO: (no name) - {1C67BFBC-BB54-4EE2-A3E8-0AA6EFEE5715} - No CLSID value found.
O3 - HKU\S-1-5-21-1733644386-987702636-2351089283-1006\..\Toolbar\ShellBrowser: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - No CLSID value found.
O3 - HKU\S-1-5-21-1733644386-987702636-2351089283-1006\..\Toolbar\ShellBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
O3 - HKU\S-1-5-21-1733644386-987702636-2351089283-1006\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-1733644386-987702636-2351089283-1006\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O3 - HKU\S-1-5-21-1733644386-987702636-2351089283-1006\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
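For readers following the O2/O3 lines in that fix, the PowerShell below is an added example (not part of the thread and not OTL's own code). It enumerates the same Browser Helper Object and Internet Explorer toolbar registry entries and reports those whose CLSID is not registered under HKCR\CLSID, which is what OTL prints as "No CLSID value found". It assumes a Windows machine, an elevated prompt and the standard IE registry locations; the function names are mine.

```powershell
# Added example, not from the thread or from OTL. Run from an elevated PowerShell.
# Lists BHO (OTL "O2") and IE toolbar (OTL "O3") registry entries whose CLSID has
# no registration under HKCR\CLSID, i.e. the entries OTL prints as "No CLSID value found".

function Test-ClsidRegistered {
    param([Parameter(Mandatory=$true)][string]$Clsid)
    # A CLSID is resolvable if HKCR\CLSID\{GUID} exists. 64-bit hosts also keep
    # 32-bit registrations under WOW6432Node, so check both locations.
    (Test-Path "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid") -or
    (Test-Path "Registry::HKEY_CLASSES_ROOT\WOW6432Node\CLSID\$Clsid")
}

function Get-OrphanedBrowserExtensions {
    $guidPattern = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
    $findings = @()

    # O2: machine-wide Browser Helper Objects. Each subkey name is the BHO's CLSID.
    $bhoKeys = @(
        'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in (Get-ChildItem $key)) {
            $clsid = $sub.PSChildName
            if (($clsid -match $guidPattern) -and -not (Test-ClsidRegistered $clsid)) {
                $findings += New-Object PSObject -Property @{ Entry = 'O2 BHO'; Scope = 'HKLM'; Clsid = $clsid }
            }
        }
    }

    # O3: per-user toolbar lists. Under Toolbar\ShellBrowser and Toolbar\WebBrowser
    # each value *name* is a CLSID; non-GUID values (layout blobs) are skipped.
    $profiles = Get-ChildItem 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' }
    foreach ($profile in $profiles) {
        foreach ($list in 'ShellBrowser', 'WebBrowser') {
            $key = "Registry::HKEY_USERS\$($profile.PSChildName)\Software\Microsoft\Internet Explorer\Toolbar\$list"
            if (-not (Test-Path $key)) { continue }
            foreach ($name in (Get-Item $key).GetValueNames()) {
                if (($name -match $guidPattern) -and -not (Test-ClsidRegistered $name)) {
                    $findings += New-Object PSObject -Property @{ Entry = "O3 Toolbar\$list"; Scope = $profile.PSChildName; Clsid = $name }
                }
            }
        }
    }
    $findings
}

Get-OrphanedBrowserExtensions | Format-Table Entry, Scope, Clsid -AutoSize
```

An orphaned entry of this kind is usually a leftover from an uninstalled add-on rather than malware; the OTL fix simply removes the dangling references so nothing keeps trying to load them. Two caveats: only profiles whose hive is currently loaded appear under HKEY_USERS, and a kernel-mode rootkit that filters registry enumeration can hide keys from this and every other in-OS listing, which is why rootkit scanners read the disk and the hive files with their own drivers rather than through the normal API.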

davj13

  • Guest
Re: help with win32:zeroot-b
« Reply #6 on: December 24, 2012, 04:53:22 PM »
Hi!

Pondus: I uninstalled Spybot right after the scans, but I noticed that the quick scan for rootkits alerted me to MBRphysicaldrive0 and another "K something" which looks like a Windows update. Since I didn't see signs of these in the other logs I decided to upload these too :)

Essexboy, I'll try with your code in OTL and paste the log ASAP. Regarding ComboFix, it runs smoothly through the various levels but doesn't reboot the system at the end; it says deleting TEMP folder but after that doesn't do anything. It does not hang though. And, most importantly, it creates a logfile which just redirects to My Computer, even if I rename it to *.txt! Any ideas why? This happened even when I changed ComboFix's name and ran it again.

davj13

  • Guest
Re: help with win32:zeroot-b
« Reply #7 on: December 24, 2012, 05:24:51 PM »
Thank you Essexboy
Here are the Otl logs (the one after the fix and the one after a fresh quick scan).
The PC still boots slowly and the Windows sound is distorted. Everything slows down and the CPU usage is often at 100%, but I'm still able to write from here.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: help with win32:zeroot-b
« Reply #8 on: December 24, 2012, 07:57:40 PM »
Let's try this next.

Download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application.
  • Then click on Change parameters.
  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  • Click the Start Scan button.
  • If a suspicious object is detected, the default action will be Skip; click on Continue.
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
  • Get the report by selecting Reports.
  • Note: if Cure is not available, please choose Skip instead; do not choose Delete unless instructed.

Please copy and paste its contents in your next reply.
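The "Verify Driver Digital Signature" option above checks whether each loaded kernel driver carries a trusted signature. The PowerShell below is an added example (not from the thread and not TDSSKiller's code) of doing the same rough check by hand: it walks the installed kernel drivers via WMI and reports those whose image file is missing or does not carry a valid Authenticode signature. It assumes an elevated prompt and Windows' standard driver path layout; the function name is mine.

```powershell
# Added example, not from the thread or from TDSSKiller. Run from an elevated PowerShell.
# Lists kernel drivers whose image is missing or lacks a valid embedded Authenticode
# signature, a rough equivalent of TDSSKiller's "Verify Driver Digital Signature".

function Get-UnverifiedDrivers {
    param([switch]$RunningOnly)
    $drivers = Get-WmiObject Win32_SystemDriver
    if ($RunningOnly) { $drivers = $drivers | Where-Object { $_.State -eq 'Running' } }
    foreach ($d in $drivers) {
        $path = $d.PathName
        if (-not $path) { continue }
        # WMI reports paths such as "\??\C:\...", "\SystemRoot\system32\drivers\x.sys"
        # or a bare "system32\drivers\x.sys"; normalise them to a filesystem path.
        $path = $path -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }

        if (-not (Test-Path -LiteralPath $path)) {
            # A registered (or running) driver whose file cannot be seen is worth a closer look.
            New-Object PSObject -Property @{ Name = $d.Name; State = $d.State; Path = $path; Status = 'FileMissing'; Signer = '' }
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') {
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            New-Object PSObject -Property @{ Name = $d.Name; State = $d.State; Path = $path; Status = $sig.Status; Signer = $signer }
        }
    }
}

Get-UnverifiedDrivers -RunningOnly | Sort-Object Name | Format-Table Name, State, Status, Path -AutoSize
```

Treat the output as a triage list, not a verdict: on XP and 7 most Microsoft drivers are signed only through catalog files, and Get-AuthenticodeSignature on those versions reports them as NotSigned because it checks only embedded signatures. The interesting rows are a driver whose file is missing while its service is Running, or an unsigned driver living outside System32\drivers; confirm with sigverif.exe or a rootkit scanner that consults the catalogs before acting on anything.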

davj13

  • Guest
Re: help with win32:zeroot-b
« Reply #9 on: December 24, 2012, 08:27:02 PM »
Here is the new TDSSKiller log.

Merry XMas :)

Offline essexboy

Re: help with win32:zeroot-b
« Reply #10 on: December 26, 2012, 11:32:12 AM »
Looks like it is repair time.

Download Windows Repair (All in One) from this site.

Install the programme, then run it.

Go to step 3 and allow it to run SFC.

On the Start Repairs tab, click Start.

Select the following items and tick "Restart system when finished".


davj13

  • Guest
Re: help with win32:zeroot-b
« Reply #11 on: December 26, 2012, 01:06:51 PM »
Thanks essexboy, I have downloaded the tool and run it as in your instructions. The system file check didn't ask me for the Windows XP CD though. I also did the Start Repairs and restarted, but it doesn't look much better and the Windows sound is still distorted.
Next step?

Offline essexboy

Re: help with win32:zeroot-b
« Reply #12 on: December 26, 2012, 04:52:57 PM »
OK, I feel that the aswMBR detection is a false positive.

Download and Install ComboFix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here.
  • Double-click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. Do not "re-run" ComboFix. If you have a problem, reply back for further instructions.
3. If, after the reboot, you get errors about programmes being marked for deletion, reboot again; that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.
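The whole thread turns on whether the aswMBR "MBR:physicaldrive0" hit is real. The PowerShell below is an added example (not from the thread, not aswMBR's or any other tool's code) of inspecting the MBR yourself: it reads the first sector of PhysicalDrive0, checks the 0x55AA boot signature, decodes the four primary partition entries and hashes the boot-code region so the value can be compared with a baseline recorded while the machine was known clean. It assumes an elevated prompt, 512-byte sectors and a classic (non-GPT) MBR; the function names and the Win32.Disk wrapper type are mine.

```powershell
# Added example, not from the thread or from aswMBR. Run from an elevated PowerShell.
# Reads sector 0 of a physical disk, validates the boot signature, decodes the partition
# table and hashes the boot code so it can be compared against a known-clean baseline.
# Assumptions: 512-byte sectors, classic MBR layout (not GPT).

Add-Type -Namespace Win32 -Name Disk -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern Microsoft.Win32.SafeHandles.SafeFileHandle CreateFile(
    string lpFileName, uint dwDesiredAccess, uint dwShareMode, IntPtr lpSecurityAttributes,
    uint dwCreationDisposition, uint dwFlagsAndAttributes, IntPtr hTemplateFile);
'@

function Read-Mbr {
    param([string]$Device = '\\.\PhysicalDrive0')
    # GENERIC_READ, FILE_SHARE_READ|FILE_SHARE_WRITE, OPEN_EXISTING. .NET Framework's
    # FileStream(string) refuses "\\.\" device paths, so the handle comes from CreateFile.
    $handle = [Win32.Disk]::CreateFile($Device, [uint32]0x80000000, [uint32]3, [IntPtr]::Zero, [uint32]3, [uint32]0, [IntPtr]::Zero)
    if ($handle.IsInvalid) {
        throw ("CreateFile({0}) failed, Win32 error {1}" -f $Device, [Runtime.InteropServices.Marshal]::GetLastWin32Error())
    }
    $stream = New-Object System.IO.FileStream($handle, [System.IO.FileAccess]::Read)
    try {
        $sector = New-Object byte[] 512
        $n = $stream.Read($sector, 0, 512)
        if ($n -ne 512) { throw "short read: $n bytes" }
        return $sector
    } finally {
        $stream.Dispose()   # also closes the underlying handle
    }
}

function ConvertFrom-Mbr {
    param([byte[]]$Sector)
    # Layout: boot code 0..439, disk signature 440..443, partition table 446..509,
    # boot signature 0x55 0xAA at 510..511.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $bootHash = ($sha.ComputeHash($Sector, 0, 440) | ForEach-Object { $_.ToString('x2') }) -join ''
    $partitions = foreach ($i in 0..3) {
        $o = 446 + 16 * $i
        New-Object PSObject -Property @{
            Index    = $i
            Bootable = ($Sector[$o] -eq 0x80)          # 0x80 = active flag
            Type     = ('0x{0:X2}' -f $Sector[$o + 4])  # e.g. 0x07 = NTFS
            StartLba = [BitConverter]::ToUInt32($Sector, $o + 8)
            Sectors  = [BitConverter]::ToUInt32($Sector, $o + 12)
        }
    }
    New-Object PSObject -Property @{
        ValidSignature = (($Sector[510] -eq 0x55) -and ($Sector[511] -eq 0xAA))
        DiskSignature  = ('0x{0:X8}' -f [BitConverter]::ToUInt32($Sector, 440))
        BootCodeSha256 = $bootHash
        Partitions     = $partitions
    }
}

# Usage: record BootCodeSha256 once on a clean system, then compare on later runs.
$info = ConvertFrom-Mbr (Read-Mbr)
$info | Format-List ValidSignature, DiskSignature, BootCodeSha256
$info.Partitions | Format-Table Index, Bootable, Type, StartLba, Sectors -AutoSize
```

The boot-code hash differs between Windows versions and OEM images, so the baseline must come from the same machine, not from a table of "known good" values. More importantly, a kernel-mode bootkit can hook the disk stack and hand the original sector back to any reader inside the running OS, so a matching hash from the live system does not by itself clear the disk; if the aswMBR result matters, repeat the read from boot media (WinPE or a live CD) and compare the two.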

davj13

  • Guest
Re: help with win32:zeroot-b
« Reply #13 on: December 27, 2012, 03:39:31 AM »
After completing stage 50, ComboFix says:

Deleting Folders:

c:\Documents and Settings\All Users\Datos de programa\TEMP

and just stays there forever without doing anything. It's not frozen, but it does not take any action or reboot the PC, and does not create a log, just a shortcut in C:\ named ComboFix, which points to My PC.

Offline essexboy

Re: help with win32:zeroot-b
« Reply #14 on: December 27, 2012, 10:33:59 AM »
OK, could you re-run ComboFix from Safe Mode please?