Help remove zeroaccess rootkit

[Fiery]

Download Windows Repair (all in one) from this site

Install the program then run it.

Go to step 2 and allow it to run Disc check by clicking Do It

Go to step 3 and allow it to run SFC

Go to start repairs tab select advanced mode and click start.

Check the box next to "Restart/Shutdown system when finished" and ensure the following is checked along with the default checks

Reset File Permissions
Register System Files
Repair WMI
Remove Policies Set By Infections

then click Start

Then run Farbar's Service Scanner again and post the log.

See if you are able to connect to the internet after. If you can, goto
http://www.virustotal.com and upload:

C:\WINDOWS\system32\wbem\wbemess.dll
C:\WINDOWS\system32\wbem\fastprox.dll

After each analysis, you will be taken to a results page. Please copy and paste the URL/link of that page in your next reply.


Then, download a new copy of TDSSkiller from here

• Double-Click on TDSSKiller.exe to run the application
• When TDSSkiller opens, click change parameters , check the box next to Loaded modules . A reboot will be required.
• After reboot, TDSSKiller will run again. Click Change parameters again and make sure everything is checked.
  
• click Start scan .
• If a suspicious object is detected, the default action will be Skip, click on Continue. (If it saids TDL4/TDSS file system, select delete)
• If malicious objects are found, ensure Cure (default) is selected, then click Continue and Reboot now to finish the cleaning process.

Post the log after (usually C:\ folder in the form of TDSSKiller.[Version]_[Date]_[Time]_log.txt

[Papirus]

OK, these were the steps that I did (all in Windows Normal Mode):
1. Run Windows Repair (all 3 steps)....but I forget to close the antivirus, norton ghost and hitman pro services.
2. Run FSS and network still not working. Here is the log.
  FSS 2013-01-01.txt (Size: 2.89 KB / Downloads: 24)
3. Run Windows Repair again for step 3 (repair) and this time I close the above services to avoid conflicts.
4. Run FSS and network still not working. Here is the log.
  FSS 2013-01-01b.txt (Size: 2.89 KB / Downloads: 29)
5. Run TDSSKiller and here is the log.

  TDSSKiller.Set Load Module.log.txt (Size: 9.38 KB / Downloads: 27) (load module checked)

  TDSSKiller.Scan_log.txt (Size: 208.83 KB / Downloads: 20) (scan log)

Then I run the OTL mode again to scan the wbemess.dll and fastprox.dll in http://www.virustotal.com. None of them show any sign of virus.

Then I run McAfee Root Kit Remover in OTL mode. Interestingly, it says that it found zeroaccess rootkit in the CD. Here is the log.

  RootkitRemover20130101223836.txt (Size: 700 bytes / Downloads: 37) .
I upload the shell32.dll from the CD to virustotal.com and it does not find any virus.

Is this a false positive error from McAfee Rootkit Remover? Is there a way for someone or McAfee to check the Rootkit Remover tool?

Also, I can restore my computer in 20 minutes using the backup data that I have and therefore fix the network problems. However, all other steps that we did will be gone and zeroaccess issue will pop up again (even though I am not sure if this is really an issue or not). Do you have any thought on this?

Thanks.

[Fiery]

Hi,

well that's odd... There's no way the CD has an infection... Is the X drive your CD drive? How many operating systems do you have on the PC? The logs show that you have many partitions.

Also, when did you lose internet? Was it after running comodo or one of my instructions?

Please download MiniToolBox save it to your desktop and run it.

Place a check in the following boxes:

Flush DNS
Report IE Proxy Settings
Reset IE Proxy Settings
Report FF Proxy Settings
Reset FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Devices
List Users, Partitions and Memory size.
List Minidump Files

Close your browsers and click Go. Post the Result.txt located in the same directory as the tool.

Your C-drive looks clean from the logs.. Does McAfee Root Kit Remover still say C:\WINDOWS\system32\wbem\wbemess.dll & C:\WINDOWS\system32\wbem\fastprox.dll are infected?

[Papirus]

Hi,

Well, I create the CD from the infected/corrupted desktop so I am not sure if in the process it infected those files before it got written to the CD. I am not familiar with how the Reatogo CD is created and I am just guessing for the possibilities.

I have 3 Hard Drives and all are partitioned. The X is for the CD. I am confused myself why only McAfee recognize the virus but not the other antivirus.

In regards to the network issues, the internet connection was lost even when I was still running the Comodo scan. However, I am not sure what had caused it. The Comodo found many issues during the scan but mostly on files reside in other drive (not C) except for sysbar.exe in C:\windows folder.

Today, I run the Minitoolbox from Windows Normal mode and attached the log file here.
  Result 2013-01-02.txt (Size: 14.21 KB / Downloads: 28)

Then I run the McAfee rootkit remover one more time and to my surprise there is NO more virus found. BTW. I did not run McAfee rootkit remover in Windows Normal mode yesterday but I run it in OTL windows mode. It looks like the Windows repair (Tweaking) fixed the problems by replacing those infected files (or rewriting the registries). Do you have any explanation to this solution?

Also, I tried to create another boot CD but this time I did it from a clean computer. After rebooting the system, I run the McAfee rootkit remover in OTL mode and it found zeroaccess malware on Shell32.dll and shdocvw.dll files on i386\system32 folders.

So at this time, the only problem I have is the internet connection or network driver problem (including firewall, socket, etc.)

If I run the backup restore and run the windows repair tool again, will it solve the virus and internet connection problem? Could you please advise?

MANY thanks for your help.....but still need help on the internet part though

[Fiery]

Hi,

The Shell32.dll and shdocvw.dll detection are false positives since OTLPE is a clean program. If it is coming from the X drive then you have nothing to worry about.

Don't run the rootkit remover in OTLPE as it may not scan the PC properly. If you ran it in normal mode and no infection was found, then that is good.

I'm not too sure what caused you to lose internet. I went back to check the fixes I gave you and none of them should have affected your internet, unless the malware made a modification to your system files. However, ServiceRepair and windows repair should have fixed it. Nonetheless, let's try something else.

Goto Start > Run > type cmd. In the command prompt, type tracert google.com >trace.txt then press Enter. Wait for a minute or two. Then goto the directory that is shown on the command prompt. It should be something like: C:\... and find trace.txt and post it here.

Next,
Run the Complete Internet Repair utility.

1. Download Complete Internet Repair utility to your desktop
2. Unzip all the files to their own folder on the desktop
3. Within the folder double click CIntRep
4. Select the following items,then press the GO button.
   
   • Reset Interent Protocol (TCP/IP)
   • Repair Winsock (Reset Catalog)
   • Renew Internet Connection
   • Flush DNS Resolver Cache
   • Reset Windows Firewall Configuration
   • Reset the default hosts fie

[Papirus]

Hi,

OK, I run the tracert using full url http://www.google.com but it cannot resolve the hostname as shown in the output here.
  tracert.txt (Size: 55 bytes / Downloads: 20)

I download the Complete Internet Repair from this site:
http://datumza.com/downloads/ and select the CIR v1.3.1.115 (32Bit).

I run it with the options you mentioned checked and reboot the system but it still does not have the Network connectivity....really puzzling....

Thanks.

[Fiery]

Hi,

Are you using any firewalls? Disable all of them and see if you are able to access the internet. Please do a fresh FRST scan in OTLPE so I can see the state of your PC

If the FRST log doesn't show anything, as a last resort.. we can restore the backup you made to get internet back and will remove the malware again.

[Papirus]

Hi,

I am not using any firewall and in fact the firewall is messed up too (I cannot enable or disable it).

OK, let me try to restore the backup and I will run the service repair and windows repair after that.....I will reply back after that.

I am hoping that the restore system does not overwrite the wbemes.dll and fastprox.dll if it found existing one. But let's see what will happen.

Thanks.

[Papirus]

Fiery, it looks like I have cleaned up the rootkit by running the service repair and windows repair (tweaking).

After the restore, the rootkit shows up again and the internet still did not work. However, the network got fixed after I run the service repair tool. Then I run the windows repair to replace the infected files.

To be on the safe site, I run Comodo (some malwares found and cleaned), Hitman Pro (in progress), MalwareBytes (in progress), Ad-Aware (in progress), TDSSKiller (no rootkit found), McAfee Rootkit Remover (no zero access rootkit found), Norton FixZeroAccess (no rootkit found).

Do you have any recommendation on what tool I should use to accurately verify/check the MBR?

Many thanks again for your persistence and I really appreciate your help.

[Fiery]

That's good to hear! Let me know how things go. If you want me to verify your MBR:

1. Download aswmbr.exe from the below link:
   aswMBR DOWNLOAD LINK (This link will automatically download aswMBR on your computer)
2. Double click the aswMBR.exe to run it.
3. Click the [Scan] button to start scan
   
4. On completion of the scan click [Save log], save it to your desktop and post in your next reply.
   

---

Should you wish to run an extra anti-rookit tool for assurance:

Download Malwarebytes Anti-Rootkit from here to your Desktop

• Unzip the contents to a folder on your Desktop.
• Open the folder where the contents were unzipped and run mbar.exe
• Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
• Make sure there is a check next to Create Restore Point and click the Cleanup button to remove any threats. Reboot if prompted to do so.
• After the reboot, perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If there are threats, click Cleanup once more and reboot.
• When done, please post the two logs in the MBAR folder(mbar-log.txt and system-log.txt)