Help remove zeroaccess rootkit

[Fiery]

Download Windows Repair (all in one) from this site

Install the program then run it.

Go to step 2 and allow it to run Disc check by clicking Do It

Go to step 3 and allow it to run SFC

Go to start repairs tab select advanced mode and click start.

Check the box next to "Restart/Shutdown system when finished" and ensure the following is checked along with the default checks

• Reset File Permissions
  Register System Files
  Repair WMI
  Remove Policies Set By Infections

then click Start

Then run Farbar's Service Scanner again and post the log.

See if you are able to connect to the internet after. If you can, goto
www.virustotal.com and upload:

C:\WINDOWS\system32\wbem\wbemess.dll
C:\WINDOWS\system32\wbem\fastprox.dll

After each analysis, you will be taken to a results page. Please copy and paste the URL/link of that page in your next reply.


Then, download a new copy of TDSSkiller from here

• Double-Click on TDSSKiller.exe to run the application
• When TDSSkiller opens, click change parameters , check the box next to Loaded modules . A reboot will be required.
• After reboot, TDSSKiller will run again. Click Change parameters again and make sure everything is checked.
  
  
• click Start scan .
  
• If a suspicious object is detected, the default action will be Skip, click on Continue. (If it saids TDL4/TDSS file system, select delete)
• If malicious objects are found, ensure Cure (default) is selected, then click Continue and Reboot now to finish the cleaning process.

Post the log after (usually C:\ folder in the form of TDSSKiller.[Version]_[Date]_[Time]_log.txt

 

[Papirus]

OK, these were the steps that I did (all in Windows Normal Mode):
1. Run Windows Repair (all 3 steps)....but I forget to close the antivirus, norton ghost and hitman pro services.
2. Run FSS and network still not working. Here is the log. [attachment=3013]
3. Run Windows Repair again for step 3 (repair) and this time I close the above services to avoid conflicts.
4. Run FSS and network still not working. Here is the log. [attachment=3014]
5. Run TDSSKiller and here is the log.
[attachment=3016] (load module checked)
[attachment=3015] (scan log)

Then I run the OTL mode again to scan the wbemess.dll and fastprox.dll in www.virustotal.com. None of them show any sign of virus.

Then I run McAfee Root Kit Remover in OTL mode. Interestingly, it says that it found zeroaccess rootkit in the CD. Here is the log.
[attachment=3017].
I upload the shell32.dll from the CD to virustotal.com and it does not find any virus.

Is this a false positive error from McAfee Rootkit Remover? Is there a way for someone or McAfee to check the Rootkit Remover tool?

Also, I can restore my computer in 20 minutes using the backup data that I have and therefore fix the network problems. However, all other steps that we did will be gone and zeroaccess issue will pop up again (even though I am not sure if this is really an issue or not). Do you have any thought on this?

Thanks.

 

[Fiery]

Hi,

well that's odd... There's no way the CD has an infection... Is the X drive your CD drive? How many operating systems do you have on the PC? The logs show that you have many partitions.

Also, when did you lose internet? Was it after running comodo or one of my instructions?

Please download MiniToolBox save it to your desktop and run it.

Place a check in the following boxes:

• Flush DNS
  Report IE Proxy Settings
  Reset IE Proxy Settings
  Report FF Proxy Settings
  Reset FF Proxy Settings
  List content of Hosts
  List IP configuration
  List Winsock Entries
  List last 10 Event Viewer log
  List Installed Programs
  List Devices
  List Users, Partitions and Memory size.
  List Minidump Files

Close your browsers and click Go. Post the Result.txt located in the same directory as the tool.

Your C-drive looks clean from the logs.. Does McAfee Root Kit Remover still say C:\WINDOWS\system32\wbem\wbemess.dll & C:\WINDOWS\system32\wbem\fastprox.dll are infected?

 

[Papirus]

Hi,

Well, I create the CD from the infected/corrupted desktop so I am not sure if in the process it infected those files before it got written to the CD. I am not familiar with how the Reatogo CD is created and I am just guessing for the possibilities.

I have 3 Hard Drives and all are partitioned. The X is for the CD. I am confused myself why only McAfee recognize the virus but not the other antivirus.

In regards to the network issues, the internet connection was lost even when I was still running the Comodo scan. However, I am not sure what had caused it. The Comodo found many issues during the scan but mostly on files reside in other drive (not C) except for sysbar.exe in C:\windows folder.

Today, I run the Minitoolbox from Windows Normal mode and attached the log file here. [attachment=3022]

Then I run the McAfee rootkit remover one more time and to my surprise there is NO more virus found. BTW. I did not run McAfee rootkit remover in Windows Normal mode yesterday but I run it in OTL windows mode. It looks like the Windows repair (Tweaking) fixed the problems by replacing those infected files (or rewriting the registries). Do you have any explanation to this solution?

Also, I tried to create another boot CD but this time I did it from a clean computer. After rebooting the system, I run the McAfee rootkit remover in OTL mode and it found zeroaccess malware on Shell32.dll and shdocvw.dll files on i386\system32 folders.

So at this time, the only problem I have is the internet connection or network driver problem (including firewall, socket, etc.)

If I run the backup restore and run the windows repair tool again, will it solve the virus and internet connection problem? Could you please advise?

MANY thanks for your help.....but still need help on the internet part though

 

[Fiery]

Hi,

The Shell32.dll and shdocvw.dll detection are false positives since OTLPE is a clean program. If it is coming from the X drive then you have nothing to worry about.

Don't run the rootkit remover in OTLPE as it may not scan the PC properly. If you ran it in normal mode and no infection was found, then that is good.

I'm not too sure what caused you to lose internet. I went back to check the fixes I gave you and none of them should have affected your internet, unless the malware made a modification to your system files. However, ServiceRepair and windows repair should have fixed it. Nonetheless, let's try something else.

Goto Start > Run > type cmd. In the command prompt, type tracert google.com >trace.txt then press Enter. Wait for a minute or two. Then goto the directory that is shown on the command prompt. It should be something like: C:\... and find trace.txt and post it here.

Next,
Run the Complete Internet Repair utility.
<ol><li>Download <a title="External link" href="http://www.datum-forensics.com/down/comintrep.exe" rel="nofollow external" rel="nofollow">Complete Internet Repair utility</a> to your desktop</li>
<li>Unzip all the files to their own folder on the desktop</li>
<li>Within the folder double click <>CIntRep</></li>
<li>Select the following items,then press the GO button.
<ul><li>Reset Interent Protocol (TCP/IP)</li>
<li>Repair Winsock (Reset Catalog)</li>
<li>Renew Internet Connection</li>
<li>Flush DNS Resolver Cache</li>
<li>Reset Windows Firewall Configuration</li>
<li>Reset the default hosts fie</li></ul>
</li>
</ol>

 

[Papirus]

Hi,

OK, I run the tracert using full url www.google.com but it cannot resolve the hostname as shown in the output here. [attachment=3028]

I download the Complete Internet Repair from this site:
http://datumza.com/downloads/ and select the CIR v1.3.1.115 (32Bit).

I run it with the options you mentioned checked and reboot the system but it still does not have the Network connectivity....really puzzling....

Thanks.

 

[Fiery]

Hi,

Are you using any firewalls? Disable all of them and see if you are able to access the internet. Please do a fresh FRST scan in OTLPE so I can see the state of your PC

If the FRST log doesn't show anything, as a last resort.. we can restore the backup you made to get internet back and will remove the malware again.

 

[Papirus]

Hi,

I am not using any firewall and in fact the firewall is messed up too (I cannot enable or disable it).

OK, let me try to restore the backup and I will run the service repair and windows repair after that.....I will reply back after that.

I am hoping that the restore system does not overwrite the wbemes.dll and fastprox.dll if it found existing one. But let's see what will happen.

Thanks.

 

[Papirus]

Fiery, it looks like I have cleaned up the rootkit by running the service repair and windows repair (tweaking).

After the restore, the rootkit shows up again and the internet still did not work. However, the network got fixed after I run the service repair tool. Then I run the windows repair to replace the infected files.

To be on the safe site, I run Comodo (some malwares found and cleaned), Hitman Pro (in progress), MalwareBytes (in progress), Ad-Aware (in progress), TDSSKiller (no rootkit found), McAfee Rootkit Remover (no zero access rootkit found), Norton FixZeroAccess (no rootkit found).

Do you have any recommendation on what tool I should use to accurately verify/check the MBR?

Many thanks again for your persistence and I really appreciate your help.

 

[Fiery]

That's good to hear! Let me know how things go. If you want me to verify your MBR:

1. Download aswmbr.exe from the below link:
   aswMBR DOWNLOAD LINK <em>(This link will automatically download aswMBR on your computer)</em>
2. Double click the aswMBR.exe to run it.
   
3. Click the [Scan] button to start scan
   
   
4. On completion of the scan click [Save log], save it to your desktop and post in your next reply.
   
   

<hr>

Should you wish to run an extra anti-rookit tool for assurance:

Download Malwarebytes Anti-Rootkit from here to your Desktop

• Unzip the contents to a folder on your Desktop.
• Open the folder where the contents were unzipped and run mbar.exe
• Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
• Make sure there is a check next to Create Restore Point and click the Cleanup button to remove any threats. Reboot if prompted to do so.
• After the reboot, perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If there are threats, click Cleanup once more and reboot.
• When done, please post the two logs in the MBAR folder(mbar-log.txt and system-log.txt)

 

[Papirus]

OK, I did the following steps to check the MBR and other Rootkit problems:

1. Run aswMBR while Adaware and MalwareByte were also running. It found suspicious tpkd.sys file as shown in the log here. [attachment=3064]
2. Upload the tpkd.sys file into Virus Total web site and re-analyze the file. No virus is found as shown in the review page here. [attachment=3065]
3. Run MBAR and it could not open the folder due to encryption problems. I suspect it was caused by locking issues with other antivirus programs.
4. Ad-aware completed the full scan and found one malware in the system (but it is not tpkd.sys file). I cleaned the malware. However, MalwareByte become hung while SBAMsvc.exe is taking over the CPU usage. The PC system became so slow and all CPU usage went to the system idle now after a while.
5. I run McAfee rootkit remover but no virus found. However, the system was really slow like when I first found the zeroaccess rootkit in the system. System shutdown took about 5 minutes to complete....really slow.


6. The next day, I run MBAR again but this time I closed all programs including Ad-aware real time protection. One malware is found as shown here. [attachment=3066] and [attachment=3067]
7. Cleaned the malware (including created restore point prior to the cleaning).
8. Reboot the PC.
9. Then I run aswMBR again (Adaware is disabled). This time it does not show any potential malware as shown in the log here. [attachment=3068]

I have also completed running MalwareByte quick scan with no virus found. I am running the full scan now.

BTW. When I run Comodo full scan with Ad-aware real time protection running in the background, Comodo tagged both Adaware.exe and SBAMsvc.exe as malware. Is this a real malware or false positive finding?

Thanks.

 

[Fiery]

Hi,

The high CPU usage and slow computer is most likely due to Adaware. This program is ineffective and I would suggest you to uninstall it. Are you currently using Comodo antivirus or comodo internet security? Adaware has antivirus / antimalware engine included, so using comodo along with Adaware will cause system errors, lower stability and cause system conflicts. Having more than 1 antivirus is hazardous for your system.

The TPkd.sys detection is nothing to worry about. The malwarebytes detection unhides certain start menu items, not necessarily malicious.

Please uninstall Ad-aware and run the following scan:


Run Eset NOD32 Online AntiVirus

Note: You will need to use Internet Explorer for this scan.
Vista / 7 users: You will need to to right-click on the Internet Explorer icon and select Run as Administrator

• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the activex control to install
• Disable your current antivirus software. You can usually do this with its Notfication Tray icon near the clock.
• Click Start
• Make sure that the option "Remove found threats" is Un-checked, and the following Advance Settings are Checked
  • Scan unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth Technology
• Click Scan
• Wait for the scan to finish
• Re-enable your antivirus software.
• A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

 

[Papirus]

Hi,

I messed up the scan run and I need to rerun it again. It found 10 threats so far but then the windows disappear for some reasons and I could not find the log.

By the way, I have uninstalled ad-aware. After uninstall it, the system performance gets much better now (but not as fast as when I just restore the system....it may be because of the left over registries).

At this time I only use Comode Cleaning Essential (CCE) and MalwareByte to scan the virus/malware. I also leave the Hitman Pro schedule intact. Do you have any recommendation on good internet security tool that I should install (I would prefer a free one since I don't plan to use this pc to surf the web).

OK, I will post the log file from ESET NOD32 tomorrow.

Thanks.

 

[Fiery]

Hi,

Did you check C:\Program Files\EsetOnlineScanner\log.txt to see if there is a log?

I recommend any of these: avast! 7 Home Edition, Avira AntiVir Personal, Microsoft Security Essentials

Install any one of them for now, we will set up your system to maximize protection once we are done with the removal process.

Fiery

 

[Papirus]

Hi,

Yesterday's run only generate a log file showing it started the process.
At any rate, here is the log file from today's run. [attachment=3083]

It seems to me that it is a false positive finding; nevertheless I can delete those files to make sure it is free from malwares.

By the way, I am wondering if there are any specific reasons that you do not recommend CIS (Comode Internet Security) for this system. From the paper, it looks like CIS is more robust than Avast as it provides a real time protection (sandbox).

Thanks.

 

[Fiery]

Hi,

Those are false positive so nothing to worry about. And it seems your PC is now clean!

CIS would be the first security suite I would recommend. However, the program requires frequent user interaction and the popups are very technical and may be difficult to understand. If you think you have enough PC knowledge and would like to give it a try, I highly recommend it (uninstall your antivirus first before installing CIS).

If you are still unsure, post a thread here. and our community will give you advice and feedback on your security setup based on your system and knowledge.

Below is my "spiel" on how to stay protected

Double click on OTL to run it

• Click on the Cleanup button at the top.
• You will be asked to reboot the machine to finish the Cleanup process. Choose Yes
• This will remove itself and other tools we may have used.

---

Now that your PC is clean, I recommend you to create a new System Restore point then purge the old ones after.

For XP
How to create a Restore Point in XP
Delete all restore points except the most recent one

For Vista
Create a restore point
Delete all but the most recent restore point

For Windows 7
Create a restore point
Delete all but the most recent restore point - Click the Delete all but the most recent restore point link

---

Keep your system updated

• Keeping your programs (especially Adobe and Java products) updated is essential. Update Checker will notify you if any of your programs require an update.
• Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office product bugs and vulnerabilities.
• Please ensure you update your system regularly and have automatic updates on. You can learn how to turn Automatic Updates on here

---

I also recommend you to switch your antivirus program to a better one. Here are some suggestions:

• avast! 7 Home Edition - Don't use it with Online Armor
• Avira AntiVir Personal
• Microsoft Security Essentials

In addition to your antivirus, you need additional protection such as a firewall and behavioural blocker.

• Online Armor
• Comodo Firewall - If you are a advance user

Here are only a few suggestions that will improve your system security. Should you wish to allow us to make full recommendations and set your PC up with maximum security, please start a thread here. Our community of PC enthusiasts and experts will give you feedback and help you secure your system from future malware infections.

---

Internet Explorer may be the most popular browser but it's definitely not the most secure browser. Consider using other browsers with addition add-ons to safeguard your system while browsing the internet.

Firefox is a more secure, faster browser than Internet Explorer. Firefox contains less vulnerabilities, reducing the risk of drive-by downloads. In addition, you can add the following add-ons to increase security.

• Web of Trust - Shows the website rating by other users and blocks dangerous and poor-rated sites
• KeyScramber - Encrypts your keystrokes to protect you against keyloggers that steals personal & banking information
• AdBlock - Disable/blocks advertisements on websites so you won't accidentally click on a malicious ad.
• NoScript - Disables Flash & Java contents to avoid exploits or drive-by attacks

Google Chrome is another good browser that is faster and more secure than Internet Explorer by having a sandbox feature. Additionally, you can add the following add-on to Chrome to heighten security.

• AdBlock

---

Lastly, it is important to perform system maintenance on a regular basis. Here are a few tools and on-demand scanners that you should keep & use every 1-2 weeks to keep your system healthy.

• CCleaner
• Malwarebytes Anti-Malware

Other than that, stay safe out there! If you have any other questions or concerns, feel free to ask

 

[Papirus]

Fiery,

Awesome, this is a very informative and useful "spiel" .
I will use them to further buff up my system security.

Take care.

 

[Fiery]

Your welcome

Take care as well!