Help remove zeroaccess rootkit

Papirus

New Member
Thread author
Verified
Dec 25, 2012
19
My Windows XP SP3 system got infected by the ZeroAccess rootkit.
I found it when I ran the McAfee Rootkit Remover tool, as shown below (after a restart the rootkit is back again):

Rootkit Remover v0.8.9.160 [Dec 4 2012 - 17:44:01]
McAfee Labs.

Windows build 5.1.2600 x86 Service Pack 3
Checking for updates ...

Now Scanning...
Malware Found --> ZeroAccess trojan detected!!!
--> Registry key: HKEY_CLASSES_ROOT\CLSID\{f3130cdb-aa52-4c3a-ab32-85ffc23af
9c1}\InprocServer32 ( fixed )
--> Malicious file: C:\WINDOWS\system32\wbem\wbemess.dll ( deleted )
--> Registry key: HKEY_CLASSES_ROOT\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F
57F}\InprocServer32 ( fixed )
--> Malicious file: C:\WINDOWS\system32\wbem\fastprox.dll ( will be deleted
after restart )
ZeroAccess trojan was cleaned successfully!

Scan Finished

PLEASE REBOOT IMMEDIATELY TO COMPLETE CLEANING.

Other recommendations:
1. Perform full scan with McAfee VirusScan product after reboot.


Press any key to exit.
===============================================================================

However, when I run TDSSKiller, Sophos Anti-Virus, Symantec FixZeroAccess, McAfee Stinger, GridinSoft Trojan Killer, Trend Micro antivirus and Malwarebytes, they all show no virus or rootkit found in the system.

I believe my system is infected because every time I try to delete C:\WINDOWS\system32\wbem\wbemess.dll manually, it always comes back within 2 seconds or so (after I refresh Windows Explorer).

I even restored the C drive (Windows system) using my old recovery file and Symantec Ghost, but the rootkit is still there (shown by the McAfee Rootkit Remover tool above).

Can someone please help me to fix this problem? Many thanks in advance.

Below are the ComboFix log file and the HijackThis log file (or see attached):

HijackThis:
===========
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:58:49 PM, on 12/24/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\LTSMMSG.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
D:\Utilities\HijackThis\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
F2 - REG:system.ini: Shell=
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - D:\Program\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - S-1-5-21-2826457082-1161744426-439199626-1006 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User '?')
O4 - S-1-5-21-2826457082-1161744426-439199626-1006 Startup: Task Manager.lnk = C:\WINDOWS\system32\taskmgr.exe (User '?')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Task Manager.lnk = C:\WINDOWS\system32\taskmgr.exe
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O4 - Global Startup: WiziWYG XP Startup.lnk = C:\Program Files\Praxisoft\WiziWYG XP\WiziWYGXP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\Program\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Norton Ghost - Unknown owner - D:\Program\Ghost10\Agent\VProSvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

--
End of file - 5203 bytes


ComboFix:
==========
ComboFix 12-12-25.01 - Sam 12/24/2012 22:48:16.2.1 - x86
Running from: j:\zip\Spyware\ComboFix.exe
* Created a new restore point
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((( Files Created from 2012-11-25 to 2012-12-25 )))))))))))))))))))))))))))))))
.
.
2012-12-25 06:40 . 2012-12-25 06:43 -------- d-----w- c:\documents and settings\Sam\Local Settings\Application Data\Google
2012-12-25 06:40 . 2012-12-25 06:42 -------- d-----w- c:\program files\Google
2012-12-25 04:39 . 2012-12-25 06:11 14664 ----a-w- c:\windows\stinger.sys
2012-12-25 04:38 . 2012-12-25 04:38 159608 ----a-w- c:\windows\system32\mfevtps.exe.a40b.deleteme
2012-12-25 04:37 . 2012-12-25 06:21 -------- d-----w- c:\program files\stinger
2012-12-25 04:28 . 2012-12-25 04:28 -------- d-s---w- c:\documents and settings\Sam\UserData
2012-12-25 04:16 . 2012-12-25 04:29 -------- d-----w- c:\program files\GridinSoft Trojan Killer
2012-12-25 04:04 . 2012-12-25 04:04 -------- d-----w- c:\documents and settings\Sam\Application Data\FixZeroAccess
2012-12-25 04:04 . 2012-12-25 04:04 35752 ----a-w- c:\windows\system32\drivers\FixZeroAccess.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LTSMMSG"="LTSMMSG.exe" [2002-03-29 32768]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-13 155648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-12 7630848]
"nwiz"="nwiz.exe" [2006-08-12 1519616]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-12 86016]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-12-13 58992]
.
c:\documents and settings\Sam\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
Task Manager.lnk - c:\windows\system32\taskmgr.exe [2002-4-24 135680]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
VAIO Action Setup (Server).lnk - c:\program files\Sony\VAIO Action Setup\VAServ.exe [2002-4-25 40960]
WiziWYG XP Startup.lnk - c:\program files\Praxisoft\WiziWYG XP\WiziWYGXP.exe [2008-12-28 6029369]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Billminder.lnk - d:\program\Quicken\billmind.exe [2002-7-30 36864]
Microsoft Office.lnk - d:\program\Microsoft Office\Office10\OSA.EXE [N/A]
Quicken Scheduled Updates.lnk - d:\program\Quicken\bagent.exe [2002-7-30 53248]
Quicken Startup.lnk - d:\program\Quicken\QWDLLS.EXE [2002-7-30 36864]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"=hex(7a8):
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
R2 mrtRate;mrtRate; [x]
R3 MFE_RR;MFE_RR;c:\docume~1\Sam\LOCALS~1\Temp\mfe_rr.sys [x]
R3 SMBE;Sony MPEG2 Encoder Board (WDM);c:\windows\system32\Drivers\SMBE.SYS [x]
R3 TrojanKillerDriver;GridinSoft Trojan Killer Driver;c:\windows\system32\DRIVERS\gtkdrv.sys [x]
S0 FixZeroAccess;Zero Access Fixtool driver;c:\windows\system32\drivers\FixZeroAccess.sys [x]
S3 LucentSoftModem;Lucent Technologies Soft Modem;c:\windows\system32\DRIVERS\LTSM.sys [x]
S3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\system32\drivers\sis7012.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-12-25 06:40]
.
2012-12-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-12-25 06:40]
.
2008-12-29 c:\windows\Tasks\Registration reminder 1.job
- c:\windows\System32\OOBE\oobebaln.exe [2002-04-24 13:42]
.
2008-12-29 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\System32\OOBE\oobebaln.exe [2002-04-24 13:42]
.
2008-12-29 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\System32\OOBE\oobebaln.exe [2002-04-24 13:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.sony.com/vaiopeople
IE: E&xport to Microsoft Excel - d:\program\MICROS~1\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 68.94.156.1 68.94.157.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-12-24 22:54
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2012-12-24 22:57:26
ComboFix-quarantined-files.txt 2012-12-25 06:57
ComboFix2.txt 2012-12-25 06:33
.
Pre-Run: 12,297,408,512 bytes free
Post-Run: 12,289,560,576 bytes free
.
- - End Of File - - 75F87112989DC3D61691AFD3592A7CA0
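The poster's observation that wbemess.dll comes back within about two seconds of being deleted is itself useful triage evidence: a file that is restored that quickly, with identical bytes, is being put back by a running component from a cached copy, so deleting it again in the live system will not help. The script below is an added example, not part of this thread or of any tool mentioned in it. It turns that observation into a measurement (time to reappearance and whether the restored bytes match), and the `Guardian` thread is a constructed stand-in that exists only so the probe has something to measure in a temp directory.

```python
# Added example (not from the thread): measure how fast a deleted file is
# restored and whether the restored copy is byte-identical.
import hashlib
import os
import tempfile
import threading
import time


def file_digest(path):
    """SHA-256 of a file's contents, or None if the file is not there."""
    try:
        with open(path, "rb") as f:
            return hashlib.sha256(f.read()).hexdigest()
    except FileNotFoundError:
        return None


def probe_respawn(path, timeout=3.0, poll=0.02):
    """Delete `path`, then poll until it reappears or `timeout` seconds pass.

    Returns {'respawned': bool, 'seconds': float|None, 'same_bytes': bool}.
    'same_bytes' is True when the restored file hashes identically to the one
    deleted, which points to a cached copy being written back rather than a
    fresh download or rebuild.
    """
    before = file_digest(path)
    os.remove(path)
    started = time.monotonic()
    while time.monotonic() - started < timeout:
        if os.path.exists(path):
            elapsed = time.monotonic() - started
            return {"respawned": True, "seconds": round(elapsed, 3),
                    "same_bytes": file_digest(path) == before}
        time.sleep(poll)
    return {"respawned": False, "seconds": None, "same_bytes": False}


class Guardian(threading.Thread):
    """Constructed stand-in for a watchdog that puts a file back from a hidden copy.

    It exists only so the probe has something to measure. It writes to a temp
    name and renames, so the probe never observes a half-written file.
    """

    def __init__(self, path, payload, delay=0.1):
        super().__init__(daemon=True)
        self.path, self.payload, self.delay = path, payload, delay
        self.halt = threading.Event()

    def run(self):
        while not self.halt.is_set():
            if not os.path.exists(self.path):
                time.sleep(self.delay)               # simulated reaction time
                tmp_name = self.path + ".tmp"
                with open(tmp_name, "wb") as f:
                    f.write(self.payload)
                os.replace(tmp_name, self.path)      # atomic on POSIX and NTFS
            time.sleep(0.01)


def demo(guarded=True):
    """Run the probe against a file in a temp dir; guarded=False has no watchdog."""
    payload = b"constructed stand-in for wbemess.dll"
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "wbemess.dll")
        with open(target, "wb") as f:
            f.write(payload)
        guardian = Guardian(target, payload) if guarded else None
        if guardian:
            guardian.start()
        result = probe_respawn(target, timeout=1.0)
        if guardian:
            guardian.halt.set()
            guardian.join()
        return result


if __name__ == "__main__":
    print("with watchdog:   ", demo(guarded=True))
    print("without watchdog:", demo(guarded=False))
```

On a real case the probe would be pointed at the actual file from an offline boot environment first (where no watchdog is running, so it should report no respawn) and then from the live system; the difference between the two runs is what tells you a resident component is doing the restoring.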
 

Fiery

Level 1
Jan 11, 2011
2,007
Hi, welcome to MT!

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Download & SAVE to your Desktop RogueKiller or from here
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
    Exit/Close RogueKiller+
 

Papirus

New Member
Thread author
Verified
Dec 25, 2012
19
I have run both AdwCleaner and RogueKiller.
I have attached both log files in this reply.

Thanks.
 

Fiery

Level 1
Jan 11, 2011
2,007
Do a scan with adwCleaner and RogueKiller again but this time, click delete. Post both logs after.

Then download a new copy of combofix and run it. Make sure your antivirus is off and install the recovery console when it prompts you to.
 

Papirus

New Member
Thread author
Verified
Dec 25, 2012
19
OK, these were the steps that I did to follow the instructions:
0. Disable Antivirus
1. Search using ADWCleaner [attachment=2941]
2. Select Delete in ADWCleaner after the search is completed [attachment=2942].
3. Reboot (it asked for a reboot)
4. Scan using RogueKiller
5. Select Delete in RogueKiller after the scan is completed [attachment=2944]
6. Download Combofix from BleepingComputer:
http://www.bleepingcomputer.com/download/combofix/
7. Run Combofix
8. Install Recovery [attachment=2943]
9. Reboot
10. Run McAfee Rootkit Remover, and it somehow still shows it is infected:

Windows build 5.1.2600 x86 Service Pack 3
Checking for updates ...

Now Scanning...
Malware Found --> ZeroAccess trojan detected!!!
--> Registry key: HKEY_CLASSES_ROOT\CLSID\{f3130cdb-aa52-4c3a-ab32-85ffc23af
9c1}\InprocServer32 ( fixed )
--> Malicious file: C:\WINDOWS\system32\wbem\wbemess.dll ( will be deleted a
fter restart )
--> Registry key: HKEY_CLASSES_ROOT\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F
57F}\InprocServer32 ( fixed )
--> Malicious file: C:\WINDOWS\system32\wbem\fastprox.dll ( will be deleted
after restart )
ZeroAccess trojan was cleaned successfully!

Scan Finished

PLEASE REBOOT IMMEDIATELY TO COMPLETE CLEANING.

Other recommendations:
1. Perform full scan with McAfee VirusScan product after reboot.

==================================================

I have attached all the log files from those steps above.

Thanks.
 

Fiery

Level 1
Jan 11, 2011
2,007
Let's see if we can remove it in a separate environment from Windows.

Please print these instructions out so that you know what you are doing.
  • Download OTLPENet.exe to your desktop
  • Download Farbar Recovery Scan Tool and save it to a flash drive.
  • Download List Parts and save it to the flash drive also.
  • Ensure that you have a blank CD in the drive
  • Double click OTLPENet.exe and this will then open imgburn to burn the file to CD
  • Reboot your system using the boot CD you just created.
    Note : If you do not know how to set your computer to boot from CD follow the steps here
  • Wait for the CD to detect your hardware and load the operating system
  • Your system should now display a Reatogo desktop
    Note : as you are running from CD it is not exactly speedy
  • Insert the USB with FRST
  • Locate the flash drive with FRST and double click
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
  • Next click List Parts and then click Scan
    It will make a log Results.txt on the flash drive. Please copy and paste it to your reply.
 

Fiery

Level 1
Jan 11, 2011
2,007
Also note that asking help on multiple sites will hinder and delay the removal process. Please choose to stick with one site in order to make it more efficient.

Thanks
 

Papirus

New Member
Thread author
Verified
Dec 25, 2012
19
Fiery said:
Also note that asking help on multiple sites will hinder and delay the removal process. Please choose to stick with one site in order to make it more efficient.

Thanks

Yup, thanks for the reminder; the other request is dormant now. I submitted it, then realized that the other forum does not want me to use HijackThis or ComboFix logs. So I figured that my thread would be deleted because I did not follow the forum rules.

OK, I got the scan log file from those tools:
1. Reboot from CD and run REATOGO O/S
2. Scan (without Fix) the system using FarBar recovery scan tool [attachment=2948]
3. Scan the hard drive partitions using List Part tool [attachment=2949]

Should I use the Fix option in FarBar?

Thanks.
 

Fiery

Level 1
Jan 11, 2011
2,007
Hi there, we will be using the Fix option but first we have to create a script.

On a different computer, Open notepad and copy & paste the following:
ShortcutTarget: Task Manager.lnk -> C:\I386\SYSTEM32\taskmgr.exe (No File)
Tcpip\Parameters: [DhcpNameServer] 68.94.156.1 68.94.157.1
2008-12-28 20:19 - 2008-12-28 20:19 - 00000000 __AHD C:\Documents and Settings\Sam\Local Settings\Application Data\ktuMujuZGe
2008-12-28 20:19 - 2008-12-28 20:19 - 00000000 ___HD C:\Documents and Settings\Sam\Local Settings\Application Data\snzWc8mxIS51Rep
2008-12-28 01:50 - 2008-12-28 19:05 - 00021896 ____A C:\Documents and Settings\Sam\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

and save it as fixlist.txt onto your flash drive. Boot to OTLPE again, plug in your flash drive, open FRST and click Fix. Please post the log that it creates.

Next, on the main REATOGO Desktop locate a program call OTL or OTLPE


Double-click it and OTL will start. Under Custom Scan/Fixes copy and paste the following:
/md5start
services.exe
/md5stop
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
  • Please post the contents of these 2 Notepad files in your next reply.
 

Papirus

New Member
Thread author
Verified
Dec 25, 2012
19
OK, I have done the following steps:

1. Reboot using OTLPE
2. Run FRST and select Fix (no scan this time) - [attachment=2958]
3. Close FRST
4. Run OTLPE from desktop
5. Select "Yes" to "Do you wish to load remote user profile for scanning?" question.
6. Highlight "Sam" profile
7. Check the "Automatically Load All Remaining Users?" option.
8. Click "OK" button
9. Paste the following text inside the custom scans/fixes textfield:
/md5start
services.exe
/md5stop
10. Check the "Use Safelist" under Extra Registry area
11. There is no option to select "Scan all users" so nothing is done here. Also the File Age drop down is defaulted to 30 days.
12. Click "Run Scan" button and generate the scan output as listed below:
[attachment=2959]
[attachment=2960]

Thanks.
 

Fiery

Level 1
Jan 11, 2011
2,007
Hi,

Open OTL in OTLPE again. Under custom scan/fixes, copy and paste the following:
Code:
:OTL
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
[2008/12/28 02:51:46 | 000,000,050 | ---- | C] () -- C:\WINDOWS\qwimp.ini
@Alternate Data Stream - 1222 bytes -> C:\Documents and Settings\Sam\Cookies:QoSnn4svZRg0sohAo8188UBZpx4
@Alternate Data Stream - 1215 bytes -> C:\Documents and Settings\All Users\Application Data\DRM:QbNt0gB8Ra30H67Cd
@Alternate Data Stream - 1206 bytes -> C:\Program Files\Common Files\MSN:52qkdIvvrQxpOwOXeG

:Files
ipconfig /flushdns /c

:Commands
[EMPTYTEMP]
[RESETHOSTS]

Then click Run Fix. Post the log afterwards.

After, download HitmanPro:
  • This step can be performed in Normal Mode, so please download the latest official version of HitmanPro from the HitmanPro download page: http://www.surfright.nl/en/downloads (this link will open a download page in a new window from where you can download HitmanPro).
  • Double click on the previously downloaded file to start the HitmanPro installation.
    If you are experiencing problems while trying to start HitmanPro, you can use the "Force Breach" mode. To start this program in Force Breach mode, hold down the left CTRL key when you start HitmanPro and all non-essential processes are terminated, including the malware process. (How to start HitmanPro in Force Breach mode - Video: http://www.youtube.com/watch?feature=player_embedded&v=m6eRWTv2STk)
  • Click on Next to install HitmanPro on your system.
  • The setup screen is displayed, from which you can decide whether you wish to install HitmanPro on your machine or just perform a one-time scan; select an option, then click on Next to start a system scan.
  • HitmanPro will start scanning your system for malicious files. Depending on the size of your hard drive and the performance of your computer, this step will take several minutes.
  • Once the scan is complete, a screen displaying all the malicious files that the program found will be shown. After reviewing each malicious object, click Next.
  • Click Activate free license to start the free 30 days trial and remove the malicious files.
  • HitmanPro will now start removing the infected objects, and in some instances may suggest a reboot in order to completely remove the malware from your system. In this scenario, always confirm the reboot action to be on the safe side.
 

Papirus

New Member
Thread author
Verified
Dec 25, 2012
19
Hi,

I am not sure where I should run HitmanPro. I assume it should be within the OTLPE environment too. By the way, by Normal Mode do you mean that I can run it in the standard Windows environment (with the rootkit running)?

At any rate, I have the first log file that I got using the "Run Fix" option in OTLPE and the code that you provided [attachment=2977].

I tried to run it in OTLPE, but I guess it only scans the CD instead of the C drive. So I ran it again in the regular Windows environment with the rootkit running, and it does not find anything (just tracking cookies).

I have attached the log here. [attachment=2978]

Thanks.
 

Papirus

New Member
Thread author
Verified
Dec 25, 2012
19
I forgot to mention that the McAfee Rootkit Remover tool still finds ZeroAccess after I ran HitmanPro. This is really the nastiest virus I have ever found.
 

Fiery

Level 1
Jan 11, 2011
2,007
Hi,

In the future, make a new post rather than editing your original so I get a notification :)

Boot to OTLPE and open OTLPE again. Under custom scan, copy and paste the following

netsvcs
msconfig
safebootminimal
safebootnetwork
activex
drivers32
DRIVES
CREATERESTOREPOINT
%SYSTEMDRIVE%\*.*
%USERPROFILE%\*.*
%USERPROFILE%\Application Data\*.*
%USERPROFILE%\Application Data\*.
%USERPROFILE%\Local Settings\*.*
%USERPROFILE%\Local Settings\temp\*.exe
%USERPROFILE%\Local Settings\Temporary Internet Files\*.exe
%USERPROFILE%\Local Settings\Application Data\*.*
%AllUsersProfile%\*.*
%AllUsersProfile%\Application Data\*.*
%AllUsersProfile%\Application Data\*.
%AllUsersProfile%\Application Data\Local Settings\*.*
%AllUsersProfile%\Application Data\Local Settings\Temp\*.exe
%ALLUSERSPROFILE%\Documents\My Music\*.exe
%ALLUSERSPROFILE%\Documents\My Pictures\*.exe
%ALLUSERSPROFILE%\Documents\My Videos\*.exe
%ALLUSERSPROFILE%\Documents\*.exe
%USERPROFILE%\My Documents\*.*
%CommonProgramFiles%\*.*
%CommonProgramFiles%\ComObjects*.*
%PROGRAMFILES%\*.*
%PROGRAMFILES%\*.
%systemroot%\system32\config\systemprofile\*.*
%systemroot%\system32\config\systemprofile\Application Data\*.*
%systemroot%\system32\config\systemprofile\\Local Settings\*.*
%systemroot%\system32\config\systemprofile\\Local Settings\Application Data\*.*
%systemroot%\system32\config\systemprofile\\Local Settings\Temp\*.exe
%systemroot%\system32\config\systemprofile\\Local Settings\Temporary Internet Files\*.exe
C:\Documents and Settings\LocalService\Application Data\*.*
C:\Documents and Settings\LocalService\Local Settings\Application Data\*.*
C:\Documents and Settings\LocalService\Local Settings\temp\*.exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\*.exe
C:\Documents and Settings\LocalService\Local Settings\*.*
C:\Documents and Settings\LocalService\*.*
C:\Documents and Settings\NetworkService\Application Data\*.*
C:\Documents and Settings\NetworkService\Local Settings\Application Data\*.*
C:\Documents and Settings\NetworkService\Local Settings\temp\*.exe
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\*.exe
C:\Documents and Settings\NetworkService\Local Settings\*.*
C:\Documents and Settings\NetworkService\*.*
%windir%\temp\*.exe
%windir%\*.
%windir%\installer\*.
%windir%\system32\*.
%Temp%\smtmp\1\*.*
%Temp%\smtmp\2\*.*
%Temp%\smtmp\3\*.*
%Temp%\smtmp\4\*.*
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /90
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\*. /rp /s
%systemroot%\assembly\tmp\*.* /S /MD5
%systemroot%\assembly\temp\*.* /S /MD5
%systemroot%\assembly\GAC\*.ini
%systemroot%\assembly\GAC_32\*.ini
%SystemRoot%\assembly\GAC_MSIL\*.ini
wsSystemRoot|l,n,u,@;True;False;True;$,{ /fn
%systemdrive%\$Recycle.Bin|@;true;true;true /fp
HKEY_CLASSES_ROOT\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24} /s
HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} /s
HKEY_CURRENT_USER\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} /s
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} /s
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} /s
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8} /s
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24} /s
HKEY_CLASSES_ROOT\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F} /s
HKEY_CLASSES_ROOT\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9} /s
HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9} /s
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F} /s
HKEY_CURRENT_USER\Software\Classes\clsid\{12d0253a-7c96-815c-11e0-3034bbd97cc0}] /s
HKEY_CURRENT_USER\Software\MSOLoad /s
fastprox.dll
wbemess.dll
/md5start
eventlog.dll
fastprox.dll
wbemess.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
consrv.dll
services.exe
svchost.exe
explorer.exe
userinit.exe
winlogon.exe
smss.exe
lsass.exe
atapi.sys
iaStor.sys
serial.sys
disk.sys
volsnap.sys
redbook.sys
i8042prt.sys
afd.sys
netbt.sys
tcpip.sys
ipsec.sys
hlp.dat
str.sys
crexv.ocx
asr_nsta.dll
/md5stop

  • Click the Scan All Users checkbox.
  • Change Standard Registry to All
  • Check the boxes beside LOP Check and Purity Check
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
  • Please post the contents of these 2 Notepad files in your next reply.
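Two of the checks in this thread can be reproduced offline against a registry export and a copy of the system32 tree: the McAfee output in the first post flags CLSIDs whose InprocServer32 entry loads wbemess.dll or fastprox.dll, and the `/md5start` ... `/md5stop` block in the OTL script above hashes a list of core system files so they can be compared with known-good values. The script below is an added example, not code from OTL, McAfee or the thread. It parses a REGEDIT4-style export of the two CLSIDs named in the McAfee output, compares each InprocServer32 path and the hash of the file it points to against a baseline, and separately verifies a filename-to-MD5 manifest for a directory. The export text, on-disk files and baseline hashes in `demo()` are constructed; on a real case the baseline must come from a clean install at the same service-pack level, and the `C:\EXAMPLE_REDIRECT` path is a placeholder.

```python
# Added example (not from the thread or its tools): offline baseline checks for
# COM InprocServer32 targets and for an MD5 manifest of system files.
import hashlib
import os
import re
import tempfile

CLSID_KEY = re.compile(
    r"^\[HKEY_CLASSES_ROOT\\CLSID\\(\{[0-9a-f-]{36}\})\\InprocServer32\]$", re.I)
DEFAULT_VALUE = re.compile(r'^@="(.*)"$')


def md5_of(path):
    """MD5 of a file; MD5 only because that is what the OTL /md5 baseline uses."""
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()


def parse_inprocserver32(reg_text):
    """Map lowercase CLSID -> default value of its InprocServer32 key (REGEDIT4 text)."""
    servers, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = CLSID_KEY.match(line)
        if key:
            current = key.group(1).lower()
            continue
        if line.startswith("["):             # any other key ends the section
            current = None
            continue
        val = DEFAULT_VALUE.match(line)
        if val and current:                  # REGEDIT4 escapes \ as \\ and " as \"
            servers[current] = val.group(1).replace('\\\\', '\\').replace('\\"', '"')
    return servers


def check_com_servers(reg_text, baseline, resolve):
    """baseline: clsid -> (expected_path, expected_md5); resolve: registry path -> disk path.
    Returns {clsid: reason} for each CLSID deviating from the baseline."""
    findings, actual = {}, parse_inprocserver32(reg_text)
    for clsid, (exp_path, exp_md5) in baseline.items():
        path = actual.get(clsid)
        if path is None:
            findings[clsid] = "missing"          # key absent from the export
        elif path.lower() != exp_path.lower():
            findings[clsid] = "redirected"       # same CLSID, different DLL: COM hijack
        elif not os.path.exists(resolve(path)):
            findings[clsid] = "file-missing"
        elif md5_of(resolve(path)) != exp_md5:
            findings[clsid] = "replaced"         # right path, wrong bytes
    return findings


def verify_manifest(directory, manifest):
    """manifest: filename -> expected md5 (the /md5start list). Returns {name: reason}."""
    findings = {}
    for name, exp_md5 in manifest.items():
        path = os.path.join(directory, name)
        if not os.path.exists(path):
            findings[name] = "missing"
        elif md5_of(path) != exp_md5:
            findings[name] = "modified"
    return findings


# Constructed export: first CLSID still points at its expected path, second was redirected.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32]
@="C:\\WINDOWS\\system32\\wbem\\wbemess.dll"
"ThreadingModel"="Both"

[HKEY_CLASSES_ROOT\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32]
@="C:\\EXAMPLE_REDIRECT\\fastprox.dll"
"ThreadingModel"="Both"
"""


def demo():
    """Build a stand-in wbem directory and run both checks; returns (com, files)."""
    clean = {"wbemess.dll": b"clean wbemess", "fastprox.dll": b"clean fastprox",
             "services.exe": b"clean services", "svchost.exe": b"clean svchost"}
    on_disk = {**clean, "wbemess.dll": b"TAMPERED wbemess"}   # replaced in place
    del on_disk["svchost.exe"]                                # and one file gone
    manifest = {n: hashlib.md5(b).hexdigest() for n, b in clean.items()}
    baseline = {
        "{f3130cdb-aa52-4c3a-ab32-85ffc23af9c1}":
            (r"C:\WINDOWS\system32\wbem\wbemess.dll", manifest["wbemess.dll"]),
        "{5839fca9-774d-42a1-acda-d6a79037f57f}":
            (r"C:\WINDOWS\system32\wbem\fastprox.dll", manifest["fastprox.dll"]),
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in on_disk.items():
            with open(os.path.join(tmp, name), "wb") as f:
                f.write(data)
        # Map any registry path onto the stand-in directory by its file name.
        resolve = lambda p: os.path.join(tmp, p.replace("\\", "/").rsplit("/", 1)[-1])
        return (check_com_servers(SAMPLE_EXPORT, baseline, resolve),
                verify_manifest(tmp, manifest))


if __name__ == "__main__":
    com, files = demo()
    print("COM server deviations:", com)    # wbemess replaced, fastprox redirected
    print("Manifest deviations:  ", files)  # wbemess modified, svchost missing
```

The two failure modes the COM check separates matter for cleanup: a "redirected" CLSID is fixed by restoring the registry value, while a "replaced" file at the correct path needs the binary itself restored from a trusted source, which is why a path-only comparison (or a hash-only one) is not enough on its own.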
 

Papirus

New Member
Thread author
Verified
Dec 25, 2012
19
OK.

I still get confused when you say "Click the Scan All Users checkbox" in OTLPE. There is no such option in the OTLPE version that I have.

I have to select "Yes" on the "Do you wish to load remote user profile for scanning?" question. Then I highlighted the "Sam" profile on the next popup window, then checked the "Automatically Load All Remaining Users?" option and clicked OK.

After those steps I get to the main window, and all the other options you mentioned are available on that window. Could you let me know if I am doing it incorrectly by following the above steps?

At any rate, I have run the scan again in OTL using OTLPE, and using the custom scan script you provided. Below are the OTL and Extra log files. [attachment=2983] [attachment=2984]

I also have another problem now. The ZeroAccess rootkit has disabled my network drive now. I cannot connect to the internet. I think it happened because I ran the computer too long (I was running Comodo Cleaning Essentials when it disabled the network).

Could you also help with enabling the network? It says that it cannot get the IP address even though it has one. I used ipconfig /renew but it fails. I am at a loss on how to recover the network part.

Thanks.
 

Fiery

Level 1
Jan 11, 2011
2,007
Hi,

Sorry about the instructions. The steps you took were correct. Your logs are not showing any malware, which is odd.

Open OTLPE. Under custom scan/fixes, copy and paste the following:

:OTL
ActiveX: {E81659DF-28E1-4C60-B4B9-00A4BC5FA76D} - Q316059
[2002/04/24 13:32:17 | 000,311,912 | ---- | C] () -- C:\WINDOWS\Q320174.exe
[2002/04/24 13:32:14 | 002,931,304 | ---- | C] () -- C:\WINDOWS\Q317277.exe
[2002/04/24 13:32:13 | 000,621,672 | ---- | C] () -- C:\WINDOWS\Q316134.exe
[2002/04/24 13:32:11 | 000,487,016 | ---- | C] () -- C:\WINDOWS\Q315403.EXE
[2002/04/24 13:32:10 | 000,599,144 | ---- | C] () -- C:\WINDOWS\Q315000.EXE
[2002/04/24 13:32:10 | 000,234,088 | ---- | C] () -- C:\WINDOWS\Q314147.exe
[2002/04/24 13:32:09 | 000,605,288 | ---- | C] () -- C:\WINDOWS\Q312368.EXE
[2002/04/24 13:32:09 | 000,329,320 | ---- | C] () -- C:\WINDOWS\Q312131.exe
[2002/04/24 13:32:08 | 000,290,920 | ---- | C] () -- C:\WINDOWS\Q311889.EXE
[2002/04/24 13:32:06 | 002,039,400 | ---- | C] () -- C:\WINDOWS\Q309521.exe
[2002/04/24 13:32:06 | 000,474,728 | ---- | C] () -- C:\WINDOWS\Q308677.EXE
[2002/04/24 13:32:06 | 000,162,920 | ---- | C] () -- C:\WINDOWS\Q309056.exe
[2002/04/24 13:32:05 | 000,359,016 | ---- | C] () -- C:\WINDOWS\Q308402.EXE
[2002/04/24 13:32:05 | 000,188,520 | ---- | C] () -- C:\WINDOWS\Q307274.exe
[2002/04/24 13:32:05 | 000,159,336 | ---- | C] () -- C:\WINDOWS\Q307271.exe
[2002/04/24 13:32:04 | 000,240,232 | ---- | C] () -- C:\WINDOWS\Q306583.exe


:Files
C:\Documents and Settings\Sam\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
ipconfig /flushdns /c

:Commands
[EMPTYTEMP]
[RESETHOSTS]

Then click Run Fix. Post the log afterwards.


Next, run FRST again. Make sure all the boxes are checked before you click scan.

After, please download Farbar Service Scanner and run it in the standard windows environment.
  • Check all the boxes.
  • Press Scan.
  • It will create a log FSS.txt in the same directory the tool is run.
  • Please copy and paste the log to your reply.
 

Papirus

New Member
Thread author
Verified
Dec 25, 2012
19
Hi,

Thanks for the confirmation.

In regards to the network problem, I think I might have caused the problems too... I ran the autorun from Comodo and unchecked all entries with "no file found" problems. Maybe I should check them all back? However, the OTLPE fix showed network system files missing instead... I am not sure now.

At any rate, I have run the fix tool using OTLPE and the script you provided in the OTL env. I have attached the log here. [attachment=2991]

Then I ran FRST again in OTLPE (and within the OTL env) and here is the log. [attachment=2988]

Then I ran FSS in OTLPE (and within the OTL env) and here is the log, just for double-check purposes. [attachment=2989]

Lastly I ran FSS in Windows normal mode and here is the log. [attachment=2990]

One quick note: I can connect to the internet inside OTL (I guess it has the network system files set up correctly there).

Thanks.
 

Fiery

Level 1
Jan 11, 2011
2,007
Hi,

Please download ServicesRepair and save it to your desktop.

  • Double-click ServicesRepair.exe
  • If security notifications appear, click Continue or Run and then click Yes when asked if you want to proceed.
  • Once the tool has finished, you will be prompted to restart your computer. Click Yes to restart.

Then, delete the fixlist.txt on your flash drive and make a new one.

Open notepad and copy & paste the following:

HKLM\...\Run: [nwiz] nwiz.exe /install [x]
3 MFE_RR; \??\C:\DOCUME~1\Sam\LOCALS~1\Temp\mfe_rr.sys [x]

and save it as fixlist.txt onto your flash drive.

Then, boot to system recovery, plug in your flash drive, open FRST and click fix. Post the generated log.

=============================
Open OTLPE. Under custom scan/fixes, copy and paste the following:

:OTL
O4 - Startup: C:\Documents and Settings\Sam\Start Menu\Programs\Startup\Task Manager.lnk = X:\I386\SYSTEM32\TASKMGR.EXE (Microsoft Corporation)
[2008/12/28 20:19:34 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\DRM

Then click Run Fix. Post the log afterwards.
=============================
Please download a fresh copy of Combofix from here and run it.
 

Papirus

New Member
Thread author
Verified
Dec 25, 2012
19
OK, here is what I did:
1. Run ServicesRepair in Windows Normal mode.
2. Run Fix using FRST in OTL mode and here is the log. [attachment=2993]
3. Run Fix using OTLPE in OTL mode and here is the log. [attachment=2994]
4. Finally I ran ComboFix again in Windows Normal mode and here is the log. [attachment=2995]

Network is still not working at this time.

Thanks.
 
