ZeroAccess Rootkit

xephyria

New Member
Thread author
Sep 30, 2011
12
Hi Jack, I just saw your reply this morning. I tried the fix in OTL twice in safe mode, but once I clicked on Run Fix and left it there for almost 2 hours, it wasn't responding.

I installed KRD on my USB from another computer and it is still scanning my laptop at the moment.
 

win7holic

New Member
Apr 20, 2011
2,079
After scanning with KRD, if you are still worried about malicious files on your PC, then start Windows in safe mode with networking.
Then download and scan with Malwarebytes and HitmanPro.
Good luck to you. ;)
 

Deleted member 178

win7holic said:
After scanning with KRD, if you are still worried about malicious files on your PC, then start Windows in safe mode with networking.
Then download and scan with Malwarebytes and HitmanPro.

Normally he should be OK with all that.
 

Jack

Administrator
Verified
Staff Member
Well-known
Jan 24, 2011
9,378
xephyria said:
Hi Jack, I just saw your reply this morning. I tried the fix in OTL twice in safe mode, but once I clicked on Run Fix and left it there for almost 2 hours, it wasn't responding.
Did you rename the OTL .exe to iExplorer.exe before running it?
Here is the code:

Code:
:OTL
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3987451672-638147033-4213727604-1004\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3987451672-638147033-4213727604-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.1.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{7C60CD6A-A8B0-4CAC-9C11-C4EBF776D116}: DhcpNameServer = 10.1.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{9A30652C-DA78-4742-80DC-9F48B0C2DF81}: DhcpNameServer = 10.176.66.71 10.188.66.103
[2011/10/01 21:09:03 | 000,009,728 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/10/01 21:09:03 | 000,009,728 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/10/02 00:26:13 | 000,000,000 | ---- | M] () -- C:\Windows\207992514
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
[2011/10/01 21:01:37 | 000,000,370 | ---- | M] () -- C:\Windows\tasks\RegCure Startup.job
[2011/09/24 03:00:00 | 000,000,378 | ---- | M] () -- C:\Windows\tasks\RegCure.job
:Services
:Reg
:Files
:Commands
[resethosts]
[emptytemp]
[emptyflash]
[createrestorepoint]
[reboot]
Kaspersky should detect this rootkit... don't forget to post the log of the scan after it finishes :p.
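The OTL fix above is a list of locations to clean, but it gives no way to look at those locations before (or after) running it. The script below is an added example, not code from the thread, from OTL or from any of the tools mentioned: it is a read-only PowerShell triage that enumerates the same places the fix touches (the O7 Internet Explorer and NoDrives policy keys in every loaded user hive, the O17 DHCP DNS server values, hidden GUID-named and *.tmp files in System32, numeric zero-byte files directly under C:\Windows, legacy .job scheduled tasks, and the hosts file that [resethosts] would rewrite) and prints what it finds. It assumes an elevated PowerShell 3.0 or later prompt on the machine under review; the GUID file-name pattern and the numeric-file-name pattern are generalisations of the entries in the OTL list, and every hit still has to be judged by a person, since none of these locations is malicious by itself.

```powershell
# Added read-only triage script (not part of the thread or of OTL).
# Collects findings from the locations named in the OTL fix and prints a table;
# it changes nothing on the system.

$report = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Category, [string]$Location, [string]$Detail) {
    $report.Add([pscustomobject]@{ Category = $Category; Location = $Location; Detail = $Detail })
}

# 1. O7 entries: IE Control Panel policy keys and the Explorer NoDrives value in
#    every loaded user hive (HKU\.DEFAULT, service SIDs, interactive user SIDs).
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
foreach ($hive in Get-ChildItem 'HKU:\' -ErrorAction SilentlyContinue) {
    $sid = $hive.PSChildName
    if ($sid -like '*_Classes') { continue }          # skip the merged COM class hives
    $iePol = "HKU:\$sid\Software\Policies\Microsoft\Internet Explorer\Control Panel"
    if (Test-Path $iePol) {
        $names = (Get-Item $iePol).Property -join ', '
        Add-Finding 'O7 IE policy' $iePol "present; values: $names"
    }
    $expPol = "HKU:\$sid\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer"
    $noDrives = (Get-ItemProperty $expPol -Name NoDrives -ErrorAction SilentlyContinue).NoDrives
    if ($null -ne $noDrives) {
        Add-Finding 'O7 NoDrives' $expPol "NoDrives = $noDrives"
    }
}

# 2. O17 entries: DNS servers, global and per interface. A DNS server you do not
#    recognise is worth a look, because it decides where every name lookup goes.
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$global = Get-ItemProperty $tcpip -ErrorAction SilentlyContinue
foreach ($name in 'NameServer', 'DhcpNameServer') {
    if ($global.$name) { Add-Finding 'O17 DNS' $tcpip "$name = $($global.$name)" }
}
foreach ($if in Get-ChildItem "$tcpip\Interfaces" -ErrorAction SilentlyContinue) {
    $p = Get-ItemProperty $if.PSPath
    foreach ($name in 'NameServer', 'DhcpNameServer') {
        if ($p.$name) { Add-Finding 'O17 DNS' $if.PSPath "$name = $($p.$name)" }
    }
}

# 3. File indicators generalised from the OTL list: hidden System32 files named
#    <GUID>-<n>P-<n>.<GUID>, stray *.tmp files in System32, zero-byte files with
#    purely numeric names directly under the Windows folder, legacy .job tasks.
$sys32 = Join-Path $env:SystemRoot 'System32'
$guid  = '[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}'
Get-ChildItem $sys32 -File -Force -ErrorAction SilentlyContinue |
    Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0 } |
    Where-Object { $_.Name -match "^$guid-\d+P-\d+\.$guid$" } |
    ForEach-Object { Add-Finding 'Hidden GUID-named file' $_.FullName "$($_.Length) bytes, modified $($_.LastWriteTime)" }
Get-ChildItem $sys32 -Filter '*.tmp' -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'System32 *.tmp' $_.FullName "$($_.Length) bytes" }
Get-ChildItem $env:SystemRoot -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^\d+$' -and $_.Length -eq 0 } |
    ForEach-Object { Add-Finding 'Numeric zero-byte file' $_.FullName "modified $($_.LastWriteTime)" }
Get-ChildItem (Join-Path $env:SystemRoot 'Tasks') -Filter '*.job' -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'Legacy .job task' $_.FullName "$($_.Length) bytes, modified $($_.LastWriteTime)" }

# 4. hosts file: [resethosts] in the OTL fix overwrites it, so record every active
#    line first; anything beyond the localhost entries is a redirection to review.
$hosts = Join-Path $sys32 'drivers\etc\hosts'
Get-Content $hosts -ErrorAction SilentlyContinue |
    Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' } |
    ForEach-Object { Add-Finding 'hosts entry' $hosts $_ }

$report | Format-Table -AutoSize -Wrap
```

Save the output before running any cleanup so there is a record of what was changed; run the script again afterwards and compare the two tables to confirm the O7 keys, the .job files and any unexpected DNS servers are gone. The OTL script itself should still be run only as the helper posted it, since the file lines in it are specific to this machine.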
 

xephyria

New Member
Thread author
Sep 30, 2011
12
Yea, I renamed it to iexplorer.exe, but it still froze.

Anyway, I tried KRD. It took about 5 hours to scan, but I think it might have gotten rid of that nasty bug. I reinstalled HitmanPro, it worked this time and nothing was detected. Malwarebytes' Anti-Malware cleared the scan too. AVG 2012 detected 10 hooks I think and I got rid of that. TDSSKiller also did not detect anything. I am downloading Dr. Web's CureIt at the moment, and I will post the log once it's done :)
 

Deleted member 178

Good, I think you removed it. If HMP and MBAM detect nothing and are not killed, that means you succeeded.

:D
 

xephyria

New Member
Thread author
Sep 30, 2011
12
I guess my laptop is clean now; the express scan from CureIt did not detect anything. The complete scan has been running for 10.5 hrs and, judging by the loading bar, it will probably take another 30 hrs!! :dash1: So I think I won't be posting the log.

Thanks everyone for your help! I will come back again if I need help :)
 

Deleted member 178

No problem. You can read the many security topics on this forum on how to secure your system and never have this kind of issue.
 

SaltyOldDog

New Member
Mar 14, 2012
7
I think your only hope is to re-try the Kaspersky Rescue Disk (KRD) route. Ask a friend/workmate/family member to download the software for you and, as win7holic suggested, put it on a bootable USB by following the instructions at http://support.kaspersky.com/faq/?qid=208282163. Insert the bootable USB drive, make sure the boot sequence in your BIOS is set to boot from a USB device before the hard disk, and run KRD. Since this route avoids any use of your infected operating system, you should be able to run the scan and get rid of the malware. However, see the warning I posted at 04:39 pm today.

Good luck.
 
