Help quick please! Rootkit problems!

thecomputerguy

I have 3 computers in the shop, all infected with the same nasty nasty rootkit. Combofix picks it up as Rootkit.ZeroAccess

After getting these computers cleaned and finally booting and running mbam etc., all three of them have the same issue.

They won't pick up an IP from our network! It just sits there going back and forth and never picks up an IP. I've tried release, renew, uninstall tcpip, new NIC, winsock ... it's definitely some weird software problem.

Help!
 
Make sure you got it all; you might have missed something... This thread is a good one on ZeroAccess.

If not in that thread, also be sure to check Non-Plug and Play devices in devman to ensure there's nothing in there...
 
I have repaired a few just today. I don't usually recommend anything from Symantec, but search Google for FixTDSS (not TDSSKiller); run that and it should get you back up and running. I then run ComboFix and Malwarebytes, then continue with normal cleanup.
 
Credit to FoolishTech :
Author of D7, a free PC technician's multi-tool.
www.FoolishIT.com

****************************************

For anyone else following the thread, here’s my removal procedure for now which has been working for me:

1. Fire up D7, click the D7 menu > IFEO Modifier. Find and select the rogue executable(s) in the drop down list. (e.g. 123587654:12987432.exe, but could be others in addition - I'm seeing a new variant this morning that doesn't use ADS...) Hit the CREATE button. Now it won’t be able to execute itself and stop you from standard removal.

2. DO NOT DELETE THE MALWARE YET. SIMPLY REBOOT THE PC. (When the PC reboots you’ll note the malicious EXE is no longer running.)

3. Use TDSSKiller and cure anything it finds. Alternatively, there are a few specific tools for this that may be useful to add to your flash drive. I have not yet used them, but note that neither tool does step 7 below, so don’t skip that final step! http://anywhere.webrootcloudav.com/antizeroaccess.exe and http://www.malwarecity.com/community...ds&showfile=34

4. REBOOT AGAIN.

NOTE: I haven't seen this infection in the MBR yet, but who knows, a new variant may come out and infect this... so now would be a good time to FIXMBR. Currently this step isn't necessary, however.

5. Open D7, go to Tweaks tab > NTFS Junctions. Scan the Windows directory. When found, you should see one junction probably named $NtUninstallKB32069$ or similar. Highlight the directory, click Destroy Junction. When prompted, delete the directory underneath, unless you wish to visually inspect it. Now the malware is really gone.

6. Follow up with the usual scans as if it were a normal infection. Don't forget to delete the random numbers directory containing the ADS in %windir% (e.g. 123587654) if it exists, and the other rogue EXEs you created an IFEO for.

7. Run the Repair Permissions function on D7’s malware or repair tab. This fixes all of the ACL problems caused by the malware, should fix the antivirus (confirm it), and also MSSE installation or any other Installer error 2203’s that would otherwise occur.
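For anyone who wants to confirm what the procedure above is removing before (and after) running it, here is a read-only PowerShell triage script. It is an added example, not D7 code and not from FoolishTech; the function names are mine. It lists IFEO Debugger entries (the same registry value D7's IFEO Modifier creates, which malware also abuses to hijack legitimate programs), reparse points directly under %windir% (step 5's junction), and alternate data streams on all-digit directory names under %windir% (step 6's ADS). It assumes an elevated PowerShell 3.0+ session and changes nothing.

```powershell
# Added example (not D7 code, not from the thread): read-only triage for the three
# artifact classes the procedure above removes. Run in an elevated PowerShell 3.0+
# session. It only reports; nothing is deleted or changed.

$IfeoKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-IfeoDebuggerEntry {
    # Every IFEO subkey that carries a "Debugger" value. D7's IFEO Modifier adds one
    # to keep the rogue EXE from starting; malware abuses the same value to hijack
    # legitimate programs, so each entry listed here should be explainable.
    Get-ChildItem -Path $IfeoKey -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { [pscustomobject]@{ Image = $_.PSChildName; Debugger = $dbg } }
    }
}

function Get-WindirJunction {
    # Reparse points (junctions/symlinks) directly under %windir%. Step 5's
    # $NtUninstallKB32069$-style junction would show up here.
    Get-ChildItem -Path $env:windir -Directory -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path    = $_.FullName
                Target  = $_.Target        # populated on PowerShell 5.1+, otherwise $null
                Created = $_.CreationTime
            }
        }
}

function Get-WindirNumericDirStream {
    # Step 6's "random numbers directory": an all-digit directory name under %windir%
    # with the payload stored as an alternate data stream on the directory itself
    # (e.g. 123587654:12987432.exe). Lists every non-default stream on such directories.
    Get-ChildItem -Path $env:windir -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object {
            Get-Item -Path $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{ Directory = $_.FileName; Stream = $_.Stream; Bytes = $_.Length }
                }
        }
}

function Invoke-ZeroAccessTriage {
    # Collect the three checks into one report object and print each section.
    $report = [ordered]@{
        IfeoDebuggers     = @(Get-IfeoDebuggerEntry)
        WindirJunctions   = @(Get-WindirJunction)
        NumericDirStreams = @(Get-WindirNumericDirStream)
    }
    foreach ($section in $report.Keys) {
        Write-Host ("== {0}: {1} finding(s) ==" -f $section, $report[$section].Count)
        $report[$section] | Format-Table -AutoSize | Out-String | Write-Host
    }
    return $report
}

$null = Invoke-ZeroAccessTriage
```

Run it once before step 1 to see the entries you are about to neutralise, and again after step 7: the only IFEO Debugger entries left should be ones you recognise (D7's own, or none), and the junction and stream sections should be empty. Any junction whose target is outside %windir% deserves a manual look before you destroy it.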

 
Thanks for the heads up. Not aimed at the poster but I hope every user of D7 is donating to support the ongoing development of this great program.
 
Just a little extra info: in some cases the infected system files can't be cleaned or removed by TDSSKiller etc. You can replace those files (while the drive is offline) with the same ones from a clean machine with the same OS, especially if the infected .sys is a required file or a used service. You'll still have to make sure you've cleaned all the other malware out as well so they aren't just reinfected. I've used many of the above suggestions and threads to great success; you shouldn't have much of a problem if you follow them.
 
I literally spent all day working on these three computers + 4 others with various other issues + 3 call-outs. I'm tired and bummed because the three rootkits turned into N&P.

:'(
 
Some rootkits pick a semi-random driver to infect. If it's a network driver then this can happen. Often can be solved with SFC, or at least it could in XP, when SFC actually worked and didn't just tell you that it couldn't solve some problems.
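A quick way to check for the "infected network driver" case described above, as an added example that is not from the thread: verify the signatures of the .sys files under %windir%\System32\drivers and cross-reference the drivers behind the NET class devices. A patched driver no longer matches its signature. Function names and the parameter are mine; it assumes an elevated PowerShell 2.0+ session.

```powershell
# Added example (not from the thread): flag driver files whose Authenticode or catalog
# signature does not verify, then list the drivers backing network adapters. A rootkit
# that patched a network driver breaks that file's signature. Run elevated.

function Get-SuspectDriver {
    # Every *.sys under the drivers directory whose signature status is not "Valid".
    param([string]$DriverDir = (Join-Path $env:windir 'System32\drivers'))
    Get-ChildItem -Path $DriverDir -Filter *.sys -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File     = $_.Name
                Status   = $sig.Status          # Valid, NotSigned, HashMismatch, ...
                Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                Modified = $_.LastWriteTime     # a recent timestamp on a core driver is a lead
                Bytes    = $_.Length
            }
        } |
        Where-Object { $_.Status -ne 'Valid' }
}

function Get-NetworkDriverStatus {
    # Which driver package each network adapter is using, and whether PnP considers it
    # signed. Win32_PnPSignedDriver is available on XP SP2 and later.
    Get-WmiObject -Class Win32_PnPSignedDriver -ErrorAction SilentlyContinue |
        Where-Object { $_.DeviceClass -eq 'NET' } |
        Select-Object DeviceName, DriverVersion, DriverProviderName, IsSigned, InfName
}

Get-SuspectDriver        | Format-Table -AutoSize
Get-NetworkDriverStatus  | Format-Table -AutoSize
```

Caveat: on XP and Vista, Get-AuthenticodeSignature does not consult the driver catalogs, so many clean Microsoft drivers report NotSigned there; treat NotSigned as a lead and HashMismatch as the real finding, and confirm with `sfc /verifyonly` (Vista and later) or by comparing the file against the same build on a clean machine, as the post about replacing files offline suggests. A recent LastWriteTime on tcpip.sys, afd.sys, ndis.sys or a NIC vendor driver is worth a look even when the status reads Valid on an older box.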
 
I've been seeing rootkits or ComboFix or whatever removing services. If you go into services, you might find that the DHCP Client service won't start with a 1075 error because services it depends on are missing.

You can fix it one of two ways: system restore to a prior point, or rebuild the services by importing registry keys and fixing any registry/service permission issues. Most commonly, it seems like the "tdx" service is missing. You can find it in HKLM\SYSTEM\CurrentControlSet\Services\
I just fixed one where the Windows Firewall service was missing, then the Base Filtering Engine service was missing... and because of that, McAfee firewall wouldn't start.
 
I just ran into this. It was a consrv.dll infection. I was able to rid the laptop of all infections, what a fight that was! Now the firewall won't start and is missing from the services registry location, along with BFE (Base Filtering Engine).


I hit this thing with everything. D7, tweak.com windows repair, Microsoft fix it. Nothing worked. Tried adding permissions needed for the bfe reg key and got hit by "access denied"

Has anyone figured a way around this part? Having no access to set permissions has stopped me in my tracks.

Sent from my SGH-T989 using Tapatalk
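For the error 1075 / missing "tdx" case and the BFE access-denied case in the two posts above, here is a PowerShell check (an added example, not from the thread or from any of the tools mentioned) that walks a service's DependOnService chain through HKLM\SYSTEM\CurrentControlSet\Services and reports each dependency as present, missing, or access denied, then shows the owner and ACL of a service key so you can see which ACE is blocking you. Function names are mine; it assumes an elevated PowerShell 2.0+ session. The dependency lists it prints should be compared with a clean machine of the same build (on Windows 7 the Dhcp key names Afd, Tdx and NSI; verify that on your own clean image).

```powershell
# Added example (not from the thread): report the dependency chain of a service from
# the registry and the ACL on a service key. Read-only; run elevated.

function Get-ServiceDependencyReport {
    # Recursively resolves DependOnService and reports one row per service reached.
    # RegistryKey is Present / MissingKey / AccessDenied / Error, ScmStatus is what
    # the Service Control Manager currently knows about the service.
    param(
        [Parameter(Mandatory=$true)][string]$ServiceName,
        [hashtable]$Seen = @{}
    )
    if ($Seen.ContainsKey($ServiceName)) { return }
    $Seen[$ServiceName] = $true

    $state = 'Present'; $deps = @(); $err = $null
    try {
        # OpenSubKey returns $null for a missing key and throws SecurityException when
        # the key exists but this account cannot read it, which is the "access denied"
        # symptom rather than a genuinely missing service.
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("SYSTEM\CurrentControlSet\Services\$ServiceName")
        if ($key -eq $null) {
            $state = 'MissingKey'
        } else {
            $deps = @($key.GetValue('DependOnService')) | Where-Object { $_ }
            $key.Close()
        }
    } catch [System.Security.SecurityException] {
        $state = 'AccessDenied'; $err = $_.Exception.Message
    } catch {
        $state = 'Error'; $err = $_.Exception.Message
    }

    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Service     = $ServiceName
        RegistryKey = $state
        ScmStatus   = if ($svc) { $svc.Status.ToString() } else { 'NotRegistered' }
        DependsOn   = ($deps -join ', ')
        Error       = $err
    }
    foreach ($d in $deps) { Get-ServiceDependencyReport -ServiceName $d -Seen $Seen }
}

function Get-ServiceKeyAccess {
    # Owner and access entries on a service key. A Deny ACE, or SYSTEM/Administrators
    # simply absent, is why a repair import or a permissions change fails.
    param([Parameter(Mandatory=$true)][string]$ServiceName)
    $keyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    try {
        $acl = Get-Acl -Path $keyPath -ErrorAction Stop
        [pscustomobject]@{ Service = $ServiceName; Owner = $acl.Owner; Access = $acl.AccessToString }
    } catch {
        [pscustomobject]@{ Service = $ServiceName; Owner = $null; Access = "ERROR: $($_.Exception.Message)" }
    }
}

# DHCP Client (Dhcp), Windows Firewall (MpsSvc) and Base Filtering Engine (BFE) are the
# three services the posts above had trouble with; walk each chain and dump BFE's ACL.
foreach ($name in 'Dhcp', 'MpsSvc', 'BFE') {
    Get-ServiceDependencyReport -ServiceName $name | Format-Table -AutoSize
}
Get-ServiceKeyAccess -ServiceName 'BFE' | Format-List
```

Read the report bottom-up: the first row showing MissingKey or AccessDenied is the one the 1075 error is really about, and the ACL output tells you whether the key needs to be re-imported (MissingKey) or whether ownership and permissions have to be reset first (AccessDenied, a Deny entry, or an owner that is not Administrators or SYSTEM). When a key is missing, export the same key from a clean machine of the same Windows build rather than typing values by hand, since the DependOnService and ImagePath values differ between versions.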
 