Solved

Zero Access infection

Posted on 2013-01-05
11
877 Views
Last Modified: 2013-11-22
This workstation is running Win 7 Pro sp1. Automatic Update wasdisabled so I checked services.msc and discovered the services were missing. I have installed latest versions of rkill, rogue killer, tdsskiller, and malwarebytes. Rogue killer and rkill both report zero access root kit. tdsskiller found no infection. while booted to normal desktop using administrator user account I ran rkill and then ran Malware bytes which stopped responding in the middle of the scan. log files are attached. I have not deleted any files or registry entries yet.
RKreport-1--S-01052013-02d1015.txt
Rkill.txt
0
Comment
Question by:rettif9
  • 5
  • 4
  • 2
11 Comments
 
LVL 90

Expert Comment

by:John Hurst
ID: 38747089
Root kit viruses are very difficult to remove completely (or even remove at all). You have sufficient problem here to warrant backing up, formatting and then doing a fresh install of Windows. Then get a good, paid, commercial antivirus.

..... Thinkpads_User
0
 
LVL 7

Author Comment

by:rettif9
ID: 38747103
@ Thinkpads_user

I do understand your point but this is a business workstation. reconfiguration would require + 4 hours after OS install due to multiple 3rd party softwre. User had allowed AV to lapse. Found related post here; http://www.bleepingcomputer.com/forums/topic449600.html but
atapplies and what doesn't. Would like to attempt repair. please advise
0
 
LVL 7

Author Comment

by:rettif9
ID: 38747107
but (not sure what applies and what doesn't)
0
 
LVL 90

Accepted Solution

by:
John Hurst earned 250 total points
ID: 38747139
Most of the stuff in that article applies. You need to work through each section.

As you can tell from the length of the article and the responses, getting rid of a rootkit can take more time than re-installing Windows.

If you do decide to re-install, do not forget to delete all the partitions on the disk and start again. Otherwise the rootkit will just come back.

Please explain to the user that the damage could take longer to fix than re-installing.

Good luck. ... Thinkpads_User
0
 
LVL 7

Author Comment

by:rettif9
ID: 38747146
@ Thinkpads_User

I've seen a lot of your posts. Usually spot on. Thanks for the advice. I'll get back to you.
0
What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

 
LVL 37

Assisted Solution

by:Gerwin Jansen
Gerwin Jansen earned 250 total points
ID: 38748458
Just a tip: Eset has a remover for zeroaccess / sirefef - see here: http://kb.eset.com/esetkb/index?page=content&id=SOLN2895

Maybe worth a try...
0
 
LVL 7

Author Comment

by:rettif9
ID: 38748759
@ Thinkpads_User and gerwinjansen

I followed the steps in the Bleeping Computer tutorial but Malwarebytes and Combofix (step 4) both stopped responding while running. Next I ran the Eset removal tool mentioned above. After this MS Updates started working but still couldn't run MWB. I noticed that MWB was hanging on a file in the Temporary Internet Files folder so I tried removing using IE which appeared to work but didn't fix the problem. I also tried CCleaner but it ran overnight without finishing. Next I started manually removing files in Temporary Internet Files folder from a command prompt. Then MWB ran to completion without finding anything but 15 risks showed up in Vipre AV (which was installed after lapse of coverage). I realize I can't be sure the system is clean but I think I may have gotten it. I intend to run Eset online scanner as well as running rkill and Rogue Killer again just to see if they come back clean. Do either of you want to see any log files? HJT etc.?
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 38748776
You can never be sure with rootkits because they come back again. If you think the system is working, run it for a while to see if it is stable.
.... Thinkpads_User
0
 
LVL 37

Expert Comment

by:Gerwin Jansen
ID: 38748855
Might be an idea to run a virus scanner from a bootable cd. Avg has one,  as do Comodo, bitdefender and Avira.
0
 
LVL 7

Author Closing Comment

by:rettif9
ID: 38749823
I neglected to mention earlier that I was also reluctant to do a fresh install because the computer has a recovery partition but no Disks. Not insurmountable but it can be difficult to find drivers sometimes.
The Eset online scan found and fixed one more problem, rkill and Rogue Killer both found no issues. Vipre full scan also found nothing. I'll run a CD based scan as suggested above but I think I may have it cleaned up. Thanks for the suggestions.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 38750448
@rettif9 - Thanks for the update. I was happy to help you with this.

.... Thinkpads_User
0

Featured Post

Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

Join & Write a Comment

Suggested Solutions

These are on the increase and getting more common these days. Users who use the Google search engine may complain of having their search redirected to unwanted sites, regardless of what browser is used. This happens when the system is infected with…
Some of the most commonly posted questions in the "Virus & Malware" Zones are related to the family of rogue malware with the date "2012" somewhere in the title. Examples: XP Antispyware 2012 XP Antivirus 2012 XP Security 2012   XP Home Sec…
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

8 Experts available now in Live!

Get 1:1 Help Now