Internet Explorer and Google Chrome redirecting


  • Please log in to reply

#16 Jintan
    Trusted Helper
  • Malware Removal
  • 904 posts
I received the log, thanks. Two things to use Radix for right now.


Open Radix again. Make sure Internet Explorer is running to do this step.

Click the Tools tab, then click the Memory Dumper button. Next to "Dump memory of process" use the dropdown box to bring the following into that window:

IEXPLORE.EXE

Then next to "Dump memory region", type in this information:

01020000

In the area to the right of that, type in this information:

01045000

Make no other changes in that display.

Then under "Save As" click the small folder icon, click the Desktop icon in the display that opens, and name the dumped information as jimmy.dog, and save that to your desktop.

Zip a copy of that file, then send that to me as an attachment, using the same email address and subject please.

-----------

Still in Radix - Tools, use the Browse option (the open folder icon) next to File to check, and see if you can navigate to that:

C:\WINDOWS\system32\vwsrv.exe

If it does show in that view, click the file, then click the Dump hidden file button, and save that .dmp file to your desktop. If you are able to do that, please upload it as per the previous instructions.

----------

If Radix does not show that file, open Gmer again. Once it completes its own initial scan, say No to any messages about running a scan with it, if suggested. Instead click the >>> at the top, then click the Files tab (this will be a slow procedure, so patience is needed).

Place a check next to Only hidden, then again see if you can navigate to that:

C:\WINDOWS\system32\vwsrv.exe

If it shows then, click to highlight the file, then click the Copy button, and save that to your desktop as larry.dog

Then upload that file please.
  • 0


#17 craigrulez
    Member
  • Topic Starter
  • 28 posts
Jintan:

I just sent you the dump file via email.

I also attempted to locate the vwsrv.exe via Radix and Gmer, but both times the file is not in the System32 folder.

Thanks!
  • 0

#18 Jintan
    Trusted Helper
  • Malware Removal
  • 904 posts
I received the file, thanks. Best I can figure, though most of it is non-readable code, is it's an Asus process, or at least not-very-detailed web info suggests that. Don't see Asus in the logs, so perhaps it is part of some Dell function. Red herring for now.

Click here and download Webroot's ZeroAccess/Max++ rootkit remover, transfer that file to the problem computer and click it to run the scan. Follow all prompts that lead to malware removal, including rebooting if needed. It should also create a log file, AntiZeroAccess_Log.txt, located in the same place as the removal tool. Please post that log here for review.
  • 0

#19 craigrulez
    Member
  • Topic Starter
  • 28 posts
Hey Jintan:

Below is the log file from the scan.

Thanks!


Webroot AntiZeroAccess 0.8 Log File
Execution time: 03/12/2011 - 16:11
Host operation System: Windows Xp X86 version 5.1.2600 Service Pack 3
16:11:45 - CheckSystem - Begin to check system...
16:11:45 - OpenRootDrive - Opening system root volume and physical drive....
16:11:45 - C Root Drive: Disk number: 0 Start sector: 0x000139C5 Partition Size: 0x094EAFF8 sectors.
16:11:45 - PrevX Main driver extracted in "C:\WINDOWS\system32\drivers\ZeroAccess.sys".
16:11:46 - InstallAndStartDriver - Unable to start AntiZeroAccess driver. StartService last error: 1084
16:12:24 - StopAndRemoveDriver - AntiZeroAccess Driver is stopped and removed.
16:12:24 - StopAndRemoveDriver - File "ZeroAccess.sys" was deleted!
16:12:24 - Execution Ended!
  • 0

#20 Jintan
    Trusted Helper
  • Malware Removal
  • 904 posts
Something killed it. Back to the drawing board. I'll get back later with some ideas.
  • 0

#21 craigrulez
    Member
  • Topic Starter
  • 28 posts
Sounds great, I really appreciate the time you are putting in on this by the way. If it's as frustrating for you as it is for me, I'm sure you are almost pulling your hair out by now. Lol
  • 0

#22 Jintan
    Trusted Helper
  • Malware Removal
  • 904 posts
Sorry for the delay - thinking cap time.

Click here and download Tigzy's ProtectMyTool.

Start AntiZeroAccess again. When it displays the "Would you like to perform a system scan?" command, click on ProtectMyTool to run that.

In the ProtectMyTool display, place a check next to antizeroaccess.exe, then click the minus sign (-) upper right to minimize ProtectMyTool.

Return to the AntiZeroAccess display, and type "Y" and press Enter, and let's see how it fares with the added help. Post that resulting log please. You can close ProtectMyTool once AntiZeroAccess has completed.
  • 0

#23 craigrulez
    Member
  • Topic Starter
  • 28 posts
Hey Jintan:

Same thing as last time, looks like something stopped it again. Also, the services.exe is back up to around 230K when starting both normally and in Safe Mode, then after about 5-10 minutes it drops down to 36K and stays there.

Thanks!

Webroot AntiZeroAccess 0.8 Log File
Execution time: 04/12/2011 - 15:18
Host operation System: Windows Xp X86 version 5.1.2600 Service Pack 3
15:19:19 - CheckSystem - Begin to check system...
15:19:19 - OpenRootDrive - Opening system root volume and physical drive....
15:19:19 - C Root Drive: Disk number: 0 Start sector: 0x000139C5 Partition Size: 0x094EAFF8 sectors.
15:19:19 - PrevX Main driver extracted in "C:\WINDOWS\system32\drivers\ZeroAccess.sys".
15:19:19 - InstallAndStartDriver - Unable to start AntiZeroAccess driver. StartService last error: 1084
15:20:06 - StopAndRemoveDriver - AntiZeroAccess Driver is stopped and removed.
15:20:06 - StopAndRemoveDriver - File "ZeroAccess.sys" was deleted!
15:20:06 - Execution Ended!

Edited by craigrulez, 04 December 2011 - 03:24 PM.

  • 0

#24 Jintan
    Trusted Helper
  • Malware Removal
  • 904 posts
No way to protect its driver. Both times the 'error' was related to Safe Mode - I am assuming your second run this time was in Safe Mode? If so, please run it in normal mode, and post the log so the normal mode error will show.
  • 0

#25 craigrulez
    Member
  • Topic Starter
  • 28 posts
Hey Jintan:

Below is the log from running the program in normal mode with ProtectMyTool also running.

Thanks!

Webroot AntiZeroAccess 0.8 Log File
Execution time: 04/12/2011 - 15:46
Host operation System: Windows Xp X86 version 5.1.2600 Service Pack 3
15:47:07 - CheckSystem - Begin to check system...
15:47:07 - OpenRootDrive - Opening system root volume and physical drive....
15:47:07 - C Root Drive: Disk number: 0 Start sector: 0x000139C5 Partition Size: 0x094EAFF8 sectors.
15:47:07 - InstallAndStartDriver - Main driver was installed and now is running.
15:47:07 - CheckSystem - Disk class driver state is OK.
15:47:11 - StopAndRemoveDriver - AntiZeroAccess Driver is stopped and removed.
15:47:11 - Execution Ended!
  • 0
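Added example, not part of the thread and not Webroot's own code: a small Python parser for the AntiZeroAccess log format shown in posts #19, #23 and #25. It reads the timestamped stage lines, pulls out the StartService error code and the C: volume geometry, and reports whether the scan actually ran. Error 1084 is the Windows system error ERROR_NOT_SAFEBOOT_SERVICE ("This service cannot be started in Safe Mode"), which is consistent with Jintan's reading that the two failed runs were in Safe Mode. The two sample logs embedded below are copied from the posts above; the stage names and verdict strings are the example's own assumptions about the format, not documented tool behaviour.

```python
import re

# Windows system error 1084 = ERROR_NOT_SAFEBOOT_SERVICE: a driver/service that
# is not on the Safe Mode allow-list cannot be started from a Safe Mode boot.
ERROR_NOT_SAFEBOOT_SERVICE = 1084

# Sample logs copied from posts #23 and #25 of the thread.
LOG_SAFE_MODE = r"""Webroot AntiZeroAccess 0.8 Log File
Execution time: 04/12/2011 - 15:18
Host operation System: Windows Xp X86 version 5.1.2600 Service Pack 3
15:19:19 - CheckSystem - Begin to check system...
15:19:19 - OpenRootDrive - Opening system root volume and physical drive....
15:19:19 - C Root Drive: Disk number: 0 Start sector: 0x000139C5 Partition Size: 0x094EAFF8 sectors.
15:19:19 - PrevX Main driver extracted in "C:\WINDOWS\system32\drivers\ZeroAccess.sys".
15:19:19 - InstallAndStartDriver - Unable to start AntiZeroAccess driver. StartService last error: 1084
15:20:06 - StopAndRemoveDriver - AntiZeroAccess Driver is stopped and removed.
15:20:06 - StopAndRemoveDriver - File "ZeroAccess.sys" was deleted!
15:20:06 - Execution Ended!
"""

LOG_NORMAL = r"""Webroot AntiZeroAccess 0.8 Log File
Execution time: 04/12/2011 - 15:46
Host operation System: Windows Xp X86 version 5.1.2600 Service Pack 3
15:47:07 - CheckSystem - Begin to check system...
15:47:07 - OpenRootDrive - Opening system root volume and physical drive....
15:47:07 - C Root Drive: Disk number: 0 Start sector: 0x000139C5 Partition Size: 0x094EAFF8 sectors.
15:47:07 - InstallAndStartDriver - Main driver was installed and now is running.
15:47:07 - CheckSystem - Disk class driver state is OK.
15:47:11 - StopAndRemoveDriver - AntiZeroAccess Driver is stopped and removed.
15:47:11 - Execution Ended!
"""

LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}) - (.*)$")
ERR_RE = re.compile(r"last error: (\d+)")
ROOT_RE = re.compile(r"Start sector: 0x([0-9A-Fa-f]+) Partition Size: 0x([0-9A-Fa-f]+)")


def parse_log(text):
    """Return (timestamp, stage, message) for every timestamped line.

    Lines such as 'C Root Drive: ...' or 'Execution Ended!' carry no
    '<Stage> - ' prefix; they are returned with stage=None.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue  # banner lines (tool name, execution time, host OS)
        ts, rest = m.group(1), m.group(2)
        parts = rest.split(" - ", 1)
        if len(parts) == 2:
            events.append((ts, parts[0], parts[1]))
        else:
            events.append((ts, None, rest))
    return events


def classify_run(text):
    """Summarise one AntiZeroAccess run as a dict of facts taken from the log."""
    r = {"driver_started": False, "start_error": None, "safe_mode_block": False,
         "disk_driver_ok": False, "driver_file_cleaned": False,
         "root_start_sector": None, "root_sectors": None}
    for _ts, stage, msg in parse_log(text):
        if stage == "InstallAndStartDriver":
            if "now is running" in msg:
                r["driver_started"] = True
            m = ERR_RE.search(msg)
            if m:
                code = int(m.group(1))
                r["start_error"] = code
                r["safe_mode_block"] = (code == ERROR_NOT_SAFEBOOT_SERVICE)
        elif stage == "CheckSystem" and "Disk class driver state is OK" in msg:
            r["disk_driver_ok"] = True
        elif stage == "StopAndRemoveDriver" and "was deleted" in msg:
            r["driver_file_cleaned"] = True
        elif stage is None:
            m = ROOT_RE.search(msg)
            if m:  # geometry of the C: volume, useful for cross-checking an MBR dump
                r["root_start_sector"] = int(m.group(1), 16)
                r["root_sectors"] = int(m.group(2), 16)
    return r


def verdict(text):
    """One-line reading of the run: did the scan happen, and what did it see?"""
    r = classify_run(text)
    if not r["driver_started"]:
        if r["safe_mode_block"]:
            return "scan did not run: driver cannot start in Safe Mode (error 1084); rerun from a normal boot"
        return "scan did not run: driver failed to start (error %s)" % r["start_error"]
    if r["disk_driver_ok"]:
        return "scan ran: disk class driver reported OK (no ZeroAccess hook found)"
    return "scan ran: check the log for red lines"


if __name__ == "__main__":
    for name, log in (("safe mode run", LOG_SAFE_MODE), ("normal run", LOG_NORMAL)):
        print("%-14s %s" % (name + ":", verdict(log)))
```

The distinction the parser makes is the one that matters in the thread: a log whose driver never started says nothing about whether the rootkit is present, so "ZeroAccess.sys was deleted" in the failed runs is just the tool cleaning up its own extracted driver, not a removal.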


#26 Jintan
    Trusted Helper
  • Malware Removal
  • 904 posts
Okay. That almost matches a run where it did not locate the rootkit. In the display, while it ran, did you see any indication in green no ZeroAccess was found, or anything in red?
  • 0

#27 craigrulez
    Member
  • Topic Starter
  • 28 posts
At the end, in green, it stated that No ZeroAccess Rootkit was found; also at the beginning, in green, it stated Rootkit device not found.
  • 0

#28 Jintan
    Trusted Helper
  • Malware Removal
  • 904 posts
Okay, thanks. More review, since I am unsure of what method they are using, and yours is not the only thread I have with this variant. Do you have, or can you borrow, an XP install CD, and do you have access to a USB/flash/thumb drive, should we need one?
  • 0

#29 craigrulez
    Member
  • Topic Starter
  • 28 posts
Yes, I have access to a USB drive, that's no problem. The XP install CD is a little tougher though; I will see if I can get one, but I'm assuming probably not. I will let you know.

Thanks!
  • 0

#30 Jintan
    Trusted Helper
  • Malware Removal
  • 904 posts
This will not likely bring us any immediate solution, but it will likely start us on the right path for that.

You will need that USB (flash/thumb) drive.

Download http://unetbootin.so...dows-latest.exe & http://noahdfear.net.../xpud-0.9.2.iso to the desktop of your clean computer

  • Insert your USB drive
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded
  • Press Run then OK
  • Select the DiskImage option then click the browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
  • After it has completed do not choose to reboot the clean computer simply close the installer
  • Next download http://noahdfear.net...loads/driver.sh to your USB
  • Remove the USB and insert it in the infected computer
  • Boot the infected computer
  • Press F12 and choose to boot from the USB
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see driver.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh
  • Press Enter
  • After it has finished a report will be located on your USB drive named report.txt
  • Then type bash driver.sh -af
  • Press Enter
  • You will be prompted to input a filename.
  • Type the following:

    Winlogon.exe

  • Press Enter
  • If successful, the script will search for this file.
  • After it has completed the search enter the next file to be searched
  • Type the following:

    volsnap.sys

  • Press Enter
  • If successful, the script will search for this file.
  • After it has completed the search enter the next file to be searched
  • Type the following:

    explorer.exe

  • Press Enter
  • After it has completed the search enter the next file to be searched
  • Type the following:

    Userinit.exe

  • Press Enter
  • After the search is completed type Exit and press Enter.
  • After it has finished a report will be located in the USB drive as filefind.txt
  • While still in the Open Terminal, type bash query.sh
  • Press Enter
  • After it has finished a report will be located in the USB drive as RegReport.txt
  • Then type dd if=/dev/sda of=mbr.bin bs=512 count=1

    It is extremely important that the if and of statements are correctly entered.

  • Press Enter
  • After it has finished a report will be located in the USB drive as mbr.bin
  • Plug the USB back into the clean computer, zip the mbr.bin, and except for the mbr.bin file, post the contents of the report.txt, filefind.txt and RegReport.txt in your next reply.

For the mbr.bin, please email that to me as a zipped attachment.
  • 0
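The `dd if=/dev/sda of=mbr.bin bs=512 count=1` step above copies sector 0 of the disk, the Master Boot Record, which is what a bootkit of this kind overwrites. Added example, not part of the thread and not the driver.sh or query.sh scripts (which are not shown here): a Python script that inspects such an mbr.bin once it is back on the clean computer. It checks the 55 AA boot signature, lists the partition table entries, hashes the 446-byte boot code so it can be compared against a known-good dump, flags overlapping entries, and cross-checks the table against the C: start sector (0x000139C5) and size (0x094EAFF8 sectors) that the AntiZeroAccess log reports. The sample MBR it builds is constructed, with zeroed boot code and a single NTFS entry using those log values; `load_mbr` and the finding texts are the example's own.

```python
import hashlib
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446          # boot code occupies bytes 0..445
ENTRY_FORMAT = "<B3sB3sII"            # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xAA"          # bytes 510..511 of a valid MBR

# C: volume geometry as reported in the AntiZeroAccess log earlier in the thread.
LOG_C_START_SECTOR = 0x000139C5
LOG_C_SECTORS = 0x094EAFF8


def build_sample_mbr():
    """Constructed sample: zeroed boot code, one bootable NTFS (0x07) entry
    whose LBA start/size are the values from the log. Not a real dump."""
    mbr = bytearray(SECTOR_SIZE)
    entry = struct.pack(ENTRY_FORMAT, 0x80, b"\0\0\0", 0x07, b"\0\0\0",
                        LOG_C_START_SECTOR, LOG_C_SECTORS)
    mbr[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 16] = entry
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


def load_mbr(path):
    """Read an mbr.bin produced by the dd command (hypothetical helper)."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


def parse_mbr(data):
    """Decode the boot signature, boot-code hash and the four partition entries."""
    if len(data) != SECTOR_SIZE:
        raise ValueError("expected %d bytes, got %d" % (SECTOR_SIZE, len(data)))
    boot_code = data[:PARTITION_TABLE_OFFSET]
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack(ENTRY_FORMAT, data[off:off + 16])
        if ptype == 0:
            continue  # empty slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba, "sectors": count, "lba_end": lba + count - 1})
    return {"signature_ok": data[510:512] == BOOT_SIGNATURE,
            "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
            "boot_code_all_zero": not any(boot_code),
            "partitions": partitions}


def unmapped_leading_sectors(info):
    """Sectors between the MBR and the first partition that no entry covers.
    Rootkits that keep a payload outside any partition often use this gap."""
    if not info["partitions"]:
        return None
    return min(p["lba_start"] for p in info["partitions"]) - 1


def overlapping_entries(info):
    """Pairs of entry indexes whose sector ranges overlap (a malformed table)."""
    ps = info["partitions"]
    found = []
    for a in range(len(ps)):
        for b in range(a + 1, len(ps)):
            if ps[a]["lba_start"] <= ps[b]["lba_end"] and ps[b]["lba_start"] <= ps[a]["lba_end"]:
                found.append((ps[a]["index"], ps[b]["index"]))
    return found


def matches_log(info, start_sector=LOG_C_START_SECTOR, sectors=LOG_C_SECTORS):
    """True if some entry has exactly the start/size the scanner log reported for C:."""
    return any(p["lba_start"] == start_sector and p["sectors"] == sectors
               for p in info["partitions"])


def findings(info, start_sector=LOG_C_START_SECTOR, sectors=LOG_C_SECTORS):
    out = []
    if not info["signature_ok"]:
        out.append("missing 55 AA boot signature: not a valid MBR dump (wrong device or truncated read?)")
    if not info["partitions"]:
        out.append("empty partition table")
    for a, b in overlapping_entries(info):
        out.append("partition entries %d and %d overlap" % (a, b))
    if not matches_log(info, start_sector, sectors):
        out.append("no entry matches the C: geometry from the scanner log; dumped disk may not be the Windows disk")
    return out


if __name__ == "__main__":
    info = parse_mbr(build_sample_mbr())
    print("signature ok:", info["signature_ok"], " boot code sha256:", info["boot_code_sha256"])
    for p in info["partitions"]:
        print("entry %d type 0x%02X start %d sectors %d bootable %s"
              % (p["index"], p["type"], p["lba_start"], p["sectors"], p["bootable"]))
    print("unmapped sectors before first partition:", unmapped_leading_sectors(info))
    print("findings:", findings(info) or "none")
```

Two things to read from the output on a real dump: the boot-code hash only means something against a reference (the same model's clean image, or a second dump after cleanup), and a geometry mismatch usually means `/dev/sda` was not the Windows disk rather than tampering, which is exactly why the xPUD steps have you confirm which of sda and sdb is the hard drive first.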
