Inactive Infected by Rootkit.ZeroAccess and remnants remain in system

[Broni]

Uninstall:
EasyCleaner
AML Free Registry Cleaner 4.23
Wise Registry Cleaner 5.9.1
TweakNow RegCleaner 2011
Eusing Free Registry Cleaner
Registry cleaners/optimizers are not recommended for several reasons:

• Registry cleaners are extremely powerful applications that can damage the registry by using aggressive cleaning routines and cause your computer to become unbootable.
  
  The Windows registry is a central repository (database) for storing configuration data, user settings and machine-dependent settings, and options for the operating system. It contains information and settings for all hardware, software, users, and preferences. Whenever a user makes changes to settings, file associations, system policies, or installed software, the changes are reflected and stored in this repository. The registry is a crucial component because it is where Windows "remembers" all this information, how it works together, how Windows boots the system and what files it uses when it does. The registry is also a vulnerable subsystem, in that relatively small changes done incorrectly can render the system inoperable. For a more detailed explanation, read Understanding The Registry.
  
• Not all registry cleaners are created equal. There are a number of them available but they do not all work entirely the same way. Each vendor uses different criteria as to what constitutes a "bad entry". One cleaner may find entries on your system that will not cause problems when removed, another may not find the same entries, and still another may want to remove entries required for a program to work.
  
• Not all registry cleaners create a backup of the registry before making changes. If the changes prevent the system from booting up, then there is no backup available to restore it in order to regain functionality. A backup of the registry is essential BEFORE making any changes to the registry.
  
• Improperly removing registry entries can hamper malware disinfection and make the removal process more difficult if your computer becomes infected. For example, removing malware related registry entries before the infection is properly identified can contribute to system instability and even make the malware undetectable to removal tools.
  
• The usefulness of cleaning the registry is highly overrated and can be dangerous. In most cases, using a cleaner to remove obsolete, invalid, and erroneous entries does not affect system performance but it can result in "unpredictable results".

Unless you have a particular problem that requires a registry edit to correct it, I would suggest you leave the registry alone. Using registry cleaning tools unnecessarily or incorrectly could lead to disastrous effects on your operating system such as preventing it from ever starting again. For routine use, the benefits to your computer are negligible while the potential risks are great.

• Ed Bott's Webog: Why I don't use registry cleaners
• Do I need a Registry Cleaner?

====================================================================

1. Update your Java version here: http://www.java.com/en/download/installed.jsp

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

2. Now, we need to remove old Java version and its remnants...

Download JavaRa to your desktop and unzip it.

• Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
• Accept any prompts.
• Do NOT post JavaRa log.

====================================================================

Does Norton report any file being involved?

 

[jdeeganjr]

Removed Registry Software and Updated JAVA

I removed (uninstalled) all of the registry software that you identified in your last post. I also removed the earlier versions of JAVA and installed the latest version.

It was very diificult to make the change to JAVA. Don't know if it was the Rootkit.ZeroAccess virus interacting with my system or if it was something else. The older version was removed without incident by JavaRa. The new version was very difficult to install - I kept getting an error 1606 (network communication failure). I finally resolved the problem and now JAVA Version 6, Update 31 is up and running on my system. My SEP did not report any suspicious behavior about this update or the updating process.

I continue to have Rootkit.ZeroAccess communication attempts. Every 1 to 3 minutes the rootkit attempts to "call home" or respond to calls from "home."

SEP says that the origin of this traffic is the kernel, specifically the file ntoskrnl.exe. I checked the specifications on this file in my infected computer. The size of the file is 2,148,864 with date stamp 10/25/2011, and time 9:37. The same file on my non-infected computer has size 2,192,768, with date stamp 10/25/2011, and time 9:33. Is this a clue about my Rootki.ZeroAccess infection?

Standing by for further guidance.

 

[Broni]

Re-run OTL.

Use the following settings:

• Click the NONE button
• Under Custom Scans/Fixes paste:

/md5start
ntoskrnl.exe
/md5stop

• Finally hit Run Scan and wait for the log to open.
• Please post the content of the log into your next reply.

 

[jdeeganjr]

Results From the Special OTL Scan

Here's the OTL log as requested:

OTL logfile created on: 3/12/2012 9:53:18 PM - Run 2
OTL by OldTimer - Version 3.2.36.3 Folder = C:\Documents and Settings\jdeegan\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.38 Gb Available Physical Memory | 69.02% Memory free
4.85 Gb Paging File | 4.36 Gb Available in Paging File | 90.04% Paging File free
Paging file location(s): D:\pagefile.sys 3067 4096 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 114.48 Gb Total Space | 82.77 Gb Free Space | 72.30% Space Free | Partition Type: NTFS
Drive D: | 114.49 Gb Total Space | 43.63 Gb Free Space | 38.11% Space Free | Partition Type: NTFS
Drive F: | 434.05 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: DEEGAN | User Name: jdeegan | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days

========== Custom Scans ==========



< MD5 for: NTOSKRNL.EXE >
[2002/08/29 08:00:00 | 010,158,890 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp1.cab:ntoskrnl.exe
[2004/08/04 02:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:ntoskrnl.exe
[2008/04/14 05:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:ntoskrnl.exe
[2004/08/04 02:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:ntoskrnl.exe
[2008/04/14 05:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:ntoskrnl.exe
[2009/12/09 00:52:36 | 002,189,312 | ---- | M] (Microsoft Corporation) MD5=05BE3D9A71972223AFF6A3C823BA51B1 -- C:\WINDOWS\$hf_mig$\KB977165\SP3QFE\ntoskrnl.exe
[2008/04/14 00:57:54 | 002,188,928 | ---- | M] (Microsoft Corporation) MD5=0C89243C7C3EE199B96FCC16990E0679 -- C:\WINDOWS\ServicePackFiles\i386\ntoskrnl.exe
[2008/08/14 16:11:10 | 002,189,184 | ---- | M] (Microsoft Corporation) MD5=31914172342BFF330063F343AC6958FE -- C:\WINDOWS\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
[2011/10/25 09:37:08 | 002,148,864 | ---- | M] (Microsoft Corporation) MD5=3B663B9B193D7E1DE39A466020F1FD91 -- C:\WINDOWS\system32\ntoskrnl.exe
[2007/02/28 05:55:14 | 002,182,144 | ---- | M] (Microsoft Corporation) MD5=5A5C8DB4AA962C714C8371FBDF189FC9 -- C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
[2011/10/25 09:33:08 | 002,192,768 | ---- | M] (Microsoft Corporation) MD5=892CDDFF7EF96951B9B0B50974070E47 -- C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
[2011/10/25 09:33:08 | 002,192,768 | ---- | M] (Microsoft Corporation) MD5=892CDDFF7EF96951B9B0B50974070E47 -- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
[2010/04/27 09:50:44 | 002,190,080 | ---- | M] (Microsoft Corporation) MD5=A2ABBEC40CDB57454645D06B7EBD22F5 -- C:\WINDOWS\$hf_mig$\KB981852\SP3QFE\ntoskrnl.exe
[2010/12/09 09:43:18 | 002,192,768 | ---- | M] (Microsoft Corporation) MD5=A531BBD3DE13121C1380ED7DC99082DB -- C:\WINDOWS\$hf_mig$\KB2393802\SP3QFE\ntoskrnl.exe
[2006/12/19 12:51:12 | 002,182,016 | ---- | M] (Microsoft Corporation) MD5=CEF243F6DEFD20BE4ADDE26C7ECACB54 -- C:\WINDOWS\$hf_mig$\KB929338\SP2QFE\ntoskrnl.exe
[2010/02/16 08:52:12 | 002,190,080 | ---- | M] (Microsoft Corporation) MD5=E1F653A542449D54FA2D27463D99B6B6 -- C:\WINDOWS\$hf_mig$\KB979683\SP3QFE\ntoskrnl.exe
[2009/02/07 19:35:26 | 002,189,184 | ---- | M] (Microsoft Corporation) MD5=EFE8EACE83EAAD5849A7A548FB75B584 -- C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\ntoskrnl.exe
[2011/10/25 09:34:49 | 002,192,768 | ---- | M] (Microsoft Corporation) MD5=F512C662874D7545E5BD8005E6800A44 -- C:\WINDOWS\$hf_mig$\KB2633171\SP3QFE\ntoskrnl.exe
[2009/08/04 09:56:10 | 002,189,312 | ---- | M] (Microsoft Corporation) MD5=FDE779EA1A564EBFE16F4E0F82B61BAD -- C:\WINDOWS\$hf_mig$\KB971486\SP3QFE\ntoskrnl.exe

< End of report >

 

[Broni]

All looks legit.

Where exactly Norton does say anything about ZeroAccess Rootkit?

 

[jdeeganjr]

SEP Doesn't Say Anything About ZeroAccess

Symantec Endpoint Protection (SEP) doesn't identify the presence of Rootkit.ZeroAccess. The Network Threat Protection Log that it generates shows that "something" is attempting to communicate with the internet - both outgoing and incoming. SEP notes that the source of the communication (unless I am readoing the Log incorrectly) is ntoskrnl.exe. Here is a very brief portion of the log from yesterday. Today's log is exactly the same. Note that both outgoing and incoming communications are blocked by SEP.

183781 3/11/2012 4:11:04 PM Blocked 10 Incoming UDP 192.168.1.3 00-02-8A-2B-B5-6B 138 192.168.1.255 FF-FF-FF-FF-FF-FF 138 C:\WINDOWS\system32\ntoskrnl.exe jdeegan DEEGAN Default 3 3/11/2012 4:10:03 PM 3/11/2012 4:10:09 PM GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-UDP
183782 3/11/2012 4:11:04 PM Blocked 10 Incoming UDP 192.168.1.3 00-02-8A-2B-B5-6B 137 192.168.1.255 FF-FF-FF-FF-FF-FF 137 C:\WINDOWS\system32\ntoskrnl.exe jdeegan DEEGAN Default 12 3/11/2012 4:10:03 PM 3/11/2012 4:10:14 PM GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-UDP
183783 3/11/2012 4:11:43 PM Blocked 10 Outgoing UDP 192.168.1.255 FF-FF-FF-FF-FF-FF 138 192.168.1.2 00-1E-2A-47-63-5C 138 C:\WINDOWS\system32\ntoskrnl.exe jdeegan DEEGAN Default 4 3/11/2012 4:10:42 PM 3/11/2012 4:10:53 PM GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-UDP
183784 3/11/2012 4:11:43 PM Blocked 10 Incoming UDP 192.168.1.2 00-1E-2A-47-63-5C 137 192.168.1.255 FF-FF-FF-FF-FF-FF 137 C:\WINDOWS\system32\ntoskrnl.exe jdeegan DEEGAN Default 9 3/11/2012 4:10:42 PM 3/11/2012 4:10:53 PM GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-UDP
183785 3/11/2012 4:13:57 PM Blocked 10 Outgoing UDP 192.168.1.255 FF-FF-FF-FF-FF-FF 138 192.168.1.2 00-1E-2A-47-63-5C 138 C:\WINDOWS\system32\ntoskrnl.exe jdeegan DEEGAN Default 1 3/11/2012 4:12:56 PM 3/11/2012 4:12:56 PM GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-UDP
183786 3/11/2012 4:14:31 PM Blocked 10 Incoming UDP 192.168.1.3 00-02-8A-2B-B5-6B 138 192.168.1.255 FF-FF-FF-FF-FF-FF 138 C:\WINDOWS\system32\ntoskrnl.exe jdeegan DEEGAN Default 1 3/11/2012 4:13:29 PM 3/11/2012 4:13:29 PM GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-UDP

 

[Broni]

To me your computer is totally clean.
You may want to present the above log at Norton's forum and ask for its meaning.

 

[jdeeganjr]

What About the Hooked References?

Reported by GMER in the 03/11/2012 scan (only partial results):


SSDT 8A447428 ZwAlertResumeThread
SSDT 899A0C20 ZwAlertThread
SSDT 8A452358 ZwAllocateVirtualMemory
SSDT 8A3D4388 ZwConnectPort
SSDT 8A450A58 ZwCreateMutant
SSDT 8A56B008 ZwCreateThread
SSDT 8A44B978 ZwFreeVirtualMemory
SSDT 8A603728 ZwImpersonateAnonymousToken
SSDT 8A45DE78 ZwImpersonateThread

This is okay?

 

[Broni]

Yes.......

 

[jdeeganjr]

Any Cleanup Instructions?

Is there anything I have yet to do to my system to clean-up the tools I have used? For example, OTL seems to still be present and I noticed that some of the files in the root of my C:\ directory seem to be remnants of previous actions. Specifically, I note the presence of cmldr and boot.ini seems to be a new version.

Thanks once again for your assistance.

 

[Broni]

Your computer is clean

1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point, using following OTL script:

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following:

:OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[emptyjava]
[CLEARALLRESTOREPOINTS]
[Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• Post resulting log.

2. Now, we'll remove all tools, we used during our cleaning process

Clean up with OTL:

• Double-click OTL.exe to start the program.
• Close all other programs apart from OTL as this step will require a reboot
• On the OTL main screen, press the CLEANUP button
• Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

3. Make sure, Windows Updates are current.

4. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

7. Run Temporary File Cleaner (TFC) weekly.

8. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

10. (Windows XP only) Run defrag at your convenience.

11. When installing\updating ANY program, make sure you always select "Custom " installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click "Next" button without looking at any given page.

12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

13. Please, let me know, how your computer is doing.

 

[jdeeganjr]

Cleanup and Postscript

I had to run OTL in Safe mode to get it to complete the custom scan. The program hung in normal mode - it never could complete its attempt to kill all processes. In any event, here's the OTL log:

All processes killed
========== OTL ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator.DEEGAN
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: jdeegan
->Temp folder emptied: 14015466 bytes
->Temporary Internet Files folder emptied: 1343890 bytes
->Java cache emptied: 2027 bytes
->Flash cache emptied: 1236 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 573923 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 159086596 bytes

Total Files Cleaned = 167.00 mb


[EMPTYFLASH]

User: Administrator.DEEGAN

User: All Users

User: Default User
->Flash cache emptied: 0 bytes

User: jdeegan
->Flash cache emptied: 0 bytes

User: LocalService

User: NetworkService

Total Flash Files Cleaned = 0.00 mb


[EMPTYJAVA]

User: Administrator.DEEGAN

User: All Users

User: Default User

User: jdeegan
->Java cache emptied: 0 bytes

User: LocalService

User: NetworkService

Total Java Files Cleaned = 0.00 mb

Restore points cleared and new OTL Restore Point set!

OTL by OldTimer - Version 3.2.36.3 log created on 03142012_165339

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

********************************************************

Postscript:

My computer continues to exhibit suspect behavior. It periodically attempts to communicate over the internet, both sending and receiving. Thus far, I believe (and hope) my Symantec Endpoint Protection (SEP) is blocking this traffic.

I've contacted Symantec about this issue and hope to eventually kill this communication.

I can't help but wonder how many other computers have been infected by Rootkit.ZeroAcccess and, even though they may appear clean, are nonetheless using stealth techniques to communicate discretely across the internet. I trust that others who may read this Post will exercise due diligence in attempting to block such communications from residual code implanted on their computers by this rootkit or code that it downloaded.

I also hope that a tool will be developed to remove the malicious code that has been hooked into legitimate system processes and is able to hide itself from current detection methods.

Thanks for your help.

 

[Broni]

Let me know what Norton will have to say.

I don't see anything malicious.