Resolved ZeroAccess virus

Status
Not open for further replies.
S

subvision

Posts: 9   +0
I recently found a topic about a zeroaccess virus, but I couldn't post, because the thread has been marked as inactive.

The user has made a scan with farbars recovery scan tool (frst). This was on a windows system. The scan showed a x: partition flaged as (boot) and (fixed) with a size of 0,3 gb. 300mb.

On this partition is the virus to be located. I have the same problem and because this partition boots first, it has full control over the operating system. In my case, it was windows7.

Most partition programs even don't see this x: partition, and it is not hidden. Maybe this is because it's in use, I don't know. The trojan was suddenly activated on my system and I couldn't get any more updates for my antivirus program (avast free antivirus). This could be avoided by deactivating the windows scripting host with xp-antispy.

Then it became worse. I got a BSOD with the message "System code has been changed" and at this point, I was sure to have an active trojan on the system.

The reason why I post all this is, that I also am a victim of this kind of trojan and it is almost impossible to get rid of partition x:. Every time I deleted my hd entirely and created my partitions from scratch with parted magic, the trojan partition was also reinstalled when I installed windows 7 again. (64 bit)

I don't know where the installation routine is hidden, maybe the bios, maybe the firmware of my devices, hell, it could also be installed over my cracked and hacked router.

I don't know what to do.

I installed linux mint 13 a few days ago, but because this trojan partition is so tricky, I don't know if I am still infected neither I do know how to locate partition x: with the tools I have for use. That are parted magic and gparted. Both don't "see" a partition x:.

Also if the trojan on partition x: can't change code on a windows installation, because there is none, it could still be used as a keylogger or some kind of that.

I don't feel safe and I hope you guys don't ever meet this kind of hack.

Greetings,

subvision

At last, if someone knows a program like frst that doesn't needs a windows installed, please feel free to post it here. This is needed.
 
Hello, and welcome to TechSpot.


rulesx.png
Please see here for the board rules and other FAQ.

Please feel free to introduce yourself, after you follow the steps below to get started.

Information
  • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
  • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
  • If you have already asked for help somewhere, please post the link to the topic you were helped.
  • We try our best to reply quickly, but for any reason we do not reply in two days, please reply to this topic with the word BUMP!
  • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.


Farbar Recovery Scan Tool

Download Farbar Recovery Scan Tool and save it to a flash drive.


Depending on your type of system, you will have to select 32-bit or 64-bit accordingly. How do I tell?

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account an click Next.
On the System Recovery Options menu you will get the following options:
    • Startup Repair
      System Restore
      Windows Complete PC Restore
      Windows Memory Diagnostic Tool
      Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there
  • Press Scan button. It will do its scan and save a log on your flash drive.
  • Close out of the message after that, then type in the text services.exe in to the "Search:" text box. Then, press the Search file(s) button, just as below:
    frst2.jpg

    When done searching, FRST makes a log, Search.txt, on the C:\ drive or on your flash drive.
  • Type exit in the Command Prompt window and reboot the computer normally
  • FRST will make a log (FRST.txt) on the flash drive and also the search.txt logfile, please copy and paste the logs in your reply.
 
I can't use farbar recovery scan tool any more, because I have not windows installed any more. Maybe you haven't read my post fully or I wasn't clear enough.

I have linux mint 13 installed, and I am looking for a substitute for frst, that I can use under linux mint. Frst won't work without an installed windows.
 
It appeared you were talking about the Windows being installed and something about trojan partition being involved still...my apologies for confusion.

Try this please. You will need a USB drive with no less than 64 mb of space. Also, be best to attempt to make this from a Windows-based system, if you can...

  • Insert your USB drive. Caution: The next step will remove all information from your USB device.
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Download xPUD 0.9.2 iso, saving the file to your Desktop.
  • Download UNetbootin and save it to your Desktop as well.
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded.
  • Press Run then OK. Note: If you receive the message "You must select a distribution to load" just follow the instructions/image below
  • Select the Diskimage Option then click the Browse Button located on the right side of the textbox field.


    SelectDiskImage.gif
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
  • After it has completed do not choose to reboot the clean computer simply close the installer
  • Next download driver.sh to your USB
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer
  • Press F12 and choose to boot from the USB
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click
    on the folder that represents your USB drive (sdb1 ?) If it is not
    there remove the USB device for 5 seconds then reinsert.
  • Confirm that you see driver.sh that you downloaded there
  • Click Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh and press Enter
  • After it has finished a report will be located on your USB device named report.txt
  • Now type bash driver.sh -af and press Enter
  • You will be prompted to input a file name. Please type the following then press Enter:

    Winlogon.exe
  • After the search is completed please type the following then press Enter:

    volsnap.sys
  • After the search is completed please type the following then press Enter:

    explorer.exe
  • After the search is completed please type the following then press Enter:

    Userinit.exe
  • After the search is complete please type Exit and press Enter
  • A report will be located in the USB drive as filefind.txt
  • Now please type the following and press Enter. Makes sure there is a space between the different colors.

    dd if=/dev/sda of=mbr.bin bs=512 count=1
  • After it has finished (within just a few seconds) a file will be located on your USB drive named mbr.bin.
  • Remove the USB drive, insert it back in your working computer
  • Navigate to mbr.bin, zip the file, and attach it to your next reply
  • Copy and paste the contents of report.txt and filefind.txt in your reply
 
I have no working windows system at hand. Any other clues? Maybe for a linux system? Or is this board only for windows users? Then you have my apologies, I didn't knew that.

What I'm looking for, is a tool like frst, that I can use with my linux mint 13 system and find (and probably delete) the infected x: partition.

Within the linux os I have no chance of seeking and destroying the x: partition, cos the os only recognizes partitions that have been hanged in and are mounted.

I have to say, that I am sure about the x: partition. There the trojan is to be found. This method of infecting systems is not common, but at least I have found one other user on this board with the same problem. I can seek and post the thread, if you wish.
 
All partitioning programs you mentioned just see the linux partitions, that are mounted. What I need is a program on a cd, like gparted or parted magic, that can see partitions flaged with (boot) and (fixed). Boot, in this case, means that the partition is started first, or am I wrong? Well, this is, what I need. Or maybe a tutorial how I can make the boot-partition x: visible and accessible to me.

Btw, my linux mint 13 is based on ubuntu 12.04 lts.
 
Well that sucks.

How about a DBAN (boot-n-nuke)? Wipe it all out, reinstall Windows and Linux and go from there?

You can burn ISOs in Linux.
 
First, thanks for your support at all. I used the program killdisk to wipe my whole hd and then I installed windows on it. Same procedure, when I installed linux mint 13. But when the trojan partition installed itself with windows installed, I am not sure it is there with linux installed. The problem that I have is, that I simply can't spot the trojan partition with linux installed. Both gparted and parted magic don't see the trojan x: partition. I found this out when I had windows 7 installed. With help of farbar's recovery and scan tool (frst) I could see the trojan partition was there.

Now I have linux installed, and frst won't work. It is not enough to wipe the hd. The trojan partition installed itself, when I installed windows 7 and it could be there in this moment, with linux installed.

I simply can't see the x: partition. That's the problem I have. I have no problems wiping my hd. Both killdisk and parted magic are options to successfully wipe the hd fully.
 
The whole point of DBAN is to completely wipe the entire drive and sanitize it.

Anyway, the Ultimate Boot CD should be able to suffice. See the partition management section after you download the setup files for Linux burning. You'll need a blank CD, of course.

http://www.ultimatebootcd.com/

Let me know how you work it out. I know of quite a few more resources, but let's take this one at a time. I have no tutorials for any of this, so I apologize if it seems I'm putting this in your hands. I'll be here though every step of the way. :)
 
Thanks for your help. I have burned the *.iso file to disk, but I will be able to take a look at it tomorrow. Here in germany it is terribly late and I have other things to do, before I go to sleep. But thanks for your help, this is really appreciated. I will report.
 
OK, with the partitioning tools on the cd I was able to not only locate the (ntfs) x: partition, but also to delete it. But I'm pretty sure it will install itself again and take 300 mb from my home partition.

At this point, I don't know, what to do, especially because I don't know how the x: partition gets installed. I fear, to just delete the partition is not enough.

At least, I have now a tool at hand with which I am able to say, the x: partition is there, even with linux mint installed. I guess, the trojan doesn't have all of its capabilities, but it can still serve as a keylogger, or some kind of this.

As long as I don't know, how the partition x: gets installed, I am clueless. At least I can spot it now and tell, it is there. But this is all, that I can do.
 
It got installed by the TDL rootkit, which does it by itself by infection on a Windows system. Once the partition is deleted, the infection is diminished.

If you want to install Windows, I can very well run some verification on it.
 
The trojan partition installed itself, after I had comepletely wiped my hd. Then I installed linux mint 13. The source of the infection must be another. I just checked my partitions, and as far as I can tell, I am free of any infection. I converted the 300 mb x: partition into an empty fat16 one, and I am trojan-free. At least I believe so, as I don't have found a 300 mb ntfs x: partition at the moment.

I have the feeling the trojan partition is not installed automatically, but manual. So if "my hacker" wishes me to be infected, it will be that way.

No other way, but to check my partitions now and then, sometimes.

I just read something about the TDL rootkit, and I don't think my infection is the same, as I have said at the beginning of this post. Maybe they found another way to spread the rootkit.
 
You seem to want to compromise my expertise so there's no point in arguing. Shall I mark this one resolved?
 
No, I believe it is TDSS. But the way, my system was infected was not due to a windows installation. I agree with you that it is TDSS. But I completely wiped my hd before installing linux mint 13 and the trojan partition was installed, regardless of the os installed.

I thank you for your support, DragonMaster Jay. You helped me a lot. Thank you.

You can mark this thread as solved, if you wish. If I have problems again, I can open another thread again and I hope, I will get the same help then as I got this time.
 
What I think has happened here, is that the TDSS rootkit has indeed installed itself via exploit on the Windows system. Problem is, it installs itself on the lower level portions of the disk, such as the MBR or boot record. Installing itself as a partition had to happen while on the Windows system, because that is how the exploit works.

Here is the writeup for the MBR portion: http://securityresponse.symantec.com/security_response/writeup.jsp?docid=2010-082613-5957-99&tabid=2

http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan:DOS/Alureon.A

Trojan:DOS/Alureon.A is the detection for a variant of the Alureon malware family that infects the Master Boot Record (MBR). It attempts to decrypt and execute the contents of a file named "ldr16".

The file is stored on the encrypted virtual file system (VFS) created by Trojan:Win32/Alureon.DX.
Click to expand...

There are no current writeups of partition infections of TDSS because it's rather new. My writeup: http://secureconnexion.wordpress.com/2012/09/19/new-tdl4-variant-affecting-government-isps-etc/


Topic resolved.


Personal Tips on Preventing Malware

See this page for more info about malware and prevention
 
Status
Not open for further replies.

Similar threads

M
Virus warning popup
Replies
1
Views
539
Mark Fuller
M
dcovalencia
Solved Downloaded a .exe file from a copy of a website
Replies
23
Views
3K
Broni
Broni
A
Pirated Windows installer found to contain crypto-hijacker, exploit EFI partition
Replies
11
Views
700
AndreV
A

Latest posts

Back