
A funny case I got recently..

Discussion in 'Off Topic' started by Stefeman, Feb 14, 2013.

  1. Stefeman

    Stefeman Head Administrator Staff Member

    Since I have a 1-week pause from work because of college, I kindly accepted a case where I am to clean an infected computer.

    I have two ways to solve it:

    1. Delete everything and re-install the OS, then re-install and re-configure all applications and services (no way I can do this in a week).
    2. Just remove the "infection" without loss of any current data.

    Well, the catch is here:

    I believe that the computer is infected by the following rootkits:

    Trojan.Zeroaccess
    Trojan.Zeroaccess.C

    And who knows what more there might be..

    The issue is this:

    While investigating more into the infections I found out this:

    - They both run on ring0 (driver level).
    - It can fucking update itself.
    - Can/does download more unknown stuff.
    - Opens several backdoors to a botnet server if there is internet access.
    - Can also save itself to the boot sector.
    - Is able to achieve the above functions silently, as it infects a system driver that acts as a rootkit hiding all of its components on the computer.
    - Creates an encrypted hidden volume in the computer's file system where it stores all of its components and any other malicious software that it downloads.

  2. Raised in Hell

    Raised in Hell Senior Member

    Comodo or AVG?
     
  3. JavCube

    JavCube MG Donor

    Just format that thing...

    It's like watching an Alien movie as I can see.
     
  4. davzee

    davzee

    Viruses like that are hard to get rid of; either post a thread in a forum like techsupportforum.com or bleepingcomputer.com and let one of their wizards help you with it, or just bite the bullet and format.

    I had a nasty trojan a while back that completely fucked my computer: multiple error messages on start up, all my shortcuts + folders disappeared without a trace (luckily not deleted), I couldn't even open my anti-virus lol, had to boot in safe mode to use the net... so I posted a thread in one of their forums as a last resort before formatting and losing everything, and they fixed it thankfully, geniuses. Can't remember the whole process but it was a combination of HijackThis, Malwarebytes, ComboFix and something else.
     
  5. erik

    erik MG Donor

    I have seen this before...

    ZeroAccess is actually considered Crimeware, which makes its signature by being
    - hard or impossible to detect w/ antivirus software
    - hard or impossible to remove w/ antivirus software

    It frequently comes from PUPs, or potentially unwanted programs.

    BleepingComputer.com's AdwCleaner 2.009 (I THINK that is the newest version) cleans up PUPs.

    Malwarebytes' Anti-Malware should lock down the ZeroAccess.(version) Crimeware. You then need a stringent utility like Norton Power Eraser to do the final removal.

    Hope this helps... Those are the ones I used to get rid of it...
     
  6. longjohn

    longjohn Member

    You can easily reformat the PC and re-install all the applications within a few days or less. It largely depends on how many applications the computer has, or if any important data might be lost.

    1. Reformatting should take you under an hour (depends on OS).
    2. Write down all the application names; these can be downloaded, or he may have the original copies (or backups).
    3. Windows Update will take you a few hours if not more.
    4. He can use AVG antivirus (it's free) or get NOD32, and install Comodo firewall.

    This process should take you 3 days tops.
     
  7. WeeJocky

    WeeJocky Game Server Moderator

    I've dealt with a few bad attacks in the last couple of years (mostly internet-ignorant friends who open and run anything that's thrown at them).

    My normal method is to roll back the system a couple of days if possible, do a full scan with Windows Defender, Malwarebytes, Spybot - Search & Destroy, (HijackThis if there is a browser issue and you know what to look for) then AVG (and McAfee if I have time/feel the need) in that order, and rescan with Malwarebytes after a restart just to check. That routine hasn't failed me yet, although maybe I've just been lucky :P.

    Oh and make a restore point after you are done.
     
  8. McDonut

    McDonut MG Donor

    3 ways; normally if I've got 1 full day I'll do all 3 and get away with a more or less working PC:
    1. Run a Linux live CD, preferably Ubuntu, get the Avast free trial and try to clean that way.
    2. Get the latest version of Stinger and RootkitRemover from McAfee, copy them onto 2 empty thumb drives.
    2a. Boot into safe mode, run Stinger and RootkitRemover before rebooting and installing AVG to scan through.
    2b. Boot into the Linux live CD and run Stinger and RootkitRemover via WINE, if you want to be doubly sure they stay removed.
    3. Go to portableapps.com/apps and get ClamWin Portable; despite being free, it manages to settle some of the tougher cases I've had before.

    Lastly, from the same website, get Process Hacker Portable; it's way better than the usual task manager.

    Make sure you use a partition manager to unhide that hidden partition, or in Linux, use GParted to delete it first though.
     
  9. Stefeman

    Stefeman Head Administrator Staff Member

    Yeah, I reformatted the whole computer this morning.

    I just have to re-install and re-configure tons of stuff.
     
  10. MarksmanR

    MarksmanR MG Donor

    I like making 100% realistic photos of landscapes of alien planets by typing out the code in notepad then saving it as a .jpg
     
  11. marvel

    marvel Head Administrator Staff Member

    There's only one option with an infected or hacked computer: format.

    Even if you clean the infection or get rid of all the hacks/backdoors you'll never be 100% sure if there's still something on it, so you still can't risk doing things like online banking or any other sensitive stuff.

    Once a system is compromised you can never trust it again unless you re-format.
     
  12. erik

    erik MG Donor

    You're right. Here I am talking about my personal combo of products that work for me, and how to remove certain things, but I suppose that's only good enough to get you to the Data Recovery / Data Backup stage.

    EVEN THEN it's still risky, as if you reformat & use that backed-up info... you could reinfect your system.

    I change my mind; I agree - reformat.

    Someone once said something to the effect of (watch me butcher this quote / idea...) "Just because your software caught all the detections and just because you think they're all gone, doesn't mean they are! We only know as much as the hackers publish at a time... if that."

    It's true!
     
  13. erik

    erik MG Donor

    TrendSecure's HijackThis (the HJT logs they request are from this program),

    ComboFix,

    and other select utilities are VERY STRINGENT AND ABRASIVE: they really mean it when they say "do NOT use unless instructed to." I just felt I should mention that since they can both perform irreparable damage if used wrong.

    Davzee mentioned some GREAT SITES!

    - bleepingcomputer.com (trusted site for security utilities)
    - techsupportforum.com (I do not know that one)

    Try vistax64.com (which is now sevenforums.com). They're VERY VERY elite / well-managed and moderated forums. Brink (Sean) runs the place. Good stuff!

    Also check http://www.howtogeek.com/ <----- This site is AMAZING!