help with win32:zeroot-b

Hi, I need help with this rootkit, please.
Avast scan at startup did not detect it. Only AswMBR found it.
I’ve also made a rootkit scan with Spybot 2 (which I installed just for a scan and then uninstalled), and it didn’t find zeroot-b, but it did alert me of a MBR-physicaldrive0.

Here are the logs of Hijackthis, Adwcleaner, Mbam and aswMBR.

Thank you very much for your kind help.

Hey, and welcome to the forum. Please attach the OTL scan log too, from this guide.

http://forum.avast.com/index.php?topic=53253.0

here are the OTL and TDSSKiller logs.

Thanks again

Hey here are the logs of spybot and superantispyware, don’t know if they can be of any use.

Wish you a Merry Christmas in the meanwhile!

Hey here are the logs of spybot and superantispyware, don't know if they can be of any use.
Spybot...... absolutely nada
[b]Cons[/b] Extremely poor detection of malware. Extremely poor removal of detected malware. Even worse removal of rootkits in particular. Many user interface elements significantly awkward.
[b]Bottom Line[/b] Spybot was one of the first antispyware tools ever. It's been dormant for a while. Now Spybot - Search & Destroy 2.0 promises to destroy "spyware, malware, adware and other malicious software.[b]" In testing, it proved almost 100 percent ineffective[/b].
http://www.pcmag.com/article2/0,2817,2412372,00.asp

Malware experts are notified…be patient

No sign of ZeroAccess there. I see that you have run ComboFix… Could you attach that log?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:OTL
O2 - BHO: (no name) - {1C67BFBC-BB54-4EE2-A3E8-0AA6EFEE5715} - No CLSID value found.
O3 - HKU\S-1-5-21-1733644386-987702636-2351089283-1006\..\Toolbar\ShellBrowser: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - No CLSID value found.
O3 - HKU\S-1-5-21-1733644386-987702636-2351089283-1006\..\Toolbar\ShellBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
O3 - HKU\S-1-5-21-1733644386-987702636-2351089283-1006\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-1733644386-987702636-2351089283-1006\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O3 - HKU\S-1-5-21-1733644386-987702636-2351089283-1006\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
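The O2/O3 lines in the fix above are Browser Helper Object and Internet Explorer toolbar registrations whose CLSID no longer resolves under HKCR\CLSID, which is why OTL prints "No CLSID value found"; the :Commands section then resets the hosts file, empties the temp folders, creates a restore point and reboots. The PowerShell below is an added example, not OTL's code and not part of this thread, that performs the same orphan check by hand and lists any hosts entries other than the localhost line, so you can see what a fix like this is acting on before running it. It assumes PowerShell 2.0 or later, the standard IE registry layout, an elevated console, and that you review the output before removing anything; the function names, the registry path list and the GUID pattern are my own.

```powershell
# Added example, not from the thread. Lists IE BHOs and toolbar entries whose
# CLSID is not registered under HKCR\CLSID (OTL's "No CLSID value found"),
# and shows non-default hosts entries. Assumes PowerShell 2.0+ and an
# elevated console; nothing here deletes anything.

$BhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$ToolbarKeys = @(
    'HKCU:\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser',
    'HKCU:\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser'
)
$GuidPattern = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

function Resolve-Clsid {
    # Returns the DLL a CLSID points at, or $null when HKCR\CLSID\{guid} is missing.
    param([string]$Guid)
    $clsid = "Registry::HKEY_CLASSES_ROOT\CLSID\$Guid"
    if (-not (Test-Path -LiteralPath $clsid)) { return $null }
    $server = Get-ItemProperty -LiteralPath "$clsid\InprocServer32" -ErrorAction SilentlyContinue
    if ($server -and $server.'(default)') { return $server.'(default)' }
    return '(CLSID registered, no InprocServer32)'
}

function Get-IeAddonStatus {
    # One object per BHO subkey (OTL's O2 lines) and per GUID-named toolbar value (O3 lines).
    foreach ($key in $BhoKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        foreach ($sub in Get-ChildItem -LiteralPath $key) {
            $guid = $sub.PSChildName
            $dll  = Resolve-Clsid $guid
            New-Object PSObject -Property @{
                Type = 'O2 BHO'; Location = $key; Guid = $guid
                Target = $dll; Orphan = ($dll -eq $null)
            }
        }
    }
    foreach ($key in $ToolbarKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $names = (Get-Item -LiteralPath $key).GetValueNames() | Where-Object { $_ -match $GuidPattern }
        foreach ($guid in $names) {
            $dll = Resolve-Clsid $guid
            New-Object PSObject -Property @{
                Type = 'O3 Toolbar'; Location = $key; Guid = $guid
                Target = $dll; Orphan = ($dll -eq $null)
            }
        }
    }
}

function Get-HostsOverride {
    # Everything in hosts that is not a comment and not the plain localhost line;
    # this is what OTL's [resethosts] would wipe.
    $hosts = Join-Path $env:windir 'System32\drivers\etc\hosts'
    Get-Content $hosts | Where-Object {
        $_.Trim() -and $_ -notmatch '^\s*#' -and $_ -notmatch '^\s*127\.0\.0\.1\s+localhost\s*$'
    }
}

Get-IeAddonStatus | Sort-Object Orphan -Descending | Format-Table Type, Guid, Orphan, Target -AutoSize
"--- hosts entries other than localhost ---"
Get-HostsOverride
```

Rows with Orphan = True are the entries an OTL fix like the one above removes; an orphan BHO subkey can be deleted with Remove-Item -LiteralPath "<key>\{guid}" -Recurse and an orphan toolbar value with Remove-ItemProperty -LiteralPath <key> -Name '{guid}'. Look at the Target column of the rows that do resolve before doing either: a live BHO whose DLL sits in a temp or user-profile folder deserves more attention than a dead registration does.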

Hi!

Pondus: I uninstalled Spybot right after the scans, but I noticed that the quick scan for rootkits alerted me of MBRphysicaldrive0 and another K something which looks like a Windows update. Since I didn’t see signs of these in the other logs, I decided to upload these too :slight_smile:

Essexboy, I’ll try with your code in OTL and paste the log ASAP. Regarding Combofix, it runs smoothly through the various levels but doesn’t reboot the system at the end; it says deleting TEMP folder but after that doesn’t do anything. It does not hang though. And, most importantly, it creates a logfile which just redirects to My Computer, even if I rename it to *.txt! Any ideas why? This happened even when I changed the Combofix name and ran it again.

Thank you Essexboy
Here are the Otl logs (the one after the fix and the one after a fresh quick scan).
The pc still boots slowly and the windows sound is distorted. Everything slows down and the CPU usage is often at 100%, but I’m still able to write from here.

Let’s try this next.

Download the latest version of TDSSKiller from here and save it to your Desktop.

[*]Double-click on TDSSKiller.exe to run the application

https://dl.dropbox.com/u/73555776/tdss%20start.JPG

[*]Then click on Change parameters.

https://dl.dropbox.com/u/73555776/tdss%20Change%20param.JPG

[*]Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

[*]Click the Start Scan button.

[*]If a suspicious object is detected, the default action will be Skip, click on Continue.

https://dl.dropbox.com/u/73555776/tdss%20threat.JPG

[*]If malicious objects are found, they will show in the Scan results and offer three (3) options.
[*]Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

[*]Get the report by selecting Reports

https://dl.dropbox.com/u/73555776/tdss%20report.JPG

[*]Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

Please copy and paste its contents on your next reply.

Here is the new TDSSKiller log.

Merry XMas :slight_smile:

Looks like it is repair time

Download Windows Repair (all in one) from this site

Install the programme, then run it

https://dl.dropbox.com/u/73555776/waio%20start.JPG

Go to step 3 and allow it to run SFC

https://dl.dropbox.com/u/73555776/waio%20step3.JPG

On the start repairs tab click start

https://dl.dropbox.com/u/73555776/waiostart%20rep.JPG

Select the following items and tick restart system when finished

https://dl.dropbox.com/u/73555776/waio%20rep%20list.JPG

Thanks Essexboy, I have downloaded the tool and run it as in your instructions. The system file check didn’t ask me for the Windows XP CD though. I also did the start repairs and restarted, but it doesn’t look much better and the Windows sound is still distorted.
Next step?

OK, I feel that the aswMBR detection is a false positive.

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow it to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

After completing stage 50, ComboFix says:

Deleting Folders:

c:\Documents and Settings\All Users\Datos de programa\TEMP

and just stays there forever without doing anything; it’s not frozen, but it does not take any action nor reboot the PC, and does not create a log, just a shortcut in C:\ named Combofix, which points to My PC.

OK, could you re-run ComboFix from Safe Mode, please?

Combofix behaves exactly the same in Safe Mode: it does not freeze, but it does not end and reboot either, and the log it produces in c:\combofix is actually just a shortcut to My PC.

The machine still takes a while to boot up, and most of the times the sound is distorted, not always though.
Normal use of pc is difficult because the CPU rapidly rises to 100%.

If it’s a false positive, what is causing these issues?

[*] Download RogueKiller and save it on your desktop.

NOTE: If using IE8 or better, the SmartScreen Filter will need to be disabled.

[*]Quit all programs
[*] Start RogueKiller.exe.
[*] Wait until Prescan has finished …
[*] Click on Scan

https://dl.dropbox.com/u/73555776/RKScan.GIF

[*]Wait for the end of the scan.
[*] The report has been created on the desktop.
[*] Click on the Delete button.

https://dl.dropbox.com/u/73555776/RKDelete.GIF

[*]The report has been created on the desktop.

[*]Next click on the ShortcutsFix

https://dl.dropbox.com/u/73555776/RKFixShortcuts.GIF

[*]The report has been created on the desktop.

Please post: All RKreport.txt text files located on your desktop.

Thank you for your help!

Here are the roguekiller logs.

When CPU usage increases to 100%, can you open Task Manager and let me know what process is running at the highest?
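For the question above, Task Manager shows the process name but not what is behind a busy svchost.exe or whether the busy binary is the one that belongs on the system. The PowerShell below is an added example, not from this thread, that samples CPU use per process over a few seconds, lists the services hosted by each svchost.exe instance, and reports the image path and Authenticode status of a named process such as wuauclt.exe. It assumes PowerShell 2.0 or later (available for XP SP3), WMI, and an elevated console; the function names and the 5-second sampling interval are my own choices.

```powershell
# Added example, not from the thread. Attributes CPU load to processes, maps
# svchost.exe instances to the services they host, and checks the on-disk
# image of a named process. Assumes PowerShell 2.0+ and an elevated console.

function Get-TopCpuProcess {
    # Samples TotalProcessorTime twice; the delta is the current load, whereas
    # the cumulative CPU time of a process says nothing about load right now.
    param([int]$Top = 5, [int]$SampleSeconds = 5)
    $before = @{}
    foreach ($p in Get-Process) {
        try { $before[$p.Id] = $p.TotalProcessorTime.TotalMilliseconds } catch { }
    }
    Start-Sleep -Seconds $SampleSeconds
    $cores = [Environment]::ProcessorCount
    $rows = foreach ($p in Get-Process) {
        if (-not $before.ContainsKey($p.Id)) { continue }
        try { $now = $p.TotalProcessorTime.TotalMilliseconds } catch { continue }
        $pct = 100 * ($now - $before[$p.Id]) / ($SampleSeconds * 1000 * $cores)
        New-Object PSObject -Property @{
            Id = $p.Id; Name = $p.ProcessName
            CpuPercent = [math]::Round($pct, 1)
            WorkingSetMB = [math]::Round($p.WorkingSet64 / 1MB, 1)
        }
    }
    $rows | Sort-Object CpuPercent -Descending | Select-Object -First $Top
}

function Get-SvchostService {
    # The services running inside each svchost.exe; an instance hosting an
    # unfamiliar service name or an odd PathName is the one to look at.
    foreach ($p in Get-Process -Name svchost -ErrorAction SilentlyContinue) {
        $svc = Get-WmiObject Win32_Service -Filter "ProcessId = $($p.Id)"
        New-Object PSObject -Property @{
            Id = $p.Id
            Services = ($svc | ForEach-Object { $_.Name }) -join ', '
            PathName = ($svc | Select-Object -First 1 | ForEach-Object { $_.PathName })
        }
    }
}

function Test-ProcessImage {
    # Path and Authenticode status of every running instance of a process name,
    # e.g. Test-ProcessImage wuauclt (the genuine copy lives in %windir%\system32).
    param([string]$Name)
    foreach ($p in Get-Process -Name $Name -ErrorAction SilentlyContinue) {
        $path = $null
        try { $path = $p.Path } catch { }
        if (-not $path) { continue }
        $sig = Get-AuthenticodeSignature -FilePath $path
        $signer = $null
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        New-Object PSObject -Property @{
            Id = $p.Id; Path = $path; Status = $sig.Status; Signer = $signer
        }
    }
}

Get-TopCpuProcess | Format-Table Name, Id, CpuPercent, WorkingSetMB -AutoSize
Get-SvchostService | Format-Table Id, Services, PathName -AutoSize -Wrap
Test-ProcessImage wuauclt | Format-List
```

Read the Path column first: a copy of a system binary running from anywhere other than %windir%\system32 is the finding. Treat the Status column as secondary on XP, because many system files there are signed through catalog files rather than an embedded signature, and Get-AuthenticodeSignature in PowerShell 2.0 reports those as NotSigned even when they are genuine.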

Ok, after all of this cleaning I rebooted and re-enabled Windows Firewall and Avast antivirus. Looking at Task Manager I’ve noticed that wuauclt.exe is always using up a lot of memory (100.000KB or more) and CPU as well. One of the svchost.exe is up there too, followed by explorer.exe. And then I’ve also noticed that Avast is trying to update but it takes ages to download the definitions and even more to check for a new version of the program (it’s not a connection problem because on the other PC in the same LAN everything works fine).
When I kill wuauclt.exe and after waiting many minutes for Avast to complete its update check, the CPU goes back to 0%, but as I try to open some programs (typically Firefox) it goes back to 100% and it takes 2 or 3 minutes to use the browser. When everything’s calm it goes back to 0%, but even touching the touchpad sends the CPU to at least 20%.