Okay, so I’m back. Damn wiki sites are killing me. Every time I go to one, it seems that they’re loaded with something bigger and better each time around.
This one is weird. So during one of my visits (Gears of War wiki, ruined the story for myself, btw), I noticed considerable CPU load. I didn’t think anything of it, maybe just avast! updating itself. But then all of a sudden, unbelievable lag. I tried to run a scan, so I looked for avast.
The bubble wasn’t there. Manual start up of avast! showed all shields were down. Attempts to activate them were unsuccessful, as the virus wouldn’t let them up. Tried running a scan, but it failed halfway through, and tried with MBAM but came up with the same result. Tried to schedule a boot time scan, but again, NOTHING. Set the schedule, slap the restart, straight to XP.
Then for the finale, I tried to run the avast! full scan. Lasted halfway through again, but now, like MBAM, I can’t access the programs anymore. I can’t rollback anywhere because looking at my backup program, I just learned that it hasn’t been backing anything up since February.
So, in short, I’m boned. Please help?
P.S. Upon preparing my ASW log, it now shares the same fate as avast, running halfway through and now being unable to access it.
Hi, I believe you have the ZeroAccess bootkit, so this will take a few posts to clear. Please do not try anything on your own, as using the wrong programmes could make your computer a brick.
First I will kill the ADS, then we will run aswMBR to confirm the analysis and ensure that I get the right tool to continue. Do not use any buttons on aswMBR; this will be a purely analysis run.
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.
Run OTL
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 50 7B 9A 0C E9 86 58 46 A3 42 75 1D BC 00 20 AE [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:63192
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 63192
FF - prefs.js..network.proxy.type: 0
O2 - BHO: (no name) - {0C9A7B50-86E9-4658-A342-751DBC0020Ae} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No CLSID value found.
O4 - HKLM..\Run: [conhost] C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe File not found
F3 - HKCU WinNT: Load - (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\csrss.exe) - File not found
@Alternate Data Stream - 784 bytes -> C:\WINDOWS\4093404390:429589260.exe
[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
Download aswMBR.exe (1.8 MB) to your desktop.
Double click aswMBR.exe to run it, then click the “Scan” button to start the scan.
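As an added, worked illustration (not code from this thread, from OTL or from its author): a small Python triage over OTL-style log lines that flags the four kinds of entry the fix above removes, namely the loopback proxy, the dangling BHO GUID, the orphaned autostart entries, and the alternate data stream. The sample log is constructed from the lines in the fix plus two benign lines made up for contrast; the rule names and thresholds are my own, not OTL's.

```python
"""Triage OTL-style log lines for the indicators the OTL fix in this thread targets."""
import re
# Constructed sample: the entries from the fix above, plus two benign lines for contrast.
SAMPLE_LOG = r"""
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:63192
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 63192
O2 - BHO: (no name) - {0C9A7B50-86E9-4658-A342-751DBC0020Ae} - No CLSID value found.
O4 - HKLM..\Run: [conhost] C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe File not found
F3 - HKCU WinNT: Load - (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\csrss.exe) - File not found
@Alternate Data Stream - 784 bytes -> C:\WINDOWS\4093404390:429589260.exe
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
"""
# Rule patterns (my own, hypothetical names): one per indicator type in the fix above.
LOCAL_PROXY = re.compile(r'(ProxyServer"\s*=\s*http=|network\.proxy\.http:\s*")127\.0\.0\.1')
DANGLING_CLSID = re.compile(r'^O[23] - .*No CLSID value found')
ORPHAN_AUTORUN = re.compile(r'^(O4 - HK..\.\.\\Run|F3 - HK.. WinNT: Load).*File not found', re.I)
USER_WRITABLE = re.compile(r'\\(Temp|Application Data)\\', re.I)
ADS_ENTRY = re.compile(r'^@Alternate Data Stream - \d+ bytes -> ')

def classify(line: str) -> str:
    """Label one OTL line; 'ok' means none of this thread's indicators apply."""
    if LOCAL_PROXY.search(line):
        return "local-proxy-hijack"   # browser traffic forced through a loopback listener
    if DANGLING_CLSID.search(line):
        return "dangling-bho"         # BHO/toolbar GUID registered with no CLSID behind it
    if ORPHAN_AUTORUN.search(line):
        # Autostart pointing at a missing file; worse when it lived in a user-writable dir
        return "orphan-autorun-userdir" if USER_WRITABLE.search(line) else "orphan-autorun"
    if ADS_ENTRY.search(line):
        return "ads-executable"       # payload hidden in an NTFS alternate data stream
    return "ok"

def triage(log_text: str) -> dict:
    """Classify every line, collecting hits and the loopback proxy port if one is set."""
    hits, port = [], None
    for line in (l.strip() for l in log_text.splitlines() if l.strip()):
        verdict = classify(line)
        if verdict != "ok":
            hits.append((verdict, line))
        m = re.search(r'127\.0\.0\.1:(\d+)', line)  # the port the hijacked browsers talk to
        if m:
            port = int(m.group(1))
    return {"hits": hits, "proxy_port": port, "clean": not hits}

if __name__ == "__main__":
    for verdict, line in triage(SAMPLE_LOG)["hits"]:
        print(f"{verdict:24} {line[:70]}")
```

Lines that OTL marks "File not found" are still worth listing: the autostart value persists after the file is gone and is exactly what the `:OTL` fix deletes.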
Okay, I got home and attempted to run the fix. Attempted.
Good news: I can still use my computer.
Bad news: OTL is also suffering the same fate as the rest of my antivirus. I’ve outsmarted it (somewhat) by copying OTL and running it that way, but any time I run my custom fix, it gets axed and disabled. New symptom though: Running the custom fix in safe mode disables explorer.
On a side note, Spybot is somehow able to keep running scans through. Other than that, I’m leaving my desktop off and running on a laptop. At this point, I’m desperate for anything.
VERY IMPORTANT!!! Save ComboFix.exe to your Desktop.
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here.
[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow it to update if it asks.
Okay, so running ComboFix, I had a hang-up at the restart (ran the scan when I left for school at 8, the system hung up after closing explorer and stayed that way). Probably a bad move, but I forced a restart with the reset button on the front of the case.
Started into normal XP and began ComboFix. Let that run, and got a log from it (attached.)
Finally ran OTL with my custom fix, and it worked on through.
And lastly ran aswMBR. It was going well, but then it came up with an error and closed, leaving me without a log to present you. After that, I shut her down and here I am.
Well, each ZeroAccess infection is a bit different.
Please read carefully and follow these steps.
[*]Download TDSSKiller and save it to your Desktop.
[*]Extract its contents to your desktop.
[*]Once extracted, open the TDSSKiller folder and double-click TDSSKiller.exe to run the application, then click Start Scan.
[*]If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
[*]If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste the contents of that file here.
Run the programme and follow the recommended steps 1 to 3 (disk check, sfc and system restore).
At step 4 select advanced mode.
Select the items that I have indicated below.
Run the repairs and reboot on completion.
Okay, ran that and headed into the restart. Initiated MBAM for a scan, but figured I’d try to update first, and I can’t connect to the internet. Checked the physical connection through my CAT5; I know my router’s working because my laptop is on the wireless network. Right-clicked the Local Area Network icon in the tasks and clicked “Repair”, but it came up with this error:
“Windows could not finish repairing the problem because the following action cannot be completed:
Renewing your IP address”
Open Services…
Start > Run > Type: services.msc > Click OK
Scroll down to and double click DNS Client
Set to Automatic under Startup type
Click the Apply button
Click the Start button
When it starts click OK
Repeat for DHCP Client.
And repeat for Remote Procedure Call (RPC).
[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
Alright, ran the fix, but did something that might anger you, haha…
I didn’t save the log file. Sorry, slipped my mind after reading it, but it did the replace. It also mentioned something was missing at the end (which is probably what caused me to just close it).
In any case, my computer’s still trying to run the IP Renewal, but is still just looping.