Zero Access Rootkit??? Please help

Windows XP SP3 - Computer comes up with a blue screen, too fast to read, and lists options to Safe Mode. It works progressively more slowly in Safe Mode but I am unable to do Windows Update - Dr FixIt states ‘1 or more components of Windows Update are not correctly configured’.

I downloaded and have tried also to run Secunia Software Inspector and Kaspersky Online Scan and they will not run. Kaspersky disappears as soon as I try to install; Secunia just hangs at the beginning.

Gmer brings up a blue screen when it goes through the registry. I ran it box by box, copied the first two; the others up to files and registry came up with a box saying there were no changes, but the registry could never be finished as the blue screen came up: Driver irq not less…

I also tried to scan with Avast anti-rootkit. It ran for over 3 hours and then (I expect as it looked at the registry) switched off the computer!

What should I do now?

Hope that you can help

regards

What should I do now?
make coffee and wait ;)

Malware removers are notified: it may take hours before one arrives, so be patient.

OK, let's take a look at the MBR

[*] Download RogueKiller and save it on your desktop.

NOTE: If using IE8 or better Smartscreen Filter will need to be disabled

[*] Quit all programs
[*] Start RogueKiller.exe.
[*] Wait until Prescan has finished …
[*] Click on Scan

https://dl.dropbox.com/u/73555776/RKScan.GIF

[*] Wait for the end of the scan.
[*] The report has been created on the desktop.
[*] Click on the Delete button.

https://dl.dropbox.com/u/73555776/RKDelete.GIF

[*] The report has been created on the desktop.

[*] Next click on the ShortcutsFix

https://dl.dropbox.com/u/73555776/RKFixShortcuts.GIF

[*] The report has been created on the desktop.

Please post: All RKreport.txt text files located on your desktop.

Hi Essexboy, what could I do without you…

I am attaching the RogueKiller files

many thanks

qim

I’ve just done something stupid. I tried to see if Windows Update works now, and a box came up asking to install something, which I did not read properly, assuming that it was a MS upgrade of the Windows Update. Whether it was or not, Windows Update still does not work.

qim

OK, two programmes to run … These may be run from safe mode. Have you been using a registry cleaner?

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*] Double click on ComboFix.exe & follow the prompts.
[*] Accept the disclaimer and allow it to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*] When finished, it shall produce a log for you.
[*] Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.

THEN

Run Farbar Service Scanner

https://dl.dropbox.com/u/73555776/FSS.GIF

Tick “All” options.
Press “Scan”.
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.

I’m on a different computer. ComboFix stopped half-way through with a box about Recovery Console not being installed. What do I do now?

Well, I’ve allowed it to download it. I hope it works. Ignore my earlier message. Will send you log if it succeeds.

qim

Hi Essexboy

ComboFix finished ok, but nothing changed in the computer. It still restarted with the blue screen and I had to revert to Safe Mode, as before. I restarted again, but all the same, and Windows Update still unavailable. I then ran Farbar, but still no Windows Update. It appears that the virus is still there.

I read somewhere in your Forum that it was a good idea to rename ComboFix before it downloaded, but I did not do it.

What next?

qim

Nope, FSS will not repair anything; it just shows me what is wrong. Rather than get you to dig around in the services area I will use an automated tool.

Also, when you get the blue screen what error does it show?

Download Windows Repair (all in one) from this site

Install the programme, then run it

https://dl.dropbox.com/u/73555776/waio%20start.JPG

Go to step 3 and allow it to run SFC

https://dl.dropbox.com/u/73555776/waio%20step3.JPG

On the start repairs tab click start

https://dl.dropbox.com/u/73555776/waiostart%20rep.JPG

Select the following items and tick restart system when finished

https://dl.dropbox.com/u/73555776/waio%20rep%20list.JPG

Hi Essexboy

The blue screen flashes past so quick that I cannot read it.

Thanks for your help

qim

Direct link http://majorgeeks.com/downloadget.php?id=7141&file=15&evp=18a37c9c3804bd022748a38eb328614e

Bad news: I ran the Windows Repair prog but I still get the blue screen on start-up and cannot get in other than in Safe Mode. Tried Windows Update but it still does not work.

I’m praying for a solution…

Log attached

qim

OK, let's try a clean boot

Step 1:

Start the System Configuration Utility
Click Start, click Run, type msconfig, and then click OK.
The System Configuration Utility dialog box is displayed.

Step 2:

Configure selective startup options
In the System Configuration Utility dialog box, click the General tab, and then click Selective Startup.
Click to clear the Process SYSTEM.INI File check box.
Click to clear the Process WIN.INI File check box.
Click to clear the Load Startup Items check box. Verify that Load System Services and Use Original BOOT.INI are checked.
Click the Services tab.
Click to select the Hide All Microsoft Services check box.
Click Disable All, and then click OK.
When you are prompted, click Restart to restart the computer.

Step 3: Log on to Windows

If you are prompted, log on to Windows.
When you receive the following message, click to select the Don’t show this message or launch the System Configuration Utility when Windows starts check box, and then click OK.

You have used the System Configuration Utility to make changes to the way Windows starts. The System Configuration Utility is currently in Diagnostic or Selective Startup mode, causing this message to be displayed and the utility to run every time Windows starts. Choose the Normal Startup mode on the General tab to start Windows normally and undo the changes you made using the System Configuration Utility.

Now we get to the tedious part:

If windows behaves itself then do the following

Restart MSConfig and select half of the disabled services and reboot

Is the problem still present?

If Yes then deselect half of the services that you resumed and reboot

If no then select half of the remaining services and reboot

The intention here is to isolate the one service/driver that is causing the problem
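The halving procedure above, written out as a binary search so the number of reboots is explicit. This is an added example, not from the thread: `boots_ok` is a constructed stand-in for "reboot and see whether the blue screen comes back" (nothing here touches msconfig), and it also covers the case where the machine fails even with every non-MS service disabled, which the halving cannot resolve.

```python
# Added example: binary search over disabled startup services, mirroring the
# "select half, reboot, narrow down" steps in the clean-boot post.
from typing import Callable, List, Optional, Set, Tuple

BootCheck = Callable[[Set[str]], bool]   # enabled services -> did Windows boot cleanly?


def isolate_culprit(services: List[str], boots_ok: BootCheck) -> Tuple[Optional[str], int]:
    """Return (culprit, reboots).

    culprit is None when halving cannot isolate a single service: either the
    box still fails with everything disabled (so the cause is not one of these
    services) or it boots fine with everything enabled (nothing to isolate).
    With more than one faulty service this returns one of them."""
    reboots = 1
    if not boots_ok(set()):            # Step 2 result: all disabled, still fails
        return None, reboots
    reboots += 1
    if boots_ok(set(services)):        # all enabled and it boots: nothing to find
        return None, reboots
    candidates = list(services)
    while len(candidates) > 1:
        half = candidates[: len(candidates) // 2]
        reboots += 1
        if boots_ok(set(half)):        # this half is fine: problem is in the rest
            candidates = candidates[len(candidates) // 2 :]
        else:                          # problem reproduced: narrow to this half
            candidates = half
    return candidates[0], reboots


# Constructed sample service names; they are not taken from any log in the thread.
SAMPLE_SERVICES = [
    "AcmeUpdater", "BluetoothHelper", "CloudSync", "DisplayTweaker",
    "FaultyFilterSvc", "FooPrinterMon", "GameOverlay", "HotkeySvc",
]


def simulated_boot(bad: Set[str]) -> BootCheck:
    """Fake reboot check: the boot fails iff any service in `bad` is enabled."""
    return lambda enabled: not (enabled & bad)


if __name__ == "__main__":
    culprit, reboots = isolate_culprit(SAMPLE_SERVICES, simulated_boot({"FaultyFilterSvc"}))
    print(f"culprit={culprit} after {reboots} reboots")
```

With eight candidate services this takes five reboots in the simulation rather than eight one-at-a-time attempts.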

I’ve gone through steps 1 and 2, but on restart I am back with the blue screen and forced to choose Safe Mode.

I read somewhere that Zero Access Rootkit disables/changes some drivers. It may be the problem which causes the blue screen.

I’m in your capable hands.

qim

I’ve just noticed something unexpected. My system is in Portuguese. In step 1 I left ticked the boxes in the General tab which I believe is what you asked: load system services and use original boot.ini.
Then, in the Services tab I deselected all non-MS services and applied before leaving. After restarting, when I looked at these tabs again, the General tab had the load system services blank, and if I ticked it again all non-MS services appeared magically ticked in the Services tab!

Apparently I cannot have load system services in the General tab, and deselect non-MS services in the Services tab, at the same time.

I’ve tried also to select start-up items in the General tab, but it does not work either: I always get the blue screen which I cannot read.

I saw in some of the logs mentions of classpnp.sys. Could the problem be there?

qim

I’m not sure if you read all of my last post as I’ve been adding and amending. I would like now to deselect EVERYTHING in the Services tab except what I believe are the essential items which are marked as such: only 3 - DCOM, RPC locator, and Remote procedure call (RPC). Sorry for the bad translation.

I am afraid that if I do this I may not be able to get back into the system, not even to safe mode. What do you advise?

qim

Could you check C:\windows\minidumps; are there any dump files there?

If so, could you zip the last two or three and upload to MediaFire for me to collect.

I do not believe - at this stage - that it is malware

Hi Essexboy

I am not sure that I can zip the minidumps as I believe the laptop (my wife’s) does not have a valid zip programme.

Regarding the malware, it seems strange to me that I cannot update Windows, and that just about every scanning programme, even in safe mode, gets blocked, usually by disconnecting the system.

I have been looking at the Administrative Tools/Services and while there, and in safe mode without internet, a whole load of Russian web pages started popping up like mad (my wife is Russian).

Do you know a free zip prog that I can download?

Thanks

qim

I use this one http://peazip.sourceforge.net/

Download the latest version of TDSSKiller from here and save it to your Desktop.

[*] Double-click on TDSSKiller.exe to run the application

http://dl.dropbox.com/u/73555776/TDSSFront.JPG

[*] Then click on Change parameters.

http://dl.dropbox.com/u/73555776/TDSSConfig.JPG

[*] Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

[*] Click the Start Scan button.

[*] If a suspicious object is detected, the default action will be Skip; click on Continue.

http://dl.dropbox.com/u/73555776/TDSSFound.JPG

[*] If malicious objects are found, they will show in the Scan results and offer three (3) options.
[*] Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

[*] Get the report by selecting Reports

http://dl.dropbox.com/u/73555776/TDSSEnd.JPG

[*] Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.

Please copy and paste its contents on your next reply.

Hi

I have been struggling with the zip prog. I think I have it now but have no idea what MediaFire is or how it works. Can I not email you?

Thanks

qim