Author Topic: Zero Access Rootkit??? Please help  (Read 28285 times)


qim

Zero Access Rootkit??? Please help
« on: September 17, 2012, 11:32:36 AM »
Windows XP SP3 - Computer comes up with a blue screen, too fast to read, and lists options to Safe Mode. It works progressively more slowly in Safe Mode but unable to do Windows Update - Dr FixIt states '1 or more components of Windows Update are not correctly configured'.


I downloaded and have tried also to run Secunia Software Inspector and Kaspersky Online Scan and they will not run. Kaspersky disappears as soon as I try to install; Secunia just hangs at the beginning.

Gmer brings up a blue screen when it goes through the registry. I ran it box by box, copied the first two; the others up to files and registry came up with a box saying there were no changes but the registry could never be finished as the blue screen came up: Driver irq not less...

I also tried to scan with Avast anti-root kit. It ran for over 3 hours and then (I expect as it looked at the registry) switched off the computer!

What should I do now?


Hope that you can help

regards

« Last Edit: September 17, 2012, 12:36:35 PM by qim »

Offline Pondus

Re: Zero Access Rootkit??? Please help
« Reply #1 on: September 17, 2012, 12:54:51 PM »
Quote
What should I do now?
make coffee and wait   ;)


Malware removers are notified; it may take hours before one arrives, so be patient.
« Last Edit: September 17, 2012, 12:59:02 PM by Pondus »

Offline essexboy

Re: Zero Access Rootkit??? Please help
« Reply #2 on: September 17, 2012, 03:20:33 PM »
OK, let's take a look at the MBR

  • Download RogueKiller and save it on your desktop.

    NOTE: If using IE8 or better, Smartscreen Filter will need to be disabled

  • Quit all programs
  • Start RogueKiller.exe.
  • Wait until Prescan has finished ...
  • Click on Scan
  • Wait for the end of the scan.
  • The report has been created on the desktop.
  • Click on the Delete button.
  • The report has been created on the desktop.
  • Next click on the ShortcutsFix
  • The report has been created on the desktop.

Please post: All RKreport.txt text files located on your desktop.

qim

Re: Zero Access Rootkit??? Please help
« Reply #3 on: September 17, 2012, 04:05:58 PM »
Hi Essexboy, what could I do without you...

I am attaching the RogueKiller files

many thanks

qim


qim

Re: Zero Access Rootkit??? Please help
« Reply #4 on: September 17, 2012, 04:08:41 PM »
I've just done something stupid. I tried to see if Windows Update works now, and a box came up asking to install something, which I did not read properly, assuming that it was a MS upgrade of the Windows Update. Whether it was or not, Windows Update still does not work.

qim

Offline essexboy

Re: Zero Access Rootkit??? Please help
« Reply #5 on: September 17, 2012, 07:22:32 PM »
OK, two programmes to run. These may be run from safe mode. Have you been using a registry cleaner?

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

3.  If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.


Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

THEN

Run Farbar Service Scanner

Tick "All" options.
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.

qim

Re: Zero Access Rootkit??? Please help
« Reply #6 on: September 17, 2012, 07:37:35 PM »
I'm on a different computer. ComboFix stopped half-way through with a box about Recovery Console not being installed. What do I do now?

Well, I've allowed it to download it. I hope it works. Ignore my earlier message. Will send you log if it succeeds.

qim
« Last Edit: September 17, 2012, 07:39:37 PM by qim »

qim

Re: Zero Access Rootkit??? Please help
« Reply #7 on: September 17, 2012, 08:08:02 PM »
Hi Essexboy

ComboFix finished OK, but nothing changed in the computer. It still restarted with the blue screen and I had to revert to Safe Mode, as before. I restarted again, but all the same and Windows Update still unavailable. I then ran Farbar, but still no Windows Update. It appears that the virus is still there.

I read somewhere in your Forum that it was a good idea to rename ComboFix before it downloaded but i did not do it.

What next?

qim

Offline essexboy

Re: Zero Access Rootkit??? Please help
« Reply #8 on: September 17, 2012, 08:47:29 PM »
Nope, FSS will not repair anything; it just shows me what is wrong. Rather than get you to dig around in the services area I will use an automated tool.

Also when you get the blue screen what error does it show ?

Download Windows Repair (all in one) from this site

Install the programme then run

Go to step 3 and allow it to run SFC

On the start repairs tab click start

Select the following items and tick restart system when finished


qim

Re: Zero Access Rootkit??? Please help
« Reply #9 on: September 17, 2012, 08:56:49 PM »
Hi Essexboy

The blue screen flashes past so quick that I cannot read it.


Thanks for your help

qim
« Last Edit: September 17, 2012, 09:08:00 PM by qim »


qim

Re: Zero Access Rootkit??? Please help
« Reply #11 on: September 17, 2012, 09:31:12 PM »
Bad news: I ran the Windows Repair prog but I still get the blue screen on start up and cannot get in other than in safe mode. Tried Windows Update but it still does not work.

I'm praying for a solution...

Log attached

qim

Offline essexboy

Re: Zero Access Rootkit??? Please help
« Reply #12 on: September 17, 2012, 09:35:16 PM »
OK, let's try a clean boot

Step 1:

Start the System Configuration Utility
Click Start, click Run, type msconfig, and then click OK.
The System Configuration Utility dialog box is displayed.

Step 2:

Configure selective startup options
In the System Configuration Utility dialog box, click the General tab, and then click Selective Startup.
Click to clear the Process SYSTEM.INI File check box.
Click to clear the Process WIN.INI File check box.
Click to clear the Load Startup Items check box. Verify that Load System Services and Use Original BOOT.INI are checked.
Click the Services tab.
Click to select the Hide All Microsoft Services check box.
Click Disable All, and then click OK.
When you are prompted, click Restart to restart the computer.

Step 3: Log on to Windows

If you are prompted, log on to Windows.
When you receive the following message, click to select the Don't show this message or launch the System Configuration Utility when Windows start check box, and then click OK.

Quote
You have used the System Configuration Utility to make changes to the way Windows starts.
The System Configuration Utility is currently in Diagnostic or Selective Startup mode, causing this message to be displayed and the utility to run every time Windows starts.
Choose the Normal Startup mode on the General tab to start Windows normally and undo the changes you made using the System Configuration Utility.

Now we get to the tedious part:

If windows behaves itself then do the following

Restart MSConfig and select half of the disabled services and reboot

Is the problem still present ?

If Yes then deselect half of the services that you resumed and reboot

If no then select half of the remaining services and reboot

The intention here is to isolate the one service/driver that is causing the problem
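The halving procedure above is a binary search over the disabled services. The script below is an added illustration, not part of the post: a constructed service list and a constructed predicate stand in for the reboots and for the question "is the problem still present?", and it returns the culprit together with the number of reboots the procedure needed. It assumes, as the post does, that exactly one service reproduces the fault.

```python
"""Added illustration of the service-halving procedure from the clean-boot post.

A real run needs a reboot per step; here a constructed predicate stands in
for the reboot and answers "is the problem still present?".
"""


def isolate_faulty_service(disabled, problem_present):
    """Bisect the disabled (non-Microsoft) services to find the one at fault.

    disabled:        services switched off via msconfig, in any order.
    problem_present: takes the list of services re-enabled for this boot and
                     returns True if the fault (e.g. the blue screen) appears.
    Returns (culprit, reboots). culprit is None if the fault shows with
    every service disabled or no single service reproduces it.
    """
    reboots = 1
    if problem_present([]):          # baseline boot: everything still disabled
        return None, reboots         # cause lies elsewhere, halving is pointless
    candidates = list(disabled)
    while len(candidates) > 1:
        half = candidates[: len(candidates) // 2]
        reboots += 1
        if problem_present(half):    # resume half of the candidates and reboot
            candidates = half        # fault returned: culprit is in this half
        else:
            candidates = candidates[len(candidates) // 2:]  # otherwise the rest
    reboots += 1
    if problem_present(candidates):  # confirm the last remaining service alone
        return candidates[0], reboots
    return None, reboots


# Constructed sample: ten made-up non-Microsoft services, one of them faulty.
SAMPLE_SERVICES = ["BackupAgentX", "CloudSyncX", "DriverHelperX", "IndexerX",
                   "PrinterMonX", "SensorSvcX", "UpdaterX", "VpnClientX",
                   "WebcamSvcX", "ZipShellX"]
CULPRIT = "PrinterMonX"   # constructed: the service that triggers the fault


def simulated_boot(enabled):
    """Constructed stand-in for a reboot: fault iff the culprit is enabled."""
    return CULPRIT in enabled


if __name__ == "__main__":
    culprit, reboots = isolate_faulty_service(SAMPLE_SERVICES, simulated_boot)
    print(f"culprit: {culprit} found after {reboots} reboots")
```

With ten services the culprit is pinned down in six reboots (baseline, four halvings, one confirmation) instead of ten one-at-a-time trials.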

qim

Re: Zero Access Rootkit??? Please help
« Reply #13 on: September 17, 2012, 09:44:26 PM »
I've gone through steps 1 and 2, but on restart I am back with blue screen and forced to choose safe mode.

I read somewhere that Zero Access Rootkit disables/changes some drivers. It may be the problem which causes the blue screen.

I'm in your capable hands.

qim

qim

Re: Zero Access Rootkit??? Please help
« Reply #14 on: September 17, 2012, 09:54:57 PM »
I've just noticed something unexpected. My system is in Portuguese. In step 1 I left ticked the boxes in the General tab that I believe are what you asked: load system services and use original boot.ini.
Then, in the Services tab I deselected all non-MS services and applied before leaving. After restarting, when I looked at these tabs again, the General tab had the load system services box blank, and if I ticked it again all non-MS services appeared magically ticked in the Services tab!

Apparently I cannot have load system services in the General tab, and deselect non-MS services in the Services tab, at the same time.

I've tried also to select start-up items in the General tab, but it does not work either: I always get the blue screen which I cannot read.

I saw in some of the logs mentions of classpnp.sys. Could the problem be there?

qim
« Last Edit: September 17, 2012, 10:08:50 PM by qim »