Zero Access Rootkit??? Please help

[qim]

I'm not sure if you read all of my last post as I'.ve been adding and amending. I would like now to deselect EVERYTHING in the Services tab except what I beleive are the essential items which are marked as such: only 3 - DCOM, RPC locator, and Remote procedure call (RPC) .  Sorry for the bad translation.

I am afraid that if I do this I may not be able to get back into the system, not even to safe mode. What do you advise?

qim

[essexboy]

Could you check C:\windows\minidumps are there any dump files there ? 

If so could you zip the last two or three and upload to mediafire for me to collect

I do not believe - at this stage - that it is malware

[qim]

Hi Essexboy

I am not sure that I can zip the minidumps as I beleive the laptop (my wife's) does not have a valid zip programme.

regarding the malware, it seems strange to me that I cannot update Windows, and that just about every scanning progranmne, even in safe mode, gets blocked, usually by disconnecting the system.

I have been looking at the Administrative Tools/Services and while there, and in safe mode without internet, a whole load od«f Russian web pages starting popping up like mad (my wife is Russian).

Do you know a free zip prog that I can download?

Thanks

qim

[essexboy]

I use this one http://peazip.sourceforge.net/

Download the latest version of TDSSKiller from here and save it to your Desktop.
 
 

• Doubleclick on TDSSKiller.exe to run the application
  
  
  
• Then click on Change parameters.
   
  
   
  
• Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
   
  
• Click the Start Scan button.
   
   
  
• If a suspicious object is detected, the default action will be Skip, click on Continue.
   
  
   
  
• If malicious objects are found, they will show in the Scan results and offer three (3) options.
• Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
  
  
• Get the report by selecting Reports

 

• Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  

Please copy and paste its contents on your next reply.

[qim]

Hi

I have been struggling with the zip prog. I think I have it now but have no idea what and how is mediafire. Can I not email you?

Thanks

qim

[essexboy]

Yep you can

[qim]

Sorry, but how? Within the Avast forum?

qim

[essexboy]

Check your PM 

[qim]

Hi

I may be very dim, or very tired but I cannot understand the TDSSKiller. When I start it it tells me that there is an update available and prompts me to press the download button. I get a .zip file which I unzip and I am back in the same prog asking me if I want to update. Conclusion: I did not update and the results are of the older version.

Then, the box that I get has 4 boxes on top and 2 below and not 3 on top as in your post. If I tick that extra one too (Loaded Modules) I get a warning that I have to reboot because ' extended monitoring driver is required for this option. Press reboot now...' which I did and nothing changed, and I get back into a vicious circle.

Anyway I decided to leave that box empty and did the scan.  It found 3 threats  , one of which is from Vodafone dongle that I use in UK. None has the option to cure, so I left them at Skip The others are:

Service start; Demand (0x3)
File: c:\Programas\ficheiros comuns\InstallShield\Driver\1050\Intel32\IDriverT.exe

Service start Auto (0x2)
File: c:\Windows\system32\nvsvc32.exe\



I could not see any log. The computer remains as before.

I will wait 20 mins and then off to bed as it is 1 hour later where I am in Andorra and I amvery, very tired. I hope to hear from you before then. Otherwise, good night and see you tomorrow morning, hopefully.

many thanks for your help

qim

[qim]

Good morning, Essexboy

Did you get the minidumps? This morning I have been reading more about the ZeroAccess Rootkit and it all seems to relate to my problems. before you got involved I was unable to do most scans as the computer suddenly switched itself off during the scan. It appears that it is better now in that respect, and hopefully the virus has been deleted (though I doubt it as for instance I cannot run Kaspersky online scan: either it is being blocked, or does not run in safe mode). However, ZeroAccess, according to what I read. leaves damaged drivers, files, and sometimes computers.

I tried to start with minimum services from Msconfig with no luck. Always blue screen and can only use computer in safe mode. Hope th minidumps bring some light.

Many thanks for your trouble

qim

[qim]

Hello Essexboy

I have now managed to scan with the latest version of TDSSKiller. It came up with the same results as yesterday, but it refers to suspicious files rather than actuall serious thereats, which id«s why I did not get the screen to Cure.

I did also a new scan with aswMBR (log attached)

I've just realized that I sent you the minidumps by normal email, rather than through the Forum. Did you get them? if not, I will resend butcouldn't work out how to use the email address in the personal messages.

Thank you

qim


PS - VERY BAD NEWS! The computer does not even go into safe mode and I do not have a resue disk! While I have been waiting I decided to run again Windows repair (all in one). As happened yesterday, at the end, a box came up saying that it was closing down the somputer in so many seconds. This time when it restarted, I still got the choices for safe mode, but all I get now is a flashing white dash that goes on for a long time before it restarts and goes through the same procedure with the same results.

I don't know how you can help me now as I do not know how to get a rescue disk to format the disk and start all over again, on the assumption that it was caused by a virus and that it did not damage the computer physically

qim

[essexboy]

OK before I look at the minidumps

Lets access windows
Please print these instruction out so that you know what you are doing

• Download OTLPENet.exe to your desktop
  
• Download Farbar Recovery Scan Tool and save it to a flash drive.
  
• Ensure that you have a blank CD in the drive
• Double click OTLPENet.exe and this will then open imgburn  to burn the file to CD
  
• Reboot your system using the boot CD you just created.

Note : If you do not know how to set your computer to boot from CD follow the steps here

• As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads 
• Your system should now display a Reatogo desktop.

Note : as you are running from CD it is not exactly speedy

• Insert the flash drive with FRST on it
• Locate the flash drive and run FSRT
• The tool will start to run.

• When the tool opens click Yes to disclaimer.
• Press Scan button.
  
• It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

[qim]

Hi Essexboy

Nice to hear from you.

Somehow I got back access to safe Mode. after various tries I rebooted into MS-Dos and after getting in the computer started accepting safe mode again. Another thing: windows update is still not available but I looked at the registry and found that AUOptions was set to (4) when the only valid numbers are 0 to 3! I changed to 0 but have not restarted since.

As I can access the computer should I go ahead with your last instructions?

Also: was it normal that after running Windows Repair (all in 1) the box should come up telling me that the computer was goinfg to shut down? Not restarting: shutting down. I think it happened yesterday also when I followed your instructions. I can't see how the repairs are done with the system shut-down.

qim

[essexboy]

No that would suggest a system error

Reboot as normal and I will look at the dumps now

[qim]

Hi

Strange things are happening. Not only Windows repair (all in 1), but various programmes before over the last 3 days, shut down the computer when (possibly) the scans are about to detect the virus. Wheb I received your post I was in the middle of running Gmer to see where it cut off like last time I used it. It ran ok in the registry, but after a long scan in Files the computer (as expected by me) suddenly shut off. I think there is a smart virus protecting itself and changing places as we go along.

meanwhile on restart the blue screen came up as usual, I could only get into Safe Mode, and windows Update still does not work. Here again, I keep getting an MS box to install some kind of installer, only to have this repeated in one of the next times that I try it.


Is the Boot.ini ok?

[boot loader]
timeout=3
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[Operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" / cmdcons
UnsupportedDebug="Do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin/fastdetect


Sorry for this mess!

qim