Unable to boot after ZeroAccess infection and cleaning

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by enonumus, Nov 5, 2011.

  1. enonumus

    enonumus Private E-2

    *SIGH*

    First of all, here's where I'm at, then you can read below for the loong story of how I got there...

    After getting hit with a Windows Defender 2011 / ZeroAccess rootkit / TDSS infection, and after a lot of reading about these new variants, I attempted to clean the infections as best I could. In addition to a couple of malware EXEs that had been dropped onto the system, ATAPI.sys was infected, as was WUDFPF.sys, and there were issues with SPTD.sys. I did some old fashioned manual removal, and also I used Superantispyware, Malwarebytes, TDSSKiller, Combofix (to detect only), and the Kaspersky Recovery Disk.

    After initially getting rid of the malware EXEs and associated registry entries, things were working fine and my internet was working with no issues. Even when I was being told that ATAPI.SYS and the TCP/IP stack were infected with ZeroAccess I still wasn't experiencing any issues. However, after I attempted removal things went radically downhill, and I've been unable to get back into Windows ever since.

    In safe mode, I could see the system pausing and waiting for a key press on SPTD.SYS, and when I pressed a key the system would briefly flash a blue screen then reboot. In normal mode it would do the same thing but without pausing on SPTD.SYS. I disabled SPTD.SYS with the Recovery Console, but now the system just endlessly attempts to boot and reboot rather than pausing at SPTD.SYS. So that's where I'm at... see below for complete details.

    Several hours ago a major infection appeared on my Win XP Pro 32 system. Malwarebytes and SAS were both running and providing real-time protection at the time, and I try to run anything suspicious in a Sandbox, but somehow something got through, and it doesn't really matter how at this point.

    The initial infection was definitely System Defender 2011, and I had no choice but to turn off the system due to the way the infection behaves, locking me out from doing ANYTHING else but clicking on its own window, which I sure as heck wasn't going to do. First I did some reading about it using another laptop, then I rebooted in safe mode and started isolating and cleaning the infection manually, the old fashioned way :).

    I found and deleted the primary offending exe from the System32 folder, removed the associated registry entries using HJT, and deleted the program group it created. I did a few other things, and restored the system back to the previous day just for good measure, then rebooted in Normal mode. Once rebooted, on the surface things appeared fine in Normal mode, the internet was working and the infection wasn't active.

    I did a Malwarebytes scan and it found a few minor registry entries to clean up. Then I did an SAS scan and it reported a rootkit infection with ATAPI.sys and several ATAPI related registry entries. Since Malwarebytes didn't report the problem with ATAPI.sys, and after doing some reading, I wanted to be sure it wasn't a false positive, and I wasn't comfortable yet with letting SAS try to clean the .sys infection. There was widespread disagreement in the messages I read on which tool to use and even whether to do it in safe mode or normal mode.

    I ran Combofix just to see what it reported, and that's when it was officially flagged as being the ZeroAccess rootkit, aka Max++, apparently just about the nastiest rootkit infection in existence and part of the TDSS family of variants. I did a lot more reading, but there was so much disagreement and so many horror stories no matter which method was used, it seemed there just wasn't any one method that even remotely worked for everyone. Before I went any further I tried to get all of my ducks in a row, just in case I wound up in an unbootable situation after attempting a fix. I made sure I had every tool and CD handy that I could think of.

    I opted to let SAS take the first whack at it. It reported that it handled all the reg. entries and the ATAPI.SYS infection. I checked to see if it had deleted ATAPI.SYS, since I knew the system wouldn't boot without it, but the file was still there. I then ran TDSSKiller following the advice from at least one thread. It reported nothing about ATAPI.SYS at that point, but it did flag WUDFPF.SYS as being infected with the TDSS rootkit, and it also flagged SPTD.SYS as being locked, although it indicated the threat/warning level was low for that issue and it didn't report that it was infected. I allowed TDSSKiller to proceed, and it claimed to have fixed the issue with WUDFPF.SYS, and did nothing with the locked SPTD.SYS.

    Windows was working perfectly at this point, and I had full internet access. Both cleaning tools had requested a reboot after running, so I went ahead and did the reboot, knowing that I still had the option of running the Kaspersky Rescue Disk that at least a few people had recommended for dealing with this infection. Unfortunately, the problem I mentioned at the very top of this post began immediately after the reboot.

    If I tried to boot into safe mode, it would load each of the drivers, then pause at SPTD.SYS with some sort of message requesting a key press to continue. Pressing any key just yielded a flash of a blue screen then a reboot. I ran the Kaspersky Rescue Disk and the scan indicated that WUDFPF.SYS was still infected with the TDSS.b variant. I allowed it to clean the infection, and it indicated it was successful.

    I rebooted with high hopes that the system would at least boot into safe mode now, but it continued to pause on SPTD.sys. I then followed the final option I could find for people experiencing this same set of problems, which was to disable the loading of SPTD.sys since it's not a necessary Windows file. Again I rebooted and hoped for the best, but now the system doesn't hang on that device waiting for a key press, it just pauses momentarily after loading MUP.SYS (which is the last file that would load before hanging on SPTD.SYS) then it just reboots and repeats in an endless cycle.

    One other thing I tried using the Recovery Console, was renaming SPTD.SYS. Oh, and I also tried expanding and replacing ATAPI.SYS with the compressed file from the recovery console CD. It did have a different time of day, but same date and file size as the file I was replacing. Unfortunately neither of these things helped.

    After 20+ years of working on PCs, I'm now at a place I don't think I've ever actually been before with XP, or certainly not for a very long time... with a Windows installation so infected I can't even boot into it or find a way to repair it. I've dealt with some vicious infections before, particularly in the last several years, but I've always been able to at least get back into Windows without reinstalling the OS.

    PHEW. Now if anybody is still with me after reading that short novel, I'm desperate for some help, and I'm flat out of ideas. I have plenty of tools to work with, plenty of experience, and can download anything else I might need using one of my other laptops. I even have an identical laptop with an identical configuration as of about 18 months ago, but I definitely don't want to have to revert yet to making a clone of that installation and migrating all of the newer data over to it. I've made a LOT of changes to my system in that period of time, and it would take a week or more to even get it remotely close to the way it was. It is however my plan of last resort when all else fails...
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    It may be worth giving the below procedure a try, which effectively does a partial system restore of registry info. Sometimes this is enough to get you up and running again.

    http://support.microsoft.com/default.aspx?scid=kb;en-us;307545&sd=tech

    There are faster/easier ways to do the same thing without using the awkwardness of the Recovery Console. As you have been working on PCs for 20 years you can likely see what they are trying to accomplish, and you could make a boot disk like the below to do the same much, much easier and faster.

    UBCD4Win

    This disk is extremely useful and allows you to even access/edit your registry while offline and it allows network access, usb port access...etc so you can copy/move files back and forth from your hard disk.

    The SPTD.SYS file was just from having Daemon Tools installed. This is something we actually ask people to totally disable or uninstall before doing our cleaning procedures as it is a constant cause of scanning tools getting confused and presenting some misleading data.
     
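The KB article chaslang links (307545) is a multi-stage recovery of the XP registry hives from the Recovery Console. As an added illustration for readers of this thread, and not part of chaslang's reply or of the KB article text itself, the block below spells out the first stage the way the article lays it out. It assumes Windows is installed in C:\Windows (adjust the drive and folder if not); the `rem` lines are annotations for the reader, since at the Recovery Console prompt each command is typed and run on its own.

```batch
rem Stage 1 of the KB307545 registry recovery, typed at the Recovery Console
rem prompt after booting the XP CD and pressing R. Assumes Windows is in C:\Windows.

rem First back up the current (damaged or rootkit-modified) hives, so the step
rem can be undone by copying the .bak files back if it makes things worse.
md tmp
copy c:\windows\system32\config\system   c:\windows\tmp\system.bak
copy c:\windows\system32\config\software c:\windows\tmp\software.bak
copy c:\windows\system32\config\sam      c:\windows\tmp\sam.bak
copy c:\windows\system32\config\security c:\windows\tmp\security.bak
copy c:\windows\system32\config\default  c:\windows\tmp\default.bak

rem Remove the live hives (the Recovery Console will not overwrite them in place).
delete c:\windows\system32\config\system
delete c:\windows\system32\config\software
delete c:\windows\system32\config\sam
delete c:\windows\system32\config\security
delete c:\windows\system32\config\default

rem Replace them with the copies Setup left in C:\Windows\repair. These date from
rem the original install (or the last ASR backup), which is why the article calls
rem this a partial restore: it should boot, but with stale settings.
copy c:\windows\repair\system   c:\windows\system32\config\system
copy c:\windows\repair\software c:\windows\system32\config\software
copy c:\windows\repair\sam      c:\windows\system32\config\sam
copy c:\windows\repair\security c:\windows\system32\config\security
copy c:\windows\repair\default  c:\windows\system32\config\default

rem Leave the Recovery Console and reboot into the repaired installation.
exit
```

Once the machine boots on the repair-folder hives, the article's later stages copy the _REGISTRY_MACHINE_SYSTEM, _REGISTRY_MACHINE_SOFTWARE (and the SAM, SECURITY and .DEFAULT counterparts) out of a restore point under C:\System Volume Information\_restore{...}\RPnnn\snapshot\ into C:\Windows\tmp, then swap those in from the Recovery Console with the same delete/copy pattern. The point to check before doing so is the restore point's date: for a rootkit case like this one, the snapshot must come from before the infection, otherwise the restored SYSTEM hive carries the malware's service and driver entries straight back in. All of these file copies are exactly what an offline boot disk such as the UBCD4Win chaslang mentions lets you do with a normal file manager instead of one Recovery Console command at a time.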