Help removing Zero Access Rootkit

won't come up and booted to safe mode and it wouldn't let me login
try Safe mode with command promt but same thing

 

Can you try Last known good Configuration?

Can you be more specific on what you mean here:

• Do you get to the screen where you choose your username?
• Is the PC automatically rebooting when you try to boot into Normal / Safe Mode?

 

Yes i can try

Tried and it gave some error and rebooted- couldn't see the error

Same error still

I was able to get to cmd promt and Tashmanger if we need to do that

 

I get to the login screen and able to put password then gives error and just shows desktop blackground
No

 

From Task Manager, can you do the following:

File > New Task (Run...) > explorer.exe
Then press ENTER.

Can you see your desktop now?

 

Nope i can't see it and gives me the same error

 

Open cmd prompt

Type in the below:

cd c:\mgtools

FixACLS.bat

explorer

 

Ran the commands but still getting the same error for Explorer

Possible solution?

http://coreygilmore.com/blog/2008/09/11/the-application-failed-to-initialize-properly-0xc0000022/

 

Do you have your Windows XP Professional SP3 CD? You may need it for the below if it finds errors.

From command prompt, type in the below:

sfc /scannow

 

Possibly, I did review that link. I would try the SFC /scannow first as it may automatically fix the problem.

 

Scan the command under normal mode and it opened the window but hasn't started to scan yet

 

Whenever you ran Win32kDiag in this step: http://forums.majorgeeks.com/showpost.php?p=1667975&postcount=46

Did you reboot the PC?

 

No only restarted after doing the regfix.reg file

Notes: Able to get into regedit

Found explorer.exe under applications under classes_root
TaskBarGroupIcon: %SystemRoot%\System32\Explorer.exe,13

 

From cmd prompt type the below:

msconfig

• Go to the Startup tab and click Disable All
  
• Now go to the Services tab and click Hide all Microsoft services <-- This is very important, do not proceed until there is a checkmark in this box
• Then click Disable All
• Then click OK

When asked to reboot for changes to take effect, reboot your PC. See if the problem persists.

 

!!!! Windows file protection has started now
without messing with msconfig

 

Interesting. Try what I recommended. We may end up needing to expand a new copy of explorer.exe from recovery console to the proper location. It should not be in system32 folder in the first place.

Ok good. Let it finish if possible. Skip my instructions above for now.

 

Finished but .. restart?

 

Did it ever ask you for the Windows XP Pro SP3 CD?
Yes reboot. If still the same problem try what I said here: http://forums.majorgeeks.com/showpost.php?p=1668055&postcount=64

 

Nope, Never asked for CD
Restarted -- same
Disabled all startup
disabled non-windows services - same

 

Download the following: Windows XP Recovery Console SP3
Burn it as an image using ImgBurn or whatever you use to create bootable CDs.
Now you are going to boot off this CD.

http://support.microsoft.com/kb/307654
Scroll down to How to use the Recovery Console

Once you get to this screen:
http://support.microsoft.com/Library/Images/2399081.png

Start typing out the below commands:
Note: There is a one SPACE between .ex_ and c:\ and a SPACE after expand.

• expand d:\i386\explorer.ex_ c:\windows
• expand d:\i386\winlogon.ex_ c:\windows\system32
• expand d:\i386\userinit.ex_ c:\windows\system32
• expand d:\i386\csrss.ex_ c:\windows\system32
• expand d:\i386\services.ex_ c:\windows\system32
• exit

This should reboot the PC. Let me know if same problem persists.

 

Already had recovery console downloaded and install
Ran the those commands and same error !!

 

Try?
•As an Administrator open a command prompt – Start > Run > cmd
•Inside the command prompt window type:
CACLS %systemroot%\System32\*.dll /E /G BUILTIN\Users:R
And press Enter. This will take a minute or so and will display a slew of processed file: C:\WINDOWS\System32\blah.dll messages.
•Then type:
CACLS %systemroot%\System32\*.ocx /E /G BUILTIN\Users:R
And press Enter.


what do you think?

 

No I'd rather just back track the registry to a working state.

Open command prompt again

Type in the following:

cd C:\Windows\ERDNT\Hiv-backup

erdnt.exe

The below should appear (Ignore the date specified):
http://www.wikilearning.com/imagescc/5117/erdnt2.png
Don't tinker with any of the settings, just click OK.
When asked to reboot your computer, please do so now.

Let me know if you are able to get back into Windows with a working explorer.exe

 

ran the file and rebooted , it doesn't give me the error but
when i login it starts to go then gives me you need to activate windows before logging in and beeps then logs off

 

Activate over the phone. It's very straight forward.

 

Window won't come up if i select yes or no it logs me off

 

Try it through Safe Mode with Command Prompt. It should work.

 

Alright in safe mode with cmd
When using run c: gives me the explorer.exe error

but have cmd

 

Ouch. Kind of running out of options here... Let's see if this will work though.

with command prompt open type the following:

cd c:\windows\system32\oobe

msoobe.exe /a

This should launch the activation Window. From here you can re-enter your product key and hopefully activate Windows over the phone.

By the way, is there any chance that you can screenshot error messages you are experiencing? I have not seen this infection first hand but a lot of this may just be residual Windows issues which I should be able to help you with.

 

acess is denied

 

Boot back into the Recovery Console. Make sure you are using a bootable CD for this. I do not want you to use the Recovery console installed on the hard drive as there is less chance of success with the hard drive active.

Type the below, pressing ENTER after each line:
Note: Make a note of what each entry says after you have executed the command.

• rd C:\WINDOWS\$NtUninstallKB18725$
• del C:\WINDOWS\assembly\GAC_MSIL\Desktop.ini
• del C:\Documents and Settings\Travis\Local Settings\Temp\{E9C1E1AC-C9B2-4c85-94DE-9C1518918D02}.tlb
• del C:\WINDOWS\Temp\{E9C1E1AC-C9B2-4c85-94DE-9C1518918D02}.tlb
• disable okqbhnnw
• del C:\WINDOWS\System32\drivers\okqbhnnw.sys
• del C:\WINDOWS\system32\539255030
• del C:\WINDOWS\System32\c_33330.nl_
• exit

 

having issue figureing out how to make one from daemon tools pro

 

rd C:\WINDOWS\$NtUninstallKB18725$ - Directory is not empty
del C:\WINDOWS\assembly\GAC_MSIL\Desktop.ini -- no matching files
del C:\Documents and Settings\Travis\Local Settings\Temp\{E9C1E1AC-C9B2-4c85-94DE-9C1518918D02}.tlb -- parameter is not valid
del C:\WINDOWS\Temp\{E9C1E1AC-C9B2-4c85-94DE-9C1518918D02}.tlb no matching files
disable okqbhnnw --caannot be located
del C:\WINDOWS\System32\drivers\okqbhnnw.sys -- no matching files
del C:\WINDOWS\system32\539255030 -- no matching files
del C:\WINDOWS\System32\c_33330.nl_ -- no matching files
exit

 

if i open task manager and run i can click on broswer and view the C drive etc and even run some programs

 

First, download a new copy of ComboFix and save it to your USB flash drive.
Second, download subinacl.msi and create reset.cmd by reading this : Reset Registry and File Permissions
Put subinacl.msi as well as the reset.cmd file created on your USB flash drive.

http://img97.imageshack.us/img97/7562/hirenbcd.gif Please download Hiren's Boot CD -- Filesize: 523.11 MB (548519835 bytes)
This is a bootable CD -- Use software such as ImgBurn to burn it as an image.
Reboot and boot off of this CD.
From the main menu, search for Mini Windows Xp and press ENTER to select it.
Be patient as it loads...

• Once you are on the desktop, navigate to the following folder:
• C:\WINDOWS\$NtUninstallKB18725$
• Delete all the contents inside if it isn't empty.
• Now try to delete the entire $NtUninstallKB18725$ folder
• Let me know if you were successful with both of these tasks.

If it wasn't successful, you can use Unlocker which is built into Mini Windows Xp to try to delete this entire folder as well. Let me know the results.

Now using explorer from Mini Windows Xp, copy and paste the ComboFix.exe from your flash drive (Note: You may have to click the Mount Removable icon on the Mini Windows Xp desktop in order to see your flash drive || otherwise, try rebooting your PC with the USB flash drive already plugged in before booting off Hiren) to this folder: C:\Documents and Settings\Travis\desktop (your desktop on the C:\ drive)

Also copy and paste subinacl.msi and reset.cmd from your flash drive to this same folder.

Now eject the Hiren CD and reboot your PC to normal mode.

from command prompt, type in the following (the quotation marks are required):

cd "C:\Documents and Settings\Travis\desktop"

subinacl.msi

Allow this program to install

Now type in:

reset.cmd

You can review: http://forums.majorgeeks.com/showthread.php?t=169862
if you need more details.

Once you have rebooted, let me know what problems you are still experiencing.

 

Deleted $NtUninstallKB18725$
Copied the files onto my desktop

in safe mode with command promt, Verfired the folder/files were deleted

Still unable to login and getting the windows needs to be activated before logon

copy must be activated before logon, Beeps, click yes/no, then immediately back to logon prompt

Can't acess command promt from normal mode but can in safe mode with command promt

 

Follow the steps here and see if they help: http://www.rickrogers.org/fixes.htm#Activation

If this still does not work, I will have more things you can try tomorrow, including starting MSI installer (so you can run that .msi file) from Safe Mode. The above may at least get rid of the activation problem.

Regardless if the activation is resolved. I want you to retry ComboFix.exe

open command prompt, then type in the below commands:

cd "C:\Documents and Settings\Travis\desktop"

ComboFix.exe

Good luck

 

Unable to get to command prompt from Normal windows -- Can run in safe mode ?
Safe mode -- Gives Explorer error but can login-- Unable to run those dll files from your url -- Access is denied errors
Classic Login Screen
using windows key and U - Methord doesn't work and says the service is not running for it
Made backup of the HKEY_USERS reg
Unable to find those reg keys

Note: Build in Admin account is working -- Changed password
When login in normal mode-- Account is disabled

 

Note:

I did make a Norton Ghost-- Disk to image onto my External Hard drive for this machine in-case we had problems
Ghost image file is 6 GB

Dated 9/22/11 at 5:30 PM

However i am unsure if it works or not and don't have any more disk that's 640 GB or bigger

*** Trying to get Data Transfer from this Hard Drive to my New Hard Drive and wanted to keep this hard drive as a backup in-case i had any issues with something so i can go on this that hard drive and use files/programs i had on it still***

 

Yes. Try it from Safe Mode.
By the way, what happens when you press CTRL+SHIFT+Esc while in normal mode? Task manager should pop up. Then you can run command prompt from there (Start > New task... > cmd)

Does that not work? I will address the rest of your questions later, try to get ComboFix to run from either Normal Mode or Safe Mode(s). I would imagine it can run with that $NtUninstallKB18725$ deleted.

 

Computer beeps just before showing the yes/no for activation if using that Nothing happens

ComboFix is running in Safe Mode, But seems to be hanging still at the same spot

Been running for at least 20 mins now

 

Report back in 1 hour if you can if it still hasn't budged.

 

When did you first notice this??
And when did explorer.exe stop opening?

 

All Topics on this post
Working fine at Yesterday, 13:05


Yesterday, 15:41 after your fixme.reg

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.

Now reboot your PC regardless if it was successful or not then complete the below:


Activate windows:

Yesterday, 00:36 Activated over Phone at this time



Yesterday, 21:52

when i login it starts to go then gives me you need to activate windows before logging in and beeps then logs off

 

Reporting back -- No change
Never touch keyboard
Did move the mouse

 

Let me get the opinions of my colleagues.

 

Trying to find another hard drive that's atleast 500 GB to test the ghost image

 

While I wait to hear back from my colleagues, let's try and see if we can get that subinacl.msi file to run from Safe Mode with Command prompt

Once you're in Safe mode with command prompt, I want you to type out these commands:

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer" /VE /T REG_SZ /F /D "Service"

net start msiserver

cd "C:\Documents and Settings\Travis\desktop"

subinacl.msi

Allow this program to install

Now type in:

reset.cmd

Let me know if this starts running or not, you should see a DOS window with text flying through it.

Once it's finished, the cmd window will close.

Now reboot your computer for the changes to take effect.

 

3 failed when running reset.cmd - first screen
1 failed when running reset.cmd - second screen
0 failed when running reset.cmd - third screen
0 failed when running reset.cmd - forth screen

no other errors

restarted from task manager and saw the windows restart window

explorer.exe seems to be working now -- saw non classic login screen/windows screens

askes to activate windows and i clicked yes and activated over telephone

logged into desktop now
Thank you

Still no internet acess

 

Issues still..

Some services still won't run

Under device manager i noticed there are 4 non-plug and play drivers with the yelllow ! mark
adfs
NetBios over Tcpip
SASDIFSV
SASUTIL