Nasty Rootkit Help needed..

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Motoko, Aug 20, 2011.

  1. Motoko

    Motoko Private E-2

    Hello, and welcome to my nightmare :)

    First off, I am on a second-hand shared laptop (between four) and I don't know, or know how to find out, where this virus came
    from originally. I first noticed something was wrong a few days ago when the Windows 7 firewall stopped running unprompted
    (I got a pop-up warning).

    So I tried starting it up manually in Services and got the following error message:

    ----------------------------------------------------------------------------------------------------------------------------

    Windows could not start the Windows7firewallService service on Local Computer.

    Error 5: Access is denied.

    ----------------------------------------------------------------------------------------------------------------------------

    There are no other user accounts, just a main admin account, with user accounts disabled and no System Restore enabled.
    I soon realized ALL the security had been disabled and I didn't have permission to restart the services even as admin.
    I knew something was not good, checked Task Manager and noticed a nefarious-looking .exe running, named:

    431318892:2476231398.exe with the description; 2476231398.exe

    I tried to end process/end process tree/open file location etc, nothing from the right click menu had any effect,
    the only thing that could be changed was the priority.

    I knew this might be pretty bad, so I disconnected from the internet and rebooted into safe mode. There I checked if the long-number
    .exe was running in Task Manager; it wasn't, so I thought that was a good thing and ran a few cleaning programs in
    safe mode. The system scanned clean, but I knew this must be wrong. I scanned with Avast, which is up to date, and scanned with various
    other malware/virus scanner programs, which found nothing.

    I tried to boot back into windows normally, I got blue screen saying:

    A problem has been detected and windows has been shut down to prevent damage to your computer.

    Then I knew it wasn't going to be as easy as running a few malware programs. So I decided to bite the bullet, connect to
    the internet and research a method of identifying this long-number .exe, which was still running in normal Windows.
    Google revealed not a single result from a search for the number, so I started searching for methods of finding unidentifiable viruses.
    To cut a long story short, after trying various programs I ended up on this website pleading with you for some help hehe.

    I have had no experience with viruses and have never encountered one before, so I can't say I know what I'm looking for, as I don't have a good knowledge of this system.
    Unfortunately I am the most tech-savvy one in the house though, and am trying to fix the problem without resorting to a reformat.
    There is no backup of this hard drive, not even a restore point.

    (Which might be good at least the virus can't re infect via restore, as it has always been disabled).

    So, I went through all the steps set out in the READ & RUN ME FIRST thread; all the scans seemed to go relatively well
    apart from the anomalies stated.

    Combofix scan revealed the laptop was infected with Rootkit.ZeroAccess
    (This is also referred to as Max ++ as far as I have read).
    Finally Something found it, but now I'm worried!!

    However, during the scan there was a warning "ComboFix has detected rootkit activity and needs to reboot machine".
    The laptop rebooted and CF carried on running producing the log which is attached.

    After a restart I scanned with Combofix for a second time and it went through the scan with no mention of a rootkit this time and no restarts, I don't know if this is good or bad.

    During scan with MGtools I got a pop-up window with the following message:


    ----------------------------------------------------------------------------------------------------------------------------


    Improve Hijack this by reporting this error *(I don't know what Hijack This has to do with MG, I didn't have it running)*

    click yes to submit (I clicked no)

    Error details: Unexpected error at procedure'ModRegistry_IniGetString(SFile=system.ini,sSection=bootsValue-shell

    Error #5 - Invalid procedure call or argument

    windows version: Windows NT6.00 1905 MSE Version 7.0.6001.18000

    Hijackthis version 2.0.4

    ----------------------------------------------------------------------------------------------------------------------------


    However it still produced a log so not sure if this information is even relevant.

    So I am pretty much in the same position I was in to begin with, apart from now being aware that there is a nasty rootkit somewhere on the machine. Also, somewhere along the line the mysterious .exe vanished from Task Manager, never to be seen again.

    I know this thing isn't gone; my permissions still seem messed up and I don't dare do anything until I know it's not key-logging everything typed or doing something worse. I don't trust that it is gone. From what I have read so far this is a quite clever and adaptive virus, so I think I need help with this now.

    I truly truly appreciate the time you take to help people with this stuff, I mean that genuinely. If there were more like you the world would be a better place.. and that place would definitely have no viruses. :)

    I still don't have permission to enable the Windows 7 Firewall, and I have no idea if the rootkit is still on the system. I have a feeling it has rewritten some of the registry, and one other thing is strange: out of the blue
    "Lightscribe control panel" has started loading an icon into the system tray on start-up. I have never used or even seen this before and I didn't tell it to run at start-up. Don't know if this has any relevance to anything, but maybe worth a mention in case the rootkit hooked itself into something to do with this program. Just thought it might be a clue.

    I will attach the logs in this and the next post.

    Thank you so much to anyone that is willing to help me with this.

    Much love.
     

    Attached Files:
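The two symptoms in the first post, a Windows 7 firewall service that an administrator cannot start (Error 5) and a running process with an unusual name, can be triaged read-only before any cleaning tool is run. The script below is an added example, not from this thread or from MajorGeeks, and is written for an elevated PowerShell prompt on the affected Windows 7 machine. The service names are the real Windows 7 service names; the process-name check relies on the fact that a colon inside an NTFS file name is the file:stream syntax of an alternate data stream. Nothing is changed or deleted.

```powershell
# Added example, not from the thread: read-only triage of the symptoms in the
# first post (security services that will not start, an oddly named process).
# Run from an elevated PowerShell prompt on the affected Windows 7 machine.
# Service names are the real Windows 7 names; nothing is changed or deleted.

$coreServices = @(
    @{ Name = 'MpsSvc';    Label = 'Windows Firewall' },
    @{ Name = 'BFE';       Label = 'Base Filtering Engine (firewall dependency)' },
    @{ Name = 'wscsvc';    Label = 'Security Center' },
    @{ Name = 'WinDefend'; Label = 'Windows Defender' },
    @{ Name = 'wuauserv';  Label = 'Windows Update' }
)

foreach ($svc in $coreServices) {
    $state = Get-Service -Name $svc.Name -ErrorAction SilentlyContinue
    if ($state -eq $null) {
        "{0,-10} MISSING                  {1}" -f $svc.Name, $svc.Label
        continue
    }
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$($svc.Name)'"
    "{0,-10} {1,-8} start={2,-6} {3}" -f $svc.Name, $state.Status, $wmi.StartMode, $svc.Label

    # The service's security descriptor in SDDL form. A default descriptor
    # grants Builtin Administrators (BA) access with an (A;;...;;;BA) entry;
    # "Error 5: Access is denied" on start for an administrator means that
    # entry is missing or a (D;;...;;;BA) deny entry has been added.
    $sddl = (& sc.exe sdshow $svc.Name | Where-Object { $_ -match '\S' }) -join ' '
    "           DACL: $sddl"
    if ($sddl -notmatch 'A;;[A-Z]+;;;BA' -or $sddl -match 'D;;[A-Z]+;;;BA') {
        "           WARNING: Administrators are not granted the default access to this service"
    }
}

# A colon inside a file name is NTFS syntax for an alternate data stream
# (file:stream). A running image named like 431318892:2476231398.exe is
# therefore worth recording together with its parent and command line.
Get-WmiObject -Class Win32_Process |
    Where-Object { $_.Name -match ':' } |
    Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine |
    Format-List
```

The service DACL check is the part that explains the poster's error: a service that refuses to start for an administrator with Error 5 is usually one whose descriptor no longer allows Administrators to start it, and `sc.exe sdshow` makes that visible without changing anything.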

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    We still need the log from running MGTools -- C:\MGLogs.zip.

    Also, use windows explorer to find and delete:
    c:\windows\system32\DB56.tmp
    c:\windows\system32\85F5.tmp
    c:\windows\system32\690F.tmp
    c:\windows\system32\537C.tmp

    Go to the below link and follow the instructions for running TDSSKiller from Kaspersky

    Be sure to attach your log from TDSSKiller

    Please also download MBRCheck to your desktop.

    See the download links under this icon http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif

    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )
     
  3. Motoko

    Motoko Private E-2

    Thanks so much for the response, I did have the MG tools log ready but didn't want to bump thread by posting until I got a response.

    Much appreciated.

    I will download and run the programs you have suggested and post back as soon as it is done.

    :)
     

    Attached Files:

  4. Motoko

    Motoko Private E-2

    OK, I have now deleted the temp files and run the programs suggested.
    The logs are attached.

    Is it dangerous for me to be online? I am not sure of this rootkit's modus operandi; is there anything I should avoid doing?

    Thank you .
     

    Attached Files:

  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Tell me what issues you are still having. We may need to send you to the software forum, as I am not seeing any malware in your logs.
     
  6. Motoko

    Motoko Private E-2

    What about the Rootkit.ZeroAccess infection that was found by ComboFix? I am almost certain there is something wrong with the system.
    When I go to Services, if I try to start Windows 7 Firewall I get this error:

    http://imageshack.us/photo/my-images/707/errorsxy.jpg/

    I am not certain which other services I do not have access to (even as admin),
    but this was the first thing I noticed: the disabled firewall. Reading about the virus, it seems the steps I have taken would not be adequate to remove this rootkit. All my software missed it; the only thing that revealed its presence was ComboFix. I have read backwards engineering might be the only way to get this off the system. How can I be sure it has gone and is not just hiding from the software I am using?

    Is there anything else I can try?

    Also, stupidly, I used my USB drive on my potentially infected PC; could the rootkit have spread to the USB drive? If so, would a format be enough to get rid of it?

    I feel nervous using this laptop now, as I am really unsure of what might be lurking on my system undetectable. I don't really understand what ComboFix did, as it found Rootkit.ZeroAccess during the first stages of the scan, then a few seconds later said it had detected rootkit activity and must restart the computer, so I'm not sure what happened there. Does it have the power to get rid of such a thing? I understand that the virus overwrites valid drivers and is injected into other processes' address space by the kernel-mode driver.

    I am now in the position I dreaded, nothing showing up in scan logs but somehow knowing something is still not right.

    If you have any advice it would be much appreciated, as I am pretty paranoid now in case there is a keylogger on here, or that a hacker can get into the system or any number of hideous scenarios.

    Thanks so much for your time and help.
    M
     
  7. Motoko

    Motoko Private E-2

  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    File::
    c:\windows\system32\DB56.tmp
    c:\windows\system32\85F5.tmp
    c:\windows\system32\690F.tmp
    c:\windows\system32\537C.tmp
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below log:

    • C:\MGlogs.zip

    Make sure you tell me how things are working now!
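The CFScript above deletes the four .tmp files from system32 outright. Before running it, a practitioner would normally record what those files are, so that the evidence survives the deletion and can be reported. The script below is an added example, not from this thread or from MajorGeeks; it takes the same four paths TimW listed, writes a text report to the Desktop, and never deletes or alters anything. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the thread: preserve what is known about the four
# .tmp files TimW lists before the CFScript deletes them. Writes a text report
# to the Desktop; it never deletes or alters the files. Run as Administrator.

$files = @(
    'c:\windows\system32\DB56.tmp',
    'c:\windows\system32\85F5.tmp',
    'c:\windows\system32\690F.tmp',
    'c:\windows\system32\537C.tmp'
)
$report = Join-Path ([Environment]::GetFolderPath('Desktop')) 'tmp-file-evidence.txt'
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$lines  = @()

foreach ($path in $files) {
    if (-not (Test-Path -LiteralPath $path)) {
        $lines += "$path : not present"
        continue
    }
    try {
        $item  = Get-Item -LiteralPath $path -Force
        $bytes = [System.IO.File]::ReadAllBytes($path)
        $hash  = ($sha256.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
        # 'MZ' at offset 0 means the file is a Windows executable despite the .tmp name
        $isPe  = ($bytes.Length -ge 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A)
        $lines += $path
        $lines += "  size      : $($item.Length) bytes"
        $lines += "  created   : $($item.CreationTime)"
        $lines += "  modified  : $($item.LastWriteTime)"
        $lines += "  owner     : $((Get-Acl -Path $path).Owner)"
        $lines += "  PE header : $isPe"
        $lines += "  sha256    : $hash"
    } catch {
        # A file that is still held open or hidden from the file system will
        # fail here; the failure itself is worth keeping in the report.
        $lines += "$path : could not be read ($($_.Exception.Message))"
    }
}

$lines | Out-File -FilePath $report -Encoding UTF8
"Evidence written to $report"
```

The SHA-256 values and the PE-header flag are what a responder would attach to a report or look up later; a .tmp file in system32 that begins with an MZ header is an executable regardless of its extension.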
     
  9. Motoko

    Motoko Private E-2

    Hello, the laptop seems to be acting the same as before I ran the scans with the programs you suggested. I still can't start the firewall service; I get the "Access is denied" Error 5, even with right-click and Run as administrator (in Services).

    I got the same HijackThis error as stated in my previous post when running MGTools, but I again selected "no" and MGTools seemed to go ahead and run anyway.

    Attached are the logs.

    Hope they reveal something one way or another.

    Thank you for your continuing help.
    M
     

    Attached Files:

  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your logs are clean. You may wish to post in the software forum for assistance with your windows firewall issue. It is possible that the initial infection corrupted it.

    I know you are still concerned about your system status, but as far as I can tell, you are malware free. If you are still in doubt, the only true method to be totally sure it is clean is to reformat and do a clean install. Something I feel you do not need to do.

    Please put ComboFix directly on your desktop, not here:
    Running from: c:\portable apps\Security\AV\ComboFix.exe

    The final fix will not work for Combo unless it is on your desktop as instructed.

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan. We recommend them for doing backup scans when you suspect a malware infection.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.


    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work through the below link:


     
  11. Motoko

    Motoko Private E-2

    Another thing I have just discovered is that when I try to run various programs I get a pop-up error stating:

    "You are not allowed to write to the registry!!
    Continue anyway?" I haven't tried clicking continue anyway.

    Is this a real windows message? Just the two exclamation marks seemed a bit dodgy looking.

    However, I then tried right click and run as administrator and it opened the programs with no error message. So that's my workaround for now until advised otherwise.

    Also, looking at the Program Files folders, some of them have:

    C:\"path name"\Virtual\MODIFIED\@PROGRAMFILES@

    I might be wrong but I can't recall seeing such file names before? But as I said I am not familiar with this system so this might be a normal path and it is just the word MODIFIED that got my attention.

    Just thought it was worth a mention.

    Thanks friend.
     
  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes, these sound like system errors. Do please post in the software forum for these issues and I will try to keep an eye on your thread. ;)
     
  13. Motoko

    Motoko Private E-2

    Excellent, thank you so much for all your help. I would buy you a pint if i could. :)

    I will check out the software forum if the problems persist and I can't figure out how to get around them myself. I haven't even tried reinstalling anything that isn't working yet. So this might solve the problem.

    Again I appreciate very much you taking time to help me out with this.

    Much love.
    M
     
  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome. Safe surfing!! ;)
     
  15. Motoko

    Motoko Private E-2

    Hello again, I really hope you see this. I have just noticed that there are three user names under the Security tab when there is only, and only ever has been, one account on this laptop. When I go to User Account Control it says there is only one user and the guest account is disabled. However, when I checked the properties and looked at the Security tab I saw that there were three accounts listed:

    http://imageshack.us/photo/my-images/4/unled1ae.gif/

    Please could you give me some advice as to what these are and if they are normal?

    Thank you.
     
  16. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Those are perfectly normal. ;)
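The Security tab of a folder lists access control entries, not user accounts, which is why it can show three names on a machine with one user: a Windows 7 user profile folder is created with entries for SYSTEM, the Administrators group and the user. The script below is an added example, not from this thread or from MajorGeeks; it lists the entries on a folder with their SIDs so each can be checked against those defaults. The folder it inspects is an assumption (the current user's profile); change `$Path` to look at another one.

```powershell
# Added example, not from the thread: list the accounts shown in a folder's
# Security tab together with their SIDs, so the three entries the poster saw
# can be compared with the Windows 7 defaults. A freshly created user profile
# folder carries exactly three: SYSTEM, the Administrators group and the user.
# The folder checked is an assumption; the current user's profile is used.

$Path = $env:USERPROFILE
$acl  = Get-Acl -Path $Path

"Owner of ${Path}: $($acl.Owner)"
"{0,-32} {1,-46} {2,-6} {3,-9} {4}" -f 'Identity', 'SID', 'Type', 'Source', 'Classification'
foreach ($ace in $acl.Access) {
    # Classify by well-known SID rather than by display name: a display name
    # can be changed, the SID cannot.
    $sid  = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    $kind = switch -Regex ($sid) {
        '^S-1-5-18$'        { 'built-in LOCAL SYSTEM'; break }
        '^S-1-5-32-544$'    { 'built-in Administrators group'; break }
        '^S-1-5-21-.+-500$' { 'built-in Administrator account'; break }
        '^S-1-5-21-.+-501$' { 'built-in Guest account'; break }
        '^S-1-5-21-'        { 'account defined on this machine or domain'; break }
        default             { 'other well-known SID'; break }
    }
    $source = if ($ace.IsInherited) { 'inherited' } else { 'explicit' }
    "{0,-32} {1,-46} {2,-6} {3,-9} {4}" -f $ace.IdentityReference, $sid, $ace.AccessControlType, $source, $kind
    "    rights: $($ace.FileSystemRights)"
}
```

An entry that resolves to a local account (the S-1-5-21 prefix) other than the one logged-in user, or any Deny entry on SYSTEM or Administrators, is what would actually be worth asking about; SYSTEM, Administrators and the profile's owner are the expected set.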
     
