Rooktkit Zero Access - another sufferer

Hello. I'm helping a friend with her Dell Inspiron laptop (XP), and it's infected with, perhaps among other things, Rootkit Zero Access.

Going through the Read and Run Me First list, I went through and uninstalled everything I could find that wasn't essential. Then I did the following:

> CCleaner *
> MBAM *
> Super Anti-Spyware *
> Combofix *
> MGTools *
> I tried RootRepeal, but I got a BitZipper message that my trial version of their extractor program had expired, so I couldn't extract the exe from the rar file. I then tried it on other computers, and the message I got at that point was that winows didn't recognize the file and wanted me to choose the program to use to open it.

* On all these programs: I couldn't run any of them except in Safe Mode. I believe that's not as effective, but the computer just froze when I tried to run any of them when signed on normally. So I just did what I could.

Attached are the logs. Many thanks!

 

Hello Lydster,

http://img196.imageshack.us/img196/3557/tdsskiller.gif I want you to read and follow these instructions: TDSSKiller - How to run


http://img684.imageshack.us/img684/6489/aswmbr.gif Please download aswMBR to your desktop.

• Double-click aswMBR.exe to run (Vista/7 right-click and select Run as Administrator)
• Select No when asked "Would you like to download latest Avast! virus definitions?"
• Click the [Scan] button.
• On completion of the scan click [Save log], save it to your desktop and attach this log to your next message. (How to attach)

http://img205.imageshack.us/img205/1894/otl.gif Please download OTL by OldTimer.

• Save it to your desktop.
• Double click on the OTL icon on your desktop.
• Check the "Scan All Users" checkbox.
• Check the "Standard Output".
• Change the setting of "Drivers" and "Services" to "All"
• Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.
  
  Code:

  activex
  netsvcs
  /md5start
  afd.sys
  i8042prt.sys
  ipsec.sys
  netbt.sys
  svchost.exe
  tcpip.sys
  /md5stop
  %windir%\$ntuninstallkb*. /30
  %windir%\system32\drivers\*.sys /lockedfiles
  %windir%\*.* /mp
  %windir%\*.* /rp
  %windir%\*.* /sl
  %systemdrive%\mgtools\*.*
  

• Now click the http://img171.imageshack.us/img171/2405/runscanotl.png button.
• One report will be created:
  • OTL.txt <-- Will be opened
• Attach OTL.txt to your next message. (How to attach)

 

Thanks for the quick response.

> I was able to run TDSS in regular mode (not Safe), it found Rootkit, I chose the Restart option, but the computer froze for over 15 mins. I had to turn it off using the power button.

> I ran aswMBR in regular mode. Although there was a Fix option in the program, you didn't mention using that, so I just got the log.

> I tried to run OTL immediately after aswMBR, but the computer froze for a long time again. I did a Restart and then tried OTL a few more times in regular mode. It just wouldn't run/kept stalling. I finally ran it in Safe mode. (OTL also created an Extras text file that I've attached.)

Attached are logs. Look forward to hearing from you.

 

Hi Lydster,

Please retry attaching the logs. (How to attach)

 

Not sure why they didn't attach last time. I've done this before, but I think I'm trying to do too many things at once. Here we go...

 

http://img196.imageshack.us/img196/3557/tdsskiller.gif Re-scan with TDSSKiller with the parameters you used before.
This time if TDSS File System appears, delete it!
Then attach the latest TDSSKiller log. (How to attach)

Go ahead and do this while I review the rest of your logs.

 

I would prefer if you ran this from Safe Mode for a higher chance of success. The PC will need to reboot in order to finish and produce a log. Allow the PC to reboot to normal mode, NOT safe mode again.

http://img205.imageshack.us/img205/1894/otl.gif Fix items using OTL by OldTimer

Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.

Code:

[COLOR="DarkRed"]:otl[/COLOR]
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\ADSMService.dll -- (utscsi)
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\pdframe.dll -- (mssqlserverolapservice)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (WDICA)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (ViaIde)
DRV - File not found [Kernel | Boot | Stopped] -- System32\drivers\smrne.sys -- (uxlo)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (ultra)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\UIUSYS.SYS -- (UIUSys)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (TosIde)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (symc8xx)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (symc810)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (sym_u3)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (sym_hi)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (Sparrow)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (Simbad)
DRV - File not found [Kernel | Boot | Stopped] -- System32\drivers\vhxe.sys -- (sfuo)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (ql1280)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (ql1240)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (ql12160)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (Ql10wnt)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (ql1080)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (perc2hib)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (perc2)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] --  -- (PCIDump)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (mraid35x)
DRV - File not found [Kernel | System | Stopped] --  -- (lbrtfdc)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (IntelIde)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (ini910u)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (i2omp)
DRV - File not found [Kernel | System | Stopped] --  -- (i2omgmt)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (hpn)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (dpti2o)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (dac960nt)
DRV - File not found [Kernel | Disabled | Unknown] --  -- (dac2w2k)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (Cpqarray)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (CmdIde)
DRV - File not found [Kernel | System | Stopped] --  -- (Changer)
DRV - File not found [Kernel | Boot | Stopped] --  -- (cerc6)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (cd20xrnt)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\SULEE~1\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - File not found [Kernel | Boot | Stopped] -- System32\drivers\elvks.sys -- (auun)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (Atdisk)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (asc3550)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (asc3350p)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (asc)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (amsint)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (AliIde)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (aic78xx)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (aic78u2)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (Aha154x)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (adpu160m)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (abp480n5)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (Abiosdsk)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (35084562)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (13201682)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O3 - HKU\S-1-5-21-1935655697-1606980848-1417001333-1003\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
NetSvcs: mssqlserverolapservice - %systemroot%\system32\pdframe.dll File not found
NetSvcs: s716bus -  File not found
NetSvcs: wlidsvc -  File not found
NetSvcs: utscsi - %systemroot%\system32\ADSMService.dll File not found
NetSvcs: asapiw2k -  File not found
NetSvcs: servicemgr -  File not found
NetSvcs: ozoneinstallerservice -  File not found
NetSvcs: Epfwndis -  File not found
NetSvcs: SE2Dmdm -  File not found
NetSvcs: lvprcsrv -  File not found
NetSvcs: ifxspmgtsrv -  File not found
NetSvcs: s116mgmt -  File not found
NetSvcs: dvd43llh -  File not found
NetSvcs: cis1284 -  File not found
NetSvcs: A4S2600 -  File not found
NetSvcs: mcpromgr -  File not found
NetSvcs: Ndisipo -  File not found
NetSvcs: ccdecode -  File not found
NetSvcs: tifm -  File not found
NetSvcs: ppa3 -  File not found
NetSvcs: sshrmd -  File not found
NetSvcs: dot4ufd -  File not found
NetSvcs: sbpci -  File not found
[2012/03/14 16:52:30 | 000,475,736 | ---- | C] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\3555743drv.sys
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2012/02/24 21:29:36 | 000,006,192 | ---- | M] () -- C:\{26C24170-A203-4798-A1E8-DB128ECA5AA8}
[2012/02/24 21:16:55 | 000,006,192 | ---- | M] () -- C:\{8802B8B0-67F9-4536-B578-17DA04AAC87B}
[2010/04/03 10:35:31 | 000,000,821 | ---- | C] () -- C:\WINDOWS\checkip.dat
[COLOR="DarkRed"]:services [/COLOR]
utscsi
[COLOR="DarkRed"]:files[/COLOR]
rd /s/q C\WINDOWS\$NtUninstallKB19674$ /c
del /a/f/q "C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\C6NK6K21" /c
del /a/f/q "C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\C7UASJNG" /c
del /a/f/q "C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\SJHZV1E8" /c
del /a/f/q "C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\YEU53VTA" /c
del /a/f/q "C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\2R0HSU72" /c
del /a/f/q "C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\5C947J62" /c
del /a/f/q "C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\97V2KPN1" /c
del /a/f/q "C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\AVOMSQZR" /c
C:\{28534373-2F27-400B-96F1-5A57D726CE37}
C:\Documents and Settings\su lee\Local Settings\temp\nsy7.tmp
[COLOR="DarkRed"]:reg[/COLOR]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state]
"services"=dword:00000000
"startup"=dword:00000000
[COLOR="DarkRed"]:commands[/COLOR]
[emptytemp]
[resethosts]

Now click the http://img3.imageshack.us/img3/407/otlrunfix.png button.
If the fix needed a reboot please do it.
Click the OK button (upon reboot).
When OTL is finished, Notepad will open. Close Notepad.
A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
Attach this log to your next message. (How to attach)

http://img205.imageshack.us/img205/1894/otl.gif After the reboot, rescan with OTL using these settings:

• Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.
  
  Code:

  %systemdrive%\redbook.sys /s /md5
  %systemdrive%\redbook.svs /s /md5
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\redbook /s
  

• Now click the http://img171.imageshack.us/img171/2405/runscanotl.png button.
• One report will be created:
  • OTL.txt <-- Will be opened
• Attach OTL.txt to your next message. (How to attach)

http://img684.imageshack.us/img684/6489/aswmbr.gif Rescan with aswMBR

• Double-click aswMBR.exe to run (Vista/7 right-click and select Run as Administrator)
• Select No when asked "Would you like to download latest Avast! virus definitions?"
• Click the [Scan] button.
• On completion of the scan click [Save log], save it to your desktop and attach this log to your next message. (How to attach)

http://img254.imageshack.us/img254/945/baticonxp.gif Now run C:\MGtools\GetLogs.bat by double-clicking it.
This updates all of the logs inside MGlogs.zip.
When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

Let me know how the system is running after you have completed these steps.

 

Hello there. Finally got a chance to look at this again this weekend. Here's the deal:

Ran TDSS in regular mode. I deleted TDSS file and it did "Cure" on a Rootkit entry. As happened before, I chose the Reboot option, but the computer froze for several mins. I had to turn it off using the power button.

When I turned it back on, after it ran through the initial Dell screen, I got a Broadcom Intel Base-Code message (before it even loaded the OS):

PXE-E61: Media test failure, check cable
PXE-M0F: Exiting Broadcom PXE ROM.

And it just hangs there indefinitely.

What's on the agenda now??

 

It seems as though your computer is having difficulty recognizing that there is a hard drive attached to the system and is trying to boot from LAN instead.

Also I'm noticing that there is no CD/DVD Rom detected either (according to your logs).

Code:

[Disks]

Item	Value	
Description	\\.\PHYSICALDRIVE0	
Manufacturer	[B][COLOR="Red"]Not Available[/COLOR][/B]	
Model	[COLOR="Red"][B]Not Available[/B][/COLOR]	
Bytes/Sector	512	
Media Loaded	Yes	
Media Type	Fixed	hard disk media	

You may have more problems than just malware but let's try the following:

When you first turn on the computer and you see the Dell splash screen - Press the F12 key to go into "Boot Options".

Let me know which devices are listed here. Let me know if you see : FUJITSU_MHZ2120BH_G2 (aswMBR sees this)

 

After F12, the following appears:

Internal HDD
CD/DVD/CD-RW Drive
Onboard NIC

When I go into Bios and check Device Info:

Primary Hard Drive = 128 GB HDD
Fixed Bay Device = DVD+/-RW
Video stuff
Audio stuff
Modem
Wi-Fi

Boot Sequence is:

1. Onboard NIC
2. CD Drive
3. Internal HDD
4. Diskette Drive
5. USB Storage Device

** I changed the boot sequence to HDD first, and that only brought up a blank black screen with a flashing cursor after the Dell screen. The PXE error did not display.

Thanks.

 

That looks about right.

Do you have your Windows XP CD? We need to get into the Recovery Console and add a new bootsector to the hard drive.

 

This is a friend's laptop, so I don't have her product key on me -- if that will be required. If all we need is any XP Pro OS disk, I do have that, as I run the same OS on my Inspiron as she does.

 

No we do not need the product key for this.

Please follow these instructions:

1. Insert the CD
2. Reboot your computer
3. At the DELL Splash screen, press F12
4. This takes you to the Boot Menu
5. Select CD/DVD Rom from the selection by using the Down / up arrows
6. PRESS Enter have you have selected the CD/DVD Rom drive.
7. You'll hear the CD spinning up, be ready to press ANY key when you see the following message:

http://ww2.justanswer.com/uploads/anuangelanu/2010-05-06_055805_1.gif

When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
If you have a dual-boot or multiple-boot computer, select the installation that you must access from the Recovery Console.
http://support.microsoft.com/Library/Images/2399081.png
When you are prompted, type the Administrator password. If the administrator password is blank, just press ENTER.

Now type in fixboot and press ENTER.
It will ask you if you are sure you want to restore a new bootsector to the hard drive.
Press Y (and then ENTER) to say Yes.
It should say Operation completed successfully
Type exit

Now reboot your computer and see if you can get past the flashing underscore _ now.

 

Ran through the steps you outlined. The PXE messages come up after reboot, and it hangs there with the flashing _

 

Is the hard drive still boot priority #1 in the BIOS?

Try booting from the hard drive using the F12 boot menu selection.

As I was saying earlier it seems like the system is having a hard time reading the hard drive at times.

 

Yes, indeed. When I change the boot sequence to Hard Drive 1st, then I get just a blank screen with the flashing underscore; not even a PXE message. I ran diags under F12 just to see if there was anything obvious, but everything passed. So what do you say? I guess we can't pursue the virus problem if we can't even get this to boot to the hard drive. Should we "transfer" this ticket to a Hardware forum, or something like that?

 

Retry booting into the Recovery Console and trying both of these commands, pressing ENTER and Y (for yes) after each:

• fixmbr
• fixboot
• exit (restart the PC // boot from hard drive)

Also ensure that there are not any USB devices plugged into the system when it is trying to boot.

If this does not work, then visit the Software or Hardware forum for further assistance on getting the PC to boot.

 

My apologies for the delayed feedback on this, but I've been slammed. I just had to come back and say MANY THANKS for your fixmbr and fixboot guidance. This got Windows OS to load again, and then I was able to move on with the other fixes. Based on what various other forum posts were saying about the 'PXE-E61 Media test failure' error, I thought the hard drive was dead and was getting ready to purchase another one when I tried your suggestion first. Wonderful!

 

You're welcome, Lydster
Let me know if you need any additional help.