Solved

Win XP Pro hit with Backdoor.MultiZAccess.gen Rootkit

Posted on 2012-04-12
16
892 Views
Last Modified: 2013-11-22
I'm working on a Win XP Pro system that got infected with a rootkit.

I performed the folowing:
1. Ran RogueKiller
2. Ran TSD Killer
3. Ram ComboFix

Browsers run properly. No provy servers found, no popups being displayed.
ComboFix mentioned it found a rootkit.

On the right side of the Start Menu, the following items are not displayed:
Printers, Run Now, Search

It rebooted three times and is still very slow. It takes a few hours just to reboot.

Any suggestions
0
Comment
Question by:Tony Giangreco
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 5
  • 2
  • +2
16 Comments
 
LVL 17

Accepted Solution

by:
bigeven2002 earned 125 total points
ID: 37840007
Hello,

It is extremely difficult to get rid of a rootkit.  Even if combofix removed it, the damage is done and possible that some remnants remain.  Best to backup the data and rebuild the workstation.
0
 
LVL 10

Assisted Solution

by:Scott Silva
Scott Silva earned 125 total points
ID: 37840030
Download an offline scanner that will boot and run from cdrom like AVG rescue or avira rescue system...  http://www.avg.com/us-en/avg-rescue-cd   http://www.avira.com/en/downloads#tools... This will let you scan without the rootkit running and covering its tracks.
0
 
LVL 1

Assisted Solution

by:asher-is-me
asher-is-me earned 125 total points
ID: 37841102
I would recommend running an offline scanner or rescue CD without the Internet cable plugged in (just to prevent new data from being downloaded).

If you continue to try but the virus still hasn't left, it'd be easier in the long run to just reinstall Windows.  :-(
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 15

Assisted Solution

by:Russell_Venable
Russell_Venable earned 125 total points
ID: 37844675
@bigeven2002, That is never the solution for mbr resident type or beyond rootkits. You will just get reinfected and waste a good 2 hours of installation of basics.

TG-TIS, Can you post all three logs?
0
 
LVL 25

Author Comment

by:Tony Giangreco
ID: 37845302
I ran an Offline scanner over night and it didn;t do anything. I ended up doing a reinstall.

Thanks for your suggestions.
0
 
LVL 15

Expert Comment

by:Russell_Venable
ID: 37845360
Are you sure about this? I have had a lot of experience with with zeroaccess and its not normally that easy to kill with just a reinstall.
0
 
LVL 17

Expert Comment

by:bigeven2002
ID: 37845461
@Russell, as long as it is not a firmware based rootkit, which in this case it isn't, then formatting and reinstalling will solve the problem.
0
 
LVL 25

Author Comment

by:Tony Giangreco
ID: 37860427
The Pc appears to be clened up but this morning I noticed a Smart_HDD icon on the desktop and in the start menu, control panel and printers are not displayed.

I don't see any other symptoms of spyware. Can anyone provide a suggestion on how to dsafelt remove the Smart_hdd and resolve missing menu items? This is XP Pro.
0
 
LVL 15

Expert Comment

by:Russell_Venable
ID: 37860847
@bigeven2002, if that's your view you need to do some more research on what a rootkit is and how they work.

TG-TIS,
There is a few options you can follow. Remove Smart HDD or follow Youngv's article 2012 varients.

Unhide should restore hidden items thy notice are missing. If Smart HDD is present rkill will remove the process from the process list and also check your file associations and restore them if needed. I would follow directly in order: rkill, unhide, then the rest of the tools mentioned. If tdsskiller works for you it will remove the rootkit component and repair the mbr. After the rootkit is safetly removed then you can format if you so choose and it will not come back.
0
 
LVL 25

Author Comment

by:Tony Giangreco
ID: 37860862
Ok, I will try it and let you know what happens. Thanks for the help!
0
 
LVL 15

Expert Comment

by:Russell_Venable
ID: 37863580
Np, Hope to get you sorted and safe.
0
 
LVL 25

Author Comment

by:Tony Giangreco
ID: 37868888
Well the control panel option is available in the start menu now, but every time it boots, Windows installed pops up and wants to access an install as if the smart_hd app needs to be reinstalled.

It's a real pain. I have to click cancel about 10 times before it disappears.

Any idea how I stop it?
0
 
LVL 15

Expert Comment

by:Russell_Venable
ID: 37868956
Ok, We are going to change the strategy here. We are going to use TheKiller and Comboxfix.

TheKiller will kill "Smart-HDD" from the process list, it also combines the functionality of "unhide" as well as fixes file extensions, and allows you to run Combofix. Post the log after it is finished.
0
 
LVL 10

Expert Comment

by:Scott Silva
ID: 37872079
I would try malwarebytes... It is easier for a non techie to use...  www.malwarebytes.org. Download the free one.
0
 
LVL 25

Author Comment

by:Tony Giangreco
ID: 37872448
I ran Malwarebytes the other day and it did remove Start_hd, but then the Windows Installer starts up at every reboot and takes 10 minutes to stop. I also ran Combofix and it didn't remove all the virus activity.

I will try the Killer and then Combofix again. This system really got hit. A reinstall may eventually be required but it's at a remote location that I can't get to easily.
0
 
LVL 15

Expert Comment

by:Russell_Venable
ID: 37872546
Well, I will get a better picture with this next combofix log that you post.
0

Featured Post

Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as the high-speed power of the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article investigates the question of whether a computer can really be cleaned once it has been infected, and what the best ways of cleaning a computer might be (in this author's opinion).
Curious about the latest ransomware attack? Check out our timeline of events surrounding the spread of this new virus along with tips on how to mitigate the damage.
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

622 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question