Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Win XP Pro hit with Backdoor.MultiZAccess.gen Rootkit

Posted on 2012-04-12
16
Medium Priority
?
894 Views
Last Modified: 2013-11-22
I'm working on a Win XP Pro system that got infected with a rootkit.

I performed the folowing:
1. Ran RogueKiller
2. Ran TSD Killer
3. Ram ComboFix

Browsers run properly. No provy servers found, no popups being displayed.
ComboFix mentioned it found a rootkit.

On the right side of the Start Menu, the following items are not displayed:
Printers, Run Now, Search

It rebooted three times and is still very slow. It takes a few hours just to reboot.

Any suggestions
0
Comment
Question by:Tony Giangreco
  • 6
  • 5
  • 2
  • +2
16 Comments
 
LVL 17

Accepted Solution

by:
bigeven2002 earned 375 total points
ID: 37840007
Hello,

It is extremely difficult to get rid of a rootkit.  Even if combofix removed it, the damage is done and possible that some remnants remain.  Best to backup the data and rebuild the workstation.
0
 
LVL 11

Assisted Solution

by:Scott Silva
Scott Silva earned 375 total points
ID: 37840030
Download an offline scanner that will boot and run from cdrom like AVG rescue or avira rescue system...  http://www.avg.com/us-en/avg-rescue-cd   http://www.avira.com/en/downloads#tools... This will let you scan without the rootkit running and covering its tracks.
0
 
LVL 1

Assisted Solution

by:asher-is-me
asher-is-me earned 375 total points
ID: 37841102
I would recommend running an offline scanner or rescue CD without the Internet cable plugged in (just to prevent new data from being downloaded).

If you continue to try but the virus still hasn't left, it'd be easier in the long run to just reinstall Windows.  :-(
0
 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

 
LVL 15

Assisted Solution

by:Russell_Venable
Russell_Venable earned 375 total points
ID: 37844675
@bigeven2002, That is never the solution for mbr resident type or beyond rootkits. You will just get reinfected and waste a good 2 hours of installation of basics.

TG-TIS, Can you post all three logs?
0
 
LVL 25

Author Comment

by:Tony Giangreco
ID: 37845302
I ran an Offline scanner over night and it didn;t do anything. I ended up doing a reinstall.

Thanks for your suggestions.
0
 
LVL 15

Expert Comment

by:Russell_Venable
ID: 37845360
Are you sure about this? I have had a lot of experience with with zeroaccess and its not normally that easy to kill with just a reinstall.
0
 
LVL 17

Expert Comment

by:bigeven2002
ID: 37845461
@Russell, as long as it is not a firmware based rootkit, which in this case it isn't, then formatting and reinstalling will solve the problem.
0
 
LVL 25

Author Comment

by:Tony Giangreco
ID: 37860427
The Pc appears to be clened up but this morning I noticed a Smart_HDD icon on the desktop and in the start menu, control panel and printers are not displayed.

I don't see any other symptoms of spyware. Can anyone provide a suggestion on how to dsafelt remove the Smart_hdd and resolve missing menu items? This is XP Pro.
0
 
LVL 15

Expert Comment

by:Russell_Venable
ID: 37860847
@bigeven2002, if that's your view you need to do some more research on what a rootkit is and how they work.

TG-TIS,
There is a few options you can follow. Remove Smart HDD or follow Youngv's article 2012 varients.

Unhide should restore hidden items thy notice are missing. If Smart HDD is present rkill will remove the process from the process list and also check your file associations and restore them if needed. I would follow directly in order: rkill, unhide, then the rest of the tools mentioned. If tdsskiller works for you it will remove the rootkit component and repair the mbr. After the rootkit is safetly removed then you can format if you so choose and it will not come back.
0
 
LVL 25

Author Comment

by:Tony Giangreco
ID: 37860862
Ok, I will try it and let you know what happens. Thanks for the help!
0
 
LVL 15

Expert Comment

by:Russell_Venable
ID: 37863580
Np, Hope to get you sorted and safe.
0
 
LVL 25

Author Comment

by:Tony Giangreco
ID: 37868888
Well the control panel option is available in the start menu now, but every time it boots, Windows installed pops up and wants to access an install as if the smart_hd app needs to be reinstalled.

It's a real pain. I have to click cancel about 10 times before it disappears.

Any idea how I stop it?
0
 
LVL 15

Expert Comment

by:Russell_Venable
ID: 37868956
Ok, We are going to change the strategy here. We are going to use TheKiller and Comboxfix.

TheKiller will kill "Smart-HDD" from the process list, it also combines the functionality of "unhide" as well as fixes file extensions, and allows you to run Combofix. Post the log after it is finished.
0
 
LVL 11

Expert Comment

by:Scott Silva
ID: 37872079
I would try malwarebytes... It is easier for a non techie to use...  www.malwarebytes.org. Download the free one.
0
 
LVL 25

Author Comment

by:Tony Giangreco
ID: 37872448
I ran Malwarebytes the other day and it did remove Start_hd, but then the Windows Installer starts up at every reboot and takes 10 minutes to stop. I also ran Combofix and it didn't remove all the virus activity.

I will try the Killer and then Combofix again. This system really got hit. A reinstall may eventually be required but it's at a remote location that I can't get to easily.
0
 
LVL 15

Expert Comment

by:Russell_Venable
ID: 37872546
Well, I will get a better picture with this next combofix log that you post.
0

Featured Post

Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

You cannot be 100% sure that you can protect your organization against crypto ransomware but you can lower down the risk and impact of the infection.
Your business may be under attack from a silent enemy that is hard to detect. It works stealthily in the shadows to access and exploit your critical business information, sensitive confidential data and intellectual property, for commercial gain. T…
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

782 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question