Win XP Pro hit with Backdoor.MultiZAccess.gen Rootkit

I'm working on a Win XP Pro system that got infected with a rootkit.

I performed the folowing:
1. Ran RogueKiller
2. Ran TSD Killer
3. Ram ComboFix

Browsers run properly. No provy servers found, no popups being displayed.
ComboFix mentioned it found a rootkit.

On the right side of the Start Menu, the following items are not displayed:
Printers, Run Now, Search

It rebooted three times and is still very slow. It takes a few hours just to reboot.

Any suggestions
LVL 25
Tony GiangrecoAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.


It is extremely difficult to get rid of a rootkit.  Even if combofix removed it, the damage is done and possible that some remnants remain.  Best to backup the data and rebuild the workstation.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Scott SilvaNetwork AdministratorCommented:
Download an offline scanner that will boot and run from cdrom like AVG rescue or avira rescue system... This will let you scan without the rootkit running and covering its tracks.
I would recommend running an offline scanner or rescue CD without the Internet cable plugged in (just to prevent new data from being downloaded).

If you continue to try but the virus still hasn't left, it'd be easier in the long run to just reinstall Windows.  :-(
Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.

@bigeven2002, That is never the solution for mbr resident type or beyond rootkits. You will just get reinfected and waste a good 2 hours of installation of basics.

TG-TIS, Can you post all three logs?
Tony GiangrecoAuthor Commented:
I ran an Offline scanner over night and it didn;t do anything. I ended up doing a reinstall.

Thanks for your suggestions.
Are you sure about this? I have had a lot of experience with with zeroaccess and its not normally that easy to kill with just a reinstall.
@Russell, as long as it is not a firmware based rootkit, which in this case it isn't, then formatting and reinstalling will solve the problem.
Tony GiangrecoAuthor Commented:
The Pc appears to be clened up but this morning I noticed a Smart_HDD icon on the desktop and in the start menu, control panel and printers are not displayed.

I don't see any other symptoms of spyware. Can anyone provide a suggestion on how to dsafelt remove the Smart_hdd and resolve missing menu items? This is XP Pro.
@bigeven2002, if that's your view you need to do some more research on what a rootkit is and how they work.

There is a few options you can follow. Remove Smart HDD or follow Youngv's article 2012 varients.

Unhide should restore hidden items thy notice are missing. If Smart HDD is present rkill will remove the process from the process list and also check your file associations and restore them if needed. I would follow directly in order: rkill, unhide, then the rest of the tools mentioned. If tdsskiller works for you it will remove the rootkit component and repair the mbr. After the rootkit is safetly removed then you can format if you so choose and it will not come back.
Tony GiangrecoAuthor Commented:
Ok, I will try it and let you know what happens. Thanks for the help!
Np, Hope to get you sorted and safe.
Tony GiangrecoAuthor Commented:
Well the control panel option is available in the start menu now, but every time it boots, Windows installed pops up and wants to access an install as if the smart_hd app needs to be reinstalled.

It's a real pain. I have to click cancel about 10 times before it disappears.

Any idea how I stop it?
Ok, We are going to change the strategy here. We are going to use TheKiller and Comboxfix.

TheKiller will kill "Smart-HDD" from the process list, it also combines the functionality of "unhide" as well as fixes file extensions, and allows you to run Combofix. Post the log after it is finished.
Scott SilvaNetwork AdministratorCommented:
I would try malwarebytes... It is easier for a non techie to use... Download the free one.
Tony GiangrecoAuthor Commented:
I ran Malwarebytes the other day and it did remove Start_hd, but then the Windows Installer starts up at every reboot and takes 10 minutes to stop. I also ran Combofix and it didn't remove all the virus activity.

I will try the Killer and then Combofix again. This system really got hit. A reinstall may eventually be required but it's at a remote location that I can't get to easily.
Well, I will get a better picture with this next combofix log that you post.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Anti-Virus Apps

From novice to tech pro — start learning today.