Solved

Win XP Pro hit with Backdoor.MultiZAccess.gen Rootkit

Posted on 2012-04-12
885 Views
Last Modified: 2013-11-22
I'm working on a Win XP Pro system that got infected with a rootkit.

I performed the following:
1. Ran RogueKiller
2. Ran TDSSKiller
3. Ran ComboFix

Browsers run properly. No proxy servers found, no popups being displayed.
ComboFix mentioned it found a rootkit.

On the right side of the Start Menu, the following items are not displayed:
Printers, Run Now, Search

It rebooted three times and is still very slow. It takes a few hours just to reboot.

Any suggestions?

Question by: Tony Giangreco
16 Comments
 
LVL 17

Accepted Solution

by: bigeven2002 earned 125 total points
ID: 37840007
Hello,

It is extremely difficult to get rid of a rootkit. Even if ComboFix removed it, the damage is done and it is possible that some remnants remain. Best to back up the data and rebuild the workstation.
0
 
LVL 9

Assisted Solution

by:Scott Silva
Scott Silva earned 125 total points
ID: 37840030
Download an offline scanner that will boot and run from CD-ROM, like AVG Rescue CD or Avira Rescue System: http://www.avg.com/us-en/avg-rescue-cd and http://www.avira.com/en/downloads#tools. This will let you scan without the rootkit running and covering its tracks.
0
 
LVL 1

Assisted Solution

by:asher-is-me
asher-is-me earned 125 total points
ID: 37841102
I would recommend running an offline scanner or rescue CD without the Internet cable plugged in (just to prevent new data from being downloaded).

If you continue to try but the virus still hasn't left, it'd be easier in the long run to just reinstall Windows.  :-(
0
 
LVL 15

Assisted Solution

by:Russell_Venable
Russell_Venable earned 125 total points
ID: 37844675
@bigeven2002, that is never the solution for MBR-resident type or beyond rootkits. You will just get reinfected and waste a good 2 hours of installation of basics.

TG-TIS, Can you post all three logs?
0
 
LVL 25

Author Comment

by:Tony Giangreco
ID: 37845302
I ran an offline scanner overnight and it didn't do anything. I ended up doing a reinstall.

Thanks for your suggestions.
0
 
LVL 15

Expert Comment

by:Russell_Venable
ID: 37845360
Are you sure about this? I have had a lot of experience with ZeroAccess and it's not normally that easy to kill with just a reinstall.
0
 
LVL 17

Expert Comment

by:bigeven2002
ID: 37845461
@Russell, as long as it is not a firmware based rootkit, which in this case it isn't, then formatting and reinstalling will solve the problem.
0
 
LVL 25

Author Comment

by:Tony Giangreco
ID: 37860427
The PC appears to be cleaned up, but this morning I noticed a Smart_HDD icon on the desktop, and in the Start Menu, Control Panel and Printers are not displayed.

I don't see any other symptoms of spyware. Can anyone provide a suggestion on how to safely remove the Smart_HDD and resolve the missing menu items? This is XP Pro.
0
 
LVL 15

Expert Comment

by:Russell_Venable
ID: 37860847
@bigeven2002, if that's your view you need to do some more research on what a rootkit is and how they work.

TG-TIS,
There are a few options you can follow. Remove Smart HDD or follow Youngv's article on the 2012 variants.

Unhide should restore the hidden items you notice are missing. If Smart HDD is present, rkill will remove the process from the process list and also check your file associations and restore them if needed. I would follow directly in order: rkill, unhide, then the rest of the tools mentioned. If TDSSKiller works for you it will remove the rootkit component and repair the MBR. After the rootkit is safely removed you can format if you so choose, and it will not come back.
0
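Added here as an illustration of what a tool like "unhide" has to undo; this is not code from the thread or from any of the tools named in it. It is a read-only PowerShell audit of the Explorer policy values that suppress Control Panel, Printers, Run and Search in the Start Menu, plus a count of Hidden-attribute files in the user's Desktop, My Documents and Start Menu folders. It assumes Windows PowerShell is installed on the XP machine (it is not by default); the value names are the standard Explorer restriction policies, and which of them, if any, this particular infection set is not stated in the thread.

```powershell
# Read-only audit: reports Start Menu restrictions and hidden user files, changes nothing.
# Assumption: Windows PowerShell is present on the XP box (not installed by default).
$policyPaths = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
# Standard Explorer restriction value -> the Start Menu item it removes when non-zero
$restrictions = @{
    'NoControlPanel' = 'Control Panel'
    'NoSetFolders'   = 'Control Panel / Printers folders on the Start Menu'
    'NoRun'          = 'Run'
    'NoFind'         = 'Search'
    'NoDesktop'      = 'Desktop icons'
}
foreach ($path in $policyPaths) {
    if (-not (Test-Path $path)) { continue }
    $key = Get-ItemProperty -Path $path
    foreach ($name in $restrictions.Keys) {
        $value = $key.$name
        if ($value -ne $null -and $value -ne 0) {
            "{0}\{1} = {2}  (hides: {3})" -f $path, $name, $value, $restrictions[$name]
        }
    }
}
# Rogue "fake HDD" tools set the Hidden attribute on user files and shortcuts so the
# folders look emptied; count such files in the locations a user notices first.
$folders = @('Desktop', 'MyDocuments', 'StartMenu') |
    ForEach-Object { [Environment]::GetFolderPath($_) }
foreach ($folder in $folders) {
    if (-not (Test-Path $folder)) { continue }
    $hidden = Get-ChildItem -Path $folder -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object {
            -not $_.PSIsContainer -and $_.Name -ne 'desktop.ini' -and
            (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
        }
    "Hidden files under {0}: {1}" -f $folder, @($hidden).Count
    $hidden | Select-Object -First 10 -ExpandProperty FullName
}
```

Run it before and after rkill/unhide: a restriction value that reappears, or files that turn hidden again after a reboot, means the persistence component has not been removed yet.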
 
LVL 25

Author Comment

by:Tony Giangreco
ID: 37860862
Ok, I will try it and let you know what happens. Thanks for the help!
0
 
LVL 15

Expert Comment

by:Russell_Venable
ID: 37863580
Np, Hope to get you sorted and safe.
0
 
LVL 25

Author Comment

by:Tony Giangreco
ID: 37868888
Well, the Control Panel option is available in the Start Menu now, but every time it boots, Windows Installer pops up and wants to access an install as if the smart_hd app needs to be reinstalled.

It's a real pain. I have to click cancel about 10 times before it disappears.

Any idea how I stop it?
0
 
LVL 15

Expert Comment

by:Russell_Venable
ID: 37868956
Ok, we are going to change the strategy here. We are going to use TheKiller and ComboFix.

TheKiller will kill "Smart-HDD" from the process list; it also combines the functionality of "unhide", fixes file extensions, and allows you to run ComboFix. Post the log after it is finished.
0
 
LVL 9

Expert Comment

by:Scott Silva
ID: 37872079
I would try Malwarebytes... It is easier for a non-techie to use: www.malwarebytes.org. Download the free one.
0
 
LVL 25

Author Comment

by:Tony Giangreco
ID: 37872448
I ran Malwarebytes the other day and it did remove Start_hd, but then the Windows Installer starts up at every reboot and takes 10 minutes to stop. I also ran ComboFix and it didn't remove all the virus activity.

I will try TheKiller and then ComboFix again. This system really got hit. A reinstall may eventually be required, but it's at a remote location that I can't get to easily.
0
 
LVL 15

Expert Comment

by:Russell_Venable
ID: 37872546
Well, I will get a better picture with the next ComboFix log that you post.
0
