
Need some advice and information on Rootkit-Zero Access



#1 FTLDmike


Posted 30 September 2011 - 01:58 PM

Good afternoon everyone,
I am a long-time lurker, first time poster. What a great site.

Unfortunately I think my system has been compromised by Zero Access. I have all of the symptoms that I have seen described. Let me tell you, this thing is as nasty as everyone says. Before I post a request to help remove it in the other forum, I want to get some opinions on whether my PC will be safe even if removal is successful. I have enough access to back up any critical data to another partition. So, is it a better option to just give it up and reinstall? Is a reinstall sufficient, or is this an instance where a reformat is in order?

I would also be interested to know if anyone has determined what this thing is actually designed to do? Any advice and information is greatly appreciated.

Regards,

Mike



#2 boopme


Posted 30 September 2011 - 03:08 PM

This is it, and you need specific help.

Please go here....
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If Gmer won't run, skip it and move on.
Let me know if that went well.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 FTLDmike


Posted 30 September 2011 - 03:13 PM

Thanks Boopme. I have already downloaded the utilities and reviewed the prep guide. And yes, I know I need really specific help with this one.

I take it that your feeling is that this would be worth the effort and can be repaired safely? (barring any of the unexpected things that I know can happen).

Thanks Again,

Mike

#4 boopme


Posted 30 September 2011 - 03:21 PM

Hi Mike, yes it can be repaired safely and perfectly. The only downside is that right now we are backlogged and it will take about 3 days for their reply to you.


Your decision as to what action to take should be made by reading and asking yourself the questions presented in "When Should I Format, How Should I Reinstall?" In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore removes everything and is the safest action, but I cannot make that decision for you.

Reformatting a hard disk deletes all data. If you decide to reformat, you can back up all your important documents, data files and photos. The safest practice is not to back up any autorun.ini or .exe files because they may be infected. Some types of malware may disguise themselves by adding and hiding their extension after the existing extension of files, so be sure you take a close look at the full name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.


If the data is that important to you, then you can try to salvage some of it, but there is no guarantee, so be forewarned that you may have to start over again afterwards if reinfected by attempting to recover your data. Only back up your important documents, personal data files and photos to a CD or DVD, not a flash drive or external hard drive, as they may become compromised in the process. The safest practice is not to back up any executable files (*.exe), screensavers (*.scr), autorun (.ini) or script files (.php, .asp, .htm, .html, .xml) because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executables inside them, as some types of malware can penetrate compressed files and infect the .exe files within them. Other types of malware may even disguise themselves by hiding a file extension or adding to the existing extension as shown here (click Figure 1 to enlarge), so be sure you look closely at the full file name. If you cannot see the file extension, you may need to reconfigure Windows to show file name extensions. Then make sure you scan the backed up data with your anti-virus prior to copying it back to your hard drive.

If your CD/DVD drive is unusable, another word of caution if you are considering backing up to an external USB hard drive as your only alternative. External drives are more susceptible to infection and can become compromised in the process of backing up data. I'm not saying you should not try using such devices, but I want to make you aware of all your options and associated risks so you can make an informed decision if it's worth that risk. Again, do not back up any files with the following file extensions: .exe, .scr, .ini, .htm, .html, .php, .asp, .xml, .zip, .rar, .cab, as they may be infected.

If you're not sure how to reformat or need help with reformatting, please review: These links include step-by-step instructions with screenshots: Vista users can refer to these instructions: Don't forget you will have to go to Microsoft Update and apply all Windows security patches after reformatting.

Note: If you're using an IBM, Sony, HP, Compaq or Dell machine, you may not have an original XP CD. By policy Microsoft no longer allows OEM manufacturers to include the original Windows XP CD-ROM on computers sold with Windows preinstalled. Instead, most computers manufactured and sold by OEM vendors come with a vendor-specific Recovery Disk or Recovery Partition for performing a clean "factory restore" that will reformat your hard drive, remove all data and restore the computer to the state it was in when you first purchased it. See Technology Advisory Recovery Media. If the recovery partition has become infected, you will need to contact the manufacturer, explain what happened and ask them to send full recovery disks to use instead.

If you need additional assistance with reformatting or partitioning, you can start a new topic in the Operating Systems Subforums forum.
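The backup triage boopme describes above (leave executables, scripts and archives behind, and look closely for a second extension tacked onto a harmless-looking name) as an added Python script; it is not part of this thread or of any BleepingComputer tool. It uses the thread's own extension list, an assumed set of executable suffixes for the double-extension check, and a constructed sample backup tree so it runs offline.

```python
import tempfile
from pathlib import Path

# Extensions the thread advises not to back up because they may carry the infection.
RISKY_EXTENSIONS = {".exe", ".scr", ".ini", ".htm", ".html", ".php",
                    ".asp", ".xml", ".zip", ".rar", ".cab"}
# Suffixes that make "holiday.jpg.exe" a program (assumed set; the thread only
# says malware may "add to the existing extension").
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Constructed sample backup tree (relative paths), not real user data.
SAMPLE_FILES = [
    "Documents/report.docx", "Documents/holiday.jpg.exe", "Documents/autorun.ini",
    "Downloads/setup.exe", "Downloads/archive.zip",
    "Photos/family.jpg", "Photos/notes.txt",
]

def classify(name: str) -> str:
    """Return 'double-ext', 'risky' or 'ok' for a single file name."""
    suffixes = [s.lower() for s in Path(name).suffixes]
    if not suffixes:
        return "ok"
    # "holiday.jpg.exe" is shown as "holiday.jpg" when Windows hides extensions.
    if len(suffixes) >= 2 and suffixes[-1] in EXECUTABLE_SUFFIXES:
        return "double-ext"
    if suffixes[-1] in RISKY_EXTENSIONS:
        return "risky"
    return "ok"

def triage(root: str) -> dict:
    """Walk a backup folder and bucket each file by classify(); paths are relative."""
    base = Path(root)
    buckets = {"double-ext": [], "risky": [], "ok": []}
    for p in base.rglob("*"):
        if p.is_file():
            buckets[classify(p.name)].append(p.relative_to(base).as_posix())
    for names in buckets.values():
        names.sort()
    return buckets

def build_sample_backup() -> str:
    """Create the constructed sample tree in a temp directory and return its path."""
    root = Path(tempfile.mkdtemp(prefix="backup_triage_"))
    for rel in SAMPLE_FILES:
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"placeholder")
    return str(root)

if __name__ == "__main__":
    print(triage(build_sample_backup()))
```

The check looks only at file names; the thread's advice to scan the backed-up files with an anti-virus before copying them back still applies.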

#5 FTLDmike


Posted 30 September 2011 - 03:30 PM

Ok, thanks very much for the reply and information. I will give it a try.

I would also point out to anyone reading this that the machine in question was running up-to-date AVG protection and all modules were active at the time of infection. The file was identified upon "open" by the application, which tried to stop it, and the firewall attempted to block it as well, all to no effect. It was able to immediately disable the "Identity Protection" module and to cripple the anti-virus in real time. From there, it was the mayhem I have seen described in other posts.

Thanks,

Mike

#6 FTLDmike


Posted 03 October 2011 - 09:08 AM

Boopme,
Thanks for the offer of help. Ultimately the machine got infected with some other stuff and became more trouble than it was worth. I was able to back up critical data using my Ubuntu CD to a second partition I had set up on the hard drive. I decided to blow away Windows and install Ubuntu. I plan to use it for a while and see if I miss Microsoft. :-)

Again, thanks for the offer to assist and all the great work you guys do over here.

Mike

#7 boopme


Posted 03 October 2011 - 07:50 PM

Not an unwise decision to make. Also what I'd have done.
You're welcome.