Possible Zero Access Rootkit? I need help please


  • This topic is locked
12 replies to this topic

#1 dennisrobinson

  • Members
  • 9 posts

Posted 28 December 2011 - 09:00 AM

Hello, I am having an issue with my computer. I believe I have a virus due to the symptoms, but I don't know it for a fact. Recently my computer starts up properly, but when I log in, it goes to the desktop much slower than usual. When I get to the desktop I cannot start any programs. If I click on anything, nothing happens. Nothing pops up, no error messages, just nothing happens. I tried doing a system restore, but it gave an error upon completion and now the only date available is the date my computer became infected. The only programs that open are the default Windows Photo Viewer and the basic Microsoft games that came with the computer. Not even the internet, or antivirus software that I have installed like Avast or Malwarebytes, will start. I have to post these messages from a work computer because of this issue. I've also tried starting programs using Run as administrator, from the Run box, and in Safe Mode with or without networking. Nothing makes a difference, as the programs will just not run. When I go to Task Manager it shows no applications running. CPU usage is usually listed at 0%. Under Processes, when I click a program it will appear in the processes but with a *32 next to its name; that lasts about 3-5 seconds before the process is automatically ended. I've also tried every form of RKill but nothing will open or run. Does anyone have any ideas on what my problem might be or how to fix this? I've contacted Microsoft but they had no idea, and I've contacted Dell, who said they know exactly what the problem is... so I should pay them 200 dollars to fix it. I'm low on money due to the holidays and being poor in general haha. Any help or information would be appreciated, thanks.

Edited by hamluis, 28 December 2011 - 10:24 AM.
Moved from Win 7 to Am I Infected.


#2 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,744 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 28 December 2011 - 10:44 AM

Processes that end with *32 are 32-bit applications running under WOW64 on a 64-bit OS.

Microsoft created a new folder named SysWOW64 for storing 32-bit .dll files. WOW64 equates to "Windows on 64-bit Windows". This folder contains all the 32-bit .dll files required for compatibility which run on top of the 64-bit version of Windows. WOW64 is the x86 emulator that allows 32-bit Windows-based applications to run on 64-bit Windows but x86 applications are re-directed to the x86 \syswow64 when seeking the x64 \system32.

For a more detailed explanation, please refer to:

Some malware infections will alter file associations and registry keys corresponding to them so programs will not work properly. In order to get them working again this modification needs to be repaired. This is a small tool that restores the default exe association.

Please download ExeFix.scr by Farbar for Windows XP and save it to a USB flash drive or to the root of the system drive (usually C:).
  • Important! Boot your computer into the user account that is having trouble running exe files.
  • Double-click on ExeFix.scr to run it.
  • The tool notifies you within a fraction of a second to reboot the computer, please do so.
Note: If the tool did not run, try changing the file extension to .com, .bat, .cmd or .pif.
Also note that in order for the fix to work, you need to be booted to the user account that is having trouble running exe files.

After that you should be able to run your programs.

If not, please see this self-help guide and follow the instructions exactly as written for using FixNCR.reg, RKill and then an immediate scan by Malwarebytes.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif
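The post above explains that malware commonly breaks program launching by altering the .exe file-association keys, and that ExeFix puts the defaults back. The PowerShell script below is an added example for this editorial copy of the thread; it is not code from the thread, from Farbar's ExeFix, or from BleepingComputer. It is a read-only audit: it reads the registry keys that govern how an .exe is started and reports anything that differs from the Windows defaults, and it also lists Image File Execution Options "Debugger" entries, a second registry mechanism that makes Windows start a different binary in place of a named program. It assumes it can be run from an elevated PowerShell prompt while logged in as the affected user (the HKCU check is per user); on a machine where nothing launches at all, the same keys would have to be inspected from outside the running OS, which this script does not attempt.

```powershell
# Added example (not from the thread or from ExeFix): read-only audit of the
# registry values that control how .exe files are launched on Windows.
# Run from an elevated PowerShell prompt in the affected user's session.
# The *32 tag on processes is unrelated to this: it only marks WOW64 processes,
# which are normal on 64-bit Windows.

function Get-ExeLaunchFindings {
    $findings = @()

    # 1. HKCR\.exe must point at the "exefile" ProgID.
    #    PowerShell exposes a key's unnamed default value as the '(default)' property.
    $dotExe = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\.exe' `
               -ErrorAction SilentlyContinue).'(default)'
    if ($dotExe -ne 'exefile') {
        $findings += "HKCR\.exe default is '$dotExe' (expected 'exefile')"
    }

    # 2. The open command for exefile must be exactly "%1" %* .
    #    Anything else gets started in place of every program the user launches.
    $cmdKey  = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
    $openCmd = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
    if ($openCmd -ne '"%1" %*') {
        $findings += "exefile open command is '$openCmd' (expected '`"%1`" %*')"
    }

    # 3. A per-user UserChoice under FileExts\.exe overrides HKCR for that user
    #    and does not exist on a default installation.
    $userChoice = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\UserChoice'
    if (Test-Path -Path $userChoice) {
        $findings += "Per-user .exe association override present at $userChoice"
    }

    # 4. An IFEO "Debugger" value makes Windows launch that path instead of the
    #    named program. Legitimate tools use this too, so review each hit rather
    #    than treating every entry as malicious.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath).Debugger
        if ($dbg) {
            $findings += "IFEO Debugger for $($_.PSChildName): $dbg"
        }
    }

    return $findings
}

# Force an array so .Count is reliable even for zero or one finding.
$result = @(Get-ExeLaunchFindings)
if ($result.Count -eq 0) {
    Write-Output 'No deviations from the default .exe launch configuration found.'
} else {
    $result | ForEach-Object { Write-Output "FINDING: $_" }
}
```

The expected values ('exefile' and "%1" %*) are the stock .exe association on Windows XP through Windows 7, which is what a tool like ExeFix writes back. The script changes nothing; if it reports a deviation, restore the association with a known-good fix (such as the ExeFix or FixNCR.reg steps above) rather than editing values by hand, and treat any IFEO Debugger hit as something to identify before removing, since debuggers and some compatibility tools register themselves the same way.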

#3 Computer wiz45

  • Members
  • 40 posts

Posted 28 December 2011 - 10:44 AM

Based on the information you provided, you need help from the Malware Removal Team. Follow this Guide.

#4 quietman7

Posted 28 December 2011 - 10:49 AM

The Malware Response Team members are all volunteers who contribute to helping members as time permits but currently there is a backup and you may have to wait for assistance. Referrals are made to the Virus, Trojan, Spyware, and Malware Removal Logs forum if we cannot assist members here and we need to use more powerful tools or the member does not mind waiting.

#5 dennisrobinson

  • Topic Starter

Posted 28 December 2011 - 05:30 PM

Thank you for your help, I will give this a try and see what happens.

#6 quietman7

Posted 28 December 2011 - 05:51 PM

Not a problem.

#7 dennisrobinson

Posted 28 December 2011 - 07:08 PM

Well, no version of that worked. I also tried the multistep process that begins with Defogger, but nothing from that list worked at all. Defogger at least opened, unlike the others, but then closed after a few seconds. I tried Hitman Pro, and it ran unlike anything else, but it didn't find the problem.

#8 quietman7

Posted 29 December 2011 - 12:04 AM

Please download RKill by Grinler and save it to your desktop.
There will be a list of RKill download links using different file extensions and renamed versions. Read the comments, which explain why they are offered. The iExplore.exe version is generally more effective, but you may want to download more than one version before proceeding.

  • Double-click on the Rkill desktop icon to run the tool.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, and try another version.
  • If it still does not work, repeat the process and attempt to use one of the remaining versions until the tool runs.
  • Note: You may have to make repeated attempts to use RKill several times before it will run as some malware variants try to block it.
  • A log file will be created and saved to the root directory, C:\RKill.log
  • Copy and paste the contents of RKill.log in your next reply.
-- If you get an alert that RKill is infected, ignore it. The alert is a fake warning given by the rogue software which attempts to terminate tools that try to remove it. If you see such a warning, leave the warning on the screen and then run RKill again. By not closing the warning, this sometimes allows you to bypass the malware's attempt to protect itself so that RKill can perform its routine.

-- Some security tools may flag RKill as malware, especially when renamed to iexplore.exe, explorer.exe, winlogon.exe, etc because they have definitions in place that flag certain file names used outside their normal path. If you encounter such an alert when running Rkill, you can safely ignore it and continue to allow the program to run.

Important: Do not reboot your computer until you complete the next step.

Now try performing a Quick Scan in normal mode with Malwarebytes' Anti-Malware and check all items found for removal. Don't forget to check for database definition updates through the program's interface (preferable method) before scanning, and to reboot afterwards. Failure to reboot normally will prevent Malwarebytes from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

#9 dennisrobinson

Posted 29 December 2011 - 09:28 AM

I downloaded every version of RKILL and clicked each one multiple times, even trying run as Administrator but nothing ever opened. I will try again later today when I get home from work. I also never get a warning telling me not to run RKILL because it could be malware. Nothing ever happens when I click anything. Nothing pops up at all. The cursor just turns into the swirling circle (used to be an hourglass back in the day) for a little while and then that's about it.

#10 dennisrobinson

Posted 29 December 2011 - 07:59 PM

Well I tried running each RKILL version about twenty times each. They never opened. Any other ideas?

#11 quietman7

Posted 30 December 2011 - 07:23 AM

Looks like more powerful tools than we recommend in this forum are needed.

Please follow the instructions in the Preparation Guide For Requesting Help starting at Step 6.
  • If you cannot complete a step, then skip it and continue with the next.
  • In Step 7 there are instructions for downloading and running DDS which will create two logs.
When you have done that, post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the Malware Response Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. After doing this, it would be helpful if you replied back in this thread with a link to the new topic so we can close this one.

If HelpBot replies to your topic, please follow Step One so it will report your topic to the team members.

Note: If you can produce at least some of the logs, create a new topic and explain what happened with those logs you tried to create but could not. If you cannot create any of the logs, then still post the topic and explain that you followed the Prep. Guide but were unable to create the required logs. Again, describe what happened when you tried to create them.

#12 dennisrobinson

Posted 30 December 2011 - 05:17 PM

None of the log programs worked so I could not complete ANY steps. I put another post here
http://www.bleepingcomputer.com/forums/topic435351.html/page__fromsearch__1

#13 quietman7

Posted 30 December 2011 - 07:34 PM

Ok. Should you find that you are able to run any of those tools and generate a log before someone replies to your topic, DO NOT add another reply. Just edit the existing topic and post your log beneath the reply that you already made. Also do not bump your topic. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another Malware Response Team member is already assisting you and not open the thread to respond.

If HelpBot replies to your topic, please follow Step One so it will report your topic to the team members.

To avoid confusion, I am closing this topic until you are cleared by the Malware Response Team. If you still need assistance after your log has been reviewed and you have been cleared, please PM me or another moderator and we will re-open this topic.

Good luck with your log.