Posted 17 January 2012 - 09:14 PM
I should be posting this in the VTS&M removal logs forum, but I'm under a bit of a time crunch. My client cannot wait more than a few days to get their computer back, and I know the VTS&M forum is backed up. So, as a last resort before wiping and reinstalling, I'm looking for some help from you gurus out there.
This PC is running Win XP SP3, fully updated. It is an eMachines W5233. He brought it to me complaining that it was very slow and kept popping up a System Check program that he didn't download. The entire desktop was hidden and nothing could be installed. Below are the steps I took yesterday and today, in as close to order as I can put them (MBAM, SAS, and aswMBR logs can be shown if needed):
1. Booted into safe mode and ended the System Check process in order to remove that program.
2. Had to run Unhide software to get the desktop icons back.
3. MBAM had to be run in safe mode without updating first, and it found nothing.
4. SAS found nothing but tracking cookies.
5. Roguekiller found some stuff and cleaned them. After that, MBAM ran and found some more.
6. Eset online scanner found 14 more items.
7. SAS found 480 items.
8. After looking at some of the items found, I ran Combofix just to see if it would find anything. Combofix starts and after about 5 minutes pops up with "You are infected with Rootkit.Zeroaccess in the TCP/IP stack. This is a particularly difficult infection to remove.....etc." Clicking OK clears that window until about 5 minutes later and another window pops up stating "Rootkit activity is detected. This may take some moments." Clicking OK clears that window as well. But, then shortly after that, Windows locks up (the mouse cursor still moves but you can click on nothing). Combofix never even shows Step 1 in its scan. Just to make sure that I wasn't being too impatient, I started combofix last night and after clicking OK on that second popup, I went to bed. 9 hours later, the machine looked exactly as it did the night before. Locked up.
9. TDSSKiller will not start in normal or safe mode.
10. aswMBR will not start in normal or safe mode.
11. I tried Rkill from BC and ran it. After a few tries, it stopped userinit, but I still couldn't run TDSSKiller or aswMBR.
12. On a whim, I burned and booted on a UBCD4Win CD. Once it was up, I went to where I had saved the aswMBR.exe file and started it. It started up ok. I selected just the C: drive to scan, and it found Partition 2 MBR infected with Alureon-K (rootkit). I clicked the FixMBR button and after a minute or so a new MBR was written successfully.
13. I rebooted into safe mode and tried running TDSSKiller, but it still won't start. aswMBR still will not run while booted into Windows in any mode. Combofix still locks up after the same point is reached.
If the MBR is infected with a rootkit, can it even be cleaned? Something tells me that after I used aswMBR while booted on the UBCD and rebooted, as soon as Windows loaded, the MBR got infected again.
I have a few days to play around with this before having to wipe it and reinstall so if anybody wants to take a crack at it, I'm all ears.
What's more irrational--a guy who believes in a God he cannot see or a guy who is offended by a God he doesn't believe in?
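The question at the end of the post (was the MBR rewritten again as soon as Windows booted?) can be answered with a check rather than a hunch: dump sector 0 of the disk from the rescue environment before running FixMBR, again right after, and a third time after letting Windows boot once, then compare the captures. A boot-sector rootkit that hooks the boot path normally replaces only the 440-byte bootstrap region and leaves the partition table alone, so the bootstrap code and the partition table should be compared separately. The script below is an added example written for this page; it is not part of the original post and is not code from aswMBR, TDSSKiller, Combofix or any other tool named there. The sample MBR images it builds are constructed test data, not real disk dumps or real rootkit code; the device paths in the comments are assumptions about the rescue environment.

```python
import hashlib
import struct

# Classic MBR layout (512 bytes): 440 bytes of bootstrap code, a 4-byte disk
# signature, 2 reserved bytes, four 16-byte partition entries, then 0x55AA.
MBR_LEN = 512
BOOTCODE_LEN = 440
DISK_SIG_OFF = 440
PART_TABLE_OFF = 446
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"
# status, CHS start, type, CHS end, LBA start, sector count (little-endian)
PART_ENTRY_FMT = "<B3sB3sII"


def parse_mbr(sector):
    """Parse one 512-byte sector as an MBR: bootstrap hash, disk signature
    and the non-empty partition entries."""
    if len(sector) != MBR_LEN:
        raise ValueError("expected %d bytes, got %d" % (MBR_LEN, len(sector)))
    if sector[MBR_LEN - 2:] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature; not a valid MBR")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _, ptype, _, lba_start, sectors = struct.unpack(
            PART_ENTRY_FMT, sector[off:off + PART_ENTRY_LEN])
        if ptype == 0:
            continue  # empty slot
        partitions.append({"index": i + 1, "bootable": status == 0x80,
                           "type": ptype, "lba_start": lba_start,
                           "sectors": sectors})
    return {
        "bootcode_sha256": hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack(
            "<I", sector[DISK_SIG_OFF:DISK_SIG_OFF + 4])[0],
        "partitions": partitions,
    }


def compare_mbrs(before, after):
    """Report what differs between two MBR captures. Bootstrap code and
    partition table are compared separately, since a bootkit usually rewrites
    the former and keeps the latter so the system still boots."""
    a, b = parse_mbr(before), parse_mbr(after)
    return {
        "bootcode_changed": a["bootcode_sha256"] != b["bootcode_sha256"],
        "partition_table_changed": a["partitions"] != b["partitions"],
        "disk_signature_changed": a["disk_signature"] != b["disk_signature"],
    }


def build_sample_mbr(bootcode, partitions, disk_signature=0x1A2B3C4D):
    """Assemble a constructed MBR for demonstration. partitions is a list of
    (type, lba_start, sector_count, bootable) tuples; CHS fields are filled
    with 0xFF, as tools do when the LBA fields are authoritative."""
    body = bootcode[:BOOTCODE_LEN].ljust(BOOTCODE_LEN, b"\x00")
    body += struct.pack("<I", disk_signature) + b"\x00\x00"
    table = b"".join(
        struct.pack(PART_ENTRY_FMT, 0x80 if bootable else 0x00, b"\xff\xff\xff",
                    ptype, b"\xff\xff\xff", lba, count)
        for ptype, lba, count, bootable in partitions)
    return body + table.ljust(4 * PART_ENTRY_LEN, b"\x00") + BOOT_SIGNATURE


# Constructed sample data: a generic-looking bootstrap stub and two NTFS
# partitions (type 0x07). Neither image is a real dump or real rootkit code.
SAMPLE_PARTITIONS = [(0x07, 63, 20_000_000, True),
                     (0x07, 20_000_063, 4_000_000, False)]
CLEAN_MBR = build_sample_mbr(
    b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb" + b"\x90" * 16, SAMPLE_PARTITIONS)
# Same partition table, different bootstrap: the pattern a bootkit leaves.
TAMPERED_MBR = build_sample_mbr(b"\xeb\x1e\x90" + b"\xcc" * 32, SAMPLE_PARTITIONS)

if __name__ == "__main__":
    # On a live system the sector would be read from the raw device, e.g.
    # open("/dev/sda", "rb").read(512) on a Linux rescue disc or
    # open(r"\\.\PhysicalDrive0", "rb").read(512) on Windows PE (run as
    # administrator). Device names are assumptions; samples are used here.
    print(parse_mbr(CLEAN_MBR))
    print(compare_mbrs(CLEAN_MBR, TAMPERED_MBR))
```

Save each capture to a file with a name that records when it was taken (before FixMBR, after FixMBR, after one Windows boot) and run compare_mbrs on each pair. If the partition table is unchanged but bootcode_changed flips back to True after the Windows boot, something that runs inside Windows is rewriting sector 0, which is exactly the situation the post suspects; if the hashes stay identical, the MBR repair held and the remaining problems lie elsewhere.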