
Self Introduction


6 replies to this topic

#1 VirtualAnt

  • Members
  • 4 posts

Posted 14 March 2012 - 06:38 PM

Hello Everyone! I discovered this site while looking for virus removal instructions. I was led here many times during my various searches and I have to say that I am quite impressed with the quality and thoroughness of the information I have been finding. I am an IT professional specializing in DB design, but over the past 20 years have worn many hats. Soon I will be posting a request for help in recovering from a severe virus infection, but I am also hoping that over time I can contribute at least as much as I am given. It is good to be here, and a hearty thanks to the hosts, admins, and all who join in the fun!


#2 SweetTech (Agent ST)

  • Members
  • 13,421 posts
  • Gender: Male
  • Location: Antarctica

Posted 15 March 2012 - 02:00 AM

Hi VirtualAnt!

Welcome to BleepingComputer! We're glad to have you join us!

Warmest Regards,
SweetTech.

Have I helped you? If you'd like to assist in the fight against malware, click here.


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#3 VirtualAnt (Topic Starter)

  • Members
  • 4 posts

Posted 15 March 2012 - 03:48 PM

Hi SweetTech!

I very much appreciate your warm welcome. I have a machine recently recovered from (what I believe was) an infection by ZeroAccess (or a variant). The machine (XP sp3) boots fine enough, but there is still residual damage - most notably an inability to connect. I am crafting my help-request and am reviewing the site guidelines. Thanks again!

ant

#4 SweetTech (Agent ST)

  • Members
  • 13,421 posts
  • Gender: Male
  • Location: Antarctica

Posted 17 March 2012 - 12:27 AM

Hi Ant!

ZeroAccess can be a real pain; it tends to cause all sorts of damage to a variety of settings on your computer. You should be aware that ZeroAccess does have backdoor capabilities.

When my users are infected with this infection I provide them with a backdoor warning that contains some important information, as well as some information about the particular infection.

I'm going to provide you with that information, so that you're aware of what it's capable of doing, and then make an informed decision on whether or not you wish to continue trying to clean the computer up or if a reformat and re-install is the best action for you to take.

ZeroAccess (Max++) Rootkit (aka: Sirefef) is a sophisticated rootkit that uses advanced technology to hide its presence in a system and can infect both x86 and x64 platforms. ZeroAccess is similar to the TDSS rootkit but has more self-protection mechanisms that can be used to disable anti-virus software resulting in "Access Denied" messages whenever you run a security application. For more specific information about this infection, please refer to:

Special thanks to quietman7 for providing the above information.



One or more of the identified infections is a backdoor trojan and password stealer.

This type of infection allows hackers to access and remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.
If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, then from a clean computer, change all passwords where applicable.
It would also be wise to contact those same financial institutions to apprise them of your situation.


I highly suggest you take a look at the two links provided below:
1. How Do I Handle Possible Identity Theft, Internet Fraud, and CC Fraud?
2. When should I re-format? How should I reinstall?


We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


Warmest Regards,
SweetTech.



#5 VirtualAnt (Topic Starter)

  • Members
  • 4 posts

Posted 20 March 2012 - 06:35 PM

Thank you SweetTech. I was just about to post my help request, but now I will wait until I review the info you provided (not easy because I am now at the mercy of the library). I am not certain that it was ZeroAccess, TDSS, or something else. I was scanning the hard drive of a friend in my machine and I became infected - persistent BSOD, scary stuff whatever it was. I run AVG, Comodo (firewall only), and UnHackMe. My HD is a 1 TB in two partitions. If I decide to reformat will I lose both partitions?

#6 SweetTech (Agent ST)

  • Members
  • 13,421 posts
  • Gender: Male
  • Location: Antarctica

Posted 20 March 2012 - 11:41 PM

Hi Ant!

Not a problem! I realize this can be scary! I've been in your shoes before, so I know exactly how it feels to be stuck with an infected computer.

If I decide to reformat will I lose both partitions?

If this were my computer, yes, I'd definitely reformat the entire drive. If you need assistance in doing so, the techs in the Windows XP forum.

Kindest Regards,
ST.



#7 VirtualAnt (Topic Starter)

  • Members
  • 4 posts

Posted 25 March 2012 - 07:12 PM

Ok ST. I sifted through all of the very informative articles you posted. Thanks for that. Are there tell-tale signs that it was indeed ZeroAccess that got me? According to the very first article, the objective of ZA is to install "FakeAntivirus crimeware" (4th paragraph). I did not get that symptom. Once I started noticing trouble, the only symptom was a persistent BSOD (occurring anytime from Windows boot 'til no more than 2 mins of desktop time). So it seems to me in this case that the ultimate goal was not to bilk me for "removal" costs, not to use me as a zombie, but simply to disable my machine.

The only reason I suspect ZA is because of some pages I came across when I searched for the BSOD hex codes (atapi.sys...). I installed the drive in a Win7 machine and performed a scan with Avast! Then I rewrote the MBR from a bootdisk, reinstalled it as a bootdrive, rewrote the MBR again (I think I even tried some virus specific tools). The Win7 machine exhibits no sign of infection. Once I reached a stable desktop, I disabled the network cards, and scans with AVG and mbam came back clean. I do have about 40 entries in my Services which I do not recognize, and 8 out of those that I researched so far have no visible executable behind them. The machine seems like it has been operating normally offline for over a week now.

So, if I decide *not* to reformat and I keep the computer disconnected, then I assume my risks are minimal, other than a possible offline resurrection (I have a lot of music, video and rare s/w). I do no banking and keep very little personal info on this computer, so if I eventually decide to risk it and connect, I imagine that my only risks are my e-mail accounts, and possible re-infection (perhaps even worse).


If I *do* decide to reformat, it will come from a known safe offline image. In your opinion, can I keep files from the second drive on the infected computer? Can I move my data files (movies, music, docs, etc.) from the infected drive (once *not* installed as a boot drive) to another drive?

Thanks again!
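The check Ant describes doing by hand in the post above (going through unrecognised Services entries and finding the ones with no executable behind them), as an added example that is not part of this thread and not anyone's code from it: parse a .reg export of the suspect drive's Services key and flag every service whose ImagePath does not resolve to a file on that drive when it is mounted, not booted, in a clean machine, the same way the drive was scanned from the Win7 box. Everything concrete here is an assumption: the D:\ mount point, the hypothetical service names, the .reg text and the file list are constructed for the example.

```python
r"""Offline service triage (added example, not code from this thread).

Flags services in an exported Services registry key whose ImagePath has no
executable behind it on a suspect drive that is mounted, not booted, in a
clean machine.  Hypothetical setup: the suspect drive is mounted as D:\ ,
its SYSTEM hive was loaded with reg.exe on the clean box and the Services
key exported to a .reg file (reg.exe writes UTF-16 with a BOM, so read such
a file with encoding="utf-16").  SAMPLE_REG and MOUNTED_FILES below are
constructed test data, not real artefacts from any machine.
"""
import ntpath
import re

MOUNT_ROOT = "D:\\"   # assumed mount point of the suspect drive

# Constructed export.  reg.exe writes REG_EXPAND_SZ as hex(2): UTF-16LE bytes
# with backslash line continuations, and REG_SZ as an escaped string.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapi]
"Type"=dword:00000001
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,61,00,74,00,61,00,70,00,69,00,2e,00,\
  73,00,79,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapi\Parameters]
"ImagePath"="value in a subkey, must be ignored"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"ImagePath"="%SystemRoot%\\system32\\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser]
"ImagePath"="%SystemRoot%\\System32\\svchost.exe -k netsvcs"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SampleSvc0]
"ImagePath"="\"C:\\Program Files\\Sample\\svc.exe\" /run"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SampleSvc1]
"Type"=dword:00000001
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\drivers\\sample1.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SampleSvc2]
"Type"=dword:00000010
"Start"=dword:00000002
'''

# Constructed stand-in for the mounted drive's file system (lower-cased).
MOUNTED_FILES = {
    r"d:\windows\system32\drivers\atapi.sys",
    r"d:\windows\system32\spoolsv.exe",
    r"d:\windows\system32\svchost.exe",
    r"d:\program files\sample\svc.exe",
}

_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\[^\\]+\\Services\\([^\\\]]+)\]$", re.I)
_IMAGE_RE = re.compile(r'^"ImagePath"=(.*)$', re.I)


def _logical_lines(text):
    """Join reg.exe's backslash-continued hex lines into single lines."""
    buf = ""
    for raw in text.splitlines():
        line = (buf + raw.strip()) if buf else raw.rstrip()
        if line.endswith("\\"):
            buf = line[:-1]
            continue
        buf = ""
        yield line


def _decode_value(rest):
    """Decode a REG_SZ ("...") or hex(2)/hex (UTF-16LE) value payload."""
    if rest.startswith('"'):
        return re.sub(r"\\(.)", r"\1", rest[1:-1])      # unescape \\ and \"
    if rest.lower().startswith("hex"):
        payload = rest.split(":", 1)[1]
        data = bytes(int(b, 16) for b in payload.split(",") if b.strip())
        return data.decode("utf-16-le").rstrip("\x00")
    return rest


def parse_services_reg(text):
    """Map service name -> raw ImagePath (None when the key has none)."""
    services, current = {}, None
    for line in _logical_lines(text):
        if line.startswith("["):
            m = _KEY_RE.match(line)
            current = m.group(1) if m else None         # subkeys are skipped
            if current is not None:
                services.setdefault(current, None)
            continue
        m = _IMAGE_RE.match(line)
        if m and current is not None:
            services[current] = _decode_value(m.group(1))
    return services


def resolve_image_path(image_path, mount_root):
    """Map a raw ImagePath to a lower-cased path under the mounted drive, or
    None for NT object-manager paths that do not name a file on it."""
    p = image_path.strip()
    if p.startswith('"'):                    # quoted path, possibly with args
        end = p.find('"', 1)
        p = p[1:end] if end > 0 else p[1:]
    else:                                    # unquoted: args follow the first space
        p = p.split(" ", 1)[0]
    if p.lower().startswith("\\??\\"):
        p = p[4:]
    low = p.lower()
    if low.startswith("\\systemroot\\"):
        p = ntpath.join(mount_root, "Windows", p[12:])
    elif low.startswith("%systemroot%"):
        p = ntpath.join(mount_root, "Windows", p[12:].lstrip("\\"))
    elif re.match(r"^[a-z]:\\", low):        # remap the original drive letter
        p = ntpath.join(mount_root, p[3:])
    elif low.startswith("\\"):
        return None
    else:                                    # bare "system32\..." is SystemRoot-relative
        p = ntpath.join(mount_root, "Windows", p)
    return ntpath.normpath(p).lower()


def find_orphaned_services(reg_text, mount_root=MOUNT_ROOT, exists=None):
    """Return {service: reason} for services with no executable behind them.
    `exists` maps path -> bool; the default consults the constructed
    MOUNTED_FILES, on a real mounted drive pass os.path.exists."""
    if exists is None:
        exists = MOUNTED_FILES.__contains__
    findings = {}
    for name, image in sorted(parse_services_reg(reg_text).items()):
        if image is None:
            findings[name] = "no ImagePath value"
            continue
        resolved = resolve_image_path(image, mount_root)
        if resolved is None:
            findings[name] = "unmappable ImagePath: " + image
        elif not exists(resolved):
            findings[name] = "missing binary: " + resolved
    return findings


if __name__ == "__main__":
    for svc, why in find_orphaned_services(SAMPLE_REG).items():
        print(f"{svc}: {why}")
```

Two caveats a practitioner would add. The file check is deliberately done against the drive mounted in a clean machine rather than on the infected box: the thread's own description of ZeroAccess is that it hides its presence on a running system, so what a booted XP shows in Services or Explorer is not trustworthy. And a hit on this list is a lead, not a verdict: a missing binary can equally be debris from uninstalled software, and a service whose binary is present is not thereby clean; the point is only to narrow forty unknown entries to the handful worth examining first.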



