Sorry that took so long, I was busy obeying the HelpBot. Anyway, first, the update. This is kinda long, bear with me.
First thing I've noticed, Explorer.exe uses a lot more memory than usual, if I'm not mistaken. Whenever I start up Internet Explorer, or any browser, I think, I get "Detecting proxy settings" in the lower left hand corner of the Status Bar. Also, like some of the classic adware/malware, keywords in the text on the pages I browse now get highlighted into URLs for tiny ads that come up like tooltips when you roll over them. They're normally GeoAds, powered by RivalGaming.
Still getting popups, but the websites popping up don't seem that malicious themselves. I'm getting stuff from Zazzle, a reputable t-shirt company. Not sure how this rootkit would be associated with Zazzle. But I'm also getting popups from Facebook, asking me to sign in so I can view and also follow certain feeds and pages.
I hear these Zero Access rootkits steal password information and stuff. I noticed that now, Internet Explorer keeps getting AutoComplete turned on, and Form Data keeps getting saved. I continuously clear that data now, and check in to see if those boxes have been checked off again. So far nothing particularly sensitive has been signed into yet, so if my info is getting stolen, so far everything is salvageable. Haven't even signed into e-mail yet.
In addition to that, I hear these Zero Access rootkits sometimes allow remote access to your computer so that a hacker, or hackers, can control your computer remotely. But is the control automated? Or is an actual person sitting down doing XSS stuff to my computer or something? Because one night I left my computer running overnight, and early the next morning I found Facebook signed into, amongst the other popups that are now popping up. It was the account of someone who'd used this computer a while back, so that might be automated from the cookies on my computer, but ANOTHER night I found Master Volume Control up, the volume had been muted, and in my Internet Explorer browsing history I found that "The Three Swordsmen" had been watched in full on ChinaFlix.com. No one else was home that night. Spooooooky...
I might've muted the volume, I don't remember, with these things happening I'm kinda paranoid, thinking "Did I do that, or was it the malware?" Eventually I ran MalwareBytes, did a full scan, and it found that a bunch of Zero Access rootkit stuff was in C:\System Volume Information. It deleted that stuff. Then I decided to wait for updates here on Bleeping Computer.
Upon getting updates, I decided to do as HelpBot said and try DDS again, as well as GMER. DDS froze once again. GMER ran to completion once again, but also, like before, I got this error message box that said...
LoadDriver( "C:\DOCUME~1\Parent\LOCALS~1\Temp\fflcrpoc.sys" ) error 0xC000010E: Cannot create a stable subkey under a volatile parent key.
ALSO like before, I was unable to check off System, Sections, IAT/EAT, Devices, Modules, Processes, Threads, or Libraries. Perhaps because of this, in conjunction with the MalwareBytes run, GMER detected no system modification. So while it ran to completion, no log popped up. Even though I got a popup even as GMER was running!
Could the reason I'm having trouble running these things be because I'm unable to run things as the Administrator? That's another problem that's come up. When I try to run GMER, or any program, as the Administrator, which I deleted the password on, I get this...
Unable to log on:
Logon failure: user account restriction. Possible reasons are blank passwords not allowed, logon hour restrictions, or a policy restriction has been enforced.
Maybe this Zero Access rootkit has taken Administrator control, and because it has Administrator control, I can't run these programs to full potential. Or maybe it's a process running that's keeping me from running these programs. Or maybe something else?
If this thing is embedded in the TCP/IP stack, I heard there was a way to delete and reinstall the TCP/IP stuff in Command Line.
So as you can see, DDS froze before a log could pop up, and GMER didn't find anything. So I have no log for you guys, unfortunately.
Do I go ahead and run aswMBR?

Went ahead and ran aswMBR. But it wouldn't come up. I first tried running it completely disconnected from the Internet, but it wouldn't come up. Tried running it from the desktop by typing in %USERPROFILE%\Desktop\aswMBR.exe in the Run field, but that didn't work. Tried browsing to it in Task Manager, that didn't work. I think I saw its process pop up briefly, but it went away. I think.
Gulp... I had a similar problem with TDSSKiller when I first tried to get this fixed.

EDIT 2:

Wait! Maybe the reason I can't run aswMBR or TDSSKiller is because of some security settings, possibly coupled with my Administrator powers being clipped or something. See, 'cause on an uninfected computer, when I try to run aswMBR, I get the standard Security Warning prompt asking if I wanna run the program, because aswMBR doesn't have a valid digital signature.
Maybe this rootkit has made it so I don't have the power to run programs without a valid digital signature? And now only the Administrator can, but I can't take Administrator control?
Edited by Kaljinyu, 08 April 2012 - 12:20 PM.