Requesting help 'by the numbers, from the top' ; probable rootkit


4 replies to this topic

#1 Hunting.Targ

Posted 06 July 2013 - 08:52 PM

I am asking for help with the machine that has started all of my recent troubles; an HP Mini notebook (Intel Atom, Windows 7 Starter, no CD drive).  It appears to have been the cause of infection of my desktop computer by the ZeroAccess Rootkit.  User experience symptoms are continuous hard drive access (even while CPU usage is low), very poor responsiveness, and spontaneous disabling of Windows Update.

The desktop has been running MSE; tragically, the notebook has been running no security software of any kind (except probably Windows Firewall).  The computer has not been left unattended with internet access (it is often connected by WiFi while on, but is often disconnected after use), and almost always shut off when a session is finished.  Understanding this, and how insidious rootkits are, and that the machine may be seriously infected, I am asking for 'ground-zero' assistance.

For background, the troubleshooting history for the subsequently infected machine can be found in these two threads.


Edited by Hunting.Targ, 06 July 2013 - 09:01 PM.

Furious activity is no substitute for understanding.

-H.H. Williams

 

In a networked world, trust is the most important currency.
    -Eric Schmidt, University of Pennsylvania Commencement Address, 2009

 



 


#2 noknojon

Posted 06 July 2013 - 10:43 PM

Hello -

First - Is this a new topic and not related in any way to the last topic that you just finished?

I think I noted your last one was a Vista based computer.

We can start after you reply to this post -

 

Thank You.



#3 Hunting.Targ

Posted 06 July 2013 - 11:51 PM

It is, I believe, related, as the machine currently in question may have been the source of the other machine's infection.  However, I chose to start a new topic because:

1.  The two topics are concerning two separate machines with different OSes (Windows 7 Starter versus Windows Vista);

2.  The machine that has been cleaned is using Microsoft Security Essentials, where the machine I am posting about now has NO anti-malware protection; the nature and extent of infection and compromise may be, and likely is, therefore different than the other machine;

3.  I do not believe that the infection spread by a network connection or by direct connection, but by removable media (a flash drive);

4.  I had already taken steps to diagnose and disinfect the other machine.  I did not detect the rootkit or its activity directly on the other machine; I confirmed its compromised state when an anti-malware program (Avast) detected exploits of Java and Internet Explorer.

 

These are the reasons I started a separate topic for this issue.  If you feel this is inappropriate, or if you want more detailed information, I would suggest speaking with JSntgRvr, who walked me through diagnosis and cleaning of the other machine.

 

P.S.  Windows Defender had stopped;  I restarted it. I will turn the machine off and see if it starts the next time it is booted up.  Also, it takes a llooonnggg time to start the Task Manager (I have a shortcut set to Run as Administrator, so using the shortcut automatically incurs the User Account Control interface dialog).


Edited by Hunting.Targ, 07 July 2013 - 12:05 AM.


#4 noknojon

Posted 07 July 2013 - 12:08 AM

I scanned over your posts with JSntgRvr and as this is semi-related, the best idea is to post to the same area -

Please follow the instructions in ==>This Guide<== starting at Step #6.  If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<== 
Please include a description of your computer issues, what you have done to resolve them, if any.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.
NOTE : Please Copy / Paste all logs requested, and do not use Attach unless specifically asked -

 

Good luck and be very patient, as the area can get very busy.

 

If HelpBot replies to your topic, PLEASE follow his Step One so it will report your topic to the team members.

 

Thank You -

EDIT - Try again to install MSE on this machine while you wait for further help -

Install M.S.E.  http://windows.microsoft.com/en-US/windows/products/security-essentials


Edited by noknojon, 07 July 2013 - 12:12 AM.


#5 Hunting.Targ

Posted 07 July 2013 - 02:12 AM

Please follow the instructions in ==>This Guide<== starting at Step #6.  If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<== 
Please include a description of your computer issues, what you have done to resolve them, if any.

 

Got it.

NOTE : Please Copy / Paste all logs requested, and do not use Attach unless specifically asked -

 

Thank you, have been.

 

EDIT - Try again to install MSE on this machine while you wait for further help -

I don't think I will try installing anything new at this stage; the machine is disconnected from the internet by a firmware switch, so no commands can be issued to the machine.

I should be able to move plain text files to the working machine via flash drive (infection probably happened due to keeping the flash drive plugged in during reboot on both machines).  At this point I don't want to leave the machine open to sending alerts or receiving commands.

 

Thx much.

