
In Dire need; probable rootkit with no security software


8 replies to this topic

#1 Hunting.Targ

  • Members
  • 50 posts
  • Gender:Male
  • Location:California, USA

Posted 08 July 2013 - 01:07 AM

I got done being assisted in cleaning my desktop computer last week.  Now I am hoping to tackle the 'root' (sorry, couldn't let it go) of the problem:  My wife's notebook seems to be the cause of my desktop's infection with the ZeroAccess rootkit.  The desktop is now clean and running normally (with Avast currently standing guard).  The real problem is that the notebook, while having the same basic user experience symptoms, is not running any security software.  Windows Defender, and also Windows Update, have been disabled, and even after restarting, appear to be disabled after a restart.  After posting in "Am I infected?..." , I was instructed to run dds and post the logs here.  Well, in addition to having new symptoms, including a one-time failure of the security options screen (the screen invoked in Windows by using Ctl+Alt+Del), and now the disappearance of my desktop wallpaper, dds failed to run from the desktop (one time only).

 

While the machine is not currently connected to the internet (there is a firmware switch that turns off the NIC), the problem appears to get more serious every time the machine is restarted.

The general user experience symptoms are: very slow responsiveness of the GUI and all user requests; continuous hard disk use even in the absence of high CPU usage; extremely long response times to requests for system service and component tools, such as Windows Update, Windows Defender, and Control Panel.

Specific symptoms:

  • The desktop background is now black.
  • All desktop icons have been auto-sorted (not by me).
  • One time only, after not responding to various security-related tasks, I tried to invoke the Security Options screen and got the following Critical Failure dialog:


"Failure to display security and shut down options

The logon process was unable to display security and logon options when CTRL+ALT+ DELETE was pressed.  If the operating system does not respond, press ESC or restart the computer by using the power switch."

I did a hard power-off and reboot.

 

  • One time only, dds failed to run from the desktop.  The following text error message displayed:

"BOOTMGR is missing
press Ctl+Alt+Del to restart"

As of this posting, I am waiting for dds to complete (close to an hour now).  If it completes successfully, I will post the logs.  If dds does not complete, or continues to run without any apparent progress, I will terminate it and at least restart Windows Defender.  Right now all I can do is hope that there is still hope.


Furious activity is no substitute for understanding.

-H.H. Williams

 

In a networked world, trust is the most important currency.
    -Eric Schmidt, University of Pennsylvania Commencement Address, 2009

 



#2 Hunting.Targ (Topic Starter)

Posted 08 July 2013 - 03:39 AM

As of this posting, dds had been running for over 2.5 hours.  I eventually moused over the program window, to be met with the following dialog:

This application has stopped responding.  It may recover if you wait.

Do you want to end this process?

End Process     Cancel

Having had enough, I clicked on End Process.  Nothing happened for 15 minutes.  I tried to close the dialog.  Nothing happened.  I tried to invoke the Security Options screen with Ctl+Alt+Del .   Nothing.  After 30 minutes, I opted for a hard power-off.  I then removed both the power cord AND the battery.  The case underneath the location of the CPU was warm to the touch.  I am fairly confident there was no processor damage (the heat duct assembly is made of aluminum coated with copper) - I am just at a loss right now.  There are other options I could pursue to restore some system stability, but I would appreciate some input.



#3 m0le (Can U Dig It?)

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 10 July 2013 - 07:53 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.
  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#4 Hunting.Targ (Topic Starter)

Posted 10 July 2013 - 08:52 PM

Hi, m0le, I am here and hoping that there is still hope.  So that you don't have to read a bunch of background: the notebook is by HP, using an Intel Atom and running Windows 7 Starter.  The notebook had been having symptoms for a couple of weeks when I took it to my home office to diagnose it using the desktop, and that is how the desktop became infected.  I believe the infection vector was a flash drive I was using to (unsuccessfully) attempt to run Windows Defender Offline in an external boot environment.  So my desktop did not become compromised due to inadequate security or poor practices; it was an 'inside job'.

I am working from a fully functional desktop; if you have any questions or instructions before I re-power the notebook, please let me know so that I can be ready to work with you promptly.


Edited by Hunting.Targ, 10 July 2013 - 08:57 PM.


#5 m0le

Posted 11 July 2013 - 06:45 PM

Let's work with the notebook and if that works we should be able to deal with the desktop too.

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using a Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
    Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool (scan your computer's memory for errors)
    Command Prompt

Then:
  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it in your next reply.
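
The step above that has you look up the flash drive letter in notepad exists because the recovery environment often assigns drive letters differently from the normal Windows session. The Windows batch script below is an added helper, not part of m0le's instructions and not part of FRST; it assumes (hypothetically) that it is saved on the same flash drive as frst.exe / frst64.exe and is run from the System Recovery Options command prompt. It scans the drive letters D: through Z: for either FRST executable, launches the one it finds, and reports where FRST.txt should have been written.

```batch
@echo off
rem Added helper (not from the original post or from FRST): locate the flash
rem drive by scanning for frst64.exe / frst.exe, then launch the one found.
rem Assumed usage from the recovery Command Prompt, if the letter is unknown:
rem   for %i in (D E F G) do if exist %i:\run-frst.cmd %i:\run-frst.cmd
setlocal
set "FRST="
for %%i in (D E F G H I J K L M N O P Q R S T U V W X Y Z) do (
    rem "if defined" and "if exist" are evaluated at run time, so no delayed
    rem expansion is needed inside this block.
    if not defined FRST (
        if exist "%%i:\frst64.exe" (
            set "FRST=%%i:\frst64.exe"
        ) else if exist "%%i:\frst.exe" (
            set "FRST=%%i:\frst.exe"
        )
    )
)
if not defined FRST (
    echo No frst.exe or frst64.exe found on drives D: through Z:.
    echo Check that the flash drive is plugged in, then look up its letter
    echo with the notepad File ^> Open step from the instructions.
    exit /b 1
)
echo Launching %FRST%
rem Inside a batch file cmd waits for the program to exit before continuing.
"%FRST%"
rem FRST writes FRST.txt next to its own executable, i.e. on the flash drive.
for %%i in ("%FRST%") do echo Scan log should now be at %%~dpiFRST.txt
endlocal
```

If the script reports nothing found, the flash drive was not mounted in the recovery environment at all, which is a different problem from a wrong drive letter and is worth mentioning in the reply to the helper.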


#6 Hunting.Targ (Topic Starter)

Posted 11 July 2013 - 10:43 PM

Before we continue; My desktop system has already been cleaned up.  I wanted to be clear on that so that we do not get into miscommunication.

 

There is one other weird symptom I will mention now that we are getting underway.  In Windows Explorer, there is a drive Q:, which is listed as 0 bytes, cannot be accessed, and when I reviewed its properties, it has a complete blank on listed permissions.  Not even SYSTEM permissions were present.  This is what clued me in that something bad was happening.

 

As to following your instructions:

I tried getting into recovery mode by following the boot prompt "Press ESC for startup menu" then selecting "F9   Recovery Options" ; I get the 'Windows is loading files' screen, then HP's Recovery Manager software.

I tried pressing F8, and got

"BOOTMGR is missing

Press Ctl+Alt+Del to restart"

I pressed ESC on startup again and selected "F2   System Diagnostics" and got HP software.

 

At no point did I see a way to access a command prompt.  This is an HP notebook; it did not come with a CD drive or an OS install or recovery disk.

 

Can I turn the flash drive into a recovery boot environment and work from there?  Should I just try to install Avast or MSE and see where that goes?

I will patiently await your reply.

 

Edit; I accessed the BIOS settings (I did NOT change anything) and when I exited I got the same message about BOOTMGR.


Edited by Hunting.Targ, 11 July 2013 - 10:52 PM.


#7 m0le

Posted 13 July 2013 - 06:36 PM

BOOTMGR is missing

 
That has to be fixed before we can go any further.

This checklist is useful; the excerpt from it suggests the following reasons (though rootkit damage could be the cause):


The most common reasons for BOOTMGR errors include corrupt and misconfigured files, hard drive and operating system upgrade issues, corrupt hard drive, an outdated BIOS, and damaged or loose hard drive interface cables.

Another reason you might see BOOTMGR errors is if your PC is trying to boot from a hard drive or flash drive that is not properly configured to be booted from. In other words, it's trying to boot from a non-bootable source. This also would apply to media on an optical drive or floppy drive that you're trying to boot from.

 

With these I need to refer you to an operating system forum on Bleeping Computer to test a number of issues. Post a new topic and let me have the link. Once (and if) the boot can be repaired we can then start looking for malware. Until then I will keep this topic open.



#8 Hunting.Targ (Topic Starter)

Posted 15 July 2013 - 10:39 PM

I have started a new topic here.  Please read my post and reply there.  If and when we can get FRST to run, I will post the log file back here, and I expect that thread will have served its purpose.



#9 m0le

Posted 16 July 2013 - 07:11 PM

I'm following the topic. You're in good hands with Anshad