System infected: ZeroAccess Rootkit Activity 4 and TidServ Activity 2

By paulisofi
Feb 6, 2012
  1. paulisofi

    paulisofi Newcomer, in training Topic Starter Posts: 145

    No problem at all. Thanks so much for all your help to begin with. I'll follow your new instructions now.
  2. paulisofi

    Where can I find that "command prompt"?
  3. paulisofi

    never mind... I found it...
  4. paulisofi

    I just opened command prompt and this is what I got:

    Administrator: Command Prompt

    Microsoft Windows [Version 6.0.6002]
    Copyright (c) 2006 Microsoft Corporation. All rights reserved.

    C:\Users\paulisofi>_

    Where am I supposed to type the command

    net user administrator /active: yes

    Right next to

    C:\Users\paulisofi>here???

    Because I tried to create a new command with C:\> but it won't let me, because as soon as I hit enter another identical C prompt with Users\paulisofi> comes up.
  5. Broni

    Broni Malware Annihilator Posts: 45,275   +243

    Yes.
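The step being confirmed here is typing `net user administrator /active:yes` at the `C:\Users\paulisofi>` prompt in an elevated Command Prompt. The following is an added example, not code from the thread: it wraps that same `net user` command and parses its output so the account state can be checked programmatically rather than by eye, and it shows the reverse step (disabling the account again) that a cleanup should end with. The sample `net user Administrator` output embedded below is constructed; the real output is localized, so the "Account active" label only matches on English systems.

```python
"""Check and toggle the built-in Administrator account via `net user`.

Added example; not from the forum thread. Wraps the same command the thread
uses and parses its output so the result can be verified instead of eyeballed.
"""
import platform
import subprocess

# Constructed sample of `net user Administrator` output (Vista/7-era layout),
# so the parser can be exercised without running the command.
SAMPLE_NET_USER_OUTPUT = """User name                    Administrator
Full Name
Comment                      Built-in account for administering the computer/domain
User's comment
Country code                 000 (System Default)
Account active               No
Account expires              Never

Password last set            2/6/2012 10:12:03 AM
Password expires             Never
The command completed successfully.
"""


def parse_account_active(net_user_output: str):
    """Return True/False from the 'Account active' line, or None if absent.

    Note: `net user` prints localized labels; this matches the English one.
    """
    for line in net_user_output.splitlines():
        if line.lower().startswith("account active"):
            # "Account active               No" -> ["Account", "active", "No"]
            value = line.split(None, 2)[2].strip().lower()
            return value == "yes"
    return None


def run_net_user(args):
    """Run `net user <args>` and return (returncode, combined output). Windows only."""
    if platform.system() != "Windows":
        raise OSError("net user is a Windows command")
    proc = subprocess.run(["net", "user", *args], capture_output=True, text=True)
    return proc.returncode, proc.stdout + proc.stderr


def set_builtin_admin(active: bool):
    """Enable (True) or disable (False) the built-in Administrator, then re-read its state.

    Must run from an elevated prompt. Disable the account again once the cleanup
    is finished: a permanently enabled built-in Administrator, possibly with no
    password, is an easy foothold for the next infection.
    """
    flag = "yes" if active else "no"
    rc, out = run_net_user(["Administrator", f"/active:{flag}"])
    if rc != 0:
        raise RuntimeError(f"net user failed ({rc}): {out.strip()}")
    rc, out = run_net_user(["Administrator"])
    return parse_account_active(out)


if __name__ == "__main__":
    print("sample parse (constructed output):", parse_account_active(SAMPLE_NET_USER_OUTPUT))
    if platform.system() == "Windows":
        print("Administrator active after enabling:", set_builtin_admin(True))
```

Usage: on the infected machine, run the script from an elevated Command Prompt; `set_builtin_admin(True)` is the equivalent of the one-line command in the instructions, and `set_builtin_admin(False)` is the step to run when the machine is clean again.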
  6. paulisofi

    Thanks................
  7. paulisofi

    In short, it didn't work. These are the details:

    1.- As soon as safe mode came back on, a pop up similar to the one before came on:

    Microsoft Windows

    Windows has recovered from an unexpected shutdown

    Windows can check online for a solution to the problem.

    View problem details Check for solution Cancel


    2.- I clicked on "View problem details" and this is what opened up (here are the few differences):

    Problem signature

    Problem Event Name: Blue Screen
    OS Version: 6.0.6002.2.2.0.768.3
    Locale ID: 1033

    Additional information about the problem:

    BCCode: a
    BCP1: 00000000
    BCP2: 00000002
    BCP3: 00000001
    BCP4: 8263983C
    OS Version: 6_0_6002
    Service Pack: 2_0
    Product: 768_1

    Files that help describe the problem:

    C:\WINDOWS\Minidump\Mini021212-01.dmp
    C:\Users\paulisofi\AppData\Local\temp\WER-3539600-0.sysdata.xml
    C:\Users\paulisofi\AppData\Local\temp\WERC294.tmp.version.txt

    Read our privacy statement:

    http://go.microsoft.com/fwlink/?link...63&lcid=0x0409


    3.- I followed the instructions to enable built-in administrator account to the letter.

    4.- Restarted pc in normal mode and chose Administrator

    5.- After some time processing the info, a new screen came on, the regular screen when you're normally logged in but with only 3 icons on the desktop, and the error message popped up in a bubble in the system tray. I took two pics of that bubble but since I was hurrying to beat the pop-up before it went away, and struggling to avoid the glare between the camera and the PC, the pics came out too blurry for me to read. I can only make out that it says

    Windows failed to...

    Next time I'll make sure to use the digital voice recorder to record short messages. I'm really sorry about this.

    6.- I then waited a minute or two to see if blue screen would come on, but it didn't so I came back to this pc to post this. Then I heard the typical sound of windows restarting, then it had the two icons to choose:

    Administrator paulisofi

    7.- I didn't do anything since I came back here to post and now again after a few more minutes, I heard the sound of windows restarting one more time. This time I went ahead and shut it down (by choosing "shut down").
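The "Problem signature" block quoted above is the Windows Error Reporting summary of the crash; the minidump it names is what a debugger needs, but the stop code and four parameters already say something on their own. The following is an added example, not code or analysis from the thread: it parses that block (the sample text is copied from the post above) and decodes the stop code using Microsoft's documented meanings for bug check 0xA (IRQL_NOT_LESS_OR_EQUAL) and 0xD1, which share the same parameter layout. The mapping of other stop codes to names is limited to a handful of common ones; the 32-bit kernel-space boundary of 0x80000000 assumes the default 2 GB user/kernel split.

```python
"""Decode a Windows Error Reporting 'Problem signature' block for a blue screen.

Added example; not from the forum thread. The sample text is copied from the
problem details posted above. Stop-code names and the parameter meanings for
0xA / 0xD1 are Microsoft's documented definitions.
"""
import re

# Copied from the problem details in the post above.
PROBLEM_DETAILS = """Problem Event Name: Blue Screen
OS Version: 6.0.6002.2.2.0.768.3
Locale ID: 1033
BCCode: a
BCP1: 00000000
BCP2: 00000002
BCP3: 00000001
BCP4: 8263983C
OS Version: 6_0_6002
Service Pack: 2_0
Product: 768_1
"""

# A few common stop codes; anything else decodes as UNKNOWN.
BUGCHECK_NAMES = {
    0x0A: "IRQL_NOT_LESS_OR_EQUAL",
    0x1E: "KMODE_EXCEPTION_NOT_HANDLED",
    0x50: "PAGE_FAULT_IN_NONPAGED_AREA",
    0x7B: "INACCESSIBLE_BOOT_DEVICE",
    0x7E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED",
    0x8E: "KERNEL_MODE_EXCEPTION_NOT_HANDLED",
    0xD1: "DRIVER_IRQL_NOT_LESS_OR_EQUAL",
}

IRQL_NAMES = {0: "PASSIVE_LEVEL", 1: "APC_LEVEL", 2: "DISPATCH_LEVEL"}


def parse_problem_signature(text):
    """Return {'code': int, 'params': [p1, p2, p3, p4], 'os': str} from WER text."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9 ]+?):\s*(.+?)\s*$", line)
        if m:
            fields.setdefault(m.group(1), m.group(2))  # first 'OS Version' wins
    code = int(fields["BCCode"], 16)
    params = [int(fields[f"BCP{i}"], 16) for i in range(1, 5)]
    return {"code": code, "params": params, "os": fields.get("OS Version", "")}


def decode(sig, pointer_bits=32):
    """Human-readable decode. Parameter meanings are filled in for 0xA/0xD1 only:
    p1 = address referenced, p2 = IRQL at the time, p3 = 0 read / 1 write
    (8 = execute on newer kernels), p4 = address of the instruction that faulted."""
    code, p = sig["code"], sig["params"]
    out = {"stop": f"0x{code:08X}", "name": BUGCHECK_NAMES.get(code, "UNKNOWN")}
    if code in (0x0A, 0xD1):
        addr, irql, op, pc = p
        kernel_base = 1 << (pointer_bits - 1)  # 0x80000000 for a 32-bit 2 GB split (assumed)
        out["referenced"] = f"0x{addr:08X}" + (" (null pointer)" if addr == 0 else "")
        out["irql"] = IRQL_NAMES.get(irql, str(irql))
        out["operation"] = {0: "read", 1: "write", 8: "execute"}.get(op, f"unknown({op})")
        out["faulting_pc"] = f"0x{pc:08X}"
        out["pc_in_kernel_space"] = pc >= kernel_base
    return out


if __name__ == "__main__":
    for k, v in decode(parse_problem_signature(PROBLEM_DETAILS)).items():
        print(f"{k:>18}: {v}")
```

For the signature in the post this decodes to a write to address 0 at DISPATCH_LEVEL from a kernel-space instruction at 0x8263983C: kernel-mode code dereferenced a null pointer while running at an elevated IRQL. Which module that address belongs to cannot be read off the signature; that needs the `Mini021212-01.dmp` file opened in a symbol-aware debugger (WinDbg's `!analyze -v`).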
  8. Broni

    Let's see, if we can look at your computer booting from an external source.

    Please download OTLPE (filesize 120,9 MB)

    • When downloaded double click on OTLPENet.exe and make sure there is a blank CD in your CD drive. This will automatically create a bootable CD.
    • Reboot your system using the boot CD you just created.
      • Note : If you do not know how to set your computer to boot from CD follow the steps HERE
    • Your system should now display a REATOGO-X-PE desktop.
    • Depending on your type of internet connection, you should be able to get online as well so you can access this topic more easily.
    • Double-click on the OTLPE icon.
    • When asked Do you wish to load the remote registry, select Yes
    • When asked Do you wish to load remote user profile(s) for scanning, select Yes
    • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
    • OTL should now start.
    • Press Run Scan to start the scan.
    • When finished, the file will be saved in drive C:\OTL.txt
    • Copy this file to your USB drive if you do not have internet connection on this system
    • Please post the contents of the OTL.txt file in your reply.
  9. paulisofi

    All my blank DVDs are brand new and I think they all need formatting, like what happened to the one I created for the Vista recovery yesterday. How shall I proceed here? Shall I just put the DVD in there and see what happens, or format it now before putting it in? And how should I format it? I'm sorry but I don't usually use DVDs or CDs at all. Only to record and watch TV shows or movies on TV.
  10. paulisofi

    I suppose I should download that from the clean computer but the clean computer has Windows XP and the infected one has Vista. No problem?
  11. paulisofi

    Or should I do that from infected pc? Infected pc has no internet access.
  12. Broni

    Create the CD on good computer.
    Run the program and it'll tell you if something needs to be formatted or not.
  13. paulisofi

    I'm sorry Broni, I had to leave in a hurry for an emergency. I'm totally back hands on to this again. I followed your instructions: put blank DVD in, double clicked on downloaded item and then a pop up asked me:

    Do you want to burn this CD?

    I clicked Yes and then it started to extract. Then ImgBurn came on as if wanting to burn the DVD. A new pop-up came on saying the disk needs formatting and asked me if I wanted to do that. I said Yes, and that's what it's doing right now.
  14. paulisofi

    ImgBurn is burning the DVD now.
  15. paulisofi

    I have the newly created DVD ready and have already put it in the infected machine. I started reviewing the steps of the new instructions and have some questions before proceeding:

    Shall I do the next instruction below on infected computer?

    Infected computer doesn't have internet connection

    For the last instruction above, can I use the same USB flash drive that we used the other day when you asked me to download and install the Panda USB vaccination? The USB flash drive still has the old (infected?) file on it.


    Thanks.
  16. Broni

    Yes.

    Yes.
  17. paulisofi

    Oh, no. It just said Windows XP and this PC is Vista does...
  18. paulisofi

    Sorry... now typing from the phone... it said Windows XP and the infected PC is Vista...
  19. paulisofi

    I won't go on till I hear back from you. I'm afraid something could be wrong here...
  20. Broni

    What said?
  21. Broni

    State your issue more clearly.
    I'm not there :)
  22. paulisofi

    I'm sorry, I try to type as quickly as I can and the phone is not the best device for that, at least for me. Now typing from the clean computer.

    I put the newly created DVD in the infected PC and restarted it. It booted from the DVD automatically and, after a black screen with a bar that filled up in white, Windows came on, but not Windows Vista; it said Windows XP, with the big Windows logo as usual. But up on top it said Windows XP, not Vista.

    Now it's booted all the way. I don't recognize most of the icons though.
  23. paulisofi

    The new screen where machine has booted all the way says reatogo-x-pe
  24. Broni

    You're doing fine.
    You're booting from an external source.
    Follow the rest of my instructions.
  25. Broni

    This is what it should say.
