Inactive System infected: ZeroAccess Rootkit Activity 4 and TidServ Activity 2

Yes, while booting to normal. The screen is all black with a bar that fills up quickly and starts over continuously (like it normally does), and below that it says "microsoft corporation". Normally it does this for a minute or less... now this is extremely, unusually long...
 
I'm going to bed, but if you have time, reboot to that DVD you created, but this time, instead of going to "Command Prompt", click on "Startup Repair".

See you tomorrow :)
 
Hi Broni,

So, after we last talked, I continued working some more. This is what I did and the results I've had.

1.- I forced the PC to turn off by pressing the power button.

2.- I turned the PC back on and tapped F8 to go to Safe Mode in order to put the created CD in the CD drive.

3.- I restarted the PC and booted from the created CD.

4.- I followed the same steps as before.

5.- Instead of selecting "Command Prompt", I selected "Startup Repair".

6.- No problems were found. Just in case you need additional details, I'm posting the full message received.


Startup Repair could not detect a problem


If you have recently attached a device to this computer such as a camera or portable music player, remove it and restart your computer. If you continue to see this message, contact the system administrator or computer manufacturer for assistance.



Review diagnostic and repair details (---> this was in light blue color)

Review advanced options for system recovery and support (----> in light blue too)



Back (--->not highlighted) Finish (--->highlighted) Cancel (--->option available)


7.- I clicked on the first link in light blue, "Review diagnostic and repair details", and this is what came up.


Startup Repair

Startup Repair diagnosis and repair log
----------------------------
Last successful boot time: 2/12/2012 7:54:54 (GMT)
Number of repair attempts: 1

Session details
----------------------------
System Disk = \Device\Harddisk0
Windows directory = C:\Windows
AutoChk Run = 0
Number of root causes = 1

Test Performed:
---------------------------
Name: Check for updates
Result: Completed successfully. Error code = 0x0
Time taken = 0 ms

Test Performed:
---------------------------
Name: System disk test
Result: Completed successfully. Error code = 0x0
Time taken = 0 ms

Test Performed:
---------------------------
Name: Disk failure diagnosis
Result: Completed successfully. Error code = 0x0
Time taken = 203 ms

Test Performed:
---------------------------
Name: Disk metadata test
Result: Completed successfully. Error code = 0x0
Time taken: 62 ms

Test Performed:
---------------------------
Name: Target OS test
Result: Completed successfully. Error code = 0x0
Time taken = 94 ms

Test Performed:
---------------------------
Name: Volume content check
Result: Completed successfully. Error code = 0x0
Time taken = 93 ms

Test Performed:
---------------------------
Name: Boot manager diagnosis
Result: Completed successfully. Error code = 0x0
Time taken = 63 ms

Test Performed:
---------------------------
Name: System boot log diagnosis
Result: Completed successfully. Error code = 0x0
Time taken = 0 ms

Test Performed:
---------------------------
Name: Event log diagnosis
Result: Completed successfully. Error code = 0x0
Time taken = 47 ms

Test Performed:
---------------------------
Name: Internal state check
Result: Completed successfully. Error code = 0x0
Time taken = 0 ms

Test Performed:
---------------------------
Name: Boot status test
Result: Completed successfully. Error code = 0x0
Time taken = 0 ms

Root cause found:
---------------------------
Boot status indicates that the OS booted successfully.

---------------------------
---------------------------

Close (------> this was a clickable button)

8.- I clicked the "close" button and then clicked on the "Restart" button of the previous window, which was the last window in your instructions:

System Recovery Options

Choose a recovery tool

Operating system Microsoft Windows Vista on (C:) hp (----> Note: in your instructions it said "(C:) Local Disk", but on my computer it said "(C:) hp")

... And then all the exact options as in your instructions: startup repair, system restore, Windows Complete PC Restore, Windows Memory Diagnostic Tool, Command Prompt.

9.- So, I clicked "Restart", quickly removed the created CD, and let it boot in normal mode, but it never did. It got stuck in exactly the same place as before: the screen that comes up right after the normal initial blue screen that has the HP logo and, on the bottom, gives you different options with the F keys, among a couple of other things that I don't remember at this time. The screen where the PC got stuck again is all black with a bar that has 3 or 4 small green squares in a row that keep moving forward quickly, and when they get to the end of the bar they start again from the beginning, on and on like that. It looked as if the machine were really booting up. But I could not hear any noise or sound or anything coming from the CPU; it was really silent, not doing anything at all.

10.- I let this screen run like this for about 15 or 20 minutes, hoping that it would eventually boot up, but nothing happened. So then I pressed the PC's power button and forced the machine to turn off.

That's all I did, and now I'm going to bed. I'll talk to you tomorrow, Sunday.
 
While in safe mode....

Go Start>Run (Start Search in Vista), type in:
msconfig
Click OK (hit Enter in Vista).

Click on Startup tab.
Click Disable all
IMPORTANT! In case of a laptop, make sure you do NOT disable any keyboard or touchpad entries.

Click Services tab.
Put checkmark in Hide all Microsoft services
Click Disable all.

Click OK.
Restart computer in Normal Mode.

NOTE. If you use a different firewall than Windows Firewall, turn Windows Firewall on just for this test, since your regular firewall won't be running.
If you use Windows Firewall, you're fine.

Same problem?
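As an added example, not part of this thread and not something Broni posted: a read-only PowerShell inventory of the same autostart locations and non-Microsoft services that the msconfig steps above disable, so the state before "Disable all" is recorded and can be compared against a clean machine. It assumes an elevated PowerShell session on the affected computer (Vista does not ship PowerShell; it has to be installed separately), and the Microsoft/non-Microsoft split is a heuristic on the service binary's CompanyName version string, which can be missing or forged, so treat the output as a triage list, not a verdict.

```powershell
# Added example, not from the thread: inventory what msconfig's "Startup" tab and
# "Hide all Microsoft services" view cover, without disabling anything.
# Assumes an elevated PowerShell session on the affected machine.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

Write-Host "== Registry Run / RunOnce entries =="
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $item = Get-ItemProperty -Path $key
        foreach ($p in $item.PSObject.Properties) {
            # PSPath, PSParentPath etc. are PowerShell metadata, not autostart values
            if ($p.Name -notlike 'PS*') {
                "{0}`n    {1} = {2}" -f $key, $p.Name, $p.Value
            }
        }
    }
}

Write-Host "== Startup folder entries =="
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # current user
    [Environment]::GetFolderPath('CommonStartup')   # all users
)
foreach ($d in $startupDirs) {
    if (Test-Path $d) {
        Get-ChildItem -Path $d | ForEach-Object { $_.FullName }
    }
}

# Heuristic: pull the executable out of a service's command line and read the
# CompanyName from its version resource. Null means no version info (or the
# file is missing), which is itself worth a look.
function Get-ServiceCompany {
    param([string]$PathName)
    if ($PathName -match '^"?([^"]+?\.(exe|sys))') {
        $exe = $Matches[1]
        if (Test-Path $exe) {
            return (Get-Item $exe).VersionInfo.CompanyName
        }
    }
    return $null
}

Write-Host "== Services whose binary is not signed off as Microsoft (heuristic) =="
Get-WmiObject -Class Win32_Service |
    ForEach-Object {
        $company = Get-ServiceCompany -PathName $_.PathName
        # Keep anything whose CompanyName is absent or does not start with "Microsoft";
        # a forged CompanyName would slip past this, hence "heuristic".
        if (-not $company -or $company -notlike 'Microsoft*') {
            New-Object PSObject -Property @{
                Name      = $_.Name
                StartMode = $_.StartMode
                State     = $_.State
                Company   = $company
                PathName  = $_.PathName
            }
        }
    } |
    Sort-Object StartMode, Name |
    Format-Table Name, StartMode, State, Company, PathName -AutoSize
```

Run it once before the msconfig clean boot and once after the machine has been cleaned; the diff between the two lists is the set of entries worth explaining. A service whose executable lives under the Windows directory but reports no CompanyName, or one that was added to a RunOnce key, deserves a closer look than a plainly named vendor updater.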
 
Hi Broni,

I'll follow your new instructions now, but I wanted to tell you that on the infected computer I regularly use Norton Antivirus (with firewall), but all that is turned off at this time. I haven't turned it back on since that time you asked me to turn it off. In other words, the PC has no protection on at this time. In regards to Windows Firewall, I remember the other day, after I turned off Norton, I wanted to make sure Windows Firewall was off too, but it continuously said there was an error with that firewall. It wouldn't say what type of error, though. How shall I proceed now in regards to Windows Firewall before I follow your most recent instructions?
 
In short, yes, same problem. I'll explain in case you need details:

1.- As soon as Safe Mode came back on, a pop-up came up as well, saying:

Microsoft Windows

Windows has recovered from an unexpected shutdown

Windows can check online for a solution to the problem.

View problem details Check for solution Cancel


2.- I clicked on "View problem details" and this is what opened up:

Problem signature
Problem Event Name: Blue Screen
OS Version: 6.0.6002.2.2.0.768.3
Locale ID: 1033

Additional information about the problem:
BCCode: a
BCP1: 00000000
BCP2: 00000002
BCP3: 00000001
BCP4: 8266883C
OS Version: 6_0_6002
Service Pack: 2_0
Product: 768_1

Files that help describe the problem:
C:\WINDOWS\Minidump\Mini021112-01.dmp
C:\Users\paulisofi\AppData\Local\temp\WER-69623-0.sysdata.xml
C:\Users\paulisofi\AppData\Local\temp\WERFBEA.tmp.version.txt

Read our privacy statement:
http://go.microsoft.com/fwlink/?linkid=50163&lcid=0x0409


3.- I clicked "Cancel", followed your steps in msconfig, and then clicked on "Restart".

4.- The computer seemingly booted up all the way, because it went past that black screen with the bar and the moving green blocks with "microsoft corporation" below, and it took me to that screen where I need to enter my login password.

5.- I entered my login password, and after processing the information for a while, I got a black screen with a small pop-up that said:

Location is not available

C:\Windows\s ystem32\config\systemprofile\Desktop is not a
Access is denied.

OK


6.- I left the computer there, on that screen, and came back here to post this to you. Less than a minute went by, and I passed by the infected computer to go to the bathroom and noticed that it had restarted automatically and was sitting exactly at the blue error screen. I ran back to get the camera to take a picture of it, but when I got back, the blue screen went away and the computer automatically restarted again. So I tapped F8 to go into Safe Mode, in case trying to boot in normal mode would cause some damage or something.

7.- That's where the PC is at right now, in Safe Mode, ready for me to enter my login password.
 
Sorry, #5 should read:

Location is not available

C:\Windows\system32\config\systemprofile\Desktop is not accessible
Access is denied.

OK
 