Rootkit: Can't get rid of it!

November 20, 2011 at 04:24:11
Specs: Windows XP
Hi there,

I was contacted by a neighbour this morning as they were having problems with their printer, so I went round to investigate.

According to TDSSKiller, which won't cure the problem, it appears they have a rootkit infection by the name of Rootkit.Win32.zaccess.e (the service seems to be related to an AVG file located in C:/windows/system32/drivers).

I tried running Malwarebytes Anti-malware but it won't run.

Furthermore, I tried restarting in Safe Mode, but I am presented with a blue screen, so that won't work either.

The CD drive isn't detected (neither is the printer, hence the printer problem they were having), so creating a CD on another computer and running it on the infected computer is out of the question.

The internet on the infected computer had google redirecting problems, but now the internet will not work at all (therefore I cannot download programs to create logs etc.).

I found an article about deleting items of the registry, but those files are not present, so that's not possible either.

System restore won't work either.

A 'privacy protection' virus was also present, however, I managed to remove that.

Due to the fact I can't get any new programs on it to attempt to get rid of it, I suspect the only way may be to boot from the Windows XP CD and reformat the hard drive when reinstalling Windows!

Any advice would be great, as my neighbours are relying on me to get rid of the virus as they don't want to pay extortionate removal prices!

Many thanks in advance!

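One check worth making before deciding between cleaning and rebuilding is to see exactly which kernel drivers are registered as services and whether their files carry a valid Authenticode signature, since the post above describes a rootkit service pointing at a file in system32\drivers. The script below is an added example, not code from this thread or from any of the tools mentioned in it. It assumes Windows PowerShell 2.0 has been installed on the XP SP3 machine (carried over on the USB stick, as the replies suggest for the other tools) and that it runs from an administrator account. Two caveats: many in-box XP drivers are catalog-signed rather than embedded-signed, so legitimate files can show as NotSigned here and the output is a triage list, not a verdict; and a live rootkit can hide its own file or service from anything running on the infected system, which is exactly why the replies push for running tools from Safe Mode or a clean boot.

```powershell
# Added driver-triage script (not from the thread). Assumes Windows PowerShell 2.0
# on XP SP3, run as administrator. Lists every kernel driver registered as a
# service, checks the file's Authenticode signature, and flags anything odd.
# Caveat: catalog-signed in-box drivers may report NotSigned on XP.

$driverDir = Join-Path $env:SystemRoot 'system32\drivers'

$report = Get-WmiObject Win32_SystemDriver | ForEach-Object {
    $path = $_.PathName
    # WMI can return \SystemRoot\..., \??\C:\... or bare system32\... paths; normalise them
    if ($path) {
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot
        $path = $path -replace '^\\\?\?\\', ''
        $path = $path -replace '^system32\\', ((Join-Path $env:SystemRoot 'system32') + '\')
    }

    $exists = $false
    $sig    = $null
    $signer = ''
    if ($path -and (Test-Path -LiteralPath $path)) {
        $exists = $true
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }

    # Build a list of reasons this entry deserves a second look
    $suspect = @()
    if (-not $exists) {
        $suspect += 'file missing or hidden'
    } else {
        if ($sig.Status -ne 'Valid')          { $suspect += "signature: $($sig.Status)" }
        if ($path -notlike "$driverDir\*")    { $suspect += 'outside system32\drivers' }
    }

    New-Object PSObject -Property @{
        Service   = $_.Name
        Display   = $_.DisplayName
        State     = $_.State
        StartMode = $_.StartMode
        Path      = $path
        Signer    = $signer
        Flags     = ($suspect -join '; ')
    }
}

# Show flagged drivers first, then save the full list to the desktop so it can be
# carried off the machine on the USB stick for a second opinion.
$report | Where-Object { $_.Flags } | Sort-Object Service |
    Format-Table Service, State, StartMode, Flags, Path -AutoSize

$report | Export-Csv -NoTypeInformation -Path (Join-Path $env:USERPROFILE 'Desktop\drivers.csv')
```

Read the flagged rows against the service names TDSSKiller reported: a running driver whose file is missing from disk, or whose path sits outside system32\drivers, is the pattern to chase first, and the CSV gives a record of the machine's state before any cleaner rewrites it.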

November 20, 2011 at 06:55:41
rkill should kill off the rootkit; then you should be able to run TDSSKiller and Malwarebytes. I would suggest getting a clean copy of all three (maybe on a USB, if that's an option, since the CD is out), and then running them from Safe Mode.

It looks like you have an identical post on several other sites as well?

November 20, 2011 at 14:20:37
Can you boot from a USB?

rKill would be great, if so.

You can try renaming MBAM.

Or if you can get into TM, nuke most of the processes.

Or in msconfig, disable anything suspicious.

Or Safe mode, command line only, and run C:\windows\system32\restore\rstrui.exe . Try that first.


November 22, 2011 at 00:41:37
Hi WhatsOccurrin,

You have a very nasty rootkit; TDSS and MBAM will not remove this one totally.
I suggest you run ComboFix from this link and follow the instructions exactly.
At the end the virus will be removed, but you will have no internet connection.
A cool program called D7 will cure this; download from this link:
No need to install the 3rd-party tool kit; after loading, go to the Repair tab and work your way down the networking list.
Here is a great tutorial on D7 installation and setup.
NOTE: You will have to download both programs onto a USB flash drive.

November 22, 2011 at 16:41:07
Hi guys,

Cheers for the replies.

I've solved the issue now by reinstalling Windows and formatting the hard drive. It was the best option in the end, since the computer is 6 years old anyway and hasn't had a reformat since (and consequently was stupidly slow).

Thanks again! Much appreciated!


November 22, 2011 at 16:52:50
You're most welcome. With a rootkit like this one, there is no way to remove it 100% guaranteed, as it is a rather nasty one. And even 1% left behind could mean your PC's security being compromised.