Virus, Disable Antivirus, Disable Internet

September 20, 2011 at 21:54:47
Specs: Windows XP x86 Pro, Intel 4 GB
Unable to start services and missing services
open any antivirus and start scanning then they disappear
unable to update MSE
unable to change firewall / security settings
disabled internet access

I am able to get into safe mode with networking
ran two scans
Malwarebytes and it found 2
SuperAntiSpyware and it found 500 +
Cookies and a reg key for a toolbar

After running those two scans now my copy of windows is not activated

Need some help. Worst virus I have seen in a while




#1
September 21, 2011 at 08:32:27
Need more of an expert for this kind of stuff. Already done most of that, now trying to fix the damage

Main problems are Copy of Windows is not activated
No Internet / The dependency service does not exist or has been marked for deletion.



#2
September 21, 2011 at 08:56:35
timmytheman2,

Are you able to do a System Restore by using Safe Mode with a Command Prompt and roll back the system to a point when your computer was functioning correctly?
http://support.microsoft.com/kb/304449

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/ Member of UNITE and the
Alliance of Security Analysis Professionals



#3
September 21, 2011 at 08:59:43
No restore points, and possibly they were infected


#4
September 21, 2011 at 11:25:07

See if you can run the following, even if it is in Safe Mode with Networking. You may even have to go to another computer, save it to a USB flash/thumb drive, and then move it to the Desktop of the infected computer. Might have to do some moving around, but that may be the only way...

The bottom line is that some specific info (files, settings, etc.) is needed for a starting point:

Download DDS from one of these locations:
http://download.bleepingcomputer.co...
http://download.bleepingcomputer.co...

Save to your Desktop (or USB Drive, and then move to infected computer)

Double-click the dds file to run it.

When done, DDS opens two logs:
-DDS.txt
-Attach.txt

Save both reports to your Desktop, and you may have to place them on a USB drive, again, and upload them from a clean computer.

Since these reports are large, please go to the Uploading website:
http://uploading.com/files/upload/

In: 'Select files to upload', click 'Browse', and 'Look in' the Desktop.

Select the DDS.txt, and click on 'Open'
You will see the following:
"Your file has been uploaded successfully: (Name and size of the file)"

Please copy the 'Download link'.

Do the same uploading for the Attach.txt.

Please copy the 'Download link', for each report, and provide them in your reply.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/ Member of UNITE and the
Alliance of Security Analysis Professionals



#5
September 21, 2011 at 13:15:36
Infection by ZeroAccess Rootkit--

All Services were disabled -- started some unable to get Dhcp to start due to errors-- the dependency service does not exist or has been marked for deletion
IPsec -- a socket operation encountered a dead network

certain file types no longer work.

DDS seems to be taking a long time to run // 25 mins



#6
September 21, 2011 at 15:02:37
timmytheman2,

ZeroAccess is a nasty RootKit. Have worked with it over and over, lately.

When are you getting those notices?...while running DDS?

Also, are you seeing a file that looks like this (not with the same numbers):

C:\Windows\835460608:4292948942.exe or something like:
835460608:4292948942.exe?

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/ Member of UNITE and the
Alliance of Security Analysis Professionals



#7
September 21, 2011 at 15:06:13
still have the dos window open and showing

#######################################
_ that's it



#8
September 21, 2011 at 15:21:52
Looks as if that is going nowhere...

Please restart the computer, and post back on whether you see the file specified above (Post #7).

You will probably need to use the on/off button to turn the PC off, and then back on.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/ Member of UNITE and the
Alliance of Security Analysis Professionals



#9
September 21, 2011 at 16:11:45
don't see it there


#10
September 21, 2011 at 19:06:37
Need to look a little deeper to see if the file exists. It will throw a wrench in the works, and will not let anything run.

Please enable the viewing of Hidden files as follows:

1. Close all programs so that you are at your Desktop.
2. Double-click on the My Computer icon.
3. Select the 'Tools' menu and click 'Folder Options'.
4. After the new window appears select the 'View' tab.
5. Place a checkmark in the box labeled: 'Display the contents of system folders'.
6. Under the Hidden files and folders section select: 'Show hidden files and folders'.
7. Remove the checkmark from the box labeled: 'Hide file extensions for known file types'.
8. Remove the checkmark from the box labeled: 'Hide protected operating system files'.
9. Press the 'Apply' button and then the 'OK' button.

Now, do a search (Start > Search), and look in the Windows directory for a file such as the following, but, with different numbers:
C:\Windows\835460608:4292948942.exe

You may only find:
C:\Windows\835460608

The ZeroAccess RootKit blocks and locks programs and system files by altering their permissions. The more tools/programs you run to get rid of ZA, the more programs and files it will lock.

Have no clue as to what you have tried to do, but the prognosis here does not look favorable if we cannot obtain any information to work with.

See if you can give this a whirl:

Download AntiZeroAccess:
http://anywhere.webrootcloudav.com/...

Save to the Desktop

To run:
XP users: Double-click antizeroaccess.exe to start the program.

A command (black) window opens.
Type Y to start a system scan, and then press: Enter
Wait until the scan is complete.
Follow the instructions on the screen.

To close the program, press any key.
If a restart is required, do it immediately.

Please post the AntiZeroAccess log in your reply.

You may need to download it to a different computer and use a USB drive to place it on the infected computer.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/ Member of UNITE and the
Alliance of Security Analysis Professionals
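
The file-name check described in posts #6 and #10, as an added example that is not part of the original thread: it scans a list of full paths (for instance, a directory listing saved from the affected machine) for an all-digit name directly under the Windows directory, with or without the `:<digits>.exe` part, which is NTFS alternate-data-stream syntax. The function names and the sample listing are assumptions made for illustration; the listing is constructed.

```python
import re
from collections import defaultdict

# Pattern from the thread: an all-digit name directly under the Windows
# directory, optionally followed by ":<digits>.exe" (NTFS stream syntax).
PATTERN = re.compile(
    r"^[A-Za-z]:\\windows\\(?P<base>\d+)(?::(?P<stream>\d+\.exe))?$",
    re.IGNORECASE,
)

# Constructed sample listing: the thread's illustrative numbers plus one
# made-up value and some entries that must not match.
SAMPLE_LISTING = [
    r"C:\WINDOWS\explorer.exe",
    r"C:\WINDOWS\835460608",
    r"C:\WINDOWS\835460608:4292948942.exe",
    r"C:\WINDOWS\system32\12345678",   # not directly under Windows
    r"C:\WINDOWS\20110921.log",        # digits, but has an extension
    r'"C:\WINDOWS\1027335301"',        # quoted, bare numeric name only
]

def find_candidates(paths):
    """Map each matching base path to the sorted stream names seen on it.

    An empty list means only the bare numeric file appeared in the listing.
    """
    hits = defaultdict(set)
    for raw in paths:
        path = raw.strip().strip('"')
        m = PATTERN.match(path)
        if not m:
            continue
        base_path = path[: m.end("base")].lower()
        streams = hits[base_path]          # registers the bare file too
        if m.group("stream"):
            streams.add(m.group("stream").lower())
    return {base: sorted(names) for base, names in hits.items()}

def report(paths):
    """Return one human-readable line per candidate, sorted by path."""
    lines = []
    for base, streams in sorted(find_candidates(paths).items()):
        detail = "stream(s) " + ", ".join(streams) if streams else "bare numeric file only"
        lines.append(f"{base}: {detail}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LISTING)))
```

A match is only a lead for further inspection; other software can create all-digit file names in the Windows directory.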



#11
September 21, 2011 at 19:48:31
Webroot AntiZeroAccess 0.8 Log File
Execution time: 21/09/2011 - 21:46
Host operation System: Windows Xp X86 version 5.1.2600 Service Pack 3
21:46:20 - CheckSystem - Begin to check system...
21:46:20 - OpenRootDrive - Opening system root volume and physical drive....
21:46:21 - C Root Drive: Disk number: 0 Start sector: 0x0000003F Partition Size: 0x4A856E82 sectors.
21:46:21 - PrevX Main driver extracted in "C:\WINDOWS\system32\drivers\ZeroAccess.sys".
21:46:21 - InstallAndStartDriver - Unable to start AntiZeroAccess driver. StartService last error: 1084
21:46:55 - StopAndRemoveDriver - AntiZeroAccess Driver is stopped and removed.
21:46:55 - StopAndRemoveDriver - File "ZeroAccess.sys" was deleted!
21:46:55 - Execution Ended!


