ZeroAccess botnet infection files hidden

Dell / Latitude d620...
December 30, 2013 at 05:49:30
Specs: Windows XP, Core2Duo
I got the following e-mail from my ISP.

=====================================================================

AT&T IISS Network Security <netsec@att.net>
Dec 27 (3 days ago)

to ctg8273, ctgarrett, dawgfan1785

Important computer safety notice from AT&T Internet Services Security Center - Bot Traffic Detected
Site ID: ctg8273@bellsouth.net
Primary Account Holder: GARRETT
Billing Acct Ending: xxxx
Dear GARRETT (Primary Account Holder),

AT&T has received information indicating that one or more devices using your Internet connection may be part of a zombie computer network (“botnet”). Internet traffic consistent with a bot infection was observed on Dec 26, 2013 at 7:40 AM EST from the IP address 98.80.182.75. Our records indicate that this IP address was assigned to you at this time. Infection details:

Type: ZeroAccess
Source port: 50589
Destination IP: 174.xx.xx.247
Destination port: 16471
For security reasons, the destination IP is partially obscured.

Botnets are networks of computers which have been infected with malicious software and placed under the control of a hacker or group of hackers. They are often used for attacks on websites, spamming, fraud, and distribution of malicious software. Because bots are designed to run in secret, an infected computer may display no obvious symptoms.

To address this problem we ask that you take the following actions. If your computer(s) are managed by an Information Technology (IT) group at your place of work, please pass this information on to them.
If you use a wireless network, ensure that your wireless router is password-protected and using WPA or WPA2 encryption (use WEP only if WPA is not available). Check the connections to the router and ensure that you recognize all connected devices. This will ensure that an infected computer owned by someone else is not using your Internet connection.
Update the security software on your system and install any necessary service packs or patches.
AT&T offers a free online scan tool PC Health Check that will scan for virus/spyware activity at https://pccheck.att.com/. AT&T also offers the AT&T Security Suite; see http://www.att.net/iss. (You must be logged in with the Master Account ID to download AT&T Security Suite).
When you have taken action, please respond by forwarding this email to abuse@att.net with an acknowledgement of: “I am taking steps to address this infection.” When we receive such an acknowledgment, we can maintain the high quality of service you expect from us. We welcome feedback on what removal tools or methods were used.
Additional tools and information:

AT&T PC Health Check: https://pccheck.att.com/
Microsoft Security Essentials: http://www.microsoft.com/security_e...
Microsoft Safety Scanner: http://www.microsoft.com/security/s...
OS X Gatekeeper: http://support.apple.com/kb/HT5290
Malwarebytes Anti-Malware: http://malwarebytes.org/
Spybot +AV: http://www.safer-networking.org/
Regards,

AT&T Internet Services Security Center


DISCLAIMER: The information above contains links to software by third-party vendors (hereafter, “the Software”). AT&T is not responsible for support or assistance for any of the Software. If you need support or assistance with any of the Software, please contact the Software's vendor directly. AT&T is unable to provide a warranty or guarantee, either expressed or implied, for any of the Software. You will be responsible for your own system software and system security and not hold AT&T, its partners, agents or affiliates liable for any costs or damages whatsoever (including, without limitation, damages to access system, hardware and/or software) to your computer as a result of installing or using any of the Software. You also understand that use of all hardware and/or software must comply with the Bellsouth Acceptable Use Policy.
Important Note: This email contains links to various websites. You may copy and paste the URL(s) into your browser rather than clicking directly on the link.

©2013 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners.
Privacy Policy (Updated September 16, 2013)

=====================================================================

This may take a while. This is my dad's laptop running Windows XP; it is from his work. Back in 2010 or 2011 it had a very bad infection that hid everything, and also an MBR virus; I do not remember all the details. But I thought I had it all clean. I personally would have done a reinstall if it were mine, but that is not really an option because of so much work-related software etc. on the drive. It has gone back downhill ever since. A lot of his programs are still hidden, and a lot of things in the Start menu are hidden, like Disk Defragmenter (the one in XP under System Tools). This is really, really a mess. I need some expert help to get this all cleaned up. The e-mail came because on the 26th, thinking I had it all clean, I connected it to my router, and the next thing I know, a few days later I get the e-mail. I know there is someone who can give some advice. BTW, I have restored a backup I did before I did any scans, so this is just like it was when I got it from my dad; the reason is that the things I was doing were not working, so I restored and decided to get some expert advice. The system POSTs, then boots to a screen where I can select Recovery Console (which was required when I used ComboFix before) and also an option for the debugger. If I select Recovery Console I get an error:
TRAP 00010010 =================EXCEPTION=========================
Then a bunch of funny writing.
I have an XP Professional CD; I may need it to boot to the Recovery Console and maybe run ComboFix from a USB flash drive. I am in EST time, if anyone across the pond helps.
Thanks

Laptop Dell Latitude D620 Core2Duo
Windows XP Pro SP3
Desktop HP Pavilion p6533w
AMD Dual Core 3.0
Windows 7 Home Premium
Server Windows XP Pro SP3
3.0 Ghz 3 GB Ram

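Added example, not part of the thread or of AT&T's notice: a small Python script that applies the kind of check behind the notice above to a router or flow-exporter log. It matches UDP flows to the ZeroAccess peer-to-peer ports (16464, 16465, 16470 and 16471; the notice names 16471) and flags an internal host that reaches several distinct remote peers on them, which is the bot's peer-list chatter rather than one stray packet. The log format, the sample records and the threshold are constructed for the example; the notice does not say which protocol was seen, and a port match alone is a lead rather than proof, since other software can use those ports.

```python
import re
from collections import defaultdict

# ZeroAccess peer-to-peer ports (UDP), as documented for the 2012-era
# variants; 16471 is the port named in the AT&T notice.  A hit on these
# ports is a lead, not proof: other software can use them.
ZEROACCESS_P2P_PORTS = {16464, 16465, 16470, 16471}

# Constructed sample flow records (not real traffic).  Format assumed here:
# "<timestamp> <proto> <src>:<sport> -> <dst>:<dport> <bytes>", one per line.
SAMPLE_FLOWS = """\
2013-12-26T07:40:01 UDP 192.168.1.23:50589 -> 203.0.113.9:16471 172
2013-12-26T07:40:02 UDP 192.168.1.23:50589 -> 203.0.113.77:16464 172
2013-12-26T07:40:03 TCP 192.168.1.23:49221 -> 198.51.100.14:443 5120
2013-12-26T07:40:04 UDP 192.168.1.23:50589 -> 192.0.2.200:16465 172
2013-12-26T07:40:05 UDP 192.168.1.40:52011 -> 198.51.100.53:53 80
2013-12-26T07:40:06 UDP 192.168.1.23:50589 -> 198.51.100.8:16470 172
2013-12-26T07:40:07 TCP 192.168.1.40:51000 -> 203.0.113.5:16471 900
not a flow record
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<bytes>\d+)\s*$")


def parse_flow(line):
    """Parse one record into a dict, or return None for lines that do not fit."""
    m = FLOW_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "bytes"):
        rec[key] = int(rec[key])
    return rec


def zeroaccess_suspects(flow_text, min_peers=3):
    """Return {src_ip: {"peers": [(dst, dport), ...], "sports": [...]}} for
    internal hosts that sent UDP to at least `min_peers` distinct remote
    hosts on the ZeroAccess P2P ports.  Requiring several peers separates
    peer-list chatter from one stray datagram; the source port is recorded
    because the ISP notice reports it too.  TCP hits are ignored because
    the P2P protocol is UDP."""
    peers = defaultdict(set)
    sports = defaultdict(set)
    for line in flow_text.splitlines():
        rec = parse_flow(line)
        if rec is None or rec["proto"] != "UDP":
            continue
        if rec["dport"] in ZEROACCESS_P2P_PORTS:
            peers[rec["src"]].add((rec["dst"], rec["dport"]))
            sports[rec["src"]].add(rec["sport"])
    return {
        src: {"peers": sorted(p), "sports": sorted(sports[src])}
        for src, p in peers.items()
        if len({dst for dst, _ in p}) >= min_peers
    }


if __name__ == "__main__":
    for src, info in zeroaccess_suspects(SAMPLE_FLOWS).items():
        print(f"{src}: {len(info['peers'])} peers on ZeroAccess ports, "
              f"source port(s) {info['sports']}")
```

Run as-is it reports the constructed host 192.168.1.23 (four peers from source port 50589) and ignores the host that only did DNS and a TCP connection to 16471; point it at a real export by feeding the file contents to zeroaccess_suspects() after adjusting FLOW_RE to that exporter's layout.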

#1
December 30, 2013 at 07:59:34
mmm this one may take more expertise than I may be able to offer; but there are one or two here who are well across the pests issue in depth…

Meanwhile I suggest you boot the system as is with a Linux disk (Ubuntu is a common favourite). You can then access "all" the data/personal files etc. on the hard drive (HD) and save them to external media. I usually go with DVD as a minimum and ideally make a second copy of said files to another (external) HD; this as no medium is perfect and "can" fail at any time…

Verify the copies are accessible - if possible via the Linux boot-up, and perhaps another working system; although as there is a pest involved here... I'd be inclined to consider involving another computer very carefully.

"When" you have the system up and running again, scan those copies too - just to be certain there "ain't nuthin nasty" that managed to hide there too...

While you are booted up via Linux/Ubuntu - go on-line and run a few of the freebie scans "out there".

Sophos, Avast, AVG, all of them; do them one at a time of course… and Trend Housecall is another to use.

Trend Housecall you go to:

http://www.trendmicro.co.uk/campaig...

The others are sophos.com, avast.com, avg.com

Ubuntu is available as a freebie download ISO - which you burn to a DVD; and then boot with that DVD. It boots into RAM only; and the installed HD is merely a resource for the Linux OS to access etc…

This way you can safeguard all the important stuff on the HD - and then safely consider assorted options to repair/rebuild…

Worst case - a total wipe/re-install. But possibly appropriate pest treatment may do what's needed…

Pests involving the mbr can be nasty to deal with; similarly rootkit invasions…

Bitdefender (there is a freebie version of that too...) may resolve mbr pests - and possibly rootkit as well:

http://www.bitdefender.com/toolbox/...

Bitdefender is well regarded here by some of those more expert in pest removals…

Likewise Malwarebytes - may help:

http://www.malwarebytes.org/lp/malw...

Sophos may well resolve any rootkit issues (they claim their freebie version will…)

Incidentally - "are you absolutely sure" the email(s) came from your ISP… There is a growing presence of "fake" emails that purport to be from a source "you" may know.. but aren't from that source… Even selecting them - but not actually opening some of them nowadays is enough for them to drop a nasty - and the damage is done… And clicking on any links within them of course - even more so…

I have to say my nose twitches on this one (think of Samantha in Bewitched..); something within the content of the email doesn't feel right...


#2
December 30, 2013 at 08:29:04
Let's confirm their findings.

Run RogueKiller
http://www.softpedia.com/get/Securi...
http://www.softpedia.com/progScreen...
http://majorgeeks.com/RogueKiller_d...
http://www.geekstogo.com/forum/file...
http://tigzy.geekstogo.com/roguekil...
http://www.sur-la-toile.com/RogueKi...
User Guide
http://www.adlice.com/softwares/rog...
Official tutorial
http://tigzyrk.blogspot.fr/2012/11/...
If RogueKiller won't run, open IE & turn off SmartScreen Filter.
http://windows.microsoft.com/en-AU/...
Download & SAVE to your Desktop.
Quit all programs that you may have started.
Shutdown your antivirus to avoid any conflicts.
Please disconnect any USB or external drives from the computer before you run this scan!
For Vista or Windows 7/8, right-click and select "Run as Administrator" to start.
For Windows XP, double-click to start.
Wait until Prescan has finished ...
Then Click on "Scan" button
Wait until the Status box shows "Scan Finished"
click on "delete"
Wait until the Status box shows "Deleting Finished"
Click on "Report" and Copy & Paste the content of the Notepad into your next reply.
The log should be found in RKreport[1].txt on your Desktop.
Exit/Close RogueKiller.
When completed make sure to re-enable your antivirus.



#3
December 30, 2013 at 08:34:20
I knew you'd drop in on cue - Johnw; you being one of the more cognisant/savant re' pests…

I'd still encourage the safeguarding of data asap though; ideally before doing anything else - just in-case...



#4
December 30, 2013 at 08:42:54
Thanks for the suggestion. I got it to boot by booting to the XP CD, using R, and running the fixboot command. Now it boots, but I can tell a bunch is hidden; like I said, no Disk Defragmenter, the only thing in System Tools is Internet Explorer add-ons. I am going to try the Ubuntu now and see. The only thing I am concerned about is whatever is hidden may be infected. Also, plugging a flash drive in, because I used my main computer to download RogueKiller, will it get infected and infect my other computers?


#5
December 30, 2013 at 09:06:24
To unhide the files:

http://www.bleepingcomputer.com/dow...

You may also want to try running AdwCleaner.

http://www.bleepingcomputer.com/dow...

and Malwarebytes

http://www.filehippo.com/download_m...

To err is human but to really screw things up, you need a computer!



#6
December 30, 2013 at 09:22:50
I ran Unhide and it did not unhide the files; I also ran the other tools you suggested, hopperrox. That was before I did the restore from the backup; I just decided to start over. What I am saying is, I backed the whole drive up when it was infected. I know it is going to take a while, and for some reason I am unable to make the recovery DVDs using the HP software. I am not worried about that right now. I want to try and get it clean before I do a reinstall, and if I have to, I will figure something out.


#7
December 30, 2013 at 09:31:39
mmm - there is always that possibility of cross infection… But safeguarding data files to DVD-RW (and/or another external HD) may allow you not only to scan the disk(s) but also to neutralise anything nasty there later… But not (fortunately) having had that problem I can't say for definite - re' anti-virus utilities being able to clean out DVD-RW. Possibly Johnw can/will comment/advise further there?

Presumably the flash drive "was" clean before you used it to download/store the killer utility via "your" computer… If so I think it is unlikely to be cross infected, since you say it was used on your computer as the download destination for the killer utility; "not" to store things "from" the infected one? But no harm in avoiding using that USB drive elsewhere for now, once you have had it connected to the infected system; it can be checked later - even better, simply erased first before further use?

The Ubuntu routine would be wise (in my view) for reasons already stated. And as above, the copies can be checked via any anti-pest utilities - before (or possibly as) they are restored to the repaired system.

Also Ubuntu would allow you a safe path to checking the DVD copies and the USB flash drive - via on-line scanners?

In my own limited experience with pests.. they (the actual package to be activated) seem to end up more in the download areas (download folders, various temp folders etc…); and then the actual active aspect of course usually within the OS/application itself. Although a pest can be transmitted unknowingly by one user to another within a document/file - from an infected computer - by email or otherwise… It depends on just what it is…

Scanning of any external source - usb-flash/HD (DVD), downloads etc. is usually wise(r) if any suspicions re' pests…

Having followed/read some of the posts by Johnw and Derek, to name but two of several here, when dealing with pests various… I willingly defer to their greater knowledge in dealing with the little (and not so little) b….rs. My limited knowledge (re' pests and dealing with them especially) is garnered over many years and by no means as comprehensive as many here.


#8
December 30, 2013 at 10:55:19
I don't know what to tell you; it sounds like a bad infection and it needs a wipe, which you say is not an option. That bites. Is there tech support where your Dad works? Could they help?

Have you done or heard of the #2 repair option? It basically reinstalls XP on itself. Can be useful to fix XP systems that no longer boot and virus complications, depending on the virus. It does not guarantee to rid you of the virus, depending on damage, but I thought I'd throw it out there.


#9
December 30, 2013 at 11:55:40
Agree that a repair installation "might" at least rebuild the OS etc. enough to see what's there; recover access to data etc.. and allow one or two pest removers to be installed - as per earlier suggestions from various folks. Updates etc. would have to be re-applied… But if you go that route - again safeguard data files "first"… Although it doesn't (isn't supposed to) affect other files/applications and data… one never quite knows… Thus safety-first is wise(r).

Likewise a parallel installation would (hopefully) allow a full boot to the second installation; and then use "that" installation to clean out the first? You would have dual-boot XP and XP, with the second one set as default after installation. I have used that approach once or twice to good effect...

If/when the first is cleared out of pests.. reset it to be first item in the boot-menu?

Repair installation here:

http://www.michaelstevenstech.com/X...

Parallel installation - start an installation as normal; decline to run "any" kind of repairs. Install as, say, win-XP-2 (the default for a parallel/second installation will either be windows or windowsNT if I remember correctly - depending what the damaged version went in as…).

By calling it something obvious - it makes it less confusing later when you reset the boot-menu and/or maybe even delete the second version (although I would leave it there - unless drive space is at a premium).



#10
December 30, 2013 at 15:24:26
trvlr posted "I knew you'd drop in on cue"
Then I went back to bed.


#11
December 30, 2013 at 17:16:02
Well, I should have stated that he is now retired and they let him keep the laptop. He was with that company over 40 years. He has another laptop now, and I have had this one since before Thanksgiving. The screen hinges were broken and I repaired it myself by replacing the lid. I told him I fixed it; he has not said anything about getting it back. He may want a few things off of it; I am not sure why, he just said if I could get some things off. I have booted to a Linux disk and got his user folder off onto an external; that should have everything he wants. Now I guess I could do a clean install, but the XP C.O.A. on the bottom is faded and unreadable. I have seen HP XP Pro disks on eBay; it should have the pre-activated key for HP computers. Or I may still be able to order the Recovery DVD from HP. But it's going to have to be one with the pre-activated SLP keys. I have a Dell OEM XP Pro disk, but I need one from HP so it will be activated. I'm not too concerned with the faded XP C.O.A.; as long as I don't remove the faded C.O.A. it would be legal. The reason I posted in the first place: I just thought it may save time and may be worth trying to clean it without a reinstall.


#12
January 2, 2014 at 04:36:59
I do still want to try and proceed with doing this. I have run Unhide, AdwCleaner and the program that restores the Start menu. Also ran JRT and CCleaner. I just installed MSE AV and it chose to turn on the firewall. But I got a message that the firewall could not be turned on, an unknown error; the message said to turn it on manually. I tried that and got the same error: "Due to an unidentified problem, Windows cannot display Windows Firewall settings." As soon as MSE updates I am disconnecting the Ethernet cable; I don't want AT&T to have a duck fit again.
Just in case I have to restore, can someone give me the page where I can order recovery disks for this model? It's a business model; it does have the option to create disks, but I get an error when I try. The drivers and support page does not have a link to order disks. Maybe they no longer provide disks for XP, because my Windows 7 HP still has the link on the drivers page.
Thanks


#13
January 2, 2014 at 06:32:51
mmm If you have a hunt around the Dell site - either enter the tag number for the laptop, or do a search by product… - and then get into their support area for it… Possibly you will find something there; or is that what you've already tried...

The downloads section will include the manual too - and that may tell you a little more about obtaining a suitable disk. Often there are references in those that may not be on the support site.

A trawl via google using:

Laptop Dell Latitude D620 Core 2 Duo recovery disk

does bring up a lot of hits - mostly eBay - "selling" a recovery CD. Not sure if they are the genuine Dell-badged article or not…

Worst case is to secure a full install XP disk and simply re-install…

Likely the version installed originally is an OEM; and so if you secure an OEM disk… it may go in OK over the current version - as a true Repair installation - one that does NOT use the Recovery Console approach. I referred to that in my post (9) above.

The windows sticker on the laptop (base usually) may include OEM in its details.

Need more help in securing an XP full retail or OEM disc, post back...

However… I am somewhat konphused at this stage…

You appear to be discussing two different computers - one a Dell Latitude, and the other an HP; as you seem to be referring to needing first a Dell CD and then an HP CD?

Which is it you require; and which system are you trying to recover/rebuild?



#14
January 2, 2014 at 17:27:30
This is a Compaq/HP NX7400. Sorry for the confusion. On the bottom right corner it has Compaq NX7400, and in the middle bottom it has HP; it has HP wallpaper and there is an HP_RECOVERY partition. I have tried making the disks but get an error. The Dell Latitude is fine and I have 2 or 3 XP Pro disks for it.
Thanks


#15
January 3, 2014 at 05:32:12
Thank you for clarification…

Have a good read of these two links; the first is about securing recovery CDs in general - and points out that for some configurations you do have to contact HP/Compaq; the information is all there (I think/hope).

The second is the full web-site support - information and everything else for the model laptop you have. Well worth a good read - and also suggest you download/save whatever you can (drivers etc. at least) - for future use if needs-be; and not the least the manual.

http://h10025.www1.hp.com/ewfrf/wc/...

http://h20566.www2.hp.com/portal/si...

I would advise you to make your own recovery set of disks too - once the system is up and running again; besides having whatever disk(s) you can secure from HP/Compaq.



#16
February 27, 2014 at 08:45:51
I was unable to get back and still have the problem. I have restored the laptop back to like it was when I got it from my dad. I have been a little sick and not able to get back. I would still like to continue with this thread. I don't think HP has recovery discs for this model because of XP being so old. I have found a site called Computer Surgeons.
http://www.computersurgeons.com/ They only deal with HP/Compaq computers. I have ordered a kit for a Compaq I have and it worked. I may just order a kit for the NX7400. I believe it is separate disks for this model: OS, drivers, applications etc. If there is an OS disk I can do a repair install. If someone can suggest anything in the meantime it would help. I turn it on. I see the HP splash screen, then a screen with:
Microsoft Windows Recovery Console
do not select this (debugger enabled)
Microsoft Windows XP Professional
Those are the choices; I think it means not to select Microsoft Windows Recovery Console.
If I select Microsoft Windows XP Professional it never boots; it goes to a black screen and I never see an XP splash screen. I feel it is a boot sector virus. I have an XP OEM disk for a repair; the only thing is, if I do a repair it is going to ask for a Product Key and mine is unreadable, it's faded. That's why I may order the kit from the site I mentioned.
BTW Safe Mode does the same. Only a black screen.
None of the safe modes work.


#17
February 27, 2014 at 09:49:26
mmm. Did you, per chance, run any of the anti-virus rescue disks that are now available?

These are an anti-virus utility usually built onto a Linux variant and will (usually) go on-line to update themselves when they boot up etc.. After which they will scan the whole system and clean out/fix whatever they can.

Often "very effective" in dealing with rootkit pests...

I suggest you download the ISO from the following; save to wherever and then burn it to a DVD. Boot up with that DVD - ensuring you are connected to the internet when you boot up.

http://support.kaspersky.com/us/vir...

http://www.bitdefender.co.uk/suppor...

http://www.avg.com/gb-en/avg-rescue-cd

I suggest all three and use in that order...

Why all three - just in-case one of them misses something the others don't?

Watch the boot-up screens carefully for each as you boot up from whichever DVD. There are keys to press to ensure it does boot and scan - otherwise at least one of them will ignore the DVD and boot into Windows (if it can).

Each will take about an hour or so (typically) to scan fully - depending on what's on the drive?

If you have (or obtain) an XP disk - be it OEM or even retail - likely you can find and download the assorted drivers for the laptop - from the various sites supporting the few items that may require them (and not included in XP).

Belarc Advisor (freebie download to run...) will identify what's installed in terms of "hardware" - network adapters etc.; likewise "msinfo32" (no " ") run from a command line (Start\Run - type in msinfo32 and press Enter) will generate a full report too of what's in the laptop. Both items will dig out all CD keys etc. too... At the least print out the reports and keep them safe; and if possible save them "off" the system as is...

When you know what's installed in terms of hardware... post the details here.

As always - do not include "any" CD/software keys - or user or login details...

An OEM version of XP Pro is around for very few pennies; and it may be you can use the key for the installation already present to activate it - presuming the damaged version is an OEM. If it's a retail version, they too are available for legit download (no key included though) - and again your present key may work with one of those...

Try the above clean-out routines; and in between each one - perhaps see if the system will boot OK; if only to Safe Mode initially?



#18
February 27, 2014 at 11:10:46
Thanks for the replies. The OEM disk I tried using was one from Digital River; it is legal, it has no product key with the download, and you're advised to use the product key on your computer. I booted up the CD several times; sometimes when I click Next after it loads all the files I get a message that no hard drive was found. Sometimes I get an error that a file on the CD is corrupt; it's different files at different times I tried.


#19
February 27, 2014 at 11:38:25
"Frequently" - but not exclusively so - the error that such and such a file is corrupt (when installing from a CD/DVD) can be due to failing memory.

It may happen every time, it may happen intermittently...; and is not unknown to be due to RAM problems...

Reduce RAM to a single stick and see what happens; try each stick in turn, and if one stick produces the error and another does not... it "may" be that the RAM stick producing the message "is" failing in some way...

If possible try RAM that is known to be good/OK too?

And again - have you run the rescue disks as above - if not then give them a go?



#20
February 27, 2014 at 12:04:32
OK, there is 4 GB in the laptop with XP 32-bit. That could be why I get the error. I will try one 2 GB stick and see what happens. I tried my Dell OEM; I was going to boot to the command prompt and do a fixboot.

Thanks


#21
February 27, 2014 at 12:16:13
Just took out a stick of RAM. It now has 2 GB. That could be it, or the 2 GB I took out could be bad. The other 2 GB stick is under the keyboard. I booted to the CD and this time it worked; I chose R and got to a command prompt and typed fixboot. Now it boots. I am still going to run the boot disk. But like it's stated above, there are some hidden files.
*update*
Running memtest86 from Ubuntu CD.


#22
February 28, 2014 at 03:33:20
I tried twice to burn the ISO of Bitdefender to a CD; it failed. I got the Kaspersky; it is scanning now.


#23
February 28, 2014 at 03:50:54
Wasted 3 CDs on Bitdefender. AVG and Kaspersky burned fine. Sorry for so many posts; I did not see the edit post option, for some reason it's not there this morning.


#24
February 28, 2014 at 05:57:45
mmm I wonder why you had problems with Bitdefender burn...

Kaspersky will likely do what's needed; and AVG a useful double-check...



#25
February 28, 2014 at 11:08:29
Kaspersky found some backdoor. Could be the ZeroAccess. And I just tried AVG and it stalls on the part with ISOLINUX at the top and some other writing; it will not go further.


#26
February 28, 2014 at 12:02:12
I haven't used/tested the AVG disk so can't comment from personal experience re' why it may apparently hang... But perhaps read through the guide here:

http://www.avg.com/gb-en/226386

It may help?

There is a rescue disk from Sophos.com as well. You make it as per their instructions and use as is. It does not update itself when you boot up with it - why??? They seem to prefer one effectively download core data etc. when the disk is to be used and renew/remake the disk... It may also be of use nonetheless.

If you can boot to a Linux desktop from any of the rescue disks (after letting them do what they can) it might be worth running the Trend Housecall freebie scan too. Google for Trend Housecall free scan and you'll get the direct location. If per chance it asks you to log in, create a Facebook or similar account, it's not the site. I have found one link that has done that in the past...; but the UK link doesn't for sure and will work fine regardless of where you are.

You can also use an Ubuntu CD or Knoppix, or Puppy Linux, or Zorin to get to a Linux desktop and then run Trend, and similarly Sophos, AVG, Avast free "on-line" scans, and I think Bitdefender too. Might not hurt to do so?



#27
March 2, 2014 at 06:28:46
What I am doing now is I got the drive out of the laptop. It is connected to a USB dock connected to my desktop. I tried to scan with a program called Trojan Scanner. It only allows you to detect, and you have to purchase it to remove, but it did find something that looks real nasty: Hidec.3exe Risktool.Hide100; it was in the ComboFix folder. It seems a lot of programs are hidden. When I connect the drive through USB it looks like nothing is hidden. I tried to install SUPERAntiSpyware but it said I was not an admin. Also that trojan program would not install; same thing, it said I was not an admin. I am logged in as admin BTW.


#28
March 2, 2014 at 06:34:25
Perhaps rescan the USB-connected drive again, both with Kaspersky and Avast too (rescue disk boot from the desktop) if possible (i.e. boot the desktop with a rescue disk and rescan...). Also rescan via whichever OS you boot your desktop to?

Not at all familiar with the two utilities you mention...


#29
March 2, 2014 at 09:28:28
Trojan Remover is free www.simplysup.com

Trojan Hunter costs 39.99 for one computer and 59.99 for up to 4

www.trojanhunter.com

The one from Simply Sup has been scanning for 3 hours and has not found anything. I bet it would if I could scan while booted to Windows, but it is not letting me do anything like that because it says I'm not an admin. I will try the other 2 like you said. I did find some things on what I mentioned, Hide.3xe.

#30
March 2, 2014 at 10:43:29
Do any of the scans indicate where the pests are located; and are there any registry locations included?

My understanding is that some of these pests sit quietly waiting to execute at boot up; which might possibly allow one to simply locate and delete the ".exe file" - via a Linux based boot and access to the hard drive?

Incidentally it might not hurt (in fact I'd recommend) you to contact johnw (private message initially) and point him to this thread; and ask for his much more enlightened and experienced input… I have noted he has angles/insights that are often very useful…; and from which I and many others here are learning - for future reference.


#31
March 2, 2014 at 14:38:49
I don't think it indicated where it was. I did notice something. A while back, maybe a few years ago when the laptop first got infected, I was directed to run ComboFix. So when my desktop is booted up and the USB dock is plugged in I can see a folder; it looks like the My Computer icon but it's basically a folder. All the hidden files are in that folder. I did some googling and found this (link to another forum)
http://forums.majorgeeks.com/showth...
I have tried a suggestion of copying some text to a Notepad and saving it like the above link says. But I still cannot run ComboFix because the computer says I'm not the admin. But at least maybe I'm getting somewhere and found all the hidden files. Is there a way to boot to safe mode command prompt and somehow restore the files in ComboFix?

#32
March 5, 2014 at 14:58:05
Came across this item - and note it refers to a specific (and useful) Kaspersky tool... as well as other ideas...

http://malwaretips.com/blogs/malwar...

Might be worth investigating?


#33
March 6, 2014 at 05:18:57
trvlr, I have pretty much done what you suggested. Also have done some ideas of my own. I finally got msconfig to run. I have run rkill several times; it finds something every time. I think the above site meant to run it in safe mode? I will try that next. Also finally got MSE to uninstall, not that it's no good, it was just dead. I had to use Revo Uninstaller to get it out. Found another old tool I used called Win ASO disk cleaner; it found over a GB of temp files, more than CCleaner found. Thanks for all the help. I am still working on this; I feel it's not clean yet.

#34
March 6, 2014 at 06:24:28
Safe-mode is often the preferred state to run a lot of repair/clean out routines...

Have to admire your perseverance and encourage you to continue...

Keep "us" posted on your progress...

If all else fails... and the pests are still there (wherever...) possibly you may have to "byte the bullet" and re-install a clean system? Which would of course mean either a recovery partition routine, or a retail or OEM disk installation?

If the latter (full rebuild) then I would suggest a full reformat of the drive too; and ideally reconfigure to have two partitions; one for OS etc, the other for data/personal stuff and so on?

Retail win-7 disks are around - but usually at slight premium these days. OEM are a lot cheaper (and the "reconditioned software version - from M$) is also around for about the same as unbadged OEM). OEM is the same as retail other than it is tied to the motherboard of course...

Downloads of both are available too - but of course one needs either a current retail key or an OEM equivalent; otherwise one has to pay for one...

If going for OEM I'd go unbadged versions (not with a Dell or HP etc label on it). You would need to locate some of the drivers for the laptop (possibly) and they're out there for the most part - and for free.


#35
March 6, 2014 at 18:32:48
I will more than likely buy the disk from the Computer Surgeons; they are pretty much aftermarket HP/Compaq recovery disks. I have checked, they have the disk; it's 3 disks: OS, Applications and Drivers. I have had no issues with HP/Compaq recovery software like what comes pre-installed. I did have one of the first models with Windows 98 first ed. and it locked up a lot and had a lot of illegal operations. I later figured out it was related to something that Compaq used called Back web.
BTW I have tried booting to the XP Recovery Console and get a BSOD. I just did an HDD test, the one that's in the BIOS; also ran the memory test in the BIOS and ran memtest86 last week. Also when I boot up with the XP CD and choose R it says no hard drive was found. I tried looking in the BIOS for a setting, AHCI or SATA, but it's not there.
<edit>
just found the SATA / AHCI setting.