[Essexboy]

Yes it does, OK we will use Combofix to install the recovery console. Naughty but easy

Download ComboFix from one of these locations:

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


Go to Microsoft's website => http://support.microsoft.com/kb/310994

Scroll down to Step 1, and select the download that's appropriate for your Operating System. Download the file & save it as it's originally named.

Note: If you have SP3, use the SP2 package.


---------------------------------------------------------------------

Transfer all files you just downloaded, to the desktop of the infected computer.

--------------------------------------------------------------------


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

• Drag the setup package onto ComboFix.exe and drop it.
  
  
• Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  
  
  
  
  
  
• At the next prompt, click 'Yes' to run the full ComboFix scan.
  
  
• When the tool is finished, it will produce a report for you.

Please post the C:\ComboFix.txt in your next reply.

Once the recovery console is installed we will boot to that and run :

From the command prompt, enter: chkdsk /r (note the space between chkdsk and /r)
Allow it to complete undisturbed.

[Advertisements]

ComboFix log:

 ComboFix.txt   18.79KB   94 downloads

Late here, so will try recovery chkdsk in morning.

[pivan]

ComboFix log:

 ComboFix.txt   18.79KB   94 downloads

Late here, so will try recovery chkdsk in morning.

[Essexboy]

Night

[pivan]

Ran chkdsk from recovery module aok, took forever, fixed one or more errors on the volume.

ComboFix found ZeroAccess rootkit. Does the log suggest it's been cleaned?

Anything else we need to do?

[Essexboy]

Combofix cleared the remnants of the zero access

So the question now is what problems remain

[pivan]

Other than not being able to run chkdsk from the Windows command prompt, all seems to be well.

Shall I just uninstall/delete the various programs used of late?

[Essexboy]

Subject to no further problems

I will remove my tools now

A good workman always cleans up after himself so..The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  

  :Commands
  [resethosts]
  [emptytemp]
  [CLEARALLRESTOREPOINTS]
  [Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done

Remove ComboFix

• Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
• In the Run box, type in ComboFix /Uninstall
  (Notice the space between the "x" and "/")
  then click OK
  
  
  
• Follow the prompts on the screen
• A message should appear confirming that ComboFix was uninstalled

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that

• Click Start.
• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View Tab.
• Under the Hidden files and folders heading select Do not show hidden files and folders.
• Click Yes to confirm.
• Click OK.

Keep safe

[pivan]

I'll be monitoring things carefully over the next few days, but I think I'll be bold and say my problems seem to be fixed (albeit in a roundabouty kind of way!). I thank you greatly for your attention, essexboy, and may your dragons always be fiery.

Will let you know if anything else crops up.

[Essexboy]

Definitely an unusual one, but I had some more exposure to the new MBR infection. Hopefully aswMBR will be able to detect this variant now

I will leave it open for a while just to be sure

[Essexboy]

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.