MalwareCrypt
May 25, 2013, 04:13:49 PM *
Author Topic: zero access root infection?  (Read 5076 times)
Milena E.
Newbie
*
Posts: 23


« Reply #30 on: August 17, 2011, 10:04:02 PM »

When I try to do the cmd procedures that you posted, it says "The system cannot find the file specified" and "... is not recognized as an internal or external command, operable program or batch file". I don't know why, it worked before. About Gmer, it can't delete rootkits, the only option it gives me is to "kill" the file. And it needs to reboot the system after every "killing".
Logged
Milena E.
Newbie
*
Posts: 23


« Reply #31 on: August 17, 2011, 10:07:45 PM »

It killed ADS C:\Windows\487094660:2072442850.exe (816 bytes, executable)
but other rootkits can't even be killed. It says it can't find the path specified.
Logged
Jintan
Administrator
Hero Member
*****
Posts: 3880



WWW
« Reply #32 on: August 18, 2011, 03:37:06 PM »

After each step, please try the tools you have, and use cmd.exe if it helps. Tools would be aswMBR, TDSSKiller, ComboFix. Do you have, or can you borrow, an actual Windows 7 install DVD? We could use that to access a boot command prompt, and make changes before the malware or Windows loads.
Logged
Milena E.
Newbie
*
Posts: 23


« Reply #33 on: August 19, 2011, 12:04:24 PM »

I guess I could borrow it, but I haven't got the slightest idea how to use it. I can't even translate precisely what you just suggested. Anyway, I'm using Windows 7 Ultimate (Rasor) now. The installation drivers are in the possession of a guy that, as I said, would kill me if he found out what I'm up to. I admire your patience with me and my mean machine even more than I admire your skills.
Logged
Milena E.
Newbie
*
Posts: 23


« Reply #34 on: August 19, 2011, 12:08:56 PM »

I forgot to say, aswMBR and TDSS Killer can't find anything more for a couple of days now, they just keep repeating that there is no threat. ComboFix blocks every time while trying to delete that $ntUninstall...something
Logged
Jintan
Administrator
Hero Member
*****
Posts: 3880



WWW
« Reply #35 on: August 20, 2011, 09:08:06 PM »

My apologies - I am traveling and have problems gaining Internet access until I return home tomorrow. Have you tried Safe Mode for the login? See if you can borrow that DVD, let me know and we will walk through removing what is blocking ComboFix.
Logged
Jintan
Administrator
Hero Member
*****
Posts: 3880



WWW
« Reply #36 on: August 21, 2011, 06:32:24 PM »

Let me know if you can gain access to a DVD, before we decide anything else please.
Logged
Milena E.
Newbie
*
Posts: 23


« Reply #37 on: August 22, 2011, 08:14:50 AM »

Can I borrow a regular Windows 7 install DVD, or must it be this specific type (Ultimate 7 Razor)?
Logged
Jintan
Administrator
Hero Member
*****
Posts: 3880



WWW
« Reply #38 on: August 22, 2011, 04:00:19 PM »

The regular Windows 7 DVD should do okay. We need to use it to load the system into its System Recovery access, to delete files and/or make Registry changes.
Logged
Milena E.
Newbie
*
Posts: 23


« Reply #39 on: August 23, 2011, 10:55:29 AM »

O.K. I'll try, but it will take some time to find the DVD
Logged
Jintan
Administrator
Hero Member
*****
Posts: 3880



WWW
« Reply #40 on: August 23, 2011, 06:10:01 PM »

The infection on your system isn't necessarily the most complex of things, but the malware clowns have made it with extra, tough self-defense mechanisms. I will also post another method we can use to assess things, as well as make changes without Windows, and the malware, loaded, should you find you can do the following with less trouble.


You will need a USB drive and a CD to burn. There will be several steps to follow.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and upon finishing will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Next download driver.sh to your USB drive
  • Also download Query.exe to the USB drive. In your working computer, navigate to the USB drive and click on the Query.exe. A folder and a file, query.sh, will be extracted.
  • Remove the USB & CD and insert them in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • In some computers you need to tap F12 and choose to boot from the CD, in others it is the Esc key. Please consult your computer's documentation.
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see driver.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh
  • Press Enter
  • After it has finished a report will be located on your USB drive named report.txt
  • Then type bash driver.sh -af
  • Press Enter
  • You will be prompted to input a filename.
  • Type the following:
Winlogon.exe
  • Press Enter
  • If successful, the script will search for this file.
  • After it has completed the search enter the next file to be searched
  • Type the following:
volsnap.sys
  • Press Enter
  • If successful, the script will search for this file.
  • After it has completed the search enter the next file to be searched
  • Type the following:
explorer.exe
  • Press Enter
  • After it has completed the search enter the next file to be searched
  • Type the following:
Userinit.exe
  • Press Enter
  • After the search is completed type Exit and press Enter.
  • After it has finished a report will be located in the USB drive as filefind.txt
  • While still in the Open Terminal, type bash query.sh
  • Press Enter
  • After it has finished a report will be located in the USB drive as RegReport.txt
  • Then type dd if=/dev/sda of=mbr.bin bs=512 count=1
  • Press Enter
  • After it has finished a report will be located in the USB drive as mbr.bin
  • Plug the USB back into the clean computer, zip the mbr.bin, and except for the mbr.bin zipped file, post the contents of the report.txt, filefind.txt and RegReport.txt in your next reply. The mbr.bin zipped file must be attached to your reply.
Logged
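The mbr.bin captured by the dd step above is a single 512-byte sector. The script below is added here as an example; it is not part of this thread nor one of the tools Jintan names. It parses such a dump (boot signature, Windows disk signature, partition entries) and hashes the 440-byte boot-code region, so the dump can be compared against one taken from a known-clean install. The sector it analyses when run without arguments is constructed inside the script.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 440          # bytes 0-439: boot code (the region a bootkit rewrites)
PART_TABLE_OFFSET = 446       # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510-511 of any valid MBR


def parse_mbr(data: bytes) -> dict:
    """Parse one raw 512-byte sector, e.g. an mbr.bin produced by dd."""
    if len(data) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(data)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        # entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", data, off)
        if ptype == 0:
            continue  # unused slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "valid_signature": data[510:] == BOOT_SIGNATURE,
        "disk_signature": struct.unpack_from("<I", data, 440)[0],  # 4-byte NT disk signature
        "boot_code_sha256": hashlib.sha256(data[:BOOT_CODE_SIZE]).hexdigest(),
        "partitions": partitions,
    }


def boot_code_changed(data: bytes, baseline_sha256: str) -> bool:
    """True when the boot-code region differs from a dump of a known-clean install."""
    return parse_mbr(data)["boot_code_sha256"] != baseline_sha256.lower()


def build_sample_mbr() -> bytes:
    """Constructed sample sector: one bootable NTFS (type 0x07) partition at LBA 2048."""
    boot_code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x00" * (BOOT_CODE_SIZE - 7)
    disk_sig = struct.pack("<I", 0x1234ABCD) + b"\x00\x00"
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    return boot_code + disk_sig + entry + b"\x00" * 48 + BOOT_SIGNATURE


if __name__ == "__main__":
    import sys
    sector = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_mbr()
    report = parse_mbr(sector)
    for key in ("valid_signature", "disk_signature", "boot_code_sha256"):
        print(f"{key}: {report[key]}")
    for p in report["partitions"]:
        print("partition", p)
```

Run it as `python mbr_check.py mbr.bin` against a real dump; a boot-code hash that differs between two dumps of the same machine, or from a clean install, is what points at a modified MBR.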
Milena E.
Newbie
*
Posts: 23


« Reply #41 on: August 24, 2011, 08:30:59 AM »

If I knew how to do all that I wouldn't need any help. And I don't have a clean computer anywhere near. I didn't expect it to be this hard, it's easier for me to call someone to install everything again. Thank you so much anyway.
Logged
Jintan
Administrator
Hero Member
*****
Posts: 3880



WWW
« Reply #42 on: August 24, 2011, 04:44:27 PM »

To be sure, does that mean you are not going to attempt the repairs we are doing here? Nothing wrong with that, but want to make sure.
Logged
Milena E.
Newbie
*
Posts: 23


« Reply #43 on: August 25, 2011, 08:37:30 AM »

It's not that I don't want to, it's that I don't know how and I don't have the access to a clean computer. So I'm going to try to find someone in my neighbourhood to help me.   
Logged
Jintan
Administrator
Hero Member
*****
Posts: 3880



WWW
« Reply #44 on: August 25, 2011, 05:28:52 PM »

There are the means of cleaning this system available, as there always are, but yes, they tend to run to the technical side of things, and often require a different, uninfected computer to set the stage. If this neighbor can assist with that, I sense we will succeed in cleaning this system.
Logged