Root Kit Zero Access / Win32 Patched HN Trojan

Silver-Cat

Hiya, I've managed to get a nasty bug on my laptop.
Can't run malware bytes as says not authorised! And the computer keeps shutting itself down. Tried getting into safe mode but then also shut down.

Getting all sort of messages on booting and when get it running there is little I can do.

I know it's a bug as watched a main.exe go bonkers on me. Couldn't switch it off and had to do a cold boot to get rid of it.

Help please!!!!

Silver-Cat

Plus every bit of software scan I do gets shut down within minutes of starting to scan.

stilltheone

Make, model and OS? 32 bit or 64 bit?

Silver-Cat

It's a fujitsi siemens running vista HO
Not sure about the rest.
I have limited access, windows defender if off and keeps switching off when I start a scan.
Just trying again now.

RussJK

It can be fixed, so think of it as a particularly annoying puzzle

See if you can run Hijackthis (http://www.trendmicro.com/ftp/products/hijackthis/beta/HijackThis.exe), and do system scan and save a log, and post the log here - we'll see what the autostart is.

Also see if you can start in safe mode (restart, keep hitting F8).

Another thing to try is rkill, which will attempt to shut down the virus processes - http://www.bleepingcomputer.com/download/anti-virus/rkill

Gdata fake antivirus remover: https://www.gdatasoftware.co.uk/?eID=PushFile&dl=311d0c13d6%3AAFIJBA4%3D

EMCO (little known tool) http://emcosoftware.com/malware-destroyer

Trend BETA remover http://www.majorgeeks.com/Trend_Micro_Fake_Antivirus_FakeAV_Removal_Tool_d6984.html

See if you can manually shut down the naughty task: CTRL SHIFT ESC in process list of Task Manager, or sysinternals process explorer:
http://technet.microsoft.com/en-us/sysinternals/bb896653

Silver-Cat

Thanks for that. Windows defender still running scan amazingly. I'm watching it as I type this (on iPad) so fingers crossed. Malware bytes is a White box like it's been deleted!
Once completed or shut down I'll then reconnect to Internet and try those you mention.

Silver-Cat

Defender showed it as Trojan dropper. Didn't complete removal of it though as appeared to crash

Grampus8

Sit tight and wait for the warm embrace of help.

Silver-Cat

So far, can run rkill and get the below

Rkill was run on 08/07/2011 at 21:36:39.
Operating System: Windows Vista (TM) Home Premium

Processes terminated by Rkill or while it was running:
\\.\globalroot\Device\svchost.exe\svchost.exe
Rkill completed on 08/07/2011 at 21:36:44.

RussJK

After you run rkill, see if you can now run Malwarebytes or any of the others. Rkill is just the way in, and will only last for that session. Still got to kill the method for the nasty to start.

Oh, there's also HitmanPro http://www.surfright.nl/en/hitmanpro. If you can't run it or get an odd error, then save it to the desktop - and hold LEFT CTRL as you click on it to open it.

Silver-Cat

Both malware bytes and the other one mentioned above run but get shut off within seconds.
Hijack this runs at first but then gives an error and also closes itself.