Zero Access and No Fun

The Zero Access virus, the new thing in IT, has been stomping through the IT world for a while now, and I have to say that I don't see many things that are consistent about it.  I have cleaned three computers that had it and did it differently each time; one I had to just erase and start over with. (Sometimes that is the best option anyway - back up your stuff first!)

I have to give some shout-outs to several folks for information and tools: first off, my lovely daughter (A&M IT, working on an engineering degree) for a heads-up and a link with some info*; second, Kaspersky AV for an awesome Rescue CD.  I used parts of both, and then some other repairs that I have been forced to learn along the way, because, it seemed, the cure was worse than the disease.

First off, the indications are wide and varied: intermittent loss of network connections, very slow internet surfing, redirects, and in some cases stop errors, specifically Stop 8E in iaStor.sys.  I am going to start with this one; it's the most recent, and I discovered a few things on the way.

The Setup - Dell Precision M6500 laptop (mobile workstation), Windows 7 Pro (32-bit), 4GB RAM, 250GB disk.

Issues - Everything working fine (supposedly), and then BSOD Stop 8E referencing IaStor.sys.  This is part of the Intel RAID management software and is used for RAID configuration and drivers on the system.  Strangely, the laptop would boot in Safe Mode, which is wonderful, usually.

Ran CHKDSK /R, booted from a boot CD and replaced the file, then scanned with ComboFix*, SUPERAntiSpyware, RKill, and Malwarebytes Anti-Malware from Hiren's 15.1 Boot CD.

Found lots of stuff, cleaned it, same error.  So it's probably a rootkit; tried Dr.Web CureIt!, the AVG Rescue CD, etc.  Same issue: BSOD 8E, IaStor.sys.

Then I found the Kaspersky Rescue CD, updated it, ran it, found the rootkit and a Trojan, and cleaned them.  So now I'm happy.  Reboot, get a new error: Stop 7D.  This one is basically saying "what did you do to the HD, man?", and I have seen it before.  Safe Mode stops working (sigh).

Some caveats here.  If you use "Startup Repair" from a Windows CD (it must be the SAME version that you have, by the way: 32-bit for 32-bit, 64-bit for 64-bit, Pro for Pro, etc.), you will spend a lot of time watching it try to repair, then figure out that it can't, so Recovery gives up and wants to call home to MS, but then can't get there.  I found lots of sites that suggested booting from the Windows CD, going to a Command Prompt, and then running BootRec /FIXMBR, BootRec /FIXBOOT, and BootRec /rebuildbcd.  I have actually used this before to salvage a drive, and used it here as well, but two things happened that you should watch for.

First off, when you boot from the CD you will notice at the prompt that your drive letter is X:; this is fine.  Check which drive your OS is on at that point.  If you have the Dell Recovery partition on the machine, there is a chance that THAT partition will suddenly be C: and your OS and programs will be on D:.  If not, all is well: run Bootrec /Fixmbr, Bootrec /Fixboot, and finally Bootrec /rebuildbcd.

If the drive letters are switched you will need to change them.

I used a Hiren's Boot CD 15.1 for this.  Boot from Hiren's and change the drive letters back to what they were supposed to be.  MAKE SURE that the correct C: drive is marked as ACTIVE!  If not, it won't boot.  After you do this, run the Bootrec commands again; the rebuildbcd should now find your Windows installation and all should be good.
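The drive-letter check above can be scripted so the Bootrec commands never run against the wrong volume.  This is an added example, not from the original post or from any of the tools it names; it assumes you are at the Windows install/recovery CD command prompt (X:) on a Windows 7 machine, and it probes each letter for the Windows SYSTEM registry hive, which a Dell recovery partition does not have.

```batch
@echo off
rem Added example (not from the post): find the real Windows volume before
rem touching the boot records.  A Dell recovery partition can grab C: and push
rem the OS to D:, which is exactly the mix-up the post warns about.
setlocal

set OSDRIVE=
for %%D in (C D E F G H I J K L M N O P Q R S T U V W Y Z) do (
    rem Only a genuine Windows installation has the SYSTEM hive at this path.
    if exist %%D:\Windows\System32\config\SYSTEM (
        if not defined OSDRIVE set OSDRIVE=%%D
    )
)

if not defined OSDRIVE (
    echo No Windows installation found on any drive letter.
    echo Inspect the disk with DISKPART ^(list volume^) before running Bootrec.
    exit /b 1
)

echo Windows installation found on %OSDRIVE%:
if /i not "%OSDRIVE%"=="C" (
    echo WARNING: the OS volume is %OSDRIVE%:, not C:.  The recovery partition has
    echo probably taken C:.  Reassign the letters and mark the OS partition ACTIVE
    echo ^(with DISKPART or Hiren's^) before running Bootrec, otherwise the rebuilt
    echo BCD will point at the wrong volume.
    exit /b 2
)

rem Letters are as expected: repair the MBR, the boot sector and the BCD in the
rem order the post gives, stopping at the first step that fails.
bootrec /fixmbr  || exit /b 3
bootrec /fixboot || exit /b 4
bootrec /rebuildbcd
endlocal
```

Save it to a USB stick as something like checkboot.cmd and run it from the X: prompt; a non-zero exit code means stop and fix the letters first.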

* Links - ComboFix: http://www.bleepingcomputer.com/downloads; Hiren's Boot CD: http://www.hiren.info/pages/bootcd; Kaspersky Rescue CD: http://support.kaspersky.com/viruses/rescuedisk
