Ran all suggested malware removal tools and ZeroAccess trojan still installed.

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by poozie, Jun 15, 2012.

  1. poozie

    poozie Private E-2

    Still having problems accessing files and folders on C drive; no access or access denied to open or view Docs and Settings folders, App Data, etc. Access is even denied to my user Documents\MyMusic, MyPictures, and MyVideo files.

    Read and followed instructions in the Read & Run Me First removal guide. Downloaded SuperAntiSpyware, Malwarebytes, ComboFix, and MGTools.

    Looked for a log from SAS but couldn't find anything saved anywhere. If I right-click on the .exe saved to my desktop, properties show it as "SAS.exe.exe". Is that normal??

    Also, I noticed after running Malwarebytes or ComboFix (I don't remember which, sorry), a new folder was created - "C:\$RECYCLE.BIN" which, of course, is locked.

    A little more history here: I knew I had this trojan a couple of months ago and, without reading up on anything, thought I could do a system recovery from a recovery disk I had. Unfortunately, that didn't work, and I ended up with a black screen that kept saying, "No operating system installed". A friend took my laptop and said he "wiped it down as deep as he could go", then installed Windows 7 (I previously ran Vista). Got the laptop back recently and found out the trojan is still here, living large in the background on my laptop.

    So, I am assuming the logs will show a pretty bare bones system here, and that's why.

    I've attached the logs I can find.... HOWEVER, when I try to attach the MGTools.zip file, I am unable to do so. I can send the logs individually, but for some reason, it won't let me send the .zip file. What should I do??

    This has been going on for over 4 months, so any help you can give outside of tossing this thing out of a moving car at 90 mph would be greatly appreciated!

    Thanks.
     


  2. poozie

    poozie Private E-2

    ZeroAccess trojan still present after all removal tools used

    I've had this trojan on my laptop for almost 4 months. Before doing any research, I tried to do a system recovery from a disc I had made last year, but ended up with a black screen telling me that "no operating system installed". Gave my laptop to a friend to "fix". He "wiped the hard drive down as deep as possible", installed Windows 7 (I previously had Vista), and gave it back to me. I assumed he knew the extent of this trojan, but obviously he didn't. I have a 64-bit operating system, running Windows 7. Everything else was installed or re-installed by my friend after he "wiped the hard drive".

    I read the Read & Run me guide, installed and ran all the tools, etc. Here's the issues:

    I am denied access to common doc files, my start menu folder, my templates folder, etc. I have two Program Files folders, one of which has "(x86)" behind it; after running the removal tools, I found a new folder on my hard drive: "$RECYCLE.BIN" which, of course, is locked. When I right-click on the SAS.exe file on my desktop, the properties show this: "SAS.exe.exe", same with "mb.exe.exe" (is this normal??).

    There is nothing in the SAS folder on the C drive, but SAS didn't show anything anyway; I've attached the combofix log; inside the MGLogs.zip file is another folder called "Qoobox" along with the text logs, but it's not giving me the option to upload the .zip folder, just individual logs in it; I cannot find or am being denied access to the Malwarebytes logs.

    I'm so frustrated with this thing!! Argh! Please help!!

    What do I do now??
     


  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Re: ZeroAccess trojan still present after all removal tools used

    Please download and save the below to your Desktop or anywhere else you can find it ( if the Desktop is not showing )

    http://download.bleepingcomputer.com/grinler/unhide.exe

    Now run it. Did that help?
    Nothing to worry about.
    They've been renamed incorrectly with a double extension, you can see this now that hidden files and folders are set to show.

    Why not? You can attach a zipped file here the same as you can with a normal text file.
    I know, I know. :) Let's try this.

    For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
    For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:

    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    On the System Recovery Options menu you will get the following options:
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    • Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please attach this log to your next reply. (How to attach)

    ------------------------

    I want you to run TDSSKiller so refer to the below for how to do so.

    TDSSkiller - How to run


    Please also download MBRCheck to your desktop
    • Double click MBRCheck.exe to run (Vista and Win 7: right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.

    ---------------------


    Download OTL to your desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • (Vista and Windows 7 users: right-click OTL and choose Run as Administrator)
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Check the boxes beside LOP Check and Purity Check.
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

    When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

    Attach both of these logs into your next reply.
     
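    As an added example (not part of Kestrel13!'s reply or any of the tools named above), the read-only PowerShell triage below checks the three symptoms poozie reports from a normal Windows session: tool names saved with a double extension, user folders marked hidden, and folders the account is denied from listing. The folder list and the desktop path are assumptions; adjust them for the account in question.

    ```powershell
    # Added example, not from the thread. Read-only triage; run from an elevated
    # PowerShell prompt on Windows 7 or later. Assumed paths: edit $Folders as needed.
    $Folders = @(
        "$env:USERPROFILE\Documents",
        "$env:USERPROFILE\Music",
        "$env:USERPROFILE\Pictures",
        "$env:USERPROFILE\Videos",
        "$env:APPDATA",
        "$env:ProgramFiles",
        "${env:ProgramFiles(x86)}"
    )

    # 1. Names like SAS.exe.exe on the desktop. With "Hide extensions for known
    #    file types" enabled, Explorer shows them as SAS.exe, which is the confusion
    #    in the thread. The pattern is a heuristic and will also list e.g. a.2012.txt.
    Get-ChildItem -Path "$env:USERPROFILE\Desktop" -Force |
        Where-Object { -not $_.PSIsContainer -and
                       $_.Name -match '\.[A-Za-z0-9]{2,4}\.[A-Za-z0-9]{2,4}$' } |
        Select-Object Name, Length, LastWriteTime

    # 2. For each folder: hidden attribute, whether a listing succeeds, and any
    #    explicit Deny entries in its ACL (the usual cause of "Access is denied"
    #    on folders the user owns).
    foreach ($f in $Folders) {
        if (-not (Test-Path -LiteralPath $f)) { continue }
        $item   = Get-Item -LiteralPath $f -Force
        $hidden = ($item.Attributes -band [IO.FileAttributes]::Hidden) -ne 0
        try {
            $null   = Get-ChildItem -LiteralPath $f -Force -ErrorAction Stop
            $access = 'OK'
        } catch {
            $access = 'DENIED'
        }
        $denies = @()
        try {
            $denies = (Get-Acl -Path $f).Access |
                Where-Object { $_.AccessControlType -eq 'Deny' } |
                ForEach-Object { "$($_.IdentityReference)=$($_.FileSystemRights)" }
        } catch { $denies = @('(ACL not readable)') }
        New-Object PSObject -Property @{
            Folder   = $f
            Hidden   = $hidden
            Listing  = $access
            DenyACEs = ($denies -join '; ')
        }
    }
    ```

    The script changes nothing; it only reports what to look at, so the actual unhiding and ACL repair stay with the tools and logs the helper asks for.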
  4. poozie

    poozie Private E-2

    I'm not being allowed to download files now. I get a warning msg window that says "Windows has determined that this file (which is anything I try to download) could be potentially harmful to your computer" then says something about not letting it download or be opened or saved or anything.

    I will see if I can find another computer to access the file.

    As far as the .zip file, when I browse to the folder and click on it, it simply opens to show the list of docs inside and that other file. Am I missing some incredibly obvious way to get this .zip file to upload??

    If I don't answer right away it's because I work out in the forest and don't have access close by, so it might be a day or two before I get back to you, but I really appreciate your help!!
     
  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Don't navigate to the zip file first... simply go to attach it here and THEN navigate to the zip file to attach to your post here.

    Try using SAFE BOOT MODE instead. Any luck? Attach what you already have though. (The MGlogs.zip I presume?)
     
