rootkit.zeroaccess is frustrating me - please help =(

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by realized, Feb 12, 2012.

  1. realized

    realized Private E-2

    I have tried everything I could think of, from Kaspersky Rescue Disk to TDSSKiller and everything in between.

    Currently I'm on the computer in question (I need to run ComboFix to get online); once I reboot, I will lose internet until I run ComboFix again =(

    Logs below...

    Also, I have Virus.Win32.ZAccess.c (not sure if it's the same thing).
    Please help =(
     


  2. realized

    realized Private E-2

    More logs
     


  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Why are you running your PC with no protection software?

    Did you put in the below very poor choice of name for a startup procedure?
    O4 - Startup: PRINTER.lnk = C:\map****er.bat



    Now download The Avenger by Swandog46, and save it to your Desktop.

    See the download links under this icon
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now please download Farbar Service Scanner and run it on the computer with the issue.
    • Put a check mark in each option box on the left side.
    • Click "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please attach this log to your next reply.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\avenger.txt
    • the FSS.txt log
    • C:\MGlogs.zip
     
  4. realized

    realized Private E-2

    New logs. Thanks for all your help!
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please answer my questions from my previous message.

    Also copy the below file:
    C:\WINDOWS\system32\dllcache\netbt.sys

    To the below folder:
    C:\WINDOWS\system32\drivers

    Then reboot your PC. After reboot, make sure the C:\WINDOWS\system32\drivers\netbt.sys file still exists. Also tell me if you are still having any problems.
     
  6. realized

    realized Private E-2

    The .bat file is legitimate; it maps a printer.

    Copied netbt.sys over; on reboot the file is still in C:\WINDOWS\system32\drivers.
    Still no access to the internet, still have ZeroAccess =(

     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I strongly suggest that you change the name to avoid having it deleted by scanning programs.

    But you missed my question about no protection.

    Let's get a new log.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).



    Then attach the below logs:
    • C:\MGlogs.zip
     
  8. realized

    realized Private E-2

    New logs.

    This computer had OfficeScan (I think ver. 10?) before this; it's since been removed.

    Screenshot: Webroot's ZeroAccess remover finds it. Before I posted on here, this program along with others would "fix" the problems it finds, only for them to reappear on reboot.

    Also, I maybe should note that the "infected" files would jump around after Webroot's remover would "fix the problem"; for example, one minute it was afd.sys, and on reboot it would be cdrom.sys, etc.
     


    Last edited: Feb 12, 2012
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That looks incorrect since Farbar Service Scanner showed the afd.sys file to be valid but we will copy one from dllcache anyway.

    What I saw was that your netbt.sys file was missing. Now I see the registry entry for it is also missing.


    Let's use ComboFix to add back in your netbt service key
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running ComboFix you discover none of your programs will open up because you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then you will need to reboot your computer, which will normally fix this problem.

    Now rerun Farbar's Service Scanner tool to create a new FSS.txt log.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • the new FSS.txt log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  10. realized

    realized Private E-2

    ComboFix started up, detected Rootkit.ZeroAccess and something about it being hidden in the TCP stack, then it errored:

    rmbr.3xe has encountered a problem in modname ntdll.dll.

    Then ComboFix said it needed to reboot and it might take some time. It's rebooting now and ComboFix is doing its thing... stages...
     
  11. realized

    realized Private E-2

    Still can't get online. When I go to a command prompt and run "ipconfig", I get an "internal error, request not supported" message.
     


  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    1. Go to Start ==> Run (or Windows key+R)
      • Type the following in the run box and click OK: notepad c:\windows\inf\nettcpip.inf
        (note that there is space after notepad)
      • The above file will open in the notepad.
      • Under TCP/IP Primary Install section find the following: Characteristics = 0xA0
      • Edit 0xA0 and replace it with 0x80 (replace A with 8)
      • Under File menu click Save and close the notepad.
    2. Go to Start ==> Control Panel. Double-click Network Connections. Right-click Local Area Connection, and select Properties.
      • On the General tab, click Install a popup window opens.
      • Select Protocol from the list and then click Add.
      • A new window opens, click Have Disk....
      • In the browse... box type c:\windows\inf
      • Click OK.
      • Select Internet Protocol (TCP/IP), and then click OK.
      • On the Local Area Connection Properties screen select Internet Protocol (TCP/IP) and click Uninstall, and then click Yes.
      • Wait until it asks to restart, and then restart as requested. Continue with the below after restarting.
    3. Go to Start ==> Run (or Windows key+R)
      • Type the following in the run box and click OK: notepad c:\windows\inf\nettcpip.inf
        (note that there is space after notepad)
      • A file opens in the notepad. Under TCP/IP Primary Install section find the following: Characteristics = 0x80
      • Edit 0x80 and replace it with 0xA0 (replace 8 with A)
      • Under File menu click Save and close the notepad.
    4. Go to Start ==> Control Panel. Double-click Network Connections. Right-click Local Area Connection, and select Properties.
      • On the General tab, click Install
      • A popup window opens. Select Protocol.
      • A new popup window opens. Select Internet Protocol (TCP/IP), and then click OK.
      • Wait until it asks to restart, and then restart as requested. Continue with the below after restarting.
    5. After restart please run Farbar Service Scanner again and save the fss.txt log to attach below.
    6. Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

      Then attach the below logs:
      • the new fss.txt log from Farbar's Service Scanner
      • C:\MGlogs.zip
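    The two Notepad edits in steps 1 and 3 above flip one bit in a flags field, so the same change can be made mechanically. The script below is an added example for this thread, not Microsoft's code and not one of the tools used here. In a network-class INF, Characteristics is a bitmask of NCF_* flags: 0xA0 is NCF_HAS_UI (0x80) together with NCF_NOT_USER_REMOVABLE (0x20), and clearing 0x20 leaves 0x80, which is what makes the Uninstall button appear for TCP/IP. The section name [MS_TCPIP.PrimaryInstall] and the SAMPLE_INF text are assumptions constructed for the demo; only the first Characteristics line inside that section is touched, and every other byte of the file is preserved.

```python
"""Toggle NCF_NOT_USER_REMOVABLE on the Characteristics line of an INF section.

Added example, not from the original thread and not Microsoft's code.
0xA0 = NCF_HAS_UI (0x80) | NCF_NOT_USER_REMOVABLE (0x20); clearing 0x20 gives
0x80 and lets the Network Connections UI offer Uninstall, setting it again
restores 0xA0. The section name and SAMPLE_INF are assumptions/constructed.
"""
import re
import sys

NCF_NOT_USER_REMOVABLE = 0x20   # hides "Uninstall" for the component
NCF_HAS_UI = 0x80               # component has a Properties UI
SECTION = "MS_TCPIP.PrimaryInstall"   # assumed section name in nettcpip.inf

# indent, Characteristics, '=', 0x<hex>, optional trailing ';' comment
_CHAR_RE = re.compile(r"^(\s*Characteristics\s*=\s*)0x([0-9A-Fa-f]+)(\s*(?:;.*)?)$")


def set_user_removable(inf_text, removable, section=SECTION):
    """Return (new_text, old_value, new_value).

    Only the first Characteristics line inside [section] changes; line
    endings, comments and other sections are kept byte for byte.
    Raises ValueError if the section or the line is not present.
    """
    lines = inf_text.splitlines(keepends=True)
    in_section = False
    for i, line in enumerate(lines):
        body = line.rstrip("\r\n")
        stripped = body.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_section = stripped[1:-1].lower() == section.lower()
            continue
        if not in_section:
            continue
        m = _CHAR_RE.match(body)
        if not m:
            continue
        old = int(m.group(2), 16)
        new = old & ~NCF_NOT_USER_REMOVABLE if removable else old | NCF_NOT_USER_REMOVABLE
        eol = line[len(body):]
        lines[i] = f"{m.group(1)}0x{new:02X}{m.group(3)}{eol}"
        return "".join(lines), old, new
    raise ValueError(f"no Characteristics line found in [{section}]")


# Constructed stand-in for nettcpip.inf (not the real file's contents).
SAMPLE_INF = (
    "[Version]\r\n"
    'Signature="$Windows NT$"\r\n'
    "Class=NetTrans\r\n"
    "\r\n"
    "[MS_TCPIP.PrimaryInstall]\r\n"
    "Characteristics = 0xA0\r\n"
    "AddReg = MS_TCPIP.PrimaryInstall.Reg\r\n"
    "\r\n"
    "[MS_TCPIP.Other]\r\n"
    "Characteristics = 0xA0   ; must stay untouched\r\n"
)

if __name__ == "__main__":
    # Usage: python inf_toggle.py [path\to\nettcpip.inf] [removable|locked]
    if len(sys.argv) >= 2:
        path = sys.argv[1]
        want = len(sys.argv) < 3 or sys.argv[2] == "removable"
        raw = open(path, "rb").read()
        # INF files on XP are ANSI or UTF-16 LE with BOM; latin-1 round-trips ANSI bytes exactly
        enc = "utf-16" if raw.startswith(b"\xff\xfe") else "latin-1"
        text, old, new = set_user_removable(raw.decode(enc), want)
        open(path, "wb").write(text.encode(enc))
        print(f"{path}: 0x{old:02X} -> 0x{new:02X}")
    else:
        text, old, new = set_user_removable(SAMPLE_INF, True)
        print(f"sample: 0x{old:02X} -> 0x{new:02X}")
        print(text)
```

    Run it once with "removable" before step 2 and once with "locked" after step 3, so the protected-file state is restored; the edit is idempotent, so running it twice in the same direction changes nothing.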
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Oh, and one more question. Why does MBRcheck show the below for your MBR

    Code:
     
        232 GB  \\.\PhysicalDrive0   Windows 2008 MBR code detected
    
    rather than a Windows XP MBR
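    What MBRcheck reduces to that one line is a comparison of the first bytes of the boot-sector code against known families. The script below is an added example for this thread, not MBRcheck's code and not from any tool used here. It reads sector 0 (a file, a disk image, or \\.\PhysicalDrive0 when run as Administrator), checks the 0x55AA signature, parses the four partition entries, hashes the 440 bytes of boot code so two drives can be diffed, and matches the code prefix against two prefixes I know from clean installs: the 2000/XP/2003 MBR and the Vista/2008/7 MBR, the latter being what a "Windows 2008 MBR code" verdict on an XP box means. Those prefixes are an assumption to verify against your own reference disks; an "unknown" result is a prompt to compare against a known-good image, not proof of infection. The sample sectors are constructed.

```python
"""Identify the bootstrap code in a 512-byte MBR, as MBRcheck's one-line verdict does.

Added example, not MBRcheck's code and not from the thread. Prefixes are an
assumption (check against reference images); sample sectors are constructed.
"""
import hashlib
import struct
import sys

# First bytes of clean MBR boot code (assumption; verify against known-good disks).
KNOWN_PREFIXES = [
    (bytes.fromhex("33C08ED0BC007CFB5007501FFCBE1B7C"), "Windows 2000/XP/2003 MBR code"),
    (bytes.fromhex("33C08ED0BC007C8EC08ED8BE007CBF00"), "Windows Vista/2008/7 MBR code"),
]
BOOT_CODE_LEN = 440          # bytes 0..439; disk signature and partition table follow
PART_TABLE_OFF = 0x1BE
_ENTRY = struct.Struct("<BBBBBBBBII")   # flag, CHS start(3), type, CHS end(3), LBA, sectors


def parse_partitions(sector):
    """Return the non-empty partition entries as dicts."""
    parts = []
    for n in range(4):
        f = _ENTRY.unpack_from(sector, PART_TABLE_OFF + 16 * n)
        flag, ptype, lba, count = f[0], f[4], f[8], f[9]
        if ptype == 0 and count == 0:
            continue
        parts.append({"index": n, "bootable": flag == 0x80, "type": ptype,
                      "start_lba": lba, "sectors": count,
                      "size_gib": round(count * 512 / 2 ** 30, 2)})
    return parts


def classify_mbr(sector):
    """Return signature validity, code family, boot-code hash, disk signature, partitions."""
    if len(sector) < 512:
        raise ValueError("need a full 512-byte sector")
    sector = bytes(sector[:512])
    code = "unknown MBR code (compare with a known-good image)"
    for prefix, name in KNOWN_PREFIXES:
        if sector.startswith(prefix):
            code = name
            break
    return {
        "valid_signature": sector[510:512] == b"\x55\xAA",
        "code": code,
        "code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, 0x1B8)[0],
        "partitions": parse_partitions(sector),
    }


def _sample(prefix):
    """Constructed sector: given boot-code prefix, one bootable NTFS partition (~232 GiB)."""
    sec = bytearray(512)
    sec[:len(prefix)] = prefix
    _ENTRY.pack_into(sec, PART_TABLE_OFF, 0x80, 1, 1, 0, 0x07, 0xFE, 0xFF, 0xFF, 63, 488392002)
    sec[510:512] = b"\x55\xAA"
    return bytes(sec)


SAMPLE_XP = _sample(KNOWN_PREFIXES[0][0])
SAMPLE_2008 = _sample(KNOWN_PREFIXES[1][0])
SAMPLE_UNKNOWN = _sample(b"\x90" * 16)   # NOP sled: matches no known family


def read_sector(path):
    """Read sector 0 from a file, an image, or \\\\.\\PhysicalDrive0 (needs Administrator)."""
    with open(path, "rb") as f:
        return f.read(512)


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else r"\\.\PhysicalDrive0"
    try:
        sector = read_sector(path)
    except OSError as e:
        print(f"could not read {path} ({e}); showing the constructed XP sample")
        sector = SAMPLE_XP
    r = classify_mbr(sector)
    print(f"{path}: {r['code']}; signature ok: {r['valid_signature']}")
    print(f"  boot code sha256: {r['code_sha256']}")
    for p in r["partitions"]:
        print(f"  #{p['index']} type 0x{p['type']:02X} boot={p['bootable']} "
              f"lba={p['start_lba']} size={p['size_gib']} GiB")
```

    The boot-code hash is the useful part for a case like this one: a "2008" verdict on an XP machine is only a concern if the hash also fails to match a clean Vista/2008/7 MBR, since several repair tools write that newer MBR onto XP disks.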
     
  14. realized

    realized Private E-2

    That I have no idea; this computer is a Dell, installed by them, and came with Windows XP SP3.

    When the logs were being created, nslookup caused an error:

    the ordinal 1108 could not be located in the dynamic link library wsock32.dll

    Right now I'm on the machine and it's online, though I don't have access to network resources (mapped folders etc.); can't access network shares by \\network\name\path either.

    Update: TDSSKiller finds Win32.ZAccess.c in afd.sys.
     


    Last edited: Feb 12, 2012
  15. realized

    realized Private E-2

    I think I know what your next response is going to be (fdisk /mbr? or something like it?). Backing up all documents/important stuff to an external HD.

    If the MBR is the problem, would that explain why every program I run detects it and 'fixes' it, but on reboot it comes back?
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Nope! Because it does not appear to be infected. It is just not a Windows XP MBR, which is probably due to some tool you ran on your own.

    You need to stop doing things on your own and only do what we ask you to do. When you posted your first logs, only a few files in your system32\drivers folder had been touched and changed to new dates, and possibly this was due to the ZA infection. Now every single driver file in this folder has been modified to today's date. What are you doing when not here? If all of these files wind up being infected now, you will have to reinstall from scratch to fix it.

    No, it just means what all malware removal experts know, and that is that NO scanner/tool can fully detect and fix ZeroAccess. They never have. It has always required manual intervention. The best tool thus far has been ComboFix, but even it is very incomplete and there is always residual damage (like no internet access or more) due to the infection even after it has been removed. Your damage seems to be significant. You have many required system services that are no longer running, which is the reason you have the network resource issues you mentioned. We will try to manually start a few down below.



    Now download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now open Repair_Windows.exe
    • Go to Start Repairs tab.
    • Choose "Custom Mode" and press "Start".
    • Create a System Restore point if prompted.
    • In the Custom Mode window, select the following repair options:
      • Repair Windows Firewall
      • Repair Internet Explorer
      • Repair Hosts File
      • Remove Policies Set By Infections
      • Repair Winsock & DNS Cache
      • Repair Windows Updates
    • Now click the Start button.
    • Be patient while the tool repairs the selected items.
    • If asked to reboot the computer for the changes to take effect, make sure other tasks in the program are not still running before accepting to restart.
    Reboot after running Windows Repair.

    Now please download MiniToolBox and save it to your desktop and run it by right clicking and selecting Run As Administrator.


    Checkmark following checkboxes:
    • Flush DNS
    • Report IE Proxy Settings
    • Reset IE Proxy Settings
    • Report FF Proxy Settings
    • Reset FF Proxy Settings
    • List IP configuration
    • List Winsock Entries
    • List Devices -> All
    • List last 10 Event Viewer log
    Press Go and attach the result (Result.txt) that pops up. A copy of Result.txt will be saved in the same directory the tool is run from.

    Now, please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1

    Download Mirror #2
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
      afd.sys
      cdrom.sys
      dhcp.sys
      ipsec.sys
      netbt.sys
      tcpip.sys
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. You can just close this notepad window since the log is already saved on your Desktop. Be patient! It may look like it is not doing anything, but it takes awhile for this to scan thru your whole system look for matches.
    • Please attach the SystemLook.txt log found on your Desktop to next reply.

    Now please click Start, Run and type services.msc into the Run box and click OK. This will open up the Services form. Scroll down to the Application Layer Gateway Service service and double click on it. If the Service status: shows Stopped or Disabled, click the Start button. Does it Start? Make sure that the Startup type is set to Manual.

    Now locate the IPSEC Services service and Start it and set the Startup type to Automatic, Did this Start?

    Now locate the Windows Firewall/Internet Connection Sharing (ICS) service and Start it and set the Startup type to automatic, Did this Start?

    Now locate the Workstation service and Start it and set the Startup type to Automatic, Did this Start?

    Now locate the Computer Browser service and Start it and set the Startup type to Automatic, Did this Start?

    Now locate the Security Center service and Start it and set the Startup type to Automatic, Did this Start?

    Now close the above services forms and reboot your PC. After reboot, get a new log from MGtools and attach it here along with your answers to what happened while trying to start all the above services. Also remember to attach the Results.txt log from MiniRegTool
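    The SystemLook :filefind step above lists every copy of those six drivers with path, size and date, and the remark earlier in this post that every file in system32\drivers now carries today's date is exactly the kind of thing it is meant to surface. The script below is an added example for this thread, not SystemLook's code and not from any tool used here. It walks a tree for the same driver names, records size, mtime and SHA-256 of each copy, and then does the comparison a responder really wants: is the live copy in system32\drivers byte-identical to the protected copy in system32\dllcache? A driver that exists but differs (or is newer than its dllcache twin) is where an in-place driver replacement of the kind described in this thread shows up, and a driver with no copy in the live directory matches the netbt.sys case earlier. The sample tree built by build_sample_tree() is constructed; on a real XP machine run it against C:\WINDOWS. The i386 folder holds compressed .sy_ files, so those are not matched by name and would need expand.exe first.

```python
"""Find every copy of the listed drivers under a root and compare the live one with dllcache.

Added example, not from the thread and not SystemLook's code. build_sample_tree()
creates a constructed XP-like layout for the demo; point audit() at C:\\WINDOWS
on a real machine.
"""
import hashlib
import os
import tempfile
from pathlib import Path

DRIVERS = ["afd.sys", "cdrom.sys", "dhcp.sys", "ipsec.sys", "netbt.sys", "tcpip.sys"]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_copies(root, names=DRIVERS):
    """{name: [record, ...]} for every file under root whose name matches (case-insensitive)."""
    wanted = {n.lower() for n in names}
    hits = {n.lower(): [] for n in names}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower() in wanted:
                p = Path(dirpath) / fn
                st = p.stat()
                hits[fn.lower()].append({"path": str(p), "size": st.st_size,
                                         "mtime": st.st_mtime, "sha256": sha256_file(p)})
    return hits


def audit(root, live_dir, ref_dir, names=DRIVERS):
    """Compare each driver's copy in live_dir with ref_dir. Returns {name: {status, copies}}."""
    live, ref = Path(live_dir).resolve(), Path(ref_dir).resolve()
    report = {}
    for name, recs in find_copies(root, names).items():
        by_dir = {Path(r["path"]).parent.resolve(): r for r in recs}
        l, r = by_dir.get(live), by_dir.get(ref)
        if l is None:
            status = "MISSING from live drivers dir"
        elif r is None:
            status = "no dllcache copy to compare"
        elif l["sha256"] == r["sha256"]:
            status = "matches dllcache"
        else:
            status = "DIFFERS from dllcache"
            if l["mtime"] > r["mtime"]:
                status += " (live copy newer)"
        report[name] = {"status": status, "copies": recs}
    return report


def build_sample_tree(base):
    """Constructed tree: afd.sys tampered, netbt.sys missing, tcpip.sys has no cache copy."""
    drv = Path(base) / "WINDOWS" / "system32" / "drivers"
    cache = Path(base) / "WINDOWS" / "system32" / "dllcache"
    drv.mkdir(parents=True)
    cache.mkdir(parents=True)
    clean = {n: f"clean {n} bytes".encode() for n in DRIVERS}
    for n in ("afd.sys", "cdrom.sys", "dhcp.sys", "ipsec.sys", "netbt.sys"):
        (cache / n).write_bytes(clean[n])
    for n in ("cdrom.sys", "dhcp.sys", "ipsec.sys", "tcpip.sys"):
        (drv / n).write_bytes(clean[n])
    (drv / "afd.sys").write_bytes(clean["afd.sys"] + b"\x00patched")   # tampered live copy
    return str(Path(base))


def run_sample():
    """Build the constructed tree in a temp dir, audit it, return {name: status}."""
    with tempfile.TemporaryDirectory() as d:
        root = build_sample_tree(d)
        rep = audit(root, os.path.join(root, "WINDOWS", "system32", "drivers"),
                    os.path.join(root, "WINDOWS", "system32", "dllcache"))
        return {n: v["status"] for n, v in rep.items()}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:   # e.g. python driver_audit.py C:\WINDOWS
        root = sys.argv[1]
        rep = audit(root, os.path.join(root, "system32", "drivers"),
                    os.path.join(root, "system32", "dllcache"))
    else:
        rep = {n: {"status": s, "copies": []} for n, s in run_sample().items()}
    for n, v in sorted(rep.items()):
        print(f"{n:10s} {v['status']}")
        for c in v["copies"]:
            print(f"    {c['path']}  {c['size']} bytes  sha256={c['sha256'][:16]}...")
```

    A "matches dllcache" result is only as good as dllcache itself, which the same infection can overwrite; when both copies differ from a hash taken on a clean machine with the same service pack, treat the pair as untrusted rather than the live copy alone.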
     
  17. realized

    realized Private E-2

    App layer gateway = started
    IPSEC started

    Windows Firewall didn't start: error 10047: an address incompatible with the requested protocol was used

    Workstation didn't start: error code 2250 "Windows could not start the Workstation on Local Computer"

    Computer Browser didn't start: error 1068, failed dependency

    I don't have a Security Center service?


    During the new log creation, got the "ordinal 1108 could not be located in the dll wsock32.dll" message again (I think while it was doing an nslookup or something?)
     


  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The services you said started appear to have stopped again based on your logs. It seems you have some major issues within Windows itself.


    Click Start, Run, and enter sfc /scannow and click OK. There is a space after the sfc. This runs System File Checker which looks for missing or corrupted system files and attempts to replace/repair them from files on your hard disk or from the CD if necessary. So it will ask for the Windows CD if it needs it.



    Now download SubInACL.msi from Microsoft.
    • Now double click on SubInACL.msi to run the installer. Accept any prompts you get about installing this.
    • Now download the below file and save it to your Desktop:
    • Now double click on resetperm.cmd to run this script. Be patient as this may take awhile to run. Also it is imperative that you Run As Administrator. This is not the same thing as your user account having administrator privileges.
    • Once it finishes, reboot your PC.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    C:\MGlogs.zip
     
  19. realized

    realized Private E-2

    Ran all as requested, rebooted...

    No CD-ROM still (not sure if I mentioned this earlier), though this is trivial compared to other stuff going on.

    But this time, no internet: "limited or no connectivity". Tried to "repair" and it said unable to obtain an IP address.

    Logs below
     


  20. realized

    realized Private E-2

    Oh, also, sfc /scannow took a while to scan (5-10 min?); it was doing something (just a progress bar), but then went away. It didn't ask me for anything, didn't prompt anything. I'm assuming if it needed files it would have grabbed them from \i386, but I'm not sure if it really did anything.
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    When you ran resetperm.cmd, approximately how long did it seem to run for? Was it very fast or did it run for 10 to 20 minutes?

    Earlier you asked about the MBR and backing important data up. Have you backed up your data? We are starting to see more strange MBRs like yours that are for a different version of Windows, and we are starting to think a new form of infection is around. Hence I will be asking you to fix the MBR soon. Do you have your Windows XP boot CD?
     
  22. realized

    realized Private E-2

    The .cmd file went through a lot of stuff; it almost seemed like it ran through 2-3 sets of tests. In the first set I noticed 1 failed, the second like 2, and the third like 1, but it seemed to do some few hundred thousand things and only a few errored.

    I backed up anything needing backup.

    I don't have the disk, but we subscribe to TechNet; can I use Windows XP from there?
     
  23. realized

    realized Private E-2

    Sorry, to answer your question, it ran for sure under 10 minutes, maybe 5-7 minutes or so.
     
    Last edited: Feb 13, 2012
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just use the below procedure to make a special bootable CD and see if you can follow the instructions to get to the Recovery Console command prompt.

    Using ARCDC to get the Recovery Console Command Prompt

    If you can get to the Recovery Console, type in the below commands. The second one will reboot the PC, just remove the CD and boot normally.

    fixmbr
    exit

    After reboot, run a new MBRcheck scan and attach a new log. Let me know if there is any change in system behavior.
     
  25. realized

    realized Private E-2

    Should I make the disk on the infected machine or a clean one? If a clean one, can it be XP SP2?
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It really should not matter which PC you make it on.
     
  27. realized

    realized Private E-2

    Tried with ARCDC (created on another computer) and a Windows XP SP3 ISO (TechNet); both errored:

    STOP 0x0000007B

    ComboFix installed the Recovery Console and it gave an "unable to read" error, press Ctrl+Alt+Del to reboot.

    Back in Windows now, still no internet (and I'm sure the virus is still there, though I haven't run anything since my last instructions).

    Update: I think I found the problem; the BIOS was set up from the factory as "RAID On", though I think it only has one disk in there. Looking into it...

    Update: found this ->
    http://support.microsoft.com/kb/324103

    Boot-Sector Viruses
    You may receive a "Stop 0x0000007B" error message if your computer is infected with a boot-sector virus. If the problem is intermittent and you can start Windows, check your computer for viruses. If you find a virus, also check any floppy disks for viruses before you use them again.

    For a list of antivirus software manufacturers, click the following article number to see the article in the Microsoft Knowledge Base:
    49500 List of Antivirus Software Vendors
    Note You may have to use more than one brand of virus-detection software to detect and remove various viruses.
     
    Last edited: Feb 14, 2012
  28. realized

    realized Private E-2

    Contacted Dell; they advised me to change the BIOS setting to legacy, make changes, and change back...

    Did so without problems.

    Rebooted, and MBRcheck looks better?

    Still, ZeroAccess is detected by ComboFix; internet is back up but services are still dead (Workstation etc.).


    I also re-ran the .cmd file; it ran for like 12 minutes.

    Services still don't start up.

    The Workstation service terminated with service-specific error 2250 (0x8CA).

    The Network Location Awareness (NLA) service terminated with the following error:
    The specified procedure could not be found.

    and a few other services which cannot start because the Workstation service isn't loaded


    New logs below

    According to TDSSKiller, it finds a file, fixes it, and on reboot finds another.
     


  29. realized

    realized Private E-2

    chaslang,

    I'd like to thank you for your time. I think at this point it's better for me to replace the HD and start over.
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Yes you had gotten the MBR to be correct.
    Replacing the hard disk is probably not needed; just a reinstall would likely be okay. There just seemed to be too much residual damage to Windows itself.

    Based on your logs, you may have a Factory Image stored on your hard disk which you may be able to use to restore the system to factory ship state, as long as the malware did not damage this factory image or the ability to use it.
     
