ZeroAccess - Help Please

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by whammybar, Jul 7, 2012.

  1. whammybar

    whammybar Private E-2

    Hey Guys.

    McAfee recently detected a trojan which it claimed to have stopped. The trojan was persistent, with McAfee stopping it about 8 times. Then a notification came up advising me to reboot. Since then I've had nothing but problems and it all points to ZeroAccess. This was two weeks ago, and at the time I was transferring photos from an SD card, had iTunes running, and some websites up in the background.

    In normal mode I can't access any program including basic system ones. I get 'The specified service does not exist as an installed service'. Everything is now running very slowly, and I can no longer connect to the internet.

    In safe mode it was much the same until I turned off UAC and can now access most programs. This was difficult and required the use of cmd.exe and msconfig as somehow clicking anything needing admin rights did nothing. The internet still doesn't work. Bluetooth and all USB ports no longer function, so I'm using my dvd-rw drive to transfer data.

    Below are the logs I think you need. Hope this is enough info.

    Many Thanks, Gary.
     

    Attached Files:

  2. thisisu

    thisisu Malware Consultant

    Welcome to MajorGeeks, whammybar :)

    From Programs and Features (via Control Panel), please uninstall the below:
    • Java(TM) 6 Update 22
    • Java(TM) 6 Update 26

    __

    Open RogueKiller again.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Once the Scan has finished, press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[3].txt
    Attach RKreport[3].txt to your next message. (How to attach)

    __

    Now turn UAC back OFF.

    __

    Delete these folders if they still exist:
    • C:\Users\Admin\AppData\Local\{f1b23171-63a5-5b72-c014-5aa9b66dee3c}
    • C:\WINDOWS\Installer\{f1b23171-63a5-5b72-c014-5aa9b66dee3c}
    If they are being stubborn to remove, skip this step for now.

    __

    Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now open Repair_Windows.exe
    • Go to the Step 2 tab
      • Press Do It
      • Allow the computer to reboot and perform the check disk.
    • Once the check disk has been completed, go to the Step 3 tab of Windows Repair
      • Press Do It
    • Reboot your computer once again once sfc /scannow has completed.
    • Reopen Windows Repair
    • Go to the Start Repairs tab.
    • Press the Start button
    • Create a System Restore point if prompted.
    • In the Repair Options window, choose the following repairs:
      • Reset Registry Permissions
      • Reset File Permissions
      • Register System Files
      • Repair WMI
      • Repair Windows Firewall
      • Repair Internet Explorer
      • Remove Policies Set By Infections
      • Repair Missing Start Menu Icons Removed by Infections
      • Repair Icons
      • Repair Winsock & DNS Cache
      • Remove Temp Files
      • Repair Proxy Settings
      • Repair Windows Updates
      • Set Windows Services To Default Startup
      • Repair MSI (Windows Installer)
    • Place a checkmark in Restart/Shutdown System When Finished
    • Fill in the Restart System bubble
    • Now click the Start button.
    • Be patient while the tool repairs the selected items. Your computer should automatically restart when finished.

    __

    Please download and run ComboFix and attach its log.
    Read these instructions on how to use it: How to use ComboFix
    Do not uninstall ComboFix yet as we may need it to fix remaining malware issues.

    __

    Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     
  3. whammybar

    whammybar Private E-2

    Hi Thisisu. Thanks for the response.

    I have done everything in your previous post, and will upload the RogueKiller log tomorrow (am using my phone to post this).

    After running ComboFix I tried updating the MGTools logs doing exactly as you said. When I right click C:\MGtools\GetLogs.Bat and click run as admin I get a notification saying 'Illegal operation attempted on a registry key that has been marked for deletion' and nothing else happens.
     
  4. thisisu

    thisisu Malware Consultant

    Reboot your computer and try again.
    This message is a bug by ComboFix.
     
  5. whammybar

    whammybar Private E-2

    Brilliant. MGtools is now updating the logs. As I said before, will upload tomorrow
     
  6. whammybar

    whammybar Private E-2

    These are the next set of logs.

    Thanks
     

    Attached Files:

  7. thisisu

    thisisu Malware Consultant

    Fixing items using ComboFix
    Make sure that ComboFix.exe that you previously downloaded is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    ClearJavaCache::
    File::
    c:\windows\Tasks\PTSchedule.job
    C:\Windows\temp\ehprivjob.log
    C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\RACAA43.tmp
    Folder::
    C:\Users\Admin\AppData\Local\{f1b23171-63a5-5b72-c014-5aa9b66dee3c}
    C:\WINDOWS\Installer\{f1b23171-63a5-5b72-c014-5aa9b66dee3c}
    C:\Windows\49FA793C785E47E993DFBD442B0B45D1.TMP
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ZPdtWzdVitaKey MC3000"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "AntiVirusOverride"=dword:00000000
    "FirewallOverride"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\nsi]
    "DisplayName"="@%SystemRoot%\\system32\\nsisvc.dll,-200"
    "ImagePath"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,00,\
      74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
      00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
      6b,00,20,00,4c,00,6f,00,63,00,61,00,6c,00,53,00,65,00,72,00,76,00,69,00,63,\
      00,65,00,00,00
    "Description"="@%SystemRoot%\\system32\\nsisvc.dll,-201"
    "ObjectName"="NT Authority\\LocalService"
    "ErrorControl"=dword:00000001
    "Start"=dword:00000002
    "Type"=dword:00000020
    "DependOnService"=hex(7):6e,00,73,00,69,00,70,00,72,00,6f,00,78,00,79,00,00,00,\
      00,00
    "ServiceSidType"=dword:00000001
    "RequiredPrivileges"=hex(7):53,00,65,00,43,00,72,00,65,00,61,00,74,00,65,00,47,\
      00,6c,00,6f,00,62,00,61,00,6c,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,\
      67,00,65,00,00,00,53,00,65,00,49,00,6d,00,70,00,65,00,72,00,73,00,6f,00,6e,\
      00,61,00,74,00,65,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,\
      00,00,00,00
    "FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
      00,01,00,00,00,c0,d4,01,00,01,00,00,00,e0,93,04,00,00,00,00,00,00,00,00,00
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\nsi\Parameters]
    "ServiceDll"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,\
      00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
      6e,00,73,00,69,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,00
    "ServiceDllUnloadOnStop"=dword:00000001
    
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.exe on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)

    __

    Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

    __

    Test for internet connectivity and let me know what other problems remain if any.
     
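    The service entries in the CFScript above are written in .reg syntax, with REG_EXPAND_SZ (hex(2)) and REG_MULTI_SZ (hex(7)) values spelled out as comma-separated UTF-16LE bytes, which makes it hard to see what is actually being restored. The following Python script is an added example, not part of this thread and not ComboFix's or the helper's own code: it parses that syntax (including the backslash line continuations) and decodes the nsi service values so a reader can confirm they restore the stock Network Store Interface service definition (svchost.exe in the LocalService group, nsisvc.dll, dependency on nsiproxy). The embedded sample is copied from the script above; the nsi_looks_default check and its expected values are this example's own assumptions about a stock Vista/7 nsi service.

```python
"""Decode hex(2)/hex(7) values from a .reg-style service restore snippet.

Added example (not from the thread, ComboFix or MajorGeeks): parses the
.reg syntax used in the CFScript above and turns the UTF-16LE byte lists
back into readable strings so the restored service definition can be read.
"""
import re

# Sample copied from the CFScript in the post above (nsi service keys only).
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\nsi]
"DisplayName"="@%SystemRoot%\\system32\\nsisvc.dll,-200"
"ImagePath"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,4c,00,6f,00,63,00,61,00,6c,00,53,00,65,00,72,00,76,00,69,00,63,\
  00,65,00,00,00
"Start"=dword:00000002
"Type"=dword:00000020
"DependOnService"=hex(7):6e,00,73,00,69,00,70,00,72,00,6f,00,78,00,79,00,00,00,\
  00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\nsi\Parameters]
"ServiceDll"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,\
  00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  6e,00,73,00,69,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,00
'''

NSI_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\nsi"
NSI_PARAMS_KEY = NSI_KEY + r"\Parameters"


def _join_continuations(text):
    """Merge lines that end with a backslash (the .reg continuation marker)."""
    out, buf = [], ""
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith("\\"):
            buf += stripped[:-1]
            continue
        out.append(buf + stripped)
        buf = ""
    return out


def decode_value(raw):
    """Decode one .reg value: quoted string, dword, or hex(N) byte list."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\")       # un-escape backslashes
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    m = re.match(r"^hex(?:\((\d+)\))?:(.*)$", raw)
    if not m:
        return raw
    kind = int(m.group(1) or 3)                       # bare "hex:" is REG_BINARY
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
    if kind in (1, 2):                                # REG_SZ / REG_EXPAND_SZ
        return data.decode("utf-16-le").rstrip("\x00")
    if kind == 7:                                     # REG_MULTI_SZ, double-NUL end
        return [s for s in data.decode("utf-16-le").split("\x00") if s]
    return data


def parse_reg(text):
    """Return {key_path: {value_name: decoded_value}} for a .reg fragment.

    A key written as [-HKEY_...] is a deletion and is recorded as None.
    """
    result, current = {}, None
    for line in _join_continuations(text):
        if not line:
            continue
        if line.startswith("["):
            path = line.strip("[]")
            if path.startswith("-"):
                result[path[1:]] = None
                current = None
            else:
                current = path
                result[current] = {}
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and current is not None:
            name, raw = m.groups()
            result[current][name] = decode_value(raw)
    return result


def nsi_looks_default(parsed):
    """Assumed stock nsi definition: svchost LocalService group, nsisvc.dll,
    auto start (2), share-process type (0x20), depends on nsiproxy."""
    svc = parsed.get(NSI_KEY) or {}
    params = parsed.get(NSI_PARAMS_KEY) or {}
    return (
        svc.get("ImagePath", "").lower().endswith(r"\svchost.exe -k localservice")
        and params.get("ServiceDll", "").lower().endswith(r"\nsisvc.dll")
        and svc.get("Start") == 2
        and svc.get("Type") == 0x20
        and svc.get("DependOnService") == ["nsiproxy"]
    )


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE)
    for key, values in parsed.items():
        print(f"[{key}]")
        for name, value in (values or {}).items():
            print(f"  {name} = {value!r}")
    print("stock nsi definition:", nsi_looks_default(parsed))
```

Running it prints the decoded ImagePath (%systemroot%\system32\svchost.exe -k LocalService), the ServiceDll (%systemroot%\system32\nsisvc.dll) and the nsiproxy dependency, which is what the error "The specified service does not exist as an installed service" was missing on the affected machine. The same parser handles the nsi.reg patch the helper later attached, since that is plain .reg text too.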
  8. whammybar

    whammybar Private E-2

    After running the script and rebooting everything appears the same. Still very slow (35 secs to load any window), no audio, wrong screen resolution, and no way of connecting to the internet. When trying to connect I still get 'The specified service does not exist as an installed service'.

    Also, when running Getlogs.bat I get a popup...
    ProcessDll.exe - Common Language Runtime Debugging Services
    Application has generated an exception that could not be handled.
     

    Attached Files:

  9. thisisu

    thisisu Malware Consultant

    Hello

    Let's try to repair your internet connection now:

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    • Attached is nsi.zip
    • Inside is nsi.reg
    • Extract nsi.reg onto the desktop of the computer with the issue.
    • Now double-click nsi.reg and allow the registry patch to merge into the Windows registry.
    • If successful, reboot the computer and test if the internet is now working.
     

    Attached Files:

    • nsi.zip (857 bytes)
  10. whammybar

    whammybar Private E-2

    Thanks thisisu. The internet works perfectly, despite the network icon in the taskbar still showing 'the specified service does not exist as an installed service'.

    The other problems (slow loading times, no audio) still exist, so would you like any further logs?
     
  11. thisisu

    thisisu Malware Consultant

    I want you to read and follow these instructions: TDSSKiller - How to run

    __

    Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     
  12. whammybar

    whammybar Private E-2

    Some more logs for you :)
     

    Attached Files:

  13. thisisu

    thisisu Malware Consultant

    Re-scan with TDSSKiller with the parameters you used before.
    This time if sptd appears, delete it! Skip the rest of the detections again.
    Then attach the latest TDSSKiller log. (How to attach)
     
  14. whammybar

    whammybar Private E-2

    Have deleted sptd.
     

    Attached Files:

  15. thisisu

    thisisu Malware Consultant

    Re-scan with TDSSKiller with the parameters you used before.
    This time if NIHardwareService appears, delete it! Skip the rest of the detections again.
    Then attach the latest TDSSKiller log. (How to attach)

    __

    Let me know how the system is running after you have completed this step.
     
  16. whammybar

    whammybar Private E-2

    Most of the problems still exist, such as...
    No audio - 'The audio service is not running' is displayed in the taskbar.
    Very slow accessing any folder within Vista.
    None of the USB ports recognise a flash drive (nothing appears in My Computer)
    When accessing Device Manager via the Control Panel it is completely empty.
     

    Attached Files:

  17. thisisu

    thisisu Malware Consultant

    Your latest logs are clean. These remaining Windows issues you will need to get assistance in the Software or Drivers forum.

    __

    If you are not having any other malware related problems, it is time to do our final steps:
    • Any programs we had you download and/or install can be removed at this time.
    • If we had you download and run ComboFix, here is how to uninstall it:
      • Press and hold the Windows key and then press the letter R on your keyboard.
      • This opens the Run dialog box.
      • Copy and paste the below text inside the text-field:
        • "%userprofile%\desktop\ComboFix" /uninstall
      • Now press ENTER
      • ComboFix will extract its files one last time and you should receive a notification that ComboFix has been uninstalled shortly after.
    • You can re-enable your Disk Emulation software at this time via DeFogger.
    • If we had you create or download a registry patch or "fix" script, these can be deleted at this time.
    • Go into the C:\MGtools folder and run the MGclean.bat file to remove additional traces of our tools.
    • Now we will toggle System Restore to remove any infected system restore points.
    • Lastly, here is a guide to protect you from future infections: How to Protect yourself from malware!
    • Be safe :)
     
  18. whammybar

    whammybar Private E-2

    Brilliant.

    Thanks for your time and effort :)
     
