Malware Removal Malware removal forum. Please see the READ ME FIRST thread before you post. Forum is staffed by a small number of volunteers, please be patient.


#1
08-03-12, 21:49
safetydave
Repeated attempts by Zeroaccess.b Trojan today

May have other issues; have attached HijackThis log for suggestions.
Attached Files
File Type: log hijackthis.log (13.0 KB, 4 views)
#2
08-04-12, 13:40
TimW (MajorGeeks Administrator - Jedi Malware Expert)
Re: Repeated attempts by Zeroaccess.b Trojan today

Please do the below so that we can boot to System Recovery Options to run a scan. There will be two options to choose from. One if you do not have your Windows 7 boot DVD and another when you have your DVD.

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Option1: Enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

Option2: Enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Quote:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please attach this file to your next reply. (See: How to attach)
__________________
Major cake licker.
YCLAHTW, BYCMHD!!

Major Geeks on Facebook

Major Geeks Newsletter
#3
08-05-12, 09:03
safetydave
Re: Repeated attempts by Zeroaccess.b Trojan today

Tim
I appreciate your reply
Farbar Recovery Scan Tool Log File Attached
Attached Files
File Type: txt FRST.txt (25.6 KB, 7 views)
#4
08-05-12, 11:09
safetydave
Re: Repeated attempts by Zeroaccess.b Trojan today

Tim, I also noticed that this laptop has not had a Windows update since 4/13/12. When I went to the Windows Update program, it would not update because:
Windows Update cannot currently check for updates, because the service is not running. You may need to restart your computer.
Windows updates are set to install automatically.
I cannot view update history.
#5
08-05-12, 14:56
TimW (MajorGeeks Administrator - Jedi Malware Expert)
Re: Repeated attempts by Zeroaccess.b Trojan today

Save fixlist.txt to your flash drive.
  • You should now have both fixlist.txt and FRST.exe on your flash drive.

Now reboot back into the System Recovery Options as you did previously.
Run FRST and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt).
Please attach this to your next message. (See how to attach)

Now boot into normal Windows and continue with the below.

Running MGTools.
Attached Files
File Type: txt Fixlist.txt (639 Bytes, 6 views)
#6
08-18-12, 16:29
safetydave
Re: Repeated attempts by Zeroaccess.b Trojan today

Tim:
I was able to complete the fix with Farbar Recovery Tool and attached the Fixlog.txt as requested.
I installed MGTools.exe and ran the program successfully. I attached the MGlogs.zip as requested.
#7
08-19-12, 06:27
Kestrel13! (Super Malware Fighter - Major Dilemma)
Re: Repeated attempts by Zeroaccess.b Trojan today

Logs did not attach.
__________________
Have we been helpful and you would like to show your gratitude? Support MajorGeeks

Majorgeeks Geek Wear. Hats, T-Shirts, Hoodies

“The truth is, everyone is going to hurt you. You just got to find the ones worth suffering for.”
#8
08-19-12, 07:13
safetydave
Re: Repeated attempts by Zeroaccess.b Trojan today

Apologies
Logs attached
Attached Files
File Type: zip MGlogs.zip (253.9 KB, 5 views)
File Type: txt Fixlog.txt (950 Bytes, 1 views)
#9
08-19-12, 13:53
TimW (MajorGeeks Administrator - Jedi Malware Expert)
Re: Repeated attempts by Zeroaccess.b Trojan today

Please run CCleaner and clean out your temp folders.

Tell me what issues you may still have, if any.
#10
09-01-12, 08:24
safetydave
Re: Repeated attempts by Zeroaccess.b Trojan today

Tim
I ran CCleaner; the laptop has been running much better, no more malware alerts.
Installing the full versions of Malwarebytes and SUPERAntiSpyware has helped a lot. I appreciate your help.

I attached a rkill.txt file after running rkill.exe today that indicates ZEROACCESS rootkit symptoms found!
However when I checked the address in the registry the entry was not there.
Please advise
Attached Files
File Type: txt Rkill.txt (3.1 KB, 5 views)
#11
09-01-12, 13:36
TimW (MajorGeeks Administrator - Jedi Malware Expert)
Re: Repeated attempts by Zeroaccess.b Trojan today

Extract bfe.reg to your desktop.
Double-click BFE.reg and allow it to merge into the registry. If you get a "successfully merged into registry" type of message, reboot your PC and see if you can turn on BFE, or if it is already turned on.

You can run these commands from the command prompt.
  • net start bfe
  • sc qc bfe


Now re-run RogueKiller and attach the log.
#12
09-02-12, 00:07
safetydave
Re: Repeated attempts by Zeroaccess.b Trojan today

Tim
Thank you for your reply
I got a "successfully merged into registry" type of message, rebooted PC, but was not able to turn on BFE after running the following from the command prompt:
net start bfe
sc qc bfe
I attached screen shots of two different error messages I received while trying to start BFE.
Safetydave
Attached Images
File Type: jpg BFE could not be started.jpg (23.3 KB, 4 views)
File Type: jpg BFE Set to Automatic - unable to start.jpg (53.5 KB, 3 views)
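As an added example (not part of this thread, and not from FRST, rkill, RogueKiller or any other tool named here), the PowerShell below does what the net start bfe and sc qc bfe commands above do and also shows why a start fails: it reads the service's registry key (the configuration sc qc prints) and that key's permissions, finds the DLL behind an svchost-hosted service and checks its signature, then asks sc.exe to start the service and decodes the Win32 error code sc.exe returns, which net start hides behind generic text. The service list (RpcSs, BFE, MpsSvc, wuauserv) is an assumption taken from the services this thread discusses. It needs an elevated PowerShell 3.0 or later prompt.

```powershell
# Added example, not from the forum thread. Diagnose services that will not
# start (BFE here). Run from an elevated PowerShell 3.0+ prompt on Windows 7
# or later, as 64-bit PowerShell on a 64-bit system.

# Assumption: these are the services the thread talks about. RpcSs is first
# because BFE depends on it, and MpsSvc (Windows Firewall) depends on BFE.
$ServicesToCheck = @('RpcSs', 'BFE', 'MpsSvc', 'wuauserv')

function Get-ServiceDiagnosis {
    param([Parameter(Mandatory = $true)][string]$Name)

    $key    = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $result = [ordered]@{ Name = $Name }

    if (-not (Test-Path -LiteralPath $key)) {
        # The whole service key is gone: what rkill lists as a missing service.
        $result.Verdict = 'SERVICE KEY MISSING'
        return [pscustomobject]$result
    }

    # Key permissions. Infections strip SYSTEM/Administrators from service keys
    # so the Service Control Manager cannot read them; a "Reset Registry
    # Permissions" style repair exists for exactly this case.
    try {
        $acl = Get-Acl -Path $key -ErrorAction Stop
        $result.KeyOwner  = $acl.Owner
        $result.KeyAccess = ($acl.Access | ForEach-Object {
            "$($_.IdentityReference)=$($_.RegistryRights)" }) -join '; '
    } catch {
        $result.KeyOwner = 'ACCESS DENIED reading ACL'
    }

    $props      = Get-ItemProperty -LiteralPath $key
    $startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
    $result.StartType = if ($null -ne $props.Start) { $startNames[[int]$props.Start] } else { '(no Start value)' }
    $result.ImagePath = $props.ImagePath
    $result.DependsOn = ($props.DependOnService -join ', ')

    # svchost-hosted services keep the real binary in Parameters\ServiceDll.
    $dll = (Get-ItemProperty -LiteralPath "$key\Parameters" -ErrorAction SilentlyContinue).ServiceDll
    if ($dll) {
        $path = [Environment]::ExpandEnvironmentVariables($dll)
        $result.ServiceDll = $path
        if (Test-Path -LiteralPath $path) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            # Catalog-signed system DLLs report NotSigned on Windows 7; verify
            # those with sigcheck -a or signtool verify /a instead.
            $result.DllSignature = "$($sig.Status) $($sig.SignerCertificate.Subject)"
        } else {
            $result.DllSignature = 'FILE MISSING'
        }
    }

    # sc.exe start returns the Win32 error as its exit code.
    $null = & sc.exe start $Name 2>&1
    $result.StartResult = switch ($LASTEXITCODE) {
        0    { 'start requested OK' }
        1056 { 'already running (1056)' }
        1058 { 'ERROR_SERVICE_DISABLED (1058): Start value is 4, set it to 2 or 3' }
        1068 { 'ERROR_SERVICE_DEPENDENCY_FAIL (1068): fix the DependsOn services first' }
        1053 { 'ERROR_SERVICE_REQUEST_TIMEOUT (1053): the service binary never reported running' }
        5    { 'ERROR_ACCESS_DENIED (5): check KeyAccess and that the prompt is elevated' }
        default { "sc.exe exit code $LASTEXITCODE" }
    }
    $result.Status = (Get-Service -Name $Name -ErrorAction SilentlyContinue).Status

    [pscustomobject]$result
}

$ServicesToCheck | ForEach-Object { Get-ServiceDiagnosis -Name $_ } | Format-List
```

Read the output top down: a 1068 on BFE while RpcSs shows Running, or an ACCESS DENIED in KeyOwner/KeyAccess, points at the service key's permissions rather than the service itself; FILE MISSING or an unexpected signer on bfe.dll points at the file; SERVICE KEY MISSING means the registration has to be restored (the .reg import in this thread) before any start attempt can succeed.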
#13
09-02-12, 13:33
TimW (MajorGeeks Administrator - Jedi Malware Expert)
Re: Repeated attempts by Zeroaccess.b Trojan today

Delete the BFE.reg file that exists on your desktop. Download this one to the same location.
BFE.reg


Now, boot into safe mode please to carry out the next set of instructions.

  • Now please click Start, and type regedit into the search box.
  • You should see a regedit.exe and icon appear in the Programs area of the Start Menu.
  • Right click on regedit.exe and select Run As Administrator
  • Then in the Registry Editor menu click File and select Import.
  • Navigate to the BFE.reg file saved to your Desktop and double click it. Allow it to be added to the registry.

Back into normal mode now -
Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
  • Now run Repair_Windows.exe by double clicking on it (if you are running Vista or Win 7, use right click and select Run As Administrator)
  • Now select the Start Repairs tab.
  • Then click the Start button.
  • Create a System Restore point if prompted.
  • On the next screen, click the Unselect All button to first deselect all repairs.
  • Now select the following repair options:
    • Reset Registry Permissions
    • Reset File Permissions
    • Register System Files
    • Repair WMI
    • Repair Windows Firewall
    • Remove Policies Set By Infections
    • Repair Winsock & DNS Cache
    • Repair Proxy Settings
    • Repair Windows Updates
    • Set Windows Services To Default Startup
  • Now on the lower right side check the box to Restart/Shutdown System When Finished
  • Then make sure the Restart System radio button is enabled.
  • Shutdown any other programs that you are running now before continuing.
  • Now click the Start button.
  • Be patient while the tool repairs the selected items.
  • It should reboot automatically when finished.

After reboot, check to see if your firewall is working.
Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.
#14
09-03-12, 01:37
safetydave
Re: Repeated attempts by Zeroaccess.b Trojan today

Tim
Thank you
Ran regedit.exe as admin, was able to import BFE.reg.
BFE never would start in safe or normal mode.
Windows repair went ok - mglogs.zip attached.
Ran rkill64, log attached:
* ALERT: ZEROACCESS rootkit symptoms found!
* HKEY_CLASSES_ROOT\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32 [ZA Reg Hijack]
Safetydave
Attached Files
File Type: zip MGlogs.zip (281.9 KB, 4 views)
File Type: pdf BFE cannot be started in safe mode.pdf (83.0 KB, 0 views)
File Type: txt Rkill.txt (2.9 KB, 5 views)
#15
09-03-12, 08:53
TimW (MajorGeeks Administrator - Jedi Malware Expert)
Re: Repeated attempts by Zeroaccess.b Trojan today

Your logs look good. All the services are now running. Use RogueKiller to remove that last item. Then tell me how things are running for you.
#16
09-03-12, 09:40
safetydave
Re: Repeated attempts by Zeroaccess.b Trojan today

Thanks Tim
Not sure how to use RogueKiller to remove "ZEROACCESS rootkit symptoms found!"
When I run RogueKiller it does not seem to remove it.
I deleted the item using regedit, not sure if I should have done that.
#17
09-03-12, 15:05
TimW (MajorGeeks Administrator - Jedi Malware Expert)
Re: Repeated attempts by Zeroaccess.b Trojan today

Quote:
Originally Posted by safetydave
I deleted the item using regedit, not sure if I should have done that.
That should have worked. Re-run RogueKiller and attach the new log.
#18
09-03-12, 21:37
safetydave
Re: Repeated attempts by Zeroaccess.b Trojan today

Tim
Thank you
I see no change in the roguekiller log.
I attached it along with a screen shot of the registry location in question.
Is it possible that roguekiller is mistaken?
Gratefully
Safetydave
Attached Images
File Type: jpg ZeroAccess Rootkit Registry Location.jpg (96.8 KB, 2 views)
Attached Files
File Type: txt Rkill.txt (2.9 KB, 8 views)
#19
09-04-12, 05:40
Kestrel13! (Super Malware Fighter - Major Dilemma)
Re: Repeated attempts by Zeroaccess.b Trojan today

Hello there. This is looking quite a mess. According to the rkill log you have lots of missing services. Then when I check other logs, it says some of those services are ok, so let's do this for now please.
Quote:
Is it possible that roguekiller is mistaken?
(You have been running rkill, not RogueKiller!!!)

SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :reg
    HKEY_CLASSES_ROOT\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32 /s
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
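The SystemLook query above reads back the registry entry rkill flagged. The PowerShell below is an added example, not part of this thread and not from rkill, RogueKiller or SystemLook; it performs the same lookup and then judges what the InprocServer32 default value points at. It checks HKLM and HKCU separately because HKEY_CLASSES_ROOT is a merged view in which a per-user entry under HKCU\Software\Classes overrides the machine-wide one, so a hijack placed there is invisible if only HKLM is inspected. The CLSID is the one from the thread; the heuristics (a target outside System32, a device path, an unsigned or non-Microsoft file) are assumptions of this example rather than anything the tools in the thread report, and a KEY MISSING result is what the manual regedit deletion earlier in the thread would leave behind. Run it in 64-bit PowerShell 3.0 or later.

```powershell
# Added example, not from the forum thread, rkill or SystemLook. Inspect the
# InprocServer32 registration of one CLSID in every hive that feeds the merged
# HKEY_CLASSES_ROOT view and judge whether the target looks hijacked.
# Run in 64-bit PowerShell 3.0+ (a 32-bit shell would see Wow6432Node instead).

$Clsid = '{42aedc87-2188-41fd-b9a3-0c966feabec1}'   # the CLSID rkill flagged in this thread

function Test-InprocServer32 {
    param([Parameter(Mandatory = $true)][string]$Clsid)

    # HKCR merges these two; HKCU wins when both exist, so check both explicitly.
    $hives = [ordered]@{
        'HKCU' = "HKCU:\Software\Classes\CLSID\$Clsid\InprocServer32"
        'HKLM' = "HKLM:\SOFTWARE\Classes\CLSID\$Clsid\InprocServer32"
        'HKCR' = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    }

    foreach ($hive in $hives.Keys) {
        $key    = $hives[$hive]
        $report = [ordered]@{ Hive = $hive; Key = $key }

        if (-not (Test-Path -LiteralPath $key)) {
            # No entry in this hive. For HKCU that is the normal state; for
            # HKLM/HKCR it means the registration was deleted (as was done by
            # hand in this thread) and the component cannot load until its
            # owning DLL is re-registered.
            $report.Verdict = if ($hive -eq 'HKCU') { 'absent (normal)' } else { 'KEY MISSING' }
            [pscustomobject]$report
            continue
        }

        $props   = Get-ItemProperty -LiteralPath $key
        $default = $props.'(default)'
        $report.DefaultValue   = $default
        $report.ThreadingModel = $props.ThreadingModel

        if ([string]::IsNullOrWhiteSpace($default)) {
            $report.Verdict = 'EMPTY default value'
            [pscustomobject]$report
            continue
        }

        $path    = [Environment]::ExpandEnvironmentVariables($default.Trim('"'))
        $sys32   = Join-Path $env:SystemRoot 'System32'
        $reasons = @()

        # Heuristic (assumption of this example): a hijack points the CLSID at a
        # DLL outside System32, sometimes via a device path such as \\.\globalroot\...
        if ($path -match '^\\\\\.\\|^\\\?\?\\') { $reasons += 'device/NT object path' }
        elseif (-not $path.StartsWith($sys32, [StringComparison]::OrdinalIgnoreCase)) { $reasons += "target outside $sys32" }
        if ($hive -eq 'HKCU') { $reasons += 'per-user override of a machine-wide class' }

        if (Test-Path -LiteralPath $path) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            $report.Signature = $sig.Status
            $report.Signer    = $sig.SignerCertificate.Subject
            switch ($sig.Status) {
                'Valid'     { if ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') { $reasons += 'not Microsoft-signed' } }
                # Catalog-signed system DLLs show NotSigned on Windows 7; confirm with sigcheck -a.
                'NotSigned' { $reasons += 'no embedded signature (verify against the catalog with sigcheck -a)' }
                default     { $reasons += "signature status $($sig.Status)" }
            }
        } else {
            $reasons += 'target file not found on disk'
        }

        $report.Verdict = if ($reasons) { 'SUSPICIOUS: ' + ($reasons -join '; ') } else { 'looks legitimate' }
        [pscustomobject]$report
    }
}

Test-InprocServer32 -Clsid $Clsid | Format-List
```

If HKLM shows KEY MISSING after a manual deletion, the default value comes back by re-registering the DLL that owns the class (regsvr32 on the System32 DLL the entry should point to); which DLL that is should be read from a known-clean machine of the same Windows version rather than guessed. A HKCU entry that exists at all for a machine-wide shell class deserves a look even when the file it points to is signed.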
#20
09-04-12, 21:58
safetydave
Re: Repeated attempts by Zeroaccess.b Trojan today

Kestrel13!
I appreciate your attention to the details that I missed and for trying to help.
I am not as well versed as I should be with malware removal.
I followed your instructions hope I used the correct software this time!
Safetydave
Attached Files
File Type: txt SystemLook.txt (698 Bytes, 4 views)