Zeroaccess and cant change windows firewall

Hi

My laptop has been overheating for a long time (8 months), I am pretty sure it is just a clogged fan system as I use it in a dusty environment however i have had my suspicions.

Recently Avira started reporting zeroaccess (a few days ago), subsequent running of avira (free edition) scan removed a couple of virus's initially but after that scan runs failed to identify anything.

After this everytime i logged in avira would block zeroaccess although it would never show in the scans.

I updated malwarebytes and ran a full scan (log attached) which found and removed zero access and numerous other malware (29 i think). Zero access no longer showed up with avira and subsequant scans with malwarebytes were clean.

After this I still could not change the windows firewalls settings. I tried importing the reg for BFE and fire wall and activating though system.msc however this failed when activating the windows firewall service.

I got desperate and did what I probably shouldnt have .. .followed a post on removing zero access without reading all the readmes... I ran combofix (didnt change any settings or use scripts), ran tdskiller with default actions... then ran avenger (same again and no scripts).

I still couldnt change the firewall settings so I decided to do the right thing and follow the readme at this site... step by step...

logs attached....

(is combofix still running? i am not sure... should i have uninstalled it before following the steps?).

I need help to:
1) see if there is still anything bad on my computer...
2) get the firewall back under my control
3) make sure I didnt break anything the first time i ran combo etc
4) see if there are any bad processes causing my computer to overheat

Thanks in advance....
I really appreciate any help given

Andrew

 

Hi apologies.... I did attach the files and I am not sure why they are not there.....

I will try again.... hopefully they are attached now?

 

I need to add That:

After reboot I lost internet access
When i opened iexplorer or programs like steam they wouldnt open and would give a wsa error:

I tried instructions on another thread, these were:

"Click Start, and then click Run.
In the Open box, type regedit, and then click OK.
In Registry Editor, locate the following keys, right-click each key, and then click Delete:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2
When you are prompted to confirm the deletion, click Yes.
Close the Registry Editor.

Locate the Nettcpip.inf file in C:\WINDOWS\inf and then open the file in Notepad.
Locate the [MS_TCPIP.PrimaryInstall] section. Change the Characteristics = 0xA0 entry by replacing 0xA0 with 0x80. Save the file. Exit Notepad.
In Control Panel, double-click Network Connections, right-click Local Area Connection, and then select Properties.
On the General tab, click Install, select Protocol, and then click Add.
In the Select Network Protocols window, click Have Disk.
In the Copy manufacturer's files from text box, type C:\WINDOWS\inf, and then click OK.
Select Internet Protocol (TCP/IP), and then click OK. It will report as unsigned, this is the one we want! Do not choose Microsoft TCP/IP v6!

Note This step returns you to the Local Area Connection Properties screen. However, the Uninstall button is now available.
Select Internet Protocol (TCP/IP), click Uninstall, and then click Yes.
You will be asked to reboot your PC for the changes to take affect, go ahead and do this now.

Once you have rebooted...
In Control Panel, double-click Network Connections, right-click Local Area Connection, and then select Properties.
On the General tab, click Install, select Protocol, and then click Add.
In the Select Network Protocols window, click Have Disk.
In the Copy Manufacturer's files from text box, type C:\WINDOWS\inf, and then click OK.
Select Internet Protocol (TCP/IP), and then click OK.
Restart your computer.
Test your Internet connectivity."

I only got as far as deleting the winsock and winsock2.

I couldnt edit the Nettcpip.inf file in C:\WINDOWS\inf as it said I wasnt a trusted installer?? I am administrator!

Still no internet, however programs like steam and iexplorer actually open now.

Please help (if only to stop myself from getting in even more trouble!!)

THanks

Andrew

 

Hi TimW

Thanks again for looking into to this issue..your time it is greatly appreciated

I have done as you said, logs attached.

I now have access to window firewall settings
Still no internet.
Explorer takes ages to start (even if opening the control panel and accessing firewal settings) and has been freezing quite frequently.
computer temprature when nothing running seems to be lower than it used to be but reached 90degrees C when I switched on high performance (I have had to run the computer in power save mode for months) and opened excel and explorer.

Every thing else seems ok.

Thanks again for looking into to this issue..your time it is greatly appreciated

 

Hi

I need to add that the windows explorer problem became so bad that i couldnt even open files in excel etc...

I restarted the computer in safe mode and explorer worked fine ... after this windows explorer appears to work fine now, also excel files etc open ok.

Steam and internet explorer will not open.

thanks

 

Hi

Log attached.

No internet still
Internet explorer wont open

I used the computer for a while after the OTL restart and found it to be slow. So I restarted and got the message "preparing to configure windows please do not turn off the comuter"

once the restart was completed I still found computer to be very slow and eventually mirosoft offic word froze. I attempted to use ctrl alt del and got the message
"logonui.exe was unable to start correctly (0xc00001d) ctrl-alt-del to close the application" then "failure to display security and shutdown process the logon process was unable to display security and logon options when ctrl alt del was pressed. if the operating system does not respond press esc or restart computer using power switch"

I pressed esc.. used shutdown.. which resulted in slow partial shutdown... I had to use the power switch to switch off.

restarted in safe mode.... all ok... restarted normally....

works but still very slow

 

Doh.

Attached now.

 

Hi

No need to apologise, you are doing me the favour.

Attached are the logs

Hope you recover quickly.

 

Hi

Attached are the two new logs.

Computer appears to be running ok since running combofix although I havent had a chance to restart since then.

Still no internet.

I can connect to the network however it says unidentified network no internet access..

Thanks

 

Hi
Sorry I havent got back to you yet. Life got real busy (made even harder by an antagonisingly slow computer!!) but also I wanted to try and work out what was happening with my computer performance so I could give you better feed back.

Some points to note:

After each fresh restart my computer is extremely slow for about 2-4 hours. It will then start performing much better but still slow. I have to restart it in the evenings and get it working by bed time then hibernate it over night so it is useable the next day!

During the slow period numerous errors come up especially when trying ctrl-alt-del. such as "the application was unable to start correctly in safe mode 0xc000014236"

a service "lic.agent?" (cant rememebr what it was called now) continuously starts and stops

computer runs at 37-45 degrees C in safe mode (with no applications open)
Computer runs at 77-85 degrees C in normal mode (with no applications open)(both on power saving setting).

I have just noticed tonight that there were 2656 processes running and remembered that the other night I saw 4100 processes running (but thought i had misunderstood!!).

On checking Resource monitor I saw that 98% physical memory was being used (of 6GB!!!).

I restarted and watched the physical memory steadily get used up over the period of about 10minutes (I took screen shots every minute if you want to see it, it shows the top 10 processes as well). Eventually it settled between 97% and 100%. Services.exe was the largest at 4,904,496 commit kb and 4,721,000 working kb.

After another day of messing around and desperation I investigated the processes running. There were hundreds of "conhost.exe" running and hundreds of processes which started with CWH followed by three or four numbers and letters ending with .tmp (eg CWH588.tmp).

I decided to risk ending the .tmp processes as they seemed the safest to kill (based on my very limited understanding).

eventually I killed all 1300 of them and they inturn ended the conhost.exe processes.

There are now 74 processes running, the temperature is at 60 degrees C (balanced mode not powersave mode), Physical memory usage is at 68% and the computer is refreshingly fast and my stress levels are dropping rapidly.

I hope you can make sense of this and help as soon as possible!!! I am too scared to restart the machine! but at least i have a temporary method of keeping the machine useable!

Many thanks and looking forward to your response!

 

Hi

Attached is the combofix log

Since I killed the 1300 tmp processes restarting the computer has not resulted in the extreme slowness that was happening before (dont know if they are related or not).

The tmp's are still being generated unceasingly but not as quickly.

On further investigation the cwsvc.exe was linked to the temp files (chain)

Pausing the cwsvc.exe stopped the tmp files from being generated (until restart).

During running combofix an error popped up for update.exe... 'illegal operation attempted on a registrey key that has been marked for deletion'

The update.exe was located in the netnanny directory. Netnanny was disabled at the time of running combofix.

The cwsvc.exe sounds like a netnanny file as well (contentwatch is netnanny).

I am happy to uninstal netnanny and reinstall later if you think it will help.

 

Hi

I uninstalled netnanny, this stopped the creation of the temp files.

I re-enabled my wireless network but still no interntet.

Restarted computer.

On restart the computer was very slow and 100% memory used after short time. On investigation it showed svhost.exe(networksrvicenetworkrestricted) continually restarting and ending.

Disabled wireless internet and restarted computer.

No svhost.exe problem. 18% memory usage, computer fast, average 61 degrees C with nothing running. So seems good when network disabled.

So 2 problems in performance remain

1:Svhost file problem (and no internet)

2:Tested running a computer game... (warband mount and blade... lasted for roughly 8 minutes at around 81 degrees C, after another few minutes it overheated - i think this is at 100 degrees C and switced off). Appears that running graphic intensive programs overheat the machine.

(also i noticed you have been thanked 0 times in this thread.. how do I thank!)

 

Hi

Many thanks, I will post in those forums.

So from your side im all clear now?

Certainly running heaps better, I dont have to have fans blowing on it all day now!

Big relief.