Trouble w/ poss ZeroAccess rootkit (WinXP)

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by aaron_kgs, Sep 27, 2013.

  1. aaron_kgs

    aaron_kgs Private E-2

    Any assistance is greatly appreciated.

    Desktop PC, a Nobilis (Equus) build of Win XP Pro 2002 SP2 on a workstation.
    Some tech experience, not an expert, but willing to follow instructions.
    Have been following the thread for "Windows XP Malware Removal/Cleaning Procedure". http://forums.majorgeeks.com/showthread.php?t=139313
    Did everything in order as told in that thread, or so I think.

    During an unsupervised installation of OpenOffice, an employee tried an uninstall that then caused many problems, just about making the pc useless. Problems occurred immediately following the attempted uninstall. 09/27/13. Unsure if original program installed was a genuine copy of OpenOffice.

    Folder icons for system stuff, like control panel and mycomputer and many others have been replaced by a generic icon, anti-virus program is disabled (unable to re-enable), firewall disabled (windows won't allow a re-enable), add/remove programs in control panel remains blank (unable to uninstall anything from that location as no programs appear), the 'all programs' menu in the START menu is disabled (cannot scroll programs), cannot access system restore (even in the system32 folder), and the list goes on. Cannot install most executables.

    Roguekiller ran as instructed. Log included.

    Malwarebytes tried to run/install. Got error msg preventing install right at end of progress. Code: 0x80040154 Class not registered. Run time error '372' Failed to load control 'WebBrowser' from ieframe.dll. Something about being outdated.
    No log, couldn't run program.

    TDSSKiller ran as instructed. Log included.

    Hitman Pro ran as instructed. Log included.

    MGtools ran as instructed with some resistance; however, it did finish. Log/Zip included.

    I'm really not interested in trying to re-install the OS as there is no optical drive and I'm not familiar with Windows OS installs from USB.

    Thanks for the help.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    There are a few things to fix but let's first work on the ZeroAccess infection before doing anything else.


    • Exit any programs that you may have started. Shutdown protection software too.
    • Please disconnect any USB or external drives from the computer before you run this scan!
    • Rerun RogueKiller (if running Vista, Win7, or Win8, right-click and select Run as Administrator to run; for WinXP and Win 2K just double-click to run)
    • Wait until Prescan has finished
    • Then Click on "Scan" button
    • Wait until the Status box shows "Scan Finished"
    • Click on "Delete"
    • Wait until the Status box shows "Deleting Finished"
    • Click on "Report" and attach the content of the Notepad into your next reply.
    • The log should be found in a new RKreport[x].txt on your Desktop
    • Exit/Close RogueKiller and reboot your PC.
    • After reboot attach the above RogueKiller log.
    • Now uninstall >> Search Protect by conduit
    • Now run new scans with RogueKiller and also Hitman Pro. Save the new logs and attach them too.
     
  3. aaron_kgs

    aaron_kgs Private E-2

    Roguekiller logs from before and after the scan/delete. 2 from before and 1 from after.

    Was able to uninstall the Search Protect by conduit in the C:\Documents and Settings\current_user\Application Data\Search_Protect folder.


    After the scan/delete/reboot, in RK, MS Anti-Virus (msseces.exe & msmpeng.exe) shows up in the system tray again, apparently working. However, under C:\Documents and Settings\All Users\Application Data\Conduit --- there was another similar Search Protect file structure, and I was unable to get the uninstaller located in that folder to run.

    Rebooted, ran Hitman Pro, ignored results. Log attached.

    Making progress. Updated and running (currently) a full scan in MS Security Essentials; also trying to dump the Temp Files thru a disk cleanup (in progress, very slow).

    -Thank you-
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Looks much better but more to do.



    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select any of the following lines that still remain (some may be gone already) but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
    O2 - BHO: Installl Converter - {6ec74131-08b2-4f67-a9bc-5914ef1edb97} - C:\Program Files\Installl_Converter\prxtbInst.dll
    O3 - Toolbar: Installl Converter Toolbar - {6ec74131-08b2-4f67-a9bc-5914ef1edb97} - C:\Program Files\Installl_Converter\prxtbInst.dll
    O4 - HKLM\..\Run: [SearchProtectAll] C:\Program Files\SearchProtect\bin\cltmng.exe
    O4 - HKCU\..\Run: [SearchProtect] C:\Documents and Settings\ARSIMS5\Application Data\SearchProtect\bin\cltmng.exe
    O4 - HKUS\S-1-5-21-1887795725-247674877-3292285946-1005\..\Run: [SearchProtect] C:\Documents and Settings\ARSIMS5\Application Data\SearchProtect\bin\cltmng.exe (User '?')
    O23 - Service: Search Protect by Conduit Updater (CltMngSvc) - Conduit - C:\Program Files\SearchProtect\bin\CltMngSvc.exe

    After clicking Fix, exit HJT.

    Please download OTM by Old Timer and save it to your Desktop.
    • Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
      (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
      the code box
    Code:
    :Processes
    explorer.exe
    
    :Services
    CltMngSvc
     
    :Files
    C:\Documents and Settings\ARSIMS5\Local Settings\Temporary Internet Files\Content.IE5\GYIC2NZ9\SPSetup[1].exe
    C:\Documents and Settings\ARSIMS5\Application Data\PriceGong
    C:\Documents and Settings\ARSIMS5\Application Data\SearchProtect
    C:\Documents and Settings\ARSIMS5\Local Settings\Application Data\Conduit
    C:\Documents and Settings\All Users\Application Data\Conduit
    C:\Program Files\Conduit
    C:\Program Files\SearchProtect
    
    :Reg
    [-HKEY_USERS\S-1-5-21-1887795725-247674877-3292285946-1005\Software\Conduit]
    [-HKEY_USERS\S-1-5-21-1887795725-247674877-3292285946-1005\Software\Smartbar]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{70D6D89D-919E-4D15-97CE-76818771D422}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6ec74131-08b2-4f67-a9bc-5914ef1edb97}]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "SearchProtectAll"=-
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large [IMG] button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
    saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
    this log file to your next message.

    Now please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note: JRT may reset your home page to a Google default, so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • the JRT.txt log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
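    As an added example, not code from the thread or from HijackThis itself, here is a small Python parser for the O2/O3/O4/O23 line formats quoted above. It uses those quoted lines as its sample input and groups them the way a helper reads such a log: registrations whose backing file is gone, one CLSID registered as both a BHO and a toolbar, and the files and services the entries point at.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Sample input: the HijackThis lines quoted in the reply above, copied as-is.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: Installl Converter - {6ec74131-08b2-4f67-a9bc-5914ef1edb97} - C:\Program Files\Installl_Converter\prxtbInst.dll
O3 - Toolbar: Installl Converter Toolbar - {6ec74131-08b2-4f67-a9bc-5914ef1edb97} - C:\Program Files\Installl_Converter\prxtbInst.dll
O4 - HKLM\..\Run: [SearchProtectAll] C:\Program Files\SearchProtect\bin\cltmng.exe
O4 - HKCU\..\Run: [SearchProtect] C:\Documents and Settings\ARSIMS5\Application Data\SearchProtect\bin\cltmng.exe
O23 - Service: Search Protect by Conduit Updater (CltMngSvc) - Conduit - C:\Program Files\SearchProtect\bin\CltMngSvc.exe
"""

@dataclass
class HjtEntry:
    section: str            # HJT section: O2 (BHO), O3 (toolbar), O4 (Run key), O23 (service)
    name: str               # display name, Run value name, or service short name
    clsid: Optional[str]    # COM CLSID for O2/O3 entries, else None
    path: Optional[str]     # backing file; None when HJT reports "(no file)"

def parse_line(line: str) -> Optional[HjtEntry]:
    """Parse one HijackThis result line; returns None for blank lines and other sections."""
    section, _, rest = line.partition(" - ")
    if section in ("O2", "O3"):
        # "BHO: <name> - {CLSID} - <path>"  /  "Toolbar: <name> - {CLSID} - <path>"
        parts = [p.strip() for p in rest.partition(": ")[2].rsplit(" - ", 2)]
        if len(parts) != 3:
            return None
        name, clsid, path = parts
        return HjtEntry(section, name, clsid, None if path == "(no file)" else path)
    if section == "O4":
        # "<hive>\..\Run: [<value name>] <command line>"
        m = re.match(r"[^:]+: \[(?P<name>[^\]]+)\] (?P<cmd>.+)", rest)
        return HjtEntry(section, m.group("name"), None, m.group("cmd")) if m else None
    if section == "O23":
        # "Service: <display name> (<short name>) - <company> - <path>"
        desc, _, path = rest.partition(": ")[2].rpartition(" - ")
        display = desc.rpartition(" - ")[0]            # drop the company field
        short = re.search(r"\(([^()]+)\)\s*$", display)
        return HjtEntry(section, short.group(1) if short else display, None, path)
    return None

def triage(log_text: str) -> dict:
    """Summarise a log: orphaned CLSIDs, CLSIDs registered in more than one
    section, the services listed, and the distinct files the entries point at."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e is not None]
    by_clsid: dict = {}
    for e in entries:
        if e.clsid:
            by_clsid.setdefault(e.clsid.lower(), []).append(e.section)
    return {
        "orphaned": [e.clsid for e in entries if e.path is None],
        "shared_clsids": {c: s for c, s in by_clsid.items() if len(s) > 1},
        "services": [e.name for e in entries if e.section == "O23"],
        "files": sorted({e.path for e in entries if e.path}),
    }
```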
     
  5. aaron_kgs

    aaron_kgs Private E-2

    The other day, I had run a virus scan and the following was found and removed:

    trojanDROPPER:win32/sirefef
    trojan:win32/sirefef!cfg

    Also, was finally able to dump the temp files thru a disk cleanup.

    That was a couple days ago. Today, I did the following:

    Ran MGtools analyse.exe

    FIXED ---O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

    FIXED ---O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)

    FIXED ---O2 - BHO: Installl Converter - {6ec74131-08b2-4f67-a9bc-5914ef1edb97} - C:\Program Files\Installl_Converter\prxtbInst.dll

    FIXED ---O3 - Toolbar: Installl Converter Toolbar - {6ec74131-08b2-4f67-a9bc-5914ef1edb97} - C:\Program Files\Installl_Converter\prxtbInst.dll

    NOT FOUND IN SCAN RESULTS --O4 - HKLM\..\Run: [SearchProtectAll] C:\Program Files\SearchProtect\bin\cltmng.exe

    NOT FOUND IN SCAN RESULTS --O4 - HKCU\..\Run: [SearchProtect] C:\Documents and Settings\ARSIMS5\Application Data\SearchProtect\bin\cltmng.exe

    NOT FOUND IN SCAN RESULTS --O4 - HKUS\S-1-5-21-1887795725-247674877-3292285946-1005\..\Run: [SearchProtect] C:\Documents and Settings\ARSIMS5\Application Data\SearchProtect\bin\cltmng.exe (User '?')

    NOT FOUND IN SCAN RESULTS --O23 - Service: Search Protect by Conduit Updater (CltMngSvc) - Conduit - C:\Program Files\SearchProtect\bin\CltMngSvc.exe

    After that I went to run OTM and got a system error message. Screenshots of the error message are attached (try to ignore the weird desktop in the background). Unable to run under any circumstances.

    I went ahead and ran JRT, log attached.

    Also ran MGtools/GetLogs.bat; MGlogs.zip is attached.

    As far as how things are running, no appreciable change. Icons are still jacked, some programs just won't open, the Add/Remove Programs in the Control Panel is still just a blank icon with no description. Unable to add/remove because the program list does not populate. Start Menu still won't allow me to scroll thru programs. System Restore, in safe mode, will bring up a window, but it stays blank, just blank white. So, I'd say that things are just about where they were the other day.

    Unsure why Malwarebytes and OTM have both received error messages and were unable to run.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No it did not remove it. That is what we fixed in my first fix to you. And it was successfully removed along with all the junctions it created.


    Now even though OTM did not run properly, the other steps finished removing the other junk.


    They should not be the same. According to your logs, things should be significantly better now because the infection had been removed. If it is not better then we have to check to make sure that somehow you did not get reinfected. Please run new scans with both Hitman Pro and also RogueKiller and attach the new logs.


    There is still some apparent damage to the Windows Firewall service and some other services. So let's run the below in an attempt to fix these problems.


    Run the C:\MGtools\NetFWfix.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator). This will run very quickly and you may just notice a quick flash of a black command prompt window.

    Be patient while doing the below. The fixes can sometimes take quite a while to run, especially the permissions repairs. It may be best to kick it off and go to bed or do something else. It is better not to run anything while the repairs are going on.


    Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now run Repair_Windows.exe by double clicking on it ( if you are running Vista or Win 7, use right click and select Run As Administrator)
    • Now select the Start Repairs tab.
    • Then click the Start button.
    • Create a System Restore point if prompted.
    • On the next screen, click the Unselect All button to first deselect all repairs.
    • Now select the following repair options:
      • Reset Registry Permissions
      • Reset File Permissions
      • Register System Files
      • Repair WMI
      • Repair Windows Firewall
      • Remove Policies Set By Infections
      • Repair Winsock & DNS Cache
      • Repair Proxy Settings
      • Repair Windows Updates
      • Set Windows Services To Default Startup
    • Now on the lower right side check the box to Restart/Shutdown System When Finished
    • Then make sure the Restart System radio button is enabled.
    • Shutdown any other programs that you are running now before continuing.
    • Now click the Start button.
    • Be patient while the tool repairs the selected items.
    • It should reboot automatically when finished.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\MGlogs.zip
     
  7. aaron_kgs

    aaron_kgs Private E-2

    ran RK and HitmanPro, logs attached

    ran NetFWfix.bat

    Ran Windows Repair and when I get to the Start Repairs tab, I get a BSOD. Three or four times. Error msg: "Stop C0000021a (fatal system error) The Windows Subsystem process was terminated unexpectedly"... and some more error codes. Then, within Windows Repair, I ran checkdisk (after a restart). Then I was able to run Windows Repair and get to the Start Repairs tab without Windows crashing.
    Ran Windows Repair -> Start Repairs tab -> selected only those you had suggested + Icon Repair
    During the repair process I was getting an error message pretty consistently each time a new repair would run, something about a Remote Process Connection, nevertheless everything finished.
    After a restart, lost ICS; also Windows Firewall acted like it wanted to start, and then crashed/stalled. Internet connectivity has been lost. The machine seems to be speedier than before, but now no internet, still no firewall, unable to get System Restore to function (blank white window), and Start Menu still doesn't function correctly.

    Ran GetLogs.bat logs attached.

    Reran RK, log attached

    Without internet, I didn't run HitmanPro again

    Running out of ideas, I tried re-running OTM (which wouldn't work before) and now it worked. OTM log attached.
    Still no internet and so on.
     

    Attached Files:

  8. aaron_kgs

    aaron_kgs Private E-2

    Screenshots of ICS/Firewall fail attached
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Uninstall Microsoft Security Essentials and then reboot your PC into safe mode to do the below. NOTE: If it does not uninstall, stop right here and tell me. Do not continue until it is uninstalled.

    Now, in safe boot mode, rerun Windows Repair as previously requested. Only run the repairs I ask for and nothing else. If it does not run properly, do not try it a second time. Just stop and tell me the exact word-for-word errors (if any) that you see.

    If Windows Repair ran okay, make sure that you have rebooted after running it but reboot in normal mode now and continue with the below.


    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: (no name) - {6ec74131-08b2-4f67-a9bc-5914ef1edb97} - (no file)
    O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

    After clicking Fix, exit HJT.


    Now please download Farbar Service Scanner and run it on the computer with the issue.
    • Put a check mark in each option box on the left side.
    • Click "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please attach this log to your next reply.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • FSS.txt
    • C:\MGlogs.zip
     
  10. aaron_kgs

    aaron_kgs Private E-2

    Can't get MS Security Essentials to uninstall. See Screenshot. Can't find an uninstaller anywhere, not able to do it thru the control panel, so the only option was suggested to me by someone who knows more than I. That would be at this link -- http://go.microsoft.com/?linkid=9748340

    Repeat, can not figure out how to uninstall MS Security Essentials.
    Microsoft's uninstaller at the link above did not work. See screenshot.
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay then let's skip trying to uninstall MSE for now but do you have problems installing programs in general?


    Let's continue with the below steps.


    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: (no name) - {6ec74131-08b2-4f67-a9bc-5914ef1edb97} - (no file)
    O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

    After clicking Fix, exit HJT.


    Now boot into safe mode and rerun Windows Repair as previously requested. Only run the repairs I ask for and nothing else. If it does not run properly, do not try it a second time. Just note the exact error messages and tell me the exact word-for-word errors (if any) that you see. However, still continue with the below.

    Reboot your PC now into Normal Boot mode.


    Now please download Farbar Service Scanner and run it on the computer with the issue.
    • Put a check mark in each option box on the left side.
    • Click "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    Please attach this log to your next reply.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • FSS.txt
    • C:\MGlogs.zip
     
