Trojan zero access rootkit in assembly Gac32 & Gac64.tried some steps still there

[ashleydellingerphoto]

I read several of your posts to other people with this issue & tried some of the steps but I still have it. It was also highjacking my webpages & the firewall was off but those two things are fixed now. The remaining problem is the trojan file stuck in my assembly folder thats hidden. When I run Microsft Security Essentials it catches it but Malware & TDSS killer arent finding it. Malware & MSE upon reboot will show the trojans there again. When I have MSE activly scanning for threats, and it finds that file hidden in assembly I get a popup that says my computer is going to shut down in one minute (its a computer popup wondow & not something from MSE saying to reboot to final clear), as it trys to remove that trojan file it gets 1/16th of the way in before that window pops up that the computers had a problem & is restarting. So far I ran CC Cleaner per instruction listed on similiar thread, I have cleared all my temp files & caches, ran combofix 2 times, ran TDSS, ran maleware several times & tweaking.com Attached is my first & second log from combofix & TDSS & CC CLeaner

[chaslang]

Welcome to Major Geeks!

You did not attach anything.

The instructions that we will need you to follow are below.


Please follow all the instructions in the below link and attach the requested logs from this procedure. Attach them whether anything is found or not. Also do not expect this to fix your problem, we need the logs in order to give you a fix.

READ & RUN ME FIRST. Malware Removal Guide

[ashleydellingerphoto]

here are the logs:

[chaslang]

I'm sorry but those are not the logs requested in the READ AND RUN FIRST. You need to run that procedure and attach the proper logs.

[ashleydellingerphoto]

Here are the requested logs, sorry about that. I had read the Read Me First but apparently didnt pay enough attention the first time around.

[ashleydellingerphoto]

heres the zipped one too, it didnt attatch on the last becuase it had saved as a rar

[chaslang]

Is Webfetti something you knowingly installed and use? Like all other Funweb type products, this is not recommended and frequently tends to slow PCs down.
If you did not install it or don't want it, you should uninstall it now.

There are a few more left overs from your Zero Access infection to remove.
Now we need to use ComboFix

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box into it:

Quote:

ClearJavaCache::
KILLALL::

Folder::
c:\windows\Installer\{a5e51ced-1681-3d6d-8dde-57416694685d}\@
C:\Windows\installer\{a5e51ced-1681-3d6d-8dde-57416694685d}\L
C:\Windows\installer\{a5e51ced-1681-3d6d-8dde-57416694685d}\U
C:\Users\user\AppData\Local\{a5e51ced-1681-3d6d-8dde-57416694685d}
c:\windows\Installer\{a5e51ced-1681-3d6d-8dde-57416694685d}

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

If after running Combofix you discover none of your programs will open up because you recieve the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

[ashleydellingerphoto]

I didnt install Webfetti, it either downloaded itself, was an accident or someone using my computer, likely my sister, is to blame. Ive tried deleting it several times but cant completely get all signs of it off. I dont see signs of it on my Chrome browser but stumble across it in files sometimes and when I right click to delete it says its missing or cannot delete. Can I also add that what you guys are doing here with this is nothing short of amazing. Taking time out of your day to help people who usually did something pretty dumb to be in this situation, my case downloading a keygen....shady keygen i might add....so dumb. Honestly thank you so much. This sure as hell beats unplugging a thousand cords and hauling my crap pc to some store to 'possibly' be fixed. & undoubtedly we are doing the exact same thing they would be doing for $200. The Zip didnt attach so im making a second post to see fit will.

[Kestrel13!]

Sorry for the delay in a response. Chas lang has been extremely busy.

You forgot to attach this that Chas requested: C:\MGlogs.zip

[chaslang]

Quote:

Originally Posted by ashleydellingerphoto

The Zip didnt attach so im making a second post to see fit will.

You cannot attach the same ZIP file until it has changed. You need to run the C:\MGtools\GetLogs.bat program as I requested which will update the MGlogs.zip file with new info. Then you will be allowed to attach it.