MajorGeeks Support Forums

  #1  
Old 03-10-12, 06:01
MiuGu (Private E-2)

zeroaccess infection

I have had a ZeroAccess trojan on my computer since yesterday. I first tried Norton's own removal tool, but that did not work, and since then the virus has disabled access to Norton 360 completely. As of this morning I haven't had any access to my Windows in normal mode; all I see is the wallpaper, and the virus has had my Task Manager disabled from the get-go.

I have, however, been able to run Norton NPE in safe mode, which found one iteration of the virus but didn't remove it completely. I've also followed your instructions, apart from two exceptions that I can think of.

#1: I couldn't disable my Norton 360 because I've no access to it in normal mode, and safe mode seems to prevent the program from running.

#2: Also, I can't uninstall Java. I've 6.0 update 26, and when I try to uninstall it, it says Windows Installer couldn't be accessed. I can uninstall other programs.

The required logs should all be attached.

RRlogs.txt

MGlogs.zip

ComboFix.txt

SUPERAntiSpyware Scan Log - 03-10-2012 - 09-57-07.log
  #2  
Old 03-10-12, 06:04
MiuGu (Private E-2)

mbam-log-2012-03-10 (10-00-07).txt

and there's the final log.

Thanks in advance for any help.
  #3  
Old 03-10-12, 15:14
thisisu (Malware Consultant)

Hi and welcome to Major Geeks, MiuGu!

I want you to read and follow these instructions: TDSSKiller - How to run


Please download aswMBR to your desktop.
  • Double-click aswMBR.exe to run (Vista/7 right-click and select Run as Administrator)
  • Select No when asked "Would you like to download latest Avast! virus definitions?"
  • Click the [Scan] button.
  • On completion of the scan click [Save log], save it to your desktop and attach this log to your next message. (How to attach)

Please update MBAM.
Run another Quick Scan.
Attach the latest log. (How to attach)

Please download RogueKiller to your desktop.

Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
When it opens, press the Scan button
When it is finished, there will be a log on your desktop called: RKreport[1].txt
Attach RKreport[1].txt to your next message. (How to attach)
  #4  
Old 03-11-12, 04:16
MiuGu (Private E-2)

Thanks for the quick reply.

Ran all the checks, but the problem still persists. Didn't do anything with the RogueKiller check results since you only specified a scan.
Attached Files
File Type: txt mbam-log-2012-03-11 (10-46-34).txt (2.1 KB, 4 views)
File Type: txt RKreport[1].txt (1.3 KB, 2 views)
File Type: txt aswMBR.txt (1.6 KB, 3 views)
File Type: txt TDSSKiller.2.7.19.0_11.03.2012_10.32.11_log.txt (51.8 KB, 6 views)
  #5  
Old 03-11-12, 15:24
thisisu (Malware Consultant)

Re-scan with TDSSKiller with the parameters you used before.
This time if sptd appears, delete it!
Then attach the latest TDSSKiller log. (How to attach)

Please download OTL by OldTimer.
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Check the "Scan All Users" checkbox.
  • Check the "Standard Output".
  • Change the setting of "Drivers" and "Services" to "All"
  • Copy the text in the code box below and paste it into the text-field.
    Code:
    activex
    netsvcs
    /md5start
    afd.sys
    i8042prt.sys
    ipsec.sys
    netbt.sys
    svchost.exe
    tcpip.sys
    /md5stop
    %windir%\$ntuninstallkb*. /30
    %windir%\system32\drivers\*.sys /lockedfiles
    %windir%\*.* /mp
    %windir%\*.* /rp
    %windir%\*.* /sl
    %systemdrive%\mgtools\*.*
  • Now click the button.
  • One report will be created:
    • OTL.txt <-- Will be opened
  • Attach OTL.txt to your next message. (How to attach)
  #6  
Old 03-11-12, 16:06
MiuGu (Private E-2)

Thanks for another quick reply. Ran both scans, deleted the file, and Windows booted in normal mode. Task Manager opens normally. Malwarebytes detected and blocked outbound traffic almost as soon as I started: IP-BLOCK 222.64.16.59 (Type: outgoing).

Also removed Java.
Attached Files
File Type: txt OTL.Txt (298.3 KB, 6 views)
File Type: txt TDSSKiller.2.7.20.0_11.03.2012_22.34.50_log.txt (48.0 KB, 2 views)
  #7  
Old 03-11-12, 17:07
thisisu (Malware Consultant)

Hi,

Are you having trouble with PS/2 keyboard and mouse?

Your logs are clean for the most part as I am not seeing any actual malware to remove.
  #8  
Old 03-11-12, 17:29
MiuGu (Private E-2)

Both my keyboard and mouse are USB, and there's no trouble at my end either.

Thanks for all the help.
  #9  
Old 03-11-12, 17:36
thisisu (Malware Consultant)

Quote from MiuGu:
  Both my keyboard and mouse are USB, and there's no trouble at my end either.

  Thanks for all the help.

No problem.

Here are a few things I recommend doing before we cleanup.

Please download Disable/Remove Windows Messenger to your desktop.
  • Double-click MessengerDisable.exe to run it.
  • Place checkmarks in "Uninstall Windows Messenger" and "Hide Messenger from Outlook Express"
  • Click Apply
  • Click Exit

Now install the current version of Sun Java from: jre-7u3-windows-i586.exe

As far as the PS/2 keyboard and mouse go, the service and files required for them are missing. This is most likely due to the rootkit. We could restore them if you wanted to (just in case you ever needed to use a PS/2 keyboard/mouse); I leave this decision up to you.

__

If you are not having any other malware problems, it is time to do our final steps:
  1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
  2. If we had you use ComboFix, uninstall ComboFix (this uninstall will only work as written if you installed ComboFix on your Desktop like we requested).
    • Click START, then RUN, enter the below into the run box, and then click OK. Note that the quotes are required.
    • "%userprofile%\Desktop\combofix" /uninstall
      • Note: the space between combofix" and /uninstall must be there.
      • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
  3. Go back to step 6 of the READ ME and re-enable your disk emulation software with Defogger if you had disabled it.
  4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
  5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
  6. If running Vista, it is time to make sure you have re-enabled UAC by double-clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
  7. Go to Add/Remove Programs and uninstall HijackThis if it is present.
  8. Go to the C:\MGtools folder and find the MGclean.bat file. Double-click on this file to run the cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
  9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
    • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
    • Then reboot and Enable System Restore to create a new clean Restore Point.
  10. After doing the above, you should work through the below link:
Be safe
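The OTL script in post #5 takes MD5s of afd.sys, i8042prt.sys, ipsec.sys, netbt.sys, svchost.exe and tcpip.sys, system files that rootkits of this era commonly patched or removed, and post #9 notes that the PS/2 (i8042prt) files are missing on this machine. The Python below is an added example, not code from the thread or from OTL: it runs that same baseline comparison and classifies each file as ok, modified or missing, so a missing i8042prt.sys and a patched tcpip.sys both stand out. It assumes a baseline dict of known-good MD5s captured from a clean install of the same Windows build (the demo constructs one in a temp directory) and uses MD5 only because that is the digest OTL reports.

```python
import hashlib
import os
import tempfile

# Files listed between /md5start and /md5stop in the OTL script above.
WATCHED_FILES = ["afd.sys", "i8042prt.sys", "ipsec.sys", "netbt.sys",
                 "svchost.exe", "tcpip.sys"]


def md5_of(path):
    """MD5 of a file, read in chunks. MD5 is used to match OTL's output,
    not for collision resistance."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_files(directory, baseline):
    """Compare each watched file in `directory` against a known-good
    baseline {name: md5}. Returns {name: 'ok' | 'modified' | 'missing'}.
    'missing' matches the absent-PS/2-driver symptom in the thread;
    'modified' is the patched-driver pattern."""
    results = {}
    for name in WATCHED_FILES:
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif md5_of(path) != baseline.get(name):
            results[name] = "modified"
        else:
            results[name] = "ok"
    return results


def demo():
    """Constructed sample: a temp dir stands in for the drivers folder.
    The baseline is computed from clean contents; the 'live' copy has
    i8042prt.sys missing and tcpip.sys patched with two extra bytes."""
    d = tempfile.mkdtemp()
    contents = {n: f"clean contents of {n}".encode() for n in WATCHED_FILES}
    baseline = {n: hashlib.md5(c).hexdigest() for n, c in contents.items()}
    for n, c in contents.items():
        if n == "i8042prt.sys":
            continue  # simulate the missing PS/2 driver
        patch = b"\x90\x90" if n == "tcpip.sys" else b""  # simulate a patch
        with open(os.path.join(d, n), "wb") as f:
            f.write(c + patch)
    return check_files(d, baseline)


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name:14} {state}")
```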
  #10  
Old 03-11-12, 22:41
MiuGu (Private E-2)

I doubt I'll ever use a PS/2 mouse/keyboard, so installing the drivers would be pretty pointless.

I presume using ComboFix means when you drag & drop a text file on it? Even though I didn't do that, do I still have to uninstall ComboFix?

I think that's about it. Thanks a lot for your help.
  #11  
Old 03-11-12, 22:44
thisisu (Malware Consultant)

Quote from MiuGu:
  Even though I didn't do that, do I still have to uninstall ComboFix?

Yes.

Quote from MiuGu:
  I think that's about it. Thanks a lot for your help.

You're welcome.