zeroaccess infection

[MiuGu]

I have had a zeroaccess trojan on my computer since yesterday. I first tried nortons own removal tool but that did not work and since then the virus has disabled access to norton 360 completely. As of this morning I haven't had any access to my windows in normal mode, all I see is the wallpaper and the virus has had my task manager disabled from the get go.

I have however been able to run norton npe in safe mode, which found one iteration of the virus but didn't remove it completely. I've also followed your instructions apart from two, that I can think of, exceptions.

#1: I couldn't disable my norton 360 because I've no access to it in normal mode and in safemode seems to prevent the running of the program

#2: Also I can't uninstall java, I've 6.0 update 26, when I try to uninstall it it says windows installer coulnd't be accessed. I can uninstall other programs

The required logs should be all attached

RRlogs.txt

MGlogs.zip

ComboFix.txt

SUPERAntiSpyware Scan Log - 03-10-2012 - 09-57-07.log

[MiuGu]

mbam-log-2012-03-10 (10-00-07).txt

and there's the final log.

Thanks in advance for any help.

[thisisu]

Hi and welcome to Major Geeks, MiuGu!

I want you to read and follow these instructions: TDSSKiller - How to run


Please download aswMBR to your desktop.

• Double-click aswMBR.exe to run (Vista/7 right-click and select Run as Administrator)
• Select No when asked "Would you like to download latest Avast! virus definitions?"
• Click the [Scan] button.
• On completion of the scan click [Save log], save it to your desktop and attach this log to your next message. (How to attach)

Please update MBAM.
Run another Quick Scan.
Attach the latest log. (How to attach)

Please download RogueKiller to your desktop.

Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
When it opens, press the Scan button
When it is finished, there will be a log on your desktop called: RKreport[1].txt
Attach RKreport[1].txt to your next message. (How to attach)

[MiuGu]

Thanks for the quick reply.

Ran all the checks, but the problem still persists. Didn't do anything with the roguekiller check results since you only specified a scan.

[thisisu]

Re-scan with TDSSKiller with the parameters you used before.
This time if sptd appears, delete it!
Then attach the latest TDSSKiller log. (How to attach)

Please download OTL by OldTimer.

• Save it to your desktop.
• Double click on the OTL icon on your desktop.
• Check the "Scan All Users" checkbox.
• Check the "Standard Output".
• Change the setting of "Drivers" and "Services" to "All"
• Copy the text in the code box below and paste it into the text-field.
  
  Code:

  activex
  netsvcs
  /md5start
  afd.sys
  i8042prt.sys
  ipsec.sys
  netbt.sys
  svchost.exe
  tcpip.sys
  /md5stop
  %windir%\$ntuninstallkb*. /30
  %windir%\system32\drivers\*.sys /lockedfiles
  %windir%\*.* /mp
  %windir%\*.* /rp
  %windir%\*.* /sl
  %systemdrive%\mgtools\*.*

• Now click the button.
• One report will be created:
  • OTL.txt <-- Will be opened
• Attach OTL.txt to your next message. (How to attach)

[MiuGu]

Thanks for an other quick reply. Ran both scans, deleted the file and windows booted in normal mode. Taskmanager opens normally. Malwarebytes detected and blocked outbound traffic almost as soon as I started IP-BLOCK 222.64.16.59 (Type: outgoing)

Also removed java

[thisisu]

Hi,

Are you having trouble with PS/2 keyboard and mouse?

Your logs are clean for the most part as I am not seeing any actual malware to remove.

[MiuGu]

Both my keyboard and mouse are usb and there's no trouble at my end either.

Thanks for all the help

[thisisu]

Quote:

Originally Posted by MiuGu

Both my keyboard and mouse are usb and there's no trouble at my end either.

Thanks for all the help

No problem.

Here are a few things I recommend doing before we cleanup.

Please download Disable/Remove Windows Messenger to your desktop.

• Double-click MessengerDisable.exe to run it.
• Place checkmarks in "Uninstall Windows Messenger" and "Hide Messenger from Outlook Express"
• Click Apply
• Click Exit

Now install the current version of Sun Java from: jre-7u3-windows-i586.exe

As far as the PS/2 keyboard and mouse goes, the service and files required for it are missing. This is most likely due to the rootkit. We could restore them if you wanted to (just incase you ever needed to use PS/2 kb/mouse), I leave this decision up to you.

__

If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /uninstall
     • Notes: The space between the combofix" and the /uninstall, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
3. Go back to step 6 of the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to add/remove programs and uninstall HijackThis if it present
8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
   related to MGtools and some other items from our cleaning procedures.
9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
   • Refer to the cleaning procedures pointed to by step 7 of the READ ME
     for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work through the below link:
    • How to Protect yourself from malware!

Be safe

[MiuGu]

I doubt I'll ever use a PS/2 mouse/kb so installing the drives would be pretty pointless.

I presume using combofix means when you drag&drop a text file on it? Even though I didn't do that do I still have to uninstall combofix?

I think that's about it thanks a lot for your help.

[thisisu]

Quote:

Originally Posted by MiuGu

Even though I didn't do that do I still have to uninstall combofix?

Yes.

Quote:

Originally Posted by MiuGu

I think that's about it thanks a lot for your help.

You're welcome