Rootkit.ZeroAccess inserted itself into the tcp/ip stack

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by nonleague, Apr 8, 2012.

  1. nonleague

    nonleague Private E-2

    I have spent literally hours and hours trying to remove this horrid virus, but with no luck. I have run ComboFix, which informs me that Rootkit.ZeroAccess inserted itself into the TCP/IP stack. I see that this is quite difficult to remove, so I'm in desperate need of you guys!

    It is basically redirecting my searches in Firefox and Explorer and has made the performance of my laptop unbearable, with postgres.exe always running at 50%+. It has also disabled Network Discovery, not allowing me to switch it on to back up files to another PC.

    I have some log files so I will attach these and then take it from there.

    These are the things that I have done so far:

    1) Ran Combofix
    2) Ran Malwarebytes
    3) Ran TDSSKiller
    4) Ran Dr Cureit
    5) Ran Superantispyware
    6) Ran Avira Antivirus Free
    7) Ran MBR Check


    I notice that I have an unknown account that seems to have taken hold of my computer also.

    It will not allow me to install HijackThis or Rootkit Buster. It says it does not have the privileges to access roaming/microsoft/installer/(then shows a big long number).
     
  2. nonleague

    nonleague Private E-2

    It will not allow me to upload the Dr Cureit file, and it still will not allow me to install HijackThis or Rootkit Buster.

    For HijackThis it says the following message:

    The installer has insufficient privileges to access this directory:
    C:\Users\Ali\AppData\Roaming\Microsoft\Installer\{45A6-6726-69BC-466B-A7A4-12FCBA4883D7}
    The installer cannot continue, log on as administrator contact your system administrator.
     

    Attached Files:

    Last edited: Apr 8, 2012
  3. nonleague

    nonleague Private E-2

    Here is the Gooredfix log.

    I have uninstalled Java and have re-installed it.

    This line

    {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} wants to be allowed for use in Firefox extensions, but I did not tick to allow it.

    I cannot locate the Java icon within the Control Panel to flush it.
     

    Attached Files:

    Last edited: Apr 8, 2012
  4. nonleague

    nonleague Private E-2

    I have spent almost 24hrs trying to rid this rootkit, but it's still there, although the postgres eating up all of the CPU has stopped for now. Please can someone help me with this issue, it's driven me insane! :(

    Thanks in advance.
     
  5. nonleague

    nonleague Private E-2

    140 views yet nobody can help me with this? Please someone, if you can help me it would be so greatly appreciated because I have tried literally everything I know and it's still infected. :(
     
  6. thisisu

    thisisu Malware Consultant

    Hello,

    I need to also see the logs from:
    • SUPERAntiSpyware
    • ComboFix
    • MGlogs.zip (from running MGtools)
    Attach these so we can begin :)

    Read the following if you have not already: READ & RUN ME FIRST Malware Removal Guide
     
  7. nonleague

    nonleague Private E-2

    Hi

    The postgres issue has cleared up and the computer is performing so much better, although I'm sure it is still there, as I cannot install HijackThis and still cannot turn on Network Discovery, nor my Windows Firewall.

    I will attach the latest reports for you to read through. Thank you in advance for helping me with this horrible issue.
     

    Attached Files:

  8. nonleague

    nonleague Private E-2

    Here is the latest Malwarebytes report.

    For some reason it will not allow me to upload the Dr Cureit report even though I moved it to the desktop etc.

    I cannot locate the MGtools report. Where should this be located, or what is it named?
     

    Attached Files:

    Last edited: Apr 9, 2012
  9. thisisu

    thisisu Malware Consultant

    c:\MGlogs.zip - attach this entire archive full of logs.
     
  10. nonleague

    nonleague Private E-2

    Here you go. Thank you once again for taking the time to help me with this very frustrating issue. Oh, something I feel I should add: sometime back in March I had a similar problem, but I was able to revert to a restore, which resolved the problem. However, this time the restore that I had dated 4th April was apparently corrupt.

    I must also add that I had unticked a couple of viruses that were showing up before in msconfig (before knowing the rules/guidelines here), and then I manually removed them from the registry location.
     

    Attached Files:

  11. thisisu

    thisisu Malware Consultant

    No problem. I will be able to review these later this evening.
     
  12. nonleague

    nonleague Private E-2

    Okay thank you.
     
  13. thisisu

    thisisu Malware Consultant

    I want to remove the rest of the malware from your PC before we begin trying to repair Windows Firewall and network discovery.

    From Programs and Features (via Control Panel), please uninstall the below:
    • Sophos Anti-Rootkit 1.5.23

    __

    Fixing items using ComboFix
    Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    ClearJavaCache::
    Collect::
    C:\Users\Ali\AppData\Roaming\Microsoft\Windows\Templates\uwqj6cf36dcw5g8s8d
    C:\ProgramData\1863w61.dat
    C:\Windows\System32\drivers\gdccpe.sys
    C:\Windows\System32\drivers\utm5otex.sys
    DDS::
    IE: Free YouTube to MP3 Converter - c:\users\Ali\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
    Trusted Zone: alipay.com
    Trusted Zone: alisoft.com
    Trusted Zone: msn.com\webmessenger
    Trusted Zone: taobao.com
    Driver::
    mcvsrte
    GoToAssist
    btserial
    comhost
    NVR0FLASHDev
    macformatservice
    lxbu_device
    SE27obex
    backupclientsvc
    roxwatch
    mr2kserv
    nisvcloc
    useraccess
    cbidf
    avfilter
    rbfilter
    utm5otex
    FireFox::
    FF - ProfilePath - c:\users\Ali\AppData\Roaming\Mozilla\Firefox\Profiles\695b9z1e.default\
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    File::
    C:\Windows\System32\dds_trash_log.cmd
    c:\windows\system32\D336.tmp
    FileLook::
    C:\Windows\System32\drivers\netbt.sys
    C:\Windows\System32\drivers\tmcomm.sys
    C:\Windows\System32\drivers\tmrkb.sys
    Folder::
    C:\Windows\$NtUninstallKB62280$
    C:\Users\Ali\AppData\Roaming\Azmef
    C:\Users\Ali\AppData\Roaming\Gaoba
    c:\users\Ali\AppData\Roaming\Buoqb
    C:\Program Files\DAEMON Tools Lite
    C:\Program Files\Sophos
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DAEMON Tools Lite
    NetSvc::
    rtl8029
    tangoservice
    DVDVRRdr_xp
    FiltUSBEMPIA
    ipsec
    mcvsrte
    GoToAssist
    btserial
    comhost
    NVR0FLASHDev
    macformatservice
    lxbu_device
    rksample
    npkcusb
    mssql$soshome22
    ATWPKT2
    W700obex
    etoksrv
    cpqarry2
    nipxirmu
    msftpsvc
    AVerTV
    palmusbd
    nvcap
    n3900
    ProcObsrv
    oraclewebassistant
    armoucfltr
    artdhcp
    sbpci
    SE2Emdfl
    se26nd5
    db2licd
    SE27obex
    backupclientsvc
    roxwatch
    mr2kserv
    nisvcloc
    useraccess
    cbidf
    avfilter
    tsircsrv
    scanexplicit
    protexislicensing
    rbfilter
    RegLock::
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    RegNull::
    [HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]
    Registry::
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "FreeCT"=-
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state]
    "startup"=dword:00000000
    [-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MEMSWEEP2]
    [-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\rbfilter]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
    "virtualKeyboard@kaspersky.ru"=-
    "linkfilter@kaspersky.ru"=-
    
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.exe on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)

    Please download RogueKiller to your desktop.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    When it is finished, there will be a log on your desktop called: RKreport[1].txt
    Attach RKreport[1].txt to your next message. (How to attach)

    Please download aswMBR to your desktop.
    • Double-click aswMBR.exe to run (Vista/7 right-click and select Run as Administrator)
    • Select No when asked "Would you like to download latest Avast! virus definitions?"
    • Click the [Scan] button.
    • On completion of the scan click [Save log], save it to your desktop and attach this log to your next message. (How to attach)

    Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
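    As an added example (not part of this thread and not ComboFix's own tooling), here is a small Python parser that splits a CFScript like the one above into its sections and summarises what it would delete, so a script can be reviewed before it is dropped onto ComboFix. The sample script is a constructed excerpt of the one posted above, and the section meanings it assumes (File::/Folder:: delete, Driver::/NetSvc:: remove service entries, FileLook:: only reports on a file) are an assumption drawn from common CFScript usage rather than from this thread.

```python
import re

# Constructed excerpt modelled on the CFScript posted above (names from the thread).
SAMPLE_SCRIPT = r"""KillAll::
Driver::
utm5otex
File::
C:\Windows\System32\dds_trash_log.cmd
FileLook::
C:\Windows\System32\drivers\netbt.sys
Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"FreeCT"=-
[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\rbfilter]
"""

HEADER = re.compile(r"^([A-Za-z]+)::$")          # e.g. "File::"
REG_KEY = re.compile(r"^\[(-?)(HKEY_[^\]]+)\]$")  # "[-" prefix deletes the key
REG_VAL = re.compile(r'^"([^"]+)"=(.*)$')         # '"name"=-' deletes the value

def parse_cfscript(text):
    """Split a CFScript into {section name: body lines}; blank lines and the
    '.' separators used between RegLock:: blocks are dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError("directive before any section header: %r" % line)
        else:
            sections[current].append(line)
    return sections

def review(sections):
    """Summarise what the script would change. Section meanings are ASSUMED from
    common usage: File::/Folder:: delete, Driver::/NetSvc:: remove services, FileLook:: reports."""
    out = {"delete": sections.get("File", []) + sections.get("Folder", []),
           "services": sections.get("Driver", []) + sections.get("NetSvc", []),
           "inspect": list(sections.get("FileLook", [])), "reg_delete_key": [],
           "reg_delete_value": [], "reg_set_value": [], "high_impact": []}
    key = None
    for line in sections.get("Registry", []):
        k, v = REG_KEY.match(line), REG_VAL.match(line)
        if k:
            key = k.group(2)
            if k.group(1) == "-":
                out["reg_delete_key"].append(key)
        elif v and key:
            kind = "reg_delete_value" if v.group(2) == "-" else "reg_set_value"
            out[kind].append(key + "\\" + v.group(1))
    # A wrong deletion under the drivers folder or a Services key can leave the
    # machine unbootable, so flag those for a second look before running.
    for item in out["delete"] + out["reg_delete_key"]:
        if "\\drivers\\" in item.lower() or "\\services\\" in item.lower():
            out["high_impact"].append(item)
    return out
```

    Running review(parse_cfscript(SAMPLE_SCRIPT)) lists netbt.sys under "inspect" rather than "delete", which matches the script above only looking at that file, while the rbfilter service key is flagged as high impact.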
     
  14. nonleague

    nonleague Private E-2

    Hi, please find all of the files that you requested. I would also like to add that since just before you came to help, the Google/Yahoo redirection had stopped, although as I stated it still feels like it is infected.
     

    Attached Files:

  15. nonleague

    nonleague Private E-2

    Quick update

    Laptop seems to be running worse (CPU hitting 60%+ at times) since I followed the last set of instructions.
     
  16. thisisu

    thisisu Malware Consultant

    Run C:\MGtools\analyse.exe by double-clicking it (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Choose "Do a system scan only" and select the following lines but do not click fix until you exit all explorer windows and all browser sessions including the one you are reading in right now:

    1. O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    2. O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    3. O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    After clicking Fix, exit out of Trend Micro HiJackThis - v2.0.4

    Download Norton Removal Tool from here and then run it.
    Reboot afterwards.

    __

    Delete these files highlighted in red:

    • C:\Users\Ali\AppData\Roaming\Microsoft\Windows\Templates\uwqj6cf36dcw5g8s8d
    • C:\ProgramData\1863w61.dat

    __

    Have you tested Windows Firewall out? According to your logs it is running properly.

    Let me know what other problems you are experiencing. The rest of your logs look fine.
     
  17. thisisu

    thisisu Malware Consultant

    I will be able to look through your logs a bit more thoroughly later this evening.

    I noticed you had traces of Trend Micro, Sophos, and Norton; this may be the reason the CPU is spiking.
     
    Last edited: Apr 10, 2012
  18. thisisu

    thisisu Malware Consultant

    Trend Micro removal tool here
    Instructions are there too on how to run it.
     
  19. nonleague

    nonleague Private E-2

    Okay, I have followed everything that you said for me to do. Firewall and Network Discovery are now working (big thank you). CPU seems to be running slightly higher than usual, 30% when idle with only Skype and Firefox first loaded up.

    I wonder if it has anything to do with the Avira free antivirus scanner (I have set this to not be in real-time protection).

    I would like to do a clean-up of all the tools that we have downloaded/installed etc. Can you please advise me on the best way to do this?

    Thank you for helping, it's very much appreciated.
     
  20. thisisu

    thisisu Malware Consultant

    You're welcome :)

    __

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN, enter the below into the run box and then click OK. Note that the quotes are required.
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to Add/Remove Programs and uninstall HijackThis if it is present.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double-click on this file to run the cleanup program, which will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
    Be safe :)
     
  21. nonleague

    nonleague Private E-2

    Hi, I followed all the procedures; however, the only one I cannot do is the one of disabling System Restore and then enabling it, as the link within the guide does not exist.

    Please could you direct me on this issue.

    Many thanks!
     
  22. thisisu

    thisisu Malware Consultant

  23. nonleague

    nonleague Private E-2

    Thank you, I have disabled System Restore. However, I have a question that may sound a bit stupid: I have 2 drives, C and D; my D drive is labelled HP_Recovery, so when enabling, do I enable my C drive, which is where Windows is installed, or do I enable Drive?
     
  24. thisisu

    thisisu Malware Consultant

    Only enable System Restore on the C: partition. ;)
     
  25. nonleague

    nonleague Private E-2

    Okay, thank you, I will do that. Thank you so much for your help, it's greatly appreciated. It seems as though everything is fine, just one file that looks strange to me, and that is called SYSTEM. It does not have any .exe attached to it, and it's in capital letters.

    What is this file?
     
  26. thisisu

    thisisu Malware Consultant

    You're welcome :)

    Where do you see this file?
     
