Backdoor.Multi.ZAccess.gen

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Max2000, Apr 2, 2012.

  1. Max2000

    Max2000 Private E-2

    Backdoor.Multi.ZAccess.gen

    Can't remove it. Tried getting rid of it using Frst64.exe. Attached log from FRST.
     

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Download this >> View attachment fixlist.txt

    Save fixlist.txt to your flash drive.
    • You should now have both fixlist.txt and FRST64.exe on your flash drive.
    Now reboot back into the System Recovery Options as you did previously.
    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt).
    Please attach this to your next message. (See how to attach)

    Now boot into normal Windows and continue with the below.


    Immediately continue with the below

    READ & RUN ME FIRST. Malware Removal Guide
     
  3. Max2000

    Max2000 Private E-2

    I tried running combofix before I received this message. It seems to have done away with the trojan, but I am now getting BSOD with the error: STOP c0000135 The program can't start because %hs is missing from your computer. Try reinstalling the program to fix the problem. Should I still try this fixlist? I just added a new frst.txt.
     

    Last edited: Apr 2, 2012
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes. And please do not do anything else on your own. You need to only do what we ask you to do and nothing else. Don't download/install...etc unless we ask you to do so.

    So run the fixlist.txt and then run the READ & RUN ME first.
     
  5. Max2000

    Max2000 Private E-2

    It booted up successfully!! You are the wizard!!
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay keep going. Attach the fixlog.txt file and run the READ & RUN ME FIRST.
     
  7. Max2000

    Max2000 Private E-2

    Am still getting Trojan.Gen and BACKDOOR.TROJAN detected in Spyware Doctor.
     

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to continue on with the rest of my instructions.
     
  9. Max2000

    Max2000 Private E-2

    Ok. Doing it now.
     
  10. Max2000

    Max2000 Private E-2

    Ok here are the logs.
     

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Some additional items from the ZeroAccess infection still need to be removed. We will run another FRST fix.


    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {346FDE31-DFF9-418A-90C8-BA31DC9FF2EF} - (no file)
    O3 - Toolbar: (no name) - {2E924F4F-67F0-4BD8-9560-49F468E843D2} - (no file)
    O9 - Extra button: Download videos by Ant.com - {70AF6C9F-0818-4cf7-924A-BBDBB24211D3} - (no file)

    After clicking Fix, exit HJT.


    Download this >> View attachment fixlist.txt

    Save fixlist.txt to your flash drive.
    • You should now have both fixlist.txt and FRST64.exe on your flash drive.
    Now reboot back into the System Recovery Options as you did previously.
    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt).
    Please attach this to your next message. (See how to attach)

    Now boot into normal Windows and continue with the below.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • Fixlog.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
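The three HijackThis lines above are registry registrations (an O2 BHO, an O3 toolbar and an O9 extra button) whose CLSID or executable no longer resolves to a file on disk, which is what "(no file)" means. The script below is an added example, not code from this thread, from HijackThis or from MGtools: it enumerates the same registration points in HKLM (native and Wow6432Node views) and lists every entry whose DLL or Exec path is missing, so a practitioner can see all such leftovers at once instead of reading them out of a HijackThis log. It only reports; the key paths and value names (Browser Helper Objects, Toolbar, Extensions, InprocServer32, Exec, ClsidExtension) are the standard Internet Explorer ones, and HKCU copies of the same keys are not scanned.

```powershell
# Added example, not code from the MajorGeeks thread or from HijackThis.
# Lists Internet Explorer add-on registrations (BHO = HJT "O2", Toolbar = "O3",
# Extensions / extra buttons = "O9") whose CLSID or Exec path resolves to a file
# that is no longer on disk, i.e. the "(no file)" entries seen in the thread.
# Read-only: it reports candidates, it does not delete anything.
# Assumption: 64-bit Windows with the usual HKLM registration keys; HKCU is not scanned.

function Resolve-ClsidServer {
    # Return the InprocServer32 DLL path registered for a CLSID, or $null if unregistered.
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID') {
        $key = "$root\$Clsid\InprocServer32"
        if (Test-Path -LiteralPath $key) {
            $path = (Get-ItemProperty -LiteralPath $key).'(default)'
            if ($path) { return [Environment]::ExpandEnvironmentVariables($path.Trim('"')) }
        }
    }
    return $null
}

function Test-FileMissing {
    # True when no path is registered at all, or the registered path does not exist.
    param([string]$Path)
    return (-not $Path) -or (-not (Test-Path -LiteralPath $Path))
}

function Get-OrphanedIeAddons {
    $guid = '^\{[0-9A-Fa-f-]{36}\}$'
    $views = 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node'   # native and 32-bit registry views

    foreach ($base in $views) {
        # O2: one subkey per BHO CLSID
        $bho = "$base\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
        if (Test-Path -LiteralPath $bho) {
            foreach ($k in Get-ChildItem -LiteralPath $bho) {
                $dll = Resolve-ClsidServer $k.PSChildName
                if (Test-FileMissing $dll) {
                    [pscustomobject]@{ Kind = 'O2 BHO'; Id = $k.PSChildName; File = $dll; Key = $bho }
                }
            }
        }
        # O3: the value names under ...\Internet Explorer\Toolbar are toolbar CLSIDs
        $tb = "$base\Microsoft\Internet Explorer\Toolbar"
        if (Test-Path -LiteralPath $tb) {
            $names = (Get-ItemProperty -LiteralPath $tb).PSObject.Properties.Name | Where-Object { $_ -match $guid }
            foreach ($c in $names) {
                $dll = Resolve-ClsidServer $c
                if (Test-FileMissing $dll) {
                    [pscustomobject]@{ Kind = 'O3 Toolbar'; Id = $c; File = $dll; Key = $tb }
                }
            }
        }
        # O9: ...\Internet Explorer\Extensions\{GUID} carries either an Exec path or a ClsidExtension
        $ext = "$base\Microsoft\Internet Explorer\Extensions"
        if (Test-Path -LiteralPath $ext) {
            foreach ($k in Get-ChildItem -LiteralPath $ext) {
                $p = Get-ItemProperty -LiteralPath $k.PSPath
                $file = $null
                if ($p.Exec)               { $file = [Environment]::ExpandEnvironmentVariables($p.Exec.Trim('"')) }
                elseif ($p.ClsidExtension) { $file = Resolve-ClsidServer $p.ClsidExtension }
                else                       { continue }   # script-only / menu-only buttons are not file-backed
                if (Test-FileMissing $file) {
                    [pscustomobject]@{ Kind = 'O9 Button'; Id = "$($k.PSChildName) $($p.ButtonText)"; File = $file; Key = $k.PSPath }
                }
            }
        }
    }
}

Get-OrphanedIeAddons | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell prompt with all browsers closed, the same condition the post sets for clicking Fix. An orphaned registration is harmless by itself (the DLL is gone, so nothing loads), but it is the trace a removal tool left behind and it is worth clearing so later logs are clean; deleting the listed keys and values is the manual equivalent of the HijackThis Fix step.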
     
  12. Max2000

    Max2000 Private E-2

    It boots up, but web addresses with https:// spits back a message saying "The site's security certificate is signed using a weak signature algorithm."
     

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Uninstall Chrome and reboot. After reboot delete all Chrome related folders ( like: C:\Program Files (x86)\Google\Chrome ). Do not reinstall it yet. Just use Internet Explorer for now.


    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Now download The Avenger by Swandog46, and save it to your Desktop.
    See the download links under this icon http://www.majorgeeks.com/images/dll.gif
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run the C:\MGtools\FixWFW.bat file by right clicking on it selecting Run As Administrator

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  14. Max2000

    Max2000 Private E-2

    Ok here they are. fixme.reg worked. Still getting Trojan.gen and BACKDOOR.TROJAN popping up on Spyware Doctor.
     

    Last edited: Apr 6, 2012
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The last fix did not work at all. Avenger was blocked from running. Shut down Spyware Doctor and any other protection and repeat the whole last fix (beginning to end) again.

    Also don't worry about Spyware Doctor detecting anything. We know your PC is still infected, which is why we are still working on it. ;) If Spyware Doctor worked properly, we would not have to do this manual fixing. :(
     
  16. Max2000

    Max2000 Private E-2

    I don't think it worked. I have disabled Spyware Doctor, and I ran Avenger again. It popped up with the same message. I think it's the same avenger.txt file, and when I tried to attach avenger.txt it said that I have already uploaded that file.
     

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay then let's try something different. Make sure you shut down Spyware Doctor before doing this.


    Now download Yorkyt.exe Disinfection Tool See the download links under this icon http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif
    • Save the file to your hard disk; to your Desktop
    • Double click the yorkyt.exe file to run it (if running Vista or Win 7 right-click and select Run as Administrator)
    • A reboot will be requested to install a driver. Immediately allow it to reboot. You can close anything you have open first.
    • After reboot, you will notice a Panda icon in your tray and the scan will start to run. Do not do anything. Just allow the scan to run.
    • When it finishes, another reboot will be requested to complete the disinfection. Allow it to reboot again.
    • When the disinfection is completed, accept the message that will be displayed.
    • The log will be saved to your Desktop as yorkyt.exe.log. Attach this log to your next message.
    • Now continue on with the below.
    Please download aswMBR to your desktop.
    • Double-click aswMBR.exe to run (if running Vista or Win 7 right-click and select Run as Administrator)
    • Select No when asked "Would you like to download latest Avast! virus definitions?"
    • Click the [Scan] button.
    • On completion of the scan click [Save log], save it to your desktop and attach this log to your next message. (See: How to attach)
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the yorkyt.exe.log file
    • the log from aswMBR
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  18. Max2000

    Max2000 Private E-2

    All done. Got that c0000135 error again but the fixlist you gave me sorted it out.
     

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay now that we got rid of the heart of the infection, a few hidden .sys files showed themselves. Let's get rid of them.


    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running ComboFix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion, then you will need to reboot your computer, which will normally fix this problem.

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

    Now attach the below log:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  20. Max2000

    Max2000 Private E-2

    Here they are. Spyware Doctor's not detecting Trojan.Gen or BACKDOOR.TROJAN anymore. I think that's got it.
     

  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well, they are missing the remaining parts. Now that we removed the files, we need to remove the left over registry entries for the drivers.



    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running ComboFix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion, then you will need to reboot your computer, which will normally fix this problem.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
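Posts 19 and 21 describe the two halves of the final cleanup: the hidden .sys files that surfaced once the core of the infection was gone, and the driver service entries left behind once those files were deleted. The script below is an added example, not code from this thread or from ComboFix, that enumerates HKLM\SYSTEM\CurrentControlSet\Services, keeps the kernel-mode and file-system driver entries (Type 1 and 2), normalises the ImagePath forms Windows uses (\SystemRoot\..., system32\..., \??\C:\...) and lists every driver whose file is not on disk. It is read-only; the key, value names and Type/Start codes are the standard Service Control Manager ones, and the path normalisation rules are an assumption about the ImagePath formats you will meet.

```powershell
# Added example, not code from the MajorGeeks thread or from ComboFix.
# Lists kernel / file-system driver services in HKLM\SYSTEM\CurrentControlSet\Services
# whose ImagePath points at a file that does not exist, i.e. the kind of leftover
# driver registry entries the thread removes after the .sys files are gone.
# Read-only: it lists candidates, it does not delete them.

function ConvertTo-DriverPath {
    # Normalise the ImagePath forms seen in the Services key to a plain Win32 path.
    # Assumption: these four forms cover what you will meet; anything else is returned as-is.
    param([Parameter(Mandatory)][string]$ImagePath)
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim('"'))
    if ($p -match '^\\\?\?\\(.+)$')        { $p = $Matches[1] }                                  # \??\C:\...  -> C:\...
    if ($p -match '^\\SystemRoot\\(.+)$')  { $p = Join-Path $env:SystemRoot $Matches[1] }         # \SystemRoot\system32\drivers\x.sys
    elseif ($p -match '^System32\\(.+)$')  { $p = Join-Path "$env:SystemRoot\System32" $Matches[1] }  # system32\DRIVERS\x.sys
    elseif ($p -notmatch '^[A-Za-z]:\\')   { $p = Join-Path $env:SystemRoot $p }                   # bare relative path
    return $p
}

function Get-OrphanedDriverServices {
    $services = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($svc in Get-ChildItem -LiteralPath $services) {
        $props = Get-ItemProperty -LiteralPath $svc.PSPath -ErrorAction SilentlyContinue
        # Type 1 = SERVICE_KERNEL_DRIVER, 2 = SERVICE_FILE_SYSTEM_DRIVER; skip user-mode services
        if ($props.Type -ne 1 -and $props.Type -ne 2) { continue }
        if (-not $props.ImagePath) { continue }          # entries without an ImagePath are not file-backed
        $file = ConvertTo-DriverPath $props.ImagePath
        if (-not (Test-Path -LiteralPath $file)) {
            [pscustomobject]@{
                Service   = $svc.PSChildName
                Start     = $props.Start                  # 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
                ImagePath = $props.ImagePath
                Resolved  = $file
            }
        }
    }
}

Get-OrphanedDriverServices | Sort-Object Start | Format-Table -AutoSize -Wrap
```

Two caveats before acting on the output. A missing file is not proof of malware: uninstallers leave stale driver entries all the time, so check each hit against what you know was on the machine. More importantly, on a machine that is still infected a rootkit can hide its own files, so "not on disk" may really mean "hidden", which is exactly why the .sys files in post 19 only "showed themselves" after the core infection was removed; run the listing again after disinfection and compare, and treat boot- or system-start entries (Start 0 or 1) with a missing file as the ones most worth removing, since a boot-start driver whose image cannot be loaded can itself stop Windows from starting.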
     
