Help with w32.malware.gen, w32.zeroaccess, others

Discussion in 'Malware Help (A Specialist Will Reply)' started by Anon-32ed87fff6, Jul 6, 2012.

  1. Anon-32ed87fff6

    Anon-32ed87fff6 Anonymized

    Last night I seemed to have picked up something bad when I installed the latest version of Audacity and its plug-ins. My Microsoft Security Essentials stopped working, and I shut down as usual thinking it was just an error, but then I checked back and realized all of Windows 7's system services had been disabled.

    I used a copy of WebRoot to scan and remove any possible malware/webkit infection. It didn't do its job as well as I'd expect, as it kept detecting it after being "cleaned". Worse, it made my computer shut down every minute after being detected. I successfully stopped it from doing that by uninstalling WebRoot in Safe Mode.

    So I tried doing what these forums said and here are my logs.
     

    Attached Files:

  2. Anon-32ed87fff6

    Anon-32ed87fff6 Anonymized

    Malware Bytes did some additional scanning of its own automatically and here are its extra logs.

    Edit: I forgot to run CCleaner prior to using Malware Bytes, RogueKiller Report, Hitman Pro and MGTools.
     

    Attached Files:

  3. Anon-32ed87fff6

    Anon-32ed87fff6 Anonymized

    Is anyone here to help? Also forgot to mention my system is a 64-bit Windows 7 Professional.
     
  4. Anon-32ed87fff6

    Anon-32ed87fff6 Anonymized

    Is there anyone to help me? It would be much appreciated.
     
  5. thisisu

    thisisu Malware Consultant

    Welcome to MajorGeeks, sfried :)

    __

    Open RogueKiller again.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now press the Delete button.
    Attach the latest RogueKiller log of the deletion when you are finished (it should be RKreport[3].txt) - (How to attach)

    __

    Rescan with HitmanPro, when it finds services.exe - Virus, allow it to Replace by clicking the down arrow next to the detection and choosing Replace.
    Leave any other detections alone (Ignore them).
    Afterwards, click the Next button.
    HitmanPro may want to reboot the PC in order for the changes to take effect, please do so.

    _

    Once you are back in Windows, run another scan with HitmanPro and then attach the latest hitmanpro.zip log. (How to attach)

    __

    Do this first while I review the rest of your logs. I will post further instruction in another post.
     
  6. thisisu

    thisisu Malware Consultant

    From Programs and Features (via Control Panel), please uninstall the below:
    • Java(TM) 7 Update 4 (outdated)

    __

    Run C:\MGtools\analyse.exe by double-clicking it (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Choose "Do a system scan only" and select the following lines but do not click fix until you exit all explorer windows and all browser sessions including the one you are reading in right now:

    • R3 - URLSearchHook: (no name) - {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - (no file)

    After clicking Fix, exit out of Trend Micro HiJackThis - v2.0.4

    __

    Open Notepad and copy everything in the code box below into it.
    Code:
    REGEDIT4
    
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{6CAE6703-1615-428A-A613-035F0E5A8B31}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{6CAE6703-1615-428A-A613-035F0E5A8B31}]
    • File -> Save As -> Save as type: "All Files" -> File Name: fixme.reg > Save.
    Now merge this into the registry by double-clicking it.
    Let me know if the merge was successful or not.

    __

    /!\ Manually delete these two folders:
    • c:\users\sig\appdata\local\{2685e44c-b488-51fe-d6be-b40c54d18706}
    • C:\Windows\installer\{2685e44c-b488-51fe-d6be-b40c54d18706}
    Let me know if you were successful or not.

    __

    Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now open Repair_Windows.exe
    • Go to the Start Repairs tab.
    • Press the Start button
    • Create a System Restore point if prompted.
    • In the Repair Options window, choose the following repairs:
      • Reset Registry Permissions
      • Repair Windows Firewall
      • Remove Policies Set By Infections
      • Repair Winsock & DNS Cache
      • Remove Temp Files
    • Place a checkmark in Restart/Shutdown System When Finished
    • Fill in the Restart System bubble
    • Now click the Start button.
    • Be patient while the tool repairs the selected items. Your computer should automatically restart when finished.

    __

    Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

    __

    Let me know what problems remain after you have completed these steps.
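    An added post-remediation check, written for this thread and not one of the MajorGeeks tools: it verifies that the SearchScopes keys and the two GUID folders from this post are gone and that the services the thread later restores (BITS, Windows Defender, plus the Windows Update service wuauserv) still have their registry keys and are not disabled. It assumes it is run as Administrator in PowerShell, as the same user, so that $env:LOCALAPPDATA resolves to the c:\users\sig\appdata\local path above.

    ```powershell
    # Post-remediation audit, constructed for this thread (not a MajorGeeks tool).
    # Run as Administrator. Uses only cmdlets available in the PowerShell 2.0 that ships with Windows 7.

    $guidKey = '{6CAE6703-1615-428A-A613-035F0E5A8B31}'   # IE SearchScopes key removed by fixme.reg
    $badDir  = '{2685e44c-b488-51fe-d6be-b40c54d18706}'   # folder name that was deleted by hand

    $regKeys = @(
        "HKLM:\Software\Microsoft\Internet Explorer\SearchScopes\$guidKey",
        "HKCU:\Software\Microsoft\Internet Explorer\SearchScopes\$guidKey"
    )
    # Assumes the script runs as the affected user, so $env:LOCALAPPDATA is c:\users\sig\appdata\local
    $folders = @("$env:LOCALAPPDATA\$badDir", "$env:SystemRoot\Installer\$badDir")

    # Services the thread had to restore (BITS, Windows Defender) plus the Windows Update service.
    $services = @('BITS', 'WinDefend', 'wuauserv')

    function Get-RemediationFindings {
        $findings = @()
        foreach ($key in $regKeys) {
            if (Test-Path -LiteralPath $key) { $findings += "Registry key still present: $key" }
        }
        foreach ($dir in $folders) {
            if (Test-Path -LiteralPath $dir) { $findings += "Folder still present: $dir" }
        }
        foreach ($name in $services) {
            # The service's registry key is what BITS.reg / WinDefend.reg put back.
            if (-not (Test-Path -LiteralPath "HKLM:\SYSTEM\CurrentControlSet\Services\$name")) {
                $findings += "Service key missing from registry: $name"
                continue
            }
            # Win32_Service exposes StartMode on PS 2.0, where Get-Service has no StartType property.
            $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
            if ($svc -eq $null) { $findings += "Service not registered with the SCM: $name" }
            elseif ($svc.StartMode -eq 'Disabled') { $findings += "Service is disabled: $name" }
        }
        return $findings
    }

    # @() keeps an empty result as an array so .Count is 0 rather than $null.
    $result = @(Get-RemediationFindings)
    if ($result.Count -eq 0) {
        Write-Output 'All items verified: keys and folders gone, services present and enabled.'
    } else {
        $result | ForEach-Object { Write-Output "FINDING: $_" }
    }
    ```

    Any FINDING line means the corresponding step above did not take; BITS and WinDefend being idle (not running) is normal for on-demand services, so only the disabled start mode is flagged.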
     
  7. Anon-32ed87fff6

    Anon-32ed87fff6 Anonymized

    I've uninstalled Microsoft Security Essentials and deleted the said folders without problems. However, I am still unable to access Windows Update.

    While using Repair_Windows.exe, I noticed some files were being modified but all of them were said to have failed (I did not run it as Admin. Should I have done that?).
     

    Attached Files:

  8. thisisu

    thisisu Malware Consultant

    Yes but it looks like it repaired all the items we set out to including Windows Firewall.

    Try this for Windows Update repair: http://support.microsoft.com/kb/971058
    Use the automated troubleshooter (MicrosoftFixit.wu.MATSKB.Run.exe) in the above link
     
  9. Anon-32ed87fff6

    Anon-32ed87fff6 Anonymized

    I used the Microsoft Windows Update repair as specified, and despite applying its fix, it still says there is a problem:
    http://fixitcenter.support.microsof...ails/200/58dfb128-f5e5-49e2-ae51-0343988e07fa

    Windows Update now displays available updates, but it gives me a Failed with an Error code of 80246008 when I try to update.

    I also ran sfc /verifyonly and it says there is an integrity problem too.

    I've attached the log file and I'm not sure whether I should do sfc /scannow .
     

    Attached Files:

    • CBS.zip (188.3 KB)
  10. thisisu

    thisisu Malware Consultant

  11. Anon-32ed87fff6

    Anon-32ed87fff6 Anonymized

    Done. It seems Background Intelligent Transfer Service is not found.
     

    Attached Files:

    • FSS.txt (2.6 KB)
  12. thisisu

    thisisu Malware Consultant

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    • Attached is BITS.zip
    • Inside is BITS.reg
    • Extract BITS.reg onto the desktop of the computer with the issue.
    • Now double-click BITS.reg and allow the registry patch to merge into the Windows registry.
    • If successful, reboot the computer and test if Windows Update is now working.
     

    Attached Files:

  13. thisisu

    thisisu Malware Consultant

    If that works, let me know if you want to repair Windows Defender too.
     
  14. Anon-32ed87fff6

    Anon-32ed87fff6 Anonymized

    Thanks, it worked out great. Let's fix Windows Defender as well.

    Would it be safe to reinstall Java 7 (with the latest version) after the fixes?
     
  15. thisisu

    thisisu Malware Consultant

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    • Attached is WinDefend.zip
    • Inside is WinDefend.reg
    • Extract WinDefend.reg onto the desktop of the computer with the issue.
    • Now double-click WinDefend.reg and allow the registry patch to merge into the Windows registry.
    • If successful, reboot the computer and test if Windows Defender is now working.

    Yes, Java 7 update 5: Download
     

    Attached Files:

  16. Anon-32ed87fff6

    Anon-32ed87fff6 Anonymized

    Windows Defender initially did not want to update and remained turned off, so I uninstalled Malware Bytes and restarted my computer. I turned Windows Defender back on and updated it, and now everything runs smoothly.

    Thanks for your help. Should I uninstall/delete Hitman Pro, Roguekiller and the MGTools folder/zip file?
     
  17. thisisu

    thisisu Malware Consultant

    You're welcome.

    __

    If you are not having any other malware related problems, it is time to do our final steps:
    • Any programs we had you download and/or install can be removed at this time.
    • If we had you download and run ComboFix, here is how to uninstall it:
      • Press and hold the Windows key and then press the letter R on your keyboard.
      • This opens the Run dialog box.
      • Copy and paste the below text inside the text-field:
        • "%userprofile%\desktop\ComboFix" /uninstall
      • Now press ENTER
      • ComboFix will extract its files one last time and you should receive a notification that ComboFix has been uninstalled shortly after.
    • You can re-enable your Disk Emulation software at this time via DeFogger.
    • If we had you create or download a registry patch or "fix" script, these can be deleted at this time.
    • Go into the C:\MGtools folder and run the MGclean.bat file to remove additional traces of our tools.
    • Now we will toggle System Restore to remove any infected system restore points.
    • Lastly, here is a guide to protect you from future infections: How to Protect yourself from malware!
    • Be safe :)
     
  18. Anon-32ed87fff6

    Anon-32ed87fff6 Anonymized

    A scan from Microsoft Security Essentials came out clean, but I did a sweep with SpyBot Search & Destroy and it found 4 registry changes on Microsoft.Windows.ActiveDesktop. Should I go ahead and fix these?

    Thanks again for all the help.
     
    Last edited: Jul 10, 2012
  19. thisisu

    thisisu Malware Consultant

    I would just leave these detections alone. We've already deleted any malicious policies via Windows Repair => Remove Policies Set By Infections
     
