Help with possible trojan

Discussion in 'Malware Help (A Specialist Will Reply)' started by bobd, Jul 21, 2012.

  1. bobd

    bobd Private E-2

    I think I may have ZeroAccess or a similar infection on my Windows 7 Ultimate 64 bit laptop.

    I had ZoneAlarm anti virus and firewall installed and it picked up a problem with some files after I ran a downloaded executable. It seemed to clear things up, but after a reboot I have problems connecting to the internet. (Due to uninstalls and other installs I have since done to try to fix the problems, I no longer have the log files that say what was infected or with what, but I think I saw something like GAC64/desktop.ini and some other files).

    The laptop can now see the router and can see that the router can see the internet, but cannot connect to anything itself. If I turn off the ZoneAlarm firewall then everything works. If I try to turn on the windows firewall, I get a screen with Use Recommended Settings, but clicking that comes up with 80070424 error.

    I have run a ZoneAlarm scan, a Sophos Scan, a MalwareBytes scan, and none of them pick anything up (and I have since uninstalled Sophos as per the instructions so I only have one AV installed).

    I have noticed that my services.exe in c:\windows\system32 has a modified date and time of around the time of the infection, and that Windows Firewall does not appear in my list of services.

    I have also found that my registry has one of the entries that Google suggests are related to ZeroAccess (HKCU/Software/Classes/CLSID/{42aed.......feabec1}), which is set to look at a locally downloaded file.

    I am working through the process of getting my logs to attach, but when I try to run RogueKiller my laptop complains that "The version of this file is not compatible with the version of Windows you are running. Check your computer's system information to see whether you need an x86 (32-bit) or x64 (64-bit) version" (though I have downloaded the version from the READ & RUN ME FIRST post which did not have a 32 bit and 64 bit version).

    I am generating the other logs. I am not sure if it is important to run them in the exact order specified, but I have attached them all anyway so as to give as much information as possible.

    Although I can get internet access (by disabling the firewall) I ran all the scans without internet access, as I am too alarmed by the possibility of further infections or bot activity.

    All files have been transferred to and from the laptop to another fully working laptop on a USB key.

    Please help! :)
     

    Attached Files:
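The three indicators bobd describes (a services.exe with a fresh timestamp, Windows Firewall gone from the services list, and an HKCU CLSID entry pointing at a downloaded file) can all be checked without trusting any scanner. The script below is an added example, not something from this thread or from MajorGeeks; it is read-only and assumes an elevated PowerShell 3.0+ prompt on the suspect machine. It does not hard-code the CLSID (the thread only shows a partial GUID); it flags per-user CLSID entries by where their InprocServer32 points and by whether they shadow a machine-wide class.

```powershell
# Added example, not from the thread. Read-only triage for the three indicators bobd
# reports: a freshly modified services.exe, a firewall service missing from the SCM,
# and a per-user CLSID entry pointing at a downloaded file. Run from an elevated
# PowerShell 3.0+ prompt; nothing here changes the system.
# Assumption: the hijacked CLSID is found by where its InprocServer32 points and by
# whether it shadows a machine-wide class, not by a hard-coded GUID (the thread only
# shows a partial one).

$sys32 = Join-Path $env:SystemRoot 'System32'

# --- 1. services.exe: integrity, and what else was written around the same time ---
$svc = Get-Item (Join-Path $sys32 'services.exe')
"services.exe last written: $($svc.LastWriteTime)"
# sfc /verifyfile checks the file against the signed Windows component catalog, which
# covers system binaries that carry no embedded Authenticode signature.
& (Join-Path $sys32 'sfc.exe') "/verifyfile=$($svc.FullName)"
# Anything in System32 written within an hour of services.exe is a candidate for a
# dropped or patched sibling (a healthy System32 clusters around update times).
Get-ChildItem $sys32 -File |
    Where-Object { [math]::Abs(($_.LastWriteTime - $svc.LastWriteTime).TotalMinutes) -le 60 } |
    Select-Object Name, LastWriteTime, Length |
    Format-Table -AutoSize

# --- 2. Firewall service chain: Windows Firewall (MpsSvc) depends on BFE ---
foreach ($name in 'BFE', 'MpsSvc') {
    $s = Get-WmiObject Win32_Service -Filter "Name='$name'"
    if (-not $s) {
        # Not registered at all: this is what produces 0x80070424 in the Control Panel
        # (HRESULT for Win32 error 1060, ERROR_SERVICE_DOES_NOT_EXIST).
        "$name : NOT REGISTERED"
    } else {
        "$name : $($s.State), start mode $($s.StartMode)"
    }
}

# --- 3. Per-user COM hijack: HKCU CLSID entries that override a machine-wide class ---
# COM resolves HKCU\Software\Classes before HKLM\Software\Classes, so an InprocServer32
# under HKCU that points at a user-writable path replaces the system DLL for this user.
$trusted = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")
Get-ChildItem 'HKCU:\Software\Classes\CLSID' -ErrorAction SilentlyContinue | ForEach-Object {
    $clsid  = $_.PSChildName
    $inproc = Join-Path $_.PSPath 'InprocServer32'
    if (-not (Test-Path $inproc)) { return }
    $server = (Get-ItemProperty $inproc).'(default)'
    if (-not $server) { return }
    $server  = [Environment]::ExpandEnvironmentVariables($server)
    $inTrust = $trusted | Where-Object { $server -like "$_*" }
    $shadows = Test-Path "HKLM:\Software\Classes\CLSID\$clsid"
    if (-not $inTrust -or $shadows) {
        [pscustomobject]@{ CLSID = $clsid; Server = $server; ShadowsHKLM = $shadows }
    }
} | Format-Table -AutoSize
```

Some legitimate per-user software registers COM servers under AppData, so treat the third table as a review list rather than a verdict; the combination that matters is a user-level entry whose CLSID also exists under HKLM and whose server sits outside Windows or Program Files.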

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    There are no signs of an active ZeroAccess infection but you do show signs of having had one. i.e., the broken internet access, broken Windows Firewall, and several other services. Let's see if we can fix this.

    First see if you can delete the below left over folders:
    C:\Windows\installer\{bff0f490-87a6-5ec4-8874-d9184deff207}
    C:\Users\BobD\AppData\Local\{bff0f490-87a6-5ec4-8874-d9184deff207}


    Be patient while doing the below. The fixes can take quite a while to run. Especially the permissions repairs. It may be best to kick it off and go to bed or do something else. It is better not to run anything while the repairs are going on.


    Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now run Repair_Windows.exe by double clicking on it (if you are running Vista or Win 7, use right click and select Run As Administrator)
    • Now select the Start Repairs tab.
    • Then click the Start button.
    • Create a System Restore point if prompted.
    • On the next screen, click the Unselect All button to first deselect all repairs.
    • Now select the following repair options:
      • Reset Registry Permissions
      • Reset File Permissions
      • Register System Files
      • Repair WMI
      • Repair Windows Firewall
      • Remove Policies Set By Infections
      • Repair Winsock & DNS Cache
      • Repair Proxy Settings
      • Repair Windows Updates
      • Set Windows Services To Default Startup
    • Now on the lower right side check the box to Restart/Shutdown System When Finished
    • Then make sure the Restart System radio button is enabled.
    • Shutdown any other programs that you are running now before continuing.
    • Now click the Start button.
    • Be patient while the tool repairs the selected items.
    • It should reboot automatically when finished.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
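For readers who want to see what some of the repairs selected above actually touch, or to re-run one in isolation, here is an added example of the built-in Windows equivalents. It is not the Tweaking.com tool's own code and covers only the repairs that reduce to a command: the two leftover folders named in this post, Winsock and DNS cache, proxy settings, common infection policies, and the firewall service start types. It assumes an elevated PowerShell 3.0+ prompt in normal mode; the policy value names are the usual lock-outs, not ones read from bobd's logs.

```powershell
# Added example, not from the thread and not what the Tweaking.com tool runs internally:
# built-in Windows commands that cover a subset of the repairs selected above, so each
# step can be seen and re-run in isolation. Run from an elevated PowerShell 3.0+ prompt
# in normal (not safe) mode. The two folder paths are the ones chaslang names; the
# registry value names are common infection lock-outs, not ones taken from bobd's logs.

# Leftover folders. Malware often leaves these undeletable by owning them with an
# ACL that excludes Administrators; take ownership and reset the ACL before removing.
$leftovers = @(
    (Join-Path $env:SystemRoot 'Installer\{bff0f490-87a6-5ec4-8874-d9184deff207}'),
    (Join-Path $env:LOCALAPPDATA '{bff0f490-87a6-5ec4-8874-d9184deff207}')
)
foreach ($dir in $leftovers) {
    if (Test-Path -LiteralPath $dir) {
        takeown.exe /F $dir /R /D Y | Out-Null
        icacls.exe $dir /reset /T /C | Out-Null
        Remove-Item -LiteralPath $dir -Recurse -Force
        "removed $dir"
    }
}

# Repair Winsock & DNS Cache: rebuild the Winsock catalog (LSPs are a classic hook
# point for traffic interception) and drop the resolver cache. Needs a reboot to apply.
netsh.exe winsock reset
ipconfig.exe /flushdns

# Repair Proxy Settings: a proxy the user never set is how "router is fine but nothing
# connects" often looks. WinHTTP (system services) and WinINet (desktop apps) are separate.
netsh.exe winhttp reset proxy
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Set-ItemProperty -Path $inet -Name ProxyEnable -Value 0
Remove-ItemProperty -Path $inet -Name ProxyServer, AutoConfigURL -ErrorAction SilentlyContinue

# Remove Policies Set By Infections: values that lock the user out of recovery tools.
# Removing a value that is absent is a no-op, so this is safe to run blind.
$system   = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'
$explorer = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
foreach ($hive in 'HKCU:', 'HKLM:') {
    Remove-ItemProperty -Path "$hive\$system"   -Name DisableTaskMgr, DisableRegistryTools -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path "$hive\$explorer" -Name NoControlPanel, NoRun, NoFolderOptions -ErrorAction SilentlyContinue
}

# Repair Windows Firewall / Set Windows Services To Default Startup, for the two
# services this thread turns on: both are Automatic on a stock Windows 7 install.
foreach ($name in 'BFE', 'MpsSvc') {
    sc.exe config $name start= auto
}
```

The permissions, WMI and Windows Update repairs have no one-line equivalent and are left to the tool. Note that `sc config` only sets the start type; if the service's own DACL or registry key has been damaged, starting it will still fail with access denied, which is the problem later in this thread.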
     
  3. bobd

    bobd Private E-2

    Hi chaslang, thanks for the reply.

    Before I get onto the results, some more information from the original state of the machine that I forgot to include in the first post (sorry!).

    I tried doing a system restore to a date before the infection, but this failed as it was "unable to update some files". I tried it in Safe Mode too and had the same error. My firewall and antivirus were off at the time of trying.

    OK, so I tried following your instructions below, and had a few problems. I downloaded the windows repair zip on my working laptop and put in on a USB to transfer to the bad one. When unzipping it to the desktop I got an error copying msinet.ocx, and it refused to copy it at all (even in Safe Mode). To get round this, I unzipped things on the USB on the good laptop, and then copied all the unzipped files over to the bad laptop.

    I then ran it as instructed. On stage 1 I had problems with subinacl.exe stopping working (with the choice to search for a solution or close the program). I chose to Close it. This happened 4 times in stage 1.

    The rest of the process completed without errors and very quickly, about 10 minutes at most for the whole thing.

    My firewall was off after the reboot, and when I tried the Turn Firewall On or Off thing again I got just a page with Use Recommended Settings. Pressing this then gave me "Can't change some of your settings" and 80070042c, which is I think the same message as before but with 42c rather than 424.

    Looking in my services, Windows Firewall is there now, which it wasn't before the repair. Base Filtering is also there, though I didn't check before to see it was there or not. Both are listed as Automatic, but neither is running. I have not hit Start on either of them, as I thought I would wait for further instructions.

    C:\windows\system32\services.exe is still showing as last modified on the date and time of the original infection.

    My laptop is now running with (I think) a plain scheme, it is not my customized Aero scheme, nor the default one, so some elements of my customization have been applied. I think it is running in non Aero mode. Again I have not tried resetting it back to my theme yet.

    I have not yet tried the internet access or turned on ZoneAlarm firewall, as much of the above still suggests (to me at least!) that I may still have problems, and the repair was suspiciously fast (after your warnings that I should go to bed while it ran!)

    New logs attached.

    Thanks.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The ZIP file you attached was corrupted and of no use. Let's try a different fix using the same tool but with no permissions fixes. Please boot into safe mode first before running it this time.


    Be patient while doing the below. The fixes can take quite a while to run. Especially the permissions repairs. It may be best to kick it off and go to bed or do something else. It is better not to run anything while the repairs are going on.


    Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now run Repair_Windows.exe by double clicking on it (if you are running Vista or Win 7, use right click and select Run As Administrator)
    • Now select the Start Repairs tab.
    • Then click the Start button.
    • Create a System Restore point if prompted.
    • On the next screen, click the Unselect All button to first deselect all repairs.
    • Now select the following repair options:
      • Register System Files
      • Repair WMI
      • Repair Windows Firewall
      • Remove Policies Set By Infections
      • Repair Winsock & DNS Cache
      • Repair Proxy Settings
      • Repair Windows Updates
      • Set Windows Services To Default Startup
    • Now on the lower right side check the box to Restart/Shutdown System When Finished
    • Then make sure the Restart System radio button is enabled.
    • Shutdown any other programs that you are running now before continuing.
    • Now click the Start button.
    • Be patient while the tool repairs the selected items.
    • It should reboot automatically when finished.
    Boot in normal mode for the below.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).




    Then attach the below logs:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  5. bobd

    bobd Private E-2

    Hi.

    Sorry, don't know what happened with the zip file. I have checked this one before uploading it and it seems fine.

    I have done as requested, and again it all ran in about 5 mins.

    No noticeable changes after running it.

    Firewall is in the Services list as before, as Automatic but not running. Trying to Start it from Services gave "Error 1068 The dependency service or group failed to start".

    The Base Filtering Engine is also listed as Automatic but not Started. Trying to run it from Services gives "Error 5. Access is denied"

    Trying to start the firewall from Windows Firewall in Control Panel still gives "0x8007042c" error.

    services.exe still has a modified date/time of around the time of infection.

    Thanks for your help so far.
     

    Attached Files:
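The two errors in this post are more specific than they look: 1068 on Windows Firewall means a service it depends on failed, and 5 on Base Filtering Engine means the caller, here SYSTEM via the SCM, is not allowed to start the service object itself, which is a permissions problem rather than a missing file. The script below is an added example, not from the thread; it walks MpsSvc's dependency tree so the first stopped entry printed is the real root cause, then dumps the service DACL (via `sc sdshow`) and the registry key ACL for BFE and MpsSvc. Read-only; assumes an elevated PowerShell 3.0+ prompt.

```powershell
# Added example, not from the thread. Turns the two messages bobd gets when starting
# the firewall by hand, 1068 on MpsSvc (ERROR_SERVICE_DEPENDENCY_FAIL) and 5 on BFE
# (ERROR_ACCESS_DENIED), into something actionable: walk the dependency tree so the
# real root cause is the first stopped entry printed, then dump the DACL on each
# service object and on its registry key, which is where the access-denied comes from.
# Read-only; run from an elevated PowerShell 3.0+ prompt.

function Get-ServiceChain {
    # Emit a service's dependencies (recursively) before the service itself.
    param(
        [System.ServiceProcess.ServiceController]$Service,
        [hashtable]$Seen = @{}
    )
    if ($Seen.ContainsKey($Service.ServiceName)) { return }
    $Seen[$Service.ServiceName] = $true
    # A dependency that is named in the SCM but not registered throws on Status.
    $status = try { $Service.Status.ToString() } catch { 'NOT REGISTERED' }
    if ($status -ne 'NOT REGISTERED') {
        foreach ($dep in $Service.ServicesDependedOn) {
            Get-ServiceChain -Service $dep -Seen $Seen
        }
    }
    [pscustomobject]@{ Service = $Service.ServiceName; Status = $status }
}

$fw = Get-Service -Name MpsSvc -ErrorAction SilentlyContinue
if ($fw) {
    Get-ServiceChain -Service $fw | Format-Table -AutoSize
} else {
    'MpsSvc is not registered with the SCM'
}

foreach ($name in 'BFE', 'MpsSvc') {
    "`n== $name =="
    # Service object security descriptor in SDDL. On a stock install both SYSTEM (SY)
    # and Administrators (BA) have an allow ACE containing RP (start) and WP (stop); a
    # deny ACE (D;...) for either, or a DACL with neither, yields "Error 5. Access is denied".
    sc.exe sdshow $name
    # The service's registry key: SYSTEM needs read access to load the configuration.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    if (Test-Path $key) {
        (Get-Acl $key).Access |
            Select-Object IdentityReference, AccessControlType, RegistryRights |
            Format-Table -AutoSize
    } else {
        "$key does not exist"
    }
}
```

Comparing the `sc sdshow` output with the same command on a clean Windows 7 machine is the quickest way to see which ACE was stripped; the dependency table explains why the Control Panel reports 0x8007042c (the HRESULT form of 1068) rather than the access-denied error that is actually underneath it.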

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We need to get the permissions issues fixed so that these services can be started. We will try a different way.

    Not a problem. It is the one we used to replace the infected one.




    Now download SubInACL.msi from Microsoft.
    • Now double click on SubInACL.msi to run the installer. Accept any prompts you get about installing this.
    • Now download the below file and save it to your Desktop:
    • Now right click on resetperm.cmd and select Run As Administrator to run this script. Be patient as this may take a while to run. Also it is imperative that you Run As Administrator. This is not the same thing as your user account having administrator privileges.
    Once it finishes, reboot your PC.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\MGlogs.zip
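The resetperm.cmd download itself is not reproduced on this page, so the script below is an added example of an assumed equivalent rather than the file chaslang posted. It uses the same Microsoft SubInACL tool but scopes the reset to the registry keys and service objects a stopped firewall actually needs, and it starts with the check chaslang insists on: a UAC elevation, not merely membership of the Administrators group. It assumes SubInACL.msi was installed to its default folder and an elevated PowerShell 3.0+ prompt.

```powershell
# Added example, not the resetperm.cmd from the thread (that download is not on the
# page). An assumed equivalent built on Microsoft's SubInACL, scoped to the objects a
# stopped firewall needs rather than the whole registry, with the elevation check
# chaslang insists on. Assumes SubInACL.msi was installed to its default folder.

# "Run As Administrator" is a UAC elevation, distinct from being in the Administrators
# group; SubInACL cannot take ownership or rewrite DACLs from a filtered (unelevated) token.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Not elevated: right-click PowerShell and choose Run as administrator.'
}

$subinacl = Join-Path ${env:ProgramFiles(x86)} 'Windows Resource Kits\Tools\subinacl.exe'
if (-not (Test-Path $subinacl)) {
    $subinacl = Join-Path $env:ProgramFiles 'Windows Resource Kits\Tools\subinacl.exe'
}
if (-not (Test-Path $subinacl)) { throw 'subinacl.exe not found; install SubInACL.msi first' }

# Registry keys the firewall stack lives under. Take ownership first so a DACL that
# currently locks Administrators out can still be rewritten, then grant SYSTEM and
# Administrators full control on the key and every subkey.
$keys = @(
    'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE',
    'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc',
    'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess'
)
foreach ($k in $keys) {
    & $subinacl /subkeyreg $k /setowner=administrators
    & $subinacl /subkeyreg $k /grant=administrators=f /grant=system=f
}

# The service objects themselves: SYSTEM and Administrators must be able to start them,
# or the SCM answers "Error 5. Access is denied" regardless of the registry ACLs.
foreach ($svc in 'BFE', 'MpsSvc') {
    & $subinacl /service $svc /grant=administrators=f /grant=system=f
}

# Verify: start in dependency order (BFE before MpsSvc) and report the result.
foreach ($svc in 'BFE', 'MpsSvc') {
    Start-Service -Name $svc -ErrorAction Continue
    $state = (Get-Service -Name $svc -ErrorAction SilentlyContinue).Status
    "{0,-8} {1}" -f $svc, $state
}
```

Two caveats a practitioner will want: `/grant` adds allow entries but leaves any explicit deny entry in place, and a deny wins, so if `sc sdshow` on the service still shows a `D;` ACE afterwards it has to be removed (SubInACL's `/revoke`, or `sc sdset` with a known-good descriptor). And none of this touches a patched services.exe; that file has to be replaced separately, as was done earlier in this thread.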
     
  7. bobd

    bobd Private E-2

    OK. I just mentioned the services.exe timestamp as I don't think it has ever changed since the infection, (so it had this timestamp before we started dealing with it), so I assumed the modification was caused by the infection, not by attempts to fix it.

    I have done as you requested. Whilst running the cmd file I could see lots of fails in the permission resetting. Just in case it doesn't remain on screen when done, it has currently done 42000, and failed on about 9000 of them, give or take.

    Now it is up to Done 185000 Failed on 47561.

    Had to take a phone call and missed the screen changing to show something else, but now it is back to the red banner and counting up registry entries again. Possibly doing a different branch of the registry. It is now on HKCR, didn't notice what it was on before.

    It is currently on Done 78000, Failed 21600

    OK, that pass has finished, and there was briefly a screen of normal white text on black next, which did have an "error 5" displayed. I didn't catch it for long enough to read more.

    Now started on setting file permissions.

    (You probably don't need or want any of this stuff, sorry!)

    Missed out on watching the rest.

    After reboot, Base Filtering Service is running, and so is Windows Firewall! :)

    New logs attached. Hey, SteelWerX WhoAmI didn't stop working this time!

    I still haven't tried accessing the internet, with or without firewall, even though things seem to have improved.

    Thanks
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Looks good now.

    You have ZoneAlarm running.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware. You can uninstall RogueKiller and HitManPro.
    2. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista or Win 7, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    7. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     
  9. bobd

    bobd Private E-2

    Brilliant!

    Things all seem to be working again. :)

    Thank you very much indeed!

    Quick question about the "Protect yourself from malware" post. As you know, I have Zonealarm Free AntiVirus + Firewall, version 10.x I think. This is not mentioned on that post, and the Zonealarm version that is there is not recommended. Is the version I have good enough to keep, or should I switch to an AV and a Firewall mentioned in the post?

    Thanks so much for getting things sorted.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.
    It's not high on my list. Nor on Matousec (link was in the How to Protect thread in the firewall section). But see http://www.matousec.com/projects/proactive-security-challenge/results.php#products-ratings

    Are you happy with it? I would suggest Avira for antivirus and one of the better higher rated free firewalls.
     
