ZeroAccess virus...???

Discussion in 'Malware Help (A Specialist Will Reply)' started by Fhoosa, Jul 15, 2013.

  1. Fhoosa

    Fhoosa Private E-2

    I had this virus/infection a couple of weeks ago and thought it was gone.
    I am unable to access MS Security Essentials. It shows that it is still running but I can't get into it. Other problems that I have noticed are: 1) I can't access my shared files/folders. Discovery won't stay on. 2) The "In-bound Rules" in my firewall are gone. 3) My Listen Port of TCP is being locked by my Firewall and 4) My NAT Port failed (UPNP device not found).

    I'm sure there are other things wrong but these are all I remember right now.

    Thanks in advance for your help.

    Fhoosa
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run Hitman Pro again and this time allow it to remove the Malware Remnants of ZeroAccess and also allow it to perform the Repairs on Microsoft Essential Securities and Windows Defender. Those junctions are the cause of your problems.

    Then immediately reboot your PC.

    After reboot, run a new scan with Hitman Pro, save a new log and attach it to your next message. Also tell me if things are working any better.
     
  3. Fhoosa

    Fhoosa Private E-2

    Hi...Thanks for getting back to me so quickly.

    I won't be able to use HitManPro to remove or repair any files. I used the program before and when I try it, it tells me that my trial period has ended.

    What do I do now?

    Fhoosa
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    • Exit any programs that you may have started.
    • Please disconnect any USB or external drives from the computer before you run this scan!
    • Rerun RogueKiller (if running Vista, Win7, or Win8, right-click and select Run as Administrator to run); for WinXP and Win 2K just double-click to run
    • Wait until Prescan has finished
    • Then Click on "Scan" button
    • Wait until the Status box shows "Scan Finished"
    • click on "delete"
    • Wait until the Status box shows "Deleting Finished"
    • Click on "Report" and attach the content of the Notepad into your next reply.
    • The log should be found in a new RKreport[x].txt on your Desktop
    • Exit/Close RogueKiller and reboot your PC.

    Any change?
     
  5. Fhoosa

    Fhoosa Private E-2

    Here is the report that you requested.
     

    Attached Files:

  6. Fhoosa

    Fhoosa Private E-2

    I thought I'd let you know that after I re-booted the computer I was still not able to access Microsoft Essentials. Do I have to uninstall it and then re-install it?
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well per your logs it did not even show as installed anymore. See if you can even find it to uninstall it. If you can then uninstall it. But do not try to reinstall yet.

    First I want you to run a new scan with Hitman Pro and attach the new log. I want to double check that RogueKiller was successful.


    Other than the problem with Microsoft Essential Security, how are things working?
     
  8. Fhoosa

    Fhoosa Private E-2

    Hi,

    I was just wondering if you got the last report that I sent you.

    Fhoosa
     
  9. Fhoosa

    Fhoosa Private E-2

    Hi,

    Well, here's the report. Doesn't look too good, does it?

    As for the other problems I was having, my file sharing is back up and working and my listen port on BitComet is back, also.

    Microsoft Security Essentials is still listed in my Add/Remove Programs but when I tried to uninstall it, it said that the files weren't there.

    So, what do you think?
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well it is better than it was before but still not all fixed.

    Please run the below anti-rootkit tool from Malwarebytes.

    http://blog.malwarebytes.org/news/2013/05/malwarebytes-anti-rootkit-beta-1-06/

    Attach a log from the above.


    Please download OTM by Old Timer and save it to your Desktop.
    • Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
      (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
      the code box
    Code:
    :Processes
    explorer.exe
     
    :Files
    C:\$RECYCLE.BIN\S-1-5-18\$cfe03e2d765475ba7fa69eb3d6b04dc3\L
    C:\$RECYCLE.BIN\S-1-5-18\$cfe03e2d765475ba7fa69eb3d6b04dc3\U
    C:\$RECYCLE.BIN\S-1-5-18\$cfe03e2d765475ba7fa69eb3d6b04dc3
    C:\$RECYCLE.BIN\S-1-5-21-3197802315-1125251100-3617295894-1000\$cfe03e2d765475ba7fa69eb3d6b04dc3\L
    C:\$RECYCLE.BIN\S-1-5-21-3197802315-1125251100-3617295894-1000\$cfe03e2d765475ba7fa69eb3d6b04dc3\U
    C:\$RECYCLE.BIN\S-1-5-21-3197802315-1125251100-3617295894-1000\$cfe03e2d765475ba7fa69eb3d6b04dc3
    :Reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs]
    "Tabs"="res://ieframe.dll/tabswelcome.htm"
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large MoveIt! button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
    saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
    this log file to your next message.


    Now please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note: That JRT may reset your home page to a google default so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • The Malwarebytes AntiRootkit log
    • the C:\_OTM\MovedFiles log
    • the JRT.TXT log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  11. Fhoosa

    Fhoosa Private E-2

    Hi,

    I've got the first report for you but am having a problem with the OTL one. You said to copy/paste the line into the codebox, which I did. But I'm having trouble understanding the next part. I don't see a MOVE IT button.

    What am I doing wrong?
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to download OTM not OTL. ;)
     
  13. Fhoosa

    Fhoosa Private E-2

    Ok, I feel really stupid at this point. I did download the correct one this time but I'm running into a problem finding the moved files.

    Let me tell you first that all the programs that you had me download, I couldn't do it from my computer. It kept telling me "Service Returned Unexpected Status Code" Error: Download stopped.

    So I had to use my husband's computer and download them to a flash drive. I know that this is the problem because I found the MovedFiles folder in the flash drive, but it was empty.

    Please tell me I didn't screw things up.
     
  14. Fhoosa

    Fhoosa Private E-2

    I found out what the problem was in regards to the OTM Report. I didn't let it run its entire course. I thought it was done when it wasn't. So all the reports are attached (except Malwarebytes that I sent you earlier). I still am puzzled why I wasn't able to download the 4 programs on my computer. Any suggestions why?
     
  15. Fhoosa

    Fhoosa Private E-2

    Sorry...forgot to attach the files. Here they are.
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Don't really know. What browser were you trying to use to do your downloading?

    Your logs are looking pretty good now. Let's double check on the junctions we have been trying to remove. Please run new scans with both RogueKiller and Hitman Pro and attach new logs.
     
  17. Fhoosa

    Fhoosa Private E-2

    I am using IE9, like I always have. All other downloads work, except for the .exe ones.

    How does everything look? And what should I do about Microsoft Essentials?
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You could be blocking EXE downloads. Have you tried downloading them with another browser? Also try disabling your firewall temporarily to see what happens.

    Please complete what I requested in my last message.
     
  19. Fhoosa

    Fhoosa Private E-2

    I sent you all 4 reports. Is that what you are talking about?
     
  20. Fhoosa

    Fhoosa Private E-2

    I somehow overlooked your request. Here are the reports.

    Also, how do I go about getting the .exe files to download?
     

    Attached Files:

  21. Fhoosa

    Fhoosa Private E-2

    Turning off Firewall allowed me to download the .exe programs.
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay so we have at least proved that this issue is not related to malware. You have somehow managed to configure your firewall to block this.

    The junctions to Microsoft Security Client still appear. Let's try a few things.

    First shutdown ALL protection software before continuing. Now we are going to try using RogueKiller and Hitman Pro again.

    • Exit any programs that you may have started.
    • Please disconnect any USB or external drives from the computer before you run this scan!
    • Rerun RogueKiller (if running Vista, Win7, or Win8, right-click and select Run as Administrator to run); for WinXP and Win 2K just double-click to run
    • Wait until Prescan has finished
    • Then Click on "Scan" button
    • Wait until the Status box shows "Scan Finished"
    • click on "delete"
    • Wait until the Status box shows "Deleting Finished"
    • Click on "Report" and attach the content of the Notepad into your next reply but do not send this reply until later at the end of the below.
    • The log should be found in a new RKreport[x].txt on your Desktop
    • Exit/Close RogueKiller and immediately reboot your PC.
    Shutdown protection software again.

    Now rerun Hitman Pro and if the below still appear, allow Hitman to repair these
    Code:
     
       Redirection: Backup -> c:\windows\system32\config
       Disables Microsoft Security Essentials (C:\Program Files\Microsoft Security Client)
       Redirection: Drivers -> c:\windows\system32\config
       Disables Microsoft Security Essentials (C:\Program Files\Microsoft Security Client)
       Redirection: en-us -> c:\windows\system32\config
       Disables Microsoft Security Essentials (C:\Program Files\Microsoft Security Client)
    
    If Hitman Pro found those and you tried to repair them, then immediately reboot your PC.



    Now please download Win32kDiag to the root of your C:\ drive. It must be saved here or the below will not work!
    • Now press and hold the Windows key on your keyboard, then press the letter r on your keyboard.
    • This opens the Run dialog box.
    • Then copy the below bold text and paste it into the Open: text-field and press ENTER.
      C:\win32kdiag.exe -f -r
    • When it's finished, there will be a log called Win32kDiag.txt on your desktop.
    • Attach this log to your next message. (How to attach items to your post)
    Now we need to rerun Hitman Pro and create another new log.



    Attach the below logs now:
    • the new log from RogueKiller
    • the Win32kDiag.txt log
    • the new Hitman Pro log
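    The Hitman Pro entries quoted above and the OTM script earlier in the thread describe two kinds of ZeroAccess artefact: junctions inside the Microsoft Security Client folder that redirect its subfolders to c:\windows\system32\config, and $<hex> directories with L and U subfolders under C:\$RECYCLE.BIN\<SID>. The following PowerShell script is an added, report-only example for checking a machine for those two artefact types; it is not part of the thread and is not one of the tools chaslang used. It assumes an elevated PowerShell 5.1 or later prompt (the LinkType and Target properties on directory items are not available in older versions), the default Program Files and system drive locations, and the path patterns exactly as they appear in the thread. It changes nothing on disk.

```powershell
# Added example (not from the thread): report-only check for ZeroAccess-style
# junctions and $RECYCLE.BIN component directories. Run elevated, PowerShell 5.1+.
function Find-ZeroAccessArtifacts {
    $findings = @()

    # 1. Junctions under the security-product folders. The thread shows Backup,
    #    Drivers and en-us redirected to c:\windows\system32\config, which is
    #    what broke Microsoft Security Essentials for the poster.
    $protectedRoots = @(
        (Join-Path $env:ProgramFiles 'Microsoft Security Client'),
        (Join-Path $env:ProgramFiles 'Windows Defender')
    )
    foreach ($root in $protectedRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $links = Get-ChildItem -LiteralPath $root -Directory -Recurse -Force `
                     -Attributes ReparsePoint -ErrorAction SilentlyContinue
        foreach ($link in $links) {
            # Target is a string array on PS 5.1, a string on PS 7; take the first.
            $target = @($link.Target) | Select-Object -First 1
            # A junction whose target is the registry hive folder is the pattern
            # from the Hitman Pro log; any other junction here is still unusual.
            if ($target -and $target -match '\\system32\\config\\?$') {
                $verdict = 'SUSPICIOUS'
            } else {
                $verdict = 'review'
            }
            $findings += [pscustomobject]@{
                Check    = 'Junction'
                Path     = $link.FullName
                LinkType = $link.LinkType
                Target   = $target
                Verdict  = $verdict
            }
        }
    }

    # 2. $RECYCLE.BIN\<SID>\$<32 hex>\ directories holding L and U subfolders,
    #    the exact layout OTM was told to remove. A normal per-SID recycle bin
    #    holds $I/$R entries, not nested $<hex> directories with L and U.
    $bin = Join-Path $env:SystemDrive '$RECYCLE.BIN'
    if (Test-Path -LiteralPath $bin) {
        $sidDirs = Get-ChildItem -LiteralPath $bin -Directory -Force -ErrorAction SilentlyContinue
        foreach ($sidDir in $sidDirs) {
            $hexDirs = Get-ChildItem -LiteralPath $sidDir.FullName -Directory -Force `
                           -ErrorAction SilentlyContinue |
                       Where-Object { $_.Name -match '^\$[0-9a-fA-F]{32}$' }
            foreach ($hexDir in $hexDirs) {
                $hasL = Test-Path -LiteralPath (Join-Path $hexDir.FullName 'L')
                $hasU = Test-Path -LiteralPath (Join-Path $hexDir.FullName 'U')
                if ($hasL -or $hasU) { $verdict = 'SUSPICIOUS' } else { $verdict = 'review' }
                $findings += [pscustomobject]@{
                    Check    = 'RecycleBinDir'
                    Path     = $hexDir.FullName
                    LinkType = $null
                    Target   = $null
                    Verdict  = $verdict
                }
            }
        }
    }

    return $findings
}

# Usage: print the findings; an empty result means neither artefact type was seen.
$results = Find-ZeroAccessArtifacts
if ($results.Count -eq 0) {
    Write-Output 'No ZeroAccess-style junctions or $RECYCLE.BIN component directories found.'
} else {
    $results | Format-Table -AutoSize
}
```

    The script only reports. Removing a junction that points at system32\config needs care (deleting the junction's contents would delete the hive files it points to), which is why the thread hands that step to Hitman Pro's repair function rather than to a manual delete; a reporting pass like this one is useful before and after that repair to confirm the junctions are really gone, which is what the repeated Hitman Pro scans in the thread were doing.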
     
  23. Fhoosa

    Fhoosa Private E-2

    I'm having a problem with downloading Win32diag.exe. It won't let me. It's funny. It will let me download some .exe programs, but not others. Do you want me to send you the two reports now?
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Perhaps it does not want to let you save it to your root folder? Is that what you mean? If so then save it to your Desktop and then copy it to the root folder afterwards.
     
  25. Fhoosa

    Fhoosa Private E-2

    It doesn't seem to want me to download it at all. Every time I clicked on the link, it brings me to a blank screen.
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you shutdown ALL protection software? Try a different browser instead of IE.
     
  27. Fhoosa

    Fhoosa Private E-2

    Finally got it to work. Here are the reports.
     

    Attached Files:

  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay it looks like those junctions were finally removed. How are things working now?
     
  29. Fhoosa

    Fhoosa Private E-2

    Everything seems to be ok. What do I do about Microsoft Essentials?
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Can you uninstall it now?

    Try the below to uninstall it if necessary:

    Revo Uninstaller 1.95
     
  31. Fhoosa

    Fhoosa Private E-2

    Good Morning...

    Yes, I was able to uninstall it and I went ahead and installed a different security program. Have you heard of 360 Internet Security 2013? I decided I wanted to try something else so read up on this one and it sounded ok. Do you have any suggestions for a security program that works super good? I'd love to hear your thoughts.

    So, is my computer clean?
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    They all have good points and bad points. And they are constant works in progress. What is the best this month, could be the worst next month. Sadly they are all extremely far from perfect. Security begins and ends with the end user as you will see in my final instructions. ;)

    Yes.



    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click (if running Vista, Win7, or Win 8, Right Click and Run As Administrator) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    7. If you are running Win 8, Win 7, Vista, Windows XP or Windows ME, do the below to flush restore points:
      • Refer to the instructions for your Windows version in this link: Disable And Enable System Restore
      • What we want you to do is to first disable System Restore to flush restore points some of which could be infected.
      • Then we want you to Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work through the below link:
     
  33. Fhoosa

    Fhoosa Private E-2

    Ok. I uninstalled what I could and read everything you sent me.

    I want to thank you for all the time and effort you put into this project of mine. You are very knowledgeable and that made it all the more comfortable for me to put my computer in your hands. Thanks...!!!

    Fhoosa
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome and thanks! :) Surf safely!
     
