0/ZeroAccess rootkit

I am having problems with the zeroAccess rootkit. I started really having problems when I tried to remove it with MBAM, I lost most internet access and had to do these scans in safe mode. All four logs (three of them being done in safe mode) are in one convenient zip file.

 

Welcome to MajorGeeks, Gatysh

http://img827.imageshack.us/img827/1263/frst.gif Please download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

• Restart the computer.
• As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
• Use the arrow keys to select the Repair your computer menu item.
• Choose your language settings, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

• Insert the installation disc.
• Restart your computer.
• If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
• Click Repair your computer.
• Choose your language settings, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account an click Next.

On the System Recovery Options menu you will get the following options:

• Select Command Prompt
• In the command window type in notepad and press Enter.
• The notepad opens. Under File menu select Open.
• Select "Computer" and find your flash drive letter and close the notepad.
• In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
• Note: Replace letter e with the drive letter of your flash drive.
• The tool will start to run.
• When the tool opens click Yes to disclaimer.
• Press Scan button.
• It will make a log (FRST.txt) on the flash drive. Please attach this log to your next reply. (How to attach)

__


http://img827.imageshack.us/img827/1263/frst.gif While you are still using FRST:
Type the below bolded text in the edit box after "Search:".

services.exe

Then click the Search button.

It will make a log (Search.txt) on the flash drive. Please attach this log to your next reply. (How to attach)

__

So in your next message attach both Search.txt as well as FRST.txt

 

Here are the logs.

 

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Attached is fixlist.txt

• Save fixlist.txt to your flash drive.
• You should now have both fixlist.txt and FRST64.exe on your flash drive.

Now re-enter System Recovery Options.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt).
Please attach this to your next message. (How to attach)

Now reboot normally

__

http://img97.imageshack.us/img97/8120/fss.gif Please download Farbar Service Scanner and run it on the computer with the issue.

• Make sure all the options are checked
• Press Scan.
• It will create a log (FSS.txt) in the same directory the tool was run.
• Please attach FSS.txt to your next message. (How to attach)

 

Sorry for the long wait, my computer started working better, but I'm not sure if it's clean yet because it keeps resetting my desktop icon settings on rebooting.
NOW FOR OUR FEATURE PRESENTATION: THE ATTACHMENTS! STARRING FARBAR S. S. AND ITS FRIEND THE FIXLOG!

 

Hello

Are you still having difficulties connecting to the internet?

• If not, please update MBAM and attach the latest log from a Quick Scan.

Which desktop icon settings are being changed upon reboot?

http://img205.imageshack.us/img205/1894/otl.gif Please download OTL by OldTimer.

• Save it to your desktop.
• Right mouse click on the OTL icon on your desktop and select Run as Administrator
• Check the "Scan All Users" checkbox.
• Check the "Standard Output".
• Change the setting of "Drivers" and "Services" to "All"
• Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.
  
  Code:

  activex
  netsvcs
  

• Now click the http://img171.imageshack.us/img171/2405/runscanotl.png button.
• One report will be created:
  • OTL.txt <-- Will be opened
• Attach OTL.txt to your next message. (How to attach)

__

http://img600.imageshack.us/img600/2693/mgtools.gif Now download the latest MGtools.exe to the root of your c: drive.

• Replace your existing MGtools.exe with this one.
• Now run this new MGtools.exe by double-clicking it. (Vista/7 right-click and select Run as Administrator)
• When it is finished, attach c:\MGlogs.zip to your next message. (How to attach)

 

I never really had trouble connecting to the internet.
It kept resetting my icon size to medium from classic and ASUS Vibe 2.0 runs on startup and it did not do that before that rootkit.
Also, OTL had an error when it was scanning registry keys, I can't remember the error code off the top of my head, might have been either 1717 or 1747 or something like that.

 

http://img850.imageshack.us/img850/4746/programsandfeatureswin7.gif From Programs and Features (via Control Panel), please uninstall the below:

• 1ClickDownloader
• DAEMON Tools Lite <-- Or run DeFogger as requested by the Read and Run Me First

http://img205.imageshack.us/img205/1894/otl.gif Fix items using OTL by OldTimer

Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.

Code:

[COLOR="DarkRed"]:otl[/COLOR]
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
@Alternate Data Stream - 145 bytes -> C:\ProgramData\TEMP:FD9CE1F3
[2012/06/26 09:35:20 | 000,000,000 | ---D | C] -- C:\ProgramData\McAfee
[2012/06/28 09:23:48 | 000,000,000 | -HSD | C] -- C:\found.001
[COLOR="DarkRed"]:reg[/COLOR]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Google Update"=-
"Steam"=-
"DAEMON Tools Lite"=-
"RunAIShell"=-
[HKEY_LOCAL_MACHINE\software\Wow6432Node\microsoft\windows\currentVersion\Run]
"RunAIShell"=-
"Adobe Acrobat Speed Launcher"=-
"Adobe Reader Speed Launcher"=-
"Adobe ARM"=-
[COLOR="DarkRed"]:commands[/COLOR]
[clearallrestorepoints]
[emptytemp]

Now click the http://img3.imageshack.us/img3/407/otlrunfix.png button.
If the fix needed a reboot please do it.
Click the OK button (upon reboot).
When OTL is finished, Notepad will open. Close Notepad.
A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
Attach this log to your next message. (How to attach)

__

http://img406.imageshack.us/img406/3189/windowsrepair.gif Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.

• Now open Repair_Windows.exe
• Go to the Start Repairs tab.
• Press the Start button
• Create a System Restore point if prompted.
• In the Repair Options window, choose the following repairs:
  • Reset Registry Permissions
  • Repair WMI
  • Repair Windows Firewall
  • Remove Policies Set By Infections
  • Repair Icons
  • Repair Winsock & DNS Cache
  • Remove Temp Files
• Place a checkmark in Restart/Shutdown System When Finished
• Fill in the Restart System bubble
• Now click the Start button.
• Be patient while the tool repairs the selected items. Your computer should automatically restart when finished.

__

It seems Windows Defender is also broken. Let me know if you want help on repairing this or not.

__

http://img17.imageshack.us/img17/3214/baticonvista7.gif Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
This updates all of the logs inside MGlogs.zip.
When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

 

I don't have a _OTL folder on my C:\ Drive or my Downloads folder (location of the otl executable), yes I did as you instructed for the custom fix.
Edit: Nevermind, the _OTL folder was in the D:\ Drive, or my data partition.

 

Hello,

How are things running now?

 

The icon size still changes to medium, but it's running fine now. I would like to have instructions for repairing windows defender though for when I do actually need windows defender since I currently have Kaspersky 2012 (installed after finding out about the rootkit). Thank you for the help .

 

You're welcome.

I'm really not sure about the icon size changing upon reboot.

Let's try to repair Windows Defender.

First run this scan:

http://img97.imageshack.us/img97/8120/fss.gif Please download Farbar Service Scanner and run it on the computer with the issue.

• Make sure all the options are checked
• Press Scan.
• It will create a log (FSS.txt) in the same directory the tool was run.
• Please attach FSS.txt to your next message. (How to attach)