Combofix is unable to remove Rootkit.Zeroaccess

I followed the Majorgeek spyware removal process and combofix keeps telling me that Rootkit.Zeroaccess is installed. I have also tried to read the other threads where "thisisu" troubleshoots individual logs and have failed. Can you please help me?

 

Hi and welcome to Major Geeks, mekkers!

http://img853.imageshack.us/img853/6741/addremovexp.gif From Add/Remove Programs (via Control Panel), please uninstall the below:

• AVG 2011 (should have been done before running ComboFix)

http://img823.imageshack.us/img823/2039/msnmsg.gif Please download Disable/Remove Windows Messenger to your desktop.

• Double-click MessengerDisable.exe to run it.
• Place checkmarks in "Uninstall Windows Messenger" and "Hide Messenger from Outlook Express"
• Click Apply
• Click Exit

http://img205.imageshack.us/img205/1894/otl.gif Fix items using OTL by OldTimer

Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.

Code:

[COLOR="DarkRed"]:files[/COLOR]
C:\WINDOWS\$NtUninstallKB60484$
xcopy /h /i /s /y "C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Local Settings\TEMP\smtmp\1" "%allusersprofile%\start menu" /c
xcopy /h /i /s /y "C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Local Settings\TEMP\smtmp\2" "%userprofile%\application data\microsoft\internet explorer\quick launch" /c
xcopy /h /i /s /y "C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Local Settings\TEMP\smtmp\3" "%appdata%\roaming\microsoft\internet explorer\quick launch\user pinned\taskbar" /c
xcopy /h /i /s /y "C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Local Settings\TEMP\smtmp\4" "%allusersprofile%\desktop" /c
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\86WJZ050\*.xml
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\9UQCNJD1\*.xml
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\BTBQL71W\*.xml
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\PTJK4RO6\*.xml
C:\Documents and Settings\Administrator\Application Data\aF4amH5sJfLgZjC
C:\Documents and Settings\Administrator\Application Data\aviFpaJE8R9YwUe
C:\Documents and Settings\Administrator\Application Data\DuS2ibF3pGaJdKf
C:\Documents and Settings\Administrator\Application Data\F4162
C:\Documents and Settings\Administrator\Application Data\FycA1uvD2n4m5W7
C:\Documents and Settings\Administrator\Application Data\gjVBtP0ycvoFaHs
C:\Documents and Settings\Administrator\Application Data\H8gTZqhYCkVlNx0
C:\Documents and Settings\Administrator\Application Data\JxA1uvD2oFpHs7E
C:\Documents and Settings\Administrator\Application Data\ramH6sWJ7E9T
C:\Documents and Settings\Administrator\Application Data\UelIBtzP0c1v3n
C:\Documents and Settings\Administrator\Application Data\VkIVrzONtAuSiFp
C:\Documents and Settings\Administrator\Application Data\x7fRL9gTXjCkBzN
C:\Documents and Settings\Administrator\Application Data\yhYXwjUVeOtPySi
type "C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Logs\SUPERAntiSpyware Scan Log - 02-09-2012 - 15-20-56.log" /c
type "C:\Documents and Settings\Administrator\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-2012-02-08 (16-05-37).txt" /c
[COLOR="DarkRed"]:reg[/COLOR]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
[COLOR="DarkRed"]:commands[/COLOR]
[purity]
[emptytemp]
[resethosts]

Now click the http://img3.imageshack.us/img3/407/otlrunfix.png button.
If the fix needed a reboot please do it.
Click the OK button (upon reboot).
When OTL is finished, Notepad will open. Close Notepad.
A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
Attach this log to your next message. (How to attach)
Note: This file could be too large to attach as a log file. If this is the case, .zip it first and then attach the .zip.

Put your computer back into Normal Startup Mode and reboot before proceeding to the next step. See >> Use MSconfig to setup for Normal Startup Mode

http://img195.imageshack.us/img195/9049/javaz.gif Now install the current version of Sun Java from: jre-7u2-windows-i586.exe

http://img254.imageshack.us/img254/945/baticonxp.gif Now run C:\MGtools\GetLogs.bat by double-clicking it.
This updates all of the logs inside MGlogs.zip.
When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

Let me know how the computer is running after you have completed the above steps.

 

I didn't see AVG running on the computer before I ran combofix and I couldn't find it in Add/Remove Programs now.

I have ran the steps below and attached the logs. Should I run Combofix again?

Could you give me some incite on how you figured out that these files need to be ran through OTL? You had other users run files similiar to these through combofix and I tried that as you can see from my combofix log, but failed. I'm trying to figure this out how I can do this myself next time.

Thanks for your quick response and help on this.

 

Yes you can.

Will answer your other questions a bit later after work.

 

It's still in Add/Remove according to your logs. I'd like you to download and run the following to remove any traces of it: avg_remover_stf_x86_2012_1796.exe

It didn't have to be OTL. I just chose OTL because I wanted to utilize some DOS commands as well and ComboFix can't do that.

Yes I noticed. It is very dangerous to implement someone else's fixes onto your machine as each infection is slightly different. You could have made things even worse.

In order to do this you would have to know quite a bit about the infection itself first. As I mentioned earlier, everyone's ZeroAccess infection is slightly different. For example, the bad NtUninstallKBXXXXX type folder in c:\Windows is always different.

Good news, your latest logs are clean!

If you planned on running ComboFix please do so now, before you complete these final steps. Also let me know if you are missing any shortcuts from the desktop, start menu, or quick launch.

If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /uninstall
     • Notes: The space between the combofix" and the /uninstall, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
3. Go back to step 6 of the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to add/remove programs and uninstall HijackThis if it present
8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
   related to MGtools and some other items from our cleaning procedures.
9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
   • Refer to the cleaning procedures pointed to by step 7 of the READ ME
     for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work through the below link:
    • How to Protect yourself from malware!

Be safe