Could be Zero Access Rootkit... Please Help

bom123 · Jan 2, 2012

Hi There!

ComboFix log shows that my computer is infected with Rootkit.Zeroaccess. I tried diffrent things but not lucky. I have access to internet but its very slow and sometime even page does not load and have to refresh it again.

Any help would be appreciated. I have attached log files for references. Let me know if you need anything else.

TIA

chaslang · Jan 2, 2012

Welcome to Major Geeks!

Whose instructions have you been following???

Apparently you are not following our cleaning procedures because

You did not attach a log from SUPERAntiSpyware

You did not attach a log from Malwarebytes

And you delete registry entries and files with TDSSkiller that are required for your PC. The below should not have been touched. You will have to reinstall your SAMSUNG USB Driver for Mobile Phones software

17:27:42.0078 0696 HKLM\SYSTEM\ControlSet002\services\FsUsbExDisk - will be deleted on reboot
17:27:42.0078 0696 HKLM\SYSTEM\ControlSet003\services\FsUsbExDisk - will be deleted on reboot
17:27:42.0078 0696 HKLM\SYSTEM\ControlSet004\services\FsUsbExDisk - will be deleted on reboot
17:27:42.0078 0696 C:\WINDOWS\system32\FsUsbExDisk.SYS - will be deleted on reboot
17:27:42.0078 0696 FsUsbExDisk ( UnsignedFile.Multi.Generic ) - User select action: Delete
Click to expand...

When did your problems begin?

chaslang · Jan 2, 2012

Based on what I'm seeing in your logs Zero Access is the least of your problems. It appears that you have a Virut infection, or Ramnit infection or another similar PE file infector. I have to post the below notice which is a generic post for Ramnit but the same statements apply for Virut

Ramnit infections have really become quit nasty and dangerous. We could attempt to remove it, and we have had some success in the past, but recently it has become even more trouble to remove. It is really safer to just bite the bullet and do a clean reinstall.

The problem is that the damage caused by this infection really makes a PC unreliable/untrustworthy. PE file infectors like Ramnit, Virut,.... etc can infect all executable files (DLL, EXE, SCR....and many more and also HTML). These infections can open back doors that truly may compromise your computer and your security. These backdoors could allow a remote attacker to access and instruct the infected computer to download and execute more malicious files.

In many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus or by other scanning tools. Also when disinfection is attempted, the files often become corrupted and the system may become unstable or irrepairable. The longer Ramnit remains on a computer, the more files it may infect and/or corrupt so the degree of infection can vary.

Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies the Ramnit worm using a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These type of sites are a major source of system infection.

So all the above being said, and please do take serious note of the warnings, do you really wish to attempt cleaning even though the stability and security of your be cannot be guaranteed? And also note that we could spend a lot of time trying to fix it and still fail due to the number of files that have been infected. What would you like to do?
Click to expand...

Even your installed McAfee program is no longer trust worthy since there is a very high probability it is infected too and scanning with it will just spread the infection more.

bom123 · Jan 2, 2012

chaslang said: ↑

Based on what I'm seeing in your logs Zero Access is the least of your problems. It appears that you have a Virut infection, or Ramnit infection or another similar PE file infector. I have to post the below notice which is a generic post for Ramnit but the same statements apply for Virut

Even your installed McAfee program is no longer trust worthy since there is a very high probability it is infected too and scanning with it will just spread the infection more.
Click to expand...

So what you sugget? Also, I deleted those files before visiting your site. Now I have reinstalled Samsung mobile driver and also can provide Malwarebytes log. Let me know and thanks for your help.

chaslang · Jan 3, 2012

bom123 said: ↑

So what you sugget?
Click to expand...

Actually due to the stability issues that the effects of this kind of infection typically cause, I would actually recommend that you reinstall and be extremely careful what files you backup from this infected PC. Any executable file may be infected and if you put just one of them back on to a clean system and run it, you will start the whole cycle all over again. In addition, if you have plugged flashdrives into this PC and those flashdrives have any kind of executable on them, they may also be infected. And even worse, any PC you plugged those flash drives into may also be infected. Hence you see the potential problems this type of infection may cause.

Log in or Sign up

Could be Zero Access Rootkit... Please Help

bom123 Private E-2

Attached Files:

MGlogs.zip

TDSSKiller.2.6.25.0_02.01.2012_19.27.42_log.txt

MBRCheck_01.02.12_19.40.49.txt

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

bom123 Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Log in or Sign up

Could be Zero Access Rootkit... Please Help

bom123 Private E-2

Attached Files:

MGlogs.zip

TDSSKiller.2.6.25.0_02.01.2012_19.27.42_log.txt

MBRCheck_01.02.12_19.40.49.txt

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

bom123 Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Useful Searches