Google Desktop ZeroAccess HIDSVC Removal

Discussion in 'Malware Help (A Specialist Will Reply)' started by rjordan, Aug 29, 2013.

  1. rjordan

    rjordan Private First Class

    Hey guys

    Been working with a lot of clients with this new and very nasty version of ZeroAccess.

    I have been able to successfully remove all parts so far with completely manual removals, mainly using Autoruns and RogueKiller.

    I have been seeing a few cases where I have been unable to remove these last few entries no matter what I tried.

    RogueKiller of course finds them, but cannot delete them. Tried searching the registry manually (cannot find path/file), as well as with Autoruns, RegDelNull, Spybot deep root scan, and a multitude of other methods.

    Any advice would be great.

    Log file attached

    Thanks
     


  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

  3. rjordan

    rjordan Private First Class

    While I do appreciate the reply...

    My post is more of one tech to another seeking advice.
     
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You could try running a scan with FRST.

    (link to instructions just for your ref.)

    For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
    For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:

    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    On the System Recovery Options menu you will get the following options:
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    • Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please attach this log to your next reply.
     
  5. rjordan

    rjordan Private First Class

    I work remotely on client PCs; it would be very difficult if not impossible to perform those requested actions.

    I understand you guys work only with logs and whatnot to debug entire issues, but this case is different....

    I am a technician asking for ideas to remove Hidden From API Services as shown in the roguekiller logs.

    Simply looking for advice on those three items or a general "how would you find and remove hidden services". I have googled around to no avail, figured I would try here as a last ditch effort to see if you guys happened to know of a way.
     
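One general way to answer the "how would you find hidden services" question above is a cross-view check: enumerate services through the Service Control Manager API and separately through raw registry enumeration, then flag anything that exists as a service key but is not reported by the API. The script below is an added example written for this thread; it is not from the original post, not RogueKiller's or FRST's code, and it assumes the standard HKLM\SYSTEM\CurrentControlSet\Services location and an elevated PowerShell session on the live system. The function name and output fields are the example's own.

```powershell
# Added example (not from the thread): cross-view check for service keys that
# the Service Control Manager API does not report.
# Assumptions: run as Administrator; services live under the standard key.

function Find-HiddenServiceKeys {
    [CmdletBinding()]
    param(
        [string]$ServicesPath = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    )

    # View 1: what the SCM admits to. Get-Service returns Win32 services only,
    # so kernel/file-system drivers are collected separately with sc.exe.
    $fromApi = @{}
    foreach ($svc in Get-Service -ErrorAction SilentlyContinue) {
        $fromApi[$svc.Name.ToLowerInvariant()] = $true
    }
    foreach ($line in (& sc.exe query type= driver state= all)) {
        if ($line -match '^\s*SERVICE_NAME:\s*(.+?)\s*$') {
            $fromApi[$Matches[1].ToLowerInvariant()] = $true
        }
    }

    # View 2: raw registry enumeration. Every subkey with Type/ImagePath values
    # is a service definition whether or not the SCM lists it.
    $results = foreach ($key in Get-ChildItem -LiteralPath $ServicesPath -ErrorAction SilentlyContinue) {
        $name  = $key.PSChildName
        $props = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue

        # Subkeys without Type or ImagePath are parameter containers, not services.
        if (-not $props.PSObject.Properties['Type'] -and
            -not $props.PSObject.Properties['ImagePath']) { continue }

        $inApi = $fromApi.ContainsKey($name.ToLowerInvariant())

        # Names carrying control characters are a reason an entry cannot be
        # opened or deleted by the usual Win32 registry tools.
        $oddName = $name -match '[\x00-\x1f]'

        if (-not $inApi -or $oddName) {
            [pscustomobject]@{
                Name        = $name
                NameHex     = ($name.ToCharArray() | ForEach-Object { '{0:x4}' -f [int]$_ }) -join ' '
                ImagePath   = $props.ImagePath
                Start       = $props.Start
                Type        = $props.Type
                ListedByApi = $inApi
            }
        }
    }
    $results
}

Find-HiddenServiceKeys | Format-Table -AutoSize
```

The NameHex column exists so that a key name which only looks normal can be checked for non-printing characters. The caveat is that this check only exposes inconsistencies between two views taken on the live system: a kernel-mode hook that filters registry enumeration will hide the key from Get-ChildItem as well as from the SCM, which is exactly why an offline view (the recovery-environment FRST scan suggested earlier in the thread, or loading the SYSTEM hive from a clean boot with `reg load`) remains the fallback when the live comparison comes up empty.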
  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I'm sorry, without all the logs we usually have users supply us with, I wouldn't be much help.
     
  7. rjordan

    rjordan Private First Class

    Yea I realize that...

    Was more hoping for someone to stop by who just happened to know extensively OS sort of things...

    The whole PC is completely cleared out, I am pretty much an expert on virus/malware removal and general OS troubleshooting, but this one has me stumped lol
     
  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I'll point Chaslang in your direction.
     
  9. rjordan

    rjordan Private First Class

    Awesome thanks.

    If I can get this last part figured out, that will be the final piece to the puzzle to manually remove this new version of zeroaccess.

    In the process of putting together a removal guide for this specific one as well.

    90% of it can be removed while still in normal mode too, and it will not require a re-format or any special boot disks to be used (unless of course an FBI virus hijacking safe mode is attached but yea...)
     
