Repeated attempts by Zeroaccess.b Trojan today

Discussion in 'Malware Help (A Specialist Will Reply)' started by safetydave, Aug 3, 2012.

  1. safetydave

    safetydave Private E-2

    May have other issues; have attached HijackThis log for suggestions.
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please do the below so that we can boot to System Recovery Options to run a scan. There will be two options to choose from. One if you do not have your Windows 7 boot DVD and another when you have your DVD.

    For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
    For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    Option1: Enter System Recovery Options from the Advanced Boot Options:

    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    Option2: Enter System Recovery Options by using Windows installation disc:

    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please attach this file to your next reply. (See: How to attach)
     
  3. safetydave

    safetydave Private E-2

    Tim
    I appreciate your reply
    Farbar Recovery Scan Tool Log File Attached
     

    Attached Files:

  4. safetydave

    safetydave Private E-2

    Tim I also noticed that this laptop has not had a Windows update since 4/13/12. When I went to the Windows Update program, it would not update because:
    Windows Update cannot currently check for updates, because the service is not running. You may need to restart your computer.
    Windows updates are set to install automatically.
    I cannot view update history.
     
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Save fixlist.txt to your flash drive.

    • You should now have both fixlist.txt and FRST.exe on your flash drive.

    Now reboot back into the System Recovery Options as you did previously.
    Run FRST and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt).
    Please attach this to your next message. (See how to attach)

    Now boot into normal Windows and continue with the below.

    Running MGTools.
     

    Attached Files:

  6. safetydave

    safetydave Private E-2

    Tim:
    I was able to complete the fix with Farbar Recovery Tool and attached the Fixlog.txt as requested.
    I installed MGTools.exe and ran the program successfully. I attached the MGlogs.zip as requested.
     
  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Logs did not attach.
     
  8. safetydave

    safetydave Private E-2

    Apologies
    Logs attached
     

    Attached Files:

  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please run CCleaner and clean out your temp folders.

    Tell me what issues you may still have, if any.
     
  10. safetydave

    safetydave Private E-2

    Tim
    I ran CCleaner; the laptop has been running much better, no more malware alerts.
    Installing the full versions of Malwarebytes and SuperAntiSpyware has helped a lot. I appreciate your help.

    I attached a rkill.txt file after running rkill.exe today that indicates ZEROACCESS rootkit symptoms found!
    However when I checked the address in the registry the entry was not there.
    Please advise
     

    Attached Files:

  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Extract bfe.reg to your desktop.
    Double-click BFE.reg and allow it to merge into the registry. If you get a "successfully merged into registry" type of message, reboot your PC and see if you can turn on BFE, or if it is already turned on.

    You can run these commands from the command prompt.

    • net start bfe
    • sc qc bfe


    Now re-run RogueKiller and attach the log.
     
  12. safetydave

    safetydave Private E-2

    Tim
    Thank you for your reply
    I got a "successfully merged into registry" type of message, rebooted PC, but was not able to turn on BFE after running the following from the command prompt:
    net start bfe
    sc qc bfe
    I attached screen shots of two different error messages I received while trying to start BFE.
    Safetydave
     

    Attached Files:

  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Delete the BFE.reg file that exists on your desktop. Download this one to the same location.
    BFE.reg


    Now, boot into safe mode please to carry out the next set of instructions.


    • Now please click Start, and type regedit into the search box.
    • You should see a regedit.exe and icon appear in the Programs area of the Start Menu.
    • Right click on regedit.exe and select Run As Administrator
    • Then in the Registry Editor menu click File and select Import.
    • Navigate to the BFE.reg file saved to your Desktop and double click it. Allow it to be added to the registry.

    Back into normal mode now -
    Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.

    • Now run Repair_Windows.exe by double clicking on it (if you are running Vista or Win 7, use right click and select Run As Administrator)
    • Now select the Start Repairs tab.
    • Then click the Start button.
    • Create a System Restore point if prompted.
    • On the next screen, click the Unselect All button to first deselect all repairs.
    • Now select the following repair options:
      • Reset Registry Permissions
      • Reset File Permissions
      • Register System Files
      • Repair WMI
      • Repair Windows Firewall
      • Remove Policies Set By Infections
      • Repair Winsock & DNS Cache
      • Repair Proxy Settings
      • Repair Windows Updates
      • Set Windows Services To Default Startup
    • Now on the lower right side check the box to Restart/Shutdown System When Finished
    • Then make sure the Restart System radio button is enabled.
    • Shutdown any other programs that you are running now before continuing.
    • Now click the Start button.
    • Be patient while the tool repairs the selected items.
    • It should reboot automatically when finished.

    After reboot, check to see if your firewall is working.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.
     
    Last edited by a moderator: Sep 2, 2012
  14. safetydave

    safetydave Private E-2

    Tim
    Thank you
    Ran regedit.exe as admin was able to import BFE.reg
    BFE never would start in safe or normal mode
    Windows repair went ok - mglogs.zip attached
    Ran rkill64 log attached -
    * ALERT: ZEROACCESS rootkit symptoms found!
    * HKEY_CLASSES_ROOT\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32 [ZA Reg Hijack]
    Safetydave
     

    Attached Files:

  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your logs look good. All the services are now running. Use RogueKiller to remove that last item. Then tell me how things are running for you.
     
  16. safetydave

    safetydave Private E-2

    Thanks Tim
    Not sure how to use Roguekiller to remove ZEROACCESS rootkit symptoms found!
    When I run Roguekiller it does not seem to remove it
    I deleted the item using regedit not sure if I should have done that
     
  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    That should have worked. Re-run RogueKiller and attach the new log. ;)
     
  18. safetydave

    safetydave Private E-2

    Tim
    Thank you
    I see no change in the roguekiller log
    I attached it along with a screen shot of the registry location in question.
    Is it possible that roguekiller is mistaken?
    Gratefully
    Safetydave
     

    Attached Files:

  19. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hello there. This is looking quite a mess. According to the rkill log you have lots of missing services. Then when I check other logs, it says some of those services are ok, so let's do this for now please.
    (You have been running rkill, not RogueKiller!!!)

    SystemLook

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :reg
      HKEY_CLASSES_ROOT\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32 /s
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
    Last edited: Sep 4, 2012
  20. safetydave

    safetydave Private E-2

    Kestrel13!
    I appreciate your attention to the details that I missed and for trying to help.
    I am not as well versed as I should with Malware removal.
    I followed your instructions hope I used the correct software this time!
    Safetydave
     

    Attached Files:

  21. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    We are going to have fun and games mending all that is broken, and I can tell you, there will not be a nice easy quick fix, we may have to keep trying a few times before the fixes implement. Anyway, it might be easier once all the malware is gone. :)

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    Attached is fixlist.txt
    • Save fixlist.txt to your flash drive.
    • You should now have both fixlist.txt and FRST64.exe on your flash drive.

    Now re-enter System Recovery Options.
    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt).
    Please attach this to your next message. (How to attach)

    Now attempt to boot normally.

    -------------------------------

    • Re run FRST normally - no fix just a scan and attach log.
    • Follow my steps again to do the systemlook, exactly the same as before please.
    • Run ROGUEKILLER - (See instructions in the Read and Run Me First) and attach its log too please.
     

    Attached Files:

  22. safetydave

    safetydave Private E-2

    Kestrel13!
    Thank you
    attached are logs
     

    Attached Files:

  23. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these 3 detections:

    • [HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
      [HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
      [HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
      [HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
      [HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
      [HJPOL] HKLM\[...]\Wow6432Node\System : DisableTaskMgr (0) -> FOUND
      [HJPOL] HKLM\[...]\Wow6432Node\System : DisableRegistryTools (0) -> FOUND
      [HJ] HKLM\[...]\Wow6432Node\System : ConsentPromptBehaviorAdmin (0) -> FOUND
      [HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
      [HJ] HKLM\[...]\Wow6432Node\System : EnableLUA (0) -> FOUND
      [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
      [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
      [HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\Joseph\AppData\Local\{02815385-b3dc-aa2c-a083-2e509dc82d52}\n.) -> FOUND
    Place a checkmark by each of these items, leave the others unchecked.
    Now press the Delete button.

    Now click the Files/folders tab and locate these detections:

    • C:\Users\Joseph\AppData\Local\{02815385-b3dc-aa2c-a083-2e509dc82d52}\n

    Place a checkmark by each of these items, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)


    Farbar log:
    ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNCTION PROPERLY.

    You are not running Farbar as instructed. Please run it properly.
    The tool will make a log on the flashdrive (Fixlog.txt).
    Please attach this to your next message. (See how to attach)

    Now boot into normal Windows and continue with the below.

    Then run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator). Attach the new MGLogs.zip also.
     
    Last edited: Sep 6, 2012
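Added example, not from the thread or from RogueKiller: a small Python parser for registry detection lines in the shape RogueKiller prints in the post above (sample lines copied from that list). It records what each flagged value means for the machine's defences (EnableLUA 0 is UAC off, ConsentPromptBehaviorAdmin 0 is silent elevation) and flags an InprocServer32 COM server that loads from a user profile path instead of the Windows directories; that trusted-root list is an assumption used as a heuristic.

```python
import re
from collections import namedtuple

# Constructed sample: detection lines copied from the RogueKiller list in the post above.
SAMPLE_LOG = r"""
[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\Joseph\AppData\Local\{02815385-b3dc-aa2c-a083-2e509dc82d52}\n.) -> FOUND
"""

# Line shape: "[TAG][TAG] <key> : <value> -> <status>"
LINE_RE = re.compile(r"^((?:\[[^\]]+\])+)\s+(\S+)\s+:\s+(.+?)\s+->\s+(\w+)\s*$")
# Value shape: "<name> (<data>)", or just "(<data>)" when the key's default value is reported
VALUE_RE = re.compile(r"^(?:(\S+)\s+)?\((.*)\)$")
# Assumption (heuristic, not a RogueKiller rule): legitimate in-process COM servers live here.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files")

Detection = namedtuple("Detection", "tags key name data status notes")

def assess(tags, key, name, data):
    notes = []  # what the flagged value means for the defender
    if name == "EnableLUA" and data == "0":
        notes.append("UAC disabled")
    if name == "ConsentPromptBehaviorAdmin" and data == "0":
        notes.append("administrators elevate without a prompt")
    if name in ("DisableTaskMgr", "DisableRegistryTools"):
        notes.append("policy value %s present (data %s)" % (name, data))
    if key.endswith("InprocServer32"):
        path = data.rstrip(".").lower()  # RogueKiller prints a trailing "."
        if not path.startswith(TRUSTED_ROOTS):
            notes.append("COM server loaded from outside the system directories: " + data)
    if any(t.lower() == "zeroaccess" for t in tags):
        notes.append("tagged ZeroAccess by the scanner")
    return notes

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # header, blank line or other non-detection text
    tags_str, key, value, status = m.groups()
    tags = re.findall(r"\[([^\]]+)\]", tags_str)
    vm = VALUE_RE.match(value)
    name, data = (vm.group(1) or "", vm.group(2)) if vm else ("", value)
    return Detection(tags, key, name, data, status, assess(tags, key, name, data))

def parse_log(text):
    return [d for d in map(parse_line, text.splitlines()) if d]
```

Run `parse_log` over a saved RKreport file to get the same structured view of a full scan; only lines matching the detection shape are returned.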
