Rootkit.0Access on Win 7 Home Premium

Hello,

I'm new to this great forum. I'm no native speaker. So please be patient, if my English seems to be poor. It is!

My private Laptop (Aspire 5742G running Win 7 Home Premium in 64-bit-mode) was infected by some Trojans which were deleted by Malwarebytes Anti-Malware program before I found this useful site. But it still detects a Rootkit.0Access and isn't able to remove it. It says so but after the requested restart it finds it again.

I'm still unable to reinstall Microsoft Security Essential or to re-activate my Windows Firewall. Even the Microsoft FixIt for Firewall don't work.

Now I performed the requested actions and logs I found here. Please see the attached files for details. I hope anybody can help. Any advice would be appreciated!

Thanks in advance!
Horibo

 

Welcome to MajorGeeks, horibo

http://img805.imageshack.us/img805/9659/rktigzy.gif Fix items using RogueKiller.

Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
When it opens, press the Scan button
Now click the Registry tab and locate these 3 detections:

• [ZeroAccess][FILE] n : c:\windows\installer\{ea97edbb-2bca-d692-e7a7-6626c6425dd9}\n --> FOUND
• [ZeroAccess][FOLDER] U : c:\windows\installer\{ea97edbb-2bca-d692-e7a7-6626c6425dd9}\U --> FOUND
• [ZeroAccess][FILE] @ : c:\users\horst\appdata\local\{ea97edbb-2bca-d692-e7a7-6626c6425dd9}\@ --> FOUND

Place a checkmark each of these items, leave the others unchecked.
Now press the Delete button.
When it is finished, there will be a log on your desktop called: RKreport[2].txt
Attach RKreport[2].txt to your next message. (How to attach)
Do not reboot your computer yet.

__

http://3.bp.blogspot.com/-tH5H1icUyOc/T1XP6r4puoI/AAAAAAAAAQE/jLwmqQECjCg/s1600/hitmanpro.gif - Rescan with HitmanPro, when it finds services.exe - Virus, allow it to Replace by clicking the down arrow next to the detection and choosing Replace.
Afterwards, click the Next button.
HitmanPro may want to reboot the PC in order for the changes to take affect, please do so.

_


http://3.bp.blogspot.com/-tH5H1icUyOc/T1XP6r4puoI/AAAAAAAAAQE/jLwmqQECjCg/s1600/hitmanpro.gif Once you are back in Windows, run another scan with HitmanPro and then attach the latest hitmanpro.zip log. (How to attach)

 

Thanks thisisu for your reply. One more question:

The three detections, you mentioned, are shown in the tab "files". They can't be checked but can be deleted. Is this, what you asked me to do?

Or should I check these both entries in tab "registry":
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND

and leave the files as they are?

horibo

 

Yes and sorry for the confusion.

Leave these two detections alone. They are just part of UAC being disabled.

 

Done! And anything seems to be fine now! But see attached files for details.

Thanks a lot for your help!

horibo

 

Great

Can you check to see if these folders are still present:

• c:\windows\installer\{ea97edbb-2bca-d692-e7a7-6626c6425dd9}
• c:\users\horst\appdata\local\{ea97edbb-2bca-d692-e7a7-6626c6425dd9}

If they are, let me know but try to delete them if they are present.

Are you having any other malware related problems?

 

The folders were still present but deletable. After reboot they don't reappear again. So I think, that's good news.

The problems have gone completely. Reinstall of Microsoft Security Essentials was successfull. All Scanning-Tools now create empty logs with no errors or warnings. The Windows-Firewall was not fixable and can't be started anymore. I left it as is and tried a fresh Privatefirewall install successfully.

So, for me all things seem to be fine!

Thanks a million again!

horibo

 

You're welcome.

If you are not having any other malware related problems, it is time to do our final steps:

• Any programs we had you download and/or install can be removed at this time.
• If we had you download and run ComboFix, here is how to uninstall it:
  • Press and hold the Windows key http://i1106.photobucket.com/albums/h363/debojyotidas/Windows_Logo_key.gif and then press the letter R on your keyboard.
  • This opens the Run dialog box.
  • Copy and paste the below text inside the text-field:
    • "%userprofile%\desktop\ComboFix" /uninstall
  • Now press ENTER
  • ComboFix will extract its files one last time and you should receive a notification that ComboFix has been uninstalled shortly after.
• You can re-enable your Disk Emulation software at this time via DeFogger.
• If we had you create or download a registry patch or "fix" script, these can be deleted at this time.
• Go into the C:\MGtools folder and run the MGclean.bat file to remove additional traces of our tools.
• Now we will toggle System Restore to remove any infected system restore points.
  • Read this: How to Disable And Enable System Restore
• Lastly, here is a guide to protect you from future infections: How to Protect yourself from malware!
• Be safe