Rootkit ZeroAccess still present. Completed Steps 1 & 2

Discussion in 'Malware Help (A Specialist Will Reply)' started by johneangel, May 22, 2013.

  1. johneangel

    johneangel Private E-2

    Hi. Having a difficult time trying to start a new thread in "Windows XP Malware Removal/Cleaning Procedure" even after closing ZoneAlarm, allowing all cookies and popups, links don't work. Thus, posted here.

    Computer infected with "Rootkit ZeroAccess Inserted into tcp/ipstack" per many ComboFix scans for 6+/- months.

    No other malware found by quick & full scans by Malwarebytes, Superantispyware, ZoneAlarm Extreme Security. I've been using ComboFix scans to clean up for months, but computer continues to work fast but slows down, since Rootkit ZeroAccess still present. Perhaps ZeroAccess enters via Adobe Flash since I watch movies, tv shows on computer.

    May 13 Uninstalled all old Combofix with Revo Uninstaller using "Advanced", highest removal setting.

    May 16 Began downloading cleaners but made mistake and started MGlogstools by accident. Let it run and then forgot what I did, dysfunctional memory. Will post that log if necessary.

    May 19 Completed all MG scans in sequence. Computer working fast, but it'll slow down in 3 or 4 days and I'll have to run ComboFix.

    May 20 Ran ComboFix. ZeroAccess still present. Scanned 1 to 50 stages in 15 minutes, total 25 min. Computer speed varies since comcast 1.5 mps speed varies.

    Remaining Problems

    1. ZeroAccess still present.

    2. CAPTCHA and Security Check boxes are not showing, probably an IE8/google setting problem.

    3. May 21, day after completing all MG removal programs I got some popups for phony Flash programs that look like Adobe but aren't. Thus, I never okayed them.

    4. May 21 got 3 official? pop-up notices for installing IE8 indicating that even though I get notices about Microsoft Updates and install them, evidently my IE8 is not always recognized as present.

    I went to http://www.microsoft.com/en-us/download/internet-explorer-8-details.aspx and was told:

    "You already have this download installed. Click "Next" to download Internet Explorer 8 again or use the navigation above to continue searching for downloads." I didn't click the next of the official? pop-ups since I'm paranoid and per MG, don't install new programs until cleaning completed. Suggestions? IE8 reinstallation may solve CAPTCHA problem.

    Pop-Up:
    "Set Up Windows Internet Explorer 8
    Welcome to Internet Explorer 8
    Internet Explorer 8 helps you use the Internet even faster than before.
    Read the Internet Explorer Privacy Statement online"

    Tried my best. Thanks, john


    HELP.
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am not finding any evidence of a ZeroAccess infection.

    Use windows explorer to find and delete:
    C:\Documents and Settings\johnt\Templates\2509137411
    C:\Documents and Settings\johnt\Templates\3367619789
    C:\Documents and Settings\johnt\Templates\3469191438
    C:\Documents and Settings\johnt\Templates\50vGiJ1FW7x2
    C:\Documents and Settings\johnt\Templates\58G3tyIDc
    C:\Documents and Settings\johnt\Templates\jrNYi6G

    Tell me what issues you are having still.
     
  3. johneangel

    johneangel Private E-2

    Thanks for the quick response.

    Rootkit ZeroAccess still present.

    May 23, Per instructions, deleted the 6 files at:

    C:\Documents and Settings\johnt\Templates\2509137411
    C:\Documents and Settings\johnt\Templates\3367619789
    C:\Documents and Settings\johnt\Templates\3469191438
    C:\Documents and Settings\johnt\Templates\50vGiJ1FW7x2
    C:\Documents and Settings\johnt\Templates\58G3tyIDc
    C:\Documents and Settings\johnt\Templates\jrNYi6G

    Started using shift-delete on jrnyi6g and thought it would be better to use CyberScrub (US Dept of Defense 3 passes).

    Is shift delete sufficient or 3 passes better?

    After the above deletions I rebooted computer, ran Internet Options Browsing history delete-delete, CCleaner default with advanced overwrite 3 passes and Registry Mechanics Clear Windows History and Clear Browsing History. Usually I clean computer out monthly using CyberScrub Schneier's algorithm (7 passes) and every 3-6 months using Gutmann's slow 35 passes to sanitize.

    I reboot again, repeated CCleaner and Registry Mechanics and then Auslogics Disk Defrag.

    Next, I ran ComboFix which indicates Rootkit ZeroAccess still present.
    The final "scanning of the 50 Stages" took 17 minutes, total time of 42 minutes for the updating, backing up, initial scanning and 2 reboots due to presence of ZeroAccess. With a clean computer the ComboFix "scanning of the 50 Stages" takes 6 to 9 minutes vs infected computer scanning of 15 minutes or more.

    Templates for system files are not the same as system files.
    Assume template has to do with form, access, use, location?? Too confusing.
    System Files also found and still at locations All, johnt and/or NetworkService

    A C:\Documents and Settings\All Users\Application Data
    j C:\Documents and Settings\johnt\Local Settings\Application Data
    N C:\Documents and Settings\NetworkService\Local Settings\App Data

    50vGiJ1FW7x2 at A,j,N Cre 4/14/10 1:16:40 PM Mod 4/14/10 2:12:05 PM
    GDIPFONTCACHEV1.DAT Cre 4/14/10 1:21:25 PM Mod 4/14/10 1:21:26 PM
    at john & WINDOWS\sys32\config\systemprofile\Local Settings\App Data
    2509137411 at j CRE 4/14/10 1:22:29 PM MOD 4/14/10 1:24:37 PM
    3469191438 at j CRE 4/14/10 1:23:03 PM MOD 4/14/10 1:25:15 PM
    jrNYi6G at A,j CRE 4/16/10 6:20:32 PM MOD 4/16/10 6:59:59 PM
    3367619789 at j CRE 4/16/10 6:28:28 PM MOD 4/16/10 6:28:35 PM
    58G3tyIDc at j CRE 4/17/10 10:04:02 PM MOD 4/18/10 7:10:00 AM

    Perhaps some of the system files need to be deleted since I still have Rootkit ZeroAccess present and since MG deleted some of the above system files and/or their Templates on a 4/26/10 case. I googled "2509137411" and found the following 4/26/10 MG case of at: http://forums.majorgeeks.com/showthread.php?p=1488039#post1488039

    You can find the deletion files by searching the MG case 4/26/10 for "2509137411".

    Minor information: GDIPFONTCACHEV1.DAT appears to be a font cache that was created during the creation of the above files. There's some web discussion about it being risky.

    No other files on my computer have Created or Modified times within 10 minutes of the 7 files, but the files before and after the 7 files are Macromedia Flash files, except when one of the 7 were the last file of the day, the next day has Macromedia Flash files within minutes of bootup. Flash files are suspicious!

    GDIPFONTCACHEV1.DAT was created in the middle of the first 5 files above and was modified right before the 5 files were modified. Something's fishy.

    Perhaps some more with the 6 files?

    thanks, john
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Attach the log from running ComboFix.
     
  5. johneangel

    johneangel Private E-2

    Hi. Thanks for fast response. Without CAPTCHA ability, I'm limited.
    I might be getting hacks since my combo logs are getting messed up or I'm messing them up. I'm attaching 2 logs, one from yesterday and from today.

    ComboFix took 24 minutes to do the May 24 final scan of stages 1 to 50, about the same as that of the May 23 scan. Lost the early scan from May 23. Will search for it and send if found.

    Senile with a dysfunctional memory.

    thanks

    Looks like I have to submit both this reply and the additional options
     

    Attached Files:

  6. johneangel

    johneangel Private E-2

    Hi.

    Have I violated the Malware Removal Guide Important Notices?

    Reread instructions today, May 25 since I didn't print instructions (printer broke) nor save them in Wordpad. Specifically, "Once you start this cleaning process to remove your malware please do not do anything to your PC except what is requested in this procedure. Do not install anything on your own and do not run other scans."

    1. I assumed that deleting files and browsing histories with Internet Properties-Browsing History-delete, "CClean Windows" using default settings and Registry Mechanics 'Clear Your Windows and Browsing Histories' are not running scans since they delete specific files.

    2. And, since I don't have cable TV, I stream TV and movies on computer, NO downloading.

    Does streaming movies/TV and specific file deletion violate the MG instructions?

    I assume "--please do not do anything to your PC--" refers to any repair and downloading.

    Thanks, john
     
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    There is no Zero Access infection showing in those logs. Just what issues are you having?
     
  8. johneangel

    johneangel Private E-2

    Thanks for all the help.

    You said: "There is no Zero Access infection showing in those logs."

    Thus, I have to conclude:

    1. That the ComboFix installed on my desktop, May 16 is corrupted and is giving a false negative alert of being infected with the Rootkit Zero Access during the scanning of my computer.

    If this is true, why the long actual stage 1 to 50 scanning time of 24 minutes with total time of about 50 minutes for the last two scans? Because ComboFix is corrupted ??????? Without infections, ComboFix scanning completes in 6 to 9 minutes.

    2. That the missing CAPTCHA and Security Check boxes on some web sites is a IE8 and/or google problem.

    3. That the official popups for installing IE8 are due to IE8 errors, corruption.

    Thus, I will ignore the above 3 items, wait until Sunday evening, May 26.

    If all is okay, I'll proceed to Step 4 of Malware Removal/Cleaning Procedure:

    1. Remove ComboFix with Revo Uninstaller using "Advanced", highest removal setting.
    2. Uninstall MG req'd programs excluding Malwarebytes & TDSSKILLER, used since 1998.
    3. Enable disk emulation software. cidaemon.exe and APSDaemon.exe in my system.
    4. Disable and Enable System Restore and create a system Restore Point.
    5. In a week, install a new ComboFix and run.

    Thanks for all your speedy help.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Tim is correct about no signs of a real ZeroAccess infection but there are quite a few other issues.

    Please download OTM by Old Timer and save it to your Desktop.
    • Run it by double clicking on it (Note: if using Vista, Win7, or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
      (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
      the code box
    Code:
    :Processes
    explorer.exe
    
    :Services
    DatamngrCoordinator
    
    :Files
    c:\documents and settings\johnt\Application Data\searchresultstb
    c:\program files\Search Results Toolbar
    c:\documents and settings\All Users\Application Data\Datamngr
    c:\program files\Common Files\Java\Java Update\jusched .exe
    C:\Documents and Settings\johnt\Local Settings\Application Data\Wajam
    C:\Documents and Settings\johnt\Start Menu\Programs\BrowserProtect
    C:\Documents and Settings\johnt\Templates\2509137411
    C:\Documents and Settings\johnt\Templates\3367619789
    C:\Documents and Settings\johnt\Templates\3469191438
    C:\Documents and Settings\johnt\Templates\50vGiJ1FW7x2
    C:\Documents and Settings\johnt\Templates\58G3tyIDc
    C:\Program Files\Search Results Toolbar
    :Reg
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes]
    "DefaultScope"="{1AC1A6B1-4A97-1E66-7281-6ED8C4DF2D7E}"
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}]
    [-HKEY_USERS\S-1-5-21-1614895754-1004336348-725345543-1004\Software\InstalledBrowserExtensions\215 Apps]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Babylon]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{C3110516-8EFC-49D6-8B72-69354F332062}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{80922ee0-8a76-46ae-95d5-bd3c3fe0708d}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC1AC828-BB47-4361-AFB5-96EEE259DD87}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1B730ACF-26A3-447B-9994-14AEE0EB72CC}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Prod.cap]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SearchQUIEHelper.DNSGuard.1]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SearchQUIEHelper.DNSGuard]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{6A4BCABA-C437-4C76-A54E-AF31B8A76CB9}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Datamngr]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\jpmbfleldcgkldadpdinhjjopdfpjfjp]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}]
    [-HKEY_USERS\S-1-5-21-1614895754-1004336348-725345543-1004\Software\Classes\CLSID\{80922ee0-8a76-46ae-95d5-bd3c3fe0708d}]
    [-HKEY_USERS\S-1-5-21-1614895754-1004336348-725345543-1004\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}]
    [-HKEY_USERS\S-1-5-21-1614895754-1004336348-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\bProtectSettings]
    [-HKEY_USERS\S-1-5-21-1614895754-1004336348-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}]
    [-HKEY_USERS\S-1-5-21-1614895754-1004336348-725345543-1004\Software\Softonic]
    [-HKEY_USERS\S-1-5-21-1614895754-1004336348-725345543-1004_Classes\CLSID\{80922ee0-8a76-46ae-95d5-bd3c3fe0708d}]
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large MoveIt! button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
    saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
    this log file to your next message.

    Now please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note: That JRT may reset your home page to a google default so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • the JRT.TXT log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  10. johneangel

    johneangel Private E-2

    Hi chaslang.

    Thanks for assistance. My problem explanation is not too clear: 'Computer's fast but slows down in a few days or more and I use ComboFix, CCleaner, "PC Tools Registry Mechanics" and Auslogics Disk Defrag to clean and speed up. Computer's 9 years old.

    Completed 3 programs - Logs attached.

    OTM Safe Mode with Networking.
    Could not link nor get "large button" in: "Now click the large http://forums.majorgeeks.com/chaslan...es/MoveIt!.png button." Nothing happened, there was no large button.

    Copied files, returned to OTM box, pasted files and clicked the small "CleanUp!" box. Program ran.

    Tried everything: Normal Mode and Safe Mode with Networking with and without ZoneAlarm Extreme Security and set Internet Properties to "Accept All Cookies" and unchecked "Turn on Pop-up Blocker", etc. Then checked Task Manager and found 2 program exe files in Processes that I could not "End Process" or "End Process Tree": one for ZoneAlarm and one for Superantispyware(free).

    Junkware Removal Tool Ran fine.
    Did not reset my homepage of "about:blank".

    C:\MGtools\GetLogs.bat Normal mode without protection software.
    Should I have run this at Safe Mode with Networking without protection software?

    Important Question
    Registry Mechanic is one of the things removed in JRT.
    Is it possible that Registry Mechanic is not the same as "PC Tools Registry Mechanic"?

    The icon has changed but not all the programs for "PC Tools Registry Mechanic" have been removed, only some.
    Thus, I'm supposed to stop using it.
    Am I to remove all Registry Mechanic folders?
    I paid for it, it's on CNET and listed as an excellent reg cleaner.


    Suggest advising specifically running: Normal, Safe Mode or Safe Mode with Networking without or with protection software.

    Too tired to edit, it's been over 4 hours.

    thanks, john
     
  11. johneangel

    johneangel Private E-2

    editing
     
    Last edited: May 27, 2013
  12. johneangel

    johneangel Private E-2

    Chaslang:

    Had a display problem with Adobe Flash Player 11 ActiveX. Couldn't download online, no graphics on some links in Adobe.com and on some other websites - www.juancole.com videos work okay with some eratics.

    Used Safe Mode with Networking and default MSN home page to download new Flash Player, working okay with some hesitations. Don't know what caused the display problem, possibly surfing the web.

    MAJOR PROBLEM
    When I link with "http://forums.majorgeeks.com/forumdisplay.php?f=35", once connected to MR, the web page starts recognizing my computer and beneath the: "Welcome, johneangel. You last visited: Today at 01:52" a white rectangular box pops up with a blue world sphere with "Internet Explorer c" which is the beginning of "Internet Explorer cannot connect to---".

    1. Rt click the blue sphere and rt or lf click properties, you get: res://ieframe.dll/noConnect.png <<----Chaslang, note the ".png" on the Left

    My ZoneAlarm Extreme Security default setting for Public and Trusted Zones is not to Allow Incoming & Outgoing pings(ICMP Echo).

    I'll adjust Zone settings to whatever is necessary to stop the blocking.
    I have "forums.majorgeeks.com" in"Trusted Zone".

    2. Rt click Welcome and rt or lf click properties: http://forums.majorgeeks.com/showthread.php?t=276812

    3. Rt click Explorer and rt or lf click properties: res://ieframe.dll/dnserrordiagoff.htm#http://www.facebook.com/plugins/lik...show_faces=true&extended_social_context=false

    Assume you'll want some new scans.

    After I do the scans you'll give me today, will it be time to toggle System Restore off and on since all of ComboFix was removed from my computer with the 3 programs ran yesterday, May 26?

    I just ran Internet Properties Delete Browsing history, CCleaner windows default, Auslogics Disk Defrag and saved a Restore Point.

    Watched: http://www.juancole.com/2013/05/humiliation-palestinians-documentary.html Fair, not too shabby.

    Would it be okay to do the following which normally speeds up my computer and does include scans. Or whatever you suggest.

    1. Run the scans/programs you give me today and include off and on of System Restore someplace below.

    2. Run: sfc /scannow Which includes placing Reinstallation CD in D: for the req'd sys files. I haven't yet loaded them permanently in my system.

    3. Do a few things: ck mail and read/watch videos at www.juancole.com and a tv show, Revolution. No scanning.

    4. Run Internet Properties Delete Browsing history, CCleaner windows default, Auslogics Disk Defrag.

    5. Reboot and type in Command Prompt: "chkdsk /r" Reboot.

    6. Do a few things, no scanning.

    7. Run Internet Properties Delete Browsing history, CCleaner windows default, Auslogics Disk Defrag.,

    8. Reboot, save another Restore Point.

    Enough for the day, john
     
  13. johneangel

    johneangel Private E-2

    Performance, Problems Update

    1. Movies, videos, Tv shows, email and some web surfing info working perfectly.

    2. On starting computer, within a few minutes got official Windows screen to install IE8. Will do once cleaning completed. This will probably resolve missing CAPTCHA and Security Check boxes on some web sites.

    3. Won't work on ping problem until cleaning is done.

    4. PC Tools Registry Mechanic--Basically, computer working fine without using PC Tools Registry Mechanic. I believe I caused corruption of it by not heeding all warnings from ZA, ZoneAlarm that "Unless you trust this site, avoid entering personal information or downloading anything from it." I've had this warning during web searching on healthy food such as stevia and only "link to additional info".

    john
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should not be using ComboFix unless an expert asks you to do so and then gives exact instructions on what to do with it. It is not a general purpose scanner that you should be running at will. Registry cleaning is not recommended as it can frequently cause more harm than good. Registry Mechanic is not malware. We just don't recommend using it. Running programs like this on brand new freshly installed copies of Windows will show several hundred to thousands of problems/issues that are not issues at all. And blindly fixing what they call problems will result in some things not working. Even many times the reason why Windows Update stops working.

    Why are you trying to run this in safe mode? That was not requested in my instructions. Are you unable to boot in normal mode?

    You need to complete my last instructions and attach the logs I requested. I cannot continue until you do this.

    Also note, when you continue to do things that we do not request, it complicates our ability to help you. The READ & RUN ME FIRST instructions stated early on that once you start the cleaning process that you should not do anything except what is requested.
     
    Last edited: May 28, 2013
  15. johneangel

    johneangel Private E-2

    Hi.

    I thought I had attached the logs for the 3 programs to my reply to your post of 05-26-13, 23:59. Evidently I didn't. Instead of attaching those old logs, I'll run the 3 programs tomorrow and attach the new logs.

    OTM program problem. I could not link nor get "large button" in: "Now click the large http://forums.majorgeeks.com/chaslan...es/MoveIt!.png button." Nothing happened, there was no large button.

    I copied the log files, returned to OTM box, pasted files and clicked the small "CleanUp!" box. Program ran. Is this okay? I'll try again.

    john
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Actually we really want the first logs. Running them a second time would not give the original info from the first time the fix was run. But see below because it appears that you really have not run the fix properly yet.

    No! The Cleanup button is not what I need you to run. That does not run a fix. The MoveIt! button to the left of the Cleanup! button is for fixing things. You need to make sure that all protection is disabled including your firewall before you run OTM.exe. If you still have problems in normal boot mode, then run OTM.exe ( and only OTM.exe ) in safe boot mode.
     
  17. johneangel

    johneangel Private E-2

    Chaslang,

    Attached today's OTM log and May 26 logs of Junkware Removal Tool and MGlog.zip.

    I'm a wee senile and forget things if I don't write them down. Apology for my confusion and mistakes.

    OTM's 3rd line of log: "No active process named explorer.exe was found!" This is why I keep getting Microsoft's Install IE8 page. MS Updates keep loading.

    I didn't read your yesterday post until after I spent over 6 hours today rerunning the original 5 programs in normal mode excluding MGTools. I forgot today that your last instructions pertained to the 3 programs, OTM, Junkware Removal Tool and the C:\MGtools\GetLogs.bat.

    I reran OTM with ZoneAlarm shut down and tried normal mode. It worked and I did exactly what you instructed. But when the "command prompt type" black screen said something about rebooting, I may have accidentally hit a key that caused it to reboot. Anyway I attached the OTM file. But have not done anything else until I hear from you.

    My desktop is getting crowded. So I put two new folders to c: and made them hidden and read only. Is this safe until cleaning done?

    What's next?

    Kitchen sink needs repairing and I'm tired.

    Thanks, john
     

    Attached Files:

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! You should only be doing what we ask you to do and nothing else. Anything else you do will serve to hinder the removal process and/or final cleanup when we finish. The folder I see with too many files in it that should not be there is the C:\Documents and Settings\johnt folder. You should not be saving all those files there. That is what your My Documents folder is for. You should not save anything at the johnt level. Only the system should put files there.

    You also need to stop moving the log files from MGtools into your root folder. Or you need to stop extracting them from the MGlogs.zip file into your root folder. However you are causing them to be there, because they do not belong there and will not get cleaned up automatically when we finish because the program does not expect them to be there. I will remove them with the below fix but please stop doing this.


    Make sure that you shutdown your ZoneAlarm protection before doing the below and follow the instructions as written. Do not run anything twice!!!!

    • Run OTM.EXE by double clicking on it
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
      (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
      the code box
    Code:
    :Processes
    explorer.exe
    :Services
    DatamngrCoordinator
    gupdate
    gupdatem
     
    :Files
    C:\Program Files\Search Results Toolbar\Datamngr
    C:\Program Files\Search Results Toolbar
    C:\browserinf.txt
    C:\combofix.txt
    C:\ffdata.txt
    C:\filelog.txt
    C:\GetUnKey.txt
    C:\hijackthis.txt
    C:\JavaRa.log
    C:\may 13.exe
    C:\MGtools.exe
    C:\miscinfo.txt
    C:\miscinfo2.txt
    C:\msrvlog.txt
    C:\msrvstate.txt
    C:\netinfo.txt
    C:\netinflong.txt
    C:\newfiles.txt
    C:\nwktst.txt
    C:\procdll.txt
    C:\resetlog.txt
    C:\runkeys.txt
    C:\srven.txt
    C:\sysinfo.txt
    C:\UserInfo.txt
    C:\winfiles.txt
    C:\winsock.txt
    C:\zafind.txt
    
    :Reg
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "Privacy Suite RiskMonitor"=-
    [HKEY_USERS\S-1-5-21-1614895754-1004336348-725345543-1004\Software\Microsoft\Windows\CurrentVersion\run]
    "Privacy Suite RiskMonitor"=-
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\APSDaemon]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\RegistryMechanic]
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large MoveIt! button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
    saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
    this log file to your next message.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
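    Added here as an editor's example, not code from this thread or from OTM's author: a dry-run previewer for a fix list in the layout chaslang pastes above and in message 9, so a helper can see exactly which processes, services, paths and registry entries a script would touch before anyone runs it. It assumes, from the layout alone, that `[-KEY]` deletes a key, `"name"=-` deletes a value, and a plain `[KEY]` line names the key that the `"name"=data` lines under it apply to; every vendor, service, path and GUID in the sample is a constructed placeholder.

```python
# Added example: dry-run previewer for an OTM-style fix list (not OTM's own code).
# Section semantics are assumptions inferred from the script layout in the thread.
import re
from dataclasses import dataclass, field
from typing import List, Tuple

SECTION_RE = re.compile(r"^:(\w+)$")
REG_KEY_RE = re.compile(r"^\[(-?)(HKEY_[^\]]+)\]$")
REG_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
# Top-level folders whose wholesale removal would break Windows (assumption: worth flagging).
PROTECTED_TOP = {"windows", "program files", "documents and settings", "users"}


@dataclass
class FixPlan:
    processes: List[str] = field(default_factory=list)
    services: List[str] = field(default_factory=list)
    files: List[str] = field(default_factory=list)
    reg_delete_keys: List[str] = field(default_factory=list)
    reg_delete_values: List[Tuple[str, str]] = field(default_factory=list)
    reg_set_values: List[Tuple[str, str, str]] = field(default_factory=list)
    commands: List[str] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)


def _check_path(path: str, lineno: int, plan: FixPlan) -> None:
    """Flag :Files entries that are not absolute or that name a whole top-level folder."""
    if not re.match(r"^[A-Za-z]:\\", path):
        plan.warnings.append(f"line {lineno}: not an absolute drive path: {path}")
        return
    parts = path.rstrip("\\").split("\\")
    if len(parts) == 1 or (len(parts) == 2 and parts[1].lower() in PROTECTED_TOP):
        plan.warnings.append(f"line {lineno}: would remove a whole top-level folder: {path}")


def parse_fix_list(text: str) -> FixPlan:
    """Parse the fix list into a plan without touching the system."""
    plan = FixPlan()
    section = None
    current_key = None  # key that following "name"=data lines apply to
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, current_key = m.group(1).lower(), None
            continue
        if section == "processes":
            plan.processes.append(line)
        elif section == "services":
            plan.services.append(line)
        elif section == "files":
            _check_path(line, lineno, plan)
            plan.files.append(line)
        elif section == "reg":
            km = REG_KEY_RE.match(line)
            vm = REG_VALUE_RE.match(line)
            if km and km.group(1) == "-":  # [-KEY]: whole key is deleted
                plan.reg_delete_keys.append(km.group(2))
                current_key = None
            elif km:  # [KEY]: value lines below apply to this key
                current_key = km.group(2)
            elif vm and current_key:
                name, data = vm.groups()
                if data == "-":  # "name"=- : value is deleted
                    plan.reg_delete_values.append((current_key, name))
                else:  # "name"=data : value is written
                    plan.reg_set_values.append((current_key, name, data))
            else:
                plan.warnings.append(f"line {lineno}: unparsed registry line: {line}")
        elif section == "commands":
            plan.commands.append(line.strip("[]").lower())
        else:
            plan.warnings.append(f"line {lineno}: outside any section: {line}")
    # Killing explorer.exe without [start explorer] leaves the user with no shell after the fix.
    if any(p.lower() == "explorer.exe" for p in plan.processes) and "start explorer" not in plan.commands:
        plan.warnings.append("explorer.exe is killed but no [start explorer] command restarts it")
    return plan


def report(plan: FixPlan) -> str:
    """Human-readable summary of what the fix list would do."""
    lines = [
        f"kill {len(plan.processes)} process(es): {', '.join(plan.processes)}",
        f"stop/remove {len(plan.services)} service(s): {', '.join(plan.services)}",
        f"move {len(plan.files)} file/folder path(s)",
        f"delete {len(plan.reg_delete_keys)} registry key(s), {len(plan.reg_delete_values)} value(s); "
        f"write {len(plan.reg_set_values)} value(s)",
        f"commands: {', '.join(plan.commands)}",
    ]
    lines += [f"WARNING: {w}" for w in plan.warnings]
    return "\n".join(lines)


# Constructed sample in the thread's layout; vendor, service, path and GUID values are placeholders.
SAMPLE_FIX_LIST = r"""
:Processes
explorer.exe
:Services
ExampleUpdaterSvc
:Files
C:\Program Files\Example Toolbar
C:\example-leftover.txt
:Reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Example RiskMonitor"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{00000000-0000-0000-0000-000000000000}"
:Commands
[purity]
[EmptyTemp]
[start explorer]
[Reboot]
"""

if __name__ == "__main__":
    print(report(parse_fix_list(SAMPLE_FIX_LIST)))
```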
     
  19. johneangel

    johneangel Private E-2

    Chaslang,

    Computer is working slow. Bootup takes 5m 30secs, normally 2.5 to 3.5 min.
    Movies, tv shows, videos on http://www.juancole.com/ are playing, but some movies loading slow and sometimes with pauses. Email, Outlook Express working but not as fast. I may have caused the slowness due to my mistakes, repeated scan of the 5 programs and not closing down ZoneAlarm.

    Moved most folders and files in "C:\Documents and Settings\johnt" that were not system programs installed, system updates and others to My Computer. But did not move .dat, .db, .reg, .ini, .log files to default location: C:\Documents and Settings\johnt\My Documents. This move helped computer work a little faster, but still slow.

    Was going to move programs, scans and logs of RogueKiller, TDSSKiller and Hitman back to desktop as original saved, but didn't since you said not to do anything and that they would be removed. MGtools was downloaded to C:\ per directions.

    A copy of the MGlogs.zip was installed on the desktop and also in C:\ by the C:\MGtools\GetLogs.bat program. I'll leave in both places unless instructed otherwise.

    I'll attach a quick reply tomorrow after using computer at least 3 times.

    thanks, john
     

    Attached Files:

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay this is not due to malware though. Your logs are clean. More like due to Zonealarm startup, SUPERAntiSpyware startup, and PC Tools Registry Mechanic 11.0 startmanager. Also, if you have run Registry Mechanic to perform any registry cleaning, it would not be the first time a PC starts to show problems due to registry cleaning, which we do not recommend.

    You could try uninstalling ZoneAlarm to see how that impacts things. Just a test to see how much impact it is having. Then also try uninstall SUPERAntiSpyware too.

    Okay but that is not what my comment was really about. It was about the fact that you must have loaded MGlogs.zip into a ZIP type program and had extracted all the contents to C:\. You don't even need to look at the MGlogs.zip file (unless we asked). Everything is in the C:\MGtools folder in uncompressed form if you want to see the logs.
     
  21. johneangel

    johneangel Private E-2

    Chaslang,

    Thanks for your continued thorough, patient service and for putting up with my mistakes.

    The end is here. Time to remove programs, files and to re-enable CD Emulation programs if I have them. Don't really know. The fact that I was never asked to reboot may be a false negative since I may have run DeFogger with my ZoneAlarm active. Do the clean scans indicate I have no Emulation programs? Or I need to rerun it?

    Time to remove the MajorGeeks' scan programs and files. I'd also like to remove the "old programs and files" of ComboFix, HiJackThis, SystemLook, Checkup and others. What is the best and safest way to remove them?

    The .exe files without removal options can be dragged and dropped into Revo Uninstaller's Hunter Mode box. Other files/folders into the CyberScrub window using B. Schneier's algorithm, 7 passes or more. Or will you provide a desktop garbage can for disposal?

    My 7-zip program evidently automatically extracted the log files from MGlogs.zip file into my root folder. I'll read its instructions and correct the settings.

    Prior to running MG's scan programs, I unchecked all auto functions and disabled all protection of SuperAntiSpyware free edition, disabled "all SpywareBlaster protection" and returned Malwarebytes' settings to default. For ZoneAlarm Extreme Security, one must select "exit" and click "yes" "BEFORE YOU CONNECT TO MAJORGEEKS, NOT AFTER".

    Computer is still slow. But always after removing malware I run: sfc /scannow, boot up a couple of times and then load the Command Prompt screen and type in: "chkdsk /r", which makes the computer faster, if not the fastest. Can't wait to do this.

    I will continue using PC Tools Registry Mechanic. But I will only use the default settings and only in Safe Mode and never when online, infected or have signs of infection. I will totally remove it and start anew after using 35 passes, "Erase Beyond Recovery" to clean previously deleted files beyond forensic recovery, I think.

    I've been using PC Tools, ZoneAlarm, Malwarebytes, SuperAntiSpyware and SpywareBlaster since 1998. This was a moderate infection and only got worse because of my mistakes. You did a great clean.

    john
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.
    I'm not quite following what you are saying here. If you did not have any disk emulation software running, you did not need to run DeFogger and there also would not be anything to re-enable. Clean scans have nothing to do with emulation programs. They are not malware, so I don't know what you mean.

    I wouldn't. It would be on my list of things to uninstall. ;) But this is something you need to decide.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Go back to step 4 of the READ ME and re-enable your Disk Emulation software with DeFogger if you had disabled it.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista or Win 7, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to the C:\MGtools folder and find the MGclean.bat file. Double click (if running Vista, Win7, or Win 8, right click and Run As Administrator) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    7. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work through the below link:
     
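The final-steps list above applies the UAC step only to Vista and Windows 7 (XP has no UAC and no EnableLUA value). The following is an added example, not from this thread and not part of MGtools, that does the version check explicitly and then verifies the registry value after the change instead of trusting a double-click on the .reg file. It assumes PowerShell 2.0 or later is present (on XP SP3 that is a separate install) and that it is run from an elevated prompt, since HKLM\...\Policies\System is writable only by administrators.

```powershell
# Added example: re-enable UAC only where it exists, then verify.
# Not part of the MajorGeeks procedure; assumes an elevated PowerShell session.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$os     = [System.Environment]::OSVersion.Version

# Windows XP is NT 5.x; UAC (EnableLUA) only exists from NT 6.0 (Vista) onward.
if ($os.Major -lt 6) {
    Write-Host "Windows $($os.Major).$($os.Minor) detected (XP/2003): no UAC, skipping this step."
    return
}

# Read the current state; a missing value is treated the same as 0 (disabled).
$before = (Get-ItemProperty -Path $uacKey -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
if ($before -eq 1) {
    Write-Host 'UAC is already enabled (EnableLUA = 1); nothing to do.'
    return
}

# This is what enableUAC.reg does when imported: set the DWORD EnableLUA to 1.
Set-ItemProperty -Path $uacKey -Name EnableLUA -Value 1 -Type DWord

# Verify by reading the value back rather than assuming the write succeeded.
$after = (Get-ItemProperty -Path $uacKey -Name EnableLUA).EnableLUA
if ($after -eq 1) {
    Write-Host 'EnableLUA is now 1. UAC takes effect only after a reboot.'
} else {
    Write-Warning "EnableLUA still reads $after; the change did not apply (not elevated, or policy-locked)."
}
```

The same read-back check works without PowerShell on XP-era machines from a plain Command Prompt: `reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA` prints the current value, or an error if the value does not exist, which on XP is the expected result.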
  23. johneangel

    johneangel Private E-2

    Chaslang,

    Started final cleanup but confusion and desktop too crowded to get all copies of MG programs and others onto it. Don't know if the MGclean.bat file will clean, delete itself such that I won't be able to clean two or more times. Or does it search my whole computer, not just the desktop? How should I remove old copies of the same and other cleaning programs that include .exe files?

    Confusion with steps:

    4. ""If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry."" It doesn't say what to do if you're running XP. I assumed its directions are similar to Step 5?

    So being tired, I single clicked and nothing happened, then double clicked C:\MGtools\enableUAC.reg, was asked "Are you sure you want to add the information in C:\MGtools\EnableUAC.reg to the registry?" and said no.

    Then read Step 5 and assumed that Step 4 has to be completed before running Step 5. So I double clicked in Step 4 and clicked yes.

    Have not done Step 5 until I hear from you.

    thanks, john
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should only be doing what is in my instructions. They did not ask you to copy anything to your Desktop. Just run the instructions step by step.

    Step 4 begins with "If running Vista or Win 7", which means it only applies to those versions of Windows. There is no UAC registry key in Windows XP. You should be skipping step 4 and continuing with step 5.
     
