trojan generic.27 zeroaccess infection

Welcome to Major Geeks!

We are going to need to run some more scans and collect some additional info.


Please goto the below link and follow the instructions for running TDSSKiller from Kaspersky

• TDSSkiller - How to run

• Be sure to attach your log from TDSSKiller

Now please also download MBRCheck to your desktop.



See the download links under this icon http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif

• Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
• It will show a Black screen with some information that will contain either the below line if no problem is found:
  • Done! Press ENTER to exit...
• Or you will see more information like below if a problem is found:
  • Found non-standard or infected MBR.
  • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
• Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
• MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
• Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )

Now please download OTL by OldTimer.

• Save it to your desktop.
• Double click on the OTL icon on your desktop. (If running Vista or Win7 right-click and select Run as Administrator)
• Check the "Scan All Users" checkbox.
• Check the "Standard Output".
• Change the setting of "Drivers" and "Services" to "All"
• Copy the text in the code box below and paste it into the Customs Scans/Fixes text-field.
  
  Code:

  netsvcs
  /md5start
  afd.sys
  atapi.sys
  csrss.exe
  dhcpcsvc.dll
  explorer.exe
  lsass.exe
  nsiproxy.sys
  regedit.exe
  services.exe
  svchost.exe
  tcpip.sys
  tdx.sys
  userinit.exe
  winlogon.exe
  /md5stop
  %systemdrive%\*.*
  %systemdrive%\MGtools\*.*
  %systemroot%\*. /mp /s
  %systemroot%\system32\*.sys /90
  %systemroot%\system32\*.exe /lockedfiles
  %systemroot%\system32\drivers\*.sys /lockedfiles
  %windir%\assembly\GAC\*.ini
  %windir%\assembly\GAC_MSIL\*.ini
  %windir%\assembly\gac_32\*.ini
  %windir%\assembly\gac_64\*.ini
  %windir%\assembly\temp\*.ini
  %windir%\assembly\tmp\u /s
  %allusersprofile%\application data\*.exe
  hklm\system\currentcontrolset\services\dhcp
  hklm\system\currentcontrolset\services\afd
  hklm\system\currentcontrolset\services\tdx
  hklm\system\currentcontrolset\services\tcpip
  hklm\system\currentcontrolset\services\nsiproxy
  hklm\software\microsoft\windows\currentversion\run
  hklm\software\microsoft\windows\currentversion\runonce
  

• Now click the Run Scan button.
• Two reports will be created:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized
• Attach both OTL.txt and Extras.txt to your next message. (See how to attach)

 

Okay the only issue I'm seeing is that your 74GB disk drive may have an infected Master Boot Record. See the red highlighted info below taken from the MBRcheck log

Code:

      Size  Device Name          MBR Status
  --------------------------------------------
     69 GB  [URL="file://\\.\PhysicalDrive0"]\\.\PhysicalDrive0[/URL]   RE: Windows XP MBR code detected
            SHA1: 31D100779DE502702C374F7C15687B56FCFD5528
[COLOR=red][B]     74 GB  [/B][/COLOR][URL="file://\\.\PhysicalDrive1"][COLOR=red][B]\\.\PhysicalDrive1[/B][/COLOR][/URL][COLOR=red][B]   RE: Unknown MBR code
[/B][/COLOR]            SHA1: 639AC5CDF8A5CF3245975932C6A4215450A7B98F
    931 GB  [URL="file://\\.\PhysicalDrive3"]\\.\PhysicalDrive3[/URL]   RE: Windows 2008 MBR code detected
            SHA1: 8DF43F2BDE2D9451948FA14B5279969C777A7979

Do you have your Windows XP boot CD so that we can use it to boot to the Recovery Console to fix this MBR?

 

Follow the procedure in the below link to create a bootable CD and test it to be sure you can get to the Recovery Console

 

Sorry about that! I forgot to add the link.

Using ARCDC to get the Recovery Console Command Prompt

Let me know if you are able to make this CD and that you were successful at booting into the Recovery Console command prompt with it.

 

I know you do not have a Gateway PC but see if the concept of what is mentioned in message #3 of the below link works:

http://www.techspot.com/vb/topic18329.html