Worried about weird services after ZeroAccess infection

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by jm42, Apr 17, 2012.

  1. jm42

    jm42 Private E-2

    Hi, I have a friend's PC that booted into a police popup wanting Ukash (http://www.met.police.uk/pceu/cyber_crime.html) and had disabled Safe Mode. I booted off the Kaspersky Rescue CD, which cleaned off a lot of the ZeroAccess rootkit and allowed me to import the Safe Mode registry key so I could boot into Safe Mode.
    Ran ComboFix (apologies for out of sequence), but it said that it was infected with ZeroAccess and had infected the TCP/IP stack and asked to reboot (which appeared to be correct, as I had no internet access).

    So I have run all the tools in the malware removal guide, but there are still lots of services with weird names that run svchost -k netsvcs.
    Here's a list from that reg key:
    Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
    Value 3
    Name: netsvcs
    Type: REG_MULTI_SZ
    Data: 6to4
    AppMgmt
    AudioSrv
    Browser
    CryptSvc
    DMServer
    DHCP
    ERSvc
    EventSystem
    FastUserSwitchingCompatibility
    HidServ
    Ias
    Iprip
    Irmon
    LanmanServer
    LanmanWorkstation
    Messenger
    Netman
    Nla
    Ntmssvc
    NWCWorkstation
    Nwsapagent
    Rasauto
    EU3_USB
    sis315
    cimnotify
    JRAID
    s217mdfl
    papycpu2
    vwd
    NWSLP
    SaiH040B
    nwlnknb
    ooclevercacheagent
    ufdsvc
    DVDVRRdr_xp
    mlkkbdntdriver
    avsinc
    ZTEusbmdm6k
    BRGSp50
    M2500
    se2Cunic
    CTEDSPIO.DLL
    mcproxy
    ASDR
    qkbfiltr
    acdservice
    sbiesvc
    rvscc
    RMSvc
    dot4scan
    com0com
    QWAVEDRV
    npptnt2
    superproserver
    NxSysMon
    btwrchid
    Exportit
    mwlsvc
    cltnetcnservice
    dwusbdnt
    snare
    belmonitorservice
    SE26bus
    a016mgmt
    ptbsync
    diskperf
    CTEDSPFX.DLL
    sonicwall_netextender
    yats32
    oracleorahomeagent
    sony_ssm.sys
    cyberpowerups
    webdriveservice
    slapd-config52
    statusagent4
    dvd-ram_service
    proxyhostservice
    cmdmon
    mldserv
    SSFS0BB9
    slip
    mod7700
    issm
    sfrem01
    k750mdfl
    fsaa
    vtserver
    autocomplete
    {d31a0762-0ceb-444e-acff-b049a1f6fe91}
    cwafnotesservice
    lxrsge10s
    anbmservice
    lvpopflt
    pelmouse
    amdk7
    usbbus
    eamon
    db2das00
    PCDRSRVC
    NWADI
    pdlnctdl
    hprfdev
    VICESYS
    acprfmgrsvc
    oracleorahome811cman
    qcdonner
    wlankeeper
    maxbackserviceint
    SE2Dmgmt
    pctavsvc
    roammgr
    TdmService
    DynDNS_Updater_Service
    MSFWDrv
    vsapint
    AR5416
    vpcnets2
    avfilter
    slabser
    AsuhfivrO
    DniVad
    mhndrv
    remotelyanywhere
    dlbu_device
    regservice
    Cap7134
    cqmghost
    sffdisk
    FETNDIS
    cmudau
    w800mdfl
    se59mdm
    Rasman
    Remoteaccess
    Schedule
    Seclogon
    SENS
    Sharedaccess
    SRService
    Tapisrv
    Themes
    TrkWks
    W32Time
    WZCSVC
    Wmi
    WmdmPmSp
    winmgmt
    wscsvc
    xmlprov
    napagent
    hkmsvc
    BITS
    wuauserv
    ShellHWDetection
    helpsvc

    These are all set to Automatic, and I have not yet booted into normal Windows mode as I'm worried about what they are.

    Any help would be appreciated. Logs attached.

    Many thanks
    J
     

    Attached Files:

  2. jm42

    jm42 Private E-2

    And the rest.

    Thanks
     

    Attached Files:

  3. thisisu

    thisisu Malware Consultant

    Hello J,
    Welcome to Major Geeks :)

    They're the mess that the latest variants of ZeroAccess create. However, not all of those you listed are bad. In fact, many of them are essential in order for Windows to function properly.

    Let me have you run one more custom scan so we can remove these. You can run this scan while in Safe Mode.

    Please download OTL by OldTimer.

    • Save it to your desktop.
    • Double click on the OTL icon on your desktop.
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      activex
      netsvcs
      /md5start
      afd.sys
      i8042prt.sys
      ipsec.sys
      netbt.sys
      svchost.exe
      tcpip.sys
      /md5stop
      %windir%\$ntuninstallkb*. /30
      %windir%\system32\drivers\*.sys /lockedfiles
      %windir%\*.* /mp
      %windir%\*.* /rp
      %windir%\*.* /sl
      %systemdrive%\mgtools\*.*
      
    • Now click the Run Scan button.
    • One report will be created:
      • OTL.txt <-- Will be opened
    • Attach OTL.txt to your next message. (How to attach)
     
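A defender-side way to triage a netsvcs list like the one J posted, as an added example that is not from the thread or from any of the tools it mentions: it parses a regedit .reg export of the SvcHost key (REG_MULTI_SZ is written as hex(7), UTF-16LE strings separated by NUL, wrapped across lines with a trailing backslash) and splits the group members into those found in a known-good baseline and those that need review. The XP SP3 baseline set and the sample export are assumptions/constructed; a name outside the baseline is a candidate for review, not proof it is malicious.

```python
import re

# Baseline netsvcs group for Windows XP SP3. Assumption: taken from a clean
# install; build your own from a known-clean reference machine for other builds.
XP_SP3_NETSVCS = {
    "6to4", "AppMgmt", "AudioSrv", "Browser", "CryptSvc", "DMServer", "DHCP",
    "ERSvc", "EventSystem", "FastUserSwitchingCompatibility", "HidServ", "Ias",
    "Iprip", "Irmon", "LanmanServer", "LanmanWorkstation", "Messenger", "Netman",
    "Nla", "Ntmssvc", "NWCWorkstation", "Nwsapagent", "Rasauto", "Rasman",
    "Remoteaccess", "Schedule", "Seclogon", "SENS", "Sharedaccess", "SRService",
    "Tapisrv", "Themes", "TrkWks", "W32Time", "WZCSVC", "Wmi", "WmdmPmSp",
    "winmgmt", "wscsvc", "xmlprov", "napagent", "hkmsvc", "BITS", "wuauserv",
    "ShellHWDetection", "helpsvc",
}

def parse_reg_multi_sz(reg_text, value_name="netsvcs"):
    """Return the strings of a REG_MULTI_SZ value from a regedit .reg export.
    regedit writes REG_MULTI_SZ as hex(7):xx,xx,... with long lines wrapped by a
    trailing backslash; the bytes are UTF-16LE strings, NUL-separated, double-NUL terminated.
    """
    joined = re.sub(r",\\\r?\n\s*", ",", reg_text)  # undo regedit line wrapping
    pattern = r'^"%s"=hex\(7\):([0-9a-fA-F,]+)' % re.escape(value_name)
    m = re.search(pattern, joined, re.M)
    if m is None:
        raise ValueError("value %r not found in export" % value_name)
    raw = bytes(int(b, 16) for b in m.group(1).split(",") if b)
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]

def triage_netsvcs(names, baseline=XP_SP3_NETSVCS):
    """Split group members into baseline (expected) and non-baseline (review)."""
    lower = {n.lower() for n in baseline}
    expected = [n for n in names if n.lower() in lower]
    review = [n for n in names if n.lower() not in lower]
    return expected, review

# Constructed sample export: two baseline names, one unfamiliar name in the middle
# (in the thread's list the unfamiliar block sits between Rasauto and Rasman), then
# one more baseline name, wrapped the way regedit wraps long hex(7) values.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"netsvcs"=hex(7):36,00,74,00,6f,00,34,00,00,00,41,00,70,00,70,00,4d,00,67,00,\
  6d,00,74,00,00,00,73,00,69,00,73,00,33,00,31,00,35,00,00,00,52,00,61,00,\
  73,00,6d,00,61,00,6e,00,00,00,00,00
'''
```

Running `triage_netsvcs(parse_reg_multi_sz(SAMPLE_REG))` on the constructed export returns the three baseline names and a one-item review list; on a real export from the infected machine, the review list is what to hand to the consultant.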
  4. jm42

    jm42 Private E-2

    Hi,
    Thanks very much for your help.

    Attached are the OTL and Extras logs (not sure if you need the Extras log, but thought I'd attach it anyway).

    Cheers
    Jane
     

    Attached Files:

  5. thisisu

    thisisu Malware Consultant

    From Add/Remove Programs (via Control Panel), please uninstall the below:
    • ALOT Toolbar
    • AOL Toolbar
    • Java 2 Runtime Environment, SE v1.4.2_06
    • Java(TM) 6 Update 11

    __

    I would prefer if you ran this fix while in Safe Mode for the highest chance of success.
    See: How to start your computer in Safe mode

    Attached is OTLfix.txt
    Download and save this to your desktop.


    Now reopen OTL.
    Then drag OTLfix.txt into the Custom Scans/Fixes text-field.
    You should see a bunch of text transferred over into the text-field.
    Now click the Run Fix button.
    The fix will need a reboot. Allow the PC to reboot into Normal Mode.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    Now install the current version of Sun Java from: jre-7u3-windows-i586.exe

    Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

    Let me know what problems remain after you have run these steps.
     

    Attached Files:

  6. jm42

    jm42 Private E-2

    Hiya,

    Thanks for your time with this.
    I've done everything you've said and attached the logs.
    Everything looks pretty good - all those bad services have gone.

    Let me know if you see anything nasty still in the logs that you want me to fix :), but thanks again for all your help.

    Thanks again.

    Much appreciated.
    Jane
     

    Attached Files:

  7. thisisu

    thisisu Malware Consultant

    You're welcome.
    Your latest logs are clean :cool

    __

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (this uninstall will only work as written if you installed ComboFix on your Desktop like we requested).
      • Click START then RUN, enter the below into the run box and then click OK. Note the quotes are required.
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double-clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to Add/Remove Programs and uninstall HijackThis if it is present.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double-click on this file to run the cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
    Be safe :)
     
  8. jm42

    jm42 Private E-2

    That's great - many thanks again for your time and help.

    Regards
    Jane
     
  9. thisisu

    thisisu Malware Consultant

    You're welcome, Jane :)
     
