zaccess infection

Welcome to Major Geeks!

Please do the below so that we can boot to System Recovery Options to run a scan.

For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options from the Advanced Boot Options:

• Restart the computer.
• As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
• Use the arrow keys to select the Repair your computer menu item.
• Select US as the keyboard language settings, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account an click Next.

On the System Recovery Options menu you will get the following options:

• Select Command Prompt
• In the command window type in notepad and press Enter.
• The notepad opens. Under File menu select Open.
• Select "Computer" and find your flash drive letter and close the notepad.
• In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
  Note: Replace letter e with the drive letter of your flash drive.
• The tool will start to run.
• When the tool opens click Yes to disclaimer.
• Press Scan button.
• It will make a log (FRST.txt) on the flash drive. Please attach this file to your next reply. (See: How to attach)

 

You have multiple antivirus programs installed. CA Antivirus and Ad-Aware. You need to uninstall both of these immediately. You should never install more than one antivirus protection program. Then reboot your PC. Then continue on.

You also have something from Webroot installed. Exactly what is installed?

Download this >> View attachment fixlist.txt


Save fixlist.txt to your flash drive.

• You should now have both fixlist.txt and FRST64.exe on your flash drive.

Now reboot back into the System Recovery Options as you did previously.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt).
Please attach this to your next message. (See how to attach)

Now boot into normal Windows can continue with the below.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


Then attach the below logs:

• Fixlog.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Did you uninstall CA Antivirus too as I specified? If not, you have to!!! Having multiple AV installed can cause all kinds of problems and the best way to remove all the effects of them is to uninstall ALL of them first. DO NOT reinstall any until requested.



Be patient while doing the below. The fixes can take quite awhile to run. Especially the permissions repairs. It may be best to kick it off and goto bed or do something else. It is better not to run anything while the repairs are going on.

Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.

• Now run Repair_Windows.exe by double clicking on it ( if you are running Vista or Win 7, use right click and select Run As Administrator)
• Now select the Start Repairs tab.
• The click the Start button.
• Create a System Restore point if prompted.
• On the next screen, click the Unselect All button to first deselect all repairs.
• Now select the following repair options:
  • Reset Registry Permissions
  • Reset File Permissions
  • Register System Files
  • Repair WMI
  • Repair Windows Firewall
  • Remove Policies Set By Infections
  • Repair Winsock & DNS Cache
  • Repair Proxy Settings
  • Repair Windows Updates
  • Set Windows Services To Default Startup
• Now on the lower right side check the box to Restart/Shutdown System When Finished
• Then make sure the Restart System radio button is enabled.
• Shutdown any other programs that you are running now before continuing.
• Now click the Start button.
• Be patient while the tool repairs the selected items.
• It should reboot automatically when finished.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

I know you are just trying to help get your PC fixed, but please do not do anything that I do not ask you to do. For example, if you try to run something as instructed and it does not work, then stop and report back. If I don't ask you to run something twice, don't run it twice.....etc. Those repeated attempts to run the tool have made things much worse. Let's see if we can recover from this.

Reboot your PC into safe boot mode and see if you can complete the below where I have left off the Reset Registry and File Permissions parts of the fixes.

Be patient while doing the below. The fixes can take quite awhile to run. Especially the permissions repairs. It may be best to kick it off and goto bed or do something else. It is better not to run anything while the repairs are going on.

Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.

• Now run Repair_Windows.exe by double clicking on it ( if you are running Vista or Win 7, use right click and select Run As Administrator)
• Now select the Start Repairs tab.
• The click the Start button.
• Create a System Restore point if prompted.
• On the next screen, click the Unselect All button to first deselect all repairs.
• Now select the following repair options:
  • Register System Files
  • Repair WMI
  • Repair Windows Firewall
  • Remove Policies Set By Infections
  • Repair Winsock & DNS Cache
  • Repair Proxy Settings
  • Repair Windows Updates
  • Set Windows Services To Default Startup
• Now on the lower right side check the box to Restart/Shutdown System When Finished
• Then make sure the Restart System radio button is enabled.
• Shutdown any other programs that you are running now before continuing.
• Now click the Start button.
• Be patient while the tool repairs the selected items.
• It should reboot automatically when finished.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• C:\MGlogs.zip

 

That may be but at least couple are not running per your logs

Code:

   Base Filtering Service               is NOT running  
===================================================================================== 
Checking Windows Firewall Service -MpsSvc- State
  Windows Firewall Service is NOT running   

Now please click Start and type services.msc into the Search box. Up above, you should see a gear icon appear with services.msc next to it. Right click on it and select Run As Administrator. Click Continue if prompted to allow it to run. This will open up the Services form. Scroll down to the Windows Firewall service and double click on it. If the Service status: shows Stopped or Disabled, click the Start button. Does it Start? Make sure that the Startup type is set to Automatic.

Now if the above service starts continue with the below. If it does not start, stop and tell me exactly what happened.

Now locate the Base Filtering Engine service and Start it and set the Startup type to Automatic, Did this Start?

 

Okay, this time try to start Base Filtering Engine service and tell me exactly what error message you receive.

 

Hmmm! It seems we still have registry permissions issues. Too bad we could not get that first run of Windows Repair to run properly. It may have made this much easier.


Now download SubInACL.msi from Microsoft.

• Now double click on SubInACL.msi to run the installer. Accept any prompts you get about installing this.
• Now download the below file and save it to your Desktop:
  • resetperm-x64.cmd
• Now right click on resetperm.cmd and select Run As Administrator to run this script. Be patient as this may take awhile to run. Also it is imperative that you Run As Administrator. This is not the same thing as your user account having administrator priviledges.

Once it finishes, reboot your PC.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


Then attach the below logs:

• C:\MGlogs.zip

Make sure you tell me how things are working now!



Also please download Farbar Service Scanner and run it by using right click and selecting Run As Administrator

• Put a check mark in each option box on the left side.
• Click "Scan".
• It will create a log (FSS.txt) in the same directory the tool is run.
• Please attach this log to your next reply.

 

Did the resetperm-x64.cmd run thru to completion?
Did you have any problems running it?
How long did it take?

It did not do what we wanted based on your logs; however, try the below anyway.

• Now run Repair_Windows.exe by double clicking on it ( if you are running Vista or Win 7, use right click and select Run As Administrator)
• Now select the Start Repairs tab.
• The click the Start button.
• Create a System Restore point if prompted.
• On the next screen, click the Unselect All button to first deselect all repairs.
• Now select the following repair options:
  • Repair Windows Firewall
  • Remove Policies Set By Infections
  • Repair Winsock & DNS Cache
  • Repair Proxy Settings
  • Repair Windows Updates
  • Set Windows Services To Default Startup
• Now on the lower right side check the box to Restart/Shutdown System When Finished
• Then make sure the Restart System radio button is enabled.
• Shutdown any other programs that you are running now before continuing.
• Now click the Start button.
• Be patient while the tool repairs the selected items.
• It should reboot automatically when finished.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• C:\MGlogs.zip

 

It should take quite a while to run. Please try one more time but this time, reboot your PC into safe boot mode first. Then run it. Let me know if this runs better. A command prompt type window should open where you will be seeing output showing permissions being changed on registry hives and files.

Also do the below.

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.

Now rerun Farbar's Service Scanner as previously run and attach a new log.

 

Did you use Right Click and select Run As Administrator?

Download the below file and save it to your Desktop

kciuci.reg

Then right click on it and select Merge. If prompted, allow it to be added to your registry. Then reboot.

After reboot, rerun Farbar's Sevice Scanner and attach a new log.

Also run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• C:\MGlogs.zip

 

Please try it again after booting into safe boot mode. Even if you get an error continue on, but get the new logs from FSS and MGtools in normal boot mode.

 

Okay I figure out that it is some weird bug in the forum that just started recently. Just right click on the file you downloaded and rename it to be kciuci.reg
instead of kciuci.mp3

Then try the procedure from normal boot mode.

 

Now download and save a current copy of combofix.exe and save it directly onto your Desktop folder. Then right click it and select Run As Administrator. Do not disturb it by clicking in the window that opens or it may stall. After it finishes, it may reboot your PC. Attach the C:\combofix.txt log that it creates.

 

This error is normally cleared by simply rebooting your PC again.

You managed to get yourself reinfected again with ZeroAccess.


Now we need to use ComboFix

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box into it:

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

If after running Combofix you discover none of your programs will open up because you recieve the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


Then attach the below logs:

• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Okay that looks much better and the BITS ( Background Intelligent Transfer Service ) is fixed too. I do notice that the Windows Defender service is not running. Are you having problems with Windows Defender? Any other problems? Check to see if Windows Update works.


Also reinstall your protection software now.

 

Please rerun Farbar Service Scanner and attach a new log.


Click Start, Run, and enter sfc /scannow and click OK. There is a space after the sfc. This runs System File Checker which looks for missing or corrupted system files and attempts to replace/repair them from files on your hard disk or from the CD if necessary. So it will ask for the Windows CD if it needs it.


Now please download OTL by OldTimer.

• Save it to your desktop.
• Right mouse click on the OTL icon on your desktop and select Run as Administrator
• Check the "Scan All Users" checkbox.
• Check the "Standard Output".
• Change the setting of "Drivers" and "Services" to "All"
• Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.
  
  Code:

  activex
  netsvcs
  

• Now click the http://img171.imageshack.us/img171/2405/runscanotl.png button.
• One report will be created:
  • OTL.txt <-- Will be opened
• Attach OTL.txt to your next message. (How to attach)

 

Now shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.

• Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
• Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.

Code:

:OTL
IE:[B]64bit:[/B] - HKLM\..\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}: "URL" = [URL]http://search.ask.com/web?q={searchterms}&l=dis&o=HPNTDF[/URL]
IE - HKLM\..\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}: "URL" = [URL]http://search.ask.com/web?q={searchterms}&l=dis&o=HPNTDF[/URL]
IE - HKCU\..\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}: "URL" = [URL]http://search.ask.com/web?q={searchterms}&l=dis&o=HPNTDF[/URL]
IE - HKCU\..\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}: "URL" = [URL]http://blekko.com/ws/?source=c3348dd4&tbp=rbox&toolbarid=blekkotb_031&u=AD3ADA896EEE2CE8ADA65E4FDB562C0C&q={searchTerms[/URL]}
IE - HKCU\..\SearchScopes\{CFF4DB9B-135F-47c0-9269-B4C6572FD61A}: "URL" = [URL]http://mystart.incredibar.com/mb139/?search={searchTerms}&loc=IB_DS&a=1&i=26[/URL]
FF - prefs.js..browser.search.order.1: "Blekko"
[2012/07/17 18:53:30 | 000,000,000 | ---D | M] (Zynga Community Toolbar) -- C:\Users\Mom's Laptop\AppData\Roaming\Mozilla\Firefox\Profiles\weakgga5.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}
[2012/06/28 09:08:16 | 000,002,185 | ---- | M] () -- C:\Users\Mom's Laptop\AppData\Roaming\Mozilla\Firefox\Profiles\weakgga5.default\searchplugins\MyStart Search.xml
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0123B506-0AD9-43AA-B0CF-916C122AD4C5} - No CLSID value found.
[2012/08/07 17:07:57 | 000,011,092 | ---- | M] () -- C:\Users\Mom's Laptop\Desktop\k ciuci.reg
[2012/07/26 06:47:21 | 000,000,087 | ---- | M] () -- C:\Users\Mom's Laptop\Desktop\resetperm-x64.cmd.URL
:Files
C:\Users\Mom's Laptop\Desktop\k ciuci.reg
C:\Users\Mom's Laptop\Desktop\resetperm-x64.cmd.URL
dir C:\Users\Mom's Laptop\AppData\Local\{2BE80C37-7A3D-4077-8971-A2D7690B3EB1} /c
dir C:\Users\Mom's Laptop\AppData\Local\{29AD918C-F336-43E7-AE68-3516F0EB6E51} /c
dir C:\Users\Mom's Laptop\AppData\Local\{FF8BA615-1566-4D51-88FE-BC41E1A44497} /c
dir C:\Users\Mom's Laptop\AppData\Local\{35212DA6-4CEE-4274-AAAA-F1981D4B0BC1} /c
dir C:\Users\Mom's Laptop\AppData\Local\{41448B4A-8662-4617-A50F-B7C846D583D2} /c
dir C:\Users\Mom's Laptop\AppData\Local\{58DB986A-1D43-4D9E-AE21-FF746045A735} /c
dir C:\Users\Mom's Laptop\AppData\Local\{04034552-4DAF-4B4C-94DC-8C310906BE24} /c
dir C:\Users\Mom's Laptop\AppData\Local\{54B9F462-9F21-4AC4-888C-A4B81FC449EA} /c
:Reg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend]
"DisplayName"="@%ProgramFiles%\\Windows Defender\\MsMpRes.dll,-103"
"ErrorControl"=dword:00000001
"Group"="COM Infrastructure"
"ImagePath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,\
  32,5c,73,76,63,68,6f,73,74,2e,65,78,65,20,2d,6b,20,73,65,63,73,76,63,73,00
"Start"=dword:00000002
"Type"=dword:00000020
"Description"="@%ProgramFiles%\\Windows Defender\\MsMpRes.dll,-3068"
"DependOnService"=hex(7):52,70,63,53,73,00,00
"ObjectName"="LocalSystem"
"ServiceSidType"=dword:00000001
"RequiredPrivileges"=hex(7):53,65,49,6d,70,65,72,73,6f,6e,61,74,65,50,72,69,76,\
  69,6c,65,67,65,00,53,65,42,61,63,6b,75,70,50,72,69,76,69,6c,65,67,65,00,53,\
  65,52,65,73,74,6f,72,65,50,72,69,76,69,6c,65,67,65,00,53,65,44,65,62,75,67,\
  50,72,69,76,69,6c,65,67,65,00,53,65,43,68,61,6e,67,65,4e,6f,74,69,66,79,50,\
  72,69,76,69,6c,65,67,65,00,53,65,53,65,63,75,72,69,74,79,50,72,69,76,69,6c,\
  65,67,65,00,00
"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
  00,01,00,00,00,60,ea,00,00,01,00,00,00,60,ea,00,00,00,00,00,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend\Parameters]
"ServiceDllUnloadOnStop"=dword:00000001
"ServiceDll"=hex(2):25,50,72,6f,67,72,61,6d,46,69,6c,65,73,25,5c,57,69,6e,64,\
  6f,77,73,20,44,65,66,65,6e,64,65,72,5c,6d,70,73,76,63,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend\Security]
"Security"=hex:01,00,14,80,04,01,00,00,10,01,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,d4,00,07,00,00,00,00,00,28,00,ff,01,0f,00,01,06,00,00,00,00,00,\
  05,50,00,00,00,b5,89,fb,38,19,84,c2,cb,5c,6c,23,6d,57,00,77,6e,c0,02,64,87,\
  00,0b,28,00,00,00,00,10,01,06,00,00,00,00,00,05,50,00,00,00,b5,89,fb,38,19,\
  84,c2,cb,5c,6c,23,6d,57,00,77,6e,c0,02,64,87,00,00,14,00,fd,01,02,00,01,01,\
  00,00,00,00,00,05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,\
  05,20,00,00,00,20,02,00,00,00,00,14,00,9d,01,02,00,01,01,00,00,00,00,00,05,\
  04,00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,06,00,00,00,00,\
  00,28,00,15,00,00,00,01,06,00,00,00,00,00,05,50,00,00,00,49,59,9d,77,91,56,\
  e5,55,dc,f4,e2,0e,a7,8b,eb,ca,7b,42,13,56,01,01,00,00,00,00,00,05,12,00,00,\
  00,01,01,00,00,00,00,00,05,12,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend\Enum]
"0"="Root\\LEGACY_WINDEFEND\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Scan]
"CheckForSignaturesBeforeRunningScan"=dword:00000000
"AutomaticallyCleanAfterScan"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Spynet]
"SpyNetReporting"=dword:00000000
:Commands
[PURITY]
[EMPTYTEMP] 
[EMPTYFLASH]

[REBOOT]

• Now click the http://img3.imageshack.us/img3/407/otlrunfix.png button.
• If the fix needed a reboot please do it.
• Click the OK button (upon reboot).
• When OTL is finished, Notepad will open. Close Notepad.
• A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
• Attach this log to your next message. (See: How to attach)

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


Then attach the below logs:

• the log from OTL
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

No yet!

 

Okay we have done all we can do to repair Windows Defender. It still is not running. You could try just installing Microsoft Security Essentials ( MSE ) which has built-in antivirus and antispyware and the antispyware is just a form of Defender and normally Microsoft will disable Defender when MSE is installed anyway.

If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware. You can uninstall RogueKiller and HitManPro.
2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Press and hold the Windows key http://forums.majorgeeks.com/chaslang/images/Windows_Logo_key.gif and then press the letter R on your keyboard. This opens the Run dialog box.
   • Copy and paste the below into the Run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /uninstall
     • Notes: The space between the combofix" and the /uninstall, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
3. Go back to step 6 oof the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to add/remove programs and uninstall HijackThis.
8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
   related to MGtools and some other items from our cleaning procedures.
9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
   • Refer to the cleaning procedures pointed to by step 7 of the READ ME
     for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!

 

You're welcome. Make sure you still check out the below for you basically freshly installed system

How to Protect yourself from malware!