Zero Access removal

Discussion in 'Malware Help (A Specialist Will Reply)' started by septimus00, Feb 22, 2012.

  1. septimus00

    septimus00 Private E-2

    Hello and thank you for your time. I've managed to get myself infected; I thought I had removed it a while back, but with the lingering problems I rechecked and Combo says it's there in my TCP/IP stack.

    I ran SUPERAntiSpyware and MBAM before Combo as instructed, but then on running ComboFix it told me I have the rootkit, then restarted, then hung. I left it to try and complete overnight but that didn't work, so I had to force a restart. That then stopped me getting onto the desktop normally (it loaded but I couldn't do anything), so no Combo logs :(

    Managed to get into safe mode with networking and that's working, so I'll post any logs I have from here.

    Thank you again.
     

    Attached Files:

  2. septimus00

    septimus00 Private E-2

    Managed to get an SAS and MBAM report, last night's before the ComboFix fail and this morning's. It is now booting into normal mode.
     

    Attached Files:

  3. thisisu

    thisisu Malware Consultant

    Hi and welcome to Major Geeks, septimus00!

    Did you have trouble running RootRepeal? See -> Running RootRepeal

    After you attempt the above, I'd like you to also run the following:

    http://img805.imageshack.us/img805/9659/rktigzy.gif Please download RogueKiller to your desktop.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    When it is finished, there will be a log on your desktop called: RKreport[1].txt
    Attach RKreport[1].txt to your next message. (How to attach)

    http://img196.imageshack.us/img196/3557/tdsskiller.gif I want you to read and follow these instructions: TDSSKiller - How to run
     
    Last edited: Feb 23, 2012
  4. septimus00

    septimus00 Private E-2

    Yeah, I had a problem with RootRepeal crashing on me, but it seems to have sorted itself and I'll post the log. Ran the other two as well, posting them. Thank you.
     

    Attached Files:

  5. thisisu

    thisisu Malware Consultant

    http://img196.imageshack.us/img196/3557/tdsskiller.gif Re-scan with TDSSKiller with the parameters you used before.
    This time if TDSS File System appears, delete it!
    Then attach the latest TDSSKiller log. (How to attach)

    http://img805.imageshack.us/img805/9659/rktigzy.gif Open RogueKiller again.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and find: C:\Users\Special\AppData\Local\Temp\iope0.8266190324015513.exe
    Place a checkmark in this box, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[3].txt
    Attach RKreport[3].txt to your next message. (How to attach)
     
  6. septimus00

    septimus00 Private E-2

    Ok, done and done.
     

    Attached Files:

  7. thisisu

    thisisu Malware Consultant

  8. septimus00

    septimus00 Private E-2

    Ok, it completed this time without crashing; halfway through it told me PEV.exe had stopped running though, whatever that is.
     

    Attached Files:

    • log.txt
  9. thisisu

    thisisu Malware Consultant

    http://img850.imageshack.us/img850/4746/programsandfeatureswin7.gif From Programs and Features (via Control Panel), please uninstall the below:
    • Free Ram Optimizer XP 1.0
    • Java(TM) 6 Update 22
    • Java(TM) SE Runtime Environment 6 Update 1
    • Java(TM) SE Runtime Environment 6

    http://img194.imageshack.us/img194/4930/combofix.gif Fixing items using ComboFix
    Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    ClearJavaCache::
    Collect::
    C:\ProgramData\ql59Ex5fe2v6ds
    C:\Users\Special\AppData\Roaming\Microsoft\Windows\Templates\8037qims01b053x2e7521t65425
    C:\Users\Special\AppData\Roaming\Microsoft\Windows\Templates\85yw0s80l85q07y82yemg8v447xyn7n67745ob208g2
    DDS::
    uInternet Settings,ProxyOverride = *.local
    FireFox::
    FF - ProfilePath - c:\users\Special\AppData\Roaming\Mozilla\Firefox\Profiles\346l1pry.default\
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 63495
    FF - prefs.js: network.proxy.type - 4
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    File::
    C:\Users\Special\AppData\Local\Temp\iope0.8266190324015513.exe
    C:\Users\Special\AppData\Local\{BA3A905E-AE2C-474F-B9B3-43F33C81A0A2}
    C:\Users\Special\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iope0.8266190324015513.exe.lnk
    C:\ProgramData\NOTEPAD.EXE-x.txt
    C:\ProgramData\REGSVR32.EXE-x.txt
    C:\ProgramData\RUNDLL32.EXE-x.txt
    FileLook::
    C:\Users\Special\Desktop\this.exe
    C:\Users\Special\Desktop\this.PIF
    Folder::
    C:\Windows\$NtUninstallKB808$
    RegLock::
    [HKEY_USERS\S-1-5-21-1388683016-795605006-4103470048-1000\Software\SecuROM\License information*]
    "datasecu"=hex:b0,1e,8f,a1,ce,33,49,c5,92,59,ab,5b,96,58,30,0e,05,5d,51,f7,8d,
       9c,d2,3c,0e,40,fe,20,16,ff,79,d4,d7,55,18,d5,13,b1,d5,16,99,40,a7,da,da,51,\
    "rkeysecu"=hex:53,f4,d6,53,23,cd,b0,d5,b0,30,a8,c3,9c,85,99,61
    RegNull::
    [HKEY_USERS\S-1-5-21-1388683016-795605006-4103470048-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{CC9AECCB-EF9F-FFFE-2AC7-178F7C4C4F7C}*]
    Registry::
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxyServer"=-
    [HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxyServer"=-
    
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.exe on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    http://softvisia.com/users/Night_Raven/Security/cfsdnd2.gif
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)

    http://img195.imageshack.us/img195/9049/javaz.gif Now install the current version of Sun Java from: jre-7u3-windows-i586.exe

    /!\ Put your computer back into Normal Startup Mode and reboot before proceeding to the next step. See >> Use MSconfig to setup for Normal Startup Mode

    http://img17.imageshack.us/img17/3214/baticonvista7.gif Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     
    Last edited: Feb 23, 2012
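    As an added illustration (not part of this thread and not thisisu's script): the FireFox:: section of the CFScript above strips a browser proxy pointed at 127.0.0.1 and several security warnings that had been switched off in user.js. The Python below parses Firefox prefs.js/user.js-style lines and flags exactly those settings; the sample input is constructed to mirror the values in the script.

```python
import re

# Constructed sample in prefs.js / user.js syntax, mirroring the settings
# the CFScript removes: HTTP proxy on localhost and disabled security warnings.
SAMPLE_PREFS = '''
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 63495);
user_pref("network.proxy.type", 4);
user_pref("security.warn_viewing_mixed", false);
user_pref("security.warn_submit_insecure", false);
user_pref("browser.startup.homepage", "about:home");
'''

# One pref per line: user_pref("name", value);  value is a string, bool or int.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

def parse_prefs(text):
    """Return {pref_name: typed_value} for every user_pref line in text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw      # keep unknown literals verbatim
    return prefs

def find_suspicious(prefs):
    """List indicators of the kind this thread's CFScript cleaned up."""
    findings = []
    host = prefs.get("network.proxy.http")
    if host in ("127.0.0.1", "localhost"):
        port = prefs.get("network.proxy.http_port")
        findings.append(f"proxy on loopback {host}:{port} "
                        f"(network.proxy.type={prefs.get('network.proxy.type')})")
    for name in ("security.warn_viewing_mixed", "security.warn_submit_insecure"):
        if prefs.get(name) is False:
            findings.append(f"{name} disabled")
    return findings

if __name__ == "__main__":
    for f in find_suspicious(parse_prefs(SAMPLE_PREFS)):
        print("SUSPICIOUS:", f)
```

Point it at a real profile by reading prefs.js and user.js from the profile folder in place of SAMPLE_PREFS; a loopback proxy a user never configured is the thing to look at first.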
  10. thisisu

    thisisu Malware Consultant

    pev.exe is part of ComboFix. Nothing to worry about :)

    Let me know how the PC is running after you have completed the above steps.
     
  11. septimus00

    septimus00 Private E-2

    ComboFix crashed on the creating log stage. Should I try running it again?
     
  12. thisisu

    thisisu Malware Consultant

    Explain what you mean exactly by ComboFix crashed.

    ComboFix crashing when producing a log is very highly unlikely. After it completes all 50 stages, it can take a while (20+ minutes) for it to produce the log.

    Where are you at currently with the PC? Is ComboFix still running or did you manually restart the computer?
     
  13. septimus00

    septimus00 Private E-2

    Everything was ok. ComboFix auto-restarted my computer and started itself to produce the log, then after a while the computer locked up (spinning mouse, frozen screen etc.). I left it for a while to see if it would right itself but it didn't, so I manually reset it.
     
  14. thisisu

    thisisu Malware Consultant

    Ok, go ahead and try the same CFScript w/ ComboFix once more.
     
  15. septimus00

    septimus00 Private E-2

    It seems to still be hanging at the preparing log part; it's just been sat there for ages. Not sure what's causing this. I have left it to its own devices this time and have posted this off my phone, but what do you suggest? Just leave it and hope it finishes?
     
  16. thisisu

    thisisu Malware Consultant

    Give it another 30 minutes. It should complete.

    Make sure that you are not running any other programs. You may want to turn your AV/Firewall off again if you can.
     
  17. septimus00

    septimus00 Private E-2

    Just checked it again, still doing the same. Tried to see if the antivirus/firewall had turned itself on, and it won't let me do anything; I can move the mouse but that is all.
     
  18. thisisu

    thisisu Malware Consultant

    I would say just be patient. What is ComboFix saying exactly? If you are able to move your mouse, the system has not frozen.
     
  19. septimus00

    septimus00 Private E-2

    Took long enough, but I managed to get ComboFix to finish. Logs attached.
     

    Attached Files:

  20. thisisu

    thisisu Malware Consultant

    That's because Comodo was automatically reenabled when the PC was rebooted.

    Do you know what these files are for:
    • c:\users\Special\Desktop\this.exe
    • c:\users\Special\Desktop\this.PIF
    If not, please delete them.

    Your latest logs are clean.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (this uninstall will only work as written if you installed ComboFix on your Desktop like we requested).
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required.
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between the combofix" and the /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to Add/Remove Programs and uninstall HijackThis if it is present.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
    Be safe :)
     
  21. septimus00

    septimus00 Private E-2

    No idea, I'll remove them. Thank you for all your help; you've been very helpful.
     
  22. thisisu

    thisisu Malware Consultant

    You're welcome. Surf safely :)
     
