Zero Access

Discussion in 'Malware Help (A Specialist Will Reply)' started by Lev621, May 6, 2013.

  1. Lev621

    Lev621 Private E-2

    Hey all,

    So, I got a note from my ISP that there was activity coming from my IP address that resembled that of a bot and that I should take immediate action. I ran TDSS Killer, Malwarebytes, Super Antispyware, and then a full virus scan. I picked up a couple small items like cookies and such, but nothing that really jumped out. A couple days later I got another email from my ISP, so I figured I missed something. So I came on here and ran the full stickied procedure on my computer and it seems it's a ZeroAccess virus.

    Attached are all the requested logs.

    If anyone can walk me through getting rid of this virus, I'd appreciate it. Thanks in advance.
     


  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button.
    Now click the Registry tab and locate these detections:


    • [RUN][SUSP PATH] HKCU\[...]\Policies\Explorer\Run : fcbabcdfddfad (C:\Users\My PC\AppData\Roaming\f029cbab-431c-4df7-966d-113131727df9ad\fcbabcdfddfad.exe) [x] -> FOUND
    • [RUN][SUSP PATH] HKUS\S-1-5-21-645918269-1410636302-4215378621-1000[...]\Policies\Explorer\Run : fcbabcdfddfad (C:\Users\My PC\AppData\Roaming\f029cbab-431c-4df7-966d-113131727df9ad\fcbabcdfddfad.exe) [x] -> FOUND

    Place a checkmark on each of these items, leave the others unchecked.
    Now press the Delete button.

    Now click the Files/folders tab and locate these detections:


    • [ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-18\$f899aa5628fb96ad7658fff184028725\@ [-] --> FOUND
    • [ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-21-645918269-1410636302-4215378621-1000\$f899aa5628fb96ad7658fff184028725\@ [-] --> FOUND
    • [ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-18\$f899aa5628fb96ad7658fff184028725\U --> FOUND
    • [ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-21-645918269-1410636302-4215378621-1000\$f899aa5628fb96ad7658fff184028725\U --> FOUND
    • [ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-18\$f899aa5628fb96ad7658fff184028725\L --> FOUND
    • [ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-21-645918269-1410636302-4215378621-1000\$f899aa5628fb96ad7658fff184028725\L --> FOUND

    Place a checkmark on each of these items, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Do not reboot your computer yet.

    Now rerun Hitman and remove all the items in the Malware remnants.

    Reboot and rescan with both RogueKiller and Hitman and attach those two logs as well.

    Be sure to tell me how things are running.
     
  3. Lev621

    Lev621 Private E-2

    Thanks for your help, TimW.

    Attached are my logs from this procedure.

    RogueKiller notes:

    When I deleted the items listed, my desktop icons disappeared momentarily and came back. When it came back, my "libraries" folder was open on the screen but I didn't open that myself. This happened while RK was deleting the 2 files.

    There's still 2 files in the log marked as "ZeroAccess"

    Hitman notes:
    Your post asked me to delete "Malware Remnants" but nothing popped up labelled as such. There was one item only labelled "Host" and delete was not an option (ignore or repair were the options) so I assumed this was not the item you were after and ignored it.
     


  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button.
    Now click the Registry tab and locate these detections:


    • [HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-18\$f899aa5628fb96ad7658fff184028725\n.) [x] -> FOUND
    • [HJ INPROC][ZeroAccess] HKLM\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-18\$f899aa5628fb96ad7658fff184028725\n.) [x] -> FOUND

    Place a checkmark on each of these items, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)

    Now reboot and rescan with RogueKiller and attach that log as well.

    Do let me know how things are running now.
     
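A defender's view of the detections TimW quotes in posts 2 and 4, as an added example that is not from this thread or from RogueKiller: a small Python triage of RogueKiller-style report lines that ties the recycle-bin drop folder, the InprocServer32 (COM) hijack and the Run-key persistence entry back to one `$<hash>` folder. The sample lines are constructed from the thread's own entries (plus one benign Run entry for contrast); the regexes are my assumptions about the report format, not RogueKiller's own parser.

```python
import re

# Constructed sample in RogueKiller's report style, modelled on the detections
# quoted in this thread; the last line is a benign Run entry for contrast.
SAMPLE_REPORT = r"""
[RUN][SUSP PATH] HKCU\[...]\Policies\Explorer\Run : fcbabcdfddfad (C:\Users\My PC\AppData\Roaming\f029cbab-431c-4df7-966d-113131727df9ad\fcbabcdfddfad.exe) [x] -> FOUND
[ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-18\$f899aa5628fb96ad7658fff184028725\@ [-] --> FOUND
[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-18\$f899aa5628fb96ad7658fff184028725\U --> FOUND
[HJ INPROC][ZeroAccess] HKLM\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-18\$f899aa5628fb96ad7658fff184028725\n.) [x] -> FOUND
[RUN][] HKLM\[...]\Run : Example (C:\Program Files\Example\example.exe) [-] -> FOUND
"""

# Assumed path shapes, taken from the thread's detections:
# drop folder  = <drive>:\$Recycle.Bin\<SID>\$<32 hex>\ holding @, U, L or n.
# persistence  = Policies\Explorer\Run -> AppData\Roaming\<guid-like>\<name>.exe
RECYCLE_DROP = re.compile(
    r"\\\$recycle\.bin\\(S-1-5-[\d-]+)\\(\$[0-9a-f]{32})\\(@|U|L|n\.)(?=[\s)]|$)", re.I)
GUID_LIKE = r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{8,}"
ROAMING_RUN = re.compile(
    r"Policies\\Explorer\\Run : \S+ \(([^)]*\\AppData\\Roaming\\" + GUID_LIKE
    + r"\\[^\\)]+\.exe)\)", re.I)
INPROC = re.compile(r"InprocServer32 : \(([^)]+)\)", re.I)

def classify(line):
    """Return (category, evidence) for one report line; 'other' if none of the
    ZeroAccess-style indicators seen in this thread apply."""
    if (m := INPROC.search(line)) and RECYCLE_DROP.search(m.group(1)):
        return "com_hijack", m.group(1)          # CLSID server pointed into the drop folder
    if (m := RECYCLE_DROP.search(line)):
        return "dropzone", m.group(2)            # evidence = the $<hash> folder name
    if (m := ROAMING_RUN.search(line)):
        return "run_persistence", m.group(1)     # evidence = the launched .exe path
    return "other", ""

def triage(report):
    """Group findings so the analyst sees one infection, not six lines: every
    drop-zone entry and COM hijack should resolve to the same $<hash> folder."""
    findings = {"dropzone": set(), "com_hijack": set(), "run_persistence": set()}
    for ln in report.splitlines():
        cat, ev = classify(ln)
        if cat != "other":
            findings[cat].add(ev)
    folders = set(findings["dropzone"])
    for path in findings["com_hijack"]:
        folders.add(RECYCLE_DROP.search(path).group(2))
    findings["zeroaccess_folders"] = folders
    return findings

if __name__ == "__main__":
    for k, v in triage(SAMPLE_REPORT).items():
        print(f"{k}: {sorted(v)}")
```

Because the recycle-bin folder is named by a hash and the Run entry's exe lives under a random GUID-like folder, grouping on the `$<hash>` folder is what lets you confirm that the post-2 file entries and the post-4 InprocServer32 entries belong to the same infection rather than two.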
  5. Lev621

    Lev621 Private E-2

    New logs attached. Looks good as far as Rogue Killer is concerned. No more warnings. Out of curiosity, what are all the other detections it's seeing?

    As far as the computer, it's running good. But the performance wasn't noticeably impacted by the virus so I can't really use that as an indicator. I only found out about the virus because my ISP saw strange activity.

    Thanks again, TimW.
     


  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Looks good.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware. You can uninstall RogueKiller and HitManPro.
    2. Go back to step 4 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    7. After doing the above, you should work through the below link


    Malware removal from a National Chain = $149
    Malware removal from MajorGeeks = $0
     
