ZeroAccess, Agent3, Sirefef, Win64/Patched.A

Discussion in 'Malware Help (A Specialist Will Reply)' started by djonma, Nov 22, 2012.

  1. djonma

    djonma Private E-2

    Hiya folks,
    Sorry but I need to ask for expert help.
    This is for my boyfriend's PC, so I don't have access to it to run regular maintenance, and it ended up pretty badly infected.

    It does have internet access still, but the first thing I did was to remove the net access as he has a rootkit and I didn't want it stealing data, so it's currently isolated.

    AVG reports the following:
    Virus Identified Win64/Patched.A
    c:\Windows\System32\services.exe

    Virus Identified Win64/Patched.A
    c:\Windows\System32\services.exe

    Trojan horse BackDoor.Generic15.CGSY
    c:\Windows\assembly\GAC_32\Desktop.ini

    Trojan horse Agent3.CJQI
    c:\Windows\Installer\{73804ea0-5d19-4ab8-45f9-b99dc5d186e}\U\80000064.@

    Trojan horse Agent3.CJQI
    c:\Windows\Installer\{73804ea0-5d19-4ab8-45f9-b99dc5d186e}\U\80000064.@

    Found Luhe.Sirefef.A
    c:\Windows\Installer\{73804ea0-5d19-4ab8-45f9-b99dc5d186e}\U\80000000.@

    Found Luhe.Sirefef.A
    c:\Windows\Installer\{73804ea0-5d19-4ab8-45f9-b99dc5d186e}\U\80000032.@

    Though it seems to have managed to get rid of the Sirefef with just AVG and Malwarebytes.

    I ran TDSSKiller in an attempt to remove the zeroaccess and it didn't work, hence you can see stuff in TDSS quarantined zones.

    It's a pretty old system running Windows Vista Home Premium 64, dual core processor - I can get full sysinfo if needed.

    Logs are attached.

    When I ran MGTools I had the following popups:

    MGTools - nslookup.exe - Ordinal Not Found
    The ordinal 1108 could not be located in the dynamic link library WSOCK32.dll


    Microsoft Windows
    nslookup has stopped working
    A problem caused the program to stop working correctly. Windows will close the program and notify you if a solution is available.


    I was thinking of running FARBAR but the only way I can get into safe mode is to force it with MSConfig - F8 held down does absolutely nothing, though I'm not sure if that's because he has a USB keyboard and mouse and during boot he has to press F1 to make it continue without PS/2 mouse. So trying to force recovery with F is currently impossible. I have thought of grabbing a cheapie PS/2 keyboard to see if that solves that issue.

    We don't know where his vista dvd is, which doesn't help, though if it's needed, we shall search high and low!

    I did a separate HijackThis log, as I wasn't sure whether the HijackThis during MGTools was the same full log, but since only 5 logs can be attached I haven't attached it. If anyone wants to see it, I can post it.

    Thanks for any and all help, if we can get this fixed without a full OS install, I'll be delighted!

    Kind regards to all who read,

    Nicola
     

    Attached Files:

  2. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    djonma scratchpad 11-22-12

    Welcome to MajorGeeks!

    Please disable Spybot's TeaTimer as instructed in the NOTES: at the beginning of the Malware Removal/Cleaning Procedure.
    How to disable Spybot's TeaTimer

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button, then select the Registry tab and then select any of the below that exist and then click the Delete button.
    • [HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
    • [HJ] HKLM\[...]\Wow6432Node\System : EnableLUA (0) -> FOUND
    Then select the Files tab and if the below exist, click the Delete button again.
    • [ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_32\Desktop.ini --> FOUND
    • [ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_64\Desktop.ini --> FOUND
    • [Susp.ASLR][FILE] services.exe : C:\Windows\system32\services.exe --> FOUND
    When it is finished there will be a log on your desktop called RKreport[6].txt, attach it to your next reply. (*Noting multiple previous log numbering.)
    Then immediately reboot your PC.

    After reboot, run new scans with both RogueKiller and Hitman Pro, attach those new logs to your next reply.

    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.

    Then run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Windows 7, use right click and select Run As Administrator).

    Please attach the below logs to your next reply:
    • C:\MGlogs.zip
    • RKreport[6]
    • updated HitmanPro log.
    • JRT.txt
     
  3. djonma

    djonma Private E-2

    Thank you for the quick response and advice.

    I did have teatimer disabled, it showed up again this time I ran scans - it wasn't in the sys tray, but was in running processes, I killed it and it still showed up in the Hitman Pro report. I'm not really sure what's going on there.

    Here are the latest logs, thanks again for the help!

    Nicola

    PS: RK log is 8 not 6, simply because it seems to turn UAC back on, so I had to stop a scan, reboot with UAC off again and scan again.
     

    Attached Files:

  4. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    You're welcome.

    You must uninstall all but one antivirus program. Choose which you want to keep and uninstall the other one:
    C:\Program Files (x86)\Ad-Aware Antivirus
    C:\Program Files (x86)\AVG

    *Other than the tools (and their generated logs) our guide instructed you to save there, I strongly recommend that you clean up this account's Desktop immediately, leaving only shortcut links. [ C:\Users\Rob\Desktop ] Do not store downloads, exe files, iso files, etc. on your Desktop. First, it is not a safe place to keep them (i.e., you may lose them due to malware, and a cluttered Desktop is an easy hiding place for malware), and last but not least, it can have an effect on your PC's performance.

    Your Mozilla FireFox version (16.0.2) is outdated, as the latest is v.17.0
    Uninstall these outdated Java versions:
    Java(TM) 6 Update 22
    Java(TM) 6 Update 7

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished). *Make sure TeaTimer is disabled:


    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    Now copy the bold text below to notepad. (Do not include any space above the word "REGEDIT4")Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" . Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me whether or not you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.

    Download this to your desktop and double click it to allow it to merge with the registry. Let me know if you receive a success
    message or not.

    BITS.reg

    *Note:The fixes performed by the following tool can sometimes take quite awhile to run, so please be patient. Do NOT run anything else while the repairs are going on.

    Now download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now open Repair_Windows.exe by double clicking on it ( if you are running Vista or Win 7, use right click and select Run As Administrator)
    • Go to Start Repairs tab.
    • Then click the Start button.
    • Create a System Restore point if prompted.
    • On the next screen, click the Unselect All button to first deselect all repairs.
    • Now select the following repair options:
      • Reset Registry Permissions
      • Register System Files
      • Repair WMI
      • Remove Policies Set By Infections
      • Repair Winsock & DNS Cache
      • Repair Proxy Settings
      • Repair Windows Updates
    • Now on the lower right side check the box to Restart/Shutdown System When Finished
    • Then make sure the Restart System radio button is enabled
    • Shutdown any other programs that you are running now before continuing.
    • Now click the Start button.
    • Be patient while the tool repairs the selected items.
    • It should reboot automatically when finished.

    Now download and install the latest Sun Java Runtime Environment

    Then run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Windows 7, use right click and select Run As Administrator).

    Please attach the new C:\MGlogs.zip file... also the last created RogueKiller log -> C:\Users\Rob\Desktop\RKreport[9]_S_11242012_02d2042.txt to your next reply.

    * Make sure you tell me if you had any problems running this procedure and how your machine is working now.

     
  5. djonma

    djonma Private E-2

    Hiya again, thanks for the help!

    I uninstalled Adaware, sorry didn't realise it was installed as bf said he'd tried to install it purely for malware detection but it wouldn't install as AVG is running.

    FixMe and Bits both added successfully to the registry.
    I updated Firefox - his pc has been offline because of the infection, so it hadn't had a chance to update. Also removed the old Jre's and installed the new one.

    Everything ran ok, though the Windows Repair from Tweaker took a very long time, which I hadn't expected. I've not used that before though, so I wasn't really prepared for how long it would take.

    AVG isn't popping virus found up every few minutes anymore, but when I run RK or MGTools, AVG notices the virus as they're being scanned and pops up again.
    I ran a new RK after the Windows Repair had finished. Sorry for the number convention change - I tidied the desktop up a bit, so it created [1]. The date's in the file name though so that's ok.

    It looks like the viruses are still all there unfortunately.
    I have found my own Vista disk, so if it comes to it I could reinstall, just would like to get away with not doing that!

    Thanks again for all the help!

    Nicola
     
  6. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    You're welcome, Nicola

    Please refer to my instructions that state "Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished)."
    Tell me the filepaths that AVG is alerting on.

    Please attach the new RKreport.txt and C:\MGlogs.zip to your next reply.

    dr.m
     
  7. djonma

    djonma Private E-2


    I'm so sorry! I'm dealing with a nasty virus of my own (as in I'm ill) and I temporarily disabled AVG til restart, then rebooted and forgot as my head is fuzzy :-( That's my own fault for not being extra vigilant since I knew I was ill and groggy.

    I had my bf do an AVG scan just so you can see everything that's being reported. AVG is only reporting Win64/Patched.A rather than ZeroAccess for services, but RK still shows ZeroAccess.
    Sirefef seems to have gone, at least AVG isn't reporting it, but it's reporting new stuff in the Java things that I removed yesterday, so unsure of what's going on there.

    Here's the text from AVG:

    "";"Virus identified Win64/Patched.A, C:\Windows\System32\services.exe";"Cannot be cleaned
    Remove manually"


    "";"Trojan horse Java/Exploit.ACV, C:\Users\Rob\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\5\2daa945-2a87137c";"Moved to Virus Vault"


    "";"Trojan horse Exploit.Java_c.TN, C:\Users\Rob\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\49\523ebdb1-7b930f99";"Moved to Virus Vault"


    "";"Trojan horse Exploit.Java_c.TN, C:\Users\Rob\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\45\3a81f6d-4d1546b2";"Moved to Virus Vault"


    "";"Trojan horse Exploit.Java_c.CTB, C:\Users\Rob\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\11\6f5ab50b-425e04f2";"Moved to Virus Vault"


    "";"Trojan horse Exploit.Java_c.BOK, C:\Users\Rob\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\3d3aec6b-250e081d";"Moved to Virus Vault"

    And the reports from MGTools and RK are attached.

    Again, thanks so much for all the great help and putting up with my being dim!

    Nicola
     

    Attached Files:

  8. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Hi, Nicola
    Sorry to hear that you're fighting off a virus - I'm a bit under the weather myself.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished).

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button, then select the Registry tab and then select any of the below that exist and then click the Delete button.

    [HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
    [HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
    [HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
    [HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
    [HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
    [HJ] HKLM\[...]\Wow6432Node\System : EnableLUA (0) -> FOUND
    [HJ DESK] HKCU\[...]\ClassicStartMenu : {59031A47-3F72-44A7-89C5-5595FE6B30EE} (1) -> FOUND
    [HJ DESK] HKCU\[...]\NewStartPanel : {59031A47-3F72-44A7-89C5-5595FE6B30EE} (1) -> FOUND
    Then select the Files tab and if the below exist, click the Delete button again.

    [ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_32\Desktop.ini --> FOUND
    [ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_64\Desktop.ini --> FOUND
    When it is finished there will be a log on your desktop called RKreport[9].txt, attach it to your next reply.

    *Please do the below so that we can boot to System Recovery Options to run a scan while Windows is offline.

    For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
    For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    On the System Recovery Options menu you will get the following options:
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Type the below bolded text in the edit box after "Search:".

      services.exe

    • It will make a log (Search.txt) on the flash drive. Please attach this file to your next reply. (See: How to attach)
     
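The file-system indicators quoted in this thread (AVG's hits in posts 1 and 7, RogueKiller's [ZeroAccess][FILE] lines in posts 2 and 8) can be checked offline, which avoids the problem seen above of AVG re-alerting every time a scanner touches the files. The script below is an added example written for this page; it is not from the thread and not from AVG, RogueKiller or FRST. It assumes the suspect system drive is mounted read-only on a clean machine (e.g. /mnt/win on a Linux live CD, or a drive letter when the disk is slaved into another PC) and that the Windows\Installer\{GUID}\U\XXXXXXXX.@ layout seen in the AVG output generalises to other GUIDs (an assumption). It only covers files: the EnableLUA and DisableTaskMgr registry hits need a hive parser and are left to RogueKiller. No known-good hash of services.exe is embedded, because none is on the page; the script reports the file's SHA-256 so it can be compared with a copy from a clean Vista x64 install at the same patch level.

```python
"""Offline check for the ZeroAccess file indicators reported in this thread.

Added example; not from the thread nor from AVG, RogueKiller or FRST.
Run from a clean machine against the suspect drive mounted read-only.
The GAC Desktop.ini paths are the ones RogueKiller flagged; the GUID-directory
and '*.@' name patterns are assumptions generalised from the AVG hits.
"""
import hashlib
import json
import re
import sys
from pathlib import Path

GAC_DESKTOP_INI = (
    "Windows/assembly/GAC_32/Desktop.ini",
    "Windows/assembly/GAC_64/Desktop.ini",
)
INSTALLER_DIR = "Windows/Installer"
SERVICES_EXE = "Windows/System32/services.exe"
GUID_DIR = re.compile(r"^\{[0-9a-f-]+\}$", re.IGNORECASE)     # assumption: {GUID}-style dir names
PAYLOAD_NAME = re.compile(r"^[0-9a-f]{8}\.@$", re.IGNORECASE)  # e.g. 80000064.@ from the AVG log


def _children(directory: Path):
    """Directory listing that tolerates ACL-denied or missing directories."""
    try:
        return list(directory.iterdir())
    except (OSError, PermissionError):
        return []


def find_ci(root, rel: str):
    """Case-insensitive lookup of a '/'-separated relative path; None if absent.

    NTFS is case-insensitive but a Linux mount is not, so 'System32' and
    'system32' must both resolve to the same directory."""
    cur = Path(root)
    for part in rel.split("/"):
        nxt = next((c for c in _children(cur) if c.name.lower() == part.lower()), None)
        if nxt is None:
            return None
        cur = nxt
    return cur


def sha256_file(path: Path) -> str:
    """Streamed SHA-256 so a large file is not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_volume(root) -> dict:
    """Return the indicator hits found under the mounted volume root."""
    root = Path(root)
    found = {"gac_desktop_ini": [], "installer_payloads": [],
             "services_exe_sha256": None}

    # 1. Desktop.ini dropped into the GAC folders (RogueKiller: [ZeroAccess][FILE]).
    for rel in GAC_DESKTOP_INI:
        hit = find_ci(root, rel)
        if hit is not None and hit.is_file():
            found["gac_desktop_ini"].append(str(hit))

    # 2. Windows\Installer\{GUID}\U\XXXXXXXX.@ payload files (AVG: Agent3 / Sirefef hits).
    installer = find_ci(root, INSTALLER_DIR)
    if installer is not None:
        for guid_dir in _children(installer):
            if not (guid_dir.is_dir() and GUID_DIR.match(guid_dir.name)):
                continue
            u_dir = find_ci(guid_dir, "U")
            if u_dir is None:
                continue
            for f in _children(u_dir):
                if f.is_file() and PAYLOAD_NAME.match(f.name):
                    found["installer_payloads"].append(str(f))

    # 3. services.exe hash, to compare against a copy from a known-clean install.
    services = find_ci(root, SERVICES_EXE)
    if services is not None and services.is_file():
        found["services_exe_sha256"] = sha256_file(services)
    return found


if __name__ == "__main__":
    # usage: python scan_zeroaccess.py /mnt/win
    print(json.dumps(scan_volume(sys.argv[1]), indent=2))
```

A hit on the GAC Desktop.ini or on .@ files under a GUID directory is exactly what RogueKiller reported above; a matching services.exe hash against a clean reference is the only way to settle the Win64/Patched.A alert without trusting the infected system's own view of the file.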
  9. djonma

    djonma Private E-2

    Well now I'm even more confused.
    I ran RK, it rebooted after the registry delete, and then I ran it again to do the file delete and it wanted to reboot, so I let it.
    Instead it shut down, and now the PC will not turn on at all. No one touched the PC physically whilst it was rebooting, and I'm unsure of how playing with Windows system files would affect the physical boot up - if Windows was corrupted, it would still boot up past the BIOS and then refuse to boot into Windows.

    Any ideas? Or are we looking at a brick?

    Thanks!

    Nicola
     
  10. djonma

    djonma Private E-2

    OK ignore last post. It suddenly came on again and threw a fit about the overclock having failed (it wasn't overclocked).
    So.. back to it.
     
  11. djonma

    djonma Private E-2

    OK so his pc is now bricked due to hardware fail, so it's definitely end of life for it.
    Thanks for all the help trying to clean up the OS.
    I still do need some help though... I will attempt to get all of his files off his various HDs for his next pc, but I need to do that safely.
    I have VirtualBox and can set up a box for things, but I could do with some help making sure this virus stuff doesn't get into my pc whilst I do this.
    Or I could set up a separate hd with whichever linux variant on it would do, just to pull files off. The virus stuff seemed to all be windows sys files, would the rest of the files be safe to pull off the hdds?

    Thanks!

    Nicola
     
  12. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    :(
    I'm sorry to hear about the hardware failure, Nicola.
    I have not used VirtualBox but have used Puppy Linux with an external USB hard-drive with good results. Here's a tutorial guide that shows the basic steps:

    http://www.geekstogo.com/forum/topic/274691-use-puppy-linux-live-cd-to-recover-your-data

    Best Wishes, dr.m
     
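Post 11 asks whether the rest of the files are safe to pull off the drives once the OS is written off, and post 12 suggests doing it from a Linux live CD. The script below is an added example for that step; it is not from the thread or from the linked Puppy Linux tutorial. It assumes the old disk is mounted read-only on the rescue system (a live CD, or a VM with the physical disk attached) and that only the user's profile is wanted. Whether a file travels is decided by its content rather than its name: anything that starts with the PE "MZ" magic is left behind regardless of extension, as are script and shortcut types and the AppData tree, where AVG found the Java exploit cache entries in post 7. The SKIP_EXT and SKIP_DIRS sets are this example's choices, not a list from the page.

```python
"""Copy user data off a suspect Windows drive without carrying executables.

Added example, not from the thread or the linked tutorial.  Assumes the old
disk is mounted read-only on the rescue system and that src_profile points at
the user profile directory (e.g. /mnt/win/Users/Rob).  Files are admitted by
content (no 'MZ' header), not by extension; AppData is skipped entirely.
"""
import hashlib
import json
import os
from pathlib import Path

# Extensions never worth carrying to the new machine (author's choice, not from the page).
SKIP_EXT = {".exe", ".dll", ".sys", ".scr", ".com", ".pif", ".cpl", ".ocx",
            ".lnk", ".jar", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta",
            ".bat", ".cmd", ".ps1", ".msi", ".reg"}
# Profile subtrees pruned outright (assumption: Vista layout; AVG's Java hits were under AppData\LocalLow).
SKIP_DIRS = {"appdata", "application data", "local settings"}


def looks_like_pe(path: Path) -> bool:
    """True if the file starts with the DOS/PE magic 'MZ', whatever its name.
    Unreadable files are treated as unsafe."""
    try:
        with open(path, "rb") as f:
            return f.read(2) == b"MZ"
    except OSError:
        return True


def classify(path: Path) -> str:
    """Return 'copy', or a 'skip:<reason>' tag saying why the file stays behind."""
    if path.is_symlink():
        return "skip:symlink"        # a link/junction could point outside the profile
    if path.suffix.lower() in SKIP_EXT:
        return "skip:extension"
    if looks_like_pe(path):
        return "skip:pe-header"      # e.g. an .exe renamed to look like a photo
    return "copy"


def recover_profile(src_profile, dest, manifest=None) -> dict:
    """Copy the admitted files under src_profile into dest, preserving the
    relative layout.  Returns {'copied': {rel: sha256}, 'skipped': {rel: reason}}
    and optionally writes it as a JSON manifest."""
    src, dest = Path(src_profile), Path(dest)
    report = {"copied": {}, "skipped": {}}
    for dirpath, dirnames, filenames in os.walk(src):
        # Prune in place so os.walk never descends into AppData and friends.
        dirnames[:] = [d for d in dirnames if d.lower() not in SKIP_DIRS]
        for name in filenames:
            path = Path(dirpath) / name
            rel = str(path.relative_to(src))
            verdict = classify(path)
            if verdict != "copy":
                report["skipped"][rel] = verdict
                continue
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            # Stream the bytes and hash them on the way: data only, no ACLs,
            # attributes or alternate data streams come across.
            h = hashlib.sha256()
            with open(path, "rb") as fin, open(target, "wb") as fout:
                for chunk in iter(lambda: fin.read(1 << 20), b""):
                    h.update(chunk)
                    fout.write(chunk)
            report["copied"][rel] = h.hexdigest()
    if manifest:
        Path(manifest).write_text(json.dumps(report, indent=1, sort_keys=True))
    return report


if __name__ == "__main__":
    import sys
    # usage: python recover_profile.py /mnt/win/Users/Rob /media/usb/Rob manifest.json
    print(json.dumps(recover_profile(sys.argv[1], sys.argv[2], sys.argv[3]), indent=1))
```

Review the "skipped" part of the manifest before wiping the old drive: a document-looking file rejected for its PE header is worth a second look on the clean side, and the SHA-256 list lets the copied set be verified later on the new PC.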
  13. djonma

    djonma Private E-2

    Sorry this is so late, I was ill over Christmas and ridiculously busy. I just wanted to say thank you very much for the link, I'm going to get started on that now :)

    Nicola
     
  14. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    :)

    You're very welcome, Nicola.

    My "Best Wishes for the New Year",
    dr.m
     
