ZeroAccess cleaned; now 0 access to Internet

Discussion in 'Malware Help (A Specialist Will Reply)' started by ftjr, Dec 8, 2012.

  1. ftjr

    ftjr Private E-2

    Some family members were ignoring the warning messages on the PC they use that showed signs of a pretty serious infection. After the damage started generating random BSODs, they thought to ask for help. Was able to identify ZeroAccess and associated crap. Followed suggestions on this site and others to clean it, including Kaspersky TDS, ComboFix, RogueKiller and MalWareBytes in that order. Virus appears gone but so is Internet service.

    I attempted to fix with Tweaking, but no success so far.

    Still getting some error messages I suspect are related to previous damage, such as a random BSOD with "Bad Pool Error," and a popup when Windows launches about not being able to see the hard drive, which doesn't appear to be true. The system is a Gateway DX4831 with an Intel i3 CPU running at 530@2.93GHz with 6 gigs of RAM on a 64-bit system with Windows 7 Home Premium. The 919 gig hard drive has 735 gigs free. We've also installed a slave 74.4 gig drive from an old Dell system that's nearly full. We never boot from that one, which I think has XP on it. The dual hard drive system has been operating OK without incident for about 2 years. But I know we've neglected routine maintenance and security updates. Now paying the price.

    Should note that I definitely had Internet access (through wireless router) before last time I ran RogueKiller, since I had to download it. Not sure about whether it disappeared after MalWareBytes or before. The first time I encountered the unexpected Internet problem, I saw a note about missing proxy settings, but I haven't been able to replicate that note since.

    Please let me know what to try and what logs I can supply that might be helpful. Thanks in advance.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Please read ALL of this message including the notes before doing anything.


    Please follow the instructions in the below link:

    READ & RUN ME FIRST. Malware Removal Guide


    and attach the requested logs when you finish these instructions.
    • **** If something does not run, write down the info to explain to us later but keep on going. ****
    • Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.

    • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
    Helpful Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools and the manual update Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only RogueKiller and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run the rest of the READ & RUN ME FIRST instructions on the infected account.
    4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:
    Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST
     
  3. ftjr

    ftjr Private E-2

    OK, followed your instructions. Logs attached.

    Some notes on my results:
    -- Attempted to follow directions for IE proxy server settings. The LAN screen was checked with detect settings. I unchecked this to match the screen in the instructions. I was still unable to connect to the Internet.
    -- Attempted to run “Fix It” but received error message: “Troubleshooting cannot continue because an error has occurred. We’re sorry but the program encountered an error trying to contact the server. Please try again later.” (Code 80072EE7)
    -- Confirmed system is 64-bit
    -- Used DeFogger to disable any CD emulation (don’t think there was any).
    -- Ran CCleaner, removing total of 586 mb from system.
    -- Ran RogueKiller scan only, which detected some issues (log attached is labeled [2] because I'd used an earlier RogueKiller install to clean the initial infection before contacting the forum).
    -- Scanned with MalWareBytes, which detected no problems. (log attached)
    -- Ran TDSSKiller, detected no problems.
    -- Ran HitmanPro and MGTools as instructed. Logs attached.

    After running all steps I rebooted. Same noticeable problems remained as prior to these steps:
    -- Pop-up message still comes up 2x on start-up. Pop up titled ipoint.exe – No Disk
    “There is no disk in the drive. Please insert a disk into drive /Device/Harddisk6/DR6.” With choices Cancel, Try Again and Continue. (Experience has been that only x-ing out of these boxes prevents a BSOD; I didn't experiment with other options this time.)
    -- Internet still not working. Can connect to Wireless router, but with no Internet service.
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In one of the MGtools logs we can see the reasons for no internet access:
    Code:
    =====================================================================================  
    Checking DHCP, AFD, NetBT, tdx, TCP/IP, NSI and nsiproxy Service States 
       Dynamic Host Control Protocol -DHCP-     is NOT running  
            C:\Windows\System32\dhcpcsvc.dll exists  
       AFD Networking Support Environment -AFD- is NOT running  
            C:\Windows\System32\drivers\afd.sys is missing  
       NetBios over Tcpip -NetBT-               is running  
       NetIO Legacy TDI support driver  -tdx-   is running  
       TCP/IP Protocol Driver -TCP/IP-          is running  
       Network Store Interface Service -nsi-    is running  
       NSI Proxy Service  -nsiproxy-            is running  
    
    There could be additional services that are broken. This is quite common with ZeroAccess infections which can cause considerable damage. Let's see if we can fix this and also fix a bunch of other nuisance/junkware which we don't recommend having installed.



    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.funmoods.com/?f=1&a=ad...tBtCtDtN1L2XzutBtFtCtFtCtFtAtCtB&cr=384149704
    O2 - BHO: InfoAtoms - {103089DA-0F31-4A8B-843F-7D24A7FE8345} - C:\Program Files (x86)\InfoAtoms\IE32\InfoAtomsClientIE.dll
    O2 - BHO: (no name) - {1036AD63-AEAC-460B-9060-C96005D4DC86} - (no file)
    O2 - BHO: PriceGong - {1631550F-191D-4826-B069-D9439253D926} - C:\Program Files (x86)\PriceGong\2.6.4\PriceGongIE.dll
    O2 - BHO: EpicPlay - {56E4076B-A42B-4745-BA35-34DA8AC4C2F2} - (no file)
    O2 - BHO: StartNow Toolbar Helper - {6E13D095-45C3-4271-9475-F3B48227DD9F} - C:\Program Files (x86)\StartNow Toolbar\Toolbar32.dll (file missing)
    O2 - BHO: Freecause Shopping BHO - {91917DC6-93B9-4E62-B2D6-D39C9618C418} - C:\Program Files (x86)\Shop to Win 4\Shop to Win 4.dll
    O2 - BHO: Coupon Savings - {C3F62D94-EEBB-11E1-B88F-CBBD4CC15727} - C:\Program Files (x86)\Coupon Savings\toolbar.dll
    O2 - BHO: A Free Ride Games Bar - {f92a9fe4-2850-4198-b9d5-279880e49b16} - C:\Program Files (x86)\A_Free_Ride_Games_Bar\prxtbA_Fr.dll
    O3 - Toolbar: StartNow Toolbar - {5911488E-9D1E-40ec-8CBB-06B231CC153F} - C:\Program Files (x86)\StartNow Toolbar\Toolbar32.dll (file missing)
    O3 - Toolbar: A Free Ride Games Bar Toolbar - {f92a9fe4-2850-4198-b9d5-279880e49b16} - C:\Program Files (x86)\A_Free_Ride_Games_Bar\prxtbA_Fr.dll
    O4 - HKUS\S-1-5-18\..\Run: [Exetender] "C:\Program Files (x86)\Free Ride Games\GPlayer.exe" /runonstartup (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Exetender] "C:\Program Files (x86)\Free Ride Games\GPlayer.exe" /runonstartup (User 'Default user')

    After clicking Fix, exit HJT.


    Now please uninstall the below ( combofix which you ran already started deleting some of this junk ):
    A Free Ride Games Bar Toolbar
    Best Buy Software Installer
    Coupon Savings
    DefaultTab
    Free Ride Games Player
    InfoAtoms
    PriceGong 2.6.4
    Shop To Win
    StartNow Toolbar



    Now we will use ComboFix that you already downloaded to fix a bunch of issues.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running Combofix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion, then you will need to reboot your computer, which will normally fix this problem.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
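The MGtools check quoted above can be repeated after the repair to confirm that every networking component is present, enabled and running. This is an added example, not MGtools' or the forum's own code; it assumes Windows 7 or later, the standard Services registry layout, and an elevated PowerShell prompt (function names are this example's own).

```powershell
# Added example, not MGtools' or the forum's own code: repeat the check shown in the
# MGtools log above (state of the network services/drivers plus presence of their
# image files) so a defender can confirm the repair after a ZeroAccess cleanup.
# Assumes Windows 7 or later, the standard Services registry layout, and an
# elevated PowerShell prompt. Function names are this example's own.
$services = 'Dhcp', 'nsi'                               # svchost-hosted user-mode services
$drivers  = 'AFD', 'NetBT', 'tdx', 'Tcpip', 'nsiproxy'   # kernel drivers (.sys files)
$svcKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Resolve-ImagePath([string]$raw) {
    # Normalise the forms seen in the registry: "\SystemRoot\...", "System32\...",
    # "\??\C:\...", %SystemRoot% variables, and quoted paths followed by arguments.
    if (-not $raw) { return $null }
    $p = $raw -replace '^\\\?\?\\', '' -replace '^"([^"]+)".*$', '$1'
    $p = [Environment]::ExpandEnvironmentVariables($p)
    if ($p -match '^\\SystemRoot\\(.+)$')  { $p = Join-Path $env:SystemRoot $Matches[1] }
    elseif ($p -match '^System32\\(.+)$') { $p = Join-Path "$env:SystemRoot\System32" $Matches[1] }
    return $p
}

function Test-NetComponent([string]$name, [string]$wmiClass, [string]$image) {
    $obj = Get-WmiObject -Class $wmiClass -Filter "Name='$name'"
    if (-not $obj) { return "$name : MISSING from the service database" }
    $problems = @()
    if ($obj.State -ne 'Running')      { $problems += "state=$($obj.State)" }
    if ($obj.StartMode -eq 'Disabled') { $problems += 'Start=Disabled' }   # Start=4 in the registry
    if (-not $image) { $problems += 'no image path in registry' }
    elseif (-not (Test-Path -LiteralPath $image)) { $problems += "file missing: $image" }  # afd.sys in the log
    if ($problems.Count -eq 0) { return "$name : OK ($image)" }
    return "$name : " + ($problems -join '; ')
}

foreach ($s in $services) {
    # svchost-hosted services keep their DLL in Parameters\ServiceDll, not in ImagePath
    $dll = (Get-ItemProperty -Path "$svcKey\$s\Parameters" -ErrorAction SilentlyContinue).ServiceDll
    Test-NetComponent $s 'Win32_Service' (Resolve-ImagePath $dll)
}
foreach ($d in $drivers) {
    $img = (Get-ItemProperty -Path "$svcKey\$d" -ErrorAction SilentlyContinue).ImagePath
    Test-NetComponent $d 'Win32_SystemDriver' (Resolve-ImagePath $img)
}
```

A line reporting "file missing" for a driver means the service entry survived but its .sys file did not, which is the afd.sys situation in the log; a "MISSING from the service database" line means the whole service key is gone and a reinstall or an sfc /scannow run is the usual next step.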
     
  5. ftjr

    ftjr Private E-2

    OK, did everything and the Internet is back. (So thanks!)
    What I am still getting is the "ipoint.exe No Disk" pop up twice when Windows restarts.

    A few other notes:
    --On uninstalls, Best Buy Software Installer and Free Ride Toolbar could not be uninstalled using Control Panel uninstall. Clicked and they ignored me.
    Default Tab appears to be gone already. InfoAtoms needed Internet access to run uninstall routine. Plan to try again later.
    -- On ComboFix. My previous install of ComboFix was awol (not sure why) so I needed to port it over with a flashdrive. Couldn't get it to copy to the desktop, except as a shortcut. So in order to carry out this operation, I copied the CFtext.exe file to it on the Flashdrive. (Also, I accidentally started to run it before using the txt file. Wasn’t sure what to do, so I stopped it fairly quickly.) System rebooted at end of ComboFix routine. This turned AVG back on. I turned it off again. Seemed to finish up OK.

    Two log files attached. Name doesn't match up on the Combofix log file, but that's it.
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This is not a malware problem. You can work this in the Software Forum if necessary. This process is related to your Microsoft IntelliType keyboard. The below are loading at startup. You may just need to reinstall.
    Code:
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "itype"="\"c:\\Program Files\\Microsoft IntelliType Pro\\itype.exe\""
    "IntelliPoint"="\"c:\\Program Files\\Microsoft IntelliPoint\\ipoint.exe\""
    
    Try using the below to uninstall them:

    Revo Uninstaller


    The combofix.txt log is right where the instructions said it would be which is C:\combofix.txt I can even see it in your MGlogs.zip file. ;)

    You have a load of things in MSConfig registry keys but you don't appear to be directly using Msconfig to control startup processes. What are you using that is putting information into Microsoft's MSconfig registry keys? I know Glary Utilities and CCleaner do this. Are you using them to do this? If so, you should not, because they should not be using registry keys that do not belong to them.

    You also have some other junkware to remove.

    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note: That JRT may reset your home page to a google default so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.
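The Run-key entries and the MSConfig registry keys discussed above can be listed side by side to see which startup commands still point at a file that exists. This is an added example, not the forum's or MGtools' own code; it assumes the standard Windows registry layout (the "key" and "command" value names under MSConfig's startupreg key), and the function names are this example's own.

```powershell
# Added example, not the forum's or MGtools' own code: enumerate the Run-key entries
# quoted above together with whatever has been parked in MSConfig's startupreg key, so
# the source of a startup pop-up (ipoint.exe here) and of stray MSConfig entries is
# visible. Assumes the standard registry layout; function names are this example's own.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',   # 32-bit programs on 64-bit Windows
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$msconfigKey = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg'
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-ImageFromCommand([string]$cmd) {
    # First quoted token, else first whitespace-delimited token (unquoted paths with
    # spaces are a known limitation, so the result is only a best effort).
    if ($cmd -match '^\s*"([^"]+)"') { return [Environment]::ExpandEnvironmentVariables($Matches[1]) }
    if ($cmd -match '^\s*(\S+)')     { return [Environment]::ExpandEnvironmentVariables($Matches[1]) }
    return $null
}

function New-StartupEntry($source, $key, $name, $command) {
    $exe = Get-ImageFromCommand $command
    New-Object PSObject -Property @{
        Source = $source; Key = $key; Name = $name; Command = $command
        Exists = [bool]($exe -and (Test-Path -LiteralPath $exe))
    }
}

function Get-RunEntries {
    foreach ($k in $runKeys) {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($providerProps -contains $p.Name) { continue }   # skip the provider's metadata
            New-StartupEntry 'Run' $k $p.Name ([string]$p.Value)
        }
    }
}

function Get-MsconfigEntries {
    # Items disabled through MSConfig (or by a tool writing into its key) keep their
    # original key in "key" and the full command line in "command".
    Get-ChildItem -Path $msconfigKey -ErrorAction SilentlyContinue | ForEach-Object {
        $v = Get-ItemProperty -Path $_.PSPath
        New-StartupEntry 'MSConfig\startupreg' $v.key $_.PSChildName ([string]$v.command)
    }
}

@(Get-RunEntries) + @(Get-MsconfigEntries) | Format-Table Source, Name, Exists, Command -AutoSize
```

An entry with Exists = False is a command whose target file is gone, which is what produces a startup error or "No Disk" style prompt; entries under MSConfig\startupreg were written by whatever tool disabled them, not by the program itself.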
     
