ZeroAccess Rootkit - Elevated help please

Q: ZeroAccess Rootkit - Elevated help please

Referred here from the "Am I Infected?" forum,
thanks to BC Advisor.
 
In this link you will see several initial logs from Security Check, Farbar, etc.
http://www.bleepingcomputer.com/forums/t/494838/mse-closed-fake-security-infection/
 
 
 
I had Microsoft Security Essentials on my IE7.
I had an "update Java" type prompt that I tried to close.
(Would never open that!)
 
Suddenly MSE closed, I don't seem to have it available anymore.
A fake Security program tried to run, but I closed it.
 
I haven't observed any problems, other than the fact that MSE is disabled.
 
------
 
This may/may not be relevant: I had some major problems several months
ago with viruses - I tried to repair them on my own - I accidentally
deleted part of the MasterBootRecord, so I had to re-format my drive
and start over.
 
Gringo helped me through that.
 
DDS logs:
 
 


A: ZeroAccess Rootkit - Elevated help please

DDS + Attachment
-------------------
 
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 8.0.7601.17514
Run by HAL at 17:46:04 on 2013-05-16
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.2942.1646 [GMT -5:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Users\HAL\AppData\Roaming\PC-Gizmos\PC_136519.en_76.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://google.com/
uURLSearchHooks: YTD Toolbar: {F3FEE66E-E034-436a-86E4-9690573BEE8A} - C:\Program Files (x86)\YTD Toolbar\IE\7.0\ytdToolbarIE.dll
mWinlogon: Userinit = userinit.exe,
BHO: PC Gizmos BHO: {A817C286-3D6B-4ECD-A99C-E44E50DBC523} - C:\Users\HAL\AppData\Roaming\PC-Gizmos\PCGizmosBHO.dll
BHO: YTD Toolbar: {F3FEE66E-E034-436a-86E4-9690573BEE8A} - C:\Program Files (x86)\YTD Toolbar\IE\7.0\ytdToolbarIE.dll
TB: YTD Toolbar: {F3FEE66E-E034-436a-86E4-9690573BEE8A} - C:\Program Files (x86)\YTD Toolbar\IE\7.0\ytdToolbarIE.dll
uRun: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
uRun: [PC_GIZMOS] "C:\Users\HAL\AppData\Roaming\PC-Gizmos\PC_136519.en_76.exe" --update
mRun: [SearchSettings] "C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe"
mRunOnce: [Z1] cmd /c "C:\Users\HAL\Desktop\Downloads\mbar\mbar.exe" /cleanup /s
StartupFolder: C:\Users\HAL\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\OPENOF~1.LNK - C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
TCP: NameServer = 66.90.139.210 66.90.130.10
TCP: Interfaces\{F4ACD421-1D49-49B2-B84C-49D7EBE4D845} : DHCPNameServer = 66.90.139.210 66.90.130.10
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\26.0.1410.64\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-Run: [MSC] "C:\Program Files\Microsoft Security Client\mssecex.exe" -hide -runkey
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\HAL\AppData\Roaming\Mozilla\Firefox\Profiles\y4frfkdf.default\
FF - prefs.js: browser.startup.homepage - hxxp://google.com/
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=937811&p=
FF - plugin: C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_6_602_171.dll
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2012-7-11 140672]
R2 Application Updater;Application Updater;C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe [2013-2-23 805752]
R2 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2012-8-30 128456]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2012-9-12 368896]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2013-2-8 1255736]
.
=============== Created Last 30 ================
.
2013-05-16 18:06:19 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client
2013-05-16 18:04:02 -------- d-----w- C:\Windows\TempE226ED41-49E7-44E7-AA85-87E142487A19-Signatures
2013-05-15 04:46:04 983400 ----a-w- C:\Windows\System32\drivers\dxgkrnl.sys
2013-05-15 04:46:04 265064 ----a-w- C:\Windows\System32\drivers\dxgmms1.sys
2013-05-15 04:46:04 144384 ----a-w- C:\Windows\System32\cdd.dll
2013-05-15 04:46:00 1930752 ----a-w- C:\Windows\System32\authui.dll
2013-04-24 16:32:20 1656680 ----a-w- C:\Windows\System32\drivers\ntfs.sys
.
==================== Find3M  ====================
.
2013-05-02 15:29:56 278800 ------w- C:\Windows\System32\MpSigStub.exe
2013-04-10 05:51:43 1188864 ----a-w- C:\Windows\System32\wininet.dll
2013-04-10 05:08:12 981504 ----a-w- C:\Windows\SysWow64\wininet.dll
2013-04-10 03:30:50 3153920 ----a-w- C:\Windows\System32\win32k.sys
2013-04-09 16:31:33 145 ----a-w- C:\Users\HAL\AppData\Roaming\uninstall.bat
2013-04-04 19:50:32 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2013-03-19 06:04:06 5550424 ----a-w- C:\Windows\System32\ntoskrnl.exe
2013-03-19 05:46:56 43520 ----a-w- C:\Windows\System32\csrsrv.dll
2013-03-19 05:04:13 3968856 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2013-03-19 05:04:10 3913560 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2013-03-19 04:47:50 6656 ----a-w- C:\Windows\SysWow64\apisetschema.dll
2013-03-19 03:06:33 112640 ----a-w- C:\Windows\System32\smss.exe
2013-03-02 02:50:18 71024 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-03-02 02:50:18 691568 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-02-28 12:03:52 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2013-02-28 11:38:43 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2013-02-27 06:02:44 111448 ----a-w- C:\Windows\System32\consent.exe
2013-02-27 05:47:10 70144 ----a-w- C:\Windows\System32\appinfo.dll
2013-02-27 04:49:24 1796096 ----a-w- C:\Windows\SysWow64\authui.dll
.
============= FINISH: 17:46:18.53 ===============
 
 

Q: infected with ZeroAccess rootkit - need elevated help!

Originally I had posted for help to remove csrss.exe and was being instructed on removal. I had originally posted here http://www.bleepingcomputer.com/forums/t/577117/infected-with-csrssexe-and-spyhunter-4/
 
I get error messages that say I have corrupt files in my recycle bin. The recycle bin is empty. While in safe mode I realized that I was looking at a fake desktop. When I saved the scans to my real desktop they worked. I was able to run most of the scans that I was asked to run. I couldn't run rkill. I was then informed that I was infected with ZeroAccess rootkit and needed elevated help.
 
 
 
 
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 26-05-2015
Ran by Jackie (ATTENTION: The logged in user is not administrator) on JACKIE-PC on 31-05-2015 16:28:48
Running from C:\Users\Jackie\Downloads
Loaded Profiles: Jackie & Admin (Available Profiles: Jackie & RosettaStone Spanish & Admin)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
==================== Processes (Whitelisted) =================
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
Failed to access process -> sm...

A: infected with ZeroAccess rootkit - need elevated help!

Welcome to BleepingComputer!
My name is Jason and I'll be helping you with your computer problems. You can call me by my screen name jntkwx or Jason is fine.
 
Ground Rules:
First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.
Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
When you post your reply, use the button.
In the upper right hand corner of the topic you will see the butto...

Q: infected with ZeroAccess - need elevated help

http://www.bleepingcomputer.com/forums/t/517675/infected-with-zeroaccess-rootkit/
 
Top posted in Malware Removal. I'm getting redirects when I click on a link in yahoo.com.
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16526
Run by GESWEIN03 at 17:12:45 on 2013-12-16
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.8136.6057 [GMT -5:00]
.
AV: McAfee VirusScan Enterprise *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee VirusScan Enterprise Antispyware Module *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
FW: McAfee Host Intrusion Prevention Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\SysWO...

A: infected with ZeroAccess - need elevated help

Hello and welcome.  Please follow these guidelines while we work on your PC:
Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.”  Absence of symptoms does not mean your machine is clean! 
Please do not run any scans or install/uninstall any applications without being directed to do so.
Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.
Please download Farbar Recovery Scan Tool and save it to your desktop.
 
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Q: possible ZeroAccess, elevated help suggested from am i infected section

this was the other thread http://www.bleepingcomputer.com/forums/t/537927/windows-login-screen-flashing/
 
possible ZeroAccess rootkit, dds logs attached
 
thanks!

A: possible ZeroAccess, elevated help suggested from am i infected section

Hi there, my name is Marius and I will assist you with your malware related problems. Before we move on, please read the following points carefully.
First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
Perform everything in the correct order. Sometimes one step requires the previous one.
If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you cannot post all logfiles in one reply, feel free to use more posts.
If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed. Stay with me.
I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Scan with Gmer rootkit scanner
Please download Gmer from here by clicking on the "Download EXE" Button.
Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
If it gives you a warning about rootkit activity and asks if you want to ru...

Q: elevated help - Zero Access Rootkit?

Hello- I started out just thinking I had Scorpion Saver on the computer and started a thread here.... http://www.bleepingcomputer.com/forums/t/616295/scorpion-saver/page-2#entry4014917
 
After getting some assistance from Broni- he advised me that "There are some signs of ZeroAccess rootkit so you'll need elevated help."  And that I needed to follow this guide : http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
As he advised I started at step six on the guide posted above.
 
My computer is running rather slow.  I need my computer for work as I am working from home for Uhaul.   Whatever is going on is interfering with the VPN connection I have to have for work. Any assistance would be greatly appreciated.  
 
thank you
 
 
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:03-06-2016
Ran by Randi (administrator) on RANDI-PC (04-06-2016 17:40:59)
Running from C:\Users\Randi\Downloads
Loaded Profiles: Randi (Available Profiles: Randi & DefaultAppPool)
Platform: Windows 10 Home Version 1511 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
==================== Processes (Whitelisted) =================
(If an entry is included in the fixlist, the p...

A: elevated help - Zero Access Rootkit?

Hello, Welcome to BleepingComputer. I'm nasdaq and will be helping you.
If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===
Press the windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

Remove this process via the Control Panel > Programs > Programs and Features applet.
ScorpionSaver (HKLM-x32\...\{9B65F9A3-9D24-452A-B6EF-1457D65E4259}) (Version: 1.0.0.0 - Adpeak, Inc.) <==== ATTENTION

===

SearchScopes: HKLM-x32 -> DefaultScope value is missing
BHO: No Name -> {95B7759C-8C7F-4BF1-B163-73684A933233} -> No File
Toolbar: HKU\S-1-5-21-4265505565-2887419862-550575693-1001 -> No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
Toolbar: HKU\S-1-5-21-4265505565-2887419862-550575693-1001 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
Handler: tmtbim - {0B37915C-8B98-4B9E-80D4-464D2C830D10} - No File
FF DefaultSearchEngine: AVG Secure Search
CHR Plugin: (Shockwave Flash) - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_9_900_117.dll => No File
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\50.0.2661.102\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Fi...

Q: RootKit ZeroAccess Infection RootKit

Hello,
I had a massive File Restore infection that you helped me fix using MalwareBytes, unhide.exe, rkill, etc. <http://www.bleepingcomputer.com/virus-removal/remove-file-restore>
I found during that process that I also had TDSS and a couple of other issues which you helped me fix with some combination of Stopzilla, HitmanPro, and Kapersky TDSS killer.
I also had a lot of windows services that weren't working (including firewall and update) that I fixed using the processes here: <http://answers.microsoft.com/en-us/windows/forum/windows_7-security/error-0x80070424-the-windows-security-center/077f0b46-03ab-4787-85b8-dccebb66d91c>
I went back and installed 6 months worth of Windows 7 Premium updates (I have Windows 7 SP1) that I had previously been unable to install.
After all this, I removed the McAfee product I had and installed Symantec Endpoint Protection that work provides me. Ran a complete scan and didn't find any further problems.
However, when I run rkill (actually eXplorer.exe) upon startup I get the following:

Rkill 2.4.3 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 11/03/2012 12:36:57 AM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes t...

A: RootKit ZeroAccess Infection RootKit

Hi swindlersb, welcome to Bleeping Computer. My name is Jason and I'll be helping you with your computer problems. You can call me by my screen name jntkwx or Jason is fine.
Some things to remember while we are working together.
Do not run any other tool until instructed to do so!
Please do not attach logs or put logs in code boxes (unless asked to)
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can also help.
Do not run anything while running a fix.
If you don't understand a step, please ask for clarification before continuing with any future steps.
Click on the Watch Topic button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Multiple Antivirus Programs Installed
I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened again this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it a...

Q: ZeroAccess Rootkit

Original Post from Jun 9, 2013: Windows Firewall Missing
 
 
---------------------------------------------------------------
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16576  BrowserJavaVersion: 10.21.2
Run by Madeline at 22:29:13 on 2013-06-12
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.4009.2095 [GMT -5:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {ADA629C7-7F48-5689-624A-3B76997E0892}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {16C7C823-5972-5907-58FA-0004E2F9422F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: McAfee Firewall *Disabled* {959DA8E2-3527-57D1-4915-924367AD4FE9}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files (x86)\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\Apple...

A: ZeroAccess Rootkit

Hi there, my name is Marius and I will be assisting you with your malware related problems. Before we move on, please read the following points carefully.
First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
Perform everything in the correct order. Sometimes one step requires the previous one.
If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
Do not run any other scans without instruction or Add/Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you cannot post all logfiles in one reply, feel free to use more posts.
If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed. Stay with me.
I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Please download Malwarebytes Anti-Rootkit from here (Malwarebytes: Malwarebytes Anti-Rootkit) and save it to your desktop.
Be sure to print out and follow the instructions provided on that same page.
Caution: This is a beta version so please be sure to read the dis...

Q: ZeroAccess rootkit

Hello. Avast keeps stopping malware-gen from trying to do things and Sirefef-AHF [Trj] from trying to do things. I've run a virus scan and it caught many files with names such as [email protected], [email protected] and [email protected] I have been moving them to the virus chest of avast and deleting them. Broni told me he thinks it's a ZeroAccess rootkit. Thank you for any help.
Am I infected topic: My link
Logs
Defogger
DDS Log.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by family at 20:18:01 on 2012-09-02
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.2.1033.18.3063.1322 [GMT -7:00]
.
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Fil...

A: ZeroAccess rootkit

Greetings and Welcome to The Forums!!
My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.
Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the ...

Q: rootkit zeroaccess

Hello

I have a Toshiba Laptop, Windows Vista Ultimate SP2, 32-Bit OS. After running TDSSKILLER, it shows rootkit.win32.zaccess.e. Is this the ZeroAccess Rootkit?

Thanks

A: rootkit zeroaccess

Hello, let's look at that log.
A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
Copy and paste the contents of that file in your next reply.

Next run MBAM (MalwareBytes):
Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
If you encounter any problems while downloading the definition updates, manually download them from here and just double-c...

Q: zeroaccess rootkit

Parents' computer has detected zeroaccess rootkit. Please help removing it.
 
Windows vista 32 bit
sp2

A: zeroaccess rootkit

Hello, Welcome to BleepingComputer. I'm nasdaq and will be helping you.
If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===
Download Malwarebytes' Anti-Malware from Here
Double-click mbam-setup-2.X.X.XXXX.exe to install the application (X's are the current version number).
Make sure a checkmark is placed next to Launch Malwarebytes' Anti-Malware, then click Finish.
Once MBAM opens, when it says Your databases are out of date, click the Fix Now button.
Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box for Scan for rootkits.
Click the Scan tab at the top of the program window, select Threat Scan and click the Scan Now button.
If you receive a message that updates are available, click the Update Now button (the update will be downloaded, installed, and the scan will start).
The scan may take some time to finish, so please be patient.
If potential threats are detected, ensure that Quarantine is selected as the Action for all the listed items, and click the Apply Actions button.
While still on the Scan tab, click the link for View detailed log, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
The log is automatically saved by MBAM and can also be viewed by clicking the History tab and then selecting Application Log...

Read other 0 answers

I was instructed through this thread http://www.bleepingcomputer.com/forums/t/497422/browser-problems-after-suspicious-software-use/ to post a link to the thread and the DDS file, as well as a summary of issues.
So here we go. The other day a suspicious file was opened on my computer and now (when I did have access to the internet) I would try opening a secure link website (Https://Google.ca) and it would tell me the security certification has been revoked, but it did it for every secured site. Shortly after this I had issues connecting to the internet, period. It shows my local network is fine and every other device works fine, but I can't connect to the internet. I was told by Broni that I had the newest ZeroAccess rootkit and honestly I have no idea what that is, how I got it or what to do about it, so here are the requested files.
 

Upon request I have the Attach file as well.
Thank you in advance and Thank you to Broni for all his help.

A:ZeroAccess rootkit.

Hello DarkImpulses, I would like to welcome you to the Malware Removal section of the forum.
Around here they call me Gringo and I will be glad to help you with your malware problems.
Very Important --> Please read this post completely, I have spent my time to put together some things for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!
Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the s... Read more

Read other 28 answers

I hear random audio ads while browsing (IE) and also I get randomly redirected while browsing. I've run Rkill a couple of times and I'm pretty sure it's ZeroAccess; problem is I'm pretty inexperienced at handling this sort of thing. So what do I have to do to deal with this?

A:Zeroaccess rootkit? What do i do?

Download TDSSKiller
Launch it.
Click on change parameters - Select TDLFS file system
Click on "Scan".
Please post the LOG report (log file should be in your C drive)
Do not change the default options on scan results
Download aswMBR
Launch it, allow it to download latest Avast! virus definitions
Click the "Scan" button to start scan.
After scan finishes, click on Save log
Post the log results here
Download ESET online scanner
Install it
Click on START, it should download the virus definitions
When scan gets completed, click on LIST of found threats
Export the list to desktop, copy the contents of the text file in your reply

Read other 18 answers

Hi, I am in the process of cleaning up an infected computer. It originally had Malware Doctor, a rogue AV. I booted to safe mode, installed MBAM, updated, and performed a full scan. It cleaned up 86 files and forced me to reboot. I did; I then ran CCleaner to clean temp files. I ran HijackThis and cleaned up what I could. I then ran TDSSKiller and it found a TDSS 4 rootkit. I cleaned up the rootkit and rebooted the comp. I had a problem getting online so I had to uninstall/reinstall the TCP/IP settings within my network card properties window. This allowed me online after I removed the proxy server as well. I also realized that I had no hosts file whatsoever, so I had to create one in its place. But I was still getting redirected every other link I would click. So I ran Hitman Pro and it found 5 tracking cookies and 3 malware pieces. After a reboot I was still getting redirected. So I ran GMER rootkit remover and it found nothing. I then ran ComboFix and it told me that I was infected with the rootkit ZeroAccess! So ComboFix completed and rebooted BUT I'M STILL GETTING redirected! Also one thing to mention is that SOMETIMES when I go to execute an EXE like Process Explorer or GMER it tells me that I do not have access or permissions to that file. (But this is because of the rootkit infection, or so I've read.) I've updated and re-run MBAM as well as TDSSKiller with both end results coming up "clean". I am so frustrated and am about to format this machine, any help woul... Read more

A:rootkit.zeroaccess

Hi
When you run this ComboFix Script, please allow ComboFix to download and install the Recovery Console as we are going to need to use it.
Please do the following:
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:
Here's how to do that:
Click Start > Run, type Notepad, click OK.
This will open an empty notepad file:
Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')
http://www.bleepingcomputer.com/forums/topic411785.html

File::
c:\windows\Vqizahemilek.bin

Folder::
c:\documents and settings\All Users\Application Data\oC01602LjIeM01602

Collect::
c:\windows\system32\dmbandw.dll
c:\windows\iganezonusohomat.dll

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ecekokofatahixow]
DDS::
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: motive.com\patttbc.att
Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')
Save this file to your desktop, Save this as "CFScript"
Here's how to do that:
1. Click File;
2. Click Save As... Chang... Read more

Read other 2 answers

I have a virus on my computer that won't let me open the scanner, and if I get it open by the alternate start-up it stops it and closes it out. What do I do? I've tried everything. I'm about to just throw this laptop out the window.

A:zeroaccess.rootkit

How do you know it's ZeroAccess anyway? Try running MalwareBytes.
Download Location
How to use MalwareBytes

Read other 11 answers

Typical ZeroAccess error messages. Now it will not allow to enable windows defender.

A:ZeroAccess Rootkit

Hello tarheel3185,

Welcome to Bleeping Computer.
My name is fireman4it and I will be helping you with your Malware problem.

Please take note of some guidelines for this fix:
Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
In the upper right hand corner of the topic you will see a button called Follow This Topic. I suggest you click it and select Immediate E-Mail notification and click on Follow This Topic. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Finally, please reply using the Post button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
I will be analyzing your log. I will get back to you with instructions. Do you have a USB Flash Drive you can use?

Read other 10 answers

Oh man, I think I have a pretty bad virus. At first I was getting an odd file running in the format of 23594733: 22905201.exe. I ran ComboFix and it said I had a ZeroAccess rootkit and it was in the TCP/IP stack. I couldn't run other virus scanners or anything and my firewall was disabled. Now I can enable my firewall but the scanners all do not work, unless I reinstall them under a different name. Also the first time I ran GMER it was OK, but I tried to get a more updated version and it went to a blue screen. So the attached GMER log is not the most recent. Can someone please help me out?

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Run by Compaq_Owner at 23:07:27 on 2011-10-12
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1982.1081 [GMT -4:00]
.
AV: AVG Internet Security 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Norton Internet Worm Protection *Disabled*
FW: AVG Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Progra... Read more

A:Help I think I have a ZeroAccess Rootkit

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.
If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===
The notice to not run the ComboFix tool unless advised by a trusted helper is not there for nothing.
I hope we can restore this computer.
Let's start with this.
Please download DummyCreator.zip and unzip it.
Run the tool.
Copy and paste the following into the edit box:

C:\WINDOWS\23594733
Press Create button and post the content of the Result.txt.

Important: Restart the computer.
===
Please let me know what problem persists.

Read other 5 answers

Hi,
 
Here's my old thread -  http://www.bleepingcomputer.com/forums/t/497156/ie9-and-firefox-this-file-contained-a-virus-and-was-deleted/
 
I hadn't been able to download any files and after posting my problem in the forums, I was suggested to run FSS, I did that and discovered I was infected with the newest version of ZeroAccess Rootkit. I was directed here.
 
Here are the DDS logs:
 
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16476  BrowserJavaVersion: 10.4.1
Run by EVIE at 11:21:49 on 2013-06-09
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.44.1033.18.2813.1704 [GMT 1:00]
.
AV: BitDefender Antivirus *Enabled/Updated* {982ADE23-275B-0766-37C5-DE01A484098E}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: BitDefender Antispyware *Enabled/Updated* {234B3FC7-0161-08E8-0D75-E573DF034333}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2010\vsserv.exe
C:\Windows\system32\SLsvc.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device... Read more

A:ZeroAccess Rootkit

Hi there, my name is Marius and I will be assisting you with your Malware related problems.
Before we move on, please read the following points carefully.
First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
Perform everything in the correct order. Sometimes one step requires the previous one.
If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
Do not run any other scans without instruction or Add/Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.
Please download Malwarebytes Anti-Rootkit from here Malwarebytes : Malwarebytes Anti-Rootkit and save it to your desktop.
Be sure to print out and follow the instructions provided on that same page.
Caution: This is a beta version so please be sure to read the disclaimer and back up any importan... Read more

Read other 52 answers

Windows 7, 64bit, Firefox (latest as of 09-09-13)
Hi. I clicked on a link in an email, and something popped up saying Adobe was trying to make changes to my computer. I clicked the cancel button, and it closed the window, but it instantly reappeared with the same message. I tried clicking 'X' with the same results. I did NOT click 'allow'. I rebooted my system. Then AVG popped up saying:
! AVG Detection
AVG blocked several threats. Please select how to deal with these threats.
Threat name..................................................Result
 
Trojan horse Generic34.BDPQ......................Infected
...c:\Users\Dodge\AppData\Local\Google\D...
 
Trojan horse Crypt_s.CCD.............................Infected
...c:\Users\Dodge\AppData\Local\Google\D...
 
Found Luhe.Sirefef.A.....................................Infected
...c:\Users\Dodge\AppData\Local\Google\D...
 
?  [View details ]........[ Remove selected ].......[ Remove all ]
 
I tried 'remove all'.
It tries, then changes 'Infected' to 'Cannot be removed. Access is denied.'
I tried System Restore, but that failed. Unfortunately I don't remember why it said it failed.
 
I then created an account here and posted in the 'Am I Infected?' forum. This is the topic. I followed the instructions given, and was told to post here with a DDS log and attachment. Here is the DDS.txt:
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16660  BrowserJavaVersion: 1.6.0_30
Run by Dodg... Read more

A:ZeroAccess Rootkit

Hi there, my name is Marius and I will assist you with your malware related problems.
Before we move on, please read the following points carefully.
First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
Perform everything in the correct order. Sometimes one step requires the previous one.
If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.
Scan with aswMBR
Please download aswMBR (4.5MB) to your desktop.
Double click the aswMBR.exe icon, and click Run.
There will be a short delay before the next dialog box comes up. Please just wait a minute or two.
When asked if you'd like to "download the latest Avast! virus definit... Read more

Read other 16 answers

Hello all
I have used a lot of the info in these forums to try and remove ZeroAccess malware. I am now at the stage where the firewall is running again, security center service re-established and windows update is working.
 
Unfortunately RKill logs are still showing some issues with ZeroAccess and I cannot launch Windows Defender. However I have now installed Microsoft Security Essentials and this is running and up to date.
 
I still cannot download files in Internet Explorer due to false positives, as the download completes I receive a message that the download has a virus and the file is automatically deleted.
 
I would be incredibly grateful if anyone can assist!
Cheers
 
Rkill 2.5.3 by Lawrence Abrams (Grinler)http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html
Program started at: 07/01/2013 06:20:44 PM in x86 mode.
Windows Version: Windows Vista ™ Home Premium Service Pack 2
Checking for Windows services to stop:
 * No malware services found to stop.
Checking for processes to terminate:
 * No malware processes found to kill.
Checking Registry for malware related settings:
 * No issues found in the Registry.
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
Performing miscellaneous checks:
 * ALERT: ZEROACCESS Reparse Point/Junction found!
    ... Read more

A:ZeroAccess rootkit

Hi there, my name is Marius and I will be assisting you with your Malware related problems.
Before we move on, please read the following points carefully.
First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
Perform everything in the correct order. Sometimes one step requires the previous one.
If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
Do not run any other scans without instruction or Add/Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.
Please download Farbar's Recovery Scan Tool to your desktop: FRST 32bit or FRST 64bit (If not sure: Start --> Computer (right click) --> properties)
Run FRST. Don't change one of the checkboxes and hit Scan. Logfiles are created on your desktop. Poste ... Read more

Read other 12 answers

Hi Techsupportforum!

I'm going to break the rules a bit here... I don't have the requisite logs/files to start a thread :(. My attachment contains the ARK.txt file created out of the GMER scan only. Unfortunately, I am not able to provide the attach.txt or dds.txt files because DDS.SCR will not run on my machine :(.

Yesterday morning AVG blocked a series of trojans in quick succession before Internet Explorer started getting hijacked. I ran Malwarebytes which identified and supposedly removed a number of threats. Nevertheless, Internet Explorer continued to be hijacked.

I ran Combofix hoping something would work. Combofix identified "rootkit.zeroaccess!" and indicated it is a pretty nasty virus. The Combofix scan wouldn't complete either, but at least I got the name of the rootkit.

I Googled "rootkit.zeroaccess", and found that it is fairly difficult to remove. I attempted to follow removal instructions from another website. Most of those instructions begin with running TDSS Killer from Kaspersky. I ran TDSS Killer, which found no threats!?

I came to Techsupportforum to see what my next steps should be. I attempted to run DDS.SCR to no avail. I moved on to GMER, which worked, but only after a few tries. I tried running DDS.SCR a few more times without luck.

Any suggestions you can make would be greatly appreciated!

A:ROOTKIT.ZEROACCESS!

Hello, and welcome to TSF.

I am currently reviewing your log. I will be back with a fix for your problem as soon as possible.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Please be patient with me during this time.

Read other 4 answers

I recently received a Windows XP computer to fix for someone, and I think it is infected with the zeroaccess rootkit. I suspect this because some of the malware scan results show trojan.0access. What exactly does this rootkit do? 

Read other answers

If reply is on Nov 14 or later, please do not delete topic due to my non-response. I will be out of town with no internet access until the evening of Nov 18.
I recently removed the System Restore program using the guide found here at bleepingcomputer. I had some luck with the guide, but actually Microsoft Security Essentials ended up finding and removing it. Ever since then, I am still getting the redirects from google or bing links, iexplore.exe randomly opens (although no browser window opens, only in Task Manager... I end the process, but it just comes back after a few mins), and Firefox seems to use up quite a bit more system memory than it did before. I am running windows 7 home premium 64-bit. I have run full scans with Malwarebytes, Adaware and MS Security Essentials. They all found and removed a few things, but I am still having the same problem.
Something that may be related is that I can't get my Windows Firewall to come back on. I don't have any other firewall program. My Windows Firewall Authorization Driver seems to be corrupted. There is a topic here that addresses all the details here. If this is unrelated, my apologies for putting two problems in the same post.
Posted first here http://www.bleepingcomputer.com/forums/topic426598.html/page__gopid__2469442
Since I am running 64-bit Windows, I was not able to run gmer.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_29
Run by wmcknight at 21:20:29 on 2011-11-09
Microsoft... Read more

A:possible zeroaccess rootkit

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
To help Bleeping Computer better assist you please perform the following steps:
***************************************************
In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.
CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/427177 <<< CLICK THIS LINK
If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.
***************************************************
If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lo... Read more

Read other 28 answers

Hey guys, like the title says my computer's been acting a little funky the past couple days, with explorer.exe crashing along with Chrome. Figured I'd stop by and see if you guys don't mind helping me out to see if anything's up. At the moment I'm running x64 8.1, and have scanned with MBAM, TDSSKiller, Avast, and RogueKiller, which did pop up with a ZeroAccess process it killed, but I wasn't able to see what the process actually was since it was out of date and closed it. And after the update I never saw it kill that process again, even after restarting the computer. That's pretty much why I'm posting now, 'cause I know ZeroAccess is a nasty rootkit if I have it. Would be a bit weird though, since nothing else like TDSSKiller or MBAM Anti-Rootkit popped up with anything.
 
Any help would be great, here's the FRST log. And the Additional.txt attached.
 
Colin
 
 
Ran by ColinR (administrator) on COLIN on 25-04-2015 20:00:12
Running from C:\Users\ColinR\Desktop
Loaded Profiles: ColinR (Available profiles: ColinR)
Platform: Windows 8.1 Pro (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(NVI... Read more

A:possible zeroaccess rootkit

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.
If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===
ATTENTION: System Restore is disabled.
Important.
Turn System Restore on - Windows Help
http://windows.microsoft.com/en-ca/windows/turn-system-restore-on-off#1TC=windows-7
===
Open notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.

start

CloseProcesses:

CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2015-03-05]
R3 cpuz138; \??\C:\Users\ColinR\AppData\Local\Temp\cpuz138\cpuz138_x64.sys [X]
S3 WinRing0_1_2_0; \??\C:\Program Files (x86)\Steam\steamapps\common\Driver Fusion Premium\DriverFusion.sys [X]

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from. The location is listed in the 3rd line of the Farbar log you have submitted.
Run FRST and click Fix only once and wait.
Restart the computer normally to reset the registry.
The tool will create a log (Fixlog.txt), please post it to your reply.
===
The rest of the logs are clean.

Read other 5 answers

Hello everyone I was reading on a few forums and came across a great guide to remove and it instructed me to download DDS and post my logs here in the instance someone can help!  I'm having issues running windows defender and I always get the error code 0x80073b01.  I'm still able to use my machine but it's a little aggravating that I can't ditch this thing!  Any help would be appreciated!
 

Attachments: dds.txt (17.27KB), attach.txt (14.64KB)
 

A:ZeroAccess Rootkit

Hello Tim20637,
Welcome to Bleeping Computer.
My name is fireman4it and I will be helping you with your Malware problem.
Please take note of some guidelines for this fix:
Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
In the upper right hand corner of the topic you will see a button called Follow This Topic. I suggest you click it and select Immediate E-Mail notification and click on Follow This Topic. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.
Finally, please reply using the Post button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
I will be analyzing your log. I will get back to you with instructions.
1. Download AdwCleaner
Double click on AdwCleaner.exe to run the tool.
***Note: Windows Vista and Windows 7 users: Right click on the adwCleaner.exe and select "Run as administrator"
Click the Clean button.
A logfile will automatically open after the scan has finished.
Please post the content of that logfile in your next reply.
Or you can fin... Read more

Read other 9 answers

Hello all!! I want to thank first all that can help and it will be highly appreciated!! Sorry for the Long Post!!

This PC belongs to a college student (daughter of a friend) and she needs this computer as soon as possible. I (the friend who builds computers as a hobby) find myself always cleaning up other people's PCs from their mistakes. Let's get to the nitty gritty here!! This machine would not boot!! When starting up it would go as far as the Win XP logo scan and then "BSOD", restart and same thing. I was able to boot into Safe Mode and from my own PC was able to download Kaspersky Virus Removal Tool. It found several infected files. I saw during its scan a Rootkit; after it was done scanning it cleaned what it saw, so then I rebooted. Since I saw the rootkit virus (was not sure which one) I uninstalled Malwarebytes and downloaded a fresh version and scanned the PC with it and it found nothing. ESET Smart Security would not work and I attempted to delete it to no avail. I downloaded GMER and ran it in safe mode and it found nothing. System was still unstable (Google redirect): every time I would google each malware or virus site on this PC and click on it, it would redirect me to a different site. During this process the Microsoft Security Virus pop-up scan started to happen, so I disconnected from the internet by disconnecting the ethernet cable from the PC, restarted the PC into safe mode and scanned using Kaspersky Security Scan an... Read more

A:Rootkit.ZeroAccess

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
To help Bleeping Computer better assist you please perform the following steps:
***************************************************
In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.
CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/461804 <<< CLICK THIS LINK
If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.
***************************************************
If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lo... Read more


Due to not knowing the new rules I am reposting this thread, since I posted it in the wrong section. (I removed as much as I could from the old post.)

This post is broken down into NEW POST and OLD POST! The new post includes all steps in the preparation guide. The old post contains an explanation of the problem and all steps I had taken. Thank you for any and all assistance, it is greatly appreciated.

NEW POST
///////////////////////////////////////////////////////////////////////////////////////////////////////////////
Preparation Guide Steps taken
1. Backup your data. --> Not possible when dealing with ZeroAccess Rootkit, as any attached device will most likely be compromised.
2. Not all slow computers are caused by Malware --> My computer is not slow
3. Create a free account --> To my knowledge this account was registered years ago
4. Enable topic reply notification by default --> Enable
5. Enable a firewall --> Already Running Comodo
6. Disable your CD Emulation Software --> Currently do not have one running
7. Download and Run DDS which will create a log of programs running on your computer --> Attached and copy and pasted below.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_31
Run by Yoshi at 20:26:55 on 2012-07-25
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.12279.10229 [GMT -4:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A4... Read more

A:ZeroAccess Rootkit and more

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/462474 <<< CLICK THIS LINK

If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lo... Read more


I have the same problem as the member in this post http://www.bleepingcomputer.com/forums/topic402589.html
I have run ComboFix which said
Any help you can give would be much appreciated
ComboFix log attached
kind regards

ComboFix 11-06-09.06 - user 10/06/2011 11:09:18.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2038.1720 [GMT 1:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
AV: ZoneAlarm Security Suite Antivirus *Disabled/Updated* {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
 * Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2011-05-10 to 2011-06-10 )))))))))))))))))))))))))))))))
.
.
2011-06-07 14:15 . 2008-04-13 23:12 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2011-06-07 14:15 . 2001-08-17 21:36 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2011-06-07 14:13 . 2001-08-17 11:13 16925 -c--a-w- c:\windows\system32\dllcache\w940nd.sys
2011-06-07 14:12 . 2001-08-17 13:07 32640 -c--a-w- c:\windows\system32\dllcache\symc8xx.sys
2011-06-07 14:11 . 2001-07-21 13:29 161568 -c--a-w- c:\windows\system32\dllcache\sgsmusb.sys
2011-06-07 14:10 . 2008-04-13 17:41 17664 -c--a-w- c:\windows\system32\dllcache\ppa3.sys
2011-06-07 14:09 . 2001-08-17 21:36 60480 -c--a-w- c:\windows\system32&... Read more

A:Rootkit ZeroAccess

Good evening. Please download Rootkit Unhooker from here and save it to your Desktop - you will need to unzip it before you continue.

To do this: Right click on the zipped folder and from the menu that appears, click on Extract All... In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again. In the final window, click on Finish.

Disable your anti-virus real-time protection as it may interfere with the scanner.
Open the RKUnhookerLE folder and double click RKUnhookerLE.EXE to begin.
Click the Report Tab at the top right and then the Scan button at the bottom.
Ensure that Drivers, Stealth, Files and Code Hooks are checked and the rest aren't and then click OK.
Put the kettle on while you wait for the first part of the scan to complete.
When prompted to Select Disks for Scan ensure that only C:\ is checked and then click OK.
Open the biscuits while you wait for the second part of the scan to complete.
Once complete, click File > Report and save the file somewhere handy - the Desktop is as good a place as any.
Click Close to... well... close the scanner and confirm it in the next Window.

Let me have the contents of the log that you saved in your next reply.


Hello,

I was sent here from the 'Am I Infected' forum.

I have used ComboFix on my machine before I knew about this forum.

It detects a ZeroAccess RootKit, but never seems to complete.

If I run again, it detects again, but again never completes.

I'm looking for help going forward.

Thanks!

A:ZeroAccess Rootkit

I tried to run DDS but it hangs after putting about 40 # characters across the screen.

GMER puts up an error message about a driver error and then brings up the main screen with most of the boxes on the right side grayed out.

It did produce a log based on services, registry, and files:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-04-16 23:34:14
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\John\LOCALS~1\Temp\pfryrpoc.sys
---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected]
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT... Read more


I ran combofix and when it was scanning it said "You are infected with Rootkit.ZeroAccess! It has inserted itself into the tcp/ip stack." It then says it needs to reboot because it detected rootkit activity. After it got done I couldn't get internet, so I ran combofix again and I still get no internet. My internet connection says "Wireless Network Connection" doesn't have a valid IP configuration.

I've already tried resetting the modem and turning it off and back on.

Any help on this would be really appreciated.

Here's this: DDS

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_07
Run by BBY at 21:27:22 on 2011-12-30
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.2046.1169 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Win... Read more

A:Rootkit.ZeroAccess!

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/435447 <<< CLICK THIS LINK

If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lo... Read more


I have a Google redirect problem, an annoying popup, no sound, and can't scan with Malwarebytes without it crashing. I also have Malwarebytes (in my system tray) constantly blocking malicious sites. I was sent to this forum from another and have done the DDS scan and tried doing GMER, but it crashes before it gets done. I can't paste the DDS report from this PC, because it won't let me send it. So all I can do for now is send the attach.txt file. I'll have to try a different PC to send the rest.

You can go to this topic if you want more information on this:

http://www.bleepingcomputer.com/forums/topic422818.html

A:possible zeroaccess rootkit

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together:
Do not run any other tool until instructed to do so!
Please do not attach logs or put them in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed; this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with. Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:
Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
The application window will appear Click the Disable button to disable your CD Emulation drivers Click Yes to continue A 'Finished!' message will appea... Read more


Have an HP XP Pro SP3 machine with the ZeroAccess rootkit. I have worked on other machines that have also had this virus but this one doesn't want to leave. I have tried ComboFix, Malwarebytes, tdds, fixtdds, Hitman Pro, and RogueKiller. Any help would be amazing.

DDS (Ver_2012-11-20.01) - NTFS_x86 NETWORK
Internet Explorer: 8.0.6001.18702
Run by Administrator at 17:05:22 on 2012-11-28
.
============== Running Processes ================
.
C:\WINDOWS\Explorer.EXE
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: DataVault Bar: {0D792CB2-2654-4E99-A597-7FC317F04D61} - c:\program files\datavault\ie.dll
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkg... Read more

A:Need help with ZEROACCESS rootkit

Please run the following:

Please download aswMBR.exe and save it to your desktop.
Double click aswMBR.exe to start the tool. When asked if you want to download Avast's virus definitions please select Yes.
Click Scan

Upon completion of the scan, click Save log and save it to your desktop, and post that log in your next reply for review. Note - do NOT attempt any Fix yet.
You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well.


Hello, I have scanned my computer with Malwarebytes today, and have found that I have a Rootkit.ZeroAccess Trojan on my PC. I would very much appreciate any help in removing this virus.
 
Here are the logs.
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.16428  BrowserJavaVersion: 1.6.0_03
Run by Family at 19:30:09 on 2013-12-15
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.4087.2130 [GMT -5:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
C:\Program Files (x86)\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\Program Files (x86)\... Read more

A:Zeroaccess rootkit

Hello bleggerjeg, I would like to welcome you to the Malware Removal section of the forum. Around here they call me Gringo and I will be glad to help you with your malware problems.

Very Important --> Please read this post completely. I have spent my time to put together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!

Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything. Pay special attention to the NOTE: lines; these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the sam... Read more


I have the same problems as others here with Rootkit.ZeroAccess. I tried to post on these other threads but it says I'm not allowed to do so. I guess users aren't supposed to contribute to threads. Anyway, nothing seems to be able to clean this. TDSSKiller, ComboFix, MBAM...

This is on a user's netbook running XP home premium.

I'm figuring this machine will need to be re-installed, but I'm wanting to learn more about what can be done in case this happens to other users that I support. I am by no means an expert in cleaning these things out, so if someone would like to try anything I am also willing.

Thanks all.

A:Rootkit.Zeroaccess

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Larry at 8:00:31 on 2011-09-08
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.686 [GMT -5:00]
.
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\wscntfy.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6�... Read more


Hello,

I have a workstation infected with the Rootkit ZeroAccess.
It has NOD32 Antivirus v4 installed but the ESET service doesn't have permission to start.
I have no connection to the Windows 2008 Server, but I do have a connection to the internet.

I ran Maxlook and Maxhandle; they found nothing.

Then I ran Kaspersky TDSSKiller and it found the Win32.Zaccess Rootkit.
I have no report from the TDSS but the rootkit was in C:\windows\system32\drivers\serials.sys
and I cured it.

Please Help

A:Rootkit ZeroAccess

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/412796 <<< CLICK THIS LINK

If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the low... Read more


So I thought I was just having issues hooking up with my router. Further investigation turned up a ZeroAccess and then even FURTHER analysis leads to some form of disturbing malware/adware on IE, which I never use... except I'm hearing Wendy's commercials for Flatbread over and over again in, like, some kind of audio cascade... like the second one starts after the first one gets to the second sentence, then the third after it gets to the third, etc.... so I can hear 5-10 versions of Wendy's flatbread commercials, and then what sounds like a daytime chat show giving me cooking tips...
 
Tried System Restore (no restore points exist for the history of my machine, of course). Tried most of the usual suspects (MBAM, etc.) but they find nothing wrong. Couldn't get anything to really get me back online, and the only way I can get Internet now is through PDANet on my cellphone, tethered. Dunno why that works, but it does.
 
HOWEVER... when I reboot there is a BRIEF window wherein I have a glimmer of IP4 connectivity. It never lasts 5 minutes.
 
And as I was attacking this as a Networking Issue I am going to put down the Mouse and Slowly Back Away until someone that knows what the HELL is going on in my haunted machine tells me what's up.
 
Thanks in advance.
 
Jim

A:Zeroaccess AND a Rootkit? really?

Oh yeah, Vitals...
 
AMD athlon 64bit windows 7 home premium SP1


Windows 7 Home Premium 64 Bit PC is infected with ZeroAccess Rootkit.
(consrv.dll issue, Google redirect)
I am fairly tech savvy. Let's roll. Logs are included.

Original thread: http://www.bleepingcomputer.com/forums/topic417314.html/page__pid__2395616#entry2395616

Here's the SystemLook log:
SystemLook 30.07.11 by jpshortstuff
Log created at 23:48 on 03/09/2011 by Lia
Administrator - Elevation successful

========== filefind ==========

Searching for "consrv.dll"
C:\Windows\System32\consrv.dll --a---- 31744 bytes [23:31 13/07/2009] [01:39 14/07/2009] EFC97D330E6295DE859B06F661390A6D
C:\Windows\system64\consrv.dll --a---- 31744 bytes [23:31 13/07/2009] [01:39 14/07/2009] EFC97D330E6295DE859B06F661390A6D

Searching for "winsrv.dll"
C:\Windows\System32\winsrv.dll --a---- 214528 bytes [23:53 09/08/2011] [05:34 24/06/2011] EB6A48CC998E1090E44E8E7F1009A640
C:\Windows\system64\winsrv.dll --a---- 214528 bytes [23:53 09/08/2011] [05:34 24/06/2011] EB6A48CC998E1090E44E8E7F1009A640
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.16385_none_12738849b6063c52\winsrv.dll --a---- 214016 bytes [23:38 13/07/2009] [01:41 14/07/2009] 457B44AB6D502E55F64A867D4F35C76C
C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7600.16723_none_12b26ed5b5d7569a\winsrv.dll --a---- 214016 bytes [03:50 11/02/2011] [06:16 21/12/2010] B2... Read more

A:ZeroAccess Rootkit

Sorry for my impatience, but I ran ComboFix and it solved the redirect problem. If you see any other issues that need addressing, I'm all ears.
I've used that awesome tool for years, and Bleeping Computer was the first place I heard about it.


Good evening, I was sent here from the Am I infected forum. I was having a lot of functionality issues with my PC. I had Microsoft Security Essentials on my PC and it would always pick up viruses but never resolved them. I then downloaded Malwarebytes and Bit Defender to my computer. I started to receive messages from Bit Defender stating that it could not work properly due to something being wrong with installation and folders. I uninstalled Bit Defender and reinstalled Microsoft Security Essentials and again it picked up viruses. I came to Bleeping Computer and posted my issue to the Am I infected forum. Broni helped me and I have done Security Check, MiniToolBox, and MBAM Anti-Malware and rootkit scans. I was told that I am infected with a ZeroAccess Rootkit and I need elevated help and was sent here. I will now post my logs. Thanks very much for the help.

Here's the link to the topic in the Am I infected forum:
http://www.bleepingcomputer.com/forums/t/491445/microsoft-security-essentials-is-picking-viruses/
http://www.bleepingcomputer.com/forums/t/491445/microsoft-security-essentials-is-picking-viruses/page-2

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16537  BrowserJavaVersion: 1.6.0_32
Run by Lorna at 20:26:27 on 2013-04-15
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3839.1619 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
SP: Windows Def... Read more

A:ZeroAccess Rootkit

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 10/28/2011 8:28:01 AM
System Uptime: 4/15/2013 1:51:17 AM (19 hours ago)
.
Motherboard: Hewlett-Packard | | 2AAC
Processor: AMD Athlon™ II X2 245e Processor | CPU 1 | 783/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 682 GiB total, 601.132 GiB free.
D: is FIXED (NTFS) - 16 GiB total, 1.999 GiB free.
E: is CDROM ()
F: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP409: 3/30/2013 4:58:20 PM - Installed Java 7 Update 17
RP411: 4/3/2013 7:43:59 PM - Windows Update
RP412: 4/8/2013 9:40:20 AM - Windows Backup
RP413: 4/9/2013 6:49:45 AM - Windows Update
RP414: 4/9/2013 9:21:08 PM - Restore Operation
RP415: 4/10/2013 6:24:39 PM - Windows Update
RP416: 4/14/2013 10:54:19 AM - Windows Update
RP417: 4/15/2013 10:29:21 AM - Windows Backup
RP418: 4/15/2013 11:55:09 AM - Removed StuffIt 2010.
RP419: 4/15/2013 11:55:52 AM - Removed StuffIt 2010.
RP420: 4/15/2013 11:56:38 AM - Removed StuffIt 2010.
RP421: 4/15/2013 11:57:10 AM - Removed StuffIt 2010.
RP422: 4/15/2013 11:58:35 AM - Removed StuffIt 2010.
RP423: 4/15/2013 11:59:02 AM - Removed StuffIt 2010.
RP424: 4/15/2013 11:59:36 AM - Removed StuffIt 2010.
RP425: 4/15/2013 1:11:33 PM - Removed StuffIt 2010.
RP426: 4/15/2013 1:13:43 PM - Removed StuffIt 2010.
RP427: 4/15/20... Read more


Hello,
 
I have run rkill by using a USB drive from a clean computer and found that I have ZeroAccess Rootkit.
 
 * ALERT: ZEROACCESS Reparse Point/Junction found!
     * C:\Program Files\Windows Defender\en-US => c:\windows\system32\config\ [Dir]
     * C:\Program Files\Windows Defender\MpAsDesc.dll => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MpClient.dll => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MpCmdRun.exe => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MpCommu.dll => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MpEvMsg.dll => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MpOAV.dll => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MpRTP.dll => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MpSvc.dll => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MSASCui.exe => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MsMpCom.dll => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MsMpLics.dll => c:\wind... Read more

A:ZeroAccess Rootkit

Hi and welcome to Bleeping Computer Forums! My name is Jürgen and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully:
My native language isn't English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.
Please read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
Perform everything in the correct order. Sometimes one step requires the previous one.
If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
Do not run any other scans without instruction or Add/Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
If I don't hear from you within 5 days from this initial or any subsequent post, then this thread will be closed.
If I don't reply within 24 hours please PM me!
Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.

Step 1
Please run a FRST scan. This will help us diagnose your problem.
Please download Farbar Recovery Scan Tool and save it to your Desktop.
(If you are not sure which version (32-/64-bit) applies to your system, d... Read more


Hi all,
I created this topic: http://www.bleepingcomputer.com/forums/t/531316/virus-or-vista/
 
Broni told me to follow steps 6, 7, and 8 in this guide: http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
 
I have done that, and here is the DDS.txt log. Attach.txt is attached.
 
 
DDS.txt:
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16540  BrowserJavaVersion: 10.5.1
Run by Christopher at 20:32:24 on 2014-04-21
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.2942.1883 [GMT -6:00]
.
AV: Norton Security Suite *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Security Suite *Disabled/Outdated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Security Suite *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\rundll32.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\Network... Read more

A:ZeroAccess Rootkit DDS log

Hi there, my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.
First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
Perform everything in the correct order. Sometimes one step requires the previous one.
If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Scan with Gmer rootkit scanner
Please download Gmer from here by clicking on the "Download EXE" Button.
Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
If it gives you a warning about rootkit activity and asks if you want to ru... Read more


Laptop infected with Rootkit.ZeroAccess in the TCP/IP Stack according to ComboFix. I am attaching the aswMBR log and the TDSSKiller log (which found no infections). In a nutshell, the computer connects to networks but does not get an IP address. The laptop has tons of other infections that have been removed but this one is a tough one.

aswMBR log
TDSS log

Edit: Moved topic from Am I infected? What do I do? to the more appropriate forum, due to the request for a ComboFix log. ~ Animal

A:Rootkit.ZeroAccess

Hello Digital Minds,
Could you please post me up the ComboFix report?
Thanks,
tea


Hello, a friend brought me his computer to look at. He apparently already found his way to combofix, ran it, and it said he had Rootkit.Zeroaccess. He says that immediately after running it, internet access was restored to the computer, but after running windows updates, it was back to no network access, and running combofix again said tdx.sys was missing. He also said that the Windows Malicious software removal tool delivered via Update found 1 item, and claimed to remove it.
 
The computer is a little Eee mini-laptop running Win 7 starter edition. I've looked it over, and found it to be clean of obvious problems, but the only way currently to get files on the machine is via USB CDROM.
 
How should I proceed?
 
Edit: I've generated a log file for this computer, but am having a hard time getting it off of the PC... Not only will it not connect to the network/internet, but it also will not allow a USB thumb drive. It reads from the USB CDROM, and I'd try an RW disc in there, but I don't have one handy... I have a USB HDD, but I don't want to risk it getting infected. Ideas?

A:Rootkit.ZeroAccess

Okay, cool, CDRW did the trick! I don't see how to attach attach.txt, though...
 
DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 11.0.9600.17207
Run by Owner at 16:38:23 on 2014-09-08
Microsoft Windows 7 Starter   6.1.7601.1.1252.1.1033.18.1015.362 [GMT -4:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\System32\spoolsv.exe
C:\windows\system32\taskhost.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\SynAsusAcpi.exe
C:\Windows\System32\AsusService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Boingo\Boingo Wi-Fi\Boingo Wi-Fi.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ASUS\Eee Docking\Eee Docking.exe
C:\Program Files\EeePC\HotkeyService\HotkeyService.exe
C:\Program Files\EeePC\SHE\SuperHybridEngine.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\EeePC\HotkeyService\HotKeyMon.exe
C:\Program Files\TeamViewer\Version8\TeamViewer_Service.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\Micr... Read more


(Windows XP SP3) Malwarebytes is telling me that I have been infected with Rootkit.ZeroAccess! I have heard about how nasty this rootkit is. I've tried to quarantine it, but I read the Malwarebytes log and it told me it could not be quarantined (Error Code 2)! I have run ComboFix out of sheer paranoia, as I know about the keyloggers and proxy redirects that come with it, but after I ran it (and it told me that it removed it) I got a popup from Malwarebytes that it had re-installed itself into a differently named folder in the TEMP section of C:\WINDOWS. Please help me! I have no idea how to get rid of it now!

A:Rootkit.ZeroAccess

Hi JacobE and welcome to BC.

Please read the preparation guide: http://www.bleepingcomputer.com/forums/topic34773.html
Post the logs when ready and we will begin from there. Thanks.


Help! I cannot access the internet but I can access my wireless printer? I have run some scans for you: HijackThis, GMER, DDS. I could not get System Info to run. Thank you for your help.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:01:43 AM, on 12/10/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Program Files\ASUS\EPU-4 Engine\FourEngine.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\RFA\rfagent32.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Fil... Read more


First the XP Antivirus 2012 started popping up with the fake scans and asking for money. The computer constantly had windows popping up running some sort of program that the dialog box said Hello4 and if you could get taskmanager to run, you'd see numerous instances of cvp.exe constantly running.

I've tried various methods to get rid of this but none have been successful. Right now I've got it booted in safe mode with the GMER and DDS programs downloaded from another computer onto a flash drive.

Please help!

Here are the logs:

DDS:
.
DDS (Ver_2011-06-23.01) - NTFSx86 MINIMAL
Internet Explorer: 8.0.6001.18702
Run by Administrator at 18:23:52 on 2011-08-14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.3030 [GMT -4:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\... Read more

A:ZeroAccess rootkit

Hello and welcome. Please follow these guidelines while we work on your PC:
Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I've given you the "All clear." Absence of symptoms does not mean your machine is clean!
Please do not run any scans or install/uninstall any applications without being directed to do so.
Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.

Download ComboFix from one of the following locations: Link 1 Link 2
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agr... Read more


After I scanned with Rkill I got this.
 
 
Rkill 2.6.8 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html
 
Program started at: 09/02/2014 11:04:34 PM in x64 mode.
Windows Version: Windows Vista ™ Ultimate Service Pack 2
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * No malware processes found to kill.
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * ALERT: ZEROACCESS rootkit symptoms found!
 
     * C:\Users\användaren\AppData\Local\{e0835e5f-12a3-b613-4e76-39b26fe0f14d}\ [ZA Dir]
     * C:\Users\användaren\AppData\Local\{e0835e5f-12a3-b613-4e76-39b26fe0f14d}\L\ [ZA Dir]
     * C:\Users\användaren\AppData\Local\{e0835e5f-12a3-b613-4e76-39b26fe0f14d}\U\ [ZA Dir]
     * C:\Windows\installer\{e0835e5f-12a3-b613-4e76-39b26fe0f14d}\ [ZA Dir]
     * C:\Windows\installer\{e0835e5f-12a3-b613-4e76-39b26fe0f14d}\L\ [ZA Dir]
     * C:\Windows\installer\{e0835e5f-12a3-b613-4e76-39b26fe0f14d}\U\ [ZA Dir]

A:zeroaccess rootkit

Hi there, these are just remnants of an old infection. Please run a FRST scan to check the current state of your computer:
Please download Farbar Recovery Scan Tool and save it to your Desktop.
Start FRST with administrator privileges.
Make sure the option Addition.txt is checked and press the Scan button.
When finished, FRST will produce two logs (FRST.txt and Addition.txt) in the same directory the tool was run from.
Please copy and paste these logs in your next reply.


Greetings and Welcome to The Forums!!
My name is Gringo and I'll be glad to help you with your malware problems.
I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the top o... Read more

A:ZeroAccess Rootkit

Results of screen317's Security Check version 0.99.56
Windows 7 x64 (UAC is enabled)
Out of date service pack!!
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
avast! Antivirus
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Ad-Aware
Malwarebytes Anti-Malware version 1.65.1.1000
Adobe Flash Player 11.5.502.135
Adobe Reader XI
Mozilla Firefox (17.0.1)
Google Chrome 21.0.1180.83
Google Chrome 21.0.1180.89
Google Chrome 22.0.1229.79
Google Chrome 22.0.1229.92
Google Chrome 22.0.1229.94
Google Chrome 23.0.1271.64
Google Chrome 23.0.1271.91
Google Chrome 23.0.1271.95
Google Chrome 23.0.1271.97
Google Chrome plugins...
````````Process Check: objlist.exe by Laurent````````
Ad-Aware AAWService.exe is disabled!
Ad-Aware AAWTray.exe is disabled!
Ad-Aware Antivirus AdAwareService.exe
Ad-Aware Antivirus SBAMSvc.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````
