Trojan.Zeroaccess!inf4 detected in services.exe, also Bitcoinminer is repeatedly detected/blocked

Today Norton Antivirus began to block threats from Trojan.Zeroaccess.B, Trojan.Gen, Trojan.Gen.2, and Trojan.Zeroaccess.C. I have been prompted to do a manual removal of Trojan.Zeroaccess!inf4 from c:\windows\system32\services.exe. Additionally, Bitcoinminer is being repeatedly detected, blocked and quarantined. I'm not sure if Norton is having a problem deleting/quarantining Bitcoinminer, or if it is actually being downloaded over and over. I suspect that these two problems are related, as they started at the same time.

From what I gather, the fix seems to be quite complicated and I would appreciate some help.

My system is running 64-bit Windows 7 Home Premium w/ SP 1. Looking at similar threads, it looks like I'll need to use a flash drive to run removal tools. I do not currently have a flash drive on hand, but I do have a 4 GB SD card. Will that be a sufficient replacement?

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16457 BrowserJavaVersion: 10.9.2
Run by Ii-chan at 21:49:01 on 2013-01-23
Microsoft Windows 7 Home Premium 6.1.7601.1.932.81.1033.18.6060.2045 [GMT -8:00]
.
AV: Norton AntiVirus *Enabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton AntiVirus *Disabled/Outdated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Bar = Preserve
uProxyServer = 127.0.0.1:8118
uProxyOverride = localhost; 127.0.0.1; <local>
mWinlogon: Userinit = userinit.exe,
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton AntiVirus\Engine\20.2.0.19\ips\ipsbho.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Norton Identity Protection: {AB4C7833-A6EC-433f-B9FE-6B14B1A2F836} - C:\Program Files (x86)\Norton Identity Safe\Engine\2013.2.1.33\coieplg.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} -
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} -
TB: Norton Identity Safe Toolbar: {A13C2648-91D4-4bf3-BC6D-0079707C4389} - C:\Program Files (x86)\Norton Identity Safe\Engine\2013.2.1.33\coieplg.dll
EB: <No Name>: {555D4D79-4BD2-4094-A395-CFC534424A05} - LocalServer32 - <no file>
EB: <No Name>: {555D4D79-4BD2-4094-A395-CFC534424A05} - LocalServer32 - <no file>
uRun: [Best Buy pc app] C:\Users\Ii-chan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Best Buy\Best Buy pc app.appref-ms
uRun: [Google Update] "C:\Users\Ii-chan\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [Vidalia] "C:\Program Files (x86)\Vidalia Bundle\Vidalia\vidalia.exe"
uRun: [GoogleDriveSync] "C:\Program Files (x86)\Google\Drive\googledrivesync.exe" /autostart
uRun: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
uRun: [Pando Media Booster] C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe
uRun: [Free Download Manager] C:\Users\Ii-chan\AppData\Roaming\Free Download Manager\fdm.exe -autorun
uRun: [WideSearch] C:\Users\Ii-chan\AppData\Local\WideSearch\wsearch.exe
uRun: [GetBooks] "C:\Users\Ii-chan\AppData\Local\GetBooks\GetBooks.exe" a1690a988b8442db3cce70eaf88c1ae3
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [ISBMgr.exe] "C:\Program Files (x86)\Sony\ISB Utility\ISBMgr.exe"
mRun: [PMBVolumeWatcher] C:\Program Files (x86)\Sony\PMB\PMBVolumeWatcher.exe
mRun: [BCSSync] "C:\Program Files (x86)\Office14\BCSSync.exe" /DelayServices
mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [RemoteControl11] "C:\Program Files (x86)\CyberLink\PowerDVD11\PDVD11Serv.exe"
mRun: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe" -osboot
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\BLUETO~1.LNK - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\HPDIGI~1.LNK - C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\RAINME~1.LNK - C:\Program Files\Rainmeter\Rainmeter.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} -
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_09-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_09-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{D6902170-4215-41CA-B9D1-9BBD15F1A144} : DHCPNameServer = 202.100.128.68 202.100.138.68
TCP: Interfaces\{E9CDFEE0-A30F-4642-8B0A-9FB2D955C2A6} : DHCPNameServer = 192.168.1.254
TCP: Interfaces\{E9CDFEE0-A30F-4642-8B0A-9FB2D955C2A6}\24167656C6E45647 : DHCPNameServer = 208.67.222.123 208.67.220.123
TCP: Interfaces\{E9CDFEE0-A30F-4642-8B0A-9FB2D955C2A6}\353686F6F6C6 : DHCPNameServer = 8.8.8.8 8.8.4.4
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
x64-BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} -
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [RtHDVBg] C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe /FORPCEE3
x64-Run: [Apoint] C:\Program Files (x86)\Apoint\Apoint.exe
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [RtHDVBg_Dolby] C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe /FORPCEE3
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} -
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} -
x64-DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
x64-DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
x64-Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
x64-SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
.
=============== Created Last 30 ================
.
2013-01-24 01:33:41 27256 ----a-w- C:\Windows\System32\drivers\FixZeroAccess.sys
2013-01-24 01:23:00 -------- d-----w- C:\Users\Ii-chan\AppData\Local\GetBooks
2013-01-24 01:23:00 -------- d-----w- C:\Users\Ii-chan\AppData\Local\Babylon
2013-01-24 01:22:49 -------- d-----w- C:\ProgramData\Babylon
2013-01-24 01:22:48 -------- d-----w- C:\Users\Ii-chan\AppData\Roaming\Babylon
2013-01-24 01:22:35 -------- d-----w- C:\Users\Ii-chan\AppData\Local\WideSearch
2013-01-24 01:22:30 -------- d-----w- C:\Users\Ii-chan\AppData\Roaming\Free Download Manager
2013-01-24 00:54:41 57436 ----a-w- C:\Windows\DASShp.dll
2013-01-24 00:54:41 217174 ----a-w- C:\Program Files (x86)\Common Files\Microsoft Shared\ClearType\ctras.dll
2013-01-24 00:54:38 -------- d-----w- C:\Program Files (x86)\Microsoft Reader
2013-01-24 00:54:31 77824 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\ctor.dll
2013-01-24 00:54:31 32768 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\objectps.dll
2013-01-24 00:54:31 221184 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\IScript\iscript.dll
2013-01-24 00:54:31 221184 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\iuser.dll
2013-01-24 00:54:30 602244 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe
2013-01-09 05:00:11 750592 ----a-w- C:\Windows\System32\win32spl.dll
2013-01-09 05:00:11 492032 ----a-w- C:\Windows\SysWow64\win32spl.dll
2013-01-09 05:00:03 2002432 ----a-w- C:\Windows\System32\msxml6.dll
2013-01-09 05:00:02 1882624 ----a-w- C:\Windows\System32\msxml3.dll
2013-01-09 05:00:02 1389568 ----a-w- C:\Windows\SysWow64\msxml6.dll
2013-01-09 05:00:02 1236992 ----a-w- C:\Windows\SysWow64\msxml3.dll
2013-01-09 05:00:01 307200 ----a-w- C:\Windows\System32\ncrypt.dll
2013-01-09 05:00:01 220160 ----a-w- C:\Windows\SysWow64\ncrypt.dll
2013-01-09 04:58:24 68608 ----a-w- C:\Windows\System32\taskhost.exe
2013-01-09 04:58:23 3149824 ----a-w- C:\Windows\System32\win32k.sys
2013-01-04 08:59:15 168096 ----a-w- C:\Windows\System32\drivers\NSTx64\7DD02010.021\ccsetx64.sys
2013-01-04 08:59:01 -------- d-----w- C:\Windows\System32\drivers\NSTx64\7DD02010.021
.
============= FINISH: 21:49:46.78 ===============


A: Trojan.Zeroaccess!inf4 detected in services.exe, also Bitcoinminer is repeatedly detected/blocked

Greetings and Welcome to The Forums!! My name is Gringo and I'll be glad to help you with your malware problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

These are the programs I would like you to run next, if you have any problems with these just skip it and run the next one.

-Security Check-
Download Security Check by screen317 from here. Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-AdwCleaner-
Please download AdwCleaner by Xplode onto your desktop.
Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click on Delete.
Confirm each time with Ok.
Your computer will be rebooted automatically. A text file will open after the restart.
Please post the content of that logfile with your next answer.
You can find the logfile at C:\AdwCleaner[S1].txt as well.

--RogueKiller--
Download & SAVE to your Desktop RogueKiller or from here.
Quit all programs that you may have started.
Please disconnect any USB or external drives from the computer before you run this scan!
For Vista or Windows 7, right-click and select "Run as Administrator" to start. For Windows XP, double-click to start.
Wait until Prescan has finished ... Then Click on "Scan" button.
Wait until the Status box shows "Scan Finished".
Click on "delete". Wait until the Status box shows "Deleting Finished".
Click on "Report" and copy/paste the content of the Notepad into your next reply. The log should be found in RKreport[1].txt on your Desktop.
Exit/Close RogueKiller.

+Gringo


I recently installed Norton 360 which reported 3 unresolved security risks:

High, desktop.ini (Trojan.Zeroaccess) detected by Auto-Protect, Restart Required, You must restart your computer., c:\windows\assembly\gac_32\desktop.ini
High, desktop.ini (Trojan.Gen.2) detected by Auto-Protect, Restart Required, You must restart your computer., c:\windows\assembly\gac_64\desktop.ini
High, services.exe (Trojan.Zeroaccess!inf4) detected by Virus scanner and Auto-Protect, Manual Removal Required, Review risk details on Symantec website., c:\windows\system32\services.exe

After attempting all the Symantec solutions, I have discovered that I do NOT have a BASE FILTERING ENGINE service, which generates errors in Norton Removal Tools. This is not good. Does this compromise my machine? Win7 Pro 64bit Dell Vostro 470. Any assistance would be welcome.

A:Trojan.Zeroaccess!inf4 on Services .exe - no BFE

Hello Tim_CSIRO! Welcome to BleepingComputer Forums! My name is Georgi and I will be helping you with your computer problems. Before we begin, please note the following:

I will be working on your Malware issues, this may or may not solve other issues you have with your machine.
The logs can take some time to research, so please be patient with me.
Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
Instructions that I give are for your system only!
Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.

Before we continue please read my general warning:

IMPORTANT NOTE: One or more of the identified infections is related to the rootkit ZeroAccess. Rootkits, backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal its presence (hide from view) in order to prevent detection of an attacker's software and make removal mo... Read more


Hi,
My computer has been infected by a malware called Trojan.BitcoinMiner.
A faked dwm.exe procedure is automatically created every time my PC is idle for about 1 minute,
and then self-killed right after a key is pressed or the mouse is moved.
Malwarebytes can't seem to detect it permanently.

So here I am.
I have followed the instructions and posted this request.
Below is my attach.txt:
 
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 企業版 
Boot Device: \Device\HarddiskVolume1
Install Date: 2012/7/12 下午 04:57:44
System Uptime: 2013/10/4 上午 08:25:55 (2 hours ago)
.
Motherboard: Gigabyte Technology Co., Ltd. |  | EP45-UD3R
Processor: Intel® Core™2 Quad CPU    Q8200  @ 2.33GHz | Socket 775 | 2333/333mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 270 GiB total, 122.887 GiB free.
D: is FIXED (NTFS) - 300 GiB total, 85.958 GiB free.
E: is FIXED (NTFS) - 932 GiB total, 176.721 GiB free.
F: is FIXED (NTFS) - 1397 GiB total, 825.313 GiB free.
S: is NetworkDisk (NTFS) - 932 GiB total, 90.435 GiB free.
W: is NetworkDisk (NTFS) - 400 GiB total, 256.091 GiB free.
X: is NetworkDisk (NTFS) - 400 GiB total, 292.108 GiB free.
Y: is FIXED (NTFS) - 26 GiB total, 15.323 GiB free.
Z: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {745a17a0-74d3-11d0-b6fe-0... Read more

A:dwm.exe(Trojan.BitcoinMiner) detected by Malwarebytes

Hello painpotato, Welcome to Bleeping Computer. My name is fireman4it and I will be helping you with your Malware problem.

Please take note of some guidelines for this fix:
Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools.
If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
In the upper right hand corner of the topic you will see a button called Follow This Topic. I suggest you click it and select Immediate E-Mail notification and click on Follow This Topic. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.
Finally, please reply using the Post button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.

Download RogueKiller on the desktop.
Close all the running processes.
Under Vista/Seven, right click -> Run as Administrator. Otherwise just double-click on RogueKiller.exe.
When prompted, Click Scan.
A report should open, give its content to your helper. (RKreport could also be found next to the executable.)
If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename in... Read more


Hello,

It looks like my home PC (Windows 7) may have been infected with the ZeroAccess trojan. It started yesterday with some kind of fake anti-virus software appearing on the desktop saying that the PC was infected with various things and under attack. The IE browser was displaying a page saying the same thing and I was unable to browse to other pages. I have McAfee installed on the PC and then the McAfee warning box popped up saying that it had removed a trojan called ZeroAccess. I then ran a full scan but nothing was found. The McAfee warning box then started popping up continually, referring to three files, ZeroAccess, ZeroAccess.ee and ZerAccess.eh in C:\Installed Applications.

All I have done since is run another scan in safe mode. After I re-started, the McAfee warning boxes have stopped popping up and I am able to use the IE browser. After reading up about this virus on the web, I decided it would be best to leave it at that and hopefully get some advice on the best way to tackle it from someone who knows a lot more about this than me! Any advice would be very gratefully received.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_29
Run by nicola at 0:03:14 on 2012-06-23
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.3327.1777 [GMT 1:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-... Read more

A:ZeroAccess Trojan Detected on PC

Greetings and Welcome to The Forums!! My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the ... Read more


Hi,

I found out today that my computer was infected with the ZeroAccess Trojan.  McAffee automatically quarantined the Trojan and I used the McAfee RootkitRemover Tool to remove the Trojan and infected file.  After I used the McAfee RootkitRemover Tool I have been unable to download anything in Internet Explorer 10.  I keep getting error messages that every download was detected as a virus and deleted.  I then noticed that McAfee RootkitRemover Tool removed Windows Defender, which I think is the reason why I am unable to download anything in IE 10.
 
To be safe I did a scan with Microsoft Online Safety Scanner and once again the ZeroAccess Trojan was found.  I am kind of at a loss of what else to do to remove this Trojan.  Below is the log from the McAfee RootkitRemover Tool when it removed the infected file and the HiJackThis log. 
 
Does anyone have any suggestions on how to remove this Trojan?
 
Thanks,
Brad

_________________________________________________________________________________

Log from McAfee RootkitRemover Tool

[TimeStamp: 20130703124251]

Rootkit Remover v0.8.9.161 [Apr  5 2013 - 16:14:29]
McAfee Labs.

Windows build 6.1.7601 x64 Service Pack 1
Checking for updates ...

Now Scanning...
    Malware Found --> ZeroAccess trojan detected!!!
    --> Malicious file: C:\Windows\assembly\GAC_32\desktop.ini ( will be deleted after restart )
    --> Maliciou... Read more

A:ZeroAccess Trojan Detected

Hello bkdesign, I would like to welcome you to the Malware Removal section of the forum. Around here they call me Gringo and I will be glad to help you with your malware problems.

Very Important --> Please read this post completely, I have spent my time to put together some things for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!

Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same"... Read more


Hi, My McAfee just detected the ZeroAccess Trojan on my computer.  It says it was quarantined, but this just happened to me 3 weeks ago.  Not sure what to do.
 
Below is the HiJackThis report
 
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:01:14 PM, on 8/14/2013
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v10.0 (10.00.9200.16635)
Boot mode: Normal
Running processes:
C:\Program Files\Alienware\Command Center\AlienFusionController.exe
C:\Program Files\Alienware\Command Center\AlienwareAlienFXController.exe
C:\Program Files\Alienware\Command Center\AWCCApplicationWatcher32.exe
C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe
C:\Program Files (x86)\Adobe\Adobe InDesign CS5\InDesign.exe
C:\Program Files (x86)\Extensis\Extensis Suitcase 11\Suitcase.exe
C:\Program Files (x86)\Adobe\Adobe Photoshop CS5\Photoshop.exe
C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe
C:\Program Files (x86)\Adobe\Adobe Dreamweaver CS5\Dreamweaver.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe
C:\Windows\sysWow64\SearchProtocolHost.exe
C:\Users\Brad\Desktop\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,... Read more

A:ZeroAccess Trojan Detected

Hello and welcome. Please follow these guidelines while we work on your PC:

Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.” Absence of symptoms does not mean your machine is clean!
Please do not run any scans or install/uninstall any applications without being directed to do so.
Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.

Please download Farbar Recovery Scan Tool and save it to your desktop.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.


Hello all, I recently discovered through my Norton Internet Security software that I have a trojan on my computer. It is located in C>Windows>system32>services.exe
I have Malwarebytes Anti-Malware already installed but it didn't pick up the trojan in a quick scan. The only off thing I noticed about my computer was that all my money was taken from my RuneScape account. I log in about once every 6 months to see what's new but when I last logged in, the game said I had logged in 4 days prior which is untrue. I really don't care about that but I'd like to make sure my other accounts don't get compromised.
 
Any help would be greatly appreciated.
 
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16457  BrowserJavaVersion: 10.45.2
Run by Riste at 14:14:54 on 2014-04-05
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.4094.1616 [GMT -4:00]
.
AV: Norton Internet Security *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.... Read more

A:Trojan.Zeroaccess!inf4 on my PC

Hello qpr05, I would like to welcome you to the Malware Removal section of the forum. Around here they call me Gringo and I will be glad to help you with your malware problems.

Very Important --> Please read this post completely, I have spent my time to put together some things for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!

Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", t... Read more


I'm running Windows 7 64 bit and I can not get Norton to delete the ZeroAccess.inf4. I have tried the Power Eraser and all the options listed in Norton's fix for the problem.
 
Please help me. Thank You

A:Trojan zeroaccess.inf4 please help me

Please do the following:

Download the appropriate version for your system of the Farbar Recovery Scan Tool and save it to a flash drive. (Choose the correct version depending on which architecture operating system you are using, 32bit (x86) or 64 (x64) bit.)
Plug the flashdrive into the infected PC.
Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

Select Command Prompt.
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" a... Read more


My McAfee has been "removing" this virus all day, I keep getting a pop up saying it has been removed but it obviously hasn't or it wouldn't be there anymore. It's a shared laptop so I'm not sure who or what it's from.  -_-
 
 
 
 
 
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16483  BrowserJavaVersion: 10.15.2
Run by Sammi at 14:04:16 on 2013-05-24
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.2.1033.18.8086.6249 [GMT -7:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {ADA629C7-7F48-5689-624A-3B76997E0892}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {16C7C823-5972-5907-58FA-0004E2F9422F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: McAfee Firewall *Enabled* {959DA8E2-3527-57D1-4915-924367AD4FE9}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\n... Read more

A:Detected: ZeroAccess (trojan) (Mcafee)

Also Mcafees firewall is being shut off every 10 mins or so


I'm running Windows 7 and use McAfee 11.

McAfee scan shows the ZeroAccess virus located in my recycle bin.

My internet connection keeps getting turned off b/c something is changing setting of firewall to "off".

I look forward to advice. Thanks!
.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.5.1
Run by mfaj5 at 14:16:15 on 2012-09-05
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.4010.671 [GMT -7:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k Loc... Read more

A:ZeroAccess Trojan detected; can't remove

McAfee is now popping up non-stop warnings saying trojans have been quarantined. Does anyone have any advice?


Hi,

I came back from vacation, and my computer would not start correctly. It would start Windows 7 Home Premium edition correctly, and I would be able to log in, but then it would freeze. I tried rebooting twice, but had the same result each time. I then tried rebooting in safe mode with networking, and then I ran MBAM and Norton Full System Scan. MBAM did not pick up anything, but Norton found two viruses which it was able to quarantine and remove, and also found a "Trojan.Zeroaccess!inf4" threat that required manual removal. I used this site to help remove a ZeroAccess rootkit back in July 2012, and I'm back now. I found the beta for the MalwareBytes Anti-rootkit Removal program and ran it, but it did not detect the ZeroAccess trojan. Thanks in advance for any help. The files from DDS are attached below.

eyen

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16455 BrowserJavaVersion: 10.7.2
Run by Edward at 14:49:44 on 2012-12-12
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.9175.5927 [GMT -6:00]
.
AV: Norton Internet Security *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\... Read more

A:Trojan.Zeroaccess!inf4 infection

Good evening.

Are you able, after running the scans, to boot into Windows normally and use it? Also, do you have a flashdrive of at least 128 Mb that you can wipe clean for a tool to help diagnose the issue?


Hello, I've recently come across this virus and I've heard really bad things about it. Norton says I have to delete it manually; I've tried Power Eraser and the Trojan.Zeroaccess Removal Tool yet nothing happens. I'm running Windows 7, 64 bit, any help is appreciated. I was also told to post the following logs:

 

A:Need help with Trojan.Zeroaccess!inf4 virus

Hi big13oss, Welcome to the forum.

Please download Farbar Recovery Scan Tool and save it to your desktop.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.


Hello, can anyone PLEASE help me remove this Trojan ZeroAccess from my laptop? I have had it for 2 days now and Norton cannot remove it or quarantine it. I have been attacked so many times by this trojan and it has been blocked many times; as I am typing this right now I am getting a pop up message of it being blocked and needing a restart. I've done that countless times to no avail.
 
I located where the trojan was coming from and Norton showed me it was in Windows > System32 > services. I tried to delete it myself because Norton asks for a manual removal but I'm not able to delete services.
 
I used all the Norton tools to delete it. Nothing happened. I used Malwarebytes, that did not delete it either because once it asked me to restart my laptop, the trojan attacked me again. Any help would be appreciated, I was redirected here by Quads from the Norton Community forum.
 
Alex

A:Trojan.zeroaccess!inF4 removal. Please help

Hello Sasuke92, I would like to welcome you to the Malware Removal section of the forum. Around here they call me Gringo and I will be glad to help you with your malware problems.

Very Important --> Please read this post completely, I have spent my time to put together some things for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!

Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same"... Read more


running windows 7, Norton keeps popping up with this warning I am infected with Trojan.Zeroaccess!inf4, but Norton is unable to remove it. I've also tried Malwarebytes and Microsoft security.
I ran through the preparation guide, disabled CD emulation and attached the files below
I ran Gmer, but most of the options were greyed out. I checked "Show All" and only services, registry, files and ADS were selected. I hope the Gmer log has enough info.

Please let me know if you need more information from me.
.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.6.2
Run by Owner at 8:53:36 on 2012-08-23
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3767.1901 [GMT -7:00]
.
AV: Norton AntiVirus *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton AntiVirus *Disabled/Outdated* {D8BEB080-B73A-17E3-1B37-B6B462689202}

A:Infected with Trojan.Zeroaccess!inf4

Greetings and Welcome to The Forums!! My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At... Read more


Hey guys. I'm the IT dept for my company and an employee has somehow gotten this virus on his computer. I tried the Trojan Removal tool that Symantec recommended but it couldn't find the virus. Anyone else had success in removing this? Thanks in advance.
 

A:Trojan.Zeroaccess!inf4 removal?

Please do the following:

Please download DDS from either of these links

LINK 1
LINK 2

and save it to your desktop.

Disable any script blocking protection.
Double click dds to run the tool.
When done, two DDS.txt's will open.
Save both reports to your desktop.

---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt
Attach.txt

NEXT

Please download aswMBR to your desktop.

Double click the aswMBR.exe icon to run it.
When asked if you want to download Avast's virus definitions please select Yes.
Click the Scan button to start the scan.
On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well.


Hello, I've recently come across this virus and I've heard really bad things about it. Norton says I have to delete it manually. I've tried Power Eraser and the Trojan.Zeroaccess Removal Tool yet nothing happens. I'm running Windows 7, 64 bit, any help is appreciated.

A:Need help with Trojan.Zeroaccess!inf4 virus

Welcome aboard. ZeroAccess rootkit requires elevated help. Please follow the instructions in THIS GUIDE starting at Step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it HERE. Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.


Hi and thanks in advance for the help.

I believe my computer has recently been infected. The first symptom was that my Norton 360 notified me of "An intrusion attempt by 7gafd33ja90a.com (85.12.46.155, 80) was blocked. Application path \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE."

I scanned my computer with Spybot S&D (quick and full scans), and Norton (quick and full scans). Spybot picked up some malware - sorry, cannot remember the name(s) - while Norton just cleaned up cookies and temporary internet files.

When I tried accessing internet after this, I still got the same Norton notifications about intrusion attempts.

I downloaded Malwarebyte's Anti-Malware, and after doing scans (quick and full), the program found that I had

Registry Keys Infected:
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack)
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite)

and

Files Infected:
C:\Documents and Settings\All Users\Application Data\sysReserve.ini (Malware.Trace)

These entries were removed, and the computer was restarted as requested by MBAM. After restarting, scans with Spybot, MBAM, and Norton detected nothing, but then later on in the day "Trojan.FakeAV" was detected by Norton.

I'm still getting intrusion attempt notifications when I access the internet - it seems the notifications pop up especially when I search something with Google. Also, earlier in the p... Read more

A:Norton repeatedly detects intrusion attempts, Trojan detected

Hello and welcome.

Run a full system scan in safe mode with the latest Norton definitions. Then unplug the network connection and reboot the computer. Does the backdoor.tidserv detection come up again? If so, then we need to search for another undetected process on your computer.

Now run TDSSKiller. Please read carefully and follow these steps.

Download TDSSKiller and save it to your Desktop. Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

Go to Start > Run (or you can hold down your Windows key and press R) and copy and paste the following into the text field (make sure you include the quote marks). Then press OK. (If Vista, click on the Vista Orb and copy and paste the following into the Search field (make sure you include the quotation marks). Then press Ctrl+Shift+Enter.)

"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file. It may ask you to reboot the computer to complete the process. Allow it to do so.

When it is done, a log file should be created on your C: drive called "TDSSKiller.txt". Please copy and paste the contents of that file here.

Next run MBAM (MalwareBytes): Please download Malwarebytes Anti-Malware (v1.46) and save it to your desktop. Before you save it rename it to say zztoy.exe. Alternate download link 1, alternate... Read more


I would greatly appreciate any help I can get with this. Norton 360 has informed me my computer is infected with Trojan.Zeroaccess!inf4, Trojan.Gen, Packed.Generic.382 and also Trojan.Webkit!html. I realized the seriousness of it when any browser I was using would freeze when I'd attempt to log in to online banking. Thankfully my bank noticed something was happening too and shut down the online banking before any $ damage was done. No more online banking till this gets fixed.
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16464  BrowserJavaVersion: 1.6.0_31
Run by Owner at 22:30:05 on 2013-02-18
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.2.1033.18.6143.1974 [GMT -5:00]
.
AV: Norton 360 *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton 360 *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton 360 *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}

A:Infected with Trojan.Zeroaccess!inf4, Trojan.Gen, Packed.Generic.382 + 1 more

Hello ddr12, Welcome to The Forums!! Around here they call me Gringo and I'll be glad to help you with your malware problems.

Very Important --> Please read this post completely, I have spent my time to put together some things for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!

Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your... Read more


Hi my name is Max and I am new on here.

I hope someone can help. I have recently moved and haven't used my PC for a couple of months. I have just started it up and tried to access the internet. I received an error message saying "The Server's Security Certificates Revoked! You attempted to reach [email protected] but the certificate that the server presented has been revoked by its issuer. This means that the security credentials the server presented absolutely should not be trusted. You may be communicating with an attacker. You cannot proceed because the website operator has requested heightened security for this domain"

Also my Avast security keeps alerting me to infected webpages. Malwarebytes has also detected and removed a trojan but I still cannot access the internet.

Please can someone help. I am not very computer literate so please bear with my ignorance.
I have posted my Malwarebytes log below along with the others you require:

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.08.11.04

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Max :: MAX [administrator]

11/08/2013 18:25:21
mbam-log-2013-08-11 (18-25-21).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 258775
Time elapsed: 29 minute(s), 20 second(s)

Memory Processes Detected: 0
(No malici... Read more

A:Trojan detected and Internet Blocked

Hi and welcome.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

 


AVG alerted me that services.exe (c:/windows/system32/services.exe) is a trojan horse. Because it's an integral system file, AVG whitelists it, but I'm still concerned about how it could be affecting my computer. Any instructions on resolving this problem would be greatly appreciated. Thank you for taking the time to read this.

A:Services.exe detected as Trojan horse Dropper.Generic_c.MMI

What is your operating system?

Please run the following:

Please download DDS from either of these links

LINK 1
LINK 2

and save it to your desktop.

Disable any script blocking protection.
Double click dds to run the tool.
When done, two DDS.txt's will open.
Save both reports to your desktop.

---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt
Attach.txt

NEXT

Please download aswMBR to your desktop.

Double click the aswMBR.exe icon to run it.
When asked if you want to download Avast's virus definitions please select Yes.
Click the Scan button to start the scan.
On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well.


Hi, I am completely new to this, so please be patient. All I know is that my new computer has detected the Trojan files listed in the subject and I don't know how to get rid of them. I am running Vista premium and this is my first post, so I need to know what I can do to remove this stuff before it starts wreaking havoc. Thanks!
 

A:Solved: OfficeScan detected WinAntiSpyware2007 file and SpyHunter 2.9 detected Trojan.vundo!

Closing duplicate.

Please continue here:

http://forums.techguy.org/showthread.php?t=610916
 


AVG Free catches this every time I reboot, and occasionally while the PC is running. It doesn't show up during a regular scan. I've also run Malwarebytes and Spybot - Search and Destroy. I've done rootkit and boot sector scans.
 
I know something is rotten though. Many folders are now "access denied". I've checked folder options... hidden files, etc. I don't see anything obvious, other than being denied access to folders.
 
DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 11.0.9600.17280
Run by Lynne at 21:36:55 on 2014-10-05
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.2039.913 [GMT -7:00]
.
AV: AVG AntiVirus Free Edition 2014 *Enabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Spybot - Search and Destroy *Enabled/Outdated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: AVG AntiVirus Free Edition 2014 *Enabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}

A:Downloader Generic_c is detected repeatedly

Hello, Welcome to BleepingComputer. I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.

===

Download Malwarebytes' Anti-Malware from Here.
Double-click mbam-setup-2.X.X.XXXX.exe to install the application (X's are the current version number).
Make sure a checkmark is placed next to Launch Malwarebytes' Anti-Malware, then click Finish.
Once MBAM opens, when it says Your databases are out of date, click the Fix Now button.
Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box for Scan for rootkits.
Click the Scan tab at the top of the program window, select Threat Scan and click the Scan Now button.
If you receive a message that updates are available, click the Update Now button (the update will be downloaded, installed, and the scan will start).
The scan may take some time to finish, so please be patient.
If potential threats are detected, ensure that Quarantine is selected as the Action for all the listed items, and click the Apply Actions button.
While still on the Scan tab, click the link for View detailed log, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
The log is automatically saved by MBAM and can also be viewed by clicking the History tab and then selecting Application Log... Read more


Hi, I have posted this topic in the Am I Infected? section and I have been asked to make a new topic here. Here's the link to my previous topic http://www.bleepingcomputer.com/forums/topic421975.html/page__gopid__2441032#entry2441032. I'm running Windows Vista SP1. So here's the problem: after installing Kaspersky Internet Security 2012 I have been receiving a notification that Firefox is downloading an object containing a malicious URL each time I load a website (almost every website with the exception of Google search). Here's a screenshot that shows the notification that I received http://imageshack.us/photo/my-images/3/maliciousurlnotificatio.jpg/ . I have tried reinstalling my Firefox and the problem ceased for one week before reoccurring again. I had run Malwarebytes Anti-Malware, SUPERAntiSpyware, GMER and MiniToolBox guided by Cryptodan. I have also run ComboFix and TDSSKiller guided by a mod in the Kaspersky forum and was told that all my logs were clean.

Anyway, here is my DDS.txt

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_27
Run by Gan at 13:11:25 on 2011-10-15
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.60.1033.18.3069.1808 [GMT 8:00]
.
AV: Kaspersky Internet Security *Enabled/Updated* {2EAA32A5-1EE1-1B22-95DA-337730C6E984}
SP: Kaspersky Internet Security *Enabled/Updated* {95CBD341-38DB-14AC-AF6A-08054B41A339}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF4... Read more

A:Malicious url detected repeatedly by kaspersky

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together:

Do not run any other tool until instructed to do so!
Please do not attach logs or put them in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.
Do not run any other tool until instructed to do so!
Click on the Watch Topic button and select Immediate Notification and click on proceed; this will help you to get notified faster when I have replied and make the cleaning process faster.
Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens please allow it to do so (you will need to be connected to the internet for this).
Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.
Combofix may need to reboot your computer more than once to do its job; this is normal.
You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the runn... Read more


Hi, I know this problem is quite common among Avast users, however I think this is the first ever case for Kaspersky. My OS is Windows Vista Home Premium SP2 and I'm using Kaspersky Internet Security 2012. After 1 week of installing KIS 2012 I have been receiving a lot of notifications about a malicious URL being blocked each time I load or refresh a webpage (except Google). The URLs that have been blocked are hxxp://51x1nnaa.com/, hxxp://4z64x8aa.com/, which I don't even think exist. I have posted my problem in the Kaspersky forum and the mod has been very helpful but is still unable to solve my problem. He has checked my MBAM log and ComboFix log and he said my system was clean and he had no idea what the problem is. I have scanned my system with TDSSKiller as well with no result. I have also scanned with SUPERAntiSpyware and removed a few trojans but the problem still persists. My first guess is that it has something to do with Java so I reinstalled a new Java, but to no avail as well.

Please help me. I've been really frustrated about this problem for more than a week and can't go online in peace. Any help would be much appreciated. Thanks in advance.

A:Malicious URL detected repeatedly by Kaspersky

Hi, can anyone help me to solve this problem?


Hello, I am currently infected with ZeroAccess.inf4 in System32/services.exe.

I ran a tool and got a report back if that helps, but I wasn't really aware if I should. I apologise if I shouldn't have, but could someone please help me.

Thank you.

A:ZeroAccess.inf4

Download TDSSKiller.
Launch it.
Click on Change parameters and select Detect TDLFS file system.
Click on "Scan".
Please post the LOG report (the log file should be in your C drive). Do not change the default options on scan results.

Download aswMBR.
Launch it, allow it to download the latest Avast! virus definitions.
Click the "Scan" button to start the scan.
After the scan finishes, click on Save log.
Post the log results here.

Download ESET online scanner.
Install it.
Click on START; it should download the virus definitions.
When the scan is completed, click on LIST of found threats.
Export the list to the desktop and copy the contents of the text file in your reply.


Hello and thanks for being here.
I have a problem that started when I was trying to find a keycode for a game I already bought. (I had lost the box, thus no keycode.) I know I shouldn't get programs like this, and trust me, I won't again.
As soon as I clicked it, I was nuked with spyware, a new background, etc., which all were promptly taken care of with my software Ad-Aware, Malwarebytes, and AVG's free AV. I thought I was clear. But now my Firefox keeps erroring out, and rendering itself useless, begging to be restarted. I've switched to IE but I prefer Firefox.
Also, when I restart, I have a new set of malware that appears when I check it with Malwarebytes or Ad-Aware, no matter how much I cleaned it the time before.

I did the 5 but I had a little trouble with Panda (I thought it was going to do something after I disinfected it) and IESpyad now uses ZonedOut and I'm not sure how to use it. It gives me a list of sites but I don't know how to apply it.

Here's my beloved HJT file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:10:58 PM, on 8/31/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16711)
Boot mode: Normal


A:Firefox Errors, Malware detected Repeatedly

Bump Pls


Hello,
Can you please help me? I have run several virus/malware/rootkit detection programs (malwarebytes, Kaspersky, Hitman Pro, Microsoft Security Essentials) and none of them find anything. However, lately when I've been online and click the back button, the page doesn't change, and the dropdown history list is filled with multiple entries of the same "adclick" link that I did not actually click on. So it seems like I've got some sort of zeroaccess or similar bug that clicks on ads, but it's not being detected.  Any suggestions you can give are much appreciated!
 
Thanks very much,
Suzanne
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16686  BrowserJavaVersion: 10.11.2
Run by Suzanne at 10:46:20 on 2013-09-21
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.4044.2417 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}

A:Seems like zeroaccess, but nothing detected in scans?

Hi and Welcome!!   
 
My name is Jeff. I would be more than happy to take a look at your malware results logs and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:
The fixes are specific to your problem and should only be used for the issues on this machine.
It's often worth reading through these instructions and printing them for ease of reference.
If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
Please reply to this thread. Do not start a new topic.
If you happen to have a flash drive/thumb drive please have that ready in the event that we need to use it.
Please be sure to subscribe to the topic if you have not already done so.
IMPORTANT NOTE: Please do not delete, download or install anything unless instructed to do so. DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your operating system and losing all your programs and data.
 
Having said that.... Let's get going!!
----------
Please download TDSSKiller.
Double click TDSSKiller.exe.
Press Start Scan but do nothing else as we are just looking for what is there.
If Malicious objects are fou... Read more


While I'm presently experiencing no apparent computer performance problems, after previous contact with another BleepingComputer helper, I understand that I have the ZeroAccess rootkit on my system. If reference to the earlier complaint and resulting diagnostics would be helpful, please see http://www.bleepingcomputer.com/forums/t/507136/very-slow-iexplorer-and-safari-for-windows/
 
As directed by that helper, I have run DDS and am including its resulting logs here. Attach.txt file is attached.
 
Thanks in advance for any help that can be provided.
 
 
Mike
 
 
DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 8.0.6001.18702
Run by owner at 18:07:29 on 2013-09-09
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1014.534 [GMT -5:00]
.
AV: Avira Desktop *Enabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}

A:ZeroAccess rootkit detected

Hi there, my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
Perform everything in the correct order. Sometimes one step requires the previous one.
If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Scan with aswMBR

Please download aswMBR (4.5MB) to your desktop.
Double click the aswMBR.exe icon, and click Run.
There will be a short delay before the next dialog box comes up. Please just wait a minute or two.
When asked if you'd like to "download the latest Avast! virus definit... Read more


Hello, I found this forum on Norton 360 pages.
 
My PC has become infected with zeroaccess!inf4 and I am at a loss as to how to remove it. Can anyone help me please?
 
Norton's removal tool won't download as it comes up with a warning that it contains a virus!!
 
Thanks, Michelle

A:Zeroaccess!inf4 infection, need help please

Hi Michelle, can you repost? Please follow this Preparation Guide and post in a new topic. Let me know if all went well.


I accidentally downloaded a file that contained the virus. Norton caught the virus, but is only able to suppress it. I have a flash drive, and I have not taken any steps to try and remove it. Any help would be welcomed. Also, my operating system is Windows 7 64 bit.
 
DreamerX
 

A:zeroaccess!inf4 virus Help me Please!!!!

Please download TDSSKiller from here and save it to your Desktop. Double-click on TDSSKiller.exe to run the application, then click on Change parameters.

Check Loaded Modules and Detect TDLFS file system. Do not check Verify file digital signatures (even though it is checked in the example). If you are asked to reboot because an "Extended Monitoring Driver is required" please click Reboot now.

Click Start Scan and allow the scan process to run.

If threats are detected select Skip for all of them unless I instruct you otherwise. Click Continue.

Click Reboot computer. Please post the contents of TDSSKiller.[Version]_[Date]_[Time]_log.txt found in your root directory (typically c:\) in your reply.

===================================================
aswMBR
--------------------
Download aswMBR and save it to your desktop.
Please disable your real time protection of any Antivirus, Antispyware or Antimalware programs temporarily. They will interfere and may cause unexpected results. If you need help to disable your protection programs see here and here. Double click the aswMBR.exe file to run it. Please allow when you are asked to download AVAST antivirus engine defs. Wait until the AV update is done, then click on the Scan button to start. The program will launch a scan.

When done, you will see Scan finished successfully. Please click on Save log and save the file to your desktop.

Please post the contents of the log in your next reply. NOTE: aswMBR will create M... Read more


Actually it looks like I was able to remove the inf4, now just have the Trojan.Zeroaccess.B remaining as well as Trojan.Gen2.
Jeff

A:Zeroaccess!inf4 infection

Please do the following: download Farbar Recovery Scan Tool and save it to a flash drive. Plug the flash drive into the infected PC. Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options: Restart the computer. As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears. Use the arrow keys to select the Repair your computer menu item. Choose your language settings, and then click Next. Select the operating system you want to repair, and then click Next. Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc: Insert the installation disc. Restart your computer. If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings. Click Repair your computer. Choose your language settings, and then click Next. Select the operating system you want to repair, and then click Next. Select your user account and click Next.

On the System Recovery Options menu you will get the following options: Startup Repair, System Restore, Windows Complete PC Restore, Windows Memory Diagnostic Tool, Command Prompt. Select Command Prompt. In the command window type in notepad and press Enter. The notepad opens. Under File menu select Open. Select "Computer" and find your flash drive letter and close the notepad. In the command window type e:\frst.exe (for x64 bit version type e:\frst64) ... Read more


Hello, recently my machine has come down with a case of zeroaccess.inf4.
Apparently it steals my browsing history; it also adds extensions to browsers and redirects links. Virus removal software that I have tried has failed, and I can't find anything that shouldn't be on my machine or spot anything running that seems out of place. I saw another post about zeroaccess today but didn't want to risk trying a solution that wasn't for me. I've had a lot of PC issues recently and can't afford any more. Would be very grateful for some help, keen for a response.

A:zeroaccess.inf4 ............desperate for some help with this

Hi there, my name is Marius and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully. First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding. Perform everything in the correct order. Sometimes one step requires the previous one. If you have any problems while following my instructions, stop there and tell me the exact nature of your problem. Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me. Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts. If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed. Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean. My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Please download Farbar's Recovery Scan Tool to your desktop: FRST 32bit or FRST 64bit (If not sure: Start --> Computer (right click) --> properties). Run FRST. Don't change any of the checkboxes and hit Scan. Logfiles are created on your desktop. Post the FR... Read more


Working on a computer that is infected by ZEROACCESS. Removed with a combination of TDSS, MBAM, HitmanPro, ComboFix, RogueKiller, and AdwCleaner.
Unfortunately rKill still detects a reparse point junction (I have included the .txt below). I do not really know what this means, but it leads me to believe that I am still infected. Thank you so much in advance.
DDS:
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16635
Run by Mike at 16:28:45 on 2013-08-08
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3032.1534 [GMT -5:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Disabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_afc3018f8cfedd20\STacSV64.exe
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Dell\Dell Wirel... Read more

A:ZEROACCESS - Remnants detected by rKill

Hello! Welcome to BleepingComputer Forums!
My name is Georgi and I will be helping you with your computer problems.
Before we begin, please note the following:
I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
The logs can take some time to research, so please be patient with me.
Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
Instructions that I give are for your system only!
Please do not run any tools until requested ! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.
 
 
Please download a new version of Farbar Recovery Scan Tool and save it to your desktop. Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and pa... Read more


Hello !

Avira detects TR/ATRAPS.Gen2 on this system; Stinger picks it up as well, as ZeroAccess.cfg & ZeroAccess.hi. Neither Stinger nor Avira can clean the infected files; access is denied.

The OS is Win7 64bit Home Premium, no access to a Windows install disk or boot CD (it's a netbook with only a restore partition, no CD/DVD drive).

The infected files that are detected are :

c:\windows\assembly\GAC_32\desktop.ini
c:\windows\assembly\GAC_64\desktop.ini
c:\$Recycle.Bin\S-1-5-18\$6a14061adc683a771403e26f40be00dd\U\[email protected]
c:\$Recycle.Bin\S-1-5-18\$6a14061adc683a771403e26f40be00dd\U\[email protected]

Let me know if you require more information and thanks in advance for the help


DDS report :

DDS (Ver_2012-11-07.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16450 BrowserJavaVersion: 1.6.0_20
Run by Gilles at 10:02:05 on 2012-11-12
Microsoft Windows 7 Édition Familiale Premium 6.1.7601.1.1252.32.1036.18.1979.994 [GMT 1:00]
.
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Win... Read more

A:TR/ATRAPS.Gen2 / ZeroAccess.hi detected

Hello and welcome to TSF.

I am currently reviewing your post. I will be back with a fix for your problem as soon as possible.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification then click Subscribe.
----------

As you already know....

**WARNING**Unfortunately one or more of the infections I have identified are Backdoor Trojans, IRCBots or other Malware capable of stealing very important information. You need to stop using all Internet Banking sites, change passwords to all sites with sensitive information from a clean computer and phone your bank to inform them that you may be a victim of identify theft. More often than not, we advise users that a full reinstallation of their Operating System is the only way to ensure that their computer will ever be 100% clean again.

Unfortunately I have found what is known as the ZeroAccess rootkit on your system. It is an especially nasty infection that can take quite some time to clean as well as may have damaged your system files itself. As a warning, during the cleaning (if you choose to do so) you may lose internet access with this computer and in the end we may need to reinstall the operating system anyway depending on the extent of the infection.

If you would like to format and reinstall your Operating System please let me know and we can assist you with... Read more


Hey. I was running a routine scan with MalwareBytes and received notification that it had picked up some ZeroAccess Trojan files. They are currently quarantined (I haven’t deleted them yet in case of a false positive), and subsequent full scans with MBAM and Microsoft Security Essentials come up clean, but I know that this Trojan is hard to remove and I need some advice on how to verify that my system is clean. MBAM required a restart to complete the quarantine process, and upon restart I was informed that Windows Firewall was turned off, which is unusual.  
 
Two other issues that are probably unrelated but I feel I should mention anyway: at startup, I am getting a Windows notification saying “There is a file or folder on your computer called "C:\Program" which could cause certain applications to not function correctly. Renaming it to "C:\Program1" would solve this problem. Would you like to rename it now?" and the options are to Rename or Ignore. It appears that this is related to a problem caused by an update to Foxit Reader, though the problem persists even after uninstalling Foxit. Probably not a virus thing, but full disclosure and all. I started a separate BC thread on it here: http://www.bleepingcomputer.com/forums/t/534482/file-name-warning
 
Another oddity that just happened is that I was looking at the Microsoft support site and a couple flickering horizontal lines appeared on the screen. They stayed anchored to specific places on the sit... Read more

A:MBAM detected ZeroAccess Trojans

Hi,
 
You are infected with ZeroAccess, we will need more advanced tools to deal with it:
 
Please follow the instructions in THIS GUIDE starting at Step 6. If you cannot complete a step, skip it and continue.
Once the proper logs are created, then make a NEW TOPIC and post it HERE. Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.
If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.
It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.
xXToffeeXx~


Continually getting messages that ZeroAccess Rootkit has been detected by combofix whenever I run it, however it never seems to clean the infection.

I also get a message from yorkyt.exe that it has found bad/infected files but likewise, it never seems to fix the problem.

I've run malwarebytes, securitycheck, tdsskiller and none of them are picking anything up.

Firefox has been running a little slower than normal, and I've also gotten a popup to install Flash a few times when starting AOL Instant Messenger (I already have Flash installed), but that's the extent of what seems to be off now. I'm concerned something might still be lingering and worried about the possibility of a keylogger.

A:ZeroAccess Rootkit TCP/IP continually detected

Hello frenchfry, my name is ratman and I will be helping you with your computer problems.

Before we begin, I would like to make a few things clear so that we can fix your problem as efficiently as possible: Be sure to follow all my instructions carefully! If there is anything you don't understand, don't hesitate to ask. Please do not do anything or perform other steps unless I have asked you to do so. Please make sure you post all logs I ask you to, and make sure that the entire log gets posted.

====================================================================================

I want you to run TDSSKiller: Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!! Be sure to download TDSSKiller.exe from Kaspersky's website and not TDSSKiller.zip. Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
Vista/Windows 7 users right-click and select Run As Administrator. If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension. Click the Start Scan button. Do not use the computer during the scan. If the scan completes with nothing found, click Close to exit. If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options. Ensu... Read more


I used Kaspersky Rescue Disk 10, then ran ComboFix twice. My machine seems to be running great, but if I run ComboFix again it still says rootkit ZeroAccess detected. I am pretty sure it got rid of the infection and I just have some kind of file or something that is still lingering, but I am no expert. Please, someone help.

A:rootkit zeroaccess still detected by combofix

Hello and welcome to the forums!My secret agent name on the forums is SweetTech (you can call me Agent ST for short), it's a pleasure to meet you. I am very sorry for the delay in responding, but as you can see we are at the moment being flooded with logs which, when paired with the never-ending shortage of helpers, resulted in the delayed responding to your thread.I would be glad to take a look at your log and help you with solving any malware problems.If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administr... Read more


Hi, hoping you can assist with my dilemma. For the past week or so I have learnt I have the above trojan on my machine and have tried all ways of trying to find it, but no way; this one is a classic.

Kindest regards

hazzab

 
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16720
Run by Hillary at 15:51:53 on 2013-10-17
Microsoft Windows 7 Professional   6.1.7601.1.1252.61.1033.18.7786.4322 [GMT 11:00]
.
AV: Norton 360 Premier Edition *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton 360 Premier Edition *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton 360 Premier Edition *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\AuthenTec TrueSuite\TrueSuiteService.exe
C:\Windows\system32\ibmpmsvc.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
... Read more

A:Malware Removal of Zeroaccess!inf4 please

Hi there, my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully. First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding. Perform everything in the correct order. Sometimes one step requires the previous one. If you have any problems while following my instructions, stop there and tell me the exact nature of your problem. Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me. Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts. If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed. Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean. My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Scan with Gmer rootkit scanner

Please download Gmer from here by clicking on the "Download EXE" Button. Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent. If it gives you a warning about rootkit activity and asks if you want... Read more


Last night McAfee reported that it detected a Trojan in c:/Windows/assembly/GAC_32/Desktop.ini (and GAC_64/Desktop.ini). It asked me to restart in order for it to remove it. Restarting didn't resolve the problem. I tried to manually remove the files using PowerShell in admin mode, but it reported that I didn't have the proper permissions to do that.
 
Now I'm getting a popup message about every 15-30 seconds from McAfee that a Trojan was removed and no further action is required. Most of the time it is quarantining a ZeroAccess trojan from C:\Windows\Installer\... but occasionally it is quarantining an Artemis!... trojan also.
 
I ran the DDS application and it produced the following log file:
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16635  BrowserJavaVersion: 10.15.2
Run by Greg at 21:55:21 on 2013-07-24
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.5942.3442 [GMT -5:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {ADA629C7-7F48-5689-624A-3B76997E0892}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {16C7C823-5972-5907-58FA-0004E2F9422F}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: McAfee Firewall *Enabled* {959DA8E2-3527-57D1-4915-924367AD4FE9}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C... Read more

A:McAfee Detected ZeroAccess.hi in GAC_32/64 Desktop.ini

Hi and Welcome!! gmbartlett My name is Robybel.I would be more than happy to take a look at your log and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.The fixes are specific to your problem and should only be used for the issues on this machine.Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.It's often worth reading through these instructions and printing them for ease of reference.If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.Please reply to this thread. Do not start a new topic.IMPORTANT NOTE : Please do not delete, download or install anything unless instructed to do so.DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your Operating System and losing all your programs and data.Vista and Windows 7 users:These tools MUST be run from the executable. (.exe) every time you run themwith Admin Rights (Right click, choose "Run as Administrator")Stay with this topic until I give you th... Read more


McAfee scan has detected ZeroAccess.ia, RDN/GenericPWS.y!k, RDN/Generic Exploit!1nk. One of these seems to be turning off the McAfee firewall.
 
Would like help in cleaning up the computer.
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 8.0.7600.17256
Run by Brady Family at 19:56:55 on 2013-03-14
Microsoft Windows 7 Home Premium   6.1.7600.0.1252.1.1033.18.6007.3948 [GMT -4:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {ADA629C7-7F48-5689-624A-3B76997E0892}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {16C7C823-5972-5907-58FA-0004E2F9422F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: McAfee Firewall *Enabled* {959DA8E2-3527-57D1-4915-924367AD4FE9}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
c:\Program Files (x86)\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleM... Read more

A:ZeroAccess.ia detected by McAfee scan and turning off the firewall

Hello JackBrady Welcome to The Forums!!Around here they call me Gringo and I'll be glad to help you with your malware problems.Very Important --> Please read this post completely, I have spent my time to put together somethings for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!Please do not run any tools unless instructed to do so.We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.Please do not attach logs or use code boxes, just copy and paste the text.Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.Please read every post completely before doing anything.Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.Please provide feedback about your experience as we go.A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at ... Read more


Hello, I have been struggling with an infection on my XP Home for months! NPE said it was ZeroAccess.kmem but could not remove it fully even with their tools. Came by here and have been following all kinds of things to remove it and thought it was gone, but it is still there. Computer ran great for a while after running ComboFix, TDSSKiller, Malwarebytes, Norton NPE (said infected with ZeroAccess.kmem, file netbt.sys deleted and it replaced itself, but still not a great improvement from the system until ComboFix ran the first time; "I have also manually replaced this file with the original!"), Norton Internet Security 2012, Sophos free, Avast free, Panda ActiveScan Free, Norton Boot Recovery Scan, online virus scans; lots of things have been run for weeks straight and nothing. I started getting better results after reading and running ideas from another post here on "BleepingComputer.com". Then it began again and now no results even after running ComboFix, which still says I am infected with rootkit ZeroAccess. I have my first log from ComboFix and should have all logs from most of the scans I did. Seems no anti-virus will cure it fully. Running different ones comes up with various different virus names. Also have used MBRCheck.exe and it is good; also have those logs. Weeks straight of running all these multiple times, still getting ComboFix telling me it's still a rootkit ZeroAccess infection. Computer really slow again but have partitioned with other Windows 8 preview CE.... Read more

A:Norton Power Eraser detected ZeroAccess.kmem

Hello,Please follow the instructions in ==>This Guide<== starting at step 6. If you cannot complete a step, skip it and continue.Once the proper logs are created, then post them in a reply to this topic by using the Add Reply button.If you can produce at least some of the logs, then please create the post and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the reply and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.Please note that I am not a member of the Malware Removal Team and will not be assisting you in removing the infection. I'm simply helping you to post the information they need in order to assist you.If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.


Hi All,

Thanks for reading this. Within the last week or so my Norton Internet Security (Microsoft Windows XP) has been having trouble with its "Protection Updates". My Norton status has been showing "At Risk", but when I click on the program to search for updates it completes the process but the "At Risk" status remains. Furthermore, whenever I click on Norton's "Help & Support" I receive a notification from Norton saying that "Auto-Protect has blocked a Trojan Horse" (Risk Level: High).

I have just downloaded and scanned with Avast for a "second opinion", and it is showing no infected files. Also, my Norton status is now showing as "Secure". However, when I open Norton and click on "Help & Support" I am continuing to receive the "Auto-Protect has blocked a Trojan Horse" message.

I'm not very clear on what the problem could be here, and even though Norton says it's "Blocking" the Trojan Horse, why am I consistently getting this message with "Help & Support"? Could Norton be corrupted? Should I try reinstalling Norton?

I would greatly appreciate any advice on this!

Cheers.

A:Trojan Horse Repeatedly Blocked with Norton

Hello and welcome to Bleeping Computer.

Please subscribe to your topic so that you will be notified as soon as I post a reply, instead of you having to check the topic all of the time. This will allow you to get an email notification when I reply. To subscribe, go to your topic, and at the top right hand corner by your first post, click the Options button and then click Track this topic. Then select the immediate notification bubble. Then press submit.

Let's take a look with Malwarebytes

Please download Malwarebytes' Anti-Malware from here: Malwarebytes
Please rename the file BEFORE downloading to zztoy.exe instead of mbam-setup.exe
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
Double Click zztoy.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and y... Read more

Read other 3 answers
RELEVANCY SCORE 71.6

Good Afternoon,
 
Not sure if this is anything to do with Farbar Recovery Scan Tool (FRST), and if not maybe you can forward it on to the correct person or team. There is a new variant of ZeroAccess doing the rounds that the FRST tool does not detect. The new variant is described in the following link:
 
hxxp:/nakedsecurity.sophos.com/2013/07/31/zeroaccess-malware-revisited-new-version-yet-more-devious/?utm_source=feedburner&utm_medium=feed&utm_content=Netvibes&utm_campaign=Feed%3A+nakedsecurity+%28Naked+Security+-+Sophos%29
Basically the payload files are now being found in the following Path(s):
c:\program files\Google\Desktop\Install\{7e85e7dc-4063-5461-5388-f06482b6da28}\ \...\???\{7e85e7dc-4063-5461-5388-f06482b6da28}\@
c:\program files\Google\Desktop\Install\{7e85e7dc-4063-5461-5388-f06482b6da28}\ \...\???\{7e85e7dc-4063-5461-5388-f06482b6da28}\L\[email protected]
c:\program files\Google\Desktop\Install\{7e85e7dc-4063-5461-5388-f06482b6da28}\ \...\???\{7e85e7dc-4063-5461-5388-f06482b6da28}\L\6715e287
c:\program files\Google\Desktop\Install\{7e85e7dc-4063-5461-5388-f06482b6da28}\ \...\???\{7e85e7dc-4063-5461-5388-f06482b6da28}\U\[email protected]
c:\program files\Google\Desktop\Install\{7e85e7dc-4063-5461-5388-f06482b6da28}\ \...\???\{7e85e7dc-4063-5461-5388-f06482b6da28}\U\[email protected]
c:\program files\Google\Desktop\Install\{7e85e7dc-4063-5461-5388-f06482b6da28}\ \...\???\{7e85e7dc-4063-5461-5388-f06482b6da28}\U\[email protected]
c:\program files\Google\Desktop... Read more

A:New ZeroAccess variant not detected by FRST (Farbar Recovery Software Tool)

Examples of the service from three logs. It does appear at times; seeing it is one thing, dealing with it with these tools is another.
 
Combofix
 
R2 ?etadpug;Google Update Service (gupdate);c:\program files (x86)\Google\Desktop\Install\{e79d61e6-9b74-9ace-3555-c97004525cf9}\ \...\???\{e79d61e6-9b74-9ace-3555-c97004525cf9}\GoogleUpdate.exe <;c:\program files (x86)\Google\Desktop\Install\{e79d61e6-9b74-9ace-3555-c97004525cf9}\ \...\???\{e79d61e6-9b74-9ace-3555-c97004525cf9}\GoogleUpdate.exe < [x]
 
 
OTL
 
O23 - Service: Google Update Service (gupdate) (?etadpug) . (...) - C:\Program Files (x86)\Google\Desktop\Install\{c9940291-904a-83a3-407e-b260f98ab069}\ \...\???\{c9940291-904a-83a3-407e-b260f98ab069}\GoogleUpdate.exe
 
 
FRST
 
U2 ‮etadpug; C:\Program Files\Google\Desktop\Install\{3b803de2-9b3a-e14d-88f0-70942e83e842}\ \...\‮ﯹ๛\{3b803de2-9b3a-e14d-88f0-70942e83e842}\GoogleUpdate.exe [0 ] (Advanced Micro Devices, Inc.)
 
 
Quads

Read other 3 answers
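The tell-tale signs in the post above and in Quads' three log excerpts are mechanical enough to pick out of a log automatically: a service name that reads "gupdate" only because a Unicode right-to-left override (U+202E) reverses "etadpug" on screen, and an install path containing directory components that are a single space, "...", or the override character itself (rendered as "?" by ComboFix and OTL). The script below is an added example and is not code from this thread, from Bleeping Computer, or from FRST, OTL or ComboFix. It runs over constructed log lines modelled on the ones quoted above; the list of impersonated service names (IMPERSONATED_NAMES) is an assumption for illustration.

```python
import re

# Unicode bidirectional control characters. U+202E (RLO) is the one that makes
# the service name "etadpug" render as "gupdate" in the FRST line quoted above.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
    "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI", "\u200e": "LRM", "\u200f": "RLM",
}

# Legitimate service names the reversed name is meant to impersonate.
# Assumption: an illustrative list; extend it for the services you care about.
IMPERSONATED_NAMES = {"gupdate", "gupdatem", "googleupdate"}

TOKEN_RE = re.compile(r"[A-Za-z0-9]{5,}")
# A Windows path: drive letter, colon, backslash, then anything up to a
# field separator used by the FRST/OTL/ComboFix line formats.
PATH_RE = re.compile(r"[A-Za-z]:\\[^;<\[\]]*")


def find_bidi_controls(line: str):
    """Return (offset, name) for every bidi control character in the line."""
    return [(i, BIDI_CONTROLS[ch]) for i, ch in enumerate(line) if ch in BIDI_CONTROLS]


def find_reversed_names(line: str):
    """Return tokens whose reversal is a known legitimate service name.

    This catches the trick even when the log (or the forum) has replaced the
    override character with a printable '?', as in the ComboFix and OTL lines."""
    return [tok for tok in TOKEN_RE.findall(line)
            if tok.lower()[::-1] in IMPERSONATED_NAMES]


def find_odd_path_components(line: str):
    """Return path components that are blank or contain no letters or digits,
    i.e. the ' ', '...' and override-character directories in the quoted paths."""
    odd = []
    for m in PATH_RE.finditer(line):
        for comp in m.group(0).split("\\")[1:]:  # skip the drive letter
            if comp == "" or comp.isspace() or not re.search(r"[A-Za-z0-9]", comp):
                odd.append(comp)
    return odd


def scan_log(lines):
    """Scan FRST/OTL/ComboFix-style log lines and report per-line findings."""
    findings = []
    for n, line in enumerate(lines, 1):
        reasons = []
        bidi = find_bidi_controls(line)
        if bidi:
            reasons.append("bidi control chars: " + ", ".join(f"{name}@{i}" for i, name in bidi))
        rev = find_reversed_names(line)
        if rev:
            reasons.append("reversed service name: " + ", ".join(f"{t} -> {t[::-1]}" for t in rev))
        odd = find_odd_path_components(line)
        if odd:
            reasons.append("odd path components: " + ", ".join(repr(c) for c in odd))
        if reasons:
            findings.append({"line": n, "reasons": reasons})
    return findings


# Constructed sample log, modelled on the three excerpts quoted in the answer
# plus one legitimate Google Update service line for contrast.
SAMPLE_LOG = [
    r"R2 ?etadpug;Google Update Service (gupdate);c:\program files (x86)\Google\Desktop\Install\{e79d61e6-9b74-9ace-3555-c97004525cf9}\ \...\???\{e79d61e6-9b74-9ace-3555-c97004525cf9}\GoogleUpdate.exe <;c:\program files (x86)\Google\Desktop\Install\{e79d61e6-9b74-9ace-3555-c97004525cf9}\ \...\???\{e79d61e6-9b74-9ace-3555-c97004525cf9}\GoogleUpdate.exe < [x]",
    r"O23 - Service: Google Update Service (gupdate) (?etadpug) . (...) - C:\Program Files (x86)\Google\Desktop\Install\{c9940291-904a-83a3-407e-b260f98ab069}\ \...\???\{c9940291-904a-83a3-407e-b260f98ab069}\GoogleUpdate.exe",
    # FRST keeps the real U+202E override rather than a '?' placeholder.
    "U2 \u202eetadpug; C:\\Program Files\\Google\\Desktop\\Install\\{3b803de2-9b3a-e14d-88f0-70942e83e842}\\ \\...\\\u202e\ufbf9\u0e5b\\{3b803de2-9b3a-e14d-88f0-70942e83e842}\\GoogleUpdate.exe [0 ] (Advanced Micro Devices, Inc.)",
    r"R2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [136176 2012-10-05] (Google Inc.)",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}:")
        for r in f["reasons"]:
            print("   ", r)
```

To run it over a real log, read the file as UTF-8 with `errors="replace"` and pass the lines to `scan_log`; FRST writes UTF-8 and preserves the override character, whereas ComboFix and OTL output (and the forum copy of it) only show the printable "?" placeholder, which is why the reversed-name check is kept separate from the control-character check. The legitimate gupdate line produces no findings, so the three checks do not fire on a normal Google Update install.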
RELEVANCY SCORE 70.8

Hi all,

So far I've been helped out by Boopme and was advised to start a topic here and post my logs. See topic. I tried following the prep guide, but was unable to get DDS to run. Instead OTL was used. Also I had to skip the GMER step and post the ComboFix log instead. How to proceed on removing the infected file? (Meanwhile, all tips on disabling useless services/programs that start when Windows starts are very welcome. This good oldie starts up pretty slowly.) Thanks for helping out!

Bas.
_____________________________________
ComboFix log
ComboFix 12-06-25.05 - basko 06/26/2012 10:36:28.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.31.1043.18.2038.1060 [GMT 2:00]
Started from: c:\users\basko\Desktop\ComboFix.exe
AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: SPYWAREfighter *Disabled/Updated* {54CEAF19-6DDF-F31A-F96A-11F730C2EC03}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\basko\AppData\Roaming\Izut
c:\users\basko\AppData\Roaming\Izut\quudn.apy
c:\windows\TEMP\xlp6vhbx.vbt
.
c:\windows\system32\Services.exe . . . is infected!!
.
.
(((((((((((((((((((( Bestanden Gemaa... Read more

A:W32/Patched.UB detected in services.exe

Welcome to Bleeping Computer.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem. Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.

We need to create an OTL report. Please download OTL from... Read more

Read other 18 answers
RELEVANCY SCORE 70.8

Hi,

Avira detected the file C:\Windows\System32\services.exe to be infected and isn't able to fix the problem. Besides this the computer seems to run normally, as does the internet.

I tried running Combofix. It has been restoring the services.exe file, but the problem remains.

Can you help fix this problem?

Thanks in advance.

A:W32/Patched.UB detected in services.exe

Hello basko,

Having run ComboFix, we need to see that and a DDS log. Please go here: Preparation Guide, do steps 6 - 9. Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks. Skip the GMER step and instead post the ComboFix log you have. Let me know if that went well.

Read other 5 answers
RELEVANCY SCORE 70.4

I'm running 2 PCs on Windows XP Pro. I have a D-Link wireless N router, and I just can't use my PC which is connected through the wireless part of the router.

It shows a very strong signal strength, then it doesn't see anything at all, and it keeps happening over and over. I've tried changing the wireless channel, nothing.
The other PC has a USB wireless adapter.
PS: I've tried restarting the router/modem, to no avail.

Anyone got any ideas ?
 

A:wireless network detected, not detected, detected and so on.

Read other 6 answers