Help remove zeroaccess rootkit

Discussion in 'Malware Removal Assistance' started by Papirus, Dec 25, 2012.

  1. Papirus (New Member)

    My Windows XP SP3 system got infected by the ZeroAccess rootkit.
    I found it when I ran the McAfee Rootkit Remover tool, as shown below (after a restart the rootkit is back again):

    Rootkit Remover v0.8.9.160 [Dec 4 2012 - 17:44:01]
    McAfee Labs.

    Windows build 5.1.2600 x86 Service Pack 3
    Checking for updates ...

    Now Scanning...
    Malware Found --> ZeroAccess trojan detected!!!
    --> Registry key: HKEY_CLASSES_ROOT\CLSID\{f3130cdb-aa52-4c3a-ab32-85ffc23af9c1}\InprocServer32 ( fixed )
    --> Malicious file: C:\WINDOWS\system32\wbem\wbemess.dll ( deleted )
    --> Registry key: HKEY_CLASSES_ROOT\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32 ( fixed )
    --> Malicious file: C:\WINDOWS\system32\wbem\fastprox.dll ( will be deleted after restart )
    ZeroAccess trojan was cleaned successfully!

    Scan Finished

    PLEASE REBOOT IMMEDIATELY TO COMPLETE CLEANING.

    Other recommendations:
    1. Perform full scan with McAfee VirusScan product after reboot.


    Press any key to exit.
    ===============================================================================

    However, when I run TDSSKiller, Sophos Anti-Virus, Symantec FixZeroAccess, McAfee Stinger, GridinSoft Trojan Killer, Trend Micro antivirus and Malwarebytes, they all show no virus or rootkit found in the system.

    I believe my system is infected because every time I try to delete C:\WINDOWS\system32\wbem\wbemess.dll manually, it always comes back within 2 seconds or so (after I refresh Windows Explorer).

    I even restored the C drive (Windows system) using my old recovery file and Symantec Ghost, but the rootkit is still there (shown by the McAfee Rootkit Remover tool above).

    Can someone please help me to fix this problem? Many thanks in advance.

    Below is the Combofix log file and HijackThis log file (or see attached):

    HijackThis:
    ===========
    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 10:58:49 PM, on 12/24/2012
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\LTSMMSG.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
    C:\WINDOWS\System32\GEARSec.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    D:\Utilities\HijackThis\Trend Micro\HiJackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    F2 - REG:system.ini: Shell=
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - D:\Program\Canon\Easy-WebPrint\Toolband.dll
    O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - S-1-5-21-2826457082-1161744426-439199626-1006 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User '?')
    O4 - S-1-5-21-2826457082-1161744426-439199626-1006 Startup: Task Manager.lnk = C:\WINDOWS\system32\taskmgr.exe (User '?')
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: Task Manager.lnk = C:\WINDOWS\system32\taskmgr.exe
    O4 - Global Startup: AutorunsDisabled
    O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
    O4 - Global Startup: WiziWYG XP Startup.lnk = C:\Program Files\Praxisoft\WiziWYG XP\WiziWYGXP.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\Program\MICROS~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - AutorunsDisabled - (no file)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Norton Ghost - Unknown owner - D:\Program\Ghost10\Agent\VProSvc.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

    --
    End of file - 5203 bytes


    ComboFix:
    ==========
    ComboFix 12-12-25.01 - Sam 12/24/2012 22:48:16.2.1 - x86
    Running from: j:\zip\Spyware\ComboFix.exe
    * Created a new restore point
    .
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-11-25 to 2012-12-25 )))))))))))))))))))))))))))))))
    .
    .
    2012-12-25 06:40 . 2012-12-25 06:43 -------- d-----w- c:\documents and settings\Sam\Local Settings\Application Data\Google
    2012-12-25 06:40 . 2012-12-25 06:42 -------- d-----w- c:\program files\Google
    2012-12-25 04:39 . 2012-12-25 06:11 14664 ----a-w- c:\windows\stinger.sys
    2012-12-25 04:38 . 2012-12-25 04:38 159608 ----a-w- c:\windows\system32\mfevtps.exe.a40b.deleteme
    2012-12-25 04:37 . 2012-12-25 06:21 -------- d-----w- c:\program files\stinger
    2012-12-25 04:28 . 2012-12-25 04:28 -------- d-s---w- c:\documents and settings\Sam\UserData
    2012-12-25 04:16 . 2012-12-25 04:29 -------- d-----w- c:\program files\GridinSoft Trojan Killer
    2012-12-25 04:04 . 2012-12-25 04:04 -------- d-----w- c:\documents and settings\Sam\Application Data\FixZeroAccess
    2012-12-25 04:04 . 2012-12-25 04:04 35752 ----a-w- c:\windows\system32\drivers\FixZeroAccess.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LTSMMSG"="LTSMMSG.exe" [2002-03-29 32768]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-13 155648]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-12 7630848]
    "nwiz"="nwiz.exe" [2006-08-12 1519616]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-12 86016]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-12-13 58992]
    .
    c:\documents and settings\Sam\Start Menu\Programs\Startup\
    Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
    Task Manager.lnk - c:\windows\system32\taskmgr.exe [2002-4-24 135680]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    VAIO Action Setup (Server).lnk - c:\program files\Sony\VAIO Action Setup\VAServ.exe [2002-4-25 40960]
    WiziWYG XP Startup.lnk - c:\program files\Praxisoft\WiziWYG XP\WiziWYGXP.exe [2008-12-28 6029369]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
    Billminder.lnk - d:\program\Quicken\billmind.exe [2002-7-30 36864]
    Microsoft Office.lnk - d:\program\Microsoft Office\Office10\OSA.EXE [N/A]
    Quicken Scheduled Updates.lnk - d:\program\Quicken\bagent.exe [2002-7-30 53248]
    Quicken Startup.lnk - d:\program\Quicken\QWDLLS.EXE [2002-7-30 36864]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Shell"=hex(7a8):
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    .
    R2 mrtRate;mrtRate; [x]
    R3 MFE_RR;MFE_RR;c:\docume~1\Sam\LOCALS~1\Temp\mfe_rr.sys [x]
    R3 SMBE;Sony MPEG2 Encoder Board (WDM);c:\windows\system32\Drivers\SMBE.SYS [x]
    R3 TrojanKillerDriver;GridinSoft Trojan Killer Driver;c:\windows\system32\DRIVERS\gtkdrv.sys [x]
    S0 FixZeroAccess;Zero Access Fixtool driver;c:\windows\system32\drivers\FixZeroAccess.sys [x]
    S3 LucentSoftModem;Lucent Technologies Soft Modem;c:\windows\system32\DRIVERS\LTSM.sys [x]
    S3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\system32\drivers\sis7012.sys [x]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-12-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2012-12-25 06:40]
    .
    2012-12-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2012-12-25 06:40]
    .
    2008-12-29 c:\windows\Tasks\Registration reminder 1.job
    - c:\windows\System32\OOBE\oobebaln.exe [2002-04-24 13:42]
    .
    2008-12-29 c:\windows\Tasks\Registration reminder 2.job
    - c:\windows\System32\OOBE\oobebaln.exe [2002-04-24 13:42]
    .
    2008-12-29 c:\windows\Tasks\Registration reminder 3.job
    - c:\windows\System32\OOBE\oobebaln.exe [2002-04-24 13:42]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.sony.com/vaiopeople
    IE: E&xport to Microsoft Excel - d:\program\MICROS~1\Office10\EXCEL.EXE/3000
    TCP: DhcpNameServer = 68.94.156.1 68.94.157.1
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-12-24 22:54
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    Completion time: 2012-12-24 22:57:26
    ComboFix-quarantined-files.txt 2012-12-25 06:57
    ComboFix2.txt 2012-12-25 06:33
    .
    Pre-Run: 12,297,408,512 bytes free
    Post-Run: 12,289,560,576 bytes free
    .
    - - End Of File - - 75F87112989DC3D61691AFD3592A7CA0
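As an added example (not a tool used in this thread), the script below parses HijackThis-style entries like the ones in the log above and groups the entries a helper would look at first: an empty winlogon Shell value, services or buttons whose target file is missing, services with an unknown owner, unresolved startup shortcuts and browser start-page URLs. The heuristics and the constructed sample (lines copied from the posted log) are mine, not HijackThis's own logic.

```python
"""Triage a HijackThis-style log for entries worth a second look.

Added example for this thread; the heuristics are the reviewer's own,
not part of HijackThis.  SAMPLE_LOG is constructed from lines posted above.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the HijackThis entries posted in the thread.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.sony.com/vaiopeople
F2 - REG:system.ini: Shell=
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O23 - Service: Norton Ghost - Unknown owner - D:\\Program\\Ghost10\\Agent\\VProSvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\system32\\nvsvc32.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)
"""

# Every HijackThis entry starts with a section code (R0, F2, O4, O23 ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")


def parse_entries(text):
    """Yield (section, body) for every HijackThis entry line; other lines are skipped."""
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("section"), m.group("body")


def classify(section, body):
    """Return the list of finding tags for one entry (empty when nothing stands out)."""
    tags = []
    if section == "F2" and body.rstrip().endswith("Shell="):
        # F2 reports the winlogon Shell value taken from system.ini; an empty value
        # means the normal "explorer.exe" is not what HijackThis read back.
        tags.append("empty-shell")
    if "(file missing)" in body or "(no file)" in body:
        # A registration that points at a file no longer on disk: orphaned or removed.
        tags.append("dangling-target")
    if section == "O23" and "Unknown owner" in body:
        # Service binary without a recognised publisher string: verify by hand.
        tags.append("unknown-service-owner")
    if section == "O4" and body.rstrip().endswith("= ?"):
        # Startup shortcut whose target HijackThis could not resolve.
        tags.append("unresolved-shortcut")
    if section in ("R0", "R1") and "http" in body:
        # Browser start/search page: confirm the domain is one the user expects.
        tags.append("browser-url")
    return tags


def triage(text):
    """Group entry lines by finding tag: {tag: [entry_line, ...]}."""
    findings = defaultdict(list)
    for section, body in parse_entries(text):
        for tag in classify(section, body):
            findings[tag].append(f"{section} - {body}")
    return dict(findings)


if __name__ == "__main__":
    for tag, lines in sorted(triage(SAMPLE_LOG).items()):
        print(f"[{tag}]")
        for line in lines:
            print("   ", line)
```

Entries it does not tag (such as the signed NVIDIA service above) are the ones a helper can usually skip on a first pass.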
  2. Fiery (Administrator, Staff Member)

    Hi, welcome to MT!

    Please download AdwCleaner by Xplode onto your desktop.
    • Close all open programs and internet browsers.
    • Double click on AdwCleaner.exe to run the tool.
    • Click on Search.
    • Please post the content of that logfile with your next answer.
    • You can find the logfile at C:\AdwCleaner[S1].txt as well.

    Download & SAVE RogueKiller to your Desktop (or from here)
    • Quit all programs that you may have started.
    • Please disconnect any USB or external drives from the computer before you run this scan!
    • For Vista or Windows 7, right-click and select "Run as Administrator" to start
    • Wait until Prescan has finished ...
    • Then Click on "Scan" button
    • Wait until the Status box shows "Scan Finished"
    • Click on "Report" and copy/paste the content of the Notepad into your next reply.
    • The log should be found in RKreport[1].txt on your Desktop
      Exit/Close RogueKiller
  3. Papirus (New Member)

    I have run both AdwCleaner and RogueKiller.
    I have attached both log files in this reply.

    Thanks.
  4. Fiery (Administrator, Staff Member)

    Do a scan with AdwCleaner and RogueKiller again, but this time click Delete. Post both logs after.

    Then download a new copy of ComboFix and run it. Make sure your antivirus is off and install the Recovery Console when it prompts you to.
  5. Papirus (New Member)

    OK, these were the steps that I took to follow the instructions:
    0. Disable antivirus
    1. Search using AdwCleaner [attachment=2941]
    2. Select Delete in AdwCleaner after the search is completed [attachment=2942].
    3. Reboot (it asked for a reboot)
    4. Scan using RogueKiller
    5. Select Delete in RogueKiller after the scan is completed [attachment=2944]
    6. Download ComboFix from BleepingComputer:
    http://www.bleepingcomputer.com/download/combofix/
    7. Run ComboFix
    8. Install Recovery [attachment=2943]
    9. Reboot
    10. Run McAfee Rootkit Remover and it somehow still shows it is infected:

    Windows build 5.1.2600 x86 Service Pack 3
    Checking for updates ...

    Now Scanning...
    Malware Found --> ZeroAccess trojan detected!!!
    --> Registry key: HKEY_CLASSES_ROOT\CLSID\{f3130cdb-aa52-4c3a-ab32-85ffc23af9c1}\InprocServer32 ( fixed )
    --> Malicious file: C:\WINDOWS\system32\wbem\wbemess.dll ( will be deleted after restart )
    --> Registry key: HKEY_CLASSES_ROOT\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32 ( fixed )
    --> Malicious file: C:\WINDOWS\system32\wbem\fastprox.dll ( will be deleted after restart )
    ZeroAccess trojan was cleaned successfully!

    Scan Finished

    PLEASE REBOOT IMMEDIATELY TO COMPLETE CLEANING.

    Other recommendations:
    1. Perform full scan with McAfee VirusScan product after reboot.

    ==================================================

    I have attached all the log files from those steps above.

    Thanks.
  6. Fiery (Administrator, Staff Member)

    Let's see if we can remove it in a separate environment from Windows.

    Please print these instructions out so that you know what you are doing.
    • Download OTLPENet.exe to your desktop
    • Download Farbar Recovery Scan Tool and save it to a flash drive.
    • Download List Parts and save it to the flash drive also.
    • Ensure that you have a blank CD in the drive
    • Double click OTLPENet.exe and this will then open imgburn to burn the file to CD
    • Reboot your system using the boot CD you just created.
      Note : If you do not know how to set your computer to boot from CD follow the steps here
    • Wait for the CD to detect your hardware and load the operating system
    • Your system should now display a Reatogo desktop
      Note : as you are running from CD it is not exactly speedy
    • Insert the USB with FRST
    • Locate the flash drive with FRST and double click
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
    • Next click List Parts and then click Scan
      It will make a log Results.txt on the flash drive. Please copy and paste it to your reply.
  7. Fiery (Administrator, Staff Member)

    Also note that asking help on multiple sites will hinder and delay the removal process. Please choose to stick with one site in order to make it more efficient.

    Thanks
  8. Papirus (New Member)

    Yup, thanks for the reminder, the other request is dormant now. I submitted it, then realized that the other forum does not want me to use HijackThis or ComboFix logs. So I figure that my thread will be deleted because I did not follow the forum rules.

    OK, I got the scan log files from those tools:
    1. Reboot from CD and run the REATOGO O/S
    2. Scan (without Fix) the system using the Farbar Recovery Scan Tool [attachment=2948]
    3. Scan the hard drive partitions using the List Parts tool [attachment=2949]

    Should I use the Fix option in Farbar?

    Thanks.
  9. Fiery (Administrator, Staff Member)

    Hi there, we will be using the Fix option but first we have to create a script.

    On a different computer, open Notepad and copy & paste the following:
    and save it as fixlist.txt onto your flash drive. Boot to OTLPE again, plug in your flash drive, open FRST and click Fix. Please post the log that it creates.

    Next, on the main REATOGO Desktop locate a program called OTL or OTLPE.

    Double-click it and OTL will start. Under Custom Scan/Fixes copy and paste the following:
    • Under Extra Registry section, select Use SafeList.
    • Click the Scan All Users checkbox.
    • Click on Run Scan at the top left hand corner.
    • When done, two Notepad files will open.
      • OTListIt.txt <-- Will be opened
      • Extra.txt <-- Will be minimized
    • Please post the contents of these 2 Notepad files in your next reply.
  10. Papirus (New Member)

    OK, I have done the following steps:

    1. Reboot using OTLPE
    2. Run FRST and select Fix (no scan this time) - [attachment=2958]
    3. Close FRST
    4. Run OTLPE from desktop
    5. Select "Yes" to "Do you wish to load remote user profile for scanning?" question.
    6. Highlight "Sam" profile
    7. Check the "Automatically Load All Remaining Users?" option.
    8. Click "OK" button
    9. Paste the following text inside the custom scans/fixes textfield:
    /md5start
    services.exe
    /md5stop
    10. Check "Use Safelist" under the Extra Registry area
    11. There is no option to select "Scan all users", so nothing is done here. Also the File Age drop-down defaults to 30 days.
    12. Click the "Run Scan" button and generate the scan output as listed below:
    [attachment=2959]
    [attachment=2960]

    Thanks.
  11. Fiery (Administrator, Staff Member)

    Hi,

    Open OTL in OTLPE again. Under custom scan/fixes, copy and paste the following:
    Code:
    :OTL
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
    O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
    [2008/12/28 02:51:46 | 000,000,050 | ---- | C] () -- C:\WINDOWS\qwimp.ini
    @Alternate Data Stream - 1222 bytes -> C:\Documents and Settings\Sam\Cookies:QoSnn4svZRg0sohAo8188UBZpx4
    @Alternate Data Stream - 1215 bytes -> C:\Documents and Settings\All Users\Application Data\DRM:QbNt0gB8Ra30H67Cd
    @Alternate Data Stream - 1206 bytes -> C:\Program Files\Common Files\MSN:52qkdIvvrQxpOwOXeG
    
    :Files
    ipconfig /flushdns /c
    
    :Commands
    [EMPTYTEMP]
    [RESETHOSTS]
    
    
    Then click Run Fix. Post the log afterwards.

    After, download HitmanPro:
    1. This step can be performed in Normal Mode, so please download the latest official version of HitmanPro.
       HITMANPRO DOWNLOAD LINK: http://www.surfright.nl/en/downloads (This link will open a download page in a new window from where you can download HitmanPro)
    2. Double click on the previously downloaded file to start the HitmanPro installation.
       IF you are experiencing problems while trying to start HitmanPro, you can use the "Force Breach" mode. To start this program in Force Breach mode, hold down the left CTRL key when you start HitmanPro and all non-essential processes are terminated, including the malware process. (How to start HitmanPro in Force Breach mode - Video: http://www.youtube.com/watch?feature=player_embedded&v=m6eRWTv2STk)
    3. Click on Next to install HitmanPro on your system.
    4. The setup screen is displayed, from which you can decide whether you wish to install HitmanPro on your machine or just perform a one-time scan; select an option, then click on Next to start a system scan.
    5. HitmanPro will start scanning your system for malicious files. Depending on the size of your hard drive and the performance of your computer, this step will take several minutes.
    6. Once the scan is complete, a screen displaying all the malicious files that the program found will be shown. After reviewing each malicious object, click Next.
    7. Click Activate free license to start the free 30 day trial and remove the malicious files.
    8. HitmanPro will now start removing the infected objects, and in some instances may suggest a reboot in order to completely remove the malware from your system. In this scenario, always confirm the reboot action to be on the safe side.
    Last edited by a moderator: Mar 13, 2014
  12. Papirus (New Member)

    Hi,

    I am not sure where I should run HitmanPro. I assume it should be within the OTLPE environment too. By the way, by Normal Mode do you mean that I can run it in the standard Windows environment (with the rootkit running)?

    At any rate, I have the first log file that I got using the "Run Fix" option in OTLPE and the code that you had provided [attachment=2977].

    I tried to run it in OTLPE but I guess it only scans the CD instead of the C drive. So I ran it again in the regular Windows environment with the rootkit running and it did not find anything (just tracking cookies).

    I have attached the log here. [attachment=2978]

    Thanks.
  13. Fiery (Administrator, Staff Member)

    Yes, Windows normal mode is the standard Windows environment.
  14. Papirus (New Member)

    I forgot to mention that the McAfee Rootkit Remover tool still finds ZeroAccess after I ran HitmanPro. This is really the nastiest virus I have ever found.
  15. Fiery (Administrator, Staff Member)

    Hi,

    In the future, make a new post rather than editing your original, so I get a notification :)

    Boot to OTLPE and open OTLPE again. Under custom scan, copy and paste the following:

    • Click the Scan All Users checkbox.
    • Change Standard Registry to All
    • Check the boxes beside LOP Check and Purity Check
    • Click on Run Scan at the top left hand corner.
    • When done, two Notepad files will open.
      • OTListIt.txt <-- Will be opened
      • Extra.txt <-- Will be minimized
    • Please post the contents of these 2 Notepad files in your next reply.
  16. Papirus (New Member)

    OK.

    I still get confused when you say "Click the Scan All Users checkbox" in OTLPE. There is no such option in the OTLPE version that I have.

    I have to select "Yes" on the "Do you wish to load remote user profile for scanning?" question. Then I highlighted the "Sam" profile on the next popup window. Then I checked the "Automatically Load All Remaining Users?" option and clicked OK.

    After those steps I get to the main window and all the other options you mentioned are available on that window. Could you let me know if I am doing it incorrectly by doing the above steps?

    At any rate, I have run the scan again in OTL using OTLPE, and using the custom scan script you have provided. Below are the OTL and Extra log files. [attachment=2983] [attachment=2984]

    I also have another problem now. The ZeroAccess rootkit disabled my network drive now. I cannot connect to the internet now. I think it happened because I ran the computer too long (I was running Comodo Cleaning Essentials when it disabled the network).

    Could you also help on enabling the network? It said that it cannot get the IP address even though it has it. I used ipconfig /renew but it fails. I am at a loss on how to recover the network part.

    Thanks.
  17. Fiery (Administrator, Staff Member)

    Hi,

    Sorry about the instructions. The steps you took were correct. Your logs are not showing any malware, which is odd.

    Open OTLPE. Under custom scan/fixes, copy and paste the following:

    Then click Run Fix. Post the log afterwards.


    Next, run FRST again. Make sure all the boxes are checked before you click scan.

    After, please download Farbar Service Scanner and run it in the standard windows environment.
    • Check all the boxes.
    • Press Scan.
    • It will create a log FSS.txt in the same directory the tool is run.
    • Please copy and paste the log to your reply.
  18. Papirus (New Member)

    Hi,

    Thanks for the confirmation.

    In regards to the network problem, I think I might have caused the problems too... I ran the autorun tool from Comodo and unchecked all entries with "no file found" problems. Maybe I should check them all back? However, the OTLPE fix showed network system files missing instead... I am not sure now.

    At any rate, I have run the fix tool using OTLPE, with the script you had provided, in the OTL environment. I have attached the log here. [attachment=2991]

    Then I ran FRST again in OTLPE (and within the OTL environment) and here is the log. [attachment=2988]

    Then I ran FSS in OTLPE (and within the OTL environment) and here is the log, just for double-check purposes. [attachment=2989]

    Lastly I ran FSS in Windows normal mode and here is the log. [attachment=2990]

    One quick note: I can connect to the internet inside OTL (I guess it has the network system files set up correctly there).

    Thanks.
  19. Fiery (Administrator, Staff Member)

    Hi,

    Please download ServicesRepair and save it to your desktop.

    • Double-click ServicesRepair.exe
    • If security notifications appear, click Continue or Run and then click Yes when asked if you want to proceed.
    • Once the tool has finished, you will be prompted to restart your computer. Click Yes to restart.

    Then, delete the fixlist.txt on your flash drive and make a new one.

    Open notepad and copy & paste the following:

    and save it as fixlist.txt onto your flash drive.

    Then, boot to system recovery, plug in your flash drive, open FRST and click fix. Post the generated log.

    =============================
    Open OTLPE. Under custom scan/fixes, copy and paste the following:

    Then click Run Fix. Post the log afterwards.
    =============================
    Please download a fresh copy of Combofix from here and run it.
  20. Papirus (New Member)

    OK, here is what I did:
    1. Ran ServicesRepair in Windows Normal mode.
    2. Ran Fix using FRST in OTL mode and here is the log. [attachment=2993]
    3. Ran Fix using OTLPE in OTL mode and here is the log. [attachment=2994]
    4. Finally I ran ComboFix again in Windows Normal mode and here is the log. [attachment=2995]

    Network is still not working at this time.

    Thanks.
