Is my PC Infected?

Tilleylamp1

New Member
Thread author
Verified
Dec 9, 2013
18
Hi, I think my PC is infected but am not sure if it actually is or how to remove any virus. My PC is running a bit slower and not all my programmes work, such as Adobe. A couple of weeks ago I had a bogus security virus which I got rid of by using a set of removal instructions on this site; thanks Jack! Since then I have run the Anvi Smart Defender checker and it tells me that I have the Trojan ZAccess on my computer. I have tried your removal guide three times now but Kaspersky, Malwarebytes, Hitman Pro etc. have all recorded clean scans. Immediately though, Anvi Smart Defender tells me the ZAccess is still present. The poor performance of my PC and inability to work normally has got quite frustrating, so I am wondering if you can advise me on what to do next please? Many thanks in anticipation.
 

Attachments

  • aswMBRreport.txt
    2 KB · Views: 79
  • AdwCleaner[S0].txt
    2.1 KB · Views: 81
  • Addition.txt
    27 KB · Views: 86
  • FRST_10-12-2013_19-34-52.txt
    116.6 KB · Views: 80

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Hi, I'll be working with you :)


1. Please download ComboFix by sUBs from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) carefully.
Note: ComboFix must be downloaded to your Desktop.


--------------------------------------------------------------------
2. Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this (http://www.techsupportforum.com/forums/f50/how-to-disable-your-security-applications-490111.html) or this Instruction.

Instructions how to disable avast:
  • Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
  • In the window that opens on the top right corner, click Settings.
  • In a new window that opens, choose the option Troubleshooting, Uncheck Enable avast! self-defense, and click OK.
  • Again, right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls.
  • In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn on this option after the cleaning.

--------------------------------------------------------------------
3. Run ComboFix. Click on I Agree!

ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note: Do not mouse-click ComboFix's window while it is running.
If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion" just restart computer once more.


--------------------------------------------------------------------
4. When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt )
Attach log reports ( ComboFix.txt) back to topic.
 

Gnosis

Level 5
Apr 26, 2011
2,779
Try to uninstall Adobe and reinstall it. I have had many problems with Adobe, even BSOD's.
Utilize Emsisoft's online scanner after that.
 


Tilleylamp1

New Member
Thread author
Verified
Dec 9, 2013
18
Hi, thanks for agreeing to help. Ran ComboFix as requested and report attached, could not find .txt so hope this is the right one!
 

Attachments

  • Resident.txt
    347 bytes · Views: 71

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Did ComboFix finish its scan? Did you get Notepad opened at the end?

Try to find report at the C:\ or in C:\Qoobox folder...
 

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Try to uninstall Adobe and reinstall it. I have had many problems with Adobe, even BSOD's.
Utilize Emsisoft's online scanner after that.

There are signs of Zero Access rootkit, so this won't help. Thanks for your thought, but let me continue...
 

Tilleylamp1

New Member
Thread author
Verified
Dec 9, 2013
18
Did ComboFix finish its scan? Did you get Notepad opened at the end?

Try to find report at the C:\ or in C:\Qoobox folder...

Oh dear, I must admit that I did not let it finish the full scan but have rerun ComboFix and the notepad was there. I had previously closed the notepad down when it first appeared as 'administrator', thinking I would be able to upload the notepad from either desktop or C: as you suggested. Unfortunately I cannot find ComboFix.txt anywhere on my system. I can only find Qoobox, which has two sub folders: Backenv and Quarantine. Quarantine has a sub folder named C and within that I can see Program Data and Windows folders and Registry. Within the latter is one folder called Backups. Nowhere within Qoobox can I find any file with .txt, even after a restart. On a more positive side, once I had rebooted I ran Anvi Smart Defender and for the first time in a month it came back with a completely clean scan, which is encouraging. Unfortunately, when I tried to run an add-on I have been having problems with, it still would not work properly. Where do you want me to go from here?
 

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Download attached fixlist.txt on the same location as FRST (otherwise the fix won't work)

Open FRST, and click Fix. Attach me that report after it is finished.


After that, re-run ComboFix following instructions above, but let it run uninterrupted...
 

Attachments

  • fixlist.txt
    404 bytes · Views: 73

Tilleylamp1

New Member
Thread author
Verified
Dec 9, 2013
18
Download attached fixlist.txt on the same location as FRST (otherwise the fix won't work)

Open FRST, and click Fix. Attach me that report after it is finished.


After that, re-run ComboFix following instructions above, but let it run uninterrupted...


Hi, thanks very much for this. I know I am probably being a bit dense here but when you say download to the same location as FRST, where is that likely to be? From memory I downloaded FRST last night and copied it to my desktop, where I ran it from. Presumably I won't save the fixlist.txt to desktop, so am I right in saying that I download it to the C: where I am assuming the original FRST download will be? Unfortunately I am at work so cannot be more specific on things, but I want to get on to this as soon as I get home tonight. As there is the chance of a fix not working I want to be absolutely sure about what I have to do. Grateful for your continued help.
 

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
FRST stores its files at C:\FRST, but you downloaded/ran it from the Downloads folder. Either move FRST to the Desktop and download fixlist.txt to the Desktop too, or download fixlist.txt into the Downloads folder and run FRST from there.

Important thing only is that FRST and fixlist.txt are on the same location/same folder :)
 

Tilleylamp1

New Member
Thread author
Verified
Dec 9, 2013
18
First phase completed and log attached,

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 10-12-2013
Ran by Dave at 2013-12-11 18:55:21 Run:1
Running from C:\Users\Dave\Downloads
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
MountPoints2: {028eeb9c-a697-11e0-b002-806e6f6e6963} - D:\stub.exe
MountPoints2: {0709290e-aca6-11e0-a9cf-f04da2f86349} - F:\LaunchU3.exe -a
cmd: netsh winsock reset
C:\ProgramData\dlfod7lwl.ctrl
C:\ProgramData\dlfod7lwl.pff
C:\ProgramData\gifnocsm.pad
C:\Users\Dave\AppData\Local\Temp
cmd: ipconfig /flushdns
*****************

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\Google Update* => Value deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{028eeb9c-a697-11e0-b002-806e6f6e6963} => Key not found.
HKCR\CLSID\{028eeb9c-a697-11e0-b002-806e6f6e6963} => Key not found.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0709290e-aca6-11e0-a9cf-f04da2f86349} => Key not found.
HKCR\CLSID\{0709290e-aca6-11e0-a9cf-f04da2f86349} => Key not found.

========= netsh winsock reset =========


Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.


========= End of CMD: =========

C:\ProgramData\dlfod7lwl.ctrl => Moved successfully.
C:\ProgramData\dlfod7lwl.pff => Moved successfully.
"C:\ProgramData\gifnocsm.pad" => File/Directory not found.

"C:\Users\Dave\AppData\Local\Temp" directory move:

C:\Users\Dave\AppData\Local\Temp\AdobeARM.log => Moved successfully.
Could not move "C:\Users\Dave\AppData\Local\Temp\FXSAPIDebugLogFile.txt" => Scheduled to move on reboot.
Could not move "C:\Users\Dave\AppData\Local\Temp\JavaDeployReg.log" => Scheduled to move on reboot.
C:\Users\Dave\AppData\Local\Temp\jusched.log => Moved successfully.
C:\Users\Dave\AppData\Local\Temp\users00 => Moved successfully.
C:\Users\Dave\AppData\Local\Temp\~DF15CF15D293E4CC5E.TMP => Moved successfully.
C:\Users\Dave\AppData\Local\Temp\~DF2CA90F1C70379C17.TMP => Moved successfully.
C:\Users\Dave\AppData\Local\Temp\~DF4303580E491A1084.TMP => Moved successfully.
C:\Users\Dave\AppData\Local\Temp\~DF5FC1031B372AF5AB.TMP => Moved successfully.
C:\Users\Dave\AppData\Local\Temp\~DF68A01884F21248A5.TMP => Moved successfully.
C:\Users\Dave\AppData\Local\Temp\~DF68F0D0F08805CAE9.TMP => Moved successfully.
C:\Users\Dave\AppData\Local\Temp\~DF95D68824C07920E5.TMP => Moved successfully.
C:\Users\Dave\AppData\Local\Temp\~DFA2ABDD1903C43BD6.TMP => Moved successfully.
C:\Users\Dave\AppData\Local\Temp\~DFA5F0E81311A94609.TMP => Moved successfully.
C:\Users\Dave\AppData\Local\Temp\~e5d141.tmp => Moved successfully.
C:\Users\Dave\AppData\Local\Temp\~efe1d6\~de160b.tmp => Moved successfully.
C:\Users\Dave\AppData\Local\Temp\~efe1d6\~df394b.tmp => Moved successfully.
C:\Users\Dave\AppData\Local\Temp\~efe1d6\~efe2.tmp => Moved successfully.
Could not move "C:\Users\Dave\AppData\Local\Temp" directory. => Scheduled to move on reboot.


========= ipconfig /flushdns =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========


=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2013-12-11 18:57:02)<=

"C:\Users\Dave\AppData\Local\Temp\FXSAPIDebugLogFile.txt" => File could not move.
C:\Users\Dave\AppData\Local\Temp\JavaDeployReg.log => Moved successfully.
"C:\Users\Dave\AppData\Local\Temp" => Directory could not move.

==== End of Fixlog ====
 

Attachments

  • Fixlog.txt
    3.6 KB · Views: 56
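As an added example (not from the thread, and not FRST's own code), a small Python parser for the Fixlog format quoted in the post above. It maps each registry key or file path to its final outcome, letting the post-reboot "Result of Scheduled Files to move" section override the earlier "Scheduled to move on reboot" lines, so that the items which still could not be moved stand out. The sample log is a constructed, abridged copy of the one in the post.

```python
import re

# One Fixlog outcome line: optional "Could not move " prefix, optional quotes,
# optional " directory." suffix, then " => <result>." (pattern is an assumption
# derived from the log lines in this thread, not an FRST specification)
OUTCOME_RE = re.compile(
    r'^(?:Could not move )?"?(?P<target>.+?)"?(?: directory\.?)? => (?P<result>.+?)\.?$'
)

# Constructed sample, abridged from the Fixlog quoted above
SAMPLE_FIXLOG = r"""
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\Google Update* => Value deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{028eeb9c-a697-11e0-b002-806e6f6e6963} => Key not found.
C:\ProgramData\dlfod7lwl.ctrl => Moved successfully.
"C:\ProgramData\gifnocsm.pad" => File/Directory not found.
"C:\Users\Dave\AppData\Local\Temp" directory move:
Could not move "C:\Users\Dave\AppData\Local\Temp\FXSAPIDebugLogFile.txt" => Scheduled to move on reboot.
Could not move "C:\Users\Dave\AppData\Local\Temp\JavaDeployReg.log" => Scheduled to move on reboot.
Could not move "C:\Users\Dave\AppData\Local\Temp" directory. => Scheduled to move on reboot.
=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2013-12-11 18:57:02)<=
"C:\Users\Dave\AppData\Local\Temp\FXSAPIDebugLogFile.txt" => File could not move.
C:\Users\Dave\AppData\Local\Temp\JavaDeployReg.log => Moved successfully.
"C:\Users\Dave\AppData\Local\Temp" => Directory could not move.
==== End of Fixlog ====
"""


def classify(result: str) -> str:
    """Reduce FRST's free-text result to a small status vocabulary."""
    r = result.lower()
    if "successfully" in r:
        return "done"
    if "not found" in r:
        return "not_found"
    if "scheduled" in r:
        return "pending_reboot"
    if "could not" in r:
        return "failed"
    return "unknown"


def parse_fixlog(text: str) -> dict:
    """Map each target to its final status; later lines (post-reboot results) win."""
    status = {}
    for line in text.splitlines():
        m = OUTCOME_RE.match(line.strip())
        if m:  # section headers, blank lines and command output do not match
            status[m["target"]] = classify(m["result"])
    return status


def summarize(status: dict) -> dict:
    """Count targets per final status, e.g. {'done': 3, 'not_found': 2, 'failed': 2}."""
    counts = {}
    for s in status.values():
        counts[s] = counts.get(s, 0) + 1
    return counts


def needs_followup(status: dict) -> list:
    """Targets that were neither removed nor confirmed absent."""
    return sorted(t for t, s in status.items() if s in ("failed", "pending_reboot", "unknown"))
```

Run over the sample, the two items still locked after the reboot (the Temp folder and one log inside it) are the only ones returned by `needs_followup`.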

Tilleylamp1

New Member
Thread author
Verified
Dec 9, 2013
18
Couldn't find the notepad for ComboFix after I ran it so I did a cut and paste which might prove useful if you need me to send it?
 

Tilleylamp1

New Member
Thread author
Verified
Dec 9, 2013
18
Could be wrong but by looking at the timings for these text files in C:\Qoobox I think these are the notes for last night and after the run tonight. Hope these are the ones as there is no folder under C: for ComboFix.
 

Attachments

  • Add-Remove Programs.txt
    4.3 KB · Views: 87
  • ComboFix2.txt
    23.9 KB · Views: 62
  • ComboFix-quarantined-files.txt
    1.2 KB · Views: 145

Tilleylamp1

New Member
Thread author
Verified
Dec 9, 2013
18
Ok, PC seems clean, any remaining problems?

That's great news, thanks for all your help. The only problems now seem to be opening some documents, an add-on and attachments; certainly Adobe still isn't working - should I reinstall that? Also, I noticed that I have about 12 Windows updates which I take it I can now install (my understanding was that Zero Access would not allow updates to be installed) and hopefully that might help. Is it worth me running the Windows disc and carrying out the repair function?
 

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.
 
