Rootkit.Zeroaccess

schoj05

New Member
Thread author
Verified
May 11, 2013
17
OK, I went into Directory Services Restore Mode through Safe Boot; still no internet connection through wireless or Ethernet cable. Do you want me to try anything else in there?
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
In Windows Advanced Boot Options you can see an option called Directory Services Restore Mode. It is something like Safe Mode with Networking.
 

schoj05

New Member
Thread author
Verified
May 11, 2013
17
Yes, I have been in there; it makes no difference in being able to connect to the internet, either wireless or through Ethernet cable.

Is that what you wanted me to try?
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Yes.

  1. Press the "Windows" and "R" keys. Type "ncpa.cpl" in Run and click "OK". This opens the Network Connections component in a new window.
  2. Locate the "Local Area Connection" icon. Right-click the icon and click "Enable". The adapter is now enabled. Continue reading if you do not see this icon.
  3. Press the "Windows" and "R" keys. Type "devmgmt.msc" in Run and click "OK" to open Device Manager.
  4. Click the arrow next to "Network adapters". This expands all network devices installed on the computer.
  5. Right-click the adapter and click "Enable".
 

schoj05

New Member
Thread author
Verified
May 11, 2013
17
Hi Kuttus

I tried a programme recommended to me called Windows Repair, which I ran, and it has fixed my internet connection issues; I can now connect to the internet through Safe Mode with Networking.

As soon as I did that, I ran HitmanPro for the first time and it caught 7 threats that were still active on my laptop.

Report has been posted:

Code:
HitmanPro 3.7.3.194
www.hitmanpro.com

   Computer name . . . . : JONATHANS
   Windows . . . . . . . : 6.1.1.7601.X86/2
   Safe Mode Boot  . . . : NETWORK
   User name . . . . . . : Jonathans\Jona
   UAC . . . . . . . . . : Disabled
   License . . . . . . . : Trial (30 days left)

   Scan date . . . . . . : 2013-05-13 22:51:02
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 5m 3s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : Yes

   Threats . . . . . . . : 2
   Traces  . . . . . . . : 5

   Objects scanned . . . : 1,213,214
   Files scanned . . . . : 23,512
   Remnants scanned  . . : 352,254 files / 837,448 keys

Malware _____________________________________________________________________

   C:\ProgramData\Microsoft\Media Tools\MediaIconsOverlays.dll -> Quarantined
      Size . . . . . . . : 225,280 bytes
      Age  . . . . . . . : 5.0 days (2013-05-08 22:18:09)
      Entropy  . . . . . : 6.4
      SHA-256  . . . . . : E6A37A94CF4998E0DA0EFAAABB179899B445F1453CF355EA729D1DCD2B8B63FE
      Needs elevation  . : Yes
      Product  . . . . . : Online files icon's overlay
      Publisher  . . . . : Microsoft
      Description  . . . : Online files icon's overlay
      Version  . . . . . : 1.0.2.5
      Copyright  . . . . : Microsoft
      Gossip . . . . . . : crosoft
    > Emsisoft . . . . . : Trojan.Win32.Agent.amn!A2
      Fuzzy  . . . . . . : 117.0
         One or more antivirus vendors have indicated that the file is malicious.
         This file was most recently added as automatic startup.
         Program starts automatically without user intervention.
         Time indicates that the file appeared recently on this computer.
         The file is in use by one or more active processes.
         The file appears to be part of an installation package or setup program. This is typical for most programs.
      Startup
         HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellIconOverlayIdentifiers\1MediaIconsOverlay\
      References
         HKLM\SOFTWARE\Classes\CLSID\{1EC23CFF-4C58-458f-924C-8519AEF61B32}\
      Forensic Cluster
         -0.0s C:\ProgramData\Microsoft\Media Tools\
          0.0s C:\ProgramData\Microsoft\Media Tools\MediaIconsOverlays.dll
          3.0s C:\ProgramData\Microsoft\Media Tools\temp\
          7.0s C:\ProgramData\Microsoft\Media Tools\plugins\


Malware remnants ____________________________________________________________

   HKU\S-1-5-21-3659869320-2491200586-312378291-1000\Software\Microsoft\Internet Explorer\LowRegistry\Extensions\CmdMapping\{B58926D6-CFB0-45d2-9C28-4B5A0F0368AE} (Adware.ClickPotato) -> Deleted
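The quarantined file above was loaded through a shell icon overlay handler: an entry under ShellIconOverlayIdentifiers whose value is a CLSID, and whose CLSID resolves to a DLL in C:\ProgramData that carries "Microsoft" in its version information. The PowerShell below is an added example, not part of the thread and not HitmanPro's logic; it walks that key, resolves each CLSID to its InprocServer32 DLL and flags the things a responder would check: DLL missing or outside the Windows and Program Files trees, no valid Authenticode signature, version info claiming Microsoft while the signature does not, and a name that sorts before letters (Explorer loads at most 15 overlay handlers in sort order, so both vendors and malware grab early slots; "1MediaIconsOverlay" above is an example). The trusted-directory list and the "claims Microsoft" heuristic are this example's own choices. Run elevated; it only reads, nothing is removed.

```powershell
# Added example (not from the thread or HitmanPro): enumerate shell icon overlay
# handlers, resolve CLSID -> DLL and flag entries worth a closer look. Read-only.
$overlayKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers'
$clsidRoots = 'HKLM:\SOFTWARE\Classes\CLSID',
              'HKLM:\SOFTWARE\Wow6432Node\Classes\CLSID',
              'HKCU:\SOFTWARE\Classes\CLSID'
# Example's own notion of "expected" locations; ProgramData/AppData are deliberately absent.
$trustedDirs = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

function Resolve-OverlayDll([string]$clsid) {
    # The overlay entry's default value is a CLSID; that CLSID's InprocServer32
    # default value is the DLL Explorer will load.
    foreach ($root in $clsidRoots) {
        $srv = Join-Path $root "$clsid\InprocServer32"
        if (Test-Path $srv) {
            $raw = (Get-ItemProperty -Path $srv).'(default)'
            if ($raw) { return [Environment]::ExpandEnvironmentVariables($raw.Trim('"')) }
        }
    }
    return $null
}

function Test-OverlayEntry($key) {
    $name  = $key.PSChildName
    $clsid = (Get-ItemProperty -Path $key.PSPath).'(default)'
    $dll   = Resolve-OverlayDll $clsid
    $flags = @()
    if (-not $dll)                { $flags += 'CLSID has no InprocServer32' }
    elseif (-not (Test-Path $dll)) { $flags += 'DLL missing on disk' }
    else {
        $trusted = $false
        foreach ($d in $trustedDirs) { if ($dll.StartsWith($d, 'OrdinalIgnoreCase')) { $trusted = $true } }
        if (-not $trusted) { $flags += 'DLL outside Windows/Program Files' }

        $sig = Get-AuthenticodeSignature -FilePath $dll
        if ($sig.Status -ne 'Valid') { $flags += "Authenticode $($sig.Status)" }

        # Version-info strings are free text; only the signature proves who built it.
        $company = (Get-Item $dll).VersionInfo.CompanyName
        if ($company -match 'Microsoft' -and
            ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft')) {
            $flags += 'version info claims Microsoft, signature does not'
        }
    }
    # Informational: legitimate vendors do this too (leading space/digit to sort first).
    if ($name -match '^[^A-Za-z]') { $flags += 'name sorts before letters' }

    New-Object PSObject -Property @{ Entry = $name; CLSID = $clsid; Dll = $dll; Flags = ($flags -join '; ') }
}

Get-ChildItem $overlayKey | ForEach-Object { Test-OverlayEntry $_ } |
    Select-Object Entry, CLSID, Dll, Flags | Format-Table -AutoSize -Wrap
```

Flags are prompts for review, not verdicts: Dropbox- or OneDrive-style overlays installed per user will trip the directory check. For a flagged DLL, `certutil -hashfile <path> SHA256` gives a hash to compare against the SHA-256 in the HitmanPro report above, and the CLSID subkey plus the overlay entry are the two registry locations the report lists under Startup and References.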
 

schoj05

New Member
Thread author
Verified
May 11, 2013
17
Hi
Yes, I am connected in normal mode as well; the computer is still a little slow at opening screens such as My Computer. I don't think there is any further virus; however, I can't be certain. What would you suggest doing now?
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Please run Autoruns and send me screenshots of the Scheduled Tasks, Winlogon and Internet Explorer tabs.


To take a screenshot:
  1. Press the PRINT SCREEN (Prt Scr) key on your keyboard.
  2. Open Paint by clicking the Start button, clicking All Programs, clicking Accessories, and then clicking Paint.
  3. In Paint, click Edit, and then click Paste.
  4. Save the file on your computer by clicking File --> Save.
Attach the saved file to your next reply.
 

schoj05

New Member
Thread author
Verified
May 11, 2013
17
Apologies for the delay. OK, I have attached the document below.

1st screenshot is Internet Explorer
2nd screenshot is Scheduled Tasks

Winlogon was empty, so I didn't take a screenshot.
 

Attachments

  • Fixpc.docx
    327.1 KB · Views: 106

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Hi,

You sent only the screenshot of Scheduled Tasks. Please disable everything in Scheduled Tasks & Internet Explorer and restart the computer. Then send me the screenshots of Scheduled Tasks & Internet Explorer.

You can disable all items that are marked yellow, as those are broken ones.
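A text export serves the two requests above (the Autoruns Scheduled Tasks, Winlogon and Internet Explorer tabs, and the follow-up to disable the yellow entries) better than screenshots, which can be cropped and cannot be searched. The PowerShell below is an added example, not part of the thread: it runs autorunsc, the command-line version of Autoruns, for exactly those three categories, then triages the rows. It assumes autorunsc.exe from the Sysinternals suite is in the current directory or on PATH and is run elevated; the CSV column names it looks up by name are the ones autorunsc emits with -c and -s, and it stops with an error if a build renames them rather than reporting nothing. The user-writable directory list is this example's own choice.

```powershell
# Added example (not from the thread): dump the Autoruns categories kuttus asked for
# (i = Internet Explorer add-ons, t = scheduled tasks, w = Winlogon) with autorunsc,
# verify signatures and hashes, and flag rows worth a look. Run elevated.
$exe = if (Test-Path '.\autorunsc.exe') { '.\autorunsc.exe' } else { 'autorunsc.exe' }
# -a itw selects the categories; -c CSV output; -h file hashes; -s verify Authenticode.
$rows = @(& $exe -accepteula -nobanner -a itw -c -h -s | ConvertFrom-Csv)

# Fail loudly if this autorunsc build names its columns differently.
$cols = @()
if ($rows.Count -gt 0) { $cols = @($rows[0].PSObject.Properties | ForEach-Object { $_.Name }) }
foreach ($c in 'Entry Location', 'Entry', 'Enabled', 'Category', 'Image Path', 'Signer') {
    if ($cols -notcontains $c) { throw "autorunsc output has no '$c' column; got: $($cols -join ', ')" }
}

# Places a non-admin user (and therefore most droppers) can write to.
$userWritable = @($env:ProgramData, $env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) | Where-Object { $_ }

function Get-AutorunFlags($row) {
    $flags = @()
    $path = [string]$row.'Image Path'
    # Autoruns shows these rows in yellow; the target file no longer exists.
    if (-not $path -or $path -match '^File not found') { $flags += 'image missing (yellow in Autoruns)' }
    else {
        foreach ($d in $userWritable) {
            if ($path.StartsWith($d, 'OrdinalIgnoreCase')) { $flags += 'runs from user-writable dir'; break }
        }
        # With -s the Signer column starts with "(Verified)" only for a valid Authenticode chain.
        if ($row.Signer -notmatch '^\(Verified\)') { $flags += 'not Authenticode-verified' }
    }
    return $flags
}

$report = foreach ($r in $rows) {
    $f = Get-AutorunFlags $r
    if ($f.Count -gt 0) {
        New-Object PSObject -Property @{
            Category = $r.Category; Entry = $r.Entry; Enabled = $r.Enabled;
            Location = $r.'Entry Location'; Image = $r.'Image Path'; Flags = ($f -join '; ')
        }
    }
}

$report | Select-Object Category, Enabled, Entry, Image, Flags | Format-Table -AutoSize -Wrap
"{0} entries scanned, {1} flagged" -f $rows.Count, @($report).Count
```

The "image missing" rows are the yellow ones in the GUI and can be disabled as kuttus says; the other two flags are review prompts, since legitimate per-user software also runs unsigned from AppData. Because -h is passed, the SHA-256 column is present for every row and can be compared with hashes from scanner reports such as the HitmanPro one earlier in this thread. If the piped output looks garbled, redirect autorunsc to a file from cmd.exe instead and read it with Import-Csv.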
 
