ZeroAccess removal incomplete

Homieside

Homieside

New Member
Thread author
Dec 28, 2013
7
Greetings,

Thanks for the easy to follow redirect virus removal guide, it worked very well, but I am one of the lucky ones and my virus just wont go away.
I have used McAfee for years with no issue, but it has met it's ultimate foe...ZeroAccess.
Rogue Killer keeps finding 1 last run key which it then returns an error on.

First
RogueKiller V8.8.0 _x64_ [Dec 27 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Shawn [Admin rights]
Mode : Scan -- Date : 12/28/2013 15:44:40
| ARK || FAK || MBR |
¤¤¤ Bad processes : 0 ¤¤¤
¤¤¤ Registry Entries : 8 ¤¤¤
[RUN][ZeroAccess] HKCU\[...]\Run : Google Update ("C:\Users\Shawn\AppData\Local\Google\Desktop\Install\{f4156ecb-7547-284c-2ee5-580753d84100}\?��?��?��\?��?��?��\???ﯹ๛\{f4156ecb-7547-284c-2ee5-580753d84100}\GoogleUpdate.exe" >) -> FOUND
[RUN][SUSP PATH] HKCU\[...]\Run : Orics (regsvr32.exe C:\Users\Shawn\AppData\Local\Orics\MciUsb.dll [x][-]) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Scheduled tasks : 0 ¤¤¤
¤¤¤ Startup Entries : 0 ¤¤¤
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ Browser Addons : 0 ¤¤¤
¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][Folder] Install : C:\Users\Shawn\AppData\Local\Google\Desktop\Install [-] --> FOUND
¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤
¤¤¤ External Hives: ¤¤¤
-> D:\windows\system32\config\SYSTEM | DRVINFO [Drv - D:] | SYSTEMINFO [Sys - x:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]
-> D:\windows\system32\config\SOFTWARE | DRVINFO [Drv - D:] | SYSTEMINFO [Sys - x:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]
-> D:\windows\system32\config\SECURITY | DRVINFO [Drv - D:] | SYSTEMINFO [Sys - x:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]
-> D:\windows\system32\config\SAM | DRVINFO [Drv - D:] | SYSTEMINFO [Sys - x:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]
-> D:\windows\system32\config\DEFAULT | DRVINFO [Drv - D:] | SYSTEMINFO [Sys - x:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]
¤¤¤ Infection : ZeroAccess ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

Second
RogueKiller V8.8.0 _x64_ [Dec 27 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Shawn [Admin rights]
Mode : Remove -- Date : 12/28/2013 15:46:53
| ARK || FAK || MBR |
¤¤¤ Bad processes : 0 ¤¤¤
¤¤¤ Registry Entries : 8 ¤¤¤
[RUN][ZeroAccess] HKCU\[...]\Run : Google Update ("C:\Users\Shawn\AppData\Local\Google\Desktop\Install\{f4156ecb-7547-284c-2ee5-580753d84100}\?��?��?��\?��?��?��\???ﯹ๛\{f4156ecb-7547-284c-2ee5-580753d84100}\GoogleUpdate.exe" >) -> [0xc0000034] Unknown error
[RUN][SUSP PATH] HKCU\[...]\Run : Orics (regsvr32.exe C:\Users\Shawn\AppData\Local\Orics\MciUsb.dll [x][-]) -> DELETED
[HJ POL][PUM] HKLM\[...]\System : DisableTaskMgr (0) -> DELETED
[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : DisableTaskMgr (0) -> [0x2] The system cannot find the file specified.
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : DisableRegistryTools (0) -> [0x2] The system cannot find the file specified.
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
¤¤¤ Scheduled tasks : 0 ¤¤¤
¤¤¤ Startup Entries : 0 ¤¤¤
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ Browser Addons : 0 ¤¤¤
¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][Folder] Install : C:\Users\Shawn\AppData\Local\Google\Desktop\Install [-] --> DELETED
[ZeroAccess][Folder] L : C:\Users\Shawn\AppData\Local\Google\Desktop\Install\{F4156~1\2E2F~1\28F0~1\E628~1\{F4156~1\L [-] --> DELETED
[ZeroAccess][Folder] U : C:\Users\Shawn\AppData\Local\Google\Desktop\Install\{F4156~1\2E2F~1\28F0~1\E628~1\{F4156~1\U [-] --> DELETED
[ZeroAccess][Folder] {F4156~1 : C:\Users\Shawn\AppData\Local\Google\Desktop\Install\{F4156~1\2E2F~1\28F0~1\E628~1\{F4156~1 [-] --> DELETED
[ZeroAccess][Folder] E628~1 : C:\Users\Shawn\AppData\Local\Google\Desktop\Install\{F4156~1\2E2F~1\28F0~1\E628~1 [-] --> DELETED
[ZeroAccess][Folder] 28F0~1 : C:\Users\Shawn\AppData\Local\Google\Desktop\Install\{F4156~1\2E2F~1\28F0~1 [-] --> DELETED
[ZeroAccess][Folder] 2E2F~1 : C:\Users\Shawn\AppData\Local\Google\Desktop\Install\{F4156~1\2E2F~1 [-] --> DELETED
[ZeroAccess][Folder] {F4156~1 : C:\Users\Shawn\AppData\Local\Google\Desktop\Install\{F4156~1 [-] --> DELETED
¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤
¤¤¤ External Hives: ¤¤¤
-> D:\windows\system32\config\SYSTEM | DRVINFO [Drv - D:] | SYSTEMINFO [Sys - x:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]
-> D:\windows\system32\config\SOFTWARE | DRVINFO [Drv - D:] | SYSTEMINFO [Sys - x:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]
-> D:\windows\system32\config\SECURITY | DRVINFO [Drv - D:] | SYSTEMINFO [Sys - x:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]
-> D:\windows\system32\config\SAM | DRVINFO [Drv - D:] | SYSTEMINFO [Sys - x:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]
-> D:\windows\system32\config\DEFAULT | DRVINFO [Drv - D:] | SYSTEMINFO [Sys - x:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]
¤¤¤ Infection : ZeroAccess ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

All after
RogueKiller V8.8.0 _x64_ [Dec 27 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Shawn [Admin rights]
Mode : Remove -- Date : 12/28/2013 16:56:44
| ARK || FAK || MBR |
¤¤¤ Bad processes : 0 ¤¤¤
¤¤¤ Registry Entries : 1 ¤¤¤
[RUN][ZeroAccess] HKCU\[...]\Run : Google Update ("C:\Users\Shawn\AppData\Local\Google\Desktop\Install\{f4156ecb-7547-284c-2ee5-580753d84100}\?��?��?��\?��?��?��\???ﯹ๛\{f4156ecb-7547-284c-2ee5-580753d84100}\GoogleUpdate.exe" >) -> [0xc0000034] Unknown error
¤¤¤ Scheduled tasks : 0 ¤¤¤
¤¤¤ Startup Entries : 0 ¤¤¤
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ Browser Addons : 0 ¤¤¤
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤
¤¤¤ External Hives: ¤¤¤
-> D:\windows\system32\config\SYSTEM | DRVINFO [Drv - D:] | SYSTEMINFO [Sys - x:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]
-> D:\windows\system32\config\SOFTWARE | DRVINFO [Drv - D:] | SYSTEMINFO [Sys - x:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]
-> D:\windows\system32\config\SECURITY | DRVINFO [Drv - D:] | SYSTEMINFO [Sys - x:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]
-> D:\windows\system32\config\SAM | DRVINFO [Drv - D:] | SYSTEMINFO [Sys - x:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]
-> D:\windows\system32\config\DEFAULT | DRVINFO [Drv - D:] | SYSTEMINFO [Sys - x:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]
¤¤¤ Infection : ZeroAccess ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

Any additional help is greatly appreciated, this one is tough.
 

Attachments

  • aswMBR.txt
    1.9 KB · Views: 77
  • Addition.txt
    24.6 KB · Views: 84
  • FRST.txt
    111.6 KB · Views: 90
  • AdwCleaner[S2].txt
    988 bytes · Views: 98
kuttus

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Hi and welcome to the malwaretips.com forums!

I'm Kuttus and I am going to try to assist you with your problem. Please take note of the below:
  • I will start working on your malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine!
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Refrain from running self fixes as this will hinder the malware removal process.
  • It may prove beneficial if you print of the following instructions or save them to notepad as I post them.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.


Before we start:
Please be aware that removing malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.
------------------------------------------------------------------------------------------------------------------------------

Please run the following utility so that I can get a log of your system...
STEP 1 : Run a scan with Combofix
Please read and follow very carefully the below instructions

Download ComboFix from one of the following locations:

COMBOFIX DOWNLOAD LINK #1 (This link will automatically download Combofix on your computer)
COMBOFIX DOWNLOAD LINK #2 (This link will automatically download Combofix on your computer)
----------------------------------------------------------------
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------------

How to run the Combofix scan :
  1. Double click on ComboFix.exe & follow the prompts.
  2. Accept the disclaimer and allow to update if it asks
  3. When finished, it shall produce a log for you.
  4. Please include the C:\ComboFix.txt in your next reply.

Additional notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programms being marked for deletion then reboot, that will cure it.
 
Homieside

Homieside

New Member
Thread author
Dec 28, 2013
7
Hello Kuttus and thanks for you assistance, I have attached the ComboFix log, I hope it is of value.

Best regards,
Homieside
 

Attachments

  • ComboFix.txt
    22.5 KB · Views: 95
kuttus

kuttus

Level 2
Verified
Oct 5, 2012
2,697
STEP 1: Run a scan with AdwCleaner

  1. Download AdwCleaner from the below link.
    ADWCLEANER DOWNLAOD LINK (This link will automatically download Security Check on your computer)
  2. Close all open programs and internet browsers.
  3. Double click on adwcleaner.exe to run the tool.
  4. Click on Scan,then confirm each time with Ok.
  5. After the Scan is Over press on Clean ,then confirm each time with Ok.
  6. Your computer will be rebooted automatically. A text file will open after the restart.
  7. Please post the contents of that logfile with your next reply.
  8. You can find the logfile at C:\AdwCleaner[S1].txt as well.
------------------------------------------------------------------------------------------------------------------------------

STEP 2: Run a scan with Junkware Removal Tool

Please download Junkware Removal Tool to your desktop from here
  • Turn off your antivirus software now to avoid potential conflicts
  • Double-click to run the tool. For Windows Vista or 7 users, right-click the file and select Run as Administrator
  • The tool will open and start scanning your system
  • Please be patient as this can take a while to complete depending on your system's specifications
  • On completion, a log (JRT.txt) will be saved to your desktop and will automatically open
  • Post the contents of JRT.txt into your next reply



------------------------------------------------------------------------------------------------------------------------------

Download Malwarebytes Anti-Rootkit from here to your Desktop
  • Unzip the contents to a folder on your Desktop.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Make sure there is a check next to Create Restore Point and click the Cleanup button to remove any threats. Reboot if prompted to do so.
  • After the reboot, perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If there are threats, click Cleanup once more and reboot.
  • When done, please post the two logs in the MBAR folder(mbar-log.txt and system-log.txt)


Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • When it prompts you to try their 30-day trail, click decline
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

 
Homieside

Homieside

New Member
Thread author
Dec 28, 2013
7
Hello again, here are the requested items.

FYI, while running JRT, McAfee alerted that it quarantined "artemis!DED92F725208"

Best regards
 

Attachments

  • mbam-log-2013-12-29(12-40-23).txt
    930 bytes · Views: 106
  • JRT.txt
    1.4 KB · Views: 143
  • system-log.txt
    25.2 KB · Views: 92
  • mbar-log-2013-12-29 (12-14-12).txt
    2 KB · Views: 75
  • AdwCleaner[S4].txt
    1.1 KB · Views: 78
kuttus

kuttus

Level 2
Verified
Oct 5, 2012
2,697
STEP 1: Run a HitmanPro scan
  1. Download the latest official version of HitmanPro.
    HITMANPRO DOWNLOAD LINK(This link will open a download page in a new window from where you can download HitmanPro)
  2. Start HitmanPro bydouble clicking on the previously downloaded file.and then following the prompts.
    hpro4.png
  3. Once the scan is complete, a screen displaying all the malicious files that the program found will be shown as seen in the image below.After reviewing each malicious object clickNext.
    rsz_hpro5.png
  4. ClickActivate free licenseto start the free 30 days trial and remove the malicious files.
    hpro6.png
  5. HitmanPro will now start removing the infected objects, and in some instances, may suggest a reboot in order to completely remove the malware from your system. In this scenario, always confirm the reboot action to be on the safe side.

Add to your next reply, any log that HitmanPro might generate.

STEP 2: Run a scan with ESET Online Scanner
  1. Download ESET Online Scanner utility from the below link
    ESET ONLINE SCANNER DOWNLOAD LINK (This link will automatically download ESET Online Scanner on your computer.)
  2. Double click on the Eset installer program (esetsmartinstaller_enu.exe).
  3. Check Yes, I accept the Terms of Use
  4. Click the Start button.
  5. Check Scan archives
  6. Push the Start button.
  7. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  8. When the scan completes, push List of found threats
  9. Push Export to Text file and save the file to your desktop using a unique name, such as ESET Scan. Include the contents of this report in your next reply.Note - when ESET doesn't find any threats, no report will be created.
  10. Push the back button.
  11. Push Finish

STEP 3: Run a scan with Kaspersky Virus Removal Tool
  1. Download Kaspersky Virus Removal Tool from the below link and then double click on it to start this utility.
    KASPERSKY VIRUS REMOVAL TOOL (This link open an new webpage from where you can download Kaspersky Virus Removal Tool on your computer.)
  2. Follow the onscreen prompts until it is installed
  3. Click the Options button (the 'Gear' icon), then make sure only the following are ticked:
    • System Memory
    • Hidden startup objects
    • Disk boot sectors
    • Local Disk (C: )
    • Also any other drives (Removable that you may have)
  4. Then click on Actions on the left hand side
  5. Click Select Action, then make sure both Disinfect and Delete if disinfection fails are ticked
  6. Click on Automatic Scan
  7. Now click the Start Scanning button, to run the scan
  8. After the scan is complete, click the reports button ('Paper icon', next to the 'Gear' icon) on the right hand side
  9. Click Detected threats on the left
  10. Now click the Save button, and save it as kaslog.txt to your Desktop
  11. Please attach kaslog.txt in your next reply.
 
Homieside

Homieside

New Member
Thread author
Dec 28, 2013
7
Only Eset found anything... the others "no threats detected"

Best regards,
 

Attachments

  • eset12-30-13.txt
    134 bytes · Views: 92
kuttus

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
 
kuttus

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Now please download this file and save it to the same location of FRST.

Open FRST and click fix. Post the generated log.
 

Attachments

  • fixlist.txt
    370 bytes · Views: 101
Homieside

Homieside

New Member
Thread author
Dec 28, 2013
7
I will need to surf a while to see if there are anymore redirects, will report back.

Thanks for your assistance!

What exactly would have removed the bogus registry lines?
 

Similar threads

Victor M
New Update Chrome 124 Ubuntu 24.04 LTS Apparmor profile
Replies
1
Views
866
ChromeOS & Linux
Victor M
Victor M
J
  • Locked
I need help with a Malware Spanish logs
Replies
2
Views
2,283
Windows Malware Removal Help & Support
nasdaq
nasdaq
F
    • Like
  • Locked
Service Host: Network List Service...Virus?
Replies
11
Views
2,358
Windows Malware Removal Help & Support
nasdaq
nasdaq

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top