ZeroAccess Rootkit

Hi Jack, I just saw your reply this morning. I tried the fix in OTL twice in safe mode but once I clicked on Run Fix and left it there for almost 2 hours, it wasn't responding.

I installed KRD on my USB from another computer and it is still scanning my laptop at the moment.
 
After scanning with KRD, if you still worry about malicious files on your PC, then start Windows in Safe Mode with Networking.
Then download and scan with Malwarebytes and HitmanPro.
Good luck to you. ;)
 
win7holic said:
After scanning with KRD, if you still worry about malicious files on your PC, then start Windows in Safe Mode with Networking.
Then download and scan with Malwarebytes and HitmanPro.

Normally he should be OK with all that.
 
xephyria said:
Hi Jack, I just saw your reply this morning. I tried the fix in OTL twice in safe mode but once I clicked on Run Fix and left it there for almost 2 hours, it wasn't responding.
Did you rename the OTL .exe to iExplorer.exe before running it?
Here is the code:

Code:
:OTL
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3987451672-638147033-4213727604-1004\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3987451672-638147033-4213727604-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.1.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{7C60CD6A-A8B0-4CAC-9C11-C4EBF776D116}: DhcpNameServer = 10.1.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{9A30652C-DA78-4742-80DC-9F48B0C2DF81}: DhcpNameServer = 10.176.66.71 10.188.66.103
[2011/10/01 21:09:03 | 000,009,728 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/10/01 21:09:03 | 000,009,728 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/10/02 00:26:13 | 000,000,000 | ---- | M] () -- C:\Windows\207992514
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
[2011/10/01 21:01:37 | 000,000,370 | ---- | M] () -- C:\Windows\tasks\RegCure Startup.job
[2011/09/24 03:00:00 | 000,000,378 | ---- | M] () -- C:\Windows\tasks\RegCure.job
:Services
:Reg
:Files
:Commands
[resethosts]
[emptytemp]
[emptyflash]
[createrestorepoint]
[reboot]
Kaspersky should detect this rootkit... don't forget to post the log of the scan after it finishes :P
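Added as a verification step (this is not code from the thread or from OTL): a read-only PowerShell check for whether the registry keys, files and scheduled-task .job files listed in the OTL fix above are still present, plus the machine's current DNS servers for comparison with the O17 lines.

```powershell
# Added check, not part of the thread or of OTL: reports whether the items the OTL
# fix above targets still exist. Read-only; run from an elevated PowerShell prompt
# (kept compatible with the Windows 7-era PowerShell 2.0: no -File switch, WMI for DNS).
$sids = '.DEFAULT', 'S-1-5-18', 'S-1-5-19', 'S-1-5-20',
        'S-1-5-21-3987451672-638147033-4213727604-1004'
$files = @(
    'C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0',
    'C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0',
    'C:\Windows\207992514',
    'C:\Windows\tasks\RegCure Startup.job',
    'C:\Windows\tasks\RegCure.job'
)
$findings = @()

# O7 lines: Internet Explorer "Control Panel" policy keys under each user hive
foreach ($sid in $sids) {
    $key = "Registry::HKEY_USERS\$($sid)\Software\Policies\Microsoft\Internet Explorer\Control Panel"
    if (Test-Path -LiteralPath $key) { $findings += "Policy key still present: $key" }
}

# NoDrives value under the interactive user's Explorer policy key
$explorerPol = 'Registry::HKEY_USERS\S-1-5-21-3987451672-638147033-4213727604-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer'
$nd = Get-ItemProperty -LiteralPath $explorerPol -Name NoDrives -ErrorAction SilentlyContinue
if ($nd -ne $null) { $findings += "NoDrives policy still set: $($nd.NoDrives)" }

# Files and scheduled-task .job files listed in the fix (-Force also finds hidden items)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $item = Get-Item -LiteralPath $f -Force
        $findings += ('File still present: {0} (attributes {1}, modified {2})' -f $f, $item.Attributes, $item.LastWriteTime)
    }
}
# The "[1 C:\Windows\System32\*.tmp files]" line: any .tmp left directly in System32
$tmps = Get-ChildItem -LiteralPath 'C:\Windows\System32' -Filter '*.tmp' -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer }
foreach ($t in $tmps) { $findings += "Temp file in System32: $($t.FullName)" }

# O17 lines: current DNS servers, to compare with the DhcpNameServer entries in the log
$nics = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
foreach ($nic in $nics) {
    if ($nic.DNSServerSearchOrder) {
        $findings += "DNS on '$($nic.Description)': $($nic.DNSServerSearchOrder -join ', ')"
    }
}

if ($findings.Count -eq 0) { 'None of the items listed in the OTL fix remain.' } else { $findings }
```

A hit only means that item was not removed by the fix, not that the item is malicious on its own; the DNS lines are printed purely so they can be compared with the 10.x addresses in the OTL listing.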
 
Yeah, I renamed it to iexplorer.exe, but it still froze.

Anyway, I tried KRD. It took about 5 hours to scan, but I think it might have gotten rid of that nasty bug. I reinstalled HitmanPro; it worked this time and nothing was detected. Malwarebytes' Anti-Malware cleared the scan too. AVG 2012 detected 10 hooks, I think, and I got rid of that. TDSSKiller also did not detect anything. I am downloading Dr. Web's CureIt at the moment, and I will post the log once it's done (:
 
Good, I think you removed it. If HMP and MBAM detect nothing and are not killed, it means you succeeded.

:D
 
I guess my laptop is clean now; the express scan from CureIt did not detect anything. The complete scan has been running for 10.5 hrs and, judging by the loading bar, it will probably take another 30 hrs!! So I think I won't be posting the log.

Thanks everyone for your help! I will come back again if I need help :)
 
No problem. You can read the many security topics on this forum on how to secure your system and never have this kind of issue.
 
I think your only hope is to re-try the Kaspersky Rescue Disk (KRD) route. Ask a friend/workmate/family member to download the software for you and, as Win7holic suggested, put it on a bootable USB by following the instructions at http://support.kaspersky.com/faq/?qid=208282163. Insert the bootable USB drive, make sure the Boot Sequence in your BIOS is set to boot from a USB device before the hard disk, and run KRD. Since this route avoids any use of your infected operating system, you should be able to run the scan and get rid of the malware. However, see the warning I posted at 04:39 pm today.

Good luck.
 