Windows Malware Removal Help & Support
ZeroAccess Rootkit
Quoted post by Jack (post 25203):

STEP 1: Run the OTL Fix

1. Start OTL again.
2. Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL.
   (screenshot: http://i.imgur.com/Ratzw.png)

[code]
:OTL
PRC - C:\Windows\207992514:1028233971.exe File not found
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3987451672-638147033-4213727604-1004\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3987451672-638147033-4213727604-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.1.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{7C60CD6A-A8B0-4CAC-9C11-C4EBF776D116}: DhcpNameServer = 10.1.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{9A30652C-DA78-4742-80DC-9F48B0C2DF81}: DhcpNameServer = 10.176.66.71 10.188.66.103
[2011/10/01 21:09:03 | 000,009,728 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/10/01 21:09:03 | 000,009,728 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/10/02 00:26:13 | 000,000,000 | ---- | M] () -- C:\Windows\207992514
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
[2011/10/01 21:01:37 | 000,000,370 | ---- | M] () -- C:\Windows\tasks\RegCure Startup.job
[2011/09/24 03:00:00 | 000,000,378 | ---- | M] () -- C:\Windows\tasks\RegCure.job
:Services
:Reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
""="\"%1\" %*"
:Files
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[emptytemp]
[emptyflash]
[createrestorepoint]
[reboot]
[/code]

3. Then click the Run Fix button at the top.
4. Let the program run unhindered, and reboot the PC when it is done.

STEP 2: Start your computer in Safe Mode with Networking

1. Remove all floppy disks, CDs, and DVDs from your computer, and then restart your computer.
2. Do one of the following:
   - If your computer has a single operating system installed, press and hold the F8 key as your computer restarts. You need to press F8 before the Windows logo appears. If the Windows logo appears, you will need to try again by waiting until the Windows logon prompt appears, and then shutting down and restarting your computer.
   - If your computer has more than one operating system, use the arrow keys to highlight the operating system you want to start in safe mode, and then press F8.
3. On the Advanced Boot Options screen, use the arrow keys to highlight Safe Mode with Networking, and then press ENTER. For more information about options, see Advanced startup options (including safe mode): http://windows.microsoft.com/en-US/windows-vista/Advanced-startup-options-including-safe-mode
   (screenshot: http://i.imgur.com/I6J8P.jpg)
4. Log on to your computer with a user account that has administrator rights.

STEP 3: Download and run RKill to terminate known malware processes.

(RKill: http://www.bleepingcomputer.com/download/anti-virus/rkill)

1. Download RKill: http://download.bleepingcomputer.com/grinler/iExplore.exe
2. Double-click on the RKill icon in order to automatically attempt to stop any processes associated with this rogue.
   (screenshot: http://i.imgur.com/ZnT7s.png)
3. Now RKill will start working in the background; please be patient while the program looks for various malware programs and tries to end them.
   (screenshot: http://i.imgur.com/gATdF.png)
   - If you receive a message that RKill is an infection, that is a fake warning given by the rogue. As a possible solution we advise you to leave the warning on the screen and then try to run RKill again. Run RKill until the fake program is not visible, but not more than ten times.
   - If you continue having problems running RKill, you can download the other renamed versions of RKill from the above links.
4. When RKill has completed its task, it will generate a log. You can then proceed with the rest of the guide.

Note: Do not reboot your computer after running RKill, as the malware programs will start again.

STEP 4: Download and run TDSSKiller

1. Please download the latest official version of TDSSKiller: http://support.kaspersky.com/downloads/utils/tdsskiller.exe
   (screenshot: http://i.imgur.com/0aTRt.gif)
2. Before you can run TDSSKiller, you first need to rename it so that you can get it to run. To do this, right-click on the TDSSKiller.exe icon that should now be on your Desktop and select Rename. You can now rename it to iExplorer.exe
   [code]iExplorer.exe[/code]
   (screenshot: http://i.imgur.com/ZXhAz.png)
3. Once the file is renamed, double-click on it to launch it.
4. TDSSKiller will now start and display the welcome screen as shown below. In order to start a system scan, press the 'Start Scan' button.
   (screenshot: http://i.imgur.com/wmoCi.png)
5. TDSSKiller will now scan your computer for the TDSS infection.
   (screenshot: http://i.imgur.com/C5myc.png)
6. When the scan has finished it will display a result screen stating whether or not the infection was found on your computer. If it was found it will display a screen similar to the one below.
   (screenshot: http://i.imgur.com/7zchO.png)
7. To remove the infection simply click on the Continue button and TDSSKiller will attempt to clean the infection.
8. A reboot might be required to completely remove the malware from your system. In this scenario, always confirm the reboot action to be on the safe side.
9. A log will be generated; please post it in your next reply.

STEP 5: Download and run a scan with Dr.Web CureIt!

Download Dr.Web CureIt from ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe and rename it to iExplorer.exe.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:

1. Double-click on iExplorer.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
2. Read the anti-virus check by DrWeb scanner prompt and click Yes where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs. Be patient as loading of this file is not immediate.
3. The Express scan will automatically begin. (This is a preliminary scan of files currently running in memory, boot sectors, and targeted folders.)
4. If prompted to download the Full version Free Trial, just ignore and click the X to close the window.
5. If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured.)
6. After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
7. In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, OK.
8. Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
9. Please be patient as this scan could take a long time to complete.
10. When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
11. Click Select All, then choose Cure > Move incurable.
12. In the top menu, click File and choose Save report list.
13. Save the DrWeb.csv report to your desktop.
14. Exit Dr.Web CureIt when done.
15. Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
16. After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)
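An added example, written by the editor rather than taken from Jack's post or from the OTL, RKill, TDSSKiller or Dr.Web projects, that parses lines in the format of the OTL fix quoted above and reports what a responder should notice in them. Three points the post lists but does not explain: the PRC entry's path `C:\Windows\207992514:1028233971.exe` uses the NTFS `host:stream` notation, so the image lives in an alternate data stream attached to the directory `C:\Windows\207992514`, which is why that directory also appears as a zero-byte entry in the list; the `:Reg` section uses .reg syntax to rewrite the default value of `exefile\shell\open\command`, and the parser shows the resulting value against the stock Windows `"%1" %*`; and the `-H--` attribute column marks the two hidden files in System32. The sample lines are constructed from the post, and the function names (`split_ads`, `parse_reg_default`, `parse_otl_file_line`, `triage`) are this example's own.

```python
"""Triage OTL-style log lines of the kind quoted in the post above (added example)."""
import re

# Constructed sample: lines taken from the OTL fix quoted in the post, plus the
# registry key and default-value assignment from its :Reg section.
SAMPLE_LINES = [
    r"PRC - C:\Windows\207992514:1028233971.exe File not found",
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.1.1.1",
    r"[2011/10/01 21:09:03 | 000,009,728 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0",
    r"[2011/10/02 00:26:13 | 000,000,000 | ---- | M] () -- C:\Windows\207992514",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]",
    r'""="\"%1\" %*"',
]

# Stock default value of HKLM\SOFTWARE\Classes\exefile\shell\open\command on Windows.
EXEFILE_STOCK_COMMAND = '"%1" %*'

# OTL file/folder line: [timestamp | size | attributes | C or M] () -- path
OTL_FILE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[\w-]{4}) \| [CM]\] \(\) -- (?P<path>.+)$"
)


def split_ads(path):
    """Split a Windows path into (host, stream).

    NTFS writes an alternate data stream as host:stream. The colon after the
    drive letter is not a stream separator, so only a second colon counts.
    """
    drive, sep, rest = path.partition(":")
    if sep and ":" in rest:
        host, _, stream = rest.partition(":")
        return drive + ":" + host, stream
    return path, None


def parse_reg_default(line):
    """Parse a .reg-style default-value assignment (the ""="..." form).

    OTL's :Reg section uses .reg syntax: "" names the key's default value and a
    backslash escapes a quote or a backslash inside the string.
    """
    m = re.match(r'^""="(.*)"$', line.strip())
    if not m:
        raise ValueError("not a default-value assignment: " + line)
    return re.sub(r'\\(["\\])', r"\1", m.group(1))


def exefile_command_is_stock(value):
    """True when an exefile open command is the unmodified Windows default."""
    return value.strip() == EXEFILE_STOCK_COMMAND


def parse_otl_file_line(line):
    """Parse one OTL file line into a dict, or return None for other line types."""
    m = OTL_FILE_RE.match(line.strip())
    if not m:
        return None
    attrs = m.group("attrs")
    return {
        "timestamp": m.group("ts"),
        "size": int(m.group("size").replace(",", "")),
        "hidden": "H" in attrs,
        "system": "S" in attrs,
        "path": m.group("path"),
    }


def triage(lines):
    """Return human-readable findings for a responder reading the log."""
    findings = []
    for line in lines:
        line = line.strip()
        if line.startswith("PRC - "):
            # Running-process entry: check whether the image path is an ADS.
            path = line[len("PRC - "):].replace(" File not found", "").strip()
            host, stream = split_ads(path)
            if stream is not None:
                findings.append(
                    f"process image is alternate data stream '{stream}' on {host}"
                )
        elif line.startswith('""='):
            # Default-value assignment: compare against the stock exefile command.
            value = parse_reg_default(line)
            if not exefile_command_is_stock(value):
                findings.append(f"exefile open command is not stock: {value}")
        else:
            rec = parse_otl_file_line(line)
            if rec and rec["hidden"] and rec["path"].lower().startswith("c:\\windows\\system32\\"):
                findings.append(f"hidden file in System32: {rec['path']}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES):
        print(finding)
```

Run against the sample it reports the ADS-hosted process image and the hidden System32 file; the `:Reg` line produces no finding because the value it writes is the stock command, which is exactly what the fix intends to restore. On a live system the same checks would read the registry and the directory listing instead of log lines, but the parsing and the decision logic are the part worth understanding before running an automated fix.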