Windows 7 Forums


Windows 7: possible virus, which forum to go to for help

25 Jan 2013   #21

W7 premium 64
 
 
no more zeroaccess

Wow, gotta hand it to Malwarebytes! Unreal!!
I do have other things found by that RogueKiller program I used, but it isn't stating virus. Here is the latest report...
RogueKiller V8.4.3 _x64_ [Jan 25 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : RogueKiller - Geeks to Go Forums
Website : RogueKiller
Blog : tigzy-RK
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : greg [Admin rights]
Mode : Scan -- Date : 01/25/2013 21:53:06
| ARK || MBR |
¤¤¤ Bad processes : 0 ¤¤¤
¤¤¤ Registry Entries : 19 ¤¤¤
[RUN][SUSP PATH] HKLM\[...]\Wow6432Node\Services\Microsoft\RunOnce : Z1 (cmd /c "C:\Users\greg\AppData\Local\Temp\Rar$EXa0.995\mbar\mbar.exe" /cleanup /s) -> FOUND
[TASK][SUSP PATH] AmiUpdXp : C:\Users\greg\AppData\Local\SwvUpdater\Updater.exe -> FOUND
[TASK][SUSP PATH] Updater21804.exe : C:\Users\greg\AppData\Local\Updater21804\Updater21804.exe /extensionid=21804 /extensionname="Coupon Companion Plugin" /chromeid=jneaojaoiajhnemidnjhoempalnidbhj -> FOUND
[TASK][SUSP PATH] {08C1F234-568C-4E01-A173-0CE24EC7480E} : C:\Users\greg\Desktop\abgx360_v1.0.5_setup.exe -> FOUND
[TASK][SUSP PATH] {0AE7B435-789A-4706-B760-CEBE58093B40} : C:\Users\greg\Desktop\abgx360_v1.0.5_setup.exe -> FOUND
[TASK][SUSP PATH] {4338847E-E938-4FF6-8CC0-5D7332A25EE5} : C:\Users\greg\Desktop\abgx360_v1.0.5_setup.exe -> FOUND
[TASK][SUSP PATH] {4C915BC5-464F-45D1-8DAC-5EBD614BE23F} : C:\Users\greg\Desktop\abgx360_v1.0.5_setup.exe -> FOUND
[TASK][SUSP PATH] {6FE37CCF-0EB5-4144-8DDE-A628D33493C0} : C:\Users\greg\Desktop\abgx360_v1.0.5_setup.exe -> FOUND
[TASK][SUSP PATH] {9051A283-39ED-4164-BFD2-F9AA48668EF0} : C:\Users\greg\Desktop\abgx360_v1.0.5_setup.exe -> FOUND
[TASK][SUSP PATH] {B94F491E-0B54-4E4E-A7A6-19FA3F5FA826} : C:\Users\greg\Desktop\abgx360_v1.0.5_setup.exe -> FOUND
[TASK][SUSP PATH] {F9BEEBEA-4C20-45DC-B6AE-35302F8A99E4} : C:\Users\greg\Desktop\abgx360_v1.0.5_setup.exe -> FOUND
[HJPOL] HKCU\[...]\Services\Microsoft\System : DisableTaskMgr (0) -> FOUND
[HJPOL] HKCU\[...]\Services\Microsoft\System : DisableRegistryTools (0) -> FOUND
[HJPOL] HKLM\[...]\Services\Microsoft\System : DisableTaskMgr (0) -> FOUND
[HJPOL] HKLM\[...]\Services\Microsoft\System : DisableRegistryTools (0) -> FOUND
[HJPOL] HKLM\[...]\Wow6432Node\Services\Microsoft\System : DisableTaskMgr (0) -> FOUND
[HJPOL] HKLM\[...]\Wow6432Node\Services\Microsoft\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKLM\[...]\Services\Microsoft\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\Services\Microsoft\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver : [NOT LOADED] ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: SAMSUNG HD204UI ATA Device +++++
--- User ---
[MBR] 7dc8ed4fba1d6234107389db834b6c05
[BSP] cac14c49d7f039a9758c50803549fbbd : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 1907727 Mo
User = LL1 ... OK!
User = LL2 ... OK!
+++++ PhysicalDrive1: ST3160812AS ATA Device +++++
--- User ---
[MBR] 0086f36f0b7bc8b257f89fc226376c3d
[BSP] 9e3b3c473b1db0daa516427cdae6e1cc : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0xee) [VISIBLE] Offset (sectors): 1 | Size: 2097152 Mo
User = LL1 ... OK!
User = LL2 ... OK!
+++++ PhysicalDrive3: SanDisk Cruzer USB Device +++++
--- User ---
[MBR] bfc2508142cb31e56488e57ad8f80c9c
[BSP] df4f83c1f72e36823a12b0dfc7617313 : MBR Code unknown
Partition table:
0 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 32 | Size: 30532 Mo
User = LL1 ... OK!
Error reading LL2 MBR!
Finished : << RKreport[3]_S_01252013_02d2153.txt >>
RKreport[1]_S_01252013_02d1959.txt ; RKreport[2]_S_01252013_02d2055.txt ; RKreport[3]_S_01252013_02d2153.txt
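To make sense of a report in this format, here is an added Python triage helper; it is not part of the thread and not RogueKiller's or Malwarebytes' code. It parses the bracket-tagged findings and the [BSP] boot-code lines from an excerpt of the report above and buckets them by how much follow-up they need; the bucket names and the "user-writable path" rule are my own choices.

```python
"""Triage a RogueKiller report like the one posted above (added example, not
RogueKiller's or Malwarebytes' code): parse the tagged findings, bucket by follow-up."""
import re
from collections import defaultdict

ENTRY = re.compile(r"^((?:\[[^\]]+\])+)\s*(.+?)\s*:\s*(.+?)\s*->\s*FOUND$")
TAG = re.compile(r"\[([^\]]+)\]")
BSP = re.compile(r"^\[BSP\] [0-9a-f]{32} : (.+)$")
POLICY = re.compile(r"^(\w+) \((\d+)\)$")
# Autostart targets under these paths deserve a closer look than a user's own installer
# on the Desktop; the tool's own RunOnce cleanup (mbar.exe under Temp) lands here too.
USER_WRITABLE = re.compile(r"\\AppData\\|\\Temp\\", re.IGNORECASE)

def triage(report: str) -> dict:
    out = defaultdict(list)
    for raw in report.splitlines():
        line = raw.strip()
        if m := BSP.match(line):
            # "MBR Code unknown" only means not in RogueKiller's list; USB sticks often carry vendor boot code.
            out["mbr_known" if m.group(1).startswith("Windows") else "mbr_review"].append(m.group(1))
        elif m := ENTRY.match(line):
            tags, name, detail = TAG.findall(m.group(1)), m.group(2), m.group(3)
            if "HJPOL" in tags:
                p = POLICY.match(detail)
                # Only a non-zero value enforces e.g. DisableTaskMgr; "(0)" is a leftover key.
                enforced = p is not None and p.group(2) != "0"
                out["policy_enforced" if enforced else "policy_leftover"].append(f"{name} {detail}")
            elif "SUSP PATH" in tags:
                bucket = "autorun_user_writable" if USER_WRITABLE.search(detail) else "autorun_other"
                out[bucket].append(f"{name} -> {detail}")
            else:
                out["other"].append(f"{'/'.join(tags)} {name}: {detail}")
    return dict(out)

# Excerpt of the report posted above, one line per kind of finding.
SAMPLE = r"""
[RUN][SUSP PATH] HKLM\[...]\Wow6432Node\Services\Microsoft\RunOnce : Z1 (cmd /c "C:\Users\greg\AppData\Local\Temp\Rar$EXa0.995\mbar\mbar.exe" /cleanup /s) -> FOUND
[TASK][SUSP PATH] AmiUpdXp : C:\Users\greg\AppData\Local\SwvUpdater\Updater.exe -> FOUND
[TASK][SUSP PATH] {08C1F234-568C-4E01-A173-0CE24EC7480E} : C:\Users\greg\Desktop\abgx360_v1.0.5_setup.exe -> FOUND
[HJPOL] HKCU\[...]\Services\Microsoft\System : DisableTaskMgr (0) -> FOUND
[HJ DESK] HKLM\[...]\Services\Microsoft\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[BSP] cac14c49d7f039a9758c50803549fbbd : Windows 7/8 MBR Code
[BSP] df4f83c1f72e36823a12b0dfc7617313 : MBR Code unknown
"""

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE).items():
        print(f"{bucket}: {items}")
```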



25 Jan 2013   #22

Windows 7 Home Premium
 
 

drmax,

If you can obtain a report from Malwarebytes Anti-Rootkit, that will be great.

However, do proceed with the following:



Please plug a flash drive into a clean computer.

Go to Start > Computer
Double-click Computer, and select the flash drive.
Right-click and select: Format
Press Start on the Format prompt.
Remove when done.


Download:
Farbar Recovery Scan Tool Download

Save FRST64 to the USB flash drive.
Remove the flash drive from the clean computer, and plug the drive into the infected computer.
Now, to enter System Recovery Options using Windows installation disc:
  • Insert the installation disc.
  • Restart the infected computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.



In the System Recovery Options menu you get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

Select: Command Prompt
  • In the command window type notepad and press Enter.
  • Notepad opens. Under the File menu (at the top) select Open.
  • Select Computer, find your flash drive letter, and close Notepad.
  • In the command window type e:\frst64.exe, and press Enter. Note: Replace the letter e with the drive letter of your flash drive.
  • The tool starts to run.
  • When the tool opens click Yes to the disclaimer.
  • Press the Scan button.
A log (FRST.txt) is found on the flash drive.

Please provide the FRST.txt in your reply.
25 Jan 2013   #23

Windows 7 Home Premium
 
 

In the MBAR folder there are two files:
system-log.txt
mbar-log (date,etc.)

One of them contains the malware removed, etc.

See if you can find it, and post it. The more we can confirm, the better.

Thanks!


25 Jan 2013   #24

W7 premium 64
 
 

Unlike the regular Malwarebytes, this did not store a log. I looked high and low for it, unless it put it somewhere unknown. I searched my PC for mbar and I didn't find that particular scan. Damn...
25 Jan 2013   #25

Windows 7 Home Premium
 
 

Is there an MBAR folder on your Desktop, or wherever you unzipped the program?

In any event, press on with the instructions for FRST64. We need to make sure ZeroAccess is truly gone. It is best to use more than one program to confirm.



Verify that your system is now running normally, and that the following items are functional:
  1. Internet access
  2. Windows Update
  3. Windows Firewall
Post back.

MBAR can also give the Firewall a repair shot, if needed. However, we need that MBAR folder.
There is an application called fixdamage in it. You would need to run the 'fixdamage' tool, and reboot.

If you have no luck finding the folder, right-click the downloaded MBAR file on the Desktop, and select: Extract here...
25 Jan 2013   #26

W7 premium 64
 
 

Quote: Originally Posted by cottonball
Is there an MBAR folder on your Desktop, or wherever you unzipped the program?

In any event, press on with the instructions for FRST64. We need to make sure ZeroAccess is truly gone. It is best to use more than one program to confirm.




Verify that your system is now running normally, and that the following items are functional:
  1. Internet access
  2. Windows Update
  3. Windows Firewall
Post back.

MBAR can also give the Firewall a repair shot, if needed. However, we need that MBAR folder.
There is an application called fixdamage in it. You would need to run the 'fixdamage' tool, and reboot.

If you have no luck finding the folder, right-click the downloaded MBAR file on the Desktop, and select: Extract here...
I will have to figure out what frst64 means, and I'll check that... then get back to you. I did not find that log file anywhere.
25 Jan 2013   #27

Windows 7 Home Premium
 
 

Sorry! Was not specific enough.

Look at the instructions in Post #22 for Farbar Recovery Scan Tool x64 (FRST64)

Also, check the Firewall, Internet access, Windows Update, etc. to make sure all is well.
25 Jan 2013   #28

W7 premium 64
 
 

I have the MBAR folder, there is just NO log found that held the info where the virus was located. I thought that is what you were after. I see the "fix damage" exe program within. I figured out what frst means and did not appear to have an issue, as there was nothing to "fix". I re-ran the Roguekiller program, and it did not show anything. What is it I need to attempt with that "fix damage" setting?
25 Jan 2013   #29

W7 premium 64
 
 

Quote: Originally Posted by cottonball
Sorry! Was not specific enough.

Look at the instructions in Post #22 for Farbar Recovery Scan Tool x64 (FRST64)

Also, check the Firewall, Internet access, Windows Update, etc. to make sure all is well.
OK, sorry but I will have to get at this in the morning. I have an attachment of the scan report. It was too large to c/p. See you tomorrow, and you were a great help.
26 Jan 2013   #30
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

What is a Rootkit? Rootkit - Wikipedia, the free encyclopedia

Quote:
There are experts who believe that the only reliable way to remove them is to re-install the operating system from trusted media.[79][80] This is because antivirus and malware removal tools running on an untrusted system may be ineffective against well-written kernel-mode rootkits. Booting an alternative operating system from trusted media can allow an infected system volume to be mounted and potentially safely cleaned and critical data to be copied off—or, alternatively, a forensic examination performed.[23] Lightweight operating systems such as Windows PE, Windows Recovery Console, Windows Recovery Environment, BartPE, or Live Distros can be used for this purpose, allowing the system to be cleaned.
Even if the type and nature of a rootkit is known, manual repair may be impractical, while re-installing the operating system and applications is safer, simpler and quicker.
I have been awarded the Microsoft 'Most Valuable Professional' in Security for 8 years now.... I will not even try to clean up a rootkit or bootkit. The computer has been extremely compromised and it will never be stable again without a total wipe and clean install.