Windows 7 Forums

Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.


Windows 7: ZeroAccess! Attention: cottonball

22 May 2013   #21
ducat1base

Windows 7 Home Premium 64bit
 
 

Ah, sorry about that :-/ Let's try this again...

RKiller's report:

RKreport_fixshortcuts.txt

MBAR's results screen and report:

MBAM_results_screen.PNG

MBAM_scan_complete.PNG

mbam-log-2013-05-21 (16-53-08).txt

FYI, there were no boxes to check or uncheck for removal after MBAR's scan. Am I assuming correctly that's because it didn't find anything?




Attached Images
ZeroAccess! Attention: cottonball-mbam_scan_complete.png ZeroAccess! Attention: cottonball-mbam_results_screen.png 
Attached Files
File Type: txt mbam-log-2013-05-21 (16-53-08).txt (1.9 KB, 3 views)
File Type: txt RKreport_fixshortcuts.txt (1.5 KB, 5 views)
My System SpecsSystem Spec
.
22 May 2013   #22
cottonball

Windows 7 Home Premium
 
 

Drives:
[C:] \Device\HarddiskVolume2 -- 0x3 --> Restored
[D:] \Device\HarddiskVolume3 -- 0x3 --> Restored
[E:] \Device\CdRom0 -- 0x5 --> Skipped
[F:] \Device\HarddiskVolume4 -- 0x3 --> Restored
[G:] \Device\CdRom2 -- 0x5 --> Skipped
[H:] \Device\HarddiskVolume7 -- 0x2 --> Restored
[I:] \Device\HarddiskVolume8 -- 0x3 --> Restored

Is the external drive [I:]?
Does it still show a shortcut?



Please go to: Downloading ListParts (64-bit)
Save to the Desktop.

Double-click the downloaded file to run the program.



Click: Scan

When done, please post the Result.txt in your reply.


Next, please provide a screenshot of: Disk Management - Post a Screen Capture Image
My System SpecsSystem Spec
26 May 2013   #23
ducat1base

Windows 7 Home Premium 64bit
 
 

I still see the shortcut and receive the same pop-up window when I click it. But now, like the thread I first posted on, I see all my files in a new $RECYCLE.BIN folder. Good news: I can access my files! Should I worry that the the folder is titled "RECYCLE?"

external_files.PNG

On to, as Jumanji wrote, the therapy...

FARBAR scan results:

farbar_scan_report.txt

Disk Management screenshot:

diskmanagement_screenshot.PNG


Attached Thumbnails
ZeroAccess! Attention: cottonball-diskmanagement_screenshot.png  
Attached Images
ZeroAccess! Attention: cottonball-external_files.png 
Attached Files
File Type: txt farbar_scan_report.txt (4.7 KB, 4 views)
My System SpecsSystem Spec
.

26 May 2013   #24
ducat1base

Windows 7 Home Premium 64bit
 
 

Sorry, didn't answer the first part of your question. Yes, [I:] is the external!
My System SpecsSystem Spec
26 May 2013   #25
cottonball

Windows 7 Home Premium
 
 

ducat1base,

Quote:
I see all my files in a new $RECYCLE.BIN folder
Are you using WinRAR to show them, or, are the files showing after using the Shortcut Fix?

Are you able to take the contents of the $RECYCLE.BIN folder where you see the files, and move them to a folder in another USB drive, or in the computer's HDD?

If you can do the above, verify that the move was successful by checking the files in the folder where you moved them to.
My System SpecsSystem Spec
27 May 2013   #26
ducat1base

Windows 7 Home Premium 64bit
 
 

The files are showing from the Shortcut Fix. I was able to move them to a different external and yes, all the files are opening!

Is my computer still compromised?
My System SpecsSystem Spec
27 May 2013   #27
cottonball

Windows 7 Home Premium
 
 

ducat1base,

Since Trojan.ZeroAccess can filter network traffic and steal personal information, it is in your best interest to go to a clean computer, and change any passwords to bank accounts,
credit card transactions, and the like. Use complex passwords to make it difficult to crack password files. This all helps to prevent or limit damage.

The results of the different scans do not show malware on the computer.

If you moved files to another USB drive, run Malwarebytes Anti-Malware once again, with the USB drive where you moved the files to plugged in. Make sure you perform
a Full Scan, and select the drives in quetion:
ZeroAccess! Attention: cottonball

As far as your external drive [I:] goes, plug it in also, and let MBAM scan it, and then we can do more work on it if you wish to use WinRAR or format the drive.

Other suggestions addressed by our colleague jumanji are here: External Hard Drive error ~$WV.FAT32
My System SpecsSystem Spec
28 May 2013   #28
Colev42

Windows 7 Ultimate 64 Bit and Ubuntu 13.04 64 Bit
 
 

Wait an infected svchost?When you open up task manager does it show a process by the name of "svchost 32*"?
My System SpecsSystem Spec
29 May 2013   #29
jumanji

Windows 7 Home Premium 32 bit
 
 

Hi ducat1base,

I am limiting myself to your Toshiba External drive.

1. You have confirmed that you had moved all your data files to another media. If you had made sure all your data files are intact and nothing will be lost if you format your Toshiba external drive, then you may do so.

2. Before that, check the file location of the shortcut. Right click on the shortcut > Properties > Open file location. Let us know where that leads to and the exact file name. We shall know whether the root cause has been eliminated or still present.

3. Just for my curiosity and better insight: You have said that $RECYCLE.BIN contains all your data files. Fine. Now run WinRAR and explore your Toshiba external drive. Open each and every other folder and let us know what the other two folders (one unnamed folder and the other 02.ETTT contain.) ( WinRAR can show even superhidden files. That is why I am asking you to open those with WinRAR.) This is only for academic purpose as I have already said. Just information gathering. You may also name any other files/folders that may be seen. Better a screen capture.

4. To format your Toshiba external drive follow this procedure - this keeps Windows out of the loop, just in case your PC is still compromised. I think cottonball has asked you to run MBAM again. Please do that.

Run MiniTools Partition Wizard Home edition. Download the bootable CD version from Free download Magic Partition Manager Software, partition magic alternative, free partition magic, partition magic Windows 7 and server partition software - Partition Wizard Online (the last one on this page)

You may either burn the ISO to a CD and boot from it or create a bootable pen drive with that ISO using Rufus Rufus - Create bootable USB drives the easy way

Note: If you had created a bootable pen drive, when booting with it you have to type linux0 against the boot prompt and press Enter for the boot process to continue. ( It is zero and not the alphabet O. You may press TAB key to see all available options linux0, linux1, local, I think.)
My System SpecsSystem Spec
30 May 2013   #30
ducat1base

Windows 7 Home Premium 64bit
 
 

Hey Cottonball, thanks for all your help! For a guy who doesn't know much about computers, thanks for making the instructions clear and simple for me to do on my own. I learned a lot! I moved my files over to a new external and all my log-ins and passwords are changed. Much appreciated!

Jumanji, below are the screen captures from WinRAR. I don't know how, but the shortcut actually disappeared when I opened it this time, so no shortcut to explore. With inimitable logic I also named the blank folder "blank" so I could save the screenshot under a name, though in hindsight I suppose I could have done without the other. Here is what I see...

[I:]

ZeroAccess! Attention: cottonball-i_drive.png

02.ETTT folder contents

ZeroAccess! Attention: cottonball-02.ettt.png

Blank folder contents

ZeroAccess! Attention: cottonball-blank_folder.png

$RECYCLE.BIN

ZeroAccess! Attention: cottonball-recycle_bin.png

..its contents

ZeroAccess! Attention: cottonball-rb_contents.png


------------

The size of MiniTools Partition Wizard Home is too big for me to download. (I'm serving with the Peace Corps in Cambodia and trying to do this from my village with a VPN. I can barely handle e-mail tasks and small file uploads!) I went ahead and downloaded the 11MB Enterprise version. Is it the same thing? This is what I see when I open it:

ZeroAccess! Attention: cottonball-minitool_partition_screen.png

How can I format my drive from here?


My System SpecsSystem Spec
Reply

 ZeroAccess! Attention: cottonball




Thread Tools Search this Thread
Search this Thread:

Advanced Search




Similar help and support threads
Thread Forum
ZeroAccess? Virus Removal help Please!
I have been fighting this virus for weeks now and still cannot get rid of it. I have ran the following programs already with very little to no luck at all: combofix, ckscanner, dds, hitmanpro, gmer, JRT, roguekiller, rootkitremover, tdsskiller, eset online scan, f-secure online scan, malwarebytes,...
System Security
Attention: cottonball, virus deleted all SD photos
Hey, Having some of the same issues as from this time: http://www.sevenforums.com/system-security/290053-zeroaccess-attention-cottonball.html#post2398835. This round, whatever is in my computer has deleted all the photos on my SD card :-/ I ran RogueKiller and came up with this report: ...
System Security
FBI Ransomware/ZeroAccess Preventative Measures
Hello Forum, I have been seeing a ton of posts about this FBI Ransomware and Zeroaccess Viruses or whatever they are, and for the first time in as long as I can remember, I am really concerned about my PC's safety, as two of my closest friends just contracted these viruses. They seem really...
System Security
I need help on getting rid of Trojan.ZeroAccess!inf
I did some research on this Trojan and found out that it disguises itself as a java update or an adobe flash update. (a fair warning for fellow windows users) I've scanned my computer with norton anti virus and it detects it but norton can't seem to remove the virus. (yes I have administrator...
System Security


Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd

All times are GMT -5. The time now is 03:14.

Twitter Facebook Google+



Windows 7 Forums

Seven Forums Android App Seven Forums IOS App