Windows 7 Forums


Windows 7: ZeroAccess! Attention: cottonball


15 May 2013   #1

Windows 7 Home Premium 64bit
 
 

[Cottonball, thanks for directing me to the right forum. Same message and issue below.]

When I open my Toshiba external, it now shows a shortcut to the external like this:

[Image]

It's never done that before. Now, when I click this new shortcut, this pops up:

[Image]

I ran disk management (healthy). I skipped past WinRAR and decided to check to make sure the source wasn't my computer. This is where I could really use some help and guidance! Here's the report after I ran a scan on malware threats (ran through RogueKiller)


Quote:
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Owner [Admin rights]
Mode : Scan -- Date : 05/11/2013 08:26:28
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[SVCHOST] svchost.exe -- C:\Windows\SysWOW64\svchost.exe [x] -> KILLED [TermProc]

¤¤¤ Registry Entries : 6 ¤¤¤
[DNS] HKLM\[...]\ControlSet001\Services\Tcpip\Interfaces\{FD384747-C343-4AE3-B338-90B3725EC0E4} : NameServer (203.144.95.100 203.144.65.2) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowSearch (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\Owner\AppData\Local\{1f957569-cd63-6237-8ca9-0c9e5cb16265}\n) [-] -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] n : C:\Users\Owner\AppData\Local\{1f957569-cd63-6237-8ca9-0c9e5cb16265}\n [-] --> FOUND
[ZeroAccess][FILE] @ : C:\Users\Owner\AppData\Local\{1f957569-cd63-6237-8ca9-0c9e5cb16265}\@ [-] --> FOUND
[ZeroAccess][FOLDER] U : C:\Users\Owner\AppData\Local\{1f957569-cd63-6237-8ca9-0c9e5cb16265}\U --> FOUND
[ZeroAccess][FOLDER] L : C:\Users\Owner\AppData\Local\{1f957569-cd63-6237-8ca9-0c9e5cb16265}\L --> FOUND
[ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_32\Desktop.ini [-] --> FOUND
[ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_64\Desktop.ini [-] --> FOUND

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts



¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST950032 5AS SATA Disk Device +++++
--- User ---
[MBR] 9b221d57aa32fe731e936f545e8a54d3
[BSP] 48b55f46929f8f3b3a0db8344e9d9e6e : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 199 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 409600 | Size: 461216 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 944979968 | Size: 15420 Mo
3 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 976560128 | Size: 103 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive2: TOSHIBA External USB 3.0 USB Device +++++
--- User ---
[MBR] 06fc92b188bd3f212a572364a023fc21
[BSP] d5d076cfc99131223e5e5999a68b254c : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 305243 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1]_S_05112013_02d0826.txt >>
RKreport[1]_S_05112013_02d0826.txt


Is the source of my problem in this data at all? My main concern is that the issue stems from the computer and not the external!

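The RogueKiller lines quoted above are the evidence the rest of the thread turns on. The following is an added example, not part of the original post and not RogueKiller's own code: it parses that report layout and pulls out what a responder checks first. It matches file paths against the ZeroAccess on-disk layout the report itself shows (a {GUID} folder under AppData\Local holding n, @, U and L, plus Desktop.ini in the GAC_32 and GAC_64 directories), lists the static DNS NameServer values the tool flagged, and lists any process it killed. The sample text is a subset of the report above; the regular expressions are my own assumptions about the line format seen there, not a published RogueKiller grammar. One caveat: a [DNS] line means a per-interface NameServer setting was found, which can be the ISP's own resolvers or a hijack, so those addresses need to be compared with what the ISP actually assigns before they are treated as malicious.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a subset of the RogueKiller scan lines quoted in the post above.
SAMPLE_REPORT = r"""
¤¤¤ Bad processes : 1 ¤¤¤
[SVCHOST] svchost.exe -- C:\Windows\SysWOW64\svchost.exe [x] -> KILLED [TermProc]

¤¤¤ Registry Entries : 6 ¤¤¤
[DNS] HKLM\[...]\ControlSet001\Services\Tcpip\Interfaces\{FD384747-C343-4AE3-B338-90B3725EC0E4} : NameServer (203.144.95.100 203.144.65.2) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowSearch (0) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\Owner\AppData\Local\{1f957569-cd63-6237-8ca9-0c9e5cb16265}\n) [-] -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] n : C:\Users\Owner\AppData\Local\{1f957569-cd63-6237-8ca9-0c9e5cb16265}\n [-] --> FOUND
[ZeroAccess][FILE] @ : C:\Users\Owner\AppData\Local\{1f957569-cd63-6237-8ca9-0c9e5cb16265}\@ [-] --> FOUND
[ZeroAccess][FOLDER] U : C:\Users\Owner\AppData\Local\{1f957569-cd63-6237-8ca9-0c9e5cb16265}\U --> FOUND
[ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_32\Desktop.ini [-] --> FOUND
"""

# Assumed line layout (taken from the report above, not a documented grammar):
#   [TAG][TAG] <body> -> VERDICT     or     [TAG] <body> --> VERDICT
FINDING_RE = re.compile(r"^((?:\[[^\]]*\])+)\s*(.*?)\s*-{1,2}>\s*(\w+)")
TAG_RE = re.compile(r"\[([^\]]*)\]")
WIN_PATH_RE = re.compile(r"[A-Za-z]:\\[^\s)\]]+")
NAMESERVER_RE = re.compile(r"NameServer \(([^)]*)\)")

# ZeroAccess on-disk layout, the same artefacts the report lists: a {GUID}
# directory under AppData\Local holding n, @, U and L, plus a Desktop.ini
# dropped into the 32- and 64-bit GAC directories.
ZEROACCESS_PATH_RE = re.compile(
    r"AppData\\Local\\\{[0-9A-Fa-f-]{36}\}\\(?:n|@|U|L)$"
    r"|\\Assembly\\GAC_(?:32|64)\\Desktop\.ini$"
)


@dataclass
class Finding:
    tags: List[str]    # e.g. ["ZeroAccess", "FILE"]
    body: str          # everything between the tags and the arrow
    verdict: str       # FOUND, KILLED, ...


def parse_rkreport(text: str) -> List[Finding]:
    """Turn the bracket-tagged lines of an RKreport into Finding records."""
    findings = []
    for line in text.splitlines():
        m = FINDING_RE.match(line.strip())
        if m:
            findings.append(Finding(TAG_RE.findall(m.group(1)), m.group(2), m.group(3)))
    return findings


def zeroaccess_paths(findings: List[Finding]) -> List[str]:
    """Paths in any finding that match the ZeroAccess layout, deduplicated.
    Matching on the path rather than on the [ZeroAccess] tag confirms the
    tool's verdict independently (the InprocServer32 hijack points at the
    same 'n' file that the [FILE] line reports)."""
    hits = set()
    for f in findings:
        for path in WIN_PATH_RE.findall(f.body):
            if ZEROACCESS_PATH_RE.search(path):
                hits.add(path)
    return sorted(hits)


def dns_servers(findings: List[Finding]) -> List[str]:
    """Static NameServer addresses from [DNS] findings, in report order.
    Flagged for review, not proven malicious: compare them with the resolvers
    the ISP actually assigns before treating them as a hijack."""
    servers = []
    for f in findings:
        if "DNS" in f.tags:
            m = NAMESERVER_RE.search(f.body)
            if m:
                servers.extend(m.group(1).split())
    return servers


def killed_processes(findings: List[Finding]) -> List[str]:
    """Image paths of processes RogueKiller terminated during the scan."""
    return [p for f in findings if f.verdict == "KILLED"
            for p in WIN_PATH_RE.findall(f.body)]


if __name__ == "__main__":
    fs = parse_rkreport(SAMPLE_REPORT)
    print("ZeroAccess artefacts:", *zeroaccess_paths(fs), sep="\n  ")
    print("Static DNS servers to verify:", dns_servers(fs))
    print("Killed processes:", killed_processes(fs))
```

Run it against a full RKreport saved from the Desktop by replacing SAMPLE_REPORT with the file contents; the {GUID} in the AppData\Local path differs per infection, which is why the pattern matches the folder shape rather than a fixed name.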

15 May 2013   #2

Windows 7 Ultimate x64
 
 

Have you connected the drive to a port on the laptop labeled Expansion?
15 May 2013   #3

Windows 7 Home Premium
 
 

ducat1base,

Quote:
Is the source of my problem in this data at all?
Yes!!

Task I:
Let's press on with RogueKiller...

•Please quit all programs
•Right-click the RogueKiller file and select: Run as Administrator
•Wait until the Prescan finishes
•Press: Scan
•When the scan is done, press the [Delete] button.

Please post the new RKreport (Mode: Delete) created on the Desktop in your reply.
(The RKreport also opens using the Report button on the console.)


Task II:
Please go to the TDSSKiller Download
Select the .exe version
Double-click on TDSSKiller.exe to run the program.

When the TDSSKiller console opens, click on: Change Parameters
Under Additional Options, place a check in the box next to: Detect TDLFS File System
Click: OK

Press: Start Scan


•If a suspicious object is detected by this program, the default action is Skip. Leave this action as is, and click on: Continue
•If malicious objects are found, they show in the Scan results.
Ensure Cure (the default action) is selected, then click: Continue > Reboot now, to finish the cleaning process.
(Note: If Cure is not available, select Skip, >>Do not select: Delete<<)

When done, the tool creates a log on the disk with the Windows Operating System, normally C:\

Logs have a name like:
C:\TDSSKiller.X.X.X_1.05.2013_15.31.43_log.txt

Please attach the TDSSKiller log in your reply.


Task III:
Next, please go to the Malwarebytes Anti-Rootkit Download
Save to the Desktop (easy to find)

Right-click the downloaded file and select: Extract here...
In the MBAR folder that appears on the Desktop, open it, and double-click the MBAR application.

At the main program console click: Next

At the Update Database prompt, click: Update
When the update is done, click: Next

Now at the Scan System prompt, under Scan targets, check: Drivers, Sectors, and System (If these items are already checked, that's fine.) Now, click on the SCAN button!

The results from the scan are shown as follows (This is just an example - Image courtesy of BleepingComputer):

[Image]

If any threats are reported, DO NOT click on the Cleanup button to remove them!!!

At this point go back to the MBAR folder on the Desktop, and look for two reports:
1. system-log.txt
2. mbar-log-2013-04-30 (20-13-32).txt
(corresponds to mbar-log-year-month-day (hour-minute-second).txt)

Please attach the mbar-log and the system-log in your reply.

On the Cleanup screen, press: Exit to close the program.

Need to know what is there before taking any further actions...


16 May 2013   #4

Windows 7 Home Premium 64bit
 
 

Okay, how does this look?

RogueKiller report (on my first run of RKiller I clicked "delete" files after it ran its scan. This was before my original post in the thread you re-directed me from. I hope it didn't ruin anything that follows and sorry if it did!)

RKreport_S_05162013_02d1115.txt

TDSSKiller Report:

TDSSKillerScan.PNG

MBAR Reports:

mbar-log-2013-05-16 (12-25-08).txt

system-log.txt

Thanks, Cottonball for all this help. Looking forward to your reply!


Attached Files
File Type: txt RKreport_S_05162013_02d1115.txt (1.7 KB, 5 views)
File Type: txt mbar-log-2013-05-16 (12-25-08).txt (4.1 KB, 5 views)
File Type: txt system-log.txt (32.2 KB, 3 views)
16 May 2013   #5

Windows 7 Home Premium
 
 

My apology for the delay!!!

Do not recall being notified that you replied.


Please run MBAR once again, and this time, check Create Restore Point, and press: Cleanup

Also, when prompted, click on Yes to restart your computer.

When done, please post the new report.
16 May 2013   #6

Windows 7 Home Premium
 
 

Also, please do the following before moving on to the next step: http://www.sevenforums.com/tutorials/697-system-restore-point-create.html

Now, download ComboFix:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Save ComboFix.exe to the Desktop <<---

Please disable your AntiVirus and AntiSpyware applications, as they may interfere with this tool.
Info: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides

Double-click combofix.exe and follow the prompts.
There are several stages processed by CF. Please be patient, as it may take a while to run. (Estimated time: o/a 1 hour)

When done, ComboFix produces a log: C:\ComboFix.txt

Please attach the ComboFix.txt in your reply. <<---

Notes:
1. Please do not mouse-click the ComboFix window while it is running. This action may cause a stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
3. It also disconnects the computer from the Internet. However, the connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your computer.
4. If ComboFix detects any Rootkit/Bootkit activity, it gives a warning and prompts for a reboot. Please allow it to do so. The screen may stay black for several minutes on reboot, however, this is normal.
5. If the following message appears, please reboot to resolve the issue:
"Illegal operation attempted on Registry key that has been marked for deletion."
17 May 2013   #7

Windows 7 Home Premium 64bit
 
 

No worries on the delay! Just happy to have your help on this.

The two reports:

MBAR

mbar-log-2013-05-17 (19-13-32).txt

And ComboFix

ComboFix.txt


Attached Files
File Type: txt mbar-log-2013-05-17 (19-13-32).txt (4.1 KB, 5 views)
File Type: txt ComboFix.txt (24.7 KB, 4 views)
17 May 2013   #8

Windows 7 Home Premium
 
 

Make sure the external hard drive with which you are having a problem is plugged to the computer.

Please press the Windows key and the R key simultaneously to open Run dialog box.

Type (or copy/paste) the following command in the open area of the Run prompt:

attrib -h -r -s /s /d x:\*.*

(x needs to be your external drive; substitute x with the correct drive letter!)

Click: OK


Next, please download the Farbar Recovery Scan Tool
Select the 64-bit version.


Save it to your Desktop.
  • Double-click the downloaded file to run it.
  • When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • FRST64 makes a log (FRST.txt) in the same directory from which the tool is run (Desktop).
Please provide the FRST.txt in your reply. <<---




The first time the tool is run, it also makes another log: Addition.txt
Also post the Addition.txt in your reply. <<---
18 May 2013   #9

Windows 7 Home Premium 64bit
 
 

Cottonball, I tried to run the command but it fired back about four or five stacked lines of "Access Denied" and then the Run box immediately closed itself.

I still ran the Farbar scan. Both reports...

FRST.txt

Addition.txt


Attached Files
File Type: txt Addition.txt (19.3 KB, 4 views)
File Type: txt FRST.txt (32.1 KB, 6 views)
18 May 2013   #10

Windows 7 Home Premium
 
 

See if this works:

Please go to Start > All Programs > Accessories > Command Prompt
Right-click the Command Prompt and select: Run as administrator
Copy/paste the following text inside the code box to the blinking cursor of the Command Prompt and press: Enter

Code:
attrib -h -r -s /s /d x:\*.*
(x needs to be your external drive; substitute x with the correct drive letter!)
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd