Windows 7 Forums


Windows 7: Possible Zeroaccess infection: denied access to MSE, update error


13 Aug 2013   #1

Windows 7 Home Premium 64bit
 
 

Hey guys, I am having some problems here on my girlfriend's laptop (Win 7 Home Premium 64 bit) and believe it may be infected with “zeroaccess”. Her work computer had a virus on it last week, and she uses her personal laptop to connect to that work computer when she’s out of the office (she uses onboard remote by Adaptive Solutions to connect). We cannot run Microsoft Security Essentials anymore (access denied) and cannot update (Windows Update error code 80070005). I downloaded and ran TDSSKiller, but it did not show any viruses. I did do a scan with that Farbar and attached the 2 reports. Any help ID'ing what is going on would be greatly appreciated!

Update: Still working the issue, but decided to take the hard drive out, connect it to another computer via USB cables, and do a complete scan of the HD. As soon as I started the scan it already notified me that the preliminary scan found malicious and possibly unwanted software, but did not report what they were. Will update with results (looks like it’s going to take hours).



Attached Files
File Type: txt Addition.txt (15.4 KB, 3 views)
File Type: txt FRST.txt (21.9 KB, 6 views)

13 Aug 2013   #2

Windows 7 Ultimate 32-Bit & Windows 7 Ultimate 64-Bit
 
 

PowerTrader

Looking at the log, it is in fact ZeroAccess. Well, you started scanning the hard drive as a USB drive; let's see what the results will be. What antivirus are you scanning with?
13 Aug 2013   #3

Windows 7 Home Premium 64bit
 
 

Scanning the HD with Microsoft Security Essentials on a desktop equipped with Windows Vista Home Premium 32bit


13 Aug 2013   #4

Windows 7 Ultimate 32-Bit & Windows 7 Ultimate 64-Bit
 
 

Let's see what it comes out with.
13 Aug 2013   #5

Windows 7 Home Premium 64bit
 
 

Ok just completed the scan. Here are the results:

Exploit: Java/CVE-2013-0422
TrojanDownloader: Win32/Dofoil.R
TrojanDropper:Win32/Sirefef.gen!E
Rogue:Win32/Winwebsec
TrojanDropper:Win32/Sirefef.gen!G

I have not taken any action yet. Standing by for recommended course of action
13 Aug 2013   #6

Windows 7 Ultimate 32-Bit & Windows 7 Ultimate 64-Bit
 
 

Open Notepad. Inside Notepad, paste the highlighted text:

start
HKLM\...\Run: [MSC] - "c:\Program Files\Microsoft Security Client\mssecex.exe" -hide -runkey [x] <===== ATTENTION (File name is altered)
HKLM\...\Winlogon: [Shell] [x ] () <=== ATTENTION
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] ATTENTION! ====> ZeroAccess?
HKCU\...\Winlogon: [Shell]
HKCU\...\Policies\system: [DisableChangePassword] 0
HKCU\...\Policies\system: [DisableLockWorkstation] 0
MountPoints2: {1a4eae80-5a20-11e0-ade9-88ae1d0edfee} - E:\setup.exe -a
HKU\Default\...\RunOnce: [ScrSav] - C:\Program Files (x86)\Acer\Screensaver\run_Acer.exe [154144 2010-01-14] ()
HKU\Default User\...\RunOnce: [ScrSav] - C:\Program Files (x86)\Acer\Screensaver\run_Acer.exe [154144 2010-01-14] ()
S1 ouyzvgyu; \??\C:\Windows\system32\drivers\ouyzvgyu.sys [x]
2013-08-13 18:37 - 2009-07-14 01:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-2605782298-985525740-3821210279-1000\$ddc6e1b221ef8d4c62a6ee0de1e5d502

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$ddc6e1b221ef8d4c62a6ee0de1e5d502
DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
DeleteJunctionsIndirectory: C:\Program Files\Microsoft Security Client
end


Click on File ====> Save As

File Name : Fixlist.txt

Save as type : All Files

Location : Desktop

Click on the [Save] button.

Open the FRST tool again from the Desktop and click on the [Fix] button. Once complete, it will create a new log called Fixlog.txt. Upload the new log in your reply. It should be on the Desktop.
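A small triage pass over FRST log lines like those in the fixlist above, added here as an example; it is not part of the thread and not FRST's own code. The category names and the benign last sample line are constructed for illustration.

```python
import re

# ZeroAccess folder as it appears in this thread: C:\$Recycle.Bin\<SID>\$<32 hex chars>
RECYCLE_DIR = re.compile(r"\\\$Recycle\.Bin\\(S-1-[0-9-]+)\\\$([0-9a-f]{32})\b", re.I)
# FRST driver/service line ending in the [x] marker, e.g. "S1 name; path.sys [x]"
DRIVER_X = re.compile(r"^[RSU]\d (\S+); (.+\.sys) \[x\]$", re.I)
# Annotations FRST itself printed on the lines quoted in post #6
FRST_FLAG = re.compile(r"ATTENTION|ZeroAccess\?")

# Sample input: lines copied from the fixlist in post #6, plus one
# constructed benign Run entry (the last line) as a negative case.
SAMPLE_LOG = r"""
HKLM\...\Winlogon: [Shell] [x ] () <=== ATTENTION
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] ATTENTION! ====> ZeroAccess?
S1 ouyzvgyu; \??\C:\Windows\system32\drivers\ouyzvgyu.sys [x]
C:\$Recycle.Bin\S-1-5-21-2605782298-985525740-3821210279-1000\$ddc6e1b221ef8d4c62a6ee0de1e5d502
C:\$Recycle.Bin\S-1-5-18\$ddc6e1b221ef8d4c62a6ee0de1e5d502
HKLM\...\Run: [Example] - C:\Program Files\Example\example.exe [1000 2013-01-01] ()
""".strip().splitlines()


def sids_by_dir(lines):
    """Map each $<hex> folder name to the SIDs whose Recycle Bin holds it."""
    seen = {}
    for line in lines:
        m = RECYCLE_DIR.search(line)
        if m:
            seen.setdefault(m.group(2).lower(), set()).add(m.group(1))
    return {name: sorted(sids) for name, sids in seen.items()}


def triage(lines):
    """Return (category, detail, line) for every line worth a second look."""
    findings = []
    for line in lines:
        line = line.strip()
        if (m := RECYCLE_DIR.search(line)):
            findings.append(("recycle_bin_dir", m.group(1), line))
        elif (m := DRIVER_X.match(line)):
            findings.append(("driver_marked_x", m.group(1), line))
        elif FRST_FLAG.search(line):
            findings.append(("frst_flagged", line.split(":", 1)[0], line))
    return findings


if __name__ == "__main__":
    for category, detail, _ in triage(SAMPLE_LOG):
        print(f"{category:16} {detail}")
    print(sids_by_dir(SAMPLE_LOG))
```

The same `$`-prefixed folder name showing up under both the user's SID and `S-1-5-18` is what `sids_by_dir` surfaces; both entries are listed under `ZeroAccess:` in the fixlist.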
13 Aug 2013   #7

Windows 7 Home Premium 64bit
 
 

Awesome, thanks! I still have the HD connected to my desktop via USB. Should I allow MSE to remove the threats before I plug it back into the laptop and do that thing with Notepad?
13 Aug 2013   #8

Windows 7 Ultimate 32-Bit & Windows 7 Ultimate 64-Bit
 
 

I'd plug the hard drive back into the other PC and remove the items that way. If you run MSE then the Notepad isn't needed.
13 Aug 2013   #9

Windows 7 Home Premium 64bit
 
 

Sorry, a little confused.
Right now I have the laptop's infected hard drive connected to my desktop via USB cables. Should I keep the hard drive plugged into the desktop and use the desktop's MSE to remove the threat first, and THEN plug it back into the laptop to run that Notepad thing, or should I do something different?
13 Aug 2013   #10

Windows 7 Ultimate 32-Bit & Windows 7 Ultimate 64-Bit
 
 

You could use the MSE on the desktop. When you plug the hard drive back into the laptop, the Notepad isn't needed. MSE should remove the infections. I'd personally unplug the hard drive from the PC (desktop), plug it back into the laptop and do the Notepad.