Windows 7: ZeroAccess! Attention: cottonball

15 May 2013   #1

Windows 7 Home Premium 64bit
ZeroAccess! Attention: cottonball

[Cottonball, thanks for directing me to the right forum. Same message and issue below.]

When I open my Toshiba external, it now shows a shortcut to the external like this:

[screenshot]

It's never done that before. Now, when I click this new shortcut, this pops up:

[screenshot]

I ran disk management (healthy). I skipped past WinRAR and decided to check to make sure the source wasn't my computer. This is where I could really use some help and guidance! Here's the report after I ran a scan on malware threats (ran through RogueKiller):

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Owner [Admin rights]
Mode : Scan -- Date : 05/11/2013 08:26:28
| ARK || FAK || MBR |

Bad processes : 1
[SVCHOST] svchost.exe -- C:\Windows\SysWOW64\svchost.exe [x] -> KILLED [TermProc]

Registry Entries : 6
[DNS] HKLM\[...]\ControlSet001\Services\Tcpip\Interfaces\{FD384747-C343-4AE3-B338-90B3725EC0E4} : NameServer ( -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowSearch (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\Owner\AppData\Local\{1f957569-cd63-6237-8ca9-0c9e5cb16265}\n) [-] -> FOUND

Particular Files / Folders:
[ZeroAccess][FILE] n : C:\Users\Owner\AppData\Local\{1f957569-cd63-6237-8ca9-0c9e5cb16265}\n [-] --> FOUND
[ZeroAccess][FILE] @ : C:\Users\Owner\AppData\Local\{1f957569-cd63-6237-8ca9-0c9e5cb16265}\@ [-] --> FOUND
[ZeroAccess][FOLDER] U : C:\Users\Owner\AppData\Local\{1f957569-cd63-6237-8ca9-0c9e5cb16265}\U --> FOUND
[ZeroAccess][FOLDER] L : C:\Users\Owner\AppData\Local\{1f957569-cd63-6237-8ca9-0c9e5cb16265}\L --> FOUND
[ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_32\Desktop.ini [-] --> FOUND
[ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_64\Desktop.ini [-] --> FOUND

Driver : [NOT LOADED]

Infection : ZeroAccess

--> C:\Windows\system32\drivers\etc\hosts

MBR Check:

+++++ PhysicalDrive0: ST950032 5AS SATA Disk Device +++++
--- User ---
[MBR] 9b221d57aa32fe731e936f545e8a54d3
[BSP] 48b55f46929f8f3b3a0db8344e9d9e6e : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 199 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 409600 | Size: 461216 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 944979968 | Size: 15420 Mo
3 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 976560128 | Size: 103 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive2: TOSHIBA External USB 3.0 USB Device +++++
--- User ---
[MBR] 06fc92b188bd3f212a572364a023fc21
[BSP] d5d076cfc99131223e5e5999a68b254c : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 305243 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1]_S_05112013_02d0826.txt >>

Is the source of my problem in this data at all? My main concern is that the issue stems from the computer and not the external!

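The question at the end of post #1 is whether the report points at the computer or at the external drive. As an added example (not part of the thread and not RogueKiller's own code), here is a small parser for the report format pasted above: it pulls out the ZeroAccess-tagged entries, the killed process, the DNS entry and the per-drive MBR checks so the locations can be compared at a glance. The embedded sample is a constructed excerpt of the post #1 report; the field names and the summary layout are the example's own.

```python
"""Parse a RogueKiller scan report and pull out what matters for triage.

Added example, not part of the forum thread and not RogueKiller's own code.
Line patterns are modelled on the report in post #1; SAMPLE_REPORT is a
constructed excerpt of it, and the field names below are this example's own.
"""
import re

SAMPLE_REPORT = r"""Bad processes : 1
[SVCHOST] svchost.exe -- C:\Windows\SysWOW64\svchost.exe [x] -> KILLED [TermProc]

Registry Entries : 6
[DNS] HKLM\[...]\ControlSet001\Services\Tcpip\Interfaces\{FD384747-C343-4AE3-B338-90B3725EC0E4} : NameServer ( -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowSearch (0) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\Owner\AppData\Local\{1f957569-cd63-6237-8ca9-0c9e5cb16265}\n) [-] -> FOUND

Particular Files / Folders:
[ZeroAccess][FILE] n : C:\Users\Owner\AppData\Local\{1f957569-cd63-6237-8ca9-0c9e5cb16265}\n [-] --> FOUND
[ZeroAccess][FOLDER] U : C:\Users\Owner\AppData\Local\{1f957569-cd63-6237-8ca9-0c9e5cb16265}\U --> FOUND
[ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_32\Desktop.ini [-] --> FOUND

Infection : ZeroAccess

+++++ PhysicalDrive0: ST950032 5AS SATA Disk Device +++++
--- User ---
[MBR] 9b221d57aa32fe731e936f545e8a54d3
[BSP] 48b55f46929f8f3b3a0db8344e9d9e6e : Windows 7/8 MBR Code
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive2: TOSHIBA External USB 3.0 USB Device +++++
--- User ---
[MBR] 06fc92b188bd3f212a572364a023fc21
User = LL1 ... OK!
Error reading LL2 MBR!
"""

TAG_RE = re.compile(r"\[([^\]]+)\]")
# Finding line: leading [TAG] groups, a body, optional [-]/[x] marker, then -> ACTION.
FINDING_RE = re.compile(
    r"^(?P<tags>(?:\[[^\]]+\])+)\s*(?P<body>.*?)\s*(?:\[[-x]\])?\s*-{1,2}>\s*(?P<action>[A-Z]+)")
DRIVE_RE = re.compile(r"^\+{5} (?P<drive>PhysicalDrive\d+): (?P<model>.+?) \+{5}$")
CHECK_OK_RE = re.compile(r"^User = (LL\d) \.\.\. OK!$")
CHECK_ERR_RE = re.compile(r"^Error reading (LL\d) MBR!$")
# The GUID-named folder under AppData\Local that the ZeroAccess entries share.
ZA_DIR_RE = re.compile(r"\\AppData\\Local\\(\{[0-9a-fA-F-]{36}\})")


def parse_report(text):
    """Return {'infection', 'findings': [...], 'drives': {...}} for one report."""
    report = {"infection": None, "findings": [], "drives": {}}
    drive = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Infection :"):
            report["infection"] = line.split(":", 1)[1].strip()
            continue
        m = DRIVE_RE.match(line)
        if m:  # start of a new "MBR Check" block for one physical drive
            drive = m.group("drive")
            report["drives"][drive] = {"model": m.group("model"), "mbr_hash": None, "checks": {}}
            continue
        if drive is not None:
            if line.startswith("[MBR]"):
                report["drives"][drive]["mbr_hash"] = line.split()[1]
                continue
            m = CHECK_OK_RE.match(line)
            if m:
                report["drives"][drive]["checks"][m.group(1)] = "OK"
                continue
            m = CHECK_ERR_RE.match(line)
            if m:
                report["drives"][drive]["checks"][m.group(1)] = "READ_ERROR"
                continue
        m = FINDING_RE.match(line)
        if m:
            report["findings"].append({"tags": TAG_RE.findall(m.group("tags")),
                                       "body": m.group("body"),
                                       "action": m.group("action")})
    return report


def summarize(parsed):
    """Group the parsed findings into the items a responder looks at first."""
    za = [f for f in parsed["findings"] if "ZeroAccess" in f["tags"]]
    dirs = sorted({m.group(1).lower() for f in za for m in [ZA_DIR_RE.search(f["body"])] if m})
    return {
        "infection": parsed["infection"],
        "zeroaccess_findings": len(za),
        "zeroaccess_dirs": dirs,
        "gac_desktop_ini": [f["body"] for f in za if "\\Assembly\\GAC_" in f["body"]],
        "killed_processes": [f["body"] for f in parsed["findings"] if f["action"] == "KILLED"],
        "dns_entries": [f["body"] for f in parsed["findings"] if "DNS" in f["tags"]],
        "drives_with_mbr_read_errors": [d for d, info in parsed["drives"].items()
                                        if "READ_ERROR" in info["checks"].values()],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(parse_report(SAMPLE_REPORT)), indent=2))
```

Run on the excerpt, every ZeroAccess path the summary lists sits under C:\Users\Owner\AppData\Local or C:\Windows\Assembly, i.e. on PhysicalDrive0; the only line the report ties to the Toshoba drive is the LL2 read error, which RogueKiller records in the MBR check rather than as part of the infection.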
15 May 2013   #2
Sub Styler

Windows 7 Ultimate x64

Have you connected the drive to a port on the laptop labeled Expansion?
15 May 2013   #3

Windows 7 Home Premium


Is the source of my problem in this data at all?

Task I:
Let's press on with RogueKiller...

• Please quit all programs
• Right-click the RogueKiller file and select: Run as Administrator
• Wait until the Prescan finishes
• Press: Scan
• When the scan is done, press the [Delete] button.

Please post the new RKreport (Mode: Delete) created on the Desktop in your reply.
(The RKreport also opens using the Report button on the console.)

Task II:
Please go to the TDSSKiller Download
Select the .exe version
Double-click on TDSSKiller.exe to run the program.

When the TDSSKiller console opens, click on: Change Parameters
Under Additional Options, place a check in the box next to: Detect TDLFS File System
Click: OK

Press: Start Scan

• If a suspicious object is detected by this program, the default action is Skip. Leave this action as is, and click on: Continue
• If malicious objects are found, they show in the Scan results.
Ensure Cure (the default action) is selected, then click: Continue > Reboot now, to finish the cleaning process.
(Note: If Cure is not available, select Skip, >>Do not select: Delete<<)

When done, the tool creates a log on the disk with the Windows Operating System, normally C:\

Logs have a name like:

Please attach the TDSSKiller log in your reply.

Task III:
Next, please go to the Malwarebytes Anti-Rootkit Download
Save to the Desktop (easy to find)

Right-click the downloaded file and select: Extract here...
In the MBAR folder that appears on the Desktop, open it, and double-click the MBAR application.

At the main program console click: Next

At the Update Database prompt, click: Update
When the update is done, click: Next

Now at the Scan System prompt, under Scan targets, check: Drivers, Sectors, and System (If these items are already checked, that's fine.) Now, click on the SCAN button!

The results from the scan are shown as follows (This is just an example - Image courtesy of BleepingComputer):

If any threats are reported, DO NOT click on the Cleanup button to remove them!!!

At this point go back to the MBAR folder on the Desktop, and look for two reports:
1. system-log.txt
2. mbar-log-2013-04-30 (20-13-32).txt
(corresponds to mbar-log-year-month-day (hour-minute-second).txt)

Please attach the mbar-log and the system-log in your reply.

On the Cleanup screen, press: Exit to close the program.

Need to know what is there before taking any further actions...

16 May 2013   #4

Windows 7 Home Premium 64bit

Okay, how does this look..

RogueKiller report (on my first run of RKiller I clicked "delete" files after it ran its scan. This was before my original post in the thread you re-directed me from. I hope it didn't ruin anything that follows and sorry if it did!)


TDSSKiller Report:


MBAR Reports:

mbar-log-2013-05-16 (12-25-08).txt


Thanks, Cottonball for all this help. Looking forward to your reply!

Attached Images
ZeroAccess! Attention: cottonball-tdsskillerscan.png 
Attached Files
File Type: txt RKreport_S_05162013_02d1115.txt (1.7 KB, 5 views)
File Type: txt mbar-log-2013-05-16 (12-25-08).txt (4.1 KB, 5 views)
File Type: txt system-log.txt (32.2 KB, 3 views)
16 May 2013   #5

Windows 7 Home Premium

My apology for the delay!!!

Do not recall being notified that you replied.

Please run MBAR once again, and this time, check Create Restore Point, and press: Cleanup

Also, when prompted, click on Yes to restart your computer.

When done, please post the new report.
16 May 2013   #6

Windows 7 Home Premium

Also, please do the following before moving on to the next step:

Now, download ComboFix:
Save ComboFix.exe to the Desktop <<---

Please disable your AntiVirus and AntiSpyware applications, as they may interfere with this tool.
Info: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides

Double-click combofix.exe and follow the prompts.
There are several stages processed by CF. Please be patient, as it may take a while to run. (Estimated time: o/a 1 hour)

When done, ComboFix produces a log: C:\ComboFix.txt

Please attach the ComboFix.txt in your reply. <<---

1. Please do not mouse-click the ComboFix window while it is running. This action may cause a stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
3. It also disconnects the computer from the Internet. However, the connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your computer.
4. If ComboFix detects any Rootkit/Bootkit activity, it gives a warning and prompts for a reboot. Please allow it to do so. The screen may stay black for several minutes on reboot, however, this is normal.
5. If the following message appears, please reboot to resolve the issue:
"Illegal operation attempted on Registry key that has been marked for deletion."
17 May 2013   #7

Windows 7 Home Premium 64bit

No worries on the delay! Just happy to have your help on this.

The two reports:


mbar-log-2013-05-17 (19-13-32).txt

And ComboFix


Attached Files
File Type: txt mbar-log-2013-05-17 (19-13-32).txt (4.1 KB, 5 views)
File Type: txt ComboFix.txt (24.7 KB, 4 views)
17 May 2013   #8

Windows 7 Home Premium

Make sure the external hard drive with which you are having a problem is plugged to the computer.

Please press the Windows key and the R key simultaneously to open Run dialog box.

Type (or copy/paste) the following command in the open area of the Run prompt:

attrib -h -r -s /s /d x:\*.*

(x = needs to be your external drive. Substitute the x with the correct drive letter!!)

Click: OK

Next, please download the Farbar Recovery Scan Tool
Select the 64-bit version.

Save it to your Desktop.
  • Double-click the downloaded file to run it.
  • When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • FRST64 makes a log (FRST.txt) in the same directory from which the tool is run (Desktop).
Please provide the FRST.txt in your reply. <<---

The first time the tool is run, it also makes another log: Addition.txt
Also post the Addition.txt in your reply. <<---
18 May 2013   #9

Windows 7 Home Premium 64bit

Cottonball, I tried to run the command but it fired back about four or five stacked lines of "Access Denied" and then the Run box immediately closed itself.

I still ran the Farbar scan. Both reports...



Attached Files
File Type: txt Addition.txt (19.3 KB, 4 views)
File Type: txt FRST.txt (32.1 KB, 6 views)
18 May 2013   #10

Windows 7 Home Premium

See if this works:

Please go to Start > All Programs > Accessories > Command Prompt
Right-click the Command Prompt and select: Run as administrator
Copy/paste the following text inside the code box to the blinking cursor of the Command Prompt and press: Enter

attrib -h -r -s /s /d x:\*.*
(x = needs to be your external drive. Substitute the x with the correct drive letter!!)
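Posts #8 and #10 give the same attrib command, and post #9 shows the failure mode: "Access Denied" when it is run without administrator rights. As an added example (not part of the thread), the script below wraps that command with the checks a responder would want before running it: it confirms the process is elevated, accepts only a single drive letter and refuses the system drive, and offers a preview mode that lists what the command would change without changing anything. The function names, the system-drive refusal and the preview mode are this example's own; the command line it builds is the one from the posts.

```python
"""Run the attrib fix from posts #8 and #10 on an external drive, with guard rails.

Added example, not part of the forum thread. The elevation check, the drive
letter validation and the preview mode are this example's own additions
around the posted command (attrib -h -r -s /s /d on the drive's *.*).
"""
import ctypes
import os
import subprocess
import sys

# Win32 attribute bits that the posted switches -h, -r and -s clear.
FILE_ATTRIBUTE_READONLY = 0x01
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04
CLEARED_BITS = {
    FILE_ATTRIBUTE_HIDDEN: "hidden",
    FILE_ATTRIBUTE_READONLY: "read-only",
    FILE_ATTRIBUTE_SYSTEM: "system",
}


def build_attrib_command(drive):
    """Return the attrib command line for one drive letter ('e', 'E:' or 'E:\\').

    Only a single letter is accepted, and the system drive is refused:
    stripping hidden/system bits from everything under the Windows
    installation is not what the thread asks for and is hard to undo.
    """
    letter = drive.strip().rstrip(":\\/").upper()
    if len(letter) != 1 or not letter.isalpha():
        raise ValueError(f"expected a single drive letter, got {drive!r}")
    system = os.environ.get("SystemDrive", "C:").rstrip(":").upper()
    if letter == system:
        raise ValueError(f"refusing to run on the system drive {letter}:")
    return ["attrib", "-h", "-r", "-s", "/s", "/d", f"{letter}:\\*.*"]


def attributes_to_clear(attrs):
    """Names of the attribute bits that attrib -h -r -s would remove from attrs."""
    return [name for bit, name in CLEARED_BITS.items() if attrs & bit]


def is_elevated():
    """True/False on Windows, None elsewhere (the question does not apply).

    Running attrib without administrator rights is what produces the
    "Access Denied" lines described in post #9.
    """
    if os.name != "nt":
        return None
    try:
        return bool(ctypes.windll.shell32.IsUserAnAdmin())
    except (AttributeError, OSError):
        return False


def preview(root):
    """Windows only: list (path, attribute names) for every entry the
    command would change, without touching anything."""
    changes = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.stat(path, follow_symlinks=False)
            attrs = getattr(st, "st_file_attributes", 0)  # only present on Windows
            cleared = attributes_to_clear(attrs)
            if cleared:
                changes.append((path, cleared))
    return changes


def main(argv):
    if len(argv) != 3 or argv[2] not in ("--preview", "--run"):
        print("usage: attrib_fix.py <drive letter> --preview|--run")
        return 2
    try:
        cmd = build_attrib_command(argv[1])
    except ValueError as exc:
        print(exc)
        return 2
    if is_elevated() is False:
        print("not elevated: re-run from a Command Prompt opened with 'Run as administrator'")
        return 1
    if argv[2] == "--preview":
        for path, cleared in preview(cmd[-1][:3]):  # 'E:\' taken from 'E:\*.*'
            print(path, "->", ", ".join(cleared))
        return 0
    print("running:", " ".join(cmd))
    return subprocess.run(cmd).returncode


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Usage from an elevated prompt is `python attrib_fix.py E --preview` to see what would change, then `python attrib_fix.py E --run` to apply the same command the posts give. The preview relies on `st_file_attributes`, which Python's `os.stat` only fills in on Windows, so on other platforms it reports nothing.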