ZeroAccess! Attention: cottonball


  1. Posts : 48
    Windows 7 Home Premium 64bit
       #1

    ZeroAccess! Attention: cottonball


    [Cottonball, thanks for directing me to the right forum. Same message and issue below.]

    When I open my Toshiba external, it now shows a shortcut to the external like this:

    Image - TinyPic - Free Image Hosting, Photo Sharing & Video Hosting

    It's never done that before. Now, when I click this new shortcut, this pops up:

    Image - TinyPic - Free Image Hosting, Photo Sharing & Video Hosting

    I ran disk management (healthy). I skipped past WinRAR and decided to check to make sure the source wasn't my computer. This is where I could really use some help and guidance! Here's the report after I ran a scan on malware threats (ran through RogueKiller).


    Quote:
    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : Owner [Admin rights]
    Mode : Scan -- Date : 05/11/2013 08:26:28
    | ARK || FAK || MBR |

    ¤¤¤ Bad processes : 1 ¤¤¤
    [SVCHOST] svchost.exe -- C:\Windows\SysWOW64\svchost.exe [x] -> KILLED [TermProc]

    ¤¤¤ Registry Entries : 6 ¤¤¤
    [DNS] HKLM\[...]\ControlSet001\Services\Tcpip\Interfaces\{FD384747-C343-4AE3-B338-90B3725EC0E4} : NameServer (203.144.95.100 203.144.65.2) -> FOUND
    [HJ SMENU] HKCU\[...]\Advanced : Start_ShowSearch (0) -> FOUND
    [HJ SMENU] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
    [HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\Owner\AppData\Local\{1f957569-cd63-6237-8ca9-0c9e5cb16265}\n) [-] -> FOUND

    ¤¤¤ Particular Files / Folders: ¤¤¤
    [ZeroAccess][FILE] n : C:\Users\Owner\AppData\Local\{1f957569-cd63-6237-8ca9-0c9e5cb16265}\n [-] --> FOUND
    [ZeroAccess][FILE] @ : C:\Users\Owner\AppData\Local\{1f957569-cd63-6237-8ca9-0c9e5cb16265}\@ [-] --> FOUND
    [ZeroAccess][FOLDER] U : C:\Users\Owner\AppData\Local\{1f957569-cd63-6237-8ca9-0c9e5cb16265}\U --> FOUND
    [ZeroAccess][FOLDER] L : C:\Users\Owner\AppData\Local\{1f957569-cd63-6237-8ca9-0c9e5cb16265}\L --> FOUND
    [ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_32\Desktop.ini [-] --> FOUND
    [ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_64\Desktop.ini [-] --> FOUND

    ¤¤¤ Driver : [NOT LOADED] ¤¤¤

    ¤¤¤ Infection : ZeroAccess ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\Windows\system32\drivers\etc\hosts



    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: ST950032 5AS SATA Disk Device +++++
    --- User ---
    [MBR] 9b221d57aa32fe731e936f545e8a54d3
    [BSP] 48b55f46929f8f3b3a0db8344e9d9e6e : Windows 7/8 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 199 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 409600 | Size: 461216 Mo
    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 944979968 | Size: 15420 Mo
    3 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 976560128 | Size: 103 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    +++++ PhysicalDrive2: TOSHIBA External USB 3.0 USB Device +++++
    --- User ---
    [MBR] 06fc92b188bd3f212a572364a023fc21
    [BSP] d5d076cfc99131223e5e5999a68b254c : Windows Vista MBR Code
    Partition table:
    0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 305243 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR!

    Finished : << RKreport[1]_S_05112013_02d0826.txt >>
    RKreport[1]_S_05112013_02d0826.txt


    Is the source of my problem in this data at all? My main concern is that the issue stems from the computer and not the external!
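    The RogueKiller report above groups findings under ¤¤¤ section headers and tags each line ([DNS], [HJ INPROC][ZeroAccess], [ZeroAccess][FILE], ...). As an added example that is not part of this thread or of RogueKiller itself, the Python below parses that layout and pulls out what a responder triages first: the per-user {GUID} directory holding the n / @ / U entries the scan tagged ZeroAccess, and the NameServer addresses the [DNS] line flagged. The sample lines are copied from the report in post #1; the regexes are assumptions about the report format as it appears there.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# Constructed sample: lines copied from the RogueKiller report quoted in post #1.
SAMPLE_REPORT = r"""
¤¤¤ Bad processes : 1 ¤¤¤
[SVCHOST] svchost.exe -- C:\Windows\SysWOW64\svchost.exe [x] -> KILLED [TermProc]
¤¤¤ Registry Entries : 6 ¤¤¤
[DNS] HKLM\[...]\ControlSet001\Services\Tcpip\Interfaces\{FD384747-C343-4AE3-B338-90B3725EC0E4} : NameServer (203.144.95.100 203.144.65.2) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\Owner\AppData\Local\{1f957569-cd63-6237-8ca9-0c9e5cb16265}\n) [-] -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] n : C:\Users\Owner\AppData\Local\{1f957569-cd63-6237-8ca9-0c9e5cb16265}\n [-] --> FOUND
[ZeroAccess][FILE] @ : C:\Users\Owner\AppData\Local\{1f957569-cd63-6237-8ca9-0c9e5cb16265}\@ [-] --> FOUND
[ZeroAccess][FOLDER] U : C:\Users\Owner\AppData\Local\{1f957569-cd63-6237-8ca9-0c9e5cb16265}\U --> FOUND
[ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_32\Desktop.ini [-] --> FOUND
"""
# Assumed report layout: "[TAG][TAG] body -> STATUS" (one or two hyphens before the ">")
ENTRY_RE = re.compile(r"^((?:\[[^\]]+\])+)\s*(.*?)\s*-+>\s*(\w+)")
TAG_RE = re.compile(r"\[([^\]]+)\]")
WINPATH_RE = re.compile(r"[A-Za-z]:\\[^\s()\[\]]+")                   # first drive-letter path in the body
GUID_DIR_RE = re.compile(r"^(.*\\\{[0-9a-f-]{36}\})\\[^\\]+$", re.I)  # parent "{GUID}" directory of a path

@dataclass
class Detection:
    section: str
    tags: List[str]
    body: str
    status: str          # FOUND, KILLED, ...
    path: Optional[str]  # drive-letter path named in the line, if any

def parse_report(text: str) -> List[Detection]:
    """Turn a RogueKiller report into one Detection per tagged line."""
    section, found = "", []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("¤¤¤"):            # section header, e.g. "¤¤¤ Registry Entries : 6 ¤¤¤"
            section = line.strip("¤ ")
        elif m := ENTRY_RE.match(line):
            p = WINPATH_RE.search(m.group(2))
            found.append(Detection(section, TAG_RE.findall(m.group(1)), m.group(2),
                                   m.group(3), p.group(0) if p else None))
    return found

def zeroaccess_dirs(dets: List[Detection]) -> List[str]:
    """Per-user {GUID} directories holding the n / @ / U / L items tagged ZeroAccess."""
    paths = [d.path for d in dets if "ZeroAccess" in d.tags and d.path]
    return sorted({m.group(1) for m in map(GUID_DIR_RE.match, paths) if m})

def flagged_nameservers(dets: List[Detection]) -> List[str]:
    """NameServer addresses from [DNS] entries, i.e. the resolver settings the scan flagged."""
    return [ip for d in dets if "DNS" in d.tags for ip in re.findall(r"\d+\.\d+\.\d+\.\d+", d.body)]
```

The GAC_32/GAC_64 Desktop.ini hits carry the ZeroAccess tag but no {GUID} component, so they stay in the parsed list but do not contribute a directory.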


  2. Posts : 740
    Windows 7 Ultimate x64
       #2

    Have you connected the drive to a port on the laptop labeled Expansion?


  3. Posts : 2,470
    Windows 7 Home Premium
       #3

    ducat1base,

    Is the source of my problem in this data at all?
    Yes!!

    Task I:
    Let's press on with RogueKiller...

    • Please quit all programs
    • Right-click the RogueKiller file and select: Run as Administrator
    • Wait until the Prescan finishes
    • Press: Scan
    • When the scan is done, press the [Delete] button.

    Please post the new RKreport (Mode: Delete) created on the Desktop in your reply.
    (The RKreport also opens using the Report button on the console.)


    Task II:
    Please go to the TDSSKiller Download
    Select the .exe version
    Double-click on TDSSKiller.exe to run the program.

    When the TDSSKiller console opens, click on: Change Parameters
    Under Additional Options, place a check in the box next to: Detect TDLFS File System
    Click: OK

    Press: Start Scan


    • If a suspicious object is detected by this program, the default action is Skip. Leave this action as is, and click on: Continue
    • If malicious objects are found, they show in the Scan results.
    Ensure Cure (the default action) is selected, then click: Continue > Reboot now, to finish the cleaning process.
    (Note: If Cure is not available, select Skip, >>Do not select: Delete<<)

    When done, the tool creates a log on the disk with the Windows Operating System, normally C:\

    Logs have a name like:
    C:\TDSSKiller.X.X.X_1.05.2013_15.31.43_log.txt

    Please attach the TDSSKiller log in your reply.


    Task III:
    Next, please go to the Malwarebytes Anti-Rootkit Download
    Save to the Desktop (easy to find)

    Right-click the downloaded file and select: Extract here...
    In the MBAR folder that appears on the Desktop, open it, and double-click the MBAR application.

    At the main program console click: Next

    At the Update Database prompt, click: Update
    When the update is done, click: Next

    Now at the Scan System prompt, under Scan targets, check: Drivers, Sectors, and System (If these items are already checked, that's fine.) Now, click on the SCAN button!

    The results from the scan are shown as follows (This is just an example - Image courtesy of BleepingComputer):





    If any threats are reported, DO NOT click on the Cleanup button to remove them!!!

    At this point go back to the MBAR folder on the Desktop, and look for two reports:
    1. system-log.txt
    2. mbar-log-2013-04-30 (20-13-32).txt
    (corresponds to mbar-log-year-month-day (hour-minute-second).txt)

    Please attach the mbar-log and the system-log in your reply.

    On the Cleanup screen, press: Exit to close the program.

    Need to know what is there before taking any further actions...


  4. Posts : 48
    Windows 7 Home Premium 64bit
    Thread Starter
       #4

    Okay, how does this look..

    RogueKiller report (on my first run of RKiller I clicked "delete" files after it ran its scan. This was before my original post in the thread you re-directed me from. I hope it didn't ruin anything that follows and sorry if it did!)

    RKreport_S_05162013_02d1115.txt

    TDSSKiller Report:

    TDSSKillerScan.PNG

    MBAR Reports:

    mbar-log-2013-05-16 (12-25-08).txt

    system-log.txt

    Thanks, Cottonball for all this help. Looking forward to your reply!


  5. Posts : 2,470
    Windows 7 Home Premium
       #5

    My apologies for the delay!!!

    Do not recall being notified that you replied.


    Please run MBAR once again, and this time, check Create Restore Point, and press: Cleanup

    Also, when prompted, click on Yes to restart your computer.

    When done, please post the new report.


  6. Posts : 2,470
    Windows 7 Home Premium
       #6

    Also, please do the following before moving on to the next step: https://www.sevenforums.com/tutorials/697-system-restore-point-create.html

    Now, download ComboFix:
    http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    Save ComboFix.exe to the Desktop <<---

    Please disable your AntiVirus and AntiSpyware applications, as they may interfere with this tool.
    Info: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides

    Double-click combofix.exe and follow the prompts.
    There are several stages processed by CF. Please be patient, as it may take a while to run. (Estimated time: o/a 1 hour)

    When done, ComboFix produces a log: C:\ComboFix.txt

    Please attach the ComboFix.txt in your reply. <<---

    Notes:
    1. Please do not mouse-click the ComboFix window while it is running. This action may cause a stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
    3. It also disconnects the computer from the Internet. However, the connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your computer.
    4. If ComboFix detects any Rootkit/Bootkit activity, it gives a warning and prompts for a reboot. Please allow it to do so. The screen may stay black for several minutes on reboot, however, this is normal.
    5. If the following message appears, please reboot to resolve the issue:
    "Illegal operation attempted on Registry key that has been marked for deletion."


  7. Posts : 48
    Windows 7 Home Premium 64bit
    Thread Starter
       #7

    No worries on the delay! Just happy to have your help on this.

    The two reports:

    MBAR

    mbar-log-2013-05-17 (19-13-32).txt

    And ComboFix

    ComboFix.txt


  8. Posts : 2,470
    Windows 7 Home Premium
       #8

    Make sure the external hard drive with which you are having a problem is plugged into the computer.

    Please press the Windows key and the R key simultaneously to open the Run dialog box.

    Type (or copy/paste) the following command in the open area of the Run prompt:

    attrib -h -r -s /s /d x:\*.*

    (x needs to be your external drive. Substitute the x with the correct drive letter!!)

    Click: OK


    Next, please download the Farbar Recovery Scan Tool
    Select the 64-bit version.


    Save it to your Desktop.
    • Double-click the downloaded file to run it.
    • When the tool opens, click Yes to the disclaimer.
    • Press the Scan button.
    • FRST64 makes a log (FRST.txt) in the same directory from which the tool is run (Desktop).
    Please provide the FRST.txt in your reply. <<---




    The first time the tool is run, it also makes another log: Addition.txt
    Also post the Addition.txt in your reply. <<---
    Last edited by cottonball; 17 May 2013 at 21:44.


  9. Posts : 48
    Windows 7 Home Premium 64bit
    Thread Starter
       #9

    Cottonball, I tried to run the command but it fired back about four or five stacked lines of "Access Denied" and then the Run box immediately closed itself.

    I still ran the Farbar scan. Both reports...

    FRST.txt

    Addition.txt


  10. Posts : 2,470
    Windows 7 Home Premium
       #10

    See if this works:

    Please go to Start > All Programs > Accessories > Command Prompt
    Right-click the Command Prompt and select: Run as administrator
    Copy/paste the following text inside the code box to the blinking cursor of the Command Prompt and press: Enter

    Code:
    attrib -h -r -s /s /d x:\*.*
    (x needs to be your external drive. Substitute the x with the correct drive letter!!)

