possible virus, which forum to go to for help

drmax

Hello. I used to go to the PC Tech Guy forum for help with virus removal, but for some reason I am not allowed there anymore. My issue is I cannot turn on Windows Firewall. Here is my screenshot.
It is set to automatically start. I use Malwarebytes and SUPERAntiSpyware, and a few days ago there was a trojan and it was removed. Can someone point me to where I need to go? Thx
 

Attachments: screenshot.png (83.9 KB)

My Computer (At a glance):
OS: W7 premium 64
CPU: amd a8-3850
Motherboard: asus f1-a75v pro
Memory: 8G g-skill
Graphics Card(s): asus gt-520 silent
Monitor(s) Displays: LED viewsonic 24"
Hard Drives: seagate sata 120, wd 2T green
PSU: cool master 600W silent pro (80+bronze)
drmax,

Let's find out what is going on with that service, and some others...

Please download Farbar Service Scanner

Save to the Desktop
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press: Scan
  • FSS creates a log, FSS.txt, on the Desktop.
Please provide the FSS.txt in your reply.

Also, download RogueKiller:
Download RogueKiller (Official Site)

When you get to the website, go to where it says:
(Download link) Lien de téléchargement:
[image: rendu2.png]

Select the 64-bit version.
Click the dark-blue button to download.

Save to the Desktop.

Close all windows and browsers
Right-click and select 'Run as Administrator'
Press: SCAN

A report opens on the Desktop: RKreport.txt

Please provide the RKreport.txt (Mode: Scan) in your reply.
 

My Computer (At a glance):
Computer type: PC/Desktop
Computer Manufacturer/Model Number: An ol' eMachines
OS: Windows 7 Home Premium
Internet Speed: Fine for me...I'm retired!
Farbar Service Scanner Version: 16-01-2013
Ran by greg (administrator) on 25-01-2013 at 17:58:22
Running from "C:\Users\greg\Desktop"
Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Attempt to access Google IP returned error. Google IP is offline
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
The ImagePath of MpsSvc service is OK.
The ServiceDll of MpsSvc service is OK.
bfe Service is not running. Checking service configuration:
The start type of bfe service is set to Disabled. The default start type is Auto.
The ImagePath of bfe service is OK.
The ServiceDll of bfe service is OK.

Firewall Disabled Policy:
==================

System Restore:
============
System Restore Disabled Policy:
========================

Action Center:
============
Windows Update:
============
Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============
Other Services:
==============

File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit

**** End of log ****
 

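The FSS log above is doing one simple thing per service: comparing the current start type with the Windows default and checking which DLL the service points at. The script below is an added example, not part of any post in this thread and not Farbar's code; it repeats that check from an elevated PowerShell prompt on the same set of services, and with -Repair applies the fix that resolved the firewall symptom here (BFE back to Automatic, then start BFE and MpsSvc). The script name Check-FirewallServices.ps1 and the table of default start types are my assumptions (Windows 7 SP1 out-of-box values); note that WinDefend showing Disabled is normal once Microsoft Security Essentials is installed, since MSE replaces Defender.

```powershell
# Added example (not from this thread, not from Farbar Service Scanner):
# audit the services FSS reports on, flag any whose start type differs from
# the Windows 7 SP1 default, and show the ServiceDll each one loads.
# Save as Check-FirewallServices.ps1 and run from an elevated PowerShell prompt;
# add -Repair to restore BFE/MpsSvc the way it was done in this thread.
# Assumption: the default start types below are the Windows 7 SP1 out-of-box values.
param([switch]$Repair)

$defaults = @{
    'BFE'       = 'Auto'    # Base Filtering Engine; MpsSvc cannot run without it
    'MpsSvc'    = 'Auto'    # Windows Firewall
    'wscsvc'    = 'Auto'    # Security Center
    'wuauserv'  = 'Auto'    # Windows Update
    'WinDefend' = 'Auto'    # Windows Defender (Disabled is normal once MSE is installed)
    'VSS'       = 'Manual'  # Volume Shadow Copy, used by System Restore
    'SDRSVC'    = 'Manual'  # Windows Backup
    'Dhcp'      = 'Auto'    # DHCP Client
    'Dnscache'  = 'Auto'    # DNS Client
    'CryptSvc'  = 'Auto'    # Cryptographic Services
}

# One WMI query gives State and StartMode for every installed service.
$services = @{}
Get-WmiObject Win32_Service | ForEach-Object { $services[$_.Name] = $_ }

$findings = @()
foreach ($name in ($defaults.Keys | Sort-Object)) {
    if (-not $services.ContainsKey($name)) {
        $findings += "$name : service is missing"
        continue
    }
    $svc = $services[$name]

    # svchost-hosted services load the DLL named in Parameters\ServiceDll;
    # exe-hosted ones (e.g. VSS) have no such value, so show the image path instead.
    $params = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$name\Parameters" -ErrorAction SilentlyContinue
    $dll = if ($params -and $params.ServiceDll) { $params.ServiceDll } else { '(hosted by ' + $svc.PathName + ')' }

    $note = ''
    if ($svc.StartMode -ne $defaults[$name]) {
        $note = "start type is $($svc.StartMode), default is $($defaults[$name])"
        $findings += "$name : $note"
    }
    '{0,-10} state={1,-8} start={2,-8} {3} {4}' -f $name, $svc.State, $svc.StartMode, $dll, $note
}

''
if ($findings.Count -eq 0) { 'All checked services match their default start type.' }
else { 'Findings:'; $findings | ForEach-Object { "  $_" } }

# Optional repair, mirroring the fix that worked in this thread: put BFE back to
# Automatic and start it, then start the firewall service that depends on it.
if ($Repair -and $services.ContainsKey('BFE')) {
    Set-Service -Name BFE -StartupType Automatic
    Start-Service -Name BFE
    Set-Service -Name MpsSvc -StartupType Automatic
    Start-Service -Name MpsSvc
    Get-Service -Name BFE, MpsSvc | Format-Table Name, Status -AutoSize
}
```

Re-enabling the service restores the symptom, not the cause: a start type that changed without the user touching it (as drmax notes below, he never disabled it) is itself worth treating as an indicator that something else altered the service configuration, which is exactly what the rest of the thread goes on to find.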
figured it out

Cottonball had me run that program. It found BFE was not turned on. Went in and enabled it. Now the firewall is active.
Weird. Will run the other program to check for trojans/viruses. You know, I never did disable that function.
 

Now I am unable to turn on Windows Defender. Am running the RogueKiller prog. and submitting findings here.
 

RK report

RogueKiller V8.4.3 _x64_ [Jan 25 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : RogueKiller - Geeks to Go Forums
Website : RogueKiller
Blog : tigzy-RK
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : greg [Admin rights]
Mode : Scan -- Date : 01/25/2013 18:21:18
| ARK || MBR |
¤¤¤ Bad processes : 0 ¤¤¤
¤¤¤ Registry Entries : 12 ¤¤¤
[TASK][SUSP PATH] AmiUpdXp.job : C:\Users\greg\AppData\Local\SwvUpdater\Updater.exe -> FOUND
[TASK][SUSP PATH] AmiUpdXp : C:\Users\greg\AppData\Local\SwvUpdater\Updater.exe -> FOUND
[TASK][SUSP PATH] {08C1F234-568C-4E01-A173-0CE24EC7480E} : C:\Users\greg\Desktop\abgx360_v1.0.5_setup.exe -> FOUND
[TASK][SUSP PATH] {0AE7B435-789A-4706-B760-CEBE58093B40} : C:\Users\greg\Desktop\abgx360_v1.0.5_setup.exe -> FOUND
[TASK][SUSP PATH] {4338847E-E938-4FF6-8CC0-5D7332A25EE5} : C:\Users\greg\Desktop\abgx360_v1.0.5_setup.exe -> FOUND
[TASK][SUSP PATH] {4C915BC5-464F-45D1-8DAC-5EBD614BE23F} : C:\Users\greg\Desktop\abgx360_v1.0.5_setup.exe -> FOUND
[TASK][SUSP PATH] {6FE37CCF-0EB5-4144-8DDE-A628D33493C0} : C:\Users\greg\Desktop\abgx360_v1.0.5_setup.exe -> FOUND
[TASK][SUSP PATH] {9051A283-39ED-4164-BFD2-F9AA48668EF0} : C:\Users\greg\Desktop\abgx360_v1.0.5_setup.exe -> FOUND
[TASK][SUSP PATH] {B94F491E-0B54-4E4E-A7A6-19FA3F5FA826} : C:\Users\greg\Desktop\abgx360_v1.0.5_setup.exe -> FOUND
[TASK][SUSP PATH] {F9BEEBEA-4C20-45DC-B6AE-35302F8A99E4} : C:\Users\greg\Desktop\abgx360_v1.0.5_setup.exe -> FOUND
[HJ DESK] HKLM\[...]\Services\Microsoft\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\Services\Microsoft\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-18\$1e9339da09b7843ff081d435102d9026\U --> FOUND
[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-21-2872747093-637173786-3556813959-1000\$1e9339da09b7843ff081d435102d9026\U --> FOUND
[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-18\$1e9339da09b7843ff081d435102d9026\L --> FOUND
[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-21-2872747093-637173786-3556813959-1000\$1e9339da09b7843ff081d435102d9026\L --> FOUND
¤¤¤ Driver : [NOT LOADED] ¤¤¤
¤¤¤ Infection : ZeroAccess ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: SAMSUNG HD204UI ATA Device +++++
--- User ---
[MBR] 7dc8ed4fba1d6234107389db834b6c05
[BSP] cac14c49d7f039a9758c50803549fbbd : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 1907727 Mo
User = LL1 ... OK!
User = LL2 ... OK!
+++++ PhysicalDrive1: ST3160812AS ATA Device +++++
--- User ---
[MBR] 0086f36f0b7bc8b257f89fc226376c3d
[BSP] 9e3b3c473b1db0daa516427cdae6e1cc : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0xee) [VISIBLE] Offset (sectors): 1 | Size: 2097152 Mo
User = LL1 ... OK!
User = LL2 ... OK!
+++++ PhysicalDrive2: TigerJet HardDisk USB Device +++++
Error reading User MBR!
User = LL1 ... OK!
Error reading LL2 MBR!
Finished : << RKreport[1]_S_01252013_02d1821.txt >>
 

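The RogueKiller report above lists two kinds of indicator: the [ZeroAccess][FOLDER] lines (a folder named "$" plus 32 hex characters under C:\$Recycle.Bin\<SID>\, holding U and L subfolders) and the [TASK][SUSP PATH] lines (scheduled tasks whose action runs from a user-writable location). The script below is an added example, not from this thread and not RogueKiller's own logic; it checks for both patterns from the defender's side on a Windows 7 machine. The path regexes and the assumption of English-locale schtasks output (CSV columns "TaskName" and "Task To Run") are mine.

```powershell
# Added example (not from this thread, not from RogueKiller): check, from the
# defender's side, for the two kinds of indicator the RKreport above lists.
#   1. [ZeroAccess][FOLDER]: a folder named "$" + 32 hex characters under
#      C:\$Recycle.Bin\<SID>\ that contains "U" and/or "L" subfolders.
#   2. [TASK][SUSP PATH]: a scheduled task whose action runs from a
#      user-writable location (AppData, Desktop or Temp).
# Run from an elevated prompt. Assumption: English-locale schtasks output, whose
# CSV header includes the "TaskName" and "Task To Run" columns.

$hits = @()

# 1. Recycle-bin folder pattern. -Force is required: these folders are hidden/system.
$binRoot = Join-Path $env:SystemDrive '$Recycle.Bin'
$sidDirs = Get-ChildItem -LiteralPath $binRoot -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer }
foreach ($sidDir in $sidDirs) {
    $candidates = Get-ChildItem -LiteralPath $sidDir.FullName -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and $_.Name -match '^\$[0-9a-f]{32}$' }
    foreach ($dir in $candidates) {
        $subs = Get-ChildItem -LiteralPath $dir.FullName -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer -and $_.Name -match '^[UL]$' } |
            ForEach-Object { $_.Name }
        if ($subs) {
            $hits += "[FOLDER] $($dir.FullName)  (subfolders: $($subs -join ', '))"
        }
    }
}

# 2. Scheduled tasks whose command lives under a user-writable path.
# schtasks /v repeats its header row per task folder; those rows parse with
# TaskName equal to the literal string "TaskName" and are skipped.
$userWritable = '\\AppData\\|\\Desktop\\|\\Temp\\'
$tasks = schtasks /query /fo csv /v | ConvertFrom-Csv | Where-Object { $_.TaskName -ne 'TaskName' }
foreach ($task in $tasks) {
    $action = $task.'Task To Run'
    if ($action -and $action -match $userWritable) {
        $hits += "[TASK] $($task.TaskName) -> $action"
    }
}

if ($hits.Count -eq 0) {
    'No indicators found. A live rootkit can hide from user-mode listing, so this is not proof of a clean system.'
} else {
    'Indicators needing review:'
    $hits | ForEach-Object { "  $_" }
}
```

A path match is a lead, not a verdict: the report's Desktop entries point at a setup program the user may well have run himself, and an updater under AppData\Local can be legitimate. The $Recycle.Bin folder with U and L subfolders is the more specific signal. Because a kernel-mode rootkit can hide its files from anything running inside Windows, a clean result from this script (or from RogueKiller's scan mode) is not conclusive, which is why the thread moves on to checking the system from outside Windows.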
On top of the good help cotton has given you, I would add that you run Hitman Pro as well. It is free to scan for life and if it finds something, you can activate a free 30 day full working trial to remove whatever it finds. It is among the best.

Downloads - SurfRight
 

My Computer (At a glance):
OS: Windows 7 Home Premium x64 SP1
On top of the good help cotton has given you, I would add that you run Hitman Pro as well. It is free to scan for life and if it finds something, you can activate a free 30 day full working trial to remove whatever it finds. It is among the best.

Downloads - SurfRight
I can try that. I also saw that RK found that ZeroAccess thing, and I cannot even follow the terrible video that is supplied to get rid of that issue (from their website). I have run Kaspersky and nothing found. Unsure now how to get rid of ZeroAccess, unless RK has a tool built in for a one-step clean. I won't do anything until I hear from you people. I will run Hitman now and report back.
 

Hitman found nothing. ZeroAccess is the issue at hand. Also, I use Microsoft Security Essentials. It is supposedly running, however there is no green box at the bottom of my desktop anymore. Weird.
 

Trojan.Zeroaccess | Symantec

CVE-2009-1672, CVE-2009-4324, CVE-2010-1885 Trojan.Zeroaccess is a Trojan horse that uses an advanced rootkit to hide itself. It can also create a hidden file system, downloads more malware, and opens a back door on the compromised computer.

The Trojan is called ZeroAccess due to a string found in the kernel driver code that is pointing to the original project folder called ZeroAccess. It is also known as max++ as it creates a new kernel device object called __max++>.

If it was my computer and it had an advanced rootkit I would do a clean wipe install.
One way:
http://www.sevenforums.com/tutorials/197255-windows-7-installation-prepare-pc-sold.html
I recommend changing all passwords for everything using another clean computer. Inform your banks and credit card companies etc. what happened.
I would not copy over anything from the old install to the new install because it can be, and probably is, infected also.
You have been infected by one of the Bad Boys of infections and the backdoor was left open for all his buddies.
 

My Computer (At a glance):
Computer type: PC/Desktop
Computer Manufacturer/Model Number: Home made Desktop
OS: Windows 10 Pro. 64/ version 1709 Windows 7 Pro/64
CPU: Intel i7-6800K @ 4.3
Motherboard: ASUS X-99 Deluxe II
Memory: Corsair Platinum 16 gig @2400
Graphics Card(s): EVGA GTX 1070 OC
Monitor(s) Displays: Asus 27" LED LCD/VE278Q
Screen Resolution: 1920-1080 or 1280-720 HDMI
Hard Drives: INTEL SSD 730-240 Gb Sata 3.0/
PSU: EVGA Platinum 1200W
Case: Phanteks Luxe Tempered Glass 8 fans/ one radiator
Cooling: XSPC/ Water Cooled CPU
Keyboard: Das 4 Professional
Mouse: Logitech M705/MX Anywhere 2-S
Internet Speed: 100 mbits
Antivirus: Microsoft Security Essentials/ Malwarebytes Premium 3.0/ SAS
Browser: I.E. 11 default/Firefox/ ISP Time Warner Cable/Spectrum
Other Info: LG BluRay Burner/ Sound system-Klipsch-THX/ Icy Dock ssd Hot Swap bays.

Post #9: RK found ZeroAccess.
Post #10: ZeroAccess is the issue at hand.
------------------------
This is what my post #11 is all about.
Was ZeroAccess found on your computer as posts #9 and #10 indicate?
Yes or No.
 

yes

yes, read my log post #7 please
 

drmax,

Since we are dealing with ZeroAccess, let's approach the issue in a mode before Windows starts.
We could use the Delete option in RogueKiller, but the program operates while in Windows, and there might be more to the infection than what it finds.


Need some information in order to proceed...

Confirming the Operating System on the involved computer is Windows Seven 64-bit.

Do you have the Repair your computer option in the Advanced Boot Options menu?

To find out:

Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the Advanced Boot Options menu appears.
  • Is the Repair your computer option listed?
If you do not have the option above, do you have your Windows installation CD/DVD available?

And last, do you have a USB flash drive available, and do you have access to another computer?
 

Yes, 64 bit. Tapping F8 brought me to a boot menu, and the repair disk option is not there. I do own my Windows 7 CD and have it now.
 

We are ready to roll if you also have a USB flash drive available, and have access to another computer.

Is that the case?
 

If it was my computer and it had an advanced rootkit I would do a clean wipe install.

Cotton is giving you 1st rate help and with his help you may defeat the rootkit, but I tend to agree with Bear on this.

On top of cotton's advice you could also try the new program from Malwarebytes that targets rootkits only. While it's still in beta, it has been getting rave reviews and is very stable. I don't see that you have anything to lose at this point. Definitely follow cotton's advice first while he's working with you.

Malwarebytes : Malwarebytes Anti-Rootkit
 

We are ready to roll if you also have a USB flash drive available, and have access to another computer.

Is that the case?
not just yet
 
If it was my computer and it had an advanced rootkit I would do a clean wipe install.

Cotton is giving you 1st rate help and with his help you may defeat the rootkit, but I tend to agree with Bear on this.

On top of cotton's advice you could also try the new program from Malwarebytes that targets rootkits only. While it's still in beta, it has been getting rave reviews and is very stable. I don't see that you have anything to lose at this point. Definitely follow cotton's advice first while he's working with you.

Malwarebytes : Malwarebytes Anti-Rootkit
I wish that would have been brought up sooner. I just ran it and BAM, found 7 items. Will report back when I finish and give results.
 
