Solved Possible Zeroaccess infection: denied access to MSE, update error

PowerTrader
Hey guys, I am having some problems here on my girlfriend's laptop (Win 7 Home Premium 64 bit) and believe it may be infected with "ZeroAccess". Her work computer had a virus on it last week, and she uses her personal laptop to connect to that work computer when she's out of the office (she uses OnBoard Remote by Adaptive Solutions to connect). We cannot run Microsoft Security Essentials anymore (access denied) and cannot update (Windows Update error code 80070005). I downloaded and ran TDSSKiller, but it did not show any viruses. I did do a scan with that Farbar tool and attached the 2 reports. Any help ID'ing what is going on would be greatly appreciated!

Update: Still working the issue, but I decided to take the hard drive out, connect it to another computer via USB cables, and do a complete scan of the HD. As soon as I started the scan it already notified me that the preliminary scan found malicious and possibly unwanted software, but did not report what they were. Will update with results (looks like it's going to take hours).
 

Attachments

My Computer My Computer

Computer type
Laptop
Computer Manufacturer/Model Number
Acer Aspire 5734z
OS
Windows 7 Home Premium 64bit
CPU
Intel Pentium Dual-Core T4500 @2.300ghz
Memory
3gb
Graphics Card(s)
Intel GMA 4500m
Antivirus
Microsoft Securities Essential
PowerTrader

Looking at the log, it is in fact ZeroAccess. Well, you started scanning the hard drive as a USB drive; let's see what the results will be. What antivirus are you scanning with?
 

My Computer My Computer

Computer Manufacturer/Model Number
Custom Built
OS
Windows 7 Ultimate 32-Bit & Windows 7 Ultimate 64-Bit
CPU
Intel Core i7 CPU 950 @ 3.07GHz
Motherboard
ASUS P6T DELUXE V2
Memory
OCZ 6GB (3 x 2GB) 240-Pin DDR3 SDRAM DDR3 1600 OCZ3X1600R2
Graphics Card(s)
ATI Radeon HD 5700 Series
Sound Card
OnBoard
Hard Drives
WD6400AACS-00M3B0 (640GB SATA )
PSU
CORSAIR 850w
Case
NZXT LEXA
Cooling
Intel Stock Heatsink Fan
Keyboard
Microsoft Wireless Laser Keyboard 7000
Mouse
Microsoft Wireless Laser Mouse 7000
Scanning the HD with Microsoft Security Essentials on a desktop equipped with Windows Vista Home Premium 32bit
 

Let's see what it comes out with.
 

OK, just completed the scan. Here are the results:

Exploit: Java/CVE-2013-0422
TrojanDownloader: Win32/Dofoil.R
TrojanDropper:Win32/Sirefef.gen!E
Rogue:Win32/Winwebsec
TrojanDropper:Win32/Sirefef.gen!G

I have not taken any action yet. Standing by for recommended course of action.
 

Open Notepad. Inside Notepad, paste the highlighted text:

start
HKLM\...\Run: [MSC] - "c:\Program Files\Microsoft Security Client\mssecex.exe" -hide -runkey [x] <===== ATTENTION (File name is altered)
HKLM\...\Winlogon: [Shell] [x ] () <=== ATTENTION
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] ATTENTION! ====> ZeroAccess?
HKCU\...\Winlogon: [Shell]
HKCU\...\Policies\system: [DisableChangePassword] 0
HKCU\...\Policies\system: [DisableLockWorkstation] 0
MountPoints2: {1a4eae80-5a20-11e0-ade9-88ae1d0edfee} - E:\setup.exe -a
HKU\Default\...\RunOnce: [ScrSav] - C:\Program Files (x86)\Acer\Screensaver\run_Acer.exe [154144 2010-01-14] ()
HKU\Default User\...\RunOnce: [ScrSav] - C:\Program Files (x86)\Acer\Screensaver\run_Acer.exe [154144 2010-01-14] ()
S1 ouyzvgyu; \??\C:\Windows\system32\drivers\ouyzvgyu.sys [x]
2013-08-13 18:37 - 2009-07-14 01:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-2605782298-985525740-3821210279-1000\$ddc6e1b221ef8d4c62a6ee0de1e5d502

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$ddc6e1b221ef8d4c62a6ee0de1e5d502
DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
DeleteJunctionsIndirectory: C:\Program Files\Microsoft Security Client
end


Click on File ====> Save As

File Name : Fixlist.txt

Save as type : All Files

Location : Desktop

Click on the [Save] button.

Open the FRST tool again from the Desktop and click on the [Fix] button. Once complete, it will create a new log called Fixlog.txt. Upload the new log in your reply. It should be on the desktop.
 

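To make the indicators in that fixlist concrete from the defender's side, here is an added Python example. It is not code from this thread, from FRST, or from its author; it runs a handful of triage rules over constructed FRST-style log lines modelled on the entries quoted above (the SID and the 32-hex-character folder name are placeholders in the same shape as the thread's). The rules are assumptions drawn from those quoted lines: FRST's `[x]` marker for a file that no longer exists, its `ATTENTION` marker, a Winlogon `Shell` value that is not `explorer.exe` (or any per-user `Shell` override under HKCU), a service whose driver binary is missing, and a `$Recycle.Bin` per-SID subfolder named `$` plus 32 hex characters, which is where the thread's fixlist locates the ZeroAccess payload.

```python
import re
from collections import Counter

# Constructed sample lines in FRST's reporting format, modelled on the fixlist
# quoted in this thread. Not a real log: SID and hex folder name are placeholders.
SAMPLE_FRST_LINES = [
    r'HKLM\...\Run: [MSC] - "c:\Program Files\Microsoft Security Client\mssecex.exe" -hide -runkey [x] <===== ATTENTION (File name is altered)',
    r'HKLM\...\Run: [IgfxTray] - C:\Windows\system32\igfxtray.exe [141848 2010-01-14] (Intel Corporation)',
    r'HKLM\...\Winlogon: [Shell] [x ] () <=== ATTENTION',
    r'HKCU\...\Winlogon: [Shell]',
    r'HKLM\...\Winlogon: [Shell] explorer.exe',
    r'HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] ATTENTION! ====> ZeroAccess?',
    r'S1 ouyzvgyu; \??\C:\Windows\system32\drivers\ouyzvgyu.sys [x]',
    r'S3 usbccgp; C:\Windows\system32\drivers\usbccgp.sys [98816 2009-07-14] (Microsoft Corporation)',
    r'C:\$Recycle.Bin\S-1-5-18\$ddc6e1b221ef8d4c62a6ee0de1e5d502',
    r'C:\$Recycle.Bin\S-1-5-21-1111111111-2222222222-3333333333-1000\$ddc6e1b221ef8d4c62a6ee0de1e5d502',
    r'C:\$Recycle.Bin\S-1-5-18\$I3K2L1M.txt',   # ordinary recycled item, should not fire
]

# FRST's "file not found" marker, seen on the page as "[x]" and "[x ]" (assumed format).
RE_MISSING = re.compile(r"\[x\s*\]")
# Run / RunOnce entries under HKLM, HKCU or HKU\<user>.
RE_RUN = re.compile(r"^HK(LM|CU|U\\[^\\]+)\\\.\.\.\\Run(Once)?: \[(?P<name>[^\]]+)\] - (?P<rest>.*)$")
# Winlogon Shell value; the legitimate value is explorer.exe and lives under HKLM.
RE_SHELL = re.compile(r"\\Winlogon: \[Shell\]\s*(?P<value>.*)$")
# Service lines: "<S|R|U><start type> <name>; <binary path> ..."
RE_SERVICE = re.compile(r"^[SRU]\d+ (?P<name>[^;]+); (?P<path>.*)$")
# A per-SID $Recycle.Bin subfolder named "$" + 32 hex characters.
RE_RECYCLE = re.compile(r"\\\$Recycle\.Bin\\S-1-5-[\d-]+\\\$[0-9a-f]{32}$", re.IGNORECASE)


def triage_frst(lines):
    """Return a list of (reason, line) findings for the suspicious FRST lines."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        # FRST has already flagged the line; keep that signal as its own finding.
        if "ATTENTION" in line:
            findings.append(("frst_attention", line))
        # Autostart entry whose target binary no longer exists (or was renamed away).
        m = RE_RUN.search(line)
        if m and RE_MISSING.search(m.group("rest")):
            findings.append(("run_entry_file_missing", line))
        # Shell replaced/emptied, or a per-user override that should not normally exist.
        m = RE_SHELL.search(line)
        if m:
            value = RE_MISSING.sub("", m.group("value")).replace("()", "").strip()
            if line.startswith("HKCU") or value.lower() != "explorer.exe":
                findings.append(("winlogon_shell_suspicious", line))
        # Registered service/driver whose binary is gone (typical of a dropped rootkit loader).
        m = RE_SERVICE.match(line)
        if m and RE_MISSING.search(m.group("path")):
            findings.append(("service_binary_missing", line))
        # Hidden payload directory inside the recycle bin, as in the thread's fixlist.
        if RE_RECYCLE.search(line):
            findings.append(("recycle_bin_hex_folder", line))
    return findings


def count_by_reason(findings):
    """Collapse findings into {reason: count} for a quick summary."""
    return dict(Counter(reason for reason, _ in findings))


if __name__ == "__main__":
    hits = triage_frst(SAMPLE_FRST_LINES)
    for reason, line in hits:
        print(f"{reason:28s} {line}")
    print(count_by_reason(hits))
```

Feed it the text of an FRST.txt instead of the sample list and it gives a first pass at which lines deserve a human look; it deliberately reports, rather than acts, since the thread's own advice is that removal belongs in a fixlist run on the infected machine itself.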
Awesome, thanks! I still have the HD connected to my desktop via USB. Should I allow MSE to remove the threats before I plug it back into the laptop and do that thing with Notepad?
 

I'd plug the hard drive back into the other PC and remove the items that way. If you run MSE then the Notepad isn't needed.
 

Sorry, a little confused.
Right now I have the laptop's infected hard drive connected to my desktop via USB cables. Should I keep the hard drive plugged into the desktop and use the desktop's MSE to remove the threat first, and THEN plug it back into the laptop to run that Notepad thing, or should I do something different?
 

You could use the MSE on the desktop. When you plug the hard drive back into the laptop the Notepad isn't needed; MSE should remove the infections. I personally would unplug the hard drive from the PC (desktop), plug it back into the laptop and do the Notepad.
 

I am confused!!! :confused:

If the infected laptop drive is connected as a slave to the Desktop computer, the Registry of the infected laptop drive won't be loaded. So, any cleanup does not remove malware entries from the Registry.

Running FRST on the Desktop to clean a slaved laptop drive is not a good idea, if that is what is being attempted.

:confused:
 

My Computer My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
An ol' eMachines
OS
Windows 7 Home Premium
Internet Speed
Fine for me...I'm retired!
Cottonball

What is happening: PowerTrader is scanning the laptop's hard drive on his desktop using a USB tool. What I am attempting to have him do is put the drive back into the laptop and do the fix on the laptop.
 

The laptop's drive needs to be in the laptop, and FRST needs to be run from the Desktop of the laptop.

Scanning the drive on the Desktop computer does not load the Registry for the laptop.

What I would do is run FRST again on the laptop, post its report, and then fix the files and the Registry entries with a fixlist, like in Post #6.

If you run that fixlist from the Desktop computer, I have no clue as to what that will result in.

Edited to clarify Desktop computer, and laptop's Desktop. :confused:
 

The fixlist.txt was meant to be run inside the laptop, not the desktop.
 

Just to clarify:
1 - Those reports were conducted when the HD was in the laptop.
2 - After I was sure that there was some kind of threat, I removed the HD from the laptop.
3 - I then connected the HD to my desktop by USB cables (as a slave) and ran a complete virus scan (MSE).
4 - Scan completed and found 5 threats.
5 - I got skittish and used MSE to clean the threats from the enslaved HD (sorry, I should have just followed your recommendations).
6 - Doing one last scan before I put it back into the laptop.

My question now: Because I used MSE on the desktop to eliminate the threats, will my registry be fine, or do I have to make more changes once I put it back in the laptop?
Thanks, and sorry for not following instructions to a T.
 

I would use FRST.exe again to create a new log file when you place the hard drive back into the laptop.
 

Writing from the laptop. Just tried to run MSE from the laptop with no luck. Update is still blocked as well (same error as before). Attached is the updated FRST report.
 

Attachments

5 - I got skittish and used MSE to clean the threats from the enslaved HD (sorry, I should have just followed your recommendations).
6 - Doing one last scan before I put it back into the laptop.

My question now: Because I used MSE on the desktop to eliminate the threats, will my registry be fine, or do I have to make more changes once I put it back in the laptop?

The malware Registry entries are still there, as well as other ZeroAccess entries.

The way malware works nowadays, it is best not to slave a hard drive and run scans from another computer. There are other, more effective options.

VistaKing will look at the new FRST report and prepare a new fixlist. In it, there will also be commands to work on the MSE issue. Between FRST, FSS, and a ServicesRepair program, you should be OK.

Just hang in there.
 

My Computer My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
An ol' eMachines
OS
Windows 7 Home Premium
Internet Speed
Fine for me...I'm retired!
The new and old FRST.txt look the same. Run the fixlist posted in Post #6, then run the tools below.


Download Services Repair

http://kb.eset.com/library/ESET/KB Team Only/Malware/ServicesRepair.exe

When done, drag the file to your desktop.

Right click on ServicesRepair.exe and choose:
[image]


Click on Yes or Continue. Once the tool has completed it will ask you to restart. Please restart the PC.

Then run FSS

Farbar Service Scanner

Click here: Farbar Service Scanner to DOWNLOAD

Place the file onto your desktop.

Right click on FSS.exe and select:
[image]


Place a check mark next to the following options:

  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center
  • Windows Update
  • Windows Defender

Press the Scan button.

Farbar Service Scanner will create a log, called FSS.txt, on the Desktop. Upload the FSS.txt with your reply.
 

Awesome, thanks! This malware just keeps getting more diabolical every year...
 
