Solved Possible Zeroaccess infection: denied access to MSE, update error

[VistaKing]

PowerTrader

For the fix to work FRST64.exe has to be on the Desktop not the Downloads folder . Drag the FRST64.exe file from your Downloads folder to your Desktop .

 

[Jacee]

Your system has been 'hacked' by a backdoor Trojan ... designed to gather all of your personal (critical) information and is being controlled by the remote computer.

Warning! Backdoor Trojans

These are the most dangerous, and most widespread, type of Trojan.
Backdoor Trojans provide the author or ‘master’ of the Trojan with remote ‘administration’ of victim machines. Unlike legitimate remote administration utilities, they install, launch and run invisibly, without the consent or knowledge of the user. Once installed, backdoor Trojans can be instructed to send, receive, execute and delete files, harvest confidential data from the computer, log activity on the computer and more.

If your computer was used for online banking or has credit card information on it, all passwords should be changed immediately to include those used for email, eBay and forums.
You should consider them to be compromised. They should be changed by using a different computer and not the infected one, if not an attacker may get the new passwords and transaction information.

Banking and credit card institutions should be notified of the possible security breech.

 

[VistaKing]

PowerTrader you still with us ?

 

[PowerTrader]

so far so good!
- Ran fixlist then restarted
- got errors for missing msseces.exe files, but then windows started to automatically update (so I guess its working) also updated MSE and ran a scan. seems to be working fine now
- also knocked out the services repair and the fanbar service scanner. below is the report

 

[VistaKing]

Can you upload the FIxlog.txt should be on the Desktop

 

[PowerTrader]

as requested!

 

[VistaKing]

AdwCleaner

Click here AdwCleaner

:ar: Click on Download Now button

:ar: Save to the Desktop

:ar: Right-click on AdwCleaner.exe and choose

:ar: Click on Delete and confirm the prompt.

:ar: Your computer will be rebooted automatically. A text file will open after the restart.

Upload the log : The log file is at C:\AdwCleaner[Sn].txt


Download Junkware Removal Toolkit

Click here Junkware Removal Tool to download

Drag the JRT.exe from the Downloads folder to your Desktop

Right click JRT.exe and choose

Once done upload the JRT.txt file

 

[PowerTrader]

and again

 

[PowerTrader]

BTW I guess there is a new interface for AdwCleaner. No more delete button, just says "clean"

 

[VistaKing]

What version is it saying ?

 

[PowerTrader]

v3.000

 

[PowerTrader]

Anything else or is this one officially solved!?

 

[VistaKing]

That was a recent update . I have 2.306

Usually it says there is an update .

Ok on the new version 3.000 click on the Clean button

 

[PowerTrader]

done and done, reports are a few posts back

 

[VistaKing]

Run

Malwarebytes

Download Link :ar: MalwareBytes

When the installation is done uncheck Enable free trial of Malwarebytes (see image below )

Update the definitions and do a full scan

:ar: On the Scanner tab:
Make sure the "Perform Full Scan" option is selected.
Then click on the Scan button.
:ar: If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
:ar: The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
:ar: When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
:ar: Click OK to close the message box and continue with the removal process.
:ar: Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
:ar: Make sure that everything is checked, and click Remove Selected.
:ar: When removal is completed, a log report will open in Notepad.
:ar: The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
:ar: Copy and paste the contents of that report in your next reply and exit MBAM.

Log looks like this : mbam-log-yyyy-mm-dd

Log located : C:\Users\{Your UserName}\AppData\Roaming\Malwarebytes\Malwarebytes' Anti-Malware\Logs or C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Logs

 

[PowerTrader]

Looks clean:

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
Database version: v2013.08.14.02
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16660
Laura :: LAURA-PC [administrator]
8/14/2013 2:22:12 AM
mbam-log-2013-08-14 (02-22-12).txt
Scan type: Full scan (C:\|D:\|E:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 427650
Time elapsed: 1 hour(s), 52 minute(s), 2 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)

 

[VistaKing]

<==== Download Link


<==== Download Link

:ar: Click on one of the links above that goes with your Windows 7 bit versions

:ar: Save to the Desktop.

:ar: Close all windows and browsers

:ar: Right click on

and choose

:ar: Press: SCAN

:ar: provide the RKreport.txt (Mode: Scan) in your reply.

 

[PowerTrader]

RogueKiller V8.6.5 _x64_ [Aug 5 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : Forum
Website : RogueKiller download
Blog : tigzy-RK
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Laura [Admin rights]
Mode : Scan -- Date : 08/14/2013 11:16:05
| ARK || FAK || MBR |
¤¤¤ Bad processes : 0 ¤¤¤
¤¤¤ Registry Entries : 4 ¤¤¤
[HJ POL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ POL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Scheduled tasks : 0 ¤¤¤
¤¤¤ Startup Entries : 0 ¤¤¤
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤
¤¤¤ External Hives: ¤¤¤
¤¤¤ Infection : ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: WDC WD2500BEVT-22A23T0 +++++
--- User ---
[MBR] 198eb29d567c674079b92f63af980bf1
[BSP] 658a376a6fa05f4157ead5a665eac855 : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 63 | Size: 13319 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 27278370 | Size: 101 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 27487215 | Size: 225052 Mo
User = LL1 ... OK!
User = LL2 ... OK!
Finished : << RKreport[0]_S_08142013_111605.txt >>

 

[VistaKing]

Run RogueKiller and click on the Delete button .

Then run ESET Online Scanner

On

Hold down Control and click on ESET Online Scanner to open ESET OnlineScan in a new window
Click the

button
Check YES, I accept the Terms of Use.
Click the Start button.
Accept any security warnings from your browser.
Under scan settings, check "Scan Archives" and "Remove found threats"
Click Advanced settings and select the following:
° Scan potentially unwanted applications
° Scan for potentially unsafe applications
° Enable Anti-Stealth technology
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, click List Threats
Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Click the Back button.
Click the Finish button.


On

or

Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
Right click on

choose

on your desktop
Check YES, I accept the Terms of Use.
Click the Start button.
Accept any security warnings from your browser.
Under scan settings, check "Scan Archives" and "Remove found threats"
Click Advanced settings and select the following:
° Scan potentially unwanted applications
° Scan for potentially unsafe applications
° Enable Anti-Stealth technology
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, click List Threats
Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Click the Back button.
Click the Finish button.

 

[PowerTrader]

Looks like there were 4 hits spotted. Should i just use the program to delete the things they have checked? Also i scanned my other computer with this and got the following report. Should i delete these items as well?

RogueKiller V8.6.5 _x64_ [Aug 5 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : Forum
Website : RogueKiller download
Blog : tigzy-RK

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Gary [Admin rights]
Mode : Scan -- Date : 08/14/2013 11:21:19
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 3 ¤¤¤
[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (hxxp=garys-new-iphone.local:6666;hxxps=garys-new-iphone.local:6666;socks=garys-new-iphone.local:5050) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts




¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST9500420AS +++++
--- User ---
[MBR] 3e563a017354c810f067962b52ab80a0
[BSP] a79ace6571998e1b25f4ddc737abb8af : MBR Code unknown
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 1200 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2459648 | Size: 463738 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 952195072 | Size: 12000 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] b0dc430206e212e42b7598045d4ffa22
[BSP] 4be90e0173eda5250ea297ac98ccbdf5 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 1200 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2459648 | Size: 463738 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 952195072 | Size: 12000 Mo

Finished : << RKreport[0]_S_08142013_112119.txt >>