ZeroAccess? Virus Removal help Please!

zippo

New member
I have been fighting this virus for weeks now and still cannot get rid of it. I have run the following programs already with very little to no luck at all: ComboFix, CKScanner, DDS, HitmanPro, GMER, JRT, RogueKiller, RootkitRemover, TDSSKiller, ESET online scan, F-Secure online scan, Malwarebytes, Bitdefender, NOD32, and I'm probably forgetting some. I've had this before and got rid of it, but it took me almost a month to do so and I made so many different attempts at removing it that I don't quite remember which one worked. The only things that seemed to have found anything were both the online scanners. The last one run was F-Secure and it said that it found and removed w32/ZeroAccess.e623c78f39!Online. I also did a low-level format multiple times w/ multiple programs. DBAN seems to work the best and I ran DBAN in every option possible with still no luck. Every time I re-install Windows it's still there, so I need some other options here from some of you pros. You tell me what logs you need and I'll provide them for you, since I already have all the ones you will probably ask for. After the last install of Win 7 Ultimate x64 I cannot access certain folders because it says I don't have administrative rights, but I do. I don't know what other information you guys need at this point; my brain is shot and I'm just tired of dealing with this. Last note: I'm currently running Emsisoft Emergency Kit. Sorry for the long post and thanks in advance!
 

My Computer

Computer type
PC/Desktop
OS
Windows 7 Ultimate x64
How did you reinstall Windows? I mean, did you do "diskpart clean" to destroy the MBR totally?
Are you willing to reinstall Win7 again? I mean... you have all important stuff on backup already and know how to "clean install", install drivers and put files back from backup. Put only data files back, like doc, mp3, xls etc. Otherwise you probably restore the virus as well.

Are you willing to give it one more try?
 

My Computer

Computer type
Laptop
Computer Manufacturer/Model Number
ACER ASPIRE 5742G
OS
Microsoft Windows 7 Home Premium 64-bits 7601 Multiprocessor Free Service Pack 1
CPU
Intel(R) Core(TM) i3 CPU M 370 @ 2.40GHz
Motherboard
Acer Aspire 5742G
Memory
4,00 GB
Graphics Card(s)
ATI Mobility Radeon HD 5400 Series
Sound Card
(1) AMD High Definition Audio Device (2) Realtek High Defi
Screen Resolution
1366 x 768 x 32 bits (4294967296 colors) @ 60 Hz
Hard Drives
WDC WD5000BEVT-22ZAT0
Rootkits install a hidden boot partition that can survive a reinstall. It's best to wipe the disk before doing a reinstall to be sure you get rid of that partition. Most AVs have a problem with removing rootkits.

There is a tool that is specialized for removing rootkits; TDSSKiller generally does a good job of eliminating rootkits.

TDSSKiller Download

If you wish to try again with a clean install, here is a list of disk erasers.

http://www.techrepublic.com/blog/five-apps/five-hard-disk-cleaning-and-erasing-tools/

http://www.sevenforums.com/tutorials/1649-clean-install-windows-7-a.html

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Dell Hell oh Well
OS
Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1, Win 10
CPU
Intel Core 2 Duo 2.93GHz
Memory
Not much with my ADHD
Graphics Card(s)
ATI Radeon HD 4350
Monitor(s) Displays
24" HDTV/Monitor
Screen Resolution
Blurry after a Scotch or 2
Hard Drives
1 HDD 250 GB, 1 HDD 1 TB, 3 - 1 TB Externals
Case
Don't get on my case...man :D
Cooling
I have an Air Conditioner & Diet Pepsi
Keyboard
Saitek Cyborg
Mouse
10 yr old MS optical mouse that still works
Internet Speed
Never fast enough
Antivirus
Various
Browser
Various
I have no problem reinstalling Windows again. I used Darik's Boot and Nuke and did a complete wipe of the drive. But apparently I'm not reinstalling the MBR and sys files? What do you think the best way to do it is then? I figured a complete HD wipe, and then I entered DOS before installing and even made sure to do an MBR delete, and then I reinstalled Windows 7. Still no luck. So you tell me what you think the next best route is, please. Thanks. Oh yeah, I did run TDSSKiller multiple times and it never found anything.
 

Did you boot from a clean, virus-free DVD and wipe the hard disk? How did you wipe it exactly?
You can very easily wipe the disk using the "diskpart clean" command. "clean all" is not needed!
http://www.sevenforums.com/tutorials/52129-disk-clean-clean-all-diskpart-command.html
 

Yes, I used a clean, virus-free CD and wiped the disk. Unless when I burned DBAN onto a new CD it somehow got infected also? I did notice that when I went to burn the CD there was a hidden file desktop.ini that also tried to burn to the CD and I removed it (there are desktop.ini hidden files in every single folder now, sometimes 2 or 3 of them in each folder). I have never really noticed that many desktop.ini files before, so I don't know if that's something with the virus or not? But anyway, yes, I booted from a CD with DBAN and wiped the drive completely. After that I then inserted the CD that came with my mobo (Asus Crosshair IV Formula), booted into command prompt, and made sure to delete the MBR again and format the drive another time from command prompt. The only thing I have not done this time that I did last time that worked is flash the BIOS. The only problem there is that the BIOS ver. that is currently on the mobo is the newest version and it won't let me flash back to an older version? Is there a way around that so that I can flash back to an older version, or is that a bad idea? I'll go run another diskpart now and do a clean all just to be safe. I know it's not needed, but it's really not an issue at this point and I want this thing rid of for good. I'll be back to check for a response after. Once again, thank you for your assistance!
 

No luck. Virus still remains. BIOS flash?
 

Did you create the installation DVD from here? http://www.heidoc.net/joomla/technology-science/microsoft/14-windows-7-direct-download-links
Did you burn it from a CLEAN machine?

Last time: How did you wipe the disk?
 

No, I did not download it from there. I have a clean Windows 7 Ultimate CD that I purchased a long time ago. The last wipe I did was with diskpart and I did a clean all command. After that I cleared the CMOS and then re-installed Win7. Now I am having issues with connecting to the internet, and still have no administrative rights to certain folders/files. Also, when trying to go to Google it tells me that there is a problem with this website's security certificate? I also grabbed a copy of Avast to see if that would maybe catch the virus running a boot scan and full system scan, and that failed to find anything also. So what's next on the list to try, haha? The only thing I can think of is flashing the BIOS after wiping the drive again. But I still don't know how to flash the BIOS back to an older version, because it won't let me go to an older version, only a newer version. Any other ideas?
 

I have 2 versions of Windows 7 and both of them are clean DVDs. At this moment I don't have another machine to make another copy. I've read a lot of articles about some rootkits attaching themselves to the BIOS, so reformatting and wiping the drive does no good. I'm just wondering if maybe I'm the lucky one who has it in the BIOS? I've wiped the drive at least 5 times already and have re-installed Windows about 10 times. I'll go run another diskpart and do a clean command. I'll be back soon to check back.
 

ntoskrnl.exe has suspicious modifications according to GMER. Don't know if this helps you at all?
 

It's just a matter of figuring out where the re-infection is coming from. It could be the BIOS, but first examine all the other alternatives. Is it coming from infected files? If so, what is the source? If there is any way you can get to another clean PC and make a new Win 7 disk, that would eliminate one possible source.

One tool you can use to look at your HDD is GParted. It is a boot partition editor. If you are infected, the rootkit will show up as a hidden boot partition at the end of the drive, usually between 1 and 10 MB. With this tool you can eliminate this partition. Be sure to read the documentation.

GParted -- A free application for graphically managing disk device partitions
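The layout described in the post above (a small hidden partition parked at the very end of the disk) can be checked offline from a copy of sector 0. This is an added example, not code from the thread or from GParted: it parses a constructed MBR sector and flags partition entries for manual review; the disk size, partition types and offsets are constructed sample values.

```python
import struct

SECTOR = 512
ENTRY_OFF = 446                  # first of four 16-byte MBR partition entries
ENTRY_FMT = "<B3sB3sII"          # status, CHS start, type, CHS end, LBA start, sector count
# Constructed: sector count of a nominal 500 GB disk used for the sample below.
DISK_SECTORS = 976773168


def parse_mbr(mbr: bytes):
    """Return the non-empty primary partition entries of a 512-byte MBR sector."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature; not a valid MBR")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, mbr, ENTRY_OFF + 16 * i)
        if ptype != 0 and count != 0:
            parts.append({"index": i, "bootable": status == 0x80,
                          "type": ptype, "lba": lba, "sectors": count})
    return parts


def suspicious_partitions(parts, disk_sectors=DISK_SECTORS, max_mb=10):
    """Indices of partitions no larger than max_mb that end within max_mb of the disk end.

    A hit is a candidate for manual inspection, not proof of infection: Windows' own
    System Reserved partition sits at the start of the disk, and OEM recovery
    partitions at the end are normally far larger than this threshold.
    """
    limit = max_mb * 1024 * 1024 // SECTOR
    flagged = []
    for p in parts:
        end = p["lba"] + p["sectors"]
        if p["sectors"] <= limit and disk_sectors - end < limit:
            flagged.append(p["index"])
    return flagged


def build_sample_mbr():
    """Constructed sample: one NTFS system partition plus a 5 MB hidden-NTFS tail partition."""
    buf = bytearray(SECTOR)
    chs = b"\xfe\xff\xff"                      # CHS fields are ignored on LBA-addressed disks
    tail_sectors = 5 * 1024 * 1024 // SECTOR    # 10240 sectors = 5 MB
    tail_lba = DISK_SECTORS - tail_sectors
    struct.pack_into(ENTRY_FMT, buf, ENTRY_OFF, 0x80, chs, 0x07, chs, 2048, tail_lba - 2048)
    struct.pack_into(ENTRY_FMT, buf, ENTRY_OFF + 16, 0x00, chs, 0x17, chs, tail_lba, tail_sectors)
    buf[510:512] = b"\x55\xaa"
    return bytes(buf)


if __name__ == "__main__":
    entries = parse_mbr(build_sample_mbr())
    for p in entries:
        print(f"entry {p['index']}: type 0x{p['type']:02x} lba={p['lba']} sectors={p['sectors']}")
    print("review these entries:", suspicious_partitions(entries))
```

On a real machine the same parser can be pointed at the first 512 bytes of the physical disk read from a clean boot medium, with the disk's true sector count supplied in place of the constructed one.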
 

You could try running Windows Defender Offline once you've got the OS installed.
The virus is obviously re-initializing, so you've got to isolate it before it starts up.
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
benchtec, built to personal specs
OS
Windows10 Pro - 64Bit vs.10547
CPU
i7-965 Extreme Edition (8 Cores) at 3.3GHz (no OC)
Motherboard
BloodRageX58 (Socket1366)
Memory
12G Corsair Dominator DDR3 - tripled
Graphics Card(s)
2xAMD SapphireNITRO R9 380(4G) crossfire
Sound Card
Sonar(SB)X-Fi onboard
Monitor(s) Displays
SyncMaster P2050 20"
Screen Resolution
1600x900 (widescreen)
Hard Drives
480G\OCZSolid3SSD, 64G\OCZVertex3SSD,60G\OCZVertex2SSD, 1TB\spinpointF1SATAHDD
PSU
1200w Power Station Gold
Case
ANTEC 900/2 all blue lights, etc..
Cooling
Noctua SE1366 NH-U12P - a tight fit, but a monster cooler!!
Keyboard
Logitech G19 (wired)
Mouse
Logitech G9 Laser (wired)
Internet Speed
150mb unlimited
Browser
IE11(RP)
Other Info
Xbox One, Nokia735 Windows10 mobile, LG HD/DVD/Blu-Ray r/w, CyberlinkPowerDVD15, LogitechZ5500-SS(5.1), LogitechG35Phones-SS(7.1),MSOffice 2007,CorelDrawX7,Painter2016, Wacom Intuos Pro-SE
It is easy for the ZeroAccess virus to come back if one is not thoughtful and prudent. The ZeroAccess rootkit can return by way of autorun.inf and other corresponding virus programs generated on local hardware, a memory stick, or an external hard drive with the automatic playback function. So you need to sanitize all external devices you connect to your PC, apart from your other internal drives.
 

My Computer

OS
Windows 7 Home Premium 32 bit