BleepingComputer.com: Infected w/Rootkit.ZeroAccess


Infected w/Rootkit.ZeroAccess Cant be sure if it's gone

#1 Andrews222

  • New Member
  • Group: Members
  • Posts: 3
  • Joined: 22-October 10

Posted 20 July 2011 - 02:59 PM

Hello all,

I read, with great interest, a thread where the various log generation utilities were run, results submitted and analyzed, leading to a successful removal.
I'm afraid I tried ComboFix before I even thought to read through this forum to see what the experience on this was.

Bottom line, after many attempts to run ComboFix, it finally ran through stage 50 and generated a log file, ending successfully (without crashing like it had on earlier runs). However, that successful run was preceded by the message saying that "rootkit.zeroaccess is detected". After the successful run, I rebooted and ran it again, hoping not to get the message; unfortunately, it gave me the same message, but ran through the 50 stages very quickly, again resulting in a log file and success.

My Symantec endpoint protection software seems to have been clobbered, so I just uninstalled that, and everything else that looks to be wasted electrons.

I have now, after the fact, run the prescribed sequence of utilities and I'm hoping someone wouldn't mind taking a quick look to see if I've slain the monster. GMER is running (10 items listed) as I type this, and I don't know what it's telling me.

Thanks in advance

Hello again,

I've attached the log files. Just for kicks I re-ran ComboFix to see if the infection was gone; it pops up with "There's a newer version of ComboFix available, Would you like to update ComboFix?"

Not sure what this is all about...

EDIT: Posts merged ~Budapest

Attached File(s)

  • dds.txt (9.17K)
  • Ark.log (3.68K)
  • attach.txt (23.52K)

This post has been edited by Budapest: 20 July 2011 - 05:15 PM


#2 CatByte

  • Bleepin' curls!
  • Group: Malware Response Team
  • Posts: 7,857
  • Joined: 09-November 08
  • Gender: Not Telling
  • Location: Canada

Posted 23 July 2011 - 09:11 PM

Please post the ComboFix log(s)

then run the following:

Please download exeHelper to your desktop.
  • Double-click on exeHelper.com to run the fix.
  • A black window should pop up, press any key to close once the fix is completed.
  • Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)

Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

NEXT

Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now

  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)

Microsoft MVP - 2010, 2011

#3 CatByte

  • Bleepin' curls!
  • Group: Malware Response Team
  • Posts: 7,857
  • Joined: 09-November 08
  • Gender: Not Telling
  • Location: Canada

Posted 29 July 2011 - 09:03 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
