Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Is ZeroAccess! Gone


  • This topic is locked This topic is locked
3 replies to this topic

#1 zohan

zohan

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:10:44 PM

Posted 06 April 2012 - 04:48 PM

Ok well, this is going to be long. I will try to make this as short as possible while still giving details.

So, I had google redirects. Figured I was infected with something. I ran Malwarebytes. Found and fixed alot of stuff. But still had problems. I ran combofix. After combofix has scanned for a few minutes, it says something to the effect of "you are infected with RootKit ZeroAccess! in the tcp/ip stack". It then says it need to reboot. I say "Ok", it finishes with no errors. So, I ran Combofix again to see if I get the same message again. And I do. Says the same thing, "RootKit ZeroAccess!".

So then, I proceed to scan with other rootkit removal tools. Stating with tdsskiller. If found stuff, and cleaned it. I rerun tdsskiller after reboot to see if it finds anything and says its clean. I then run combofix again, and still, it says "im infected with RootKit ZeroAccess!. I then search for any and all ZeroAccess Removal tools I can find. I found ESET Sirefef remover. Ran that, says Sirefef/ZeroAccess not detected. I downloaded Symantec's tool, FixZeroAccess. It found a couple of files and cleaned. Again, I rebooted, rerun Symantec's tool, and it says it's clean. So, then I rerun combofix. It still says "I'm infected with Rootkit ZeroAccess!". So, I download aswMBR, It doesn't seem to find anything. Then I downloaded Sophos Anti-RootKit. It found a couple of files and cleaned. Again, a rescan of sophos antirookit shows clean, rerun all the above antirootkit scanners all shows clean. However, Combofix still says im infected with ZeroAccess.

Now, as far as symtoms go, None. Computer is working good. This seems strange to me. I'm pretty sure I was infected, and had symtoms of google redirects and system running really slow. Every thing I've read on the ZeroAccess says you will lose internet connection. But I never have. I start to think this is a false positive from combofix. I reload my trend micro,(I had uninstalled before I started to remove anything) I also, ran combofix /uninstall and ran Clean Up in OTL. I scan the system with Trend Micro it doesn't find anything. I then Download SuperAntispyware and disabled Trend Micro and scanned with the SuperAntispyware. All it found was some tracking cookies.

Well, with internet connection always working, I start to think about why would that happen if i had ZeroAccess and I remember that I have a bridged network connection. So when you go into my tcp/ip setting in Network Connections. The Setting are greyed out, and my setting are on the Bridged Connection. So, I proceed to Remove the Bridge, and have it normal, Thinking this is causing a problem or maybe causing combofix to not remove the rootkit. I then Disable Trend Micro, Downoad a fresh new copy of combofix. And run combofix again. Combofix comes up with the same message, "I'm infected with Rootkit ZeroAccess!". Well, I'm thinking maybe this time it will fix it. But after it finishes and reboots. I still have internet connection. And still run combofix again, it still says im infected.

I'm scared to trust this, or this pc now. So, can you guys help me find out if I'm infected or not?


I don't see an attach button to attach any logs.

Edited by zohan, 06 April 2012 - 04:49 PM.


BC AdBot (Login to Remove)

 


#2 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,716 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:08:44 PM

Posted 06 April 2012 - 07:37 PM

ZeroAccess rootkit require special attention.

Please follow the instructions in ==>This Guide<== starting at Step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<== Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 


#3 zohan

zohan
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:10:44 PM

Posted 09 April 2012 - 11:14 AM

Started New Topic

http://www.bleepingcomputer.com/forums/topic449470.html

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,416 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:11:44 PM

Posted 09 April 2012 - 12:03 PM

Thank you.

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show it the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRL Team member is already assisting you and not open the thread to respond.

The current wait time is 1 - 3 days and ALL logs are answered.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

To avoid confusion, I am closing this topic.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users