
ZeroAccess infection, maybe more...


  • This topic is locked
24 replies to this topic

#1 hught78

hught78

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:03:45 PM

Posted 22 August 2012 - 12:29 AM

I am running an Acer Extensa 5630-4928 with Vista Home Premium 32-bit. I can use most programs in Safe Mode but only for a short time. I can't run any programs in regular mode; I get the "Specified service does not exist" error on everything. Both ethernet and wifi do not work in regular mode and safe mode. McAfee says there's a ZeroAccess infection that it cannot quarantine. DDS wouldn't finish; it would get to a certain point and just stick. I'm not sure if there is any script blocking software on this machine. The GMER log is attached. Thank you for your assistance.

EDIT---

I had to manually remove McAfee by deleting Registry entries to get DDS to work/finish. DDS logs are also attached.

Attached Files


Edited by hught78, 22 August 2012 - 10:24 AM.




#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,788 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:45 PM

Posted 26 August 2012 - 08:08 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please Download
TDSSKiller.zip

  • Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue
  • If a suspicious file is detected, the default action will be Skip, click on Continue
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

===

Please post the logs for my review.

#3 hught78

hught78
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:03:45 PM

Posted 26 August 2012 - 11:15 AM

Thanks, nasdaq. TDSS couldn't find anything but the log is attached anyway. aswMBR couldn't download the latest virus definitions because of the lack of internet connection on the machine currently, but the log is attached here too. Same with the compressed MBR file.

Attached Files



#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,788 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:45 PM

Posted 26 August 2012 - 12:05 PM

Download this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a flash drive.

Plug the flash drive into the infected PC.

Restart your computer and tap F8 to bring up the Advanced Menu, then click Repair your computer

Follow the prompt to enter keyboard input method, and then the prompt to enter a password. If the machine does not have a password, simply click Enter.

In the next menu, use the arrow keys on the keyboard to highlight Command Prompt and press Enter.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst64.exe and press Enter. Or FRST.exe if 32 bit system.

    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.


#5 hught78

hught78
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:03:45 PM

Posted 26 August 2012 - 03:47 PM

Thank you nasdaq, the frst log is attached. Looking forward to the next step.

Attached Files

  • Attached File  FRST.txt   26.85KB   6 downloads


#6 nasdaq

nasdaq

  • Malware Response Team
  • 38,788 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:45 PM

Posted 27 August 2012 - 07:14 AM

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
C:\Windows\Installer\{0768ed3c-91ed-0336-9bb0-427e6d7360ca}
C:\Users\Peter\AppData\Local\{0768ed3c-91ed-0336-9bb0-427e6d7360ca}
end


Now please enter System Recovery Options and run FRST as you did before, except that this time around, press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Now restart, let it boot normally and tell me how it went.
===

If still without internet connection please run this tool. You may also have to download it to the flash drive.

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.
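The fixlist above names two GUID-named folders, one under C:\Windows\Installer and one under the user's AppData\Local. As an added triage check (this is not part of nasdaq's instructions or of FRST), the PowerShell below lists every GUID-named folder in those two locations with its creation time, attributes and the number of executable-type files inside, so the entries can be looked at before anything is deleted. It assumes Windows PowerShell 2.0 or later in an elevated prompt on the affected machine, and takes the user profile from the environment instead of the "Peter" path in the fixlist.

```powershell
# Added example, not from the thread or from FRST: report GUID-named folders in the
# two locations named in the fixlist. Assumes Windows PowerShell 2.0+ in an
# elevated prompt; $env:LOCALAPPDATA stands in for C:\Users\Peter\AppData\Local.
$guidPattern = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
$roots = @(
    (Join-Path $env:SystemRoot 'Installer'),
    $env:LOCALAPPDATA
)

$report = foreach ($root in $roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }

    # -Force includes hidden and system folders, which a plain listing would skip.
    Get-ChildItem -LiteralPath $root -Force |
        Where-Object { $_.PSIsContainer -and $_.Name -match $guidPattern } |
        ForEach-Object {
            $dir = $_
            # Count files that could be executed or loaded (exe, dll, sys) anywhere below the folder.
            $exeCount = @(Get-ChildItem -LiteralPath $dir.FullName -Recurse -Force -ErrorAction SilentlyContinue |
                Where-Object { -not $_.PSIsContainer -and $_.Extension -match '^\.(exe|dll|sys)$' }).Count

            New-Object PSObject -Property @{
                Path       = $dir.FullName
                Created    = $dir.CreationTime
                Attributes = $dir.Attributes   # Hidden, System or ReparsePoint show up here
                ExeCount   = $exeCount
            }
        }
}

$report | Sort-Object Created | Format-Table Path, Created, Attributes, ExeCount -AutoSize
```

The script only reports; it removes nothing. C:\Windows\Installer legitimately holds GUID-named folders for installed MSI products, so a GUID name on its own proves nothing. What is worth a second look is a folder whose creation time matches the onset of the problem, that carries Hidden, System or ReparsePoint attributes, or that contains executable files, which is the information the table puts side by side.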


#7 hught78

hught78
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:03:45 PM

Posted 27 August 2012 - 09:51 AM

Ran FRST again but still no internet - log is attached. I ran FSS in Safe mode and attached the log as well.

Not sure if this is related, but the computer doesn't recognize a USB drive if I plug it in after the computer has booted up. The USB has to be plugged in before booting in order for me to gain access to it. This is not new since we began troubleshooting.

Attached Files



#8 nasdaq

nasdaq

  • Malware Response Team
  • 38,788 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:45 PM

Posted 27 August 2012 - 12:49 PM

Following steps involve registry editing. Please create new restore point before proceeding!!!
How to:
Vista and Seven - http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/

Download following registry keys:

http://download.bleepingcomputer.com/win-services/vista/Dnscache.reg
http://download.bleepingcomputer.com/win-services/vista/nsi.reg
http://download.bleepingcomputer.com/win-services/vista/PlugPlay.reg

Double click on each downloaded file and confirm the prompt.
Restart computer.
Post new FSS log.

Please let me know what problem persists.
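The three .reg files above restore the registry keys for the Dnscache, nsi and PlugPlay services, and the "does not exist as an installed service" message in this thread is the text Windows returns when a service name is not registered with the Service Control Manager. As an added check (not part of nasdaq's instructions or of Farbar Service Scanner), the PowerShell below reports, for each of the three services, whether its registry key exists, its ImagePath and Start value, and whether the Service Control Manager knows it; run it before and after importing the .reg files to confirm the keys came back. It assumes Windows PowerShell 2.0 or later in an elevated prompt and the standard service key layout under HKLM\SYSTEM\CurrentControlSet\Services.

```powershell
# Added example, not from the thread or from FSS: verify that the services restored by
# the three .reg files are registered. Assumes Windows PowerShell 2.0+ in an elevated
# prompt; the service names are taken from the .reg file names in the post.
$services = 'Dnscache', 'nsi', 'PlugPlay'
$base     = 'HKLM:\SYSTEM\CurrentControlSet\Services'

$report = foreach ($name in $services) {
    $keyPath = Join-Path $base $name

    $row = New-Object PSObject -Property @{
        Service     = $name
        RegistryKey = (Test-Path -LiteralPath $keyPath)
        ImagePath   = $null
        Start       = $null          # 2 = automatic, 3 = manual, 4 = disabled
        ScmStatus   = 'not registered'
    }

    if ($row.RegistryKey) {
        $props = Get-ItemProperty -LiteralPath $keyPath
        $row.ImagePath = $props.ImagePath
        $row.Start     = $props.Start
    }

    # Get-Service fails with a non-terminating error for an unregistered name;
    # suppressing it leaves $svc empty, which is the condition we want to surface.
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc) { $row.ScmStatus = $svc.Status }

    $row
}

$report | Format-Table Service, RegistryKey, ScmStatus, Start, ImagePath -AutoSize
```

A row with RegistryKey False and ScmStatus "not registered" is the condition the .reg file for that service is meant to repair; after the import and a restart the key should exist and the status should read Running or Stopped. The same check can be extended to any other service name that FSS or the "specified service does not exist" error points at, since it reads only the standard service keys.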

#9 hught78

hught78
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:03:45 PM

Posted 27 August 2012 - 04:50 PM

Thanks nasdaq. After running those registry files, my USB drive works like it should and I can get on the internet. However, the icon in the bottom-right part of the screen with the two overlapping computers still has a red "X" on it and if I hover over it, it says, "Connection Status Unknown The specified does not exist as an installed service." The same error message pops up when I try to run most programs from the desktop, like FSS, even after copying it from my USB drive.

FSS log is attached.

Thanks for all your help. I'm hopeful we are close to resolving all of these issues.

Attached Files

  • Attached File  FSS.txt   3.43KB   2 downloads


#10 nasdaq

nasdaq

  • Malware Response Team
  • 38,788 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:45 PM

Posted 28 August 2012 - 07:56 AM

The specified does not exist as an installed service." The same error message pops up when I try to run most programs from the desktop, like FSS, even after copying it from my USB drive


It might just be that your UAC has been compromised or damaged.

Try this.

Vista - Disable the UAC (User Account Control)
http://www.computerperformance.co.uk/vista/user_account_control.htm#How_to_Disable_User_Account_Control_%28UAC

How is it now?
===

Let's continue with the cleaning of the computer.

Third party programs if not up to date can be an open door for an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Remove the AdWare, PUB found.

  • Please close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with OK.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.


#11 hught78

hught78
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:03:45 PM

Posted 28 August 2012 - 01:21 PM

No dice. I disabled UAC via Ctrl Panel->Admin Tools->System Config->Tools->Disable UAC->Reboot - but I still get the same error (The specified service does not exist as an installed service) when trying to open most .exe's either on the Desktop or on my USB drive. Security Check and AdwCleaner log files are attached.

Attached Files



#12 nasdaq

nasdaq

  • Malware Response Team
  • 38,788 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:45 PM

Posted 29 August 2012 - 07:47 AM

Can you get a log out of this scan?

Please download MiniToolBox to Desktop and run it.

Check mark the following boxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
Click Go and copy/paste the log (Result.txt) into your next post.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.

#13 hught78

hught78
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:03:45 PM

Posted 29 August 2012 - 09:08 AM

I left everything disconnected from the network while running this. The log is attached.

EDIT-
I am running all of these scans in Safe Mode since nothing will run in Normal Mode.

Attached Files


Edited by hught78, 29 August 2012 - 09:54 AM.


#14 nasdaq

nasdaq

  • Malware Response Team
  • 38,788 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:45 PM

Posted 29 August 2012 - 10:00 AM

However, the icon in the bottom-right part of the screen with the two overlapping computers still has a red "X" on it and if I hover over it, it says, "Connection Status Unknown The specified does not exist as an installed service.


The ping service is not able to contact Google etc.

I suggest you start a new topic in the Networking forum
http://www.bleepingcomputer.com/forums/forum21.html

Post your problem and a copy of the MiniToolBox log.

I will keep this topic open for 5 days. Should you need to return please do.

#15 hught78

hught78
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:03:45 PM

Posted 29 August 2012 - 10:28 AM

I was not connected to any networks when I ran MiniToolBox. Should I have been connected? Additionally, the issue with the Red X on the networking graphic is not due to a networking error, it is related to the error I get with all the rest of the services/programs that cannot run, "Specified service does not exist." As I mentioned before, even though I see this red X graphic I am still able to access websites. Correct me if I'm wrong, but I think this is due to the damage from the rootkit or virus. I just want to be able to run programs again in Normal Mode.

Please advise.



