
internet explorer has a (4) in the start menu


79 replies to this topic

#1 kms2012

  • Members
  • 59 posts

Posted 22 November 2012 - 11:04 PM

Greetings,
I found multiple topics relating to a zeroaccess rootkit virus, downloaded the tools and found them extremely helpful. Sadly I couldn't run tdsskiller any way I named it or downloaded it. Last week in walmart my wife suggested avast system suite which said it deleted the zeroaccess rootkit and scanning with rkill comes clean of infection, Malwarebytes shows clean, sas showed 79 adware tracking cookies which I delete every time. Beforehand I had firewall issues, thanks to McAfee preinstalled and controlling it...constantly, even after my subscription ended, which probably started all this. One day I noticed windows couldn't finish an essential update, thought nothing of it and just kept on. Well upon trying to install avg via a c-net.com download link the virus activated to protect itself with browser freeze ups and such. Rkill showed the zeroaccess and firewall, not to mention McAfee but I knew McAfee wasn't doin a damn thing. Well since the removal in the Start menu, Windows 7, Internet Explorer, windows media and windows explorer have a (4) next to them and at varying times internet exp will go to a diff site, like a redirect virus. Eset, before using avast system suite, showed the google redirect virus HTML/Iframe.B.Gen virus deleted - quarantined......but I still get redirects here and there. Nothing in any scans show, windows updated after Avast was installed, nod32 wouldn't install thanks to McAfee hanging around, microsoft security essentials installed and there's nothing on any scans. But I still get redirected here and there. I used Revo uninstaller to delete/uninstall any other antivirus and apps I thought to be malicious, like BHOs and the facebook messenger, but revo doesn't show any McAfee or fb messenger, and I tried uninstalling via the standard menu of windows, but the files were hanging around. I don't know if they were deleted or if I'm free of infection. 
I'm also using my android to free my pc up to do specified tasks when asked to, thanks in advance for any help my friends!

*moved from Windows 7 to the appropriate forum ~ Queen-Evie*

Edited by Queen-Evie, 22 November 2012 - 11:34 PM.




#2 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 22 November 2012 - 11:18 PM

Do not run any tools when I'm helping you

Download Listparts from here

For 32 bit

List parts 32

For 64 bit

List parts 64

Launch it, click on SCAN, post the log

#3 kms2012

  • Topic Starter
  • Members
  • 59 posts

Posted 22 November 2012 - 11:24 PM

Okay please standby as I copy the url and paste into the infected pc chrome browser and ty for helping so quickly!

#4 kms2012

  • Topic Starter
  • Members
  • 59 posts

Posted 22 November 2012 - 11:32 PM

ListParts by Farbar Version: 30-10-2012
Ran by Krystoffer (administrator) on 22-11-2012 at 22:27:36
Windows 7 (X64)
Running From: C:\Users\Krystoffer\Desktop\Downloads
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 38%
Total physical RAM: 3838.15 MB
Available physical RAM: 2342.51 MB
Total Pagefile: 4092.34 MB
Available Pagefile: 2716.44 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: (ACER) (Fixed) (Total:452.46 GB) (Free:212.33 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Recovery 13 GB 1024 KB
Partition 2 Primary 100 MB 13 GB
Partition 3 Primary 452 GB 13 GB
Partition 4 Primary 10 MB 465 GB

======================================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 PQSERVICE NTFS Partition 13 GB Healthy Hidden

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 SYSTEM RESE NTFS Partition 100 MB Healthy System (partition with boot components)

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C ACER NTFS Partition 452 GB Healthy Boot

======================================================================================================

Disk: 0
Partition 4
Type : 17 (Suspicious Type)
Hidden: Yes
Active: Yes

There is no volume associated with this partition.

======================================================================================================

****** End Of Log ******
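
The Partition 4 entry above (hidden, marked active, type 17, no volume attached) is the detail narenxp reads as a rootkit still being present. As an added example that is not code from this thread or from Farbar's ListParts, here is a small Python parser that pulls the partition sections out of a ListParts log and flags that combination; the "suspicious" rules are my own assumption, not the tool's actual logic.

```python
import re

# Constructed sample: two partition sections from the ListParts log in post #4,
# trimmed to the lines this parser reads.
SAMPLE_LOG = """\
Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

* Volume 1 SYSTEM RESE NTFS Partition 100 MB Healthy System (partition with boot components)

Disk: 0
Partition 4
Type : 17 (Suspicious Type)
Hidden: Yes
Active: Yes

There is no volume associated with this partition.
"""

SECTION_RE = re.compile(
    r"Disk: (\d+)\nPartition (\d+)\nType : ([0-9A-Fa-f]{2}).*?\n"
    r"Hidden: (Yes|No)\nActive: (Yes|No)\n(.*?)(?=Disk: |\Z)", re.S)

def parse_partitions(log):
    """Return one dict per 'Disk: N / Partition M' section of a ListParts log."""
    return [{
        "disk": int(d), "partition": int(p), "type_id": int(t, 16),
        "hidden": h == "Yes", "active": a == "Yes",
        "has_volume": "no volume associated" not in rest,
    } for d, p, t, h, a, rest in SECTION_RE.findall(log)]

def suspicious_reasons(part):
    """Heuristic (my assumption, not Farbar's rule): the active partition should be visible, mounted, and of a normal type."""
    reasons = []
    if part["active"] and part["hidden"]:
        reasons.append("active but hidden")
    if part["active"] and not part["has_volume"]:
        reasons.append("active with no volume")
    if part["type_id"] == 0x17:  # 0x17 = hidden NTFS/HPFS, not a normal Windows boot type
        reasons.append("hidden-variant type 0x17")
    return reasons

def flag_suspicious(log):
    """Map 'disk/partition' to its reasons, omitting partitions with none."""
    return {f"{p['disk']}/{p['partition']}": r
            for p in parse_partitions(log) if (r := suspicious_reasons(p))}
```

Running `flag_suspicious(SAMPLE_LOG)` reports only partition 0/4, with all three reasons; the 100 MB System Reserved partition passes.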

#5 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 22 November 2012 - 11:35 PM

Restart the PC

Download

TDSSkiller

Launch it. Click on change parameters - Select TDLFS file system

Click on "Scan". Please post the LOG report (log file should be in your C drive)

Do not change the default options on scan results

Download

aswMBR

Launch it, allow it to download latest Avast! virus definitions
Click the "Scan" button to start scan. After scan finishes, click on Save log

Post the log results here. If you get crashes in normal mode, run it in safemode with networking

Download

ESET online scanner

Install it

Click on START, it should download the virus definitions
When scan gets completed, click on LIST of found threats

Export the list to desktop, copy the contents of the text file in your reply

Edited by narenxp, 23 November 2012 - 02:04 AM.


#6 kms2012

  • Topic Starter
  • Members
  • 59 posts

Posted 22 November 2012 - 11:36 PM

internet seems very slow, I'm not far from my wireless router and chrome has never been this slow, also my firewall rules are missing, probably since the rootkit was removed by avast or maybe microsoft security essentials is conflicting?

#7 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 22 November 2012 - 11:39 PM

Try from safemode with networking. You still have rootkit.

#8 kms2012

  • Topic Starter
  • Members
  • 59 posts

Posted 22 November 2012 - 11:45 PM

okay I was in safemode, ran tdss, rebooted, now I've got a windows system32 cmd.exe with an Open File window asking to run or cancel, from an unknown pub, application with a very long uncopyable name and location....what next?

#9 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 22 November 2012 - 11:46 PM

You are not following my instructions. Read my instructions. Ignore the command prompt and run TDSSfix again. Post all the logs together.

#10 kms2012

  • Topic Starter
  • Members
  • 59 posts

Posted 22 November 2012 - 11:48 PM

Ending I can read of the name is ...\A378C584-4148-4BAB-808F-5DD2AE89646B.exe and it's in users\krystoffer\appdata\local\temp with the A378 string

#11 kms2012

  • Topic Starter
  • Members
  • 59 posts

Posted 22 November 2012 - 11:51 PM

Was worried about the black screen, apologies, running tdss, post back after finishing but I'm in regular mode now

#12 kms2012

  • Topic Starter
  • Members
  • 59 posts

Posted 22 November 2012 - 11:56 PM

Okay rebooted in safe mode, still had a single rootkit, going after tdsskiller now, standby for asw and eset logs all together

#13 kms2012

  • Topic Starter
  • Members
  • 59 posts

Posted 23 November 2012 - 12:06 AM

How do I paste the log for tdsskiller? New to all this

#14 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 23 November 2012 - 12:18 AM

Copy the contents of log and paste it here

#15 kms2012

  • Topic Starter
  • Members
  • 59 posts

Posted 23 November 2012 - 12:19 AM

I highlighted all of it and right-clicked, nothing
