
Removing a zeroacess virus


6 replies to this topic

#1 Purpleankles

Purpleankles

  • Members
  • 3 posts

Posted 09 September 2013 - 07:16 PM

I had been posting for help on Norton's forums, but I can no longer get help due to a random post from a user, so I have been advised to try here. I have the (what I believe is quarantined) file in my google>desktop>install as I was instructed before.


Edited by hamluis, 10 September 2013 - 11:44 AM.
Moved from Win 7 to Am I Infected - Hamluis.



#2 Quads

Quads

  • Members
  • 86 posts
  • Gender:Male
  • Location:CHCH New Zealand

Posted 09 September 2013 - 07:32 PM

Was up to the rest of the ZA folder removal, the piece that RogueKiller would not remove, before someone else stepped in.

The MBAR log of what was left after RogueKiller's use, info for a helper at the Bleeping Computer MRT group.

 

Malwarebytes Anti-Rootkit BETA 1.07.0.1005
www.malwarebytes.org

Database version: v2013.09.07.04

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16660
Rene :: RENE-PC [administrator]

9/7/2013 10:44:43 AM
mbar-log-2013-09-07 (10-44-43).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 320329
Time elapsed: 1 hour(s), 8 minute(s), 43 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 3
c:\program files\google\desktop\install\{9652e4e8-ecf6-b222-c8d1-a286d15be5d8}\ (Trojan.0Access) -> No action taken.
c:\program files\google\desktop\install\{9652e4e8-ecf6-b222-c8d1-a286d15be5d8}\ \... (Trojan.0Access) -> No action taken.
C:\Program Files\Google\Desktop\Install\{9652E4E8-ECF6-B222-C8D1-A286D15BE5D8} (Trojan.0Access) -> No action taken.

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)

Quads



#3 Quads

Quads

  • Members
  • 86 posts
  • Gender:Male
  • Location:CHCH New Zealand

Posted 11 September 2013 - 08:47 PM

Looks like it is me, haha

Disable Norton for like 1 hour.

This time after the scan with MBAR, have all the items that can be selected ticked, then click the Cleanup button.

Now, this can take a bit of time, especially during shut down and startup of Windows, as MBAR is doing its work all the way through.

I found that if Windows does 

MBAR will also use Fixdamage.exe to attempt to fix the services shown by FSS as missing, but it may not fix all of them; we will deal with the services later.

The FSS log for this system:

 

Farbar Service Scanner Version: 05-09-2013
Ran by Rene (administrator) on 08-09-2013 at 19:28:23
Running from "C:\Users\Rene\Downloads"
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of MpsSvc. The value does not exist.
Checking ImagePath: ATTENTION!=====> Unable to retrieve ImagePath of MpsSvc. The value does not exist.
Unable to retrieve ServiceDll of MpsSvc. The value does not exist.


Firewall Disabled Policy:
==================
"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" registry key does not exist.


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============
Checking Start type of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
Checking ImagePath of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
Checking ServiceDll of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.

Checking ImagePath of SharedAccess: ATTENTION!=====> Unable to retrieve ImagePath of SharedAccess. The value does not exist.
Checking ServiceDll of SharedAccess: ATTENTION!=====> Unable to retrieve ServiceDll of SharedAccess. The value does not exist.
Checking FirewallRules of SharedAccess: ATTENTION!=====> Unable to open "SharedAccess\Defaults\FirewallPolicy\FirewallRules" registry key. The key does not exist.
Checking Start type of PolicyAgent: ATTENTION!=====> Unable to open PolicyAgent registry key. The service key does not exist.
Checking ImagePath of PolicyAgent: ATTENTION!=====> Unable to open PolicyAgent registry key. The service key does not exist.
Checking ServiceDll of PolicyAgent: ATTENTION!=====> Unable to open PolicyAgent registry key. The service key does not exist.

Checking Start type of RemoteAccess: ATTENTION!=====> Unable to open RemoteAccess registry key. The service key does not exist.
Checking ImagePath of RemoteAccess: ATTENTION!=====> Unable to open RemoteAccess registry key. The service key does not exist.
Checking ServiceDll of RemoteAccess: ATTENTION!=====> Unable to open RemoteAccess registry key. The service key does not exist.



File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\ipnathlp.dll => MD5 is legit
C:\Windows\System32\iphlpsvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****

Quads


Edited by Quads, 11 September 2013 - 08:50 PM.
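A small parser for FSS output, added here as an example and not part of Farbar Service Scanner, MBAR, or anything Quads posted: it reads the log text and lists which service registry keys or values FSS reported as missing, which services were not running, and whether the Windows Defender disable policy was found. The embedded excerpt is copied from the FSS log above; the function and variable names are my own, and the regexes are written against the exact FSS wording seen in that log.

```python
"""Summarise a Farbar Service Scanner (FSS) log: which Windows service
registry keys or values the scanner reported missing, and which
disabled-by-policy entries it found.  Added example for this thread,
not part of FSS, MBAR or any BleepingComputer tool."""
import re
from collections import defaultdict

# Patterns follow the FSS wording visible in the thread's log (assumed stable).
RE_NOT_RUNNING = re.compile(r"^(\S+) Service is not running")
RE_KEY_MISSING = re.compile(
    r"Unable to open (\S+) registry key\. The service key does not exist")
RE_VALUE_MISSING = re.compile(
    r"Unable to retrieve (start type|ImagePath|ServiceDll) of (\S+)\. The value does not exist")
RE_SUBKEY_MISSING = re.compile(
    r'Unable to open "([^"]+)" registry key\. The key does not exist')
RE_POLICY_KEY = re.compile(r"^\[(HKEY_[^\]]+)\]$")
RE_POLICY_VALUE = re.compile(r'^"([^"]+)"=(\w+):(\S+)$')
RE_FILE_CHECK = re.compile(r"^(.+?) => MD5 (.+)$")

# Excerpt of the FSS log posted in this thread (shortened, content unchanged).
FSS_LOG_EXCERPT = r"""
Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
MpsSvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of MpsSvc. The value does not exist.
Checking ImagePath: ATTENTION!=====> Unable to retrieve ImagePath of MpsSvc. The value does not exist.
Unable to retrieve ServiceDll of MpsSvc. The value does not exist.

Action Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.

Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1

Other Services:
==============
Checking Start type of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
Checking ImagePath of SharedAccess: ATTENTION!=====> Unable to retrieve ImagePath of SharedAccess. The value does not exist.
Checking FirewallRules of SharedAccess: ATTENTION!=====> Unable to open "SharedAccess\Defaults\FirewallPolicy\FirewallRules" registry key. The key does not exist.
Checking Start type of PolicyAgent: ATTENTION!=====> Unable to open PolicyAgent registry key. The service key does not exist.

File Check:
========
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
"""


def parse_fss(text):
    """Walk the log line by line and collect every finding into one report."""
    report = {
        "not_running": set(),                # services FSS saw stopped
        "missing_keys": set(),               # whole service key gone
        "missing_values": defaultdict(set),  # service -> values gone
        "missing_subkeys": set(),            # e.g. FirewallRules subkey
        "policies": [],                      # (registry key, value name, data)
        "file_check": {},                    # path -> MD5 verdict
    }
    current_key = None                       # last "[HKEY_...]" header seen
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := RE_NOT_RUNNING.match(line):
            report["not_running"].add(m.group(1))
        if m := RE_KEY_MISSING.search(line):
            report["missing_keys"].add(m.group(1))
        if m := RE_VALUE_MISSING.search(line):
            report["missing_values"][m.group(2)].add(m.group(1))
        if m := RE_SUBKEY_MISSING.search(line):
            report["missing_subkeys"].add(m.group(1))
        if m := RE_POLICY_KEY.match(line):
            current_key = m.group(1)
        elif m := RE_POLICY_VALUE.match(line):
            report["policies"].append((current_key, m.group(1), m.group(3)))
        if m := RE_FILE_CHECK.match(line):
            report["file_check"][m.group(1)] = m.group(2)
    return report


def services_needing_repair(report):
    """Services whose key, or individual values, FSS could not read."""
    names = set(report["missing_keys"]) | set(report["missing_values"])
    return sorted(names, key=str.lower)


def defender_disabled_by_policy(report):
    """True when DisableAntiSpyware=1 sits under the Windows Defender policy key."""
    return any(name == "DisableAntiSpyware" and data == "1"
               and key is not None and key.endswith("\\Windows Defender")
               for key, name, data in report["policies"])


if __name__ == "__main__":
    r = parse_fss(FSS_LOG_EXCERPT)
    print("Services to repair:", ", ".join(services_needing_repair(r)))
    print("Defender disabled by policy:", defender_disabled_by_policy(r))
```

On the excerpt this reports iphlpsvc, MpsSvc, PolicyAgent, SharedAccess and wscsvc as needing repair, and flags the Defender policy. The split between "missing_keys" and "missing_values" matters for the helper: a service whose whole key is gone has to be recreated, while one with only some values missing just needs those values restored.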


#4 Purpleankles

Purpleankles
  • Topic Starter

  • Members
  • 3 posts

Posted 13 September 2013 - 08:48 PM

OK done, should this have made some sort of log you would want to see?



#5 Quads

Quads

  • Members
  • 86 posts
  • Gender:Male
  • Location:CHCH New Zealand

Posted 13 September 2013 - 09:51 PM

There should be a new log inside the MBAR folder, along with a system.txt also.

Quads



#6 Purpleankles

Purpleankles
  • Topic Starter

  • Members
  • 3 posts

Posted 14 September 2013 - 07:03 PM

I looked in the MBAR folder, and the log and system.txt both say they were last modified before the scan, so it seems that it has not changed. Should I do this again? It completed, and I assume it fixed what it was supposed to.


Edited by Purpleankles, 14 September 2013 - 07:04 PM.


#7 Quads

Quads

  • Members
  • 86 posts
  • Gender:Male
  • Location:CHCH New Zealand

Posted 14 September 2013 - 09:14 PM

The MBAR log becomes a new separate .txt log, but the system.txt just gets added to, so there is only one system.txt. Either that, or you did not run the cleanup, so MBAR would not have created or updated the logs.

Quads





