I have a ZeroAccess virus in my pc


  • This topic is locked
33 replies to this topic

#1 ADHDqueen

Posted 21 March 2014 - 08:04 PM

Hello.  

 

I am having problems with my pc. When on the internet, pc has random underlined words, a little pop up that appears on the right hand side at the bottom. I ran Malwarebytes, but it won't update. It gives me this message: (0, 0, I/0 error)

I ran adwcleaner, and after it deleted a lot of things (that I did not get a copy of because I had not discovered this place yet), my computer still accessed wifi, but none of the browsers would. I ran the following elevated command prompts:

 

netsh interface ipv4 reset
netsh interface ipv6 reset
ipconfig /flushdns

 

I restarted after each one, but the browsers would not work.

 

I tried to turn the firewall on, but that is messed up as well.  It won't update or set to default settings.

 

So I did a system restore, and the browsers still would not work.

 

I then turned Internet Explorer off and back on, and it started working again. However, I can't download anything from that browser because it says everything is a virus, and deletes it. There are also still random underlined words, and the little popup is still here.

 

I then started a thread here, where it was determined that I have ZeroAccess. http://www.bleepingcomputer.com/forums/t/528136/no-internet-to-browsers-after-running-adwcleaner/#entry3320404

 

I followed those instructions, and so now I am here.

 

Right now I am working from my laptop, using a jump drive to transfer necessary programs to the infected pc. 

 

I ran dss and am attaching those two files.

 

Thank you very much for your time.

Edited by ADHDqueen, 21 March 2014 - 08:06 PM.



#2 ADHDqueen

Posted 21 March 2014 - 08:15 PM

Hello again. Should I have been connected to the internet when running dss?  I just realized that at the time, I had wifi turned off, for safety reasons.


Edited by ADHDqueen, 21 March 2014 - 08:16 PM.


#3 ADHDqueen

Posted 21 March 2014 - 08:24 PM

Also, I forgot a step I mentioned in my other thread.  I downloaded this program:  mbam-clean-1.60.2.0003.exe to remove malwarebytes. I then downloaded malwarebytes again and attempted to update. It still would not update after this.


Edited by ADHDqueen, 21 March 2014 - 08:24 PM.


#4 TB-Psychotic

  • Malware Response Team

Posted 22 March 2014 - 05:20 PM

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 

 

 

Scan with aswMBR

Please download aswMBR ( 4.5MB ) to your desktop.

  • Double click the aswMBR.exe icon, and click Run.
  • There will be a short delay before the next dialog box comes up. Please just wait a minute or two.
  • When asked if you'd like to "download the latest Avast! virus definitions", click Yes.
  • Typically this is about a 100MB download so depending on your connection speed it can take a short while to download and become ready.
  • Click the Scan button to start the scan once the update has finished downloading.
  • On completion of the scan, click the save log button, save it to your desktop, then copy and paste it in your next reply.

Note: There will also be a file on your desktop named MBR.dat. Do not delete this for now. It is an actual backup of the MBR (master boot record).


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#5 ADHDqueen

Posted 22 March 2014 - 10:04 PM

Thank you very much. I will get on this right away.



#6 ADHDqueen

Posted 23 March 2014 - 06:18 PM

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2014-03-23 19:13:13
-----------------------------
19:13:13.563    OS Version: Windows x64 6.1.7601 Service Pack 1
19:13:13.563    Number of processors: 2 586 0x6B02
19:13:13.565    ComputerName: THEBROWNSOF4-PC  UserName: Sonya's Biz
19:13:17.441    Initialize success
19:13:23.167    AVAST engine download error: 0
19:13:40.781    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000062
19:13:40.785    Disk 0 Vendor: ST332041 HP34 Size: 305245MB BusType: 11
19:13:40.901    Disk 0 MBR read successfully
19:13:40.905    Disk 0 MBR scan
19:13:40.910    Disk 0 unknown MBR code
19:13:40.918    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS          100 MB offset 2048
19:13:40.931    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       294468 MB offset 206848
19:13:40.965    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS        10675 MB offset 603277312
19:13:41.004    Disk 0 scanning C:\Windows\system32\drivers
19:13:49.105    Service scanning
19:13:51.679    Service BHDrvx64 C:\Program Files (x86)\Norton Security Suite\NortonData\21.1.0.18\Definitions\BASHDefs\20131218.001\BHDrvx64.sys **LOCKED** 5
19:13:52.203    Service ccSet_N360 C:\Windows\system32\drivers\N360x64\1501000.012\ccSetx64.sys **LOCKED** 5
19:13:56.678    Service IDSVia64 C:\Program Files (x86)\Norton Security Suite\NortonData\21.1.0.18\Definitions\IPSDefs\20140107.001\IDSvia64.sys **LOCKED** 5
19:14:01.271    Service NAVENG C:\Program Files (x86)\Norton Security Suite\NortonData\21.1.0.18\Definitions\VirusDefs\20140107.041\ENG64.SYS **LOCKED** 5
19:14:01.346    Service NAVEX15 C:\Program Files (x86)\Norton Security Suite\NortonData\21.1.0.18\Definitions\VirusDefs\20140107.041\EX64.SYS **LOCKED** 5
19:14:07.029    Service SRTSPX C:\Windows\system32\drivers\N360x64\1501000.012\SRTSPX64.SYS **LOCKED** 5
19:14:07.409    Service SymDS C:\Windows\system32\drivers\N360x64\1501000.012\SYMDS64.SYS **LOCKED** 5
19:14:07.530    Service SymEvent C:\Windows\system32\Drivers\SYMEVENT64x86.SYS **LOCKED** 5
19:14:07.591    Service SymIRON C:\Windows\system32\drivers\N360x64\1501000.012\Ironx64.SYS **LOCKED** 5
19:14:07.656    Service SymNetS C:\Windows\System32\Drivers\N360x64\1501000.012\SYMNETS.SYS **LOCKED** 5
19:14:11.588    Modules scanning
19:14:11.603    Disk 0 trace - called modules:
19:14:11.619    ntoskrnl.exe CLASSPNP.SYS disk.sys amdxata.sys ACPI.sys storport.sys hal.dll amdsata.sys 
19:14:11.631    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800460e060]
19:14:11.643    3 CLASSPNP.SYS[fffff88001a0143f] -> nt!IofCallDriver -> [0xfffffa800459c980]
19:14:11.654    5 amdxata.sys[fffff880010697a8] -> nt!IofCallDriver -> [0xfffffa800459c040]
19:14:11.665    7 ACPI.sys[fffff88000f2b7a1] -> nt!IofCallDriver -> \Device\00000062[0xfffffa80045988f0]
19:14:11.678    Scan finished successfully
19:14:55.409    Disk 0 MBR has been saved successfully to "F:\MBR.dat"
19:14:57.859    The log file has been saved successfully to "F:\aswMBR.txt LOG.txt"


#7 TB-Psychotic

Posted 24 March 2014 - 10:38 AM

Add/remove programs

Click on start-->control panel.

Vista/7: Open Programs and Features
XP: Open add/remove programs

Search for and remove the following programs

FrostWire 5.2.3
GamingWonderland Toolbar Chrome Extension
Coupon Printer for Windows
Yontoo 1.10.02


Close the window.

 

 

 

Combofix

Combofix should only be run when advised by a team member!

Link


Important - Save the file to your desktop!


  • Deactivate any and all of your antivirus programs /spyware scanners - they can prevent CF from doing its work.
  • Run Combofix.exe


When finished, Combofix creates a log file named C:\Combofix.txt. Please post its content in your next reply.

Note: When receiving an error message containing "Illegal operation attempted on a registry key that has been marked for deletion", simply restart your computer to fix this.



#8 ADHDqueen

Posted 24 March 2014 - 11:13 AM

Hello, thanks for responding so quickly.

 

When I try to uninstall yontoo, I get an error message that says the following exactly:

 

C:\PROGRA~3\TARMAI~1\{889DF~1\Setup.dat

Error 2 while loading archive:

The system cannot find the file specified.

 

How should I proceed from here?


Edited by ADHDqueen, 24 March 2014 - 11:17 AM.


#9 TB-Psychotic

Posted 24 March 2014 - 11:18 AM

Yes, please proceed.



#10 ADHDqueen

Posted 24 March 2014 - 11:46 AM

Hello again: I just got a new message that says:

 

Find String (QGREP) Utility has stopped working

A problem caused the program to stop working correctly.  Windows will close the program and notify you if a solution is available. 

 

Should I continue? 



#11 TB-Psychotic

Posted 24 March 2014 - 12:03 PM

When did you get this message, when running Combofix?



#12 ADHDqueen

Posted 24 March 2014 - 12:08 PM

Yes, while running combofix

 

The combofix window says:

 

Scanning for infected files...

This typically doesn't take more than 10 minutes

However, scan times for badly infected machines may easily double

 

Completed Stage_1

Completed Stage_2

Completed Stage_3

Completed Stage_4

Completed Stage_5

 

At this point is when I got message window about String (QGREP)


Edited by ADHDqueen, 24 March 2014 - 12:13 PM.


#13 TB-Psychotic

Posted 24 March 2014 - 12:13 PM

Reboot into safe mode and try again



#14 ADHDqueen

Posted 24 March 2014 - 12:19 PM

Ok, thanks, I will be back.



#15 ADHDqueen

Posted 24 March 2014 - 02:04 PM

Hello. 

 

I booted in safe mode. I ran combofix, but I keep getting this message:

 

ComboFix has detected the following real time scanner(s) to be active:

 

antivirus:  Norton Security Suite

antispyware:  Spybot Search Destroy

antispyware: Norton Security Suite

 

Antivirus and intrusion prevention programs are known to interfere with ComboFix's running. This may lead to unpredictable results ore possible machine damage.

 

Please disable these scanners before clicking 'OK'.

 

 

 

I did not realize these were still on my computer. We used them several years ago. (We had recently been using Symantec.) I stopped and found them and uninstalled them.

 

I restarted the computer in safe mode. I tried running combofix again, but it stopped again and it still says that these programs are still running. I went to go find them to see if they had come back, but I could not find them.

 

What should I do?


Edited by ADHDqueen, 24 March 2014 - 02:05 PM.




