
ZeroAccess Infection


  • This topic is locked
1 reply to this topic

#1 strangephenomena

Posted 07 September 2014 - 07:17 AM

Mod Edit:  PM sent OP requesting RogueKiller log - Hamluis.

 

Hello,

 

I'd really appreciate some help with removing what appears to be a ZeroAccess infection, including many tracking cookies and hijacks. These were found by McAfee, MalwareBytes, Microsoft Security Essentials and Rogue Killer.

 

The symptoms I have encountered are:

 

  • Windows Security Centre, Firewall, Defender and Windows Updates are all stopped and disabled (checked in services.msc) and cannot be enabled. (Error: 0x80070424)
  • ZeroAccess Trojan appearing in "\AppData\Local\Google\Desktop\Installer" titled 'GoogleUpdate?' with a Unicode heart character.
  • UAC is set to 'Never Notify Me' and cannot be changed.
  • I am unable to download many .exe files in Internet Explorer and Google Chrome. I have been unable to even download the ComboFix setup - which I do not intend to use until advice from this forum. In IE 10 I am presented with the 'This page cannot be displayed' screen, and in Chrome the download fails at 100%.
  • Other issues are constant crashing of the Dell Datasafe Local Backup when the computer is started, and I have problems using the back button in Internet Explorer, which requires multiple clicks before it works.

 

Here is the most recent MalwareBytes log. Older logs can be provided if needed.

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 07/09/2014
Scan Time: 12:52:42
Logfile:
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.09.07.01
Rootkit Database: v2014.08.21.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Phil Kemsley

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 359985
Time Elapsed: 22 min, 8 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 1
Trojan.Zaccess, HKU\S-1-5-21-2453164366-1788348854-2414602607-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Google Update^â®â¤, , [a8f13b8e97e4a294b899788a36ca44bc],

Registry Data: 3
PUM.Disabled.SecurityCenter, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER|AntiVirusDisableNotify, 1, Good: (0), Bad: (1),,[8b0e38913843b08657c34ba14eb69967]
PUM.Disabled.SecurityCenter, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER|FirewallDisableNotify, 1, Good: (0), Bad: (1),,[8b0edaef45365bdb70ab6b8102027e82]
PUM.Disabled.SecurityCenter, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER|UpdatesDisableNotify, 1, Good: (0), Bad: (1),,[970207c263182016819b5399e61e2cd4]

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

 

 

 

Any help would be greatly appreciated!

 

Thank you :)


Edited by hamluis, 07 September 2014 - 07:58 AM.



#2 Orange Blossom

Posted 07 September 2014 - 11:01 PM

Since you have a topic already here: http://www.bleepingcomputer.com/forums/t/547109/suspicious-behaviour-from-mcafee-siteadvisor-and-blocked-firewall/ I'm closing this one pending deletion to avoid potential confusion.

 

~ OB :cherry:

