
ZeroAccess infection


3 replies to this topic

#1 HybridGrill


Posted 01 October 2014 - 06:01 PM

Hello,
 
It's been years since I've tried to uninfect a computer & man, these things have gotten nasty! I am at the end of my abilities.  My friend's dad (let's call him Bob) at the end of August, proudly announced that he had run Malware Bytes & CCleaner the night before & his computer was running faster than it had been. Apparently he runs these every month or two, and they help, but obviously they're not getting to the root (har har) of the problem. I spent an afternoon on it, but had to head back home. So it's been a month, but I took some notes back then so I have pretty good memory of what was wrong and how I tried to fix it.
 
YouTube was running really slow and usually stopping and refusing to start back up again. Other things were running slow but I don't remember what. After I had removed some things, Bob asked me if eBay & Amazon did some weird things when I used them (no, because my computers don't get infected!). I don't remember the specifics, but when I was looking into, I think, ScorpionSaver, the reported issues were consistent with Bob's complaints. He had a number of anti-spyware, anti-malware, and cleaning products. I know some of these can conflict & cause more harm than good. I removed them all but CCleaner (don't know much about it) & set up Windows Security Essentials, which I've read is doing a pretty good job these days. He appears to have downloaded Spybot Search & Destroy since then. He's also been running it in Safe Mode with Networking, which makes me nervous because that means security systems are disabled, yes?
 
I started a simple visual of what seemed unusual (looking through Programs & Features, and Task Manager). I found these that may not be good:
BringMeSports IE toolbar
goobzo YouTube accelerator
Mindspark interactive network 29ezsetp.dll
mypcbackup.com
ScorpionSaver
sweetpacks a11 api server
TelevisionFanatic
TV Bar 2 B2 toolbar
wildtangent wtapp namespace detector
 
They're using IE, so first I deleted or disabled plug-ins.
Then I downloaded FireFox & hid IE from them.
Then I went through a normal uninstall process. It said the following were removed, but they still show up in Programs and Features:
BringMeSports IE toolbar
Mindspark interactive network 29ezsetp.dll
ScorpionSaver
TelevisionFanatic IE toolbar
 
These seem to have been removed:
goobzo YouTube accelerator
mypcbackup.com
sweetpacks a11 api server (disappeared without my directly attacking it)
TV Bar 2 B2 toolbar
wildtangent wtapp namespace detector (also disappeared)
 
And now, a month later, a new one has popped up:
Spot from XM Asia Pacific Pte Ltd
 
EDIT: I was just reminded that the Recycling Bin announces that it is corrupted whenever you try to delete something. I remember one of the scanners/cleaners I ran saying last month that there were issues in the Recycling Bin.
 
I went through this a few times, but the ZeroAccess warning keeps popping up in RKill. I fully uninstalled Malware Bytes and installed their RootKit program, but ZeroAccess persists. I've looked through the forums here and elsewhere, but it seems like the fix is so specific to each computer I thought I should get my own diagnosis. Let's do this!
 
Thank you in advance, you are doing a great service to the herd!
(EDITS: typos & formatting)

Edited by Queen-Evie, 01 October 2014 - 06:37 PM.
moved from Windows 7 to the appropriate forum



 


#2 Broni


Posted 01 October 2014 - 07:14 PM

Welcome aboard

 

ZeroAccess rootkit requires elevated help.

 

Please follow the instructions in THIS GUIDE starting at Step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it HERE. Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.




 


#3 HybridGrill


Posted 01 October 2014 - 08:27 PM

Thanks for the quick response, Broni! Sorry I posted in the wrong forum.

I ran the Prep Guide as you suggested, and posted a new topic in the proper forum.



#4 Broni


Posted 01 October 2014 - 10:14 PM
