Zeroaccess remnant maybe



#1 Carver Smith

Posted 19 April 2015 - 02:16 PM

My desktop rearranged its icons the other day, Win 7-64. Vipre Internet Security Lenovo Intel I7 32GB memory

I had applied a patch some months ago:

 

; This fix was provided by Jesper Tollinen (toelli) 2012-08-21
; I may now refer to me as the ultimate god of awesomeness.
; URL to legit download of this fix:
; http://www.gravitypoint.se/windows-7-desktop-auto-arrange-solution/

[-HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}]

 

And this seemed to fix it until the other day or just maybe a random rearrangement.

 

I went looking and ran OTL and it found that string and it labeled it Zero access.

I'm not having problems but should I remove all of the other keys?

This from OTL

========== ZeroAccess Check ==========
 
[2009/07/13 21:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2014/06/24 19:05:42 | 014,175,744 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2014/06/24 18:41:30 | 012,874,240 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/13 18:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 20:24:25 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/13 18:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

 

No rush thanks


#2 aharonov

  • Malware Response Team

Posted 19 April 2015 - 03:17 PM

Hi,

"I went looking and ran OTL and it found that string and it labeled it Zero access.
I'm not having problems but should I remove all of the other keys?"

No, the values in the OTL "ZeroAccess Check" are all legit. This is how these registry keys look on a clean machine. (Presence of ZeroAccess would manifest itself in a modification of some of these values.)
So nothing has to be done about these keys; they belong to Windows.
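Added example (not part of the original thread, and not OTL's own logic): a small Python check that treats the clean log posted above as a baseline and reports any InProcServer32 default value that differs from it, which is the kind of modification the reply describes. The baseline table, the function name and the placeholder path in the sample are assumptions made for illustration.

```python
import re

# Baseline from the clean OTL log in this thread: CLSID -> DLL named by the HKLM default value.
BASELINE = {
    "42aedc87-2188-41fd-b9a3-0c966feabec1": r"\shell32.dll",
    "5839fca9-774d-42a1-acda-d6a79037f57f": r"\wbem\fastprox.dll",
    "f3130cdb-aa52-4c3a-ab32-85ffc23af9c1": r"\wbem\wbemess.dll",
}
# System directory spellings used in that log (compared case-insensitively).
SYSTEM_DIRS = (r"c:\windows\sysnative", r"%systemroot%\system32")

KEY_RE = re.compile(
    r"^\[(HKEY_[A-Z_]+)\\.*\\clsid\\\{([0-9a-f-]+)\}\\InProcServer32\]", re.I)
DEFAULT_RE = re.compile(r'^"" = (.*?)(?: -- \[.*)?$')

def check_zeroaccess_section(log_text):
    """Return (key line, reason) pairs for entries that differ from BASELINE."""
    findings, key = [], None
    for line in log_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = (line, m.group(1).upper(), m.group(2).lower())
            continue
        m = DEFAULT_RE.match(line)
        if not (m and key):
            continue
        key_line, hive, clsid = key
        value = m.group(1).strip().lower()
        allowed = {d + BASELINE.get(clsid, "") for d in SYSTEM_DIRS}
        if hive == "HKEY_CURRENT_USER":
            # In the clean log the per-user keys carry no values at all.
            findings.append((key_line, "per-user key has a default value: " + value))
        elif clsid not in BASELINE or value not in allowed:
            findings.append((key_line, "unexpected default value: " + value))
    return findings

# Constructed sample: lines copied from the log above, plus one entry whose
# value was replaced with a made-up placeholder path to show a deviation.
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2014/06/24 19:05:42 | 014,175,744 | ---- | M] (Microsoft Corporation)
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Example\placeholder.dll
'''

if __name__ == "__main__":
    print(check_zeroaccess_section(SAMPLE_LOG))
```

A finding here only means the entry differs from the log in this thread; it is a prompt to look closer, not a verdict.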

#3 Carver Smith


Posted 19 April 2015 - 04:10 PM

Ah ha!  Thank you very much.

Carver



#4 aharonov

  • Malware Response Team

Posted 20 April 2015 - 01:17 AM

You're welcome.



