ZEROACCESS found


  • This topic is locked
33 replies to this topic

#1 kooky500

kooky500

  • Members
  • 134 posts
  • Gender:Female
  • Location:Colorado, USA

Posted 17 December 2016 - 08:56 PM

So, I let a family member use my computer recently. When I came back, all my security programs were behaving oddly. Emsisoft won't let me scan my pc, and MBAM goes into 'Not Responding' whenever I try to run a scan. It also stops HitmanPro.Alert from scanning.

 

So, I decided to run rKill and when it finished and showed me the log this stood out: ALERT: ZEROACCESS Reparse Point/Junction found!

 

So how do I get rid of this thing?  :)

It won't let me run FRST, either.

 

Mod Edit

This topic is a continuation of ZEROACCESS found

 

NickAu


Edited by NickAu, 17 December 2016 - 09:29 PM.

#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,592 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 18 December 2016 - 09:26 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

--RogueKiller--
  • Download & SAVE to your Desktop: Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what PUMs are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click Open Report
  • Click the Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.
=======

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyclsid;
emptyffcache;
FFdefaults;
emptyiecache;
iedefaults;
emptychrcache;
CHRdefaults;
emptyalltemp;
emptyfolderscheck;delete
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run all the script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.
===

Also, please provide an update on how the computer is behaving after running the above script.

#3 kooky500

kooky500
  • Topic Starter

  • Members
  • 134 posts
  • Gender:Female
  • Location:Colorado, USA

Posted 18 December 2016 - 01:33 PM

Here's the RogueReport:

 

RogueKiller V12.8.5.0 (x64) [Dec 12 2016] (Free) by Adlice Software
 
Operating System : Windows 10 (10.0.14393) 64 bits version
Started in : Normal mode
User : illus [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Delete -- Date : 12/18/2016 09:29:34 (Duration : 00:35:06)
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 0 ¤¤¤
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 1 ¤¤¤
[Tr.Generic][File] C:\Users\illus\Pictures\wrar521.exe -> Deleted
 
¤¤¤ WMI : 0 ¤¤¤
 
¤¤¤ Hosts File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
 
¤¤¤ Web browsers : 2 ¤¤¤
[PUP][Chrome:Addon] Default : Grammarly for Chrome [kbfnbcaeplbcioakkpcpgfkobkghlhen] -> Not selected
[PUM.HomePage][Chrome:Config] Default [SecurePrefs] : homepage  -> Not selected
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD10EZEX-08M2NA0 ATA Device +++++
--- User ---
[MBR] c0fa8b46438986b601c7f54b412bceb2
[BSP] 573ad104525012577a392166354043e9 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 952866 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 1951676416 | Size: 450 MB
3 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 1952600064 | Size: 450 MB
User = LL1 ... OK
User = LL2 ... OK
 
The zoek tool froze for 1 hour when it got to 'Firefox Extensions', so I couldn't get it to run fully.

Edited by kooky500, 18 December 2016 - 01:36 PM.


#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,592 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 18 December 2016 - 02:13 PM

Run Zoek tool again.

Post the log if you can.

#5 kooky500

kooky500
  • Topic Starter

  • Members
  • 134 posts
  • Gender:Female
  • Location:Colorado, USA

Posted 18 December 2016 - 02:30 PM

I can't run the zoek tool - whenever I run it and click 'Yes' on the security prompt nothing happens - I waited 5 mins and it never came up. I tried restarting my pc - but still nothing. I tried downloading it again as well, and it still won't open. Even with my a/v and a/m disabled.



#6 kooky500

kooky500
  • Topic Starter

  • Members
  • 134 posts
  • Gender:Female
  • Location:Colorado, USA

Posted 18 December 2016 - 06:10 PM

Update - Okay so, still can't run zoek (left it for 2 hours, still didn't unfreeze), but I was able to grab a FRST and Addition log by renaming the Farbar.exe.


Edited by kooky500, 18 December 2016 - 06:11 PM.


#7 nasdaq

nasdaq

  • Malware Response Team
  • 38,592 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 19 December 2016 - 09:49 AM



Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.

Please copy the entire contents of the code box below to a new file.


Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

Task: {1F2247BE-2845-4F1F-8B2B-49F18CC3EDC9} - System32\Tasks\WMIC Restore Point Creation => C:\Windows\System32\wbem\WMIC.exe [2016-07-16] (Microsoft Corporation) <==== ATTENTION
AlternateDataStreams: C:\ProgramData\TEMP:5C321E34 [125]
CHR Extension: (Chrome Web Store Payments) - C:\Users\illus\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-09-29]
CHR Extension: (Chrome Media Router) - C:\Users\illus\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-12-02]

Reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.

Please let me know what problem persists with this computer.

===

Run the Zoek tool after the restart of the computer.
Stop the process if not completed after 30 minutes.
Post the log if you can.

If not successful please rename the file to svchost.exe and run it.
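The two artefact types this thread turns up, the reparse point/junction that rKill flagged in the first post and the alternate data stream on C:\ProgramData\TEMP that the fixlist above removes, can both be enumerated on a Windows machine before anyone decides what to delete. The following is an added, read-only triage script; it is not part of this thread and is not code from rKill, FRST, Zoek or any other tool named here. It assumes PowerShell 5.1 or later in an elevated session; the roots it walks, the depth limit and the list of stream names it ignores are my assumptions, not anything the thread specifies.

```powershell
<#
  Added defender-side example (not from this thread or from rKill/FRST/Zoek).
  Lists NTFS reparse points (junctions, symlinks) and alternate data streams
  under a few roots so a responder can review them. Changes nothing on disk.
  Assumptions: PowerShell 5.1+, elevated prompt; roots, depth and the
  benign-stream list below are illustrative choices.
#>
param(
    [string[]]$Roots = @("$env:ProgramData", "$env:LOCALAPPDATA"),
    [int]$Depth = 3
)

# Stream names that are expected on a normal system (assumption).
$BenignStreams = @(':$DATA', 'Zone.Identifier')

function Get-ReparsePointReport {
    param([string[]]$Paths, [int]$MaxDepth)
    foreach ($root in $Paths) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # -Depth bounds the walk so a junction pointing back up the tree cannot loop forever.
        Get-ChildItem -LiteralPath $root -Recurse -Depth $MaxDepth -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Attributes -band [System.IO.FileAttributes]::ReparsePoint } |
            ForEach-Object {
                [pscustomobject]@{
                    Kind   = 'ReparsePoint'
                    Path   = $_.FullName
                    Detail = "$($_.LinkType) -> $($_.Target -join ', ')"
                }
            }
    }
}

function Get-AlternateStreamReport {
    param([string[]]$Paths, [int]$MaxDepth, [string[]]$Ignore)
    foreach ($root in $Paths) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # Directories are included on purpose: the FRST line in this thread
        # reported a stream on the folder C:\ProgramData\TEMP, not on a file.
        Get-ChildItem -LiteralPath $root -Recurse -Depth $MaxDepth -Force -ErrorAction SilentlyContinue |
            ForEach-Object { Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue } |
            Where-Object { $Ignore -notcontains $_.Stream } |
            ForEach-Object {
                [pscustomobject]@{
                    Kind   = 'AlternateDataStream'
                    Path   = "$($_.FileName):$($_.Stream)"
                    Detail = "$($_.Length) bytes"   # FRST shows this size as [125] in the fixlist
                }
            }
    }
}

$report = @(Get-ReparsePointReport -Paths $Roots -MaxDepth $Depth) +
          @(Get-AlternateStreamReport -Paths $Roots -MaxDepth $Depth -Ignore $BenignStreams)

if ($report.Count -eq 0) {
    "Nothing found under: $($Roots -join '; ')"
} else {
    # Leads for review, not verdicts: OneDrive, WindowsApps and some installers
    # create legitimate reparse points, and Zone.Identifier is a normal stream.
    $report | Sort-Object Kind, Path | Format-Table -AutoSize -Wrap
}
```

Run it from an elevated PowerShell prompt and pass -Roots to add folders you want covered. Treat each hit as something to compare against a known-clean machine rather than as proof of infection; the value of the listing is that it shows exactly what the removal tools in this thread would be acting on.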

#8 kooky500

kooky500
  • Topic Starter

  • Members
  • 134 posts
  • Gender:Female
  • Location:Colorado, USA

Posted 19 December 2016 - 03:39 PM

Here are the logs you requested.

 

Zoek.exe v5.0.0.1 Updated 19-September-2016
Tool run by illus on Mon 12/19/2016 at 12:42:40.86.
Microsoft Windows 10 Home 10.0.14393  x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\illus\Desktop\svchost.exe [Scan all users] [Script inserted] 
 
==== Older Logs ======================
 
C:\zoek-results2016-09-25-185135.log 7020 bytes
C:\zoek-results2016-09-27-013544.log 2193 bytes
C:\zoek-results2016-09-27-154615.log 1748 bytes
C:\zoek-results2016-09-28-152040.log 106235 bytes
C:\zoek-results2016-09-28-163446.log 109481 bytes
C:\zoek-results2016-10-06-165931.log 1050 bytes
C:\zoek-results2016-10-06-174109.log 2380 bytes
C:\zoek-results2016-12-18-180501.log 2945 bytes
C:\zoek-results2016-12-18-211032.log 1774 bytes
C:\zoek-results2016-12-19-165428.log 2067 bytes
 
==== System Restore Info ======================
 
12/19/2016 12:44:49 PM Zoek.exe System Restore Point Created Successfully.
 
==== Deleting CLSID Registry Keys ======================
 
 
==== Deleting CLSID Registry Values ======================
 
 
==== Deleting Services ======================
 
 
==== FireFox Fix ======================
 
Deleted from C:\Users\illus\AppData\Roaming\Mozilla\Firefox\Profiles\ojsblgme.default-1474391732257\prefs.js:
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "about:newtab");
 
Added to C:\Users\illus\AppData\Roaming\Mozilla\Firefox\Profiles\ojsblgme.default-1474391732257\prefs.js:
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "about:newtab");
 
==== Batch Command(s) Run By Tool======================
 
 
==== Deleting Files \ Folders ======================
 
 
==== Firefox Start and Search pages ======================
 
ProfilePath: C:\Users\illus\AppData\Roaming\Mozilla\Firefox\Profiles\ojsblgme.default-1474391732257
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "about:newtab");
 
==== Firefox Extensions ======================
 
ProfilePath: C:\Users\illus\AppData\Roaming\Mozilla\Firefox\Profiles\ojsblgme.default-1474391732257
- WOT - %ProfilePath%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
- HTTPS Everywhere - %ProfilePath%\extensions\https-everywhere@eff.org.xpi
- Undetermined - %ProfilePath%\extensions\uBlock0@raymondhill.net.xpi
- NoScript - %ProfilePath%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
- Adblock Plus - %ProfilePath%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
 
AppDir: C:\Program Files (x86)\Mozilla Firefox
- Undetermined - %AppDir%\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}.xpi
 
==== Firefox Plugins ======================
 
Profilepath: C:\Users\illus\AppData\Roaming\Mozilla\Firefox\Profiles\ojsblgme.default-1474391732257
8CE35D76726DFC8C3848BB26B3C79A54 - C:\Windows\SysWOW64\Adobe\Director\np32dsw_1224194.dll - Shockwave for Director / Shockwave for Director
 
 
==== Chromium Look ======================
 
 
BeFunky Photo Editor - illus\AppData\Local\Google\Chrome\User Data\Default\Extensions\apfkepiiddolifkgjmfdgpnipgnfejab
uBlock₀ - illus\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpalhdlnbpafiamejdnhcphjbkeiagm
Ponyhoof - illus\AppData\Local\Google\Chrome\User Data\Default\Extensions\efjjgphedlaihnlgaibiaihhmhaejjdd
PicMonkey - illus\AppData\Local\Google\Chrome\User Data\Default\Extensions\fgdgokchhicmaiacmgegjnppjkgogdhm
Grammarly for Chrome - illus\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfnbcaeplbcioakkpcpgfkobkghlhen
Webcam Toy - illus\AppData\Local\Google\Chrome\User Data\Default\Extensions\lfbgimoladefibpklnfmkpknadbklade
 
==== Set IE to Default ======================
 
Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
 
New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
 
==== All HKLM and HKCU SearchScopes ======================
 
HKLM\SearchScopes "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
HKLM\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
HKLM\Wow6432Node\SearchScopes "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
HKLM\Wow6432Node\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
HKCU\SearchScopes "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
HKCU\SearchScopes\{012E1000-F331-11DB-8314-0800200C9A66} - http://www.google.com/search?q={searchTerms}
HKCU\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02
 
==== Reset Google Chrome ======================
 
C:\Users\illus\AppData\Local\Google\Chrome\User Data\Default\Preferences was reset successfully
C:\Users\illus\AppData\Local\Google\Chrome\User Data\Default\Preferences~RF42fc124.TMP was reset successfully
C:\Users\illus\AppData\Local\Google\Chrome\User Data\Default\Preferences~RF49ef23a.TMP was reset successfully
C:\Users\illus\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences was reset successfully
C:\Users\illus\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences~RF42fc51b.TMP was reset successfully
C:\Users\illus\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences~RF49ebe97.TMP was reset successfully
C:\Users\illus\AppData\Local\Google\Chrome\User Data\Default\Web Data was reset successfully
C:\Users\illus\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal was reset successfully
C:\Users\illus\AppData\Local\Google\Chrome\User Data\Default\Web Data.old was reset successfully
 
==== Empty IE Cache ======================
 
C:\WINDOWS\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\illus\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\illus\AppData\Local\Microsoft\Windows\INetCache\Low\Content.IE5 emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\illus\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\Users\illus\AppData\Local\Microsoft\Windows\INetCache\Low\IE emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
 
==== Empty FireFox Cache ======================
 
No FireFox Profiles found
 
==== Empty Chrome Cache ======================
 
C:\Users\illus\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully
 
==== Empty All Flash Cache ======================
 
No Flash Cache Found
 
==== Empty All Java Cache ======================
 
Java Cache cleared successfully
 
==== C:\zoek_backup content ======================
 
C:\zoek_backup (files=8083 folders=1068 2369964917 bytes)
 
==== Empty Temp Folders ======================
 
C:\WINDOWS\Temp will be emptied at reboot
 
==== After Reboot ======================
 
==== Empty Temp Folders ======================
 
C:\WINDOWS\Temp successfully emptied
C:\Users\illus\AppData\Local\Temp successfully emptied
 
==== Empty Recycle Bin ======================
 
C:\$RECYCLE.BIN successfully emptied
 
==== EOF on Mon 12/19/2016 at 13:29:00.67 ======================
 



Edited by kooky500, 19 December 2016 - 03:40 PM.


#9 nasdaq

nasdaq

  • Malware Response Team
  • 38,592 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 20 December 2016 - 10:44 AM

Any remaining issues with this computer?

#10 kooky500

kooky500
  • Topic Starter

  • Members
  • 134 posts
  • Gender:Female
  • Location:Colorado, USA

Posted 20 December 2016 - 11:04 AM

So far so good - I can use my security software again, so that's good. Is there any way I can be 100% sure the virus is gone? Just to calm my anxiety about it.



#11 nasdaq

nasdaq

  • Malware Response Team
  • 38,592 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 20 December 2016 - 01:46 PM


This may take a while. Do it when you know you will not need the computer for an hour or 2.
Please scan your computer with ESET Online Scanner.
  • Click on this link to open ESET Online Scanner in a new window.
    • Click on the Scan Now button to download the esetonlinescanner_enu.exe file. Save it to your Desktop.
    • Close all your programs and browsers.
    • Please disable your antivirus program to avoid potential conflicts, improve the performance and speed up the scan.
    • Double click on esetonlinescanner_enu.exe to start ESET Online Scanner. It will open a window with the Terms of Use.
  • Check mark Download latest version of ESET Online Scanner and click the Accept button.
  • Accept any security warnings that may appear.
  • Under Computer scan settings, check mark Enable detection of potentially unwanted applications.
  • Then click Advanced settings and check mark the following options:
    • Enable detection of potentially unsafe applications
    • Clean threats automatically
  • Click the Scan button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats.
  • Click Export, and save the file to your Desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
Note: If nothing is found, it will not produce a log.

Please re-enable your antivirus program.

#12 kooky500

kooky500
  • Topic Starter

  • Members
  • 134 posts
  • Gender:Female
  • Location:Colorado, USA

Posted 20 December 2016 - 10:10 PM

I might not get around to this till tomorrow. Is that okay? 



#13 kooky500

kooky500
  • Topic Starter

  • Members
  • 134 posts
  • Gender:Female
  • Location:Colorado, USA

Posted 21 December 2016 - 01:04 AM

Okay, ESET didn't find anything. But now my security programs are back to not working.



#14 nasdaq

nasdaq

  • Malware Response Team
  • 38,592 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 21 December 2016 - 08:59 AM

Restart the computer normally one more time.

If the problem persists, then run these tools.

We will check your BIOS and Master boot record.

Read carefully and follow these steps.
TDSS
  • Download TDSSKiller and save it to your Desktop.
  • Doubleclick on TDSSKiller.exe to run the application.
  • Then click on Start Scan.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.

  • If an infected file is detected, the default action will be Cure, click on Continue.
  • Important: Do NOT change the default action on your own unless instructed by a malware Helper! Doing so may render your computer unbootable.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.

  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
===

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it.
  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please paste the contents of that log in your next reply.
  • There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.
===

Wait for further instructions.


#15 kooky500

kooky500
  • Topic Starter

  • Members
  • 134 posts
  • Gender:Female
  • Location:Colorado, USA

Posted 21 December 2016 - 10:52 AM

Alright, TDSS didn't find anything, and the second program in your post caused a BSOD when I tried to run it.





