Help, trying to remove remaining threats after ZeroAccess Trojan infection


sct123

Hello, so bear with me, I am not a computer expert, but have basic knowledge... So my computer was recently infected with the dreaded ZeroAccess trojan. I have spent the past 3 days running various programs to try and get rid of all traces of this trojan. I originally was following instructions from malwareinfo.com on how to remove this trojan. I ran (in this order) Kaspersky, Combo Fix, Rogue Killer, Malwarebytes, HitmanPro, followed by Emsisoft Emergency Kit. I originally had Microsoft Security Essentials installed as my anti-virus, but recently installed McAfee (2013) instead as I haven't been very happy with MSE.

I went through and deleted/quarantined items as instructed through these programs and yet 2 things are concerning me. McAfee keeps finding the ZeroAccess trojan and supposedly removing it but then keeps finding it again (although when I run a full scan it doesn't find anything...), and Emsisoft seems unable to quarantine several threats that it detected (including 1 high risk). I have been experiencing intermittent internet connection issues as well which I am convinced are due to this infection, keep getting (the default gateway is unavailable), then troubleshooter fixes it, then 5 or 10 minutes later I have the same problem and the same result.

Please note that I did attempt to quarantine the first time that I ran Emsisoft (before I looked at this forum). I have run the 2 scans and attached the logs as requested for this forum (I have also included my first Emsisoft scan, as the 2nd one after quarantine apparently didn't find anything... I have copied them both into this text as they would not upload properly). Any assistance you can provide would be greatly appreciated.

 

First scan:

 

Emsisoft Emergency Kit - Version 4.0
Last update: 10/19/2013 12:06:11 AM
User account: Sam-Laptop\Sam

Scan settings:

Scan type: Smart Scan
Objects: Rootkits, Memory, Traces, C:\Windows\, C:\Program Files\, C:\Program Files (x86)\

Detect PUPs: On
Scan archives: Off
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off

Scan start:    10/19/2013 12:08:10 AM
C:\Users\Sam\AppData\Roaming\Pogo Games     detected: Trace.File.Lottso (A)
C:\Users\Sam\AppData\Roaming\Pogo Games\Common     detected: Trace.File.Lottso (A)
C:\Users\Sam\AppData\Roaming\Pogo Games\Common\Cache     detected: Trace.File.Lottso (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\INPROCSERVER32 -> THREADINGMODEL     detected: Trace.Registry.Bara de instrumente web a ISJ Bacau (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{57CADC46-58FF-4105-B733-5A9F3FC9783C} -> APPID     detected: Trace.Registry.els.mywebtattoo.com (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{57CADC46-58FF-4105-B733-5A9F3FC9783C}\INPROCSERVER32 -> THREADINGMODEL     detected: Trace.Registry.els.mywebtattoo.com (A)
C:\Program Files (x86)\Google\Desktop\Install\{c614d3bf-243a-3fd7-a4fd-36cd3756874b}\   \...\‮ﯹ๛\{c614d3bf-243a-3fd7-a4fd-36cd3756874b}\GoogleUpdate.exe     detected: Gen:Variant.Kazy.260535 (B)
C:\Program Files (x86)\x264 Video Codec\Filters\Haali\mmdinfo.dll     detected: Backdoor.HydraLoader.A (B)

Scanned    459531
Found    8

Scan end:    10/19/2013 1:07:08 AM
Scan time:    0:58:58

C:\Program Files (x86)\x264 Video Codec\Filters\Haali\mmdinfo.dll    Quarantined Backdoor.HydraLoader.A (B)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{57CADC46-58FF-4105-B733-5A9F3FC9783C} -> APPID    Quarantined Trace.Registry.els.mywebtattoo.com (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{57CADC46-58FF-4105-B733-5A9F3FC9783C}\INPROCSERVER32 -> THREADINGMODEL    Quarantined Trace.Registry.els.mywebtattoo.com (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\INPROCSERVER32 -> THREADINGMODEL    Quarantined Trace.Registry.Bara de instrumente web a ISJ Bacau (A)
C:\Users\Sam\AppData\Roaming\Pogo Games    Quarantined Trace.File.Lottso (A)

Quarantined    5

Second scan:

 

Emsisoft Emergency Kit - Version 4.0
Last update: 10/19/2013 12:06:11 AM
User account: Sam-Laptop\Sam

Scan settings:

Scan type: Smart Scan
Objects: Rootkits, Memory, Traces, C:\Windows\, C:\Program Files\, C:\Program Files (x86)\

Detect PUPs: On
Scan archives: Off
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off

Scan start:    10/19/2013 12:44:35 PM

Scanned    459613
Found    0

Scan end:    10/19/2013 2:39:45 PM
Scan time:    1:55:10
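
Added example (not part of the original post, and not Emsisoft's own tooling): a short Python script that reconciles the "detected" and "Quarantined" entries of a scan log like the first one above, lists detections that no quarantine entry covers, and flags Unicode format characters in their paths. The sample log is a subset of lines from the post with the unusual path characters written as escapes; the line layout the regex expects is an assumption inferred from that log.

```python
import re
import unicodedata

# Subset of the first scan log in the post; the unusual characters in the
# GoogleUpdate.exe path are written as escapes so they stay visible here.
SAMPLE_LOG = "\n".join([
    r"C:\Users\Sam\AppData\Roaming\Pogo Games     detected: Trace.File.Lottso (A)",
    r"C:\Users\Sam\AppData\Roaming\Pogo Games\Common     detected: Trace.File.Lottso (A)",
    r"C:\Users\Sam\AppData\Roaming\Pogo Games\Common\Cache     detected: Trace.File.Lottso (A)",
    "C:\\Program Files (x86)\\Google\\Desktop\\Install\\{c614d3bf-243a-3fd7-a4fd-36cd3756874b}"
    "\\   \\...\\\u202e\ufbf9\u0e5b\\{c614d3bf-243a-3fd7-a4fd-36cd3756874b}\\GoogleUpdate.exe"
    "     detected: Gen:Variant.Kazy.260535 (B)",
    r"C:\Program Files (x86)\x264 Video Codec\Filters\Haali\mmdinfo.dll     detected: Backdoor.HydraLoader.A (B)",
    r"C:\Program Files (x86)\x264 Video Codec\Filters\Haali\mmdinfo.dll    Quarantined Backdoor.HydraLoader.A (B)",
    r"C:\Users\Sam\AppData\Roaming\Pogo Games    Quarantined Trace.File.Lottso (A)",
])

# Assumed layout, inferred from the log: <object> <2+ spaces> <verb> <detection name>
ENTRY = re.compile(r"^(.+?)\s{2,}(detected:|Quarantined)\s+(.+)$")

def parse(log):
    """Return ({object: detection name}, {quarantined objects})."""
    detected, quarantined = {}, set()
    for line in log.split("\n"):
        m = ENTRY.match(line.strip())
        if not m:
            continue  # headers, settings and counters are ignored
        obj, verb, name = m.groups()
        if verb == "detected:":
            detected[obj] = name
        else:
            quarantined.add(obj.lower())
    return detected, quarantined

def covered(obj, quarantined):
    """A quarantined folder also covers every object beneath it."""
    o = obj.lower()  # Windows paths are case-insensitive
    return any(o == q or o.startswith(q + "\\") for q in quarantined)

def hidden_chars(path):
    """Code points of Unicode format characters (e.g. bidi overrides) in a path."""
    return [f"U+{ord(c):04X}" for c in path if unicodedata.category(c) == "Cf"]

def unresolved(log):
    """Detections with no matching quarantine entry, plus any hidden characters."""
    detected, quarantined = parse(log)
    return [(o, n, hidden_chars(o)) for o, n in detected.items() if not covered(o, quarantined)]

if __name__ == "__main__":
    for obj, name, hidden in unresolved(SAMPLE_LOG):
        print(ascii(obj), "|", name, "| format chars:", hidden)
```

On the sample, the two Pogo Games subfolders count as handled because their parent folder was quarantined, which leaves only the GoogleUpdate.exe detection without a quarantine entry.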
 

 


Download AdwCleaner and save it on your desktop.

  • Close all open programs and Internet browsers (you may want to print out or write down these instructions first).
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • You will be prompted to restart your computer. A text file will open in Notepad after the restart (this is the log of what was removed), which you can save on your desktop.
  • Attach that log file to a reply by clicking the More Reply Options button to the lower-right of where you type in your reply.
  • If you lose that log file for any reason, you can find it at C:\AdwCleaner on your computer.

Download Junkware Removal Tool and save it on your desktop.

  • Shut down your anti-virus, anti-spyware, and firewall software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or Windows 7, right-click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log is saved to your desktop and will automatically open.
  • Attach the JRT log file to a reply by clicking the More Reply Options button to the lower-right of where you type in your reply.

Download attached fixlist.txt file and save it to the Desktop.

NOTE: It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needed a restart, please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.


Hello, ok so I am sending this reply from a different computer. I did as you instructed and downloaded the programs and the txt file to my desktop. I opened AdwCleaner and ran a scan, it found quite a few things in my registry (not surprised), I clicked on clean, and as you said, it prompted me to restart the computer so I clicked ok. The computer restarted and when I went to login to Windows I was given a message "The RPC is unavailable", now I am unable to even get Windows to boot, tried holding F8 during startup and nothing happens....now what? Thanks in advance for your help...


Press Win+R, type msconfig in the open box. Click "OK"

 

Click "OK" at the UAC prompt

 

MsConfig will open, select "Normal Startup", click "OK"

 

Your system will need to restart for the change to take effect.

 

That should clear the "RPC server is unavailable" error.


This is not working. I get the RPC message when I go to log in to Windows, pressing Win+R, F8, F12, nothing works on startup or during login screen. I can't access Windows to do msconfig. Is there any way to fix this, at this point I don't even know how I can go to a restore point, it won't let me do anything...


Hi, ok so never mind... I got fed up with trying to get rid of this infection after 5 days, I had enough. I did a full clean install of the OS (Windows 7). I already had backed all of my files up. No sign of infection now. Good luck to anyone who gets stuck with that trojan... Thanks anyways for your help.


Sorry that I couldn't have been of more help.

Thread Closed

Reason: Clean Install of Windows

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE, if you don't we are just going to send you back to this thread.
