skatko

Rootkit.win32.zaccess!e2 - says I need Emsisoft to remove....

31 posts in this topic

Emsisoft is what caught this. What is it, a virus? A trojan? Someone please help me, as I don't know what the next step is. I followed the link to Emsisoft and all it said was I needed to purchase it, which is silly as I have used Emsisoft for quite some time.

Off topic a bit, I noticed this trojan(?) was caught and isolated when I visited a favorite blog page. Does this mean that the blogger's site is infected somehow? I am afraid to click on that page again!

Download and run Win32kDiag per the below instructions:

  • Download Win32kDiag.exe and save to C:\Win32kDiag.exe. You must save it here!!!!
  • Now press and hold the Windows key on your keyboard, then press the letter R on your keyboard.
  • Then copy the below text and paste it into the Open: text field and press ENTER.
    C:\win32kdiag.exe -f -r
  • When it's finished, there will be a log named Win32kDiag.txt on your desktop.


Read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then click on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Save the log somewhere where you can find it.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.(Version)_(Date)_(Time)_log.txt".


Close all windows

Do the following:

Start -> Run

type cmd

Click "OK"

The Command Console will open

Enter the following commands, at the Command Prompt. Commands must be entered exactly as shown.

Press the Enter Key after each command. Wait for each command to finish before proceeding to the next command.

netsh int ip reset reset.log
netsh winsock reset catalog
ipconfig /flushdns
exit

Re-boot your PC.


Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)

  • TDSSKiller (C:\TDSSKiller.(Version)_(Date)_(Time)_log.txt)
  • Win32kDiag.txt

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

Thanks for the quick reply! First of all, let me say I followed the instructions on the START HERE page. I have those two logs, Extras and OTL, attached.

I had to start in safe mode to get back my internet connection and to download the files. Nothing would respond on my laptop before this. I got the files and rebooted in regular mode and still nothing would work.

I restored my PC to a few days earlier and got the programs to work, and also got my internet connection back. Then I ran the first two steps.

I downloaded the Win32kDiag.exe and ran it. Then I downloaded the TDSSKiller and ran it. It found nothing after about 10 seconds! I changed the parameters and scanned again. It found a problem but not a threat. It closed and I have the log file attached.

Things seem to be working ok.

I don't understand how this happened. I thought Emsisoft was supposed to stop this stuff from getting onto the computer in the first place? Could that blog site be infected and they don't know it? Do I need another version of Emsisoft? How could a restore point help when the infection was present??

Thanks!!!!

The type of infection you have is designed to evade security applications. EAM is one of the very few security applications that can detect ZeroAccess post infection.

Download ComboFix from one of these locations:

Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download to your Desktop

Link 1

Link 2

* IMPORTANT !!! Save Combo-Fix to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
    See HERE for help
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message (screenshot not preserved):

Click on Yes, to continue scanning for malware.

When finished, ComboFix will produce a log.

Note:

1. Do not mouse-click ComboFix's window while it's running. That may cause it to stall!

2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.


Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)

  • ComboFix (C:\combofix.txt)

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

Well, I tried the ComboFix and it was a mess! I ran it three times and when it was 'creating' a log, it sat like that for an hour or so. It never did end right. I also had no internet access at this time. I had to do a system restore again, as I did earlier! I am currently running my EAM scanner again to see what happens. BTW, during all this, I had to reinstall Firefox and Thunderbird as both got corrupted.

OK, let's look for partitions that are not supposed to be present.

Do the following:

Start -> Run

type diskmgmt.msc

Click "OK"

Disk Management will open.

Click and hold the right side of the Disk Management window and drag it to the right until you can see all the columns.

Take a screenshot of the Disk Management window and attach the screenshot to your reply.

Nope, still didn't attach.

It didn't attach.

Is there another way to 'paste' the screen shot? I only know to put it into a word document. I am going to try to save it as a .jpg

I'm not sure of what to make of that 39MB OEM Partition.

Changing to a different tool since ComboFix isn't running correctly.

Download avz4.zip from here

  • Unzip it to your desktop to a folder named avz4
  • Double click on AVZ.exe to run it.
  • Run an update by clicking the Auto Update button on the right of the Log window
  • Click Start to begin the update

Note: If you receive an error message, choose a different source, then click Start again

  • After the update, from the "File" menu, choose "Standard Scripts"
  • Put a check next to item 2: Advanced System Investigation
  • Click Execute selected scripts
  • At the next prompt, click the OK button
  • Let the scan run and click "OK" when the completion prompt pops up
  • Now close out of the Standard Scripts window, and exit AVZ
  • Navigate to the avz4 folder and locate the folder LOG
  • Inside the LOG folder you will find virusinfo_syscheck.htm and virusinfo_syscheck.zip
  • Attach the compressed file, virusinfo_syscheck.zip, to your next reply.

When I started the .exe, it was shut down immediately as unsafe. I am hoping this is just a mistake. If you tell me to try it again I will but that freaked me out!

What shut it down as unsafe?

A program I actually forgot was running: Spybot Search and Destroy. When I clicked on 'ignore' and run anyway, it didn't. This happened twice and I wasn't sure whether it was a false alert or not.

Shut down Spybot Search&Destroy. It is a false alert.

AVZ log looks OK.

This next tool is going to dump a lot of information about your system. Hopefully, it will show something that the other tools are not seeing.

Download:

- ISeeYouXP by ShadowPuterDude

Double-click ISeeYouXP.exe; ISeeYouXP will be extracted to C:\ISeeYouXP and a shortcut to ISeeYouXP.bat will be placed on the Desktop.

Double-click the ISeeYouXP shortcut to run ISeeYouXP.

Possible Error Messages

  • If your ISeeYouXP.txt log appears to be empty or semi-empty, or you get an error message similar to the one below when running ISeeYouXP.bat and you are running Windows XP or Windows 2000, follow the steps further down that relate to your OS:
    C:\WINDOWS\SYSTEM32\AUTOEXEC.NT. The system file is not suitable for running MS-DOS and Microsoft Window applications.
    To fix the above error message, choose the download below which is appropriate for your system:
    • For Windows XP Pro: download and run: XPproFix
    • For Windows XP Home: download and run: XPHomeFix
    • For Windows 2000: download and run: W2KFix

    Then run ISeeYouXP.bat again and attach the log.

  • A possible second type of error message may occur, as shown in the quote box below! If you get either of these two messages, perform the Resolution steps given in this: Virtual Device Driver Error Message in 16-Bit MS-DOS Subsystem

    16 bit MS-DOS Subsystem
    drive:\program path
    XXXX. An installable Virtual Device Driver failed DLL initialization. Choose 'Close' to terminate the application.

    -or-

    16 bit MS-DOS Subsystem
    drive:\program path
    SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers. VDD. Virtual Device Driver format in the registry is invalid. Choose 'Close' to terminate the application.

After attempting to fix the above errors, run ISeeYouXP.bat and attach the log.

IMPORTANT NOTE:

Vista Users

UAC must be turned off to run this script.

Turning Off/On UAC in Vista

1. Open the Control Panel.

2. Under User Account and Family settings click on the "Add or remove user account".

3. Click on your user account.

4. Under the user account click on the "Go to the main User Account page" link.

5. Under "Make changes to your user account" click on the "Change security settings" link.

6. In the "Turn on User Account Control (UAC) to make your computer more secure" click to unselect the "Use User Account Control (UAC) to help protect your computer". Click on the Ok button.

7. You will be prompted to reboot your computer. Do so.

In order to re-enable UAC just select the above checkbox and reboot.

To run ISeeYouXP, right-click on the batch file and select "Run as Administrator".

Attach the ISeeYouXP log. It should be on your Desktop.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. NOT supported for use in 9x or ME.

Upgrading Java:

  • Download the latest version of Java SE Runtime Environment (JRE): JRE 6 Update 29.
  • Click the "Download JRE" button to the right.
  • Accept the license agreement.
  • Click on the download link for your system and save it to your desktop.
    Windows x86 Offline (jre-6u29-windows-i586.exe)
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista/7 users, right click on the JRE download and select "Run as an Administrator.")


The installed version of Adobe Flash Player on this computer is out-dated. Install the latest version of Adobe Flash Player available from Adobe. (Do this using both IE and Firefox)


The installed version of Adobe Shockwave Player on this computer is out-dated. Install the latest version of Adobe Shockwave Player available from Adobe.


The installed version of Firefox on this computer is out-dated. Install the current version of Firefox from: Mozilla Firefox


The installed version of Thunderbird on this computer is out-dated. Install the current version of Thunderbird from: Mozilla Thunderbird


Run OTL.exe

  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
    :OTL
    O2 - BHO: (no name) - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {30F9B915-B755-4826-820B-08FBA6BD249D} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - No CLSID value found.
    O4 - HKLM..\Run: []  File not found
    O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
    O32 - AutoRun File - [2010/01/08 10:18:42 | 000,000,050 | ---- | M] () - X:\AUTOEXEC.BAT -- [ NTFS ]
    O32 - AutoRun File - [2010/07/09 21:14:07 | 000,000,000 | RH-D | M] - Y:\autorun -- [ NTFS ]
    O32 - AutoRun File - [2002/10/16 07:56:50 | 000,000,036 | RH-- | M] () - Y:\autorun.inf -- [ NTFS ]
    O32 - Unable to obtain root file information for disk Z:\
    [2011/11/18 18:47:14 | 000,000,000 | ---D | C] -- C:\Users\Sheila\AppData\Roaming\PUUVelOOBtz
    [2011/11/18 18:47:04 | 000,000,000 | ---D | C] -- C:\Users\Sheila\AppData\Roaming\RhhYYXwwkUelOtz
    [1 C:\Users\Sheila\AppData\Local\*.tmp files -> C:\Users\Sheila\AppData\Local\*.tmp -> ]
    [2011/11/19 08:17:00 | 000,000,000 | ---- | M] () -- C:\Users\Sheila\AppData\Local\{4A6134E9-CE92-4E26-A2E3-3C793CFA7B0D}
    [2011/06/18 14:26:44 | 000,000,000 | ---- | C] () -- C:\Users\Sheila\AppData\Local\{2CBADD8F-0B0B-4805-8B9F-5B4AEC8E9320}
    @Alternate Data Stream - 132 bytes -> C:\ProgramData\TEMP:2430E4FC
    @Alternate Data Stream - 119 bytes -> C:\ProgramData\TEMP:63238B95
    
    :Files
    C:\32788R22FWJFW
    C:\globdata.ini
    C:\install.res.1036.dll
    C:\install.res.3082.dll
    C:\install.res.1040.dll
    C:\install.res.1041.dll
    C:\install.res.1042.dll
    C:\install.exe
    C:\install.ini
    C:\install.res.2052.dll
    C:\install.res.1028.dll
    C:\install.res.1031.dll
    C:\install.res.1033.dll
    C:\Users\Sheila\AppData\Local\temp\DLL_{B98BE95C-E76F-4246-B8E6-BEB8EE791D06}.ini
    C:\install.res.1033.dll
    C:\Users\Sheila\AppData\Local\temp\EF2.dir
    C:\install.res.1033.dll
    C:\Users\Sheila\AppData\Local\temp\is7756.tmp
    C:\Windows\Temp\fb_3800.lck
    C:\Windows\Temp\MSI327d1.LOG
    C:\Windows\Temp\SEP98E8.tmp
    
    :Commands
    [Purity]
    [EmptyTemp]
    [EmptyFlash]
    [EmptyJava]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Attach the new log produced by OTL (C:\_OTL). (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

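The OTL fix in the post above removes two alternate data streams attached to C:\ProgramData\TEMP. As an added example (not from this thread, from OTL or from any tool named here), this PowerShell snippet enumerates every non-default NTFS stream under a folder so a responder can see such entries before deciding what to remove; the $Root default and the output fields are my assumptions.

```powershell
# Added example, not part of the thread: list NTFS alternate data streams (ADS)
# under a folder. Requires PowerShell 3.0 or later for the -Stream parameter.
# Run from an elevated prompt so hidden and system entries are readable.
param(
    # Assumption: default to the folder the OTL log pointed at.
    [string]$Root = 'C:\ProgramData'
)

# Include the root itself: directories can carry ADS too, which is exactly
# what the OTL lines "C:\ProgramData\TEMP:<name>" describe.
$items = @(Get-Item -LiteralPath $Root -Force) +
         @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

foreach ($item in $items) {
    # Every file has the unnamed ':$DATA' stream; anything else is an ADS.
    $streams = Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
               Where-Object { $_.Stream -ne ':$DATA' }

    foreach ($s in $streams) {
        # One row per stream: where it lives, its name, and its size in bytes.
        [pscustomobject]@{
            Path   = $item.FullName
            Stream = $s.Stream
            Bytes  = $s.Length
        }
    }
}
```

Pipe the output to Format-Table or Export-Csv to keep a record of what was found before any cleanup.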
Okay this is wild. I had to redownload OTL and the first time EAM quarantined it with an alert. The second time I tried, I got this message: attached

I did go to eam and restore it. Just thought you should see it. That happened in the beginning also, when I was following the first instructions to get help.

I am going to run it now. Hope it's ok!

OTL will not run. It got shut down again, this time as an invalid program or something. I clicked on the shortcut again and it had been 'removed'.....

OK, shut down all your active AV/AM protection. Delete all copies of OTL. Download a new copy and run it.

Yes, run another scan with OTL and attach the log.

Unless you are having problems, it is time to do the final steps.

Now to remove most of the tools that we have used in fixing your machine:

  • Download OTC to your desktop and run it
  • A list of tool components used in the cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
  • Click Yes to begin the cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.

Delete the following from your Desktop (If they exist)

CFscript.txt

Win32kDiag.exe

Win32kDiag.txt

Anything else I had you use

Delete the following files: (If they exist)

C:\ComboFix.txt

Delete the following folders: (If they exist)

C:\ComboFix

C:\Qoobox

Empty the Recycle Bin

Download to your Desktop:

- CCleaner Portable

  • Unzip CCleaner Portable to a folder on your Desktop named CCleaner

Run CCleaner

  • Open the CCleaner folder on your Desktop and double click CCleaner.exe (32-bit) or CCleaner64.exe (64-bit)
  • The following should be selected by default; if not, please select them (screenshot not preserved)
  • Click the button and choose the option shown in the original screenshots (not preserved)
  • Uncheck the item shown in the original screenshot (not preserved)
  • Then go back to the tab shown and click the button shown to run it (screenshots not preserved)
  • Exit CCleaner.

Turn off System restore to flush all your restore points then turn system restore back on. See How To Enable and Disable System Restore.

You can delete and uninstall any programs I had you download, that you do not wish to keep on the system.

Run Windows Update and update your Windows Operating System.

Run the Secunia Online Software Inspector; this will inspect your system for software that is out-of-date and in need of updating. Update any program/application detected as being out-dated.

Articles to read:

How to Protect Your Computer From Malware

How to keep you and your Windows PC happy

Web, email, chat, password and kids safety

10 Sources of Malware Infections

That should take care of everything.

Safe Surfing!

Thread Closed

Reason: Resolved

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE, if you don't we are just going to send you back to this thread.
