paul_smith

  1. Hi, I have a ZeroAccess infection. I have done all the steps mentioned below, but I still think that it is there. Could anybody help please. John Paul S.

-------------------------------------------------------------
####################################################################################################
### Removing viral infection ###
####################################################################################################

====================================================================================================
00. Infections found
====================================================================================================
1. With ComboFix
   - Trojan.Sirefef.YS in Desktop.ini
   - Rootkit.ZeroAccess inserted into tcp/ip stack (= message by ComboFix)
2. With RKill
   * ALERT: ZEROACCESS rootkit symptoms found!
   * C:\WINDOWS\assembly\GAC\Desktop.ini [ZA File]
   * ALERT: ZEROACCESS Reparse Point/Junction found!
   * C:\WINDOWS\$NtUninstallKB65459$\1241927679 => c:\windows\system32\config [File]
3. After running the antimalwares mentioned below, ComboFix & RKill are not showing anything now. Especially, C:\WINDOWS\assembly\GAC\Desktop.ini has been deleted, as well as C:\WINDOWS\$NtUninstallKB65459$\1241927679
4. Remaining problem:
   - Not sure if everything is clean since some weird cookies are added in my "Cookies" directory even if there is no browser opened; this happens especially when the network cable is plugged in. I have the impression that the Rootkit.ZeroAccess is still inserted into the tcp/ip stack even if ComboFix is not reporting it anymore.

====================================================================================================
01. Current computer configuration
====================================================================================================
01. Dell laptop D630 - 4 GB RAM
02. Windows XP SP3, not up to date because I think it is better to solve my viral infection first

====================================================================================================
02. Preparatory work done
====================================================================================================
01. Uninstallation of antivirus (otherwise it will interfere with ComboFix)
    - Used uninstall / official remover (AvgRemover to be chosen according to version installed)
02. Uninstallation of Online Armor Firewall
03. Removed unnecessary programs from Windows startup
04. Complementary checking
    - Copy all virus cleaning programs to disk D:\
    - Shut down computer & disconnect all other external drives
    - Reboot & check that antivirus & firewall are uninstalled
05. Start computer in safe mode or normal mode depending on the removal program
    - With network functionalities
    - Set screen to max possible

====================================================================================================
03. Unlocking environment done
====================================================================================================
01. Unhide program = Unhide all Windows files, especially those hidden by virus
02. Defogger = Unlock virtual DVD & CD units
    - Stop CD & DVD emulation software = perturbs antivirus
    - Will reboot the computer (Safe Mode)
    - Re-enable after done!!!!
03. RKill = To kill all viral processes ==> After each reboot !!!!!!!!!!!!!!!!
    - Renamed to iexplore to avoid it being stopped by malicious programs
    - Run RKill
    - Problems found (mentioned above)
04. FixExec = To repair ".Exec" + ".Com3" link
05. Farbar Tools
    01. GrantPerms = To grant permission to locked files
    02. Farbar Service Scanner
    03. MiniToolBox

====================================================================================================
04. Core Scanning Tools Used
====================================================================================================
00. Cleaning Tools = To be used when a file with virus is found and cannot be easily deleted
    01. VT Hash Check = Check file authenticity & can also delete file before reboot if needed
    02. BlitzBlank = Delete files before Windows boot in case needed
01. Microsoft Safety Scanner
    - Used for 1st detection only
    - Not used after
02. Kaspersky TDSSKiller
    - Download and rename as: iexplore.exe
    - Change parameters: select "detect TDLFS file system"
    - Run scan
03. ComboFix
    - Made sure that no antivirus + firewall are running
    - Made sure that it is running in safe mode without networking
    - ComboFix will send info on what was detected, then ask for a reboot => Accept, and if it does not stop, force it (press power button) & restart in safe mode (F8)
    - ComboFix started again automatically before Windows starts:
    - Displayed completed stages (1,2...50)
    - Deleted files that are corrupted
    - ComboFix will itself ask to reboot the computer
    - Do not reboot the computer manually !!!!!
    - ComboFix will then generate a report in c:\ComboFix.txt
    - Rescan with ComboFix until the report file is the same
04. RogueKiller = Safe Mode + Network connection
    - Run RKill
    - Run RogueKiller
    http://www.adlice.com/zeroaccess-removal-with-roguekiller/ = Website sent as result containing a web malware!
05. MalwareBytes Chameleon = In Normal Mode; does not work in Safe Mode even with Networking
    - Run svhost.exe
    - Perform a Quick Scan & delete all malwares found
    - Perform a Full Scan & delete all malwares found
06. HitmanPro
    - In Normal Mode
    - Malware found and deleted
07. MalwareBytes Anti-Rootkit
08. AdwCleaner
09. Junkware Removal
10. Eset Online Scanner
11. Emsisoft Emergency Kit
12. Farbar Recovery Scan Tool (Safe Mode)
13. SuperAntiSpyware
    - Found cookies and deleted them

====================================================================================================
04. Complementary checks done
====================================================================================================
01. OTL
02. HijackThis
03. Short-cut Cleaner

=====================================================
05. Completion
=====================================================
- Re-run main "Unlocking environment"
- Re-run all "Core"
- Re-enable CD & DVD emulation software with Defogger!!!!
- Delete all malware program quarantine folders
- Uninstall all malware programs
- Remove all cookies: C:\Documents & Settings\(all accounts)\Cookies
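The post above lists concrete indicators (the Desktop.ini at the GAC root, the junction inside a `$NtUninstallKB...$` folder pointing at system32\config, cookies appearing with no browser open) and then relies on the scanners' silence to judge whether they are gone. The script below re-checks those same indicators directly, so the "is it really clean" question can be answered against the file system rather than against a scanner report. It is an added example, not part of the original post and not code from any of the tools it names. Assumptions: it runs as Administrator under PowerShell 2.0 (installable on XP SP3 via the Windows Management Framework), the profile layout is the XP one (`C:\Documents and Settings\<user>\Cookies`), the 30-minute window for "recent" cookies is arbitrary, and junction targets are read from `dir /aL` output because PowerShell 2.0 cannot resolve them itself. The connection listing in step 4 is only context for the "cable plugged in" symptom; it is not a ZeroAccess detector on its own.

```powershell
# Added example (not from the original post or from any tool it names).
# Re-checks, after cleanup, the ZeroAccess indicators the post lists:
#   1. a Desktop.ini planted at the GAC root (RKill's "[ZA File]" alert),
#   2. a junction inside a fake $NtUninstallKB...$ folder (RKill's
#      "Reparse Point/Junction" alert),
#   3. files appearing in the Cookies folders while no browser is open,
#   4. which processes hold network connections at that moment.
# Assumptions: run as Administrator; PowerShell 2.0 on XP SP3; XP profile
# layout (C:\Documents and Settings\<user>\Cookies) as in the post.

function Get-ZeroAccessIndicators {
    param([int]$CookieWindowMinutes = 30)   # assumption: how far back to look

    $win      = $env:SystemRoot              # C:\WINDOWS on the poster's machine
    $findings = @()

    # 1. Desktop.ini at the GAC root. RKill flagged exactly this path; a
    #    clean assembly\GAC folder has no Desktop.ini at this level.
    $gacIni = Join-Path $win 'assembly\GAC\Desktop.ini'
    if (Test-Path -LiteralPath $gacIni) {
        $findings += "ZA file still present: $gacIni"
    }

    # 2. Reparse points directly inside $NtUninstall*$ folders. Genuine hotfix
    #    uninstall folders hold backed-up files, not junctions, and the post's
    #    junction pointed at system32\config. Only one level is examined so the
    #    scan cannot loop through the junction itself.
    $rp = [System.IO.FileAttributes]::ReparsePoint
    foreach ($d in (Get-ChildItem -LiteralPath $win -Force -ErrorAction SilentlyContinue)) {
        if (-not $d.PSIsContainer -or $d.Name -notlike '$NtUninstall*$') { continue }
        foreach ($e in (Get-ChildItem -LiteralPath $d.FullName -Force -ErrorAction SilentlyContinue)) {
            if (($e.Attributes -band $rp) -ne $rp) { continue }
            # "dir /aL" prints junctions as "<JUNCTION>  name [target]"
            $target = (& cmd.exe /c dir /aL $d.FullName 2>$null) |
                Select-String -SimpleMatch $e.Name
            $findings += "Reparse point: $($e.FullName)  ($target)"
        }
    }

    # 3. Cookie files written recently. Close every browser, plug the cable
    #    in, wait, then run this: new files here with no browser open are the
    #    symptom the post describes.
    $profiles = Split-Path -Parent $env:USERPROFILE   # C:\Documents and Settings
    $since    = (Get-Date).AddMinutes(-$CookieWindowMinutes)
    foreach ($c in (Get-ChildItem -Path (Join-Path $profiles '*\Cookies') -Force -ErrorAction SilentlyContinue)) {
        if (-not $c.PSIsContainer -and $c.LastWriteTime -gt $since) {
            $findings += "Recent cookie: $($c.FullName) ($($c.LastWriteTime))"
        }
    }

    # 4. Which process owns each established connection right now.
    #    netstat -ano prints the owning PID in the last column; Get-Process
    #    maps it to an image name. Unexpected owners are worth a closer look.
    $conns = (& netstat.exe -ano 2>$null) | Select-String -SimpleMatch 'ESTABLISHED'
    foreach ($line in $conns) {
        $ownerPid = ($line.ToString().Trim() -split '\s+')[-1]
        $proc     = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
        $findings += "Connection: $($line.ToString().Trim()) [$($proc.Name)]"
    }

    return $findings
}

$result = Get-ZeroAccessIndicators
if (@($result).Count -eq 0) { 'None of the listed indicators found.' } else { $result }
```

Run it once right after the cleanup and again after the cable has been plugged in for a while with every browser closed; a Desktop.ini or junction reappearing between the two runs, or cookie files with a fresh LastWriteTime, is the kind of evidence the scanners' clean reports cannot give.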
  2. Hello, I have a similar problem with rootkit.zeroaccess found on my computer. Should I run Farbar too? Best, Paul