Unable to remove Trojan Zeroaccess!inf4 infection in services.exe

Hi,

I have a Windows 7 Professional OS with Norton antivirus 2012.

Recently I got a notification on Norton for Trojan Zeroaccess!inf4.

Here is what I have done so far; I am still unable to remove it fully from my system.

1) Ran Norton to check if there are more infections and got a message All Threats Removed.

2) But the Unsolved Security Risks showed services.exe (Trojan Zeroaccess!inf4) detected by Auto-Protect. Assuming this was being picked up from quarantine, I ran MBAM for a Quick Scan.

3) MBAM log showed two infections. Below is the Log.

Malwarebytes Anti-Malware (Trial) 1.62.0.1300

www.malwarebytes.org

Database version: v2012.08.12.04

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Admin :: ADMIN-PC [administrator]

Protection: Enabled

8/12/2012 9:32:22 AM

mbam-log-2012-08-12 (09-32-22).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 198547

Time elapsed: 4 minute(s), 36 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 2

C:\Users\Admin\Downloads\SoftonicDownloader_for_mozilla-firefox.exe (PUP.ToolbarDownloader) -> No action taken.

C:\Windows\Installer\{ae963f8e-ac3e-59ff-8e3e-cf2ef11cd12e}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.

(end)

4) Clicked "Remove Selected" and rebooted the machine.

5) Re-ran it to verify whether the infections were removed; the MBAM log it generated is attached here.

Malwarebytes Anti-Malware (Trial) 1.62.0.1300

www.malwarebytes.org

Database version: v2012.08.12.04

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Admin :: ADMIN-PC [administrator]

Protection: Enabled

8/12/2012 11:18:07 AM

mbam-log-2012-08-12 (11-18-07).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 198084

Time elapsed: 3 minute(s), 1 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

6) Ran RogueKiller as Administrator. Its log is below, showing the ZeroAccess infection:

RogueKiller V7.6.6 [08/10/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User: Admin [Admin rights]

Mode: Scan -- Date: 08/12/2012 09:52:05

¤¤¤ Bad processes: 1 ¤¤¤

[sUSP PATH] c2c_service.exe -- C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe -> KILLED [TermProc]

¤¤¤ Registry Entries: 9 ¤¤¤

[DNS] HKLM\[...]\ControlSet001\Parameters\Interfaces\{38F75B14-47DE-47B4-AEBE-9D57EE0B3643} : NameServer (155.132.2.31,155.132.9.10) -> FOUND

[DNS] HKLM\[...]\ControlSet002\Parameters\Interfaces\{38F75B14-47DE-47B4-AEBE-9D57EE0B3643} : NameServer (155.132.2.31,155.132.9.10) -> FOUND

[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND

[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND

[ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\Admin\AppData\Local\{ae963f8e-ac3e-59ff-8e3e-cf2ef11cd12e}\n.) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_TrackProgs (0) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

[ZeroAccess][FILE] @ : c:\windows\installer\{ae963f8e-ac3e-59ff-8e3e-cf2ef11cd12e}\@ --> FOUND

[ZeroAccess][FOLDER] U : c:\windows\installer\{ae963f8e-ac3e-59ff-8e3e-cf2ef11cd12e}\U --> FOUND

[ZeroAccess][FOLDER] L : c:\windows\installer\{ae963f8e-ac3e-59ff-8e3e-cf2ef11cd12e}\L --> FOUND

[ZeroAccess][FILE] @ : c:\users\admin\appdata\local\{ae963f8e-ac3e-59ff-8e3e-cf2ef11cd12e}\@ --> FOUND

[ZeroAccess][FOLDER] U : c:\users\admin\appdata\local\{ae963f8e-ac3e-59ff-8e3e-cf2ef11cd12e}\U --> FOUND

[ZeroAccess][FOLDER] L : c:\users\admin\appdata\local\{ae963f8e-ac3e-59ff-8e3e-cf2ef11cd12e}\L --> FOUND

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

107.21.203.123 insplnx03.inspirage.com insplnx03

23.21.196.134 insplnx04.inspirage.com insplnx04

107.20.241.12 testec2.inspirage.com testec2

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: HITACHI HTS545050B9A300 +++++

--- User ---

[MBR] aa0b2ff107add63d95adeafa737941cc

[bSP] 15fc16227e8fccae680f59a76c9e4889 : Windows 7 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 99900 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 204802048 | Size: 150000 Mo

3 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 512002048 | Size: 226938 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1].txt >>

Kindly guide me in removing this infection completely from my system and suggest how to keep it from re-entering my system.

Thanks in advance.

Regards,

shekhar
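As an added example (not from the post above, and not RogueKiller's own code), a small Python parser for the report lines quoted in the thread: it groups the ZeroAccess entries by the GUID-named directory they live in, which makes it obvious that the single file MBAM quarantined (U\00000008.@) was only one piece of a structure present under both C:\Windows\Installer and the user's AppData\Local, and it pulls out the two UAC values the [HJ] lines report. The sample report text is constructed from lines in the post.

```python
import re

# Constructed sample: a subset of the RogueKiller report lines quoted in the post.
SAMPLE_REPORT = r"""
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\Admin\AppData\Local\{ae963f8e-ac3e-59ff-8e3e-cf2ef11cd12e}\n.) -> FOUND
[ZeroAccess][FILE] @ : c:\windows\installer\{ae963f8e-ac3e-59ff-8e3e-cf2ef11cd12e}\@ --> FOUND
[ZeroAccess][FOLDER] U : c:\windows\installer\{ae963f8e-ac3e-59ff-8e3e-cf2ef11cd12e}\U --> FOUND
[ZeroAccess][FOLDER] L : c:\users\admin\appdata\local\{ae963f8e-ac3e-59ff-8e3e-cf2ef11cd12e}\L --> FOUND
"""

# One report line: [family][optional kind] name : detail -> STATUS
LINE_RE = re.compile(
    r"^\[(?P<family>[^\]]+)\](?:\[(?P<kind>[^\]]+)\])?\s*(?P<name>[^:]*?)\s*:\s*"
    r"(?P<detail>.*?)\s*-+>\s*(?P<status>\w+)\s*$"
)
GUID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)


def parse_report(text):
    """Turn each finding line into a dict; lines that do not match are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            findings.append(m.groupdict())
    return findings


def zeroaccess_roots(findings):
    """Map each GUID used by ZeroAccess findings to the parent directories it appears under."""
    roots = {}
    for f in findings:
        if f["family"].lower() != "zeroaccess":
            continue
        m = GUID_RE.search(f["detail"])
        if not m:
            continue
        # Path prefix before the GUID, normalised so registry and file lines compare equal.
        parent = f["detail"][: m.start()].lstrip("(").lower().rstrip("\\")
        roots.setdefault(m.group(0).lower(), set()).add(parent)
    return {guid: sorted(dirs) for guid, dirs in roots.items()}


def uac_values(findings):
    """Extract the UAC registry values the [HJ] lines report (0 means the prompt is off)."""
    values = {}
    for f in findings:
        m = re.match(r"(EnableLUA|ConsentPromptBehaviorAdmin) \((\d+)\)", f["detail"])
        if m:
            values[m.group(1)] = int(m.group(2))
    return values
```

Running it on the full RKreport text instead of the sample shows every directory the same GUID is rooted in, which is the set a cleanup has to cover before the CLSID hijack stops reloading the payload.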
