
I'm infected - What do I do now? URL:mal / ZERO Access trojan



This should take less than an hour. But have infinite patience.

You will want to print out or copy these instructions to Notepad for offline reference!

These steps are for thedeadguy only. If you are a casual viewer, do NOT try this on your system!

If you are not thedeadguy and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.


Close any of your open programs while you run these tools.

On most all of the following programs and tools, you will need to do a right-click on the program link or shortcut or desktop icon (as appropriate) and then select "Run as Administrator". Please remember that as you go along and use these tools, each in turn.

If you have a prior copy of Combofix, delete it now!

Download Combofix from any of the links below, and SAVE it to your Desktop.

Link 1

Link 2

**Note: It is important that it is saved directly to your Desktop and not run straight away from download **

Turn OFF your antivirus, otherwise it will interfere. How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Have infinite patience during the run & scan by Combofix. It has many phases: some 50+ stages

It will display its "stage" within the Command prompt window. Do NOT panic if it seems slow to change! It has lots of work.

You may notice the desktop icons disappear. Do NOT panic, as that is expected behavior.

Combofix may take as little as 10 minutes and perhaps as much as 30-40 minutes. Time taken will depend on the speed of your system, how much there is to scan and how much it needs to clean.

If this is on a notebook system, make sure first that the notebook is connected to wall-power (AC power) or a UPS system.

Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.

Right-click on Combo-Fix.exe on your Desktop and select "Run as Administrator".

  • A window may open with a warning or prompts. Accept the EULA and follow the prompts during the start phase of Combofix.
    When the scan completes, Notepad will open with your results log. Do a File, Exit and answer 'Yes' to save changes.

A caution - Do not run Combofix more than once.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

If this occurs, please reboot to restore the desktop.

A file will be created at => C:\Combofix.txt.

Notes:

[1] IF after Combofix reboot you get the message

Illegal operation attempted on registry key that has been marked for deletion

....please reboot the computer; this should resolve the problem. You may have to reboot the PC a second time if needed.

[2] Do not mouseclick combofix's window nor run any program while Combofix is running.

That may cause it to stall.

[3] When all done, IF Combofix did not do a Restart, then I need for you to Restart the system fresh!

Reply & Copy & Paste contents of the C:\Combofix.txt log and tell me, How is the system now ?

Re-enable your antivirus program.

There will need to be further follow-up due to a number of services being turned off by malware.

So we will run some other steps later.


Log off and restart the system once more. This time, as soon as the PC is restarting,

tap and re-tap the F8 function key on the keyboard to get to Advanced Boot Options, and

select Safe Mode with Networking.

Please copy/paste the lines below to Notepad:

@Echo on
REM Rewrite the hosts file with only the default localhost entry
pushd \windows\system32\drivers\etc
attrib -h -s -r hosts
echo 127.0.0.1 localhost>HOSTS
attrib +r +h +s hosts
popd
REM Reset the network stack: DHCP lease, DNS cache, Winsock and TCP/IP
ipconfig /release
ipconfig /renew
ipconfig /flushdns
netsh winsock reset all
netsh int ip reset resetlog.log
REM Reboot, then delete this batch file
shutdown -r -t 1
del %0

Save as flush.bat to your desktop.

Double-click flush.bat file to run it. Your computer will reboot.

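The flush.bat above replaces the hosts file because malware of this kind commonly edits it to sinkhole security-vendor domains or redirect sites. The following is an added example, not part of the thread, that audits a hosts file for such entries before you overwrite it; the sample hosts content and its hostnames are constructed for illustration.

```python
"""Audit a Windows hosts file for hijacked entries (added example, not from the thread)."""
import ipaddress

# Constructed sample: the two default lines plus two hijack-style entries.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# constructed hijacks for this sample
127.0.0.1       update.example-av.test
203.0.113.10    www.example-bank.test   # redirect to a non-local address
"""

# The content the thread's flush.bat writes back.
DEFAULT_HOSTS = "127.0.0.1 localhost\n"


def parse_hosts(text):
    """Yield (address, [hostnames]) per entry, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        yield parts[0], parts[1:]


def suspicious_entries(text):
    """Return (address, [hostname], reason) for every entry other than
    loopback -> localhost. A loopback address pointed at any other name
    sinkholes that name (a common way to block AV updates); a non-loopback
    address pointed at any name redirects it elsewhere."""
    findings = []
    for ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, names, "unparseable address"))
            continue
        for name in names:
            if addr.is_loopback and name.lower() in ("localhost", "localhost.localdomain"):
                continue
            reason = "sinkholed to loopback" if addr.is_loopback else "redirected to " + ip
            findings.append((ip, [name], reason))
    return findings


if __name__ == "__main__":
    for ip, names, why in suspicious_entries(SAMPLE_HOSTS):
        print(f"{ip:<16} {' '.join(names):<28} {why}")
```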

If you have a backup from before the malware infection, you could, if you decide, restore from it.

Same if you want to do a factory restore. That is up to you also.

A fresh Windows install is the safest to do in any event. You would have to re-install all your apps.

Do you have a recent backup?

A factory restore would mean all your files and documents would be gone (unless you have them on backup-offline media).

If you can be in Safe mode with Networking, you could copy off your files and documents to external drive, or onto DVD, CDs, USB-flash-drive


You're not the only one who is upset. You should have addressed your infection weeks ago before getting here yesterday.

And if you had no mirror-image backup you did yourself no favors.

There is one last hope left. To recover the registry settings from before the Combofix.

To access the Advanced Boot Options Menu, restart the machine and tap the F8 key. From the Advanced Boot Options menu, select Repair Your Computer

You should now see the Recovery Environment Menu. From that menu, select Command Prompt

The command prompt is on the X:\ drive. Since the ERUNT backups are located on the drive that has Windows installed, you will need to change to that directory.

For most machines, this is the C: drive which we’ll use for the purpose of examples here.

At the X:\> prompt, type in following:

pushd \windows\erdnt\hiv-backup

and press Enter-key

type in

erdnt.exe

and press Enter-key

Then restart the system.

Edited by Maurice Naggar