
Virus: "Rootkit.ZeroAccess inserted into tcp/ip stack" (ComboFix)



Dear All,

 

After running it a couple of times (more than 6 times), ComboFix is still reporting this viral infection:

 

 "Rootkit.ZeroAccess inserted into tcp/ip stack"

 

I have run a large number of removal tools as found in the MalwareBytes forums, but none of them detects anything, apart from ComboFix.

 

Also, I am sure that the virus is still there as I can see it creating some cookies every time in my "Cookies" directory (under my name).

 

Below are the full details of what I have tried so far.

 

Can anybody offer some help please, as my computer is still infected, and very slow; basically, I cannot use it anymore!

 

Indeed, you are totally free to offer some help.

 

Simon

====================================================================================================
00. Computer configuration
====================================================================================================

01. Dell laptop D630
02. Windows XP SP3, not up to date, because I do not know if it is better to solve my viral infection first before updating.

But I can do this if it is better.

====================================================================================================
01. Preparatory work
====================================================================================================

01. Uninstallation of AVG antivirus (otherwise it will interfere with ComboFix)
    - Used uninstall & official remover (AvgRemover to be chosen according to version installed)

02. Uninstallation of Online Armor Firewall

03. Removed unnecessary programs from Windows startup
    
04. Complementary checking
    - Copy all virus cleaning programs to disk D:\
    - Shut down computer & Disconnect all other external drives
    - Reboot & check that antivirus & firewall are uninstalled correctly

05. Start computer in safe mode or normal mode, depending on the removal program
    - With network functionalities
    - Set screen to max possible

====================================================================================================    
01. Unlocking environment
====================================================================================================
01. Unhide program
    = To unhide all Windows files, especially those hidden by the virus

02. Defogger = Unlock virtual DVD & CD units
    - Stop CD & DVD emulation software = Disturbs the antivirus
    - Will reboot the computer (Safe Mode)
    - Re-enable after done!!!!
    
03. RKill = To kill all viral processes ==> After each reboot !!!!!!!!!!!!!!!!
    - Rename to iexplore to avoid it being stopped by malicious programs
    - Run RKill
    - Problems found

04. FixExec = To repair ".Exec" + ".Com3" link

05. Farbar Tools
    01. GrantPerms = To grant permission to locked files
    02. Farbar Service Scanner
    03. MiniToolBox

====================================================================================================
02. Core Scanning Tools Used
====================================================================================================    
00. Cleaning Tools = To be used when file with virus is found and cannot be easily deleted

    01. VT Hash Check = Check file authenticity & Can also delete file before reboot
    02. BlitzBlank = Delete files before Windows boots

01. Microsoft Safety Scanner = For 1st detection only - Not fundamental after

02. Kaspersky TDSSKiller
    - Download and rename as : iexplore.exe
    - Change parameters : Select "detect TDLFS file system"
    - Run scan
    
03. ComboFix
    - Make sure that no antivirus + Firewall are running
    - Make sure that running in safe mode without networking
    - ComboFix will send info on what was detected, then ask for a reboot => Accept, and if it does not stop, force it (press power button) & restart in safe mode (F8)
    - ComboFix will start again automatically before Windows starts:
        - Will display completed stages (1,2...50)
        - Will delete files that are corrupted
    - ComboFix will ask to reboot the computer itself - Do not reboot the computer manually !!!!!
    - ComboFix will then generate a report in c:\ComboFix.txt
    - Rescan again with ComboFix until same report file

04. RogueKiller = Safe Mode + Network connection
    - Run RKill
    - Run RogueKiller
    
    http://www.adlice.com/zeroaccess-removal-with-roguekiller/ = Website given as a result, containing web malware!

05. MalwareBytes Chameleon = In Normal Mode ; does not work in Safe Mode even with Networking
    - Run svhost.exe
    - Perform a Quick scan & Delete all malwares found
    - Perform a Full  Scan & Delete all malwares found

06. HitmanPro = In Normal Mode
07. MalwareByte Anti-Rootkit
08. AdwCleaner
09. Junkware Removal
10. Eset Online Scanner
11. Emsisoft Emergency Kit
12. Farbar Recovery Scan Tool (Safe Mode)

====================================================================================================
04. Complementary
====================================================================================================

01. OTL
02. HijackThis
03. Short-cut Cleaner

=====================================================
05. Completion
=====================================================
    - Re-run main "01. Unlocking environment"
    - Re-run all "02. Core" 4 times in total and ComboFix at least 6 times
    - Delete all malware program in quarantine folders
    - Remove all cookies: C:\Documents & Settings\Simon\Cookies + other accounts

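The thread does not say which hooking mechanism ComboFix's "inserted into tcp/ip stack" message refers to, and none of the tools listed above exposes its detection logic. One generic check a responder can still run on a box with this symptom is to audit the Winsock provider catalog, since a Layered Service Provider (LSP) DLL sitting outside the system directory is a classic way for malware to insert itself into the socket path of every networked process. The script below is an added example, not code from this thread or from any of the tools it lists. The catalog text is constructed in the layout that `netsh winsock show catalog` prints (only the fields the script reads are kept); the "Network Helper" entry, its `nethlp.dll` name and its path are hypothetical.

```python
"""Audit a Winsock provider catalog for provider DLLs that live outside
the Windows system directory.  Added example; the sample text is constructed."""
import re
import subprocess

ENTRY_HEADER = "Winsock Catalog Provider Entry"

# Constructed sample in the layout of `netsh winsock show catalog` (Windows XP/7);
# fields the script does not read are omitted.  The third entry is invented.
SAMPLE_CATALOG = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [UDP/IP]
Provider ID:                        {E70F1AA1-AB8B-11CF-8CA3-00805F48A192}
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1002

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        Network Helper
Provider ID:                        {00000000-0000-0000-0000-000000000000}
Provider Path:                      C:\Documents and Settings\User\Local Settings\Application Data\nethlp.dll
Catalog Entry ID:                   1037
"""

# Where a stock provider DLL is expected to live (compared case-insensitively).
SYSTEM_DIRS = ("%systemroot%\\system32\\", "c:\\windows\\system32\\")
# Stock Microsoft provider DLLs; a layered entry pointing elsewhere is a lead.
STOCK_PROVIDER_DLLS = {"mswsock.dll", "winrnr.dll", "rsvpsp.dll", "nlaapi.dll",
                       "napinsp.dll", "pnrpnsp.dll", "wshbth.dll"}

FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s+(.*\S)\s*$")


def parse_catalog(text):
    """Split the netsh dump into one dict of 'Field: value' pairs per entry."""
    entries = []
    for block in text.split(ENTRY_HEADER)[1:]:
        entry = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line)          # non-greedy key stops at the first colon,
            if m:                             # so 'C:\...' paths keep their drive letter
                entry[m.group(1).strip()] = m.group(2).strip()
        if entry:
            entries.append(entry)
    return entries


def suspicious_reasons(entry):
    """Return the reasons an entry deserves a look (empty list = looks stock)."""
    path = entry.get("Provider Path", "").lower().replace("/", "\\")
    dll = path.rsplit("\\", 1)[-1]
    reasons = []
    if not any(path.startswith(d) for d in SYSTEM_DIRS):
        reasons.append("DLL outside the system directory")
    if entry.get("Entry Type", "").startswith("Layered") and dll not in STOCK_PROVIDER_DLLS:
        reasons.append("layered provider is not a stock Microsoft DLL")
    return reasons


def audit(text):
    """Return (catalog entry id, description, path, reasons) for flagged entries."""
    findings = []
    for entry in parse_catalog(text):
        reasons = suspicious_reasons(entry)
        if reasons:
            findings.append((entry.get("Catalog Entry ID"), entry.get("Description"),
                             entry.get("Provider Path"), reasons))
    return findings


def live_catalog():
    """Fetch the real catalog on a Windows host (not used by the sample run)."""
    return subprocess.run(["netsh", "winsock", "show", "catalog"],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for entry_id, desc, path, reasons in audit(SAMPLE_CATALOG):
        print(f"entry {entry_id} ({desc}): {path}\n    " + "; ".join(reasons))
```

On a real system call `audit(live_catalog())` instead of the sample. A hit is a lead, not a verdict: some antivirus and VPN products install legitimate LSPs, so resolve the flagged DLL (hash it, as the VT Hash Check step above does) before removing anything. If a rogue provider is confirmed, `netsh winsock reset` rebuilds the catalog from the defaults on XP SP2 and later; take that as a general note, not as something ComboFix is known to do.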

Hello

 

P2P/Piracy Warning:

 

   

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

 

Download Farbar Recovery Scan Tool and save it to your desktop.

 

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

 

Kevin


  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

