Jump to content

Infected by ZeroAccess the 2nd One

Recommended Posts


i have a workstation infected with the Rootkit ZeroAccess.

It has NOD32 Antivirus v4 installed but the ESET Service dont have the permission to start.

I have no connection to the Windows 2008 Server but to the internet.

I run Maxlook and Maxhandle they nothing found.

Maxlook -Sig Log in attachment.

Than i run Kaspersky Tdsskiller and it founds the Win32.Zaccess Rootkit and i Cure it.

Please Help








Link to post
Share on other sites

Hello w23fdg0 and welcome to Malwarebytes! :welcome:

I am D-FRED-BROWN and I will be helping you. :)

Please print or save this topic: it will make it easier for you to follow the instructions and complete all of the necessary steps.



ComboFix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained.

It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

That being said, please do the following:


ComboFix needs to be run from the Desktop (of your C: drive).

Please delete the following file (in bold): i:\tools\ComboFix.exe


Please download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:


***IMPORTANT: save ComboFix to your Desktop***

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please go here to see a list of programs that should be disabled.

**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall**

Please include the C:\ComboFix.txt in your next reply for further review.

Also, please let me know if any problems still remain.


Please download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


In your next reply, please include:

  • C:\ComboFix.txt
  • Security Check checkup.txt

How is your computer running now?

Link to post
Share on other sites

thx for your help and your time.

No problem :)

Let's run TDSSKiller once more ;):

Please download to your Desktop:

  • TDSSKiller.zip from here and extract it (right click on it => "Extract here").

>>> TDSSKiller: Double-click on TDSSKiller.exe to run the application.

  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Skip, click on Continue tdsskiller2.png
  • If a suspicious file is detected, the default action will be Skip, click on Continue tdsskiller3.png
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive ((usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

In your next reply, please include the following (you may need to use two posts to get it all in):

  • TDSSKiller_log.txt

how the PC is running now?

Link to post
Share on other sites

TDSSKiller found nothing more.

PC works ok, no redirections in the browsers, no popups but NOD32 Antivirus want start.

The ESET Service says no rights zu start but i'm the local admin.

OS is Windows XP Prof SP3.

When i want to uninstall ESET it comes the Message that i have no rights to delete this

Regkey: "HKLM\software\currentversion\plugin\01000103\Profiles\@My profile"

I cannot change the rights of the key or give the right to me.

Nero, Lightscribe and Retrospect was infected with the Win32.Patched.HN and Win32.Sirefef.CO + CH

I deinstall the apps and the NOD32 Online Scanner found no more viruses on the PC.


Link to post
Share on other sites

but NOD32 Antivirus want start.

The ESET Service says no rights zu start but i'm the local admin.

It has been corrupted by the ZeroAccess infection you had- you'll have to reinstall it ;)

Try uninstalling ESET with Revo Uninstaller:

Please download and install Revo Uninstaller (Freeware) from here. Then please run Revo Uninstaller and select ESET (or NOD32).

Please click Uninstall icon to uninstall the selected program.


Please choose Advanced.


Then click Next and follow the prompts.

Please click Select All (1.) and Delete (2.)


to delete all registry items, folders and files listed by Revo.

If asked to restart the computer, please do so immediately.

Let me know how it goes ;)


Your logs are looking better!

Before we move on, let's run some more scans to see if there's any traces left :):

Please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic


Please use the Internet Explorer and run a BitDefender Online scan from Here

  • Please check I agree with the Terms and Conditions and click Start Here
  • You will need to allow an Active X install for the scan to run.
  • Leave the scanning options at default and click Start Scan

Please post the results in your next reply.

Link to post
Share on other sites

So hello again,

Revo Uninstaller didnt delete all of Eset cause i have no rights. I boot in safe mode than i can

delete the Regkeys and Folders. I think the Zeroaccess Bastard

change something of the windows security.

I found that MS article http://support.microsoft.com/kb/313222/en-us

With this fixit you can restore the security defaults of Windows.

In normal mode i can install NOD32 AV and it works without a error.

Before i do that i made a Eset Online Scan the result was nothin found.

I do now the Bitdefender Onlinescan. If its done i will write you back.

BTW How can i uninstall the MS Recovery Console? Must i only edit the boot.ini and delete

the cmdcons directory?

Link to post
Share on other sites

Glad to hear you were able to reinstall ESET :)

I'll wait for the online scan logs ;)

BTW How can i uninstall the MS Recovery Console? Must i only edit the boot.ini and delete

the cmdcons directory?

I'd strongly recommend you don't remove it- the Recovery Console is a crucial security fallback option that you should keep installed at all times ;)

Link to post
Share on other sites

Ewww one File found as Gen:Trojan.Heur.Hype.cqW@amPT8Jn

It happens :P

Please delete the following file (in bold): C:\WINDOWS\system32\c_25310.nl

Then, empty the Recycle Bin.



Before we move on, please take the time to install the following updates, as using outdated applications leaves you extremely vulnerable to getting infected again ;):

Your Flash Player is out of date!

To make sure you have the latest version of Adobe Flash Player installed:

1. To uninstall an older version, download this file to your Desktop: uninstall_flash_player.exe

2. Quit ALL running applications, including all Internet Explorer or other browser windows, and messenger applications (like AOL Instant Messenger, Yahoo Messenger, MSN Messenger).

3. Double-click on the file you've downloaded to uninstall Flash.

4. If uninstalled successfully, go to this site: Install Adobe Flash Player, and choose Agree and install now. This will install the newest version of Flash for your browser (note: Flash plugins for IE and Firefox must be installed separately).

Note: I recommend you uncheck an optional install (Free McAfee Security Scan or Free Google Toolbar).


Please let me know how the updates went, as failed updates may indicate additional malware ;)

Link to post
Share on other sites

Glad to hear the updates went well! :)

Unless there are any further issues, I will now provide you with some suggestions for security software, but first, ComboFix must be uninstalled ;):

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall


Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future. :)

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates or get into the habit of checking Windows Update regularly. They usually have security updates every month. You can set Windows to notify you of Updates so that you can choose, but only do this if you believe you are able to understand which ones are needed. This is a crucial security measure.

It is really dangerous to go online without an antivirus. Without one, you are extremely likely to get infected and the consequences could be even worse next time. All of the following are excellent free antiviruses. Be sure to only install one.




Please consider installing and running some of the following programs; they are either free or have free versions of commercial programs:

Spybot-Search & Destroy

A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features if you don't have the resident part of another anti-spyware program running.


A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.


A tutorial on using SpywareGuard for real-time protection against spyware and hijackers may be found here.

Please, consider maintaining a firewall with HIPS (Host Intrusion Prevention Systems). Firewalls are extremely important and are the first part of your computer's defense. HIPS stops malware by monitoring its behavior and it's very important, too.

A firewall is a software program or piece of hardware that helps screen out hackers, viruses, and worms that try to reach your computer over the Internet.

If you are using the Windows Firewall please note that it doesn't monitor or block outbound traffic and is therefore less effective than other free alternatives.

These firewalls are good and do have free versions available

A tutorial on understanding and using firewalls may be found here.

If you use Internet Explorer, it is a good idea to use IE-Spyad for ZonedOut which provides protections against malicious websites. (Requires 2 downloads)

Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster and IE-Spyad can be run with any of them.

Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:


A similar category of programs is now called "scareware." Scareware programs are active infections that will pop-up on your computer and tell you that you are infected. If you look closely, it will usually have a name that looks like it might be legitimate, but it is NOT one of the programs you installed. It tells you to click and install it right away. If you click on any part of it, including the 'X' to close it, you may actually help it infect your computer further. Keeping protection updated and running resident protection can help prevent these infections. If it happens anyway, get offline as quickly as you can. Pull the internet connection cable or shut down the computer if you have to. Contact someone to help by using another computer if possible. These programs are also sometimes called 'rogues', but they are different than the older version of rogues mentioned above.

Please consider using an alternate browser. Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScripts, can make it even more secure. Opera is another good option.

If you are interested, Firefox may be downloaded from here

Opera is available here: http://www.opera.com/download/

For much more useful information, please also read Tony Klein's excellent article: How did I get infected in the first place

Hopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help. :)

Link to post
Share on other sites

  • Staff

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.