Hi,

You have attached the wrong ComboFix logs. Read the CF instructions again.
I'm waiting for the JunctionPoints.txt log too.

And yes, update CF.

Hi and good morning
update combofix.

last one

I have still been using Chrome to download.

Good morning to you. ;D

Attach JunctionPoints.txt log. It should be on your desktop somewhere …

:slight_smile:

Please download Farbar Recovery Scan Tool and save it in some folder on your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

Open notepad.

- Click Start
- Type notepad.exe in the search programs and files box and press Enter.
- A blank Notepad page should open.

Copy and paste the content below:


DeleteJunctionsInDirectory: C:\Program Files\Windows Defender
DeleteJunctionsInDirectory: C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306

- Save fixlist.txt in the same folder where you saved FRST.exe

fixlist.txt must be in the same location where FRST.exe tool is!

Run FRST.exe
- Double-click to run it. When the tool opens, click Yes to the disclaimer.
- Please note: the first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

- Press the Fix button once and wait.
- FRST will process fixlist.txt
- When finished, it will produce a log, fixlog.txt, and will keep that log in the same folder where FRST.exe is.

Attach the fixlog.txt log report here.

=========== Next ==============

Delete old zoek.exe and download new, fresh copy from here:
zoek.exe

- Close any open browsers.

- Temporarily disable your AntiVirus program (if necessary).
If you are unsure how to do this, please read this or this instruction.

- Double-click on zoek.exe to run the tool.
Please wait until the tool starts…

- Copy the text present inside the code box below and paste it into the large window in the zoek tool:



process;
srinfo;
systemspecs;
installedprogs;
DIR /S /A:L "%systemdrive%\*">>"%temp%\log.txt";b
filesrcm;
startupall;
skipfix-iedefaults;
firefoxlook;
chromelook;


- Click on the "Run script" button
(button image: http://www.mcshield.net/personal/magna86/Images/Run%20Script%20by%20zoek.png)
Please wait until a log report opens (this can be after a reboot).

- Save the Notepad file to your Desktop and attach zoek-results.log here.

Note: It will also create a log in the C:\ directory named "zoek-results.log".

=========== Next ==============

Attach here:

  1. fixlog.txt from FRST tool
  2. zoek-results.log from Zoek tool

next logs. Hopefully we will get this fixed today. :slight_smile:
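The JunctionPoints.txt log requested earlier, the `DIR /S /A:L` line in the zoek script and the `DeleteJunctionsInDirectory:` entries in the FRST fixlist all come down to one check: are there reparse points (junctions or symbolic links) sitting under the Windows Defender directories where none belong? The PowerShell script below is an added example, not code from this thread nor from the FRST or zoek authors. It lists every reparse point under the paths named in the thread with its link type and target, so the finding can be reviewed before anything is removed, and only with the `-Delete` switch does it strip the reparse data with the same `fsutil reparsepoint delete` command the later zoek script uses. Assumed: PowerShell 5.1 or later (for the `LinkType` and `Target` properties) and an elevated prompt, since the winsxs tree is protected.

```powershell
# Added example (not from the thread, FRST or zoek): enumerate reparse points
# under the directories the thread targets and optionally remove them.
# Assumes PowerShell 5.1+ (LinkType/Target properties) and an elevated prompt.
param(
    # Default paths are the ones named in the thread's FRST fixlist.
    [string[]]$Paths = @(
        'C:\Program Files\Windows Defender',
        'C:\Windows\winsxs'
    ),
    # Without -Delete the script only reports; nothing on disk is changed.
    [switch]$Delete
)

$findings = foreach ($root in $Paths) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    # -Force includes hidden/system entries; -Attributes ReparsePoint keeps
    # only junctions and symbolic links. On Windows PowerShell 5.1 the
    # recursion may itself descend into junctions, so large trees take a while.
    Get-ChildItem -LiteralPath $root -Recurse -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path        = $_.FullName
                LinkType    = $_.LinkType
                Target      = ($_.Target -join ';')
                IsDirectory = $_.PSIsContainer
            }
        }
}

if (-not $findings) {
    Write-Output "No reparse points found under: $($Paths -join ', ')"
    return
}

# Review stage: show where each link points before deciding anything.
$findings | Format-Table -AutoSize

if ($Delete) {
    foreach ($f in $findings) {
        # fsutil removes only the reparse data; the now-plain directory or file
        # is left in place, which matches what the thread's zoek script does.
        & fsutil.exe reparsepoint delete $f.Path
    }
}
```

Run it first without `-Delete` and compare the output with the JunctionPoints.txt log; a junction inside the Windows Defender folder or its winsxs component directory pointing somewhere unexpected is the thing the fixlist above is written to remove.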

the last ones. I hope.

Re-run zoek.exe as you did before but use this script:

{0633EE93-D776-472f-A0FF-E1416B8B2E3A};c
{0633EE93-D776-472f-A0FF-E1416B8B2E3A};c
emptyclsid;
fsutil reparsepoint delete "C:\Windows\winsxs\amd64_security-malware-windows-defender-events_31bf3856ad364e35_6.1.7600.16385_none_118cf1dcd54a3dea";b
fsutil reparsepoint delete "C:\Windows\winsxs\amd64_security-malware-windows-defender-events_31bf3856ad364e35_6.1.7600.16385_none_118cf1dcd54a3dea\MpEvMsg.dll";b
FFdefaults;
chrdefaults;
shortcutfix;
resetIEproxy;
ipconfig /flushdns >> %temp%\log.txt;b
resethosts;
emptyalltemp;
autoclean;

How is your computer running now?

I don't know yet. I will test it out. I think I am going to run those other tests that I couldn't before and do the Windows fix. What do you think? I also noticed I don't have a backup or system restore point.
Thanks

Hi,

Please go to this file-sharing website and upload the sample which was created by the zoek.exe program.

C:\Users\Public\Desktop\sample_20130523_0224.zip

http://www.wikisend.com/

Paste the download link here.
PS: break the download link by changing "http://" into "hxxp://".

I think I am going to run those other tests that I couldn't before and do the window fix.
What other tool? Don't run bloatware or various junkware tools for so-called test-windows. Test it by hand. Run browsers, run/start AntiVirus ... etc. If all works well, that's it.

I ALSO ENCOUNTERED THIS VIRUS AND I WAS ABLE TO FIX IT…

In Windows 7 and Vista
Go to the Start Menu and inside the Search box type CMD.
Now at the top side of the Start menu you can see one file called CMD.
Right-click on that one and select the option RUN AS ADMINISTRATOR.
In Windows XP
Go to Run and type "cmd" to open the command prompt.
Now you will get a black window. Inside that black window type the commands.
Type or copy & paste "sfc /scanfile=c:\windows\system32\services.exe" and press Enter.
Restart your computer
Then Scan It Again Using AVAST… You would be able to detect it again but now in temp files and it will be deleted at this time…

@ jomeryeoboy

This is this user's topic. You need to open a new topic and post the logs for review:
Follow guide from here: http://forum.avast.com/index.php?topic=53253.0

AdwCleaner ← cleaning adware & junkware
Malwarebytes ← preventive, for malware removal
OTL and aswMBR ← primary diagnostic system and anti-rootkit tool

I am sorry, but I am lost. Are you saying that I have a file from zoek that is called sample, or do you want me to make one? Let me know what you would like me to do. Do I have to remove all this stuff again?

Since you don't know about the existence of this file sample, you probably deleted it by mistake. Doesn't matter. Skip that. :wink:

Do I have to remove all this stuff again?
Yap, remove it by downloading & running the DelFix tool.

Download DelFix by "Xplode" to your Desktop.

Run the tool and check the following boxes:

- Remove disinfection tools
- Create registry backup
- Purge System Restore

Now click on the "Run" button. Wait for the programme to complete its work.
All the tools we used should be gone.
The tool will create and open a log report (DelFix.txt).
Note: The report will also be stored at C:\DelFix.txt

I don’t need DelFix log report.

I found the log, but it is zipped and has a password, so I can't do anything with it. Sorry. Thank you for your help. Do you know why the virus came right back?

Yes. You got a new variant of the ZeroAccess rootkit, and our tools had not been updated to target/show all parts of this malware. Now everything is removed.