Emul:mem Worm. Rootkit.ZEROACCESS.

I am trying to fix my stepsister's computer. When she brought it to me, it was seriously screwed up, and it was being bombarded by it. When I put Avast in, immediately after the "welcome to Avast" it said it wasn't fully protected. I looked; all the shields were running. As I dug deeper, I wasn't able to turn on the firewall, so I tried clicking the internet lock for ten minutes. Avast was shut down by a virus, worm or malware. So I ran CCleaner and TDSSKiller. TDSSKiller found 2 things: malware and a suspicious locked file. I used CCleaner to fix problems in the registry and delete any complications with other things. I am currently running ComboFix on it. It just now (as I'm typing) popped up a message saying that it is infected with Rootkit.ZeroAccess. It is a particularly difficult infection and it has injected itself into something. Now it popped up saying "rootkit detected". I'm restarting the computer now. If this doesn't work, I may need some help. Does anyone have information on what this infection does altogether, as I have no clue?

More info: when I put Avast in before running any programs, a threat popped up about every 2-3 minutes. It kept blocking a malicious URL that was trying to be opened by C:\Windows\system32\ping.exe. Has the infection injected code into that Windows file to make it do so?

Any ideas?

Stop running tools like ComboFix without aid if you have doubts about what you are doing.

Stop moving/deleting things now, and follow the guide here >> http://forum.avast.com/index.php?topic=53253.msg451454#msg451454

I have done stuff like this before. I'm just wondering what ping.exe has to do with the rootkit problem.

Forum search "ping.exe" in the Viruses and Worms section; it will return plenty of hits. :wink:

Thank you, sir :wink:

Np, good hunting.

Hi, the first programme I would like to see a log from is aswMBR, followed by the OTL scan please.

I forgot where I would locate that. I have to use a USB stick to bring it over, as the internet on the computer will not work after removing the rootkit. I have the ComboFix log prepared.

It says "failed to query TCP/IP settings of the connections" when I try to repair the connection.

Ah OK, I will give the download links and destructions, plus one additional programme to look at the net.

Download OTL to your Desktop

- Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
- Select All Users
- Under the Custom Scan box paste this in:

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
consrv.dll
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
C:\Windows\assembly\tmp\U*.* /s
%Temp%\smtmp\1*.*
%Temp%\smtmp\2*.*
%Temp%\smtmp\3*.*
%Temp%\smtmp\4*.*

>C:\commands.txt echo list vol /raw /hide /c
/wait
>C:\DiskReport.txt diskpart /s C:\commands.txt /raw /hide /c
/wait
type c:\diskreport.txt /c
/wait
erase c:\commands.txt /hide /c
/wait
erase c:\diskreport.txt /hide /c
CREATERESTOREPOINT

- Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Post both logs

THEN

Download aswMBR.exe (1.8 MB) to your desktop.
Double click aswMBR.exe to run it, then click the "Scan" button to start the scan.

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR%20shots/aswMBRScan.gif

On completion of the scan click "Save log", save it to your desktop and post it in your next reply.

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR%20shots/aswMBRsavelog.gif

FINALLY

Run Farbar Service Scanner.

http://i1224.photobucket.com/albums/ee362/Essexboy3/Farbar/FSS-1.jpg

Tick “All” options.
Press “Scan”.
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.
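The custom-scan directives above tell OTL what to collect: MD5s of a few core system binaries, the contents of C:\Windows\assembly\tmp\U and %Temp%\smtmp\1..4, the netsvcs svchost group, and a diskpart volume listing. The script below is an added example, written for this page and not part of the thread, OTL, aswMBR or FSS, that gathers the same facts with plain PowerShell so they can be carried off a machine with no working network on a USB stick. Its output file name (triage.txt on the Desktop), its report format, and the firewall-related service names it checks in the last section (SharedAccess on XP; MpsSvc and BFE on Vista/7) are my own choices, not anything the helper asked for. It avoids Get-FileHash so it also runs on the PowerShell 2.0 that shipped with Windows 7. Run it from an elevated PowerShell prompt.

```powershell
# Added triage example (not OTL, aswMBR or FSS code, and not from the thread):
# collects the same facts the OTL custom scan above asks for. Assumed: an
# XP/Vista/7 box, an elevated prompt, and that triage.txt on the Desktop is
# an acceptable place for the report.
$Out   = Join-Path ([Environment]::GetFolderPath('Desktop')) 'triage.txt'
$lines = @("Triage run $(Get-Date) on $env:COMPUTERNAME")

# 1. MD5 of the binaries between /md5start and /md5stop, looked up where
#    Windows normally keeps them. Compare against a clean machine of the same
#    build; a mismatch is what the helper is looking for. Uses .NET directly
#    because Get-FileHash does not exist on PowerShell 2.0.
$md5     = [System.Security.Cryptography.MD5]::Create()
$targets = 'consrv.dll','explorer.exe','winlogon.exe','Userinit.exe','svchost.exe'
$dirs    = @($env:SystemRoot, "$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
foreach ($d in $dirs) {
    foreach ($name in $targets) {
        $p = Join-Path $d $name
        if (-not (Test-Path $p)) { continue }
        $f = Get-Item -Path $p -Force
        $s = $f.OpenRead()
        try     { $hash = ($md5.ComputeHash($s) | ForEach-Object { $_.ToString('x2') }) -join '' }
        finally { $s.Close() }
        $lines += "MD5 {0} {1,9} bytes {2}" -f $hash, $f.Length, $p
    }
}

# 2. The directories the scan lists with wildcards: C:\Windows\assembly\tmp\U
#    (recursively) and %Temp%\smtmp\1..4. -Force shows hidden/system entries.
$suspect = @("$env:SystemRoot\assembly\tmp\U") + (1..4 | ForEach-Object { "$env:TEMP\smtmp\$_" })
foreach ($d in $suspect) {
    if (-not (Test-Path $d)) { $lines += "absent  $d"; continue }
    $lines += "PRESENT $d"
    foreach ($e in Get-ChildItem -Path $d -Recurse -Force -ErrorAction SilentlyContinue) {
        $lines += "    {0,9} {1:yyyy-MM-dd HH:mm} {2}" -f $e.Length, $e.LastWriteTime, $e.FullName
    }
}

# 3. The netsvcs svchost group and where each member's ServiceDll points,
#    i.e. what OTL's "netsvcs" keyword reports.
$svchost = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$members = (Get-ItemProperty -Path $svchost -Name netsvcs).netsvcs
$lines  += "netsvcs: " + ($members -join ', ')
foreach ($svc in $members) {
    $params = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc\Parameters"
    $dll = (Get-ItemProperty -Path $params -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if ($dll) { $lines += "    {0,-22} {1}" -f $svc, $dll }
}

# 4. Volume listing, the same thing the diskpart lines in the scan capture.
$cmd = Join-Path $env:TEMP 'commands.txt'
'list vol' | Set-Content -Path $cmd
$lines += diskpart /s $cmd
Remove-Item -Path $cmd

# 5. State of the firewall-related services, since the firewall would not
#    turn on. Assumed names: SharedAccess on XP, MpsSvc and BFE on Vista/7.
foreach ($n in 'SharedAccess','MpsSvc','BFE') {
    $svc = Get-Service -Name $n -ErrorAction SilentlyContinue
    if ($svc) { $lines += "service {0,-13} {1,-8} {2}" -f $n, $svc.Status, $svc.DisplayName }
    else      { $lines += "service {0,-13} not installed" -f $n }
}

$lines | Set-Content -Path $Out
Write-Host "Report written to $Out; copy it to the USB stick and post it."
```

This does not replace the OTL, aswMBR and FSS logs the helper asked for; it only lets you read the same evidence yourself, and anything it flags (an MD5 that differs from a clean copy of the same Windows build, a populated assembly\tmp\U directory, a netsvcs member whose ServiceDll points somewhere unexpected, or a stopped firewall service) is what to mention when you post the logs.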

Oops, I forgot to use OTL on it. Just one moment. Should I put the OTL log up before running the other programs?

Yep post as you get 'em ;D

OK sir :slight_smile:

OTL log

aswMBR log

FSS.txt

All the logs are now posted. aswMBR found a locked file. Is that bad?

Shall I post the ComboFix log as well?