Help deleting Rootkit.ZeroAccess

Would you please assist me in getting rid of Rootkit.ZeroAccess?

I’m new to Avast and would like to buy the pro-edition, but I need to get rid of this virus first. I was trying to follow the steps to get the logs that you required but I encountered the following issues:

OTL - it was running and then gave me an Access Violation 0052DFB7 error. I then used the other link provided, and got the same result. No logs were produced.

Malwarebytes Anti-Malware won’t install. I get the following message: CoCreateInstance error code 0x8004FF01.

Follow the guide here and attach the logs, do not copy and paste:
http://forum.avast.com/index.php?topic=53253.0

AdwCleaner
Malwarebytes
OTL
aswMBR

When done, the removal specialists will be notified and will analyze your logs.

I’ve followed the directions on that link and I attached the only report that I was able to get. Like I mentioned on my previous post, I’m having problems running OTL and Malwarebytes. Here is the AswMBR.txt report.

Hi, sorry for missing you.

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT!!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion, then reboot; that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.

Here is the ComboFix report. A screen came up saying that Rootkit.ZeroAccess was found, then another screen popped up with a code 2 error for Malwarebytes, and after that another screen said that the rootkit was detected and that the system needed to reboot the computer. After it rebooted it ran all 50 stages and then produced the report.

Could you now retry OTL please?

Also, how is the computer behaving?

I got the same ‘Access Violation’ error 0052DFB7. The computer seems to be getting worse. The internet is getting slower and slower.

OK, reboot to safe mode.
Rename ComboFix to gotcha by right clicking and selecting rename.
Then run the renamed ComboFix.

Done, here is the new report.

How is the computer behaving now?

Download and run Farbar Service Scanner

http://i1224.photobucket.com/albums/ee362/Essexboy3/Farbar/FSS-1.jpg

Tick “All” options.
Press “Scan”.
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.

Here is the Farbar report.

How is the computer behaving now?

Hi there.
This week my PC caught the Ukash Ransom virus and I thoroughly recommend following this link to download software that removed the virus for me. Avast was no help at all; after it deleted the virus my PC was still affected.

http://www.bleepingcomputer.com/virus-removal/remove-police-central-e-crime-unit-reveton-ransomware

It worked for me - no reason why it won’t work for you.
Graham. Good luck!

@ graham55

Essexboy is a qualified malware removal specialist and also a teacher (training other malware removal candidates) and a moderator at geekstogo.

Please refrain from offering advice on cleaning in the viruses and worms forum, that is left to the qualified malware removal specialists.

Not to mention your post appears to be completely unrelated.

ZeroAccess and ransomware are two different animals, and what works for one will not work for the other.

The computer is pretty much the same.

OK, let's dive deep.

The zip folder that this creates will need to be uploaded to a file sharing site for me to collect.

Download AVPTool from here to your desktop.

Run the programme you have just downloaded to your desktop (it will be randomly named).

First we will run a virus scan:
On the first tab select all elements down to Computer and then select Start scan.
Once it has finished, select Report and post that.

http://i1224.photobucket.com/albums/ee362/Essexboy3/AVPfront.gif

http://i1224.photobucket.com/albums/ee362/Essexboy3/avpsettings.gif

Do not close AVPTool or it will self uninstall; if it does uninstall, then just rerun the setup file on your desktop.

Now an analysis scan:
Select the Manual Disinfection tab.
Press the Gather System Information button.
Once done, open the last report saved folder, then attach the zip file to your next post.
The file is located at C:\Users\[your name]\Desktop\Virus Removal Tool\setup_9.0.0.722_05.01.2011_20-34\LOG\avptool_sysinfo.zip

http://i1224.photobucket.com/albums/ee362/Essexboy3/AVPAnalysis.gif

Hi LaLuz,
Download and run Kaspersky TDSS Killer (http://support.kaspersky.com/viruses/solutions?qid=208283363); it requires no installation! If you can’t open programs, download Rkill (http://www.bleepingcomputer.com/download/rkill/); it has many extensions, not only .exe! After running it, do not restart your computer and try to run Malwarebytes (http://www.malwarebytes.org/products/malwarebytes_free/) or Hitman Pro (http://www.surfright.nl/en/hitmanpro/). If Rkill can’t help you, try Rogue Killer (http://tigzy.geekstogo.com/roguekiller.php). If this can’t help you, restart in safe mode with networking and try again!
Hope this helps!

@liubomirwm what will that achieve? The MBR is clean, there are no run keys associated with malware, and HitmanPro has a record of killing systems. Why do you propose these?

@ liubomirwm
What Essexboy is probably too polite to say is that only qualified malware removal specialists should give removal advice in the viruses and worms forum.

Considering I had only posted the same thing in Reply #13 for graham55, even more so does this apply as it also indicates you didn’t read the topic.

Please refrain from offering advice on cleaning in the viruses and worms forum, thank you.