Malware Win32ZAccess-PB [Trj]

Hello all,

You helped me last year with the Sirefef virus; this time Avast keeps showing the alert Win32:ZAccess-PB[Trj]
every 5 minutes or so. I've tried to remove it, but according to the reports, my laptop is still infected.
I can't download any of the tools that you provide; I don't know why, but they're detected as a virus.
I've managed to get an OTL report (I kept the application from last year), and the mbam-log as well; hope it's enough.

I need your help again, please

Thanks in advance,
Ruth

You seem to have a ZeroAccess rootkit… again. :cry: How do you do it? :-[

Removers are notified.

Monitoring …

I think installing a codec pack :slight_smile:
In Spain we say “Man is the only animal to stumble over the same stone twice” :-\

The infection loaded its loading files today. This is something that you downloaded and ran from torrents …

probably this:
C:\Users\Txomin\Desktop\L.A. - Dualize 2013.rar

If you do not know how to use torrents then don’t use them. Why would I set aside my free time to help you if you first do not want to help yourself?

  • Torrents are illegal stuff; even if I told you not to use torrents, you probably wouldn’t obey.

Fixing …

Re-run OTL.exe.

  • Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.



:Commands
[CREATERESTOREPOINT]

:Otl
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKLM..\Run: [WinampAgent] "C:\Program Files (x86)\Winamp\winampa.exe" File not found
O4 - HKU\S-1-5-21-2039352587-2439263487-3237410795-1000..\Run: [AdobeBridge]  File not found
[2013/06/30 17:38:59 | 000,000,804 | ---- | C] () -- C:\Windows\Installer\{0a7579f0-3fba-27f3-3dab-5d5370e62ba6}\L\00000004.@
[2013/06/30 17:38:58 | 000,015,360 | ---- | C] () -- C:\Windows\Installer\{0a7579f0-3fba-27f3-3dab-5d5370e62ba6}\U\80000000.@
[2013/06/30 17:38:58 | 000,002,048 | ---- | C] () -- C:\Windows\Installer\{0a7579f0-3fba-27f3-3dab-5d5370e62ba6}\U\00000004.@
[2013/06/30 15:02:04 | 000,001,024 | ---- | C] () -- C:\Windows\Installer\{0a7579f0-3fba-27f3-3dab-5d5370e62ba6}\U\00000008.@
[2012/01/11 15:43:54 | 000,002,048 | -HS- | C] () -- C:\Windows\Installer\{0a7579f0-3fba-27f3-3dab-5d5370e62ba6}\@

:Files
C:\Windows\Installer\{0a7579f0-3fba-27f3-3dab-5d5370e62ba6}
ipconfig /flushdns /c

:Commands
[emptytemp]


  • Then click the Run Fix button at the top.
  • Let the program run unhindered; it will reboot the system when it is done and open Notepad with a log report. Attach that log report here.

THEN …

Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.

Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this or this Instruction.

How to disable avast:

  • Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
  • In the window that opens, on the top right corner, click Settings.
  • In the new window that opens, choose the option Troubleshooting, uncheck Enable avast! self-defense, and click OK.

  • Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls.
  • In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn on this option after the cleaning.

Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note: Do not mouse-click ComboFix’s window while it is running.
If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart computer once more.

When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt)
Attach the log report (ComboFix.txt) back to the topic.

I know it is absolutely my fault, but it has nothing to do with that archive; I think it was installing a codec pack.
OTL is not responding with the code you gave me. I guess I've done something bad.
I'm really sorry to take up your time.
Thank you so much anyway Magna86,
Ruth

Don’t quit on me yet … try to run ComboFix. We will clean this machine. :wink:

I can't download any program; Avast detects them as a virus…

Avast detects ComboFix? Are you sure? Disable avast and try again to download and run ComboFix as instructed. If you fail, just let me know; we will use another tool that I have in my hands.

I have tried it three more times, even with Avast disabled, but it is detected as a virus. Screenshot attached.

Hm … that doesn’t look like avast. :slight_smile:

Follow this guide for running RogueKiller:
http://forum.avast.com/index.php?topic=53253.0

Attach all RK_reports here.

THEN …

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens, click Yes to the disclaimer.
  • Under Optional Scan ensure “List BCD” and “Driver MD5” are ticked.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Hi again,
I've managed to download the applications from a friend's laptop. You were right,
it had nothing to do with Avast; it was related to Windows. Yesterday I didn't think clearly.
I've followed the instructions and have attached the requested reports. In case you need something else, let me know, please.
I appreciate your help.

  1. Open notepad and copy/paste the text present inside the code box below.
    To do this highlight the contents of the box and right click on it. Paste this into the open notepad.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.


Start
File: %SystemRoot%\system32\shell32.dll
HKLM-x32\...\Run: []  [x]
HKCU\...\Run: [AdobeBridge]  [x]
Toolbar: HKCU - No Name - {D4027C7F-154A-4066-A1AD-4243D8127440} -  No File
Toolbar: HKCU - No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
Winsock: Catalog5 01 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 03 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 01 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 05 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
C:\Windows\Installer\{0a7579f0-3fba-27f3-3dab-5d5370e62ba6}\U
C:\Windows\Installer\{0a7579f0-3fba-27f3-3dab-5d5370e62ba6}
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
End


  2. Save notepad as fixlist.txt
    NOTE: It’s important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

  3. Run FRST/FRST64 and press the Fix button just once and wait.
    If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
    The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Note: If the tool warns you about an outdated version, please download and run the updated version.

Here is the fix log.

Looks good. Now try to download a fresh copy of ComboFix.exe and re-run it as instructed above.
Attach the ComboFix.txt log here.

Done. ComboFix file attached.

Job done. 8)

It is necessary to uninstall ComboFix:

  • Click Start (or the Vista Start button) then Run.

On Windows 7 or Vista you may use the Start Search field if Run is not available.

  • In the text line, type (or copy) the following:

ComboFix /Uninstall

Note that there is a space between "ComboFix" and "/Uninstall".

  • Then click OK (or press Enter).

Wait for the uninstall process to complete.

Please download DelFix by “Xplode” to your Desktop.

Run the tool and check the following boxes:

  • Remove disinfection tools
  • Create registry backup
  • Purge System Restore

Now click on the “Run” button. Wait for the programme to complete its work.
All the tools we used should be gone.
The tool will create and open a log report (DelFix.txt).
Note: The report will also be stored at C:\DelFix.txt

I don’t need DelFix log report.

I recommend you keep Malwarebytes and use MCShield if you will.
You may download MCShield from one of the following links:

MyCity - Official download link
Softpedija - Mirror download link

It will prevent infection of the computer via USB flash drive, mobile phone or any other memory card.
And it will not only prevent infection, but will immediately clean the flash drive, memory card or external HDD.

Good job,
Thanks a lot! :slight_smile:

One quick question: according to this, do you think the infection could have come via a pendrive, or was it the codec pack?

As I can see from the logs, ZeroAccess loaded its own malicious loading files into the system on 2013/06/30 at 17:38:58-59 according to your computer time.
What you did at that moment, or a few minutes before it, only you know for sure.
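The OTL entries quoted in the fix above and the timestamp reasoning in this last reply, as an added example that is not part of this thread: a small Python scanner that walks OTL-style log lines (a constructed sample modelled on the ones posted), flags the ZeroAccess file paths the helper had removed, and reports the creation window of the loader files so the "what did you do at that moment" question can be answered from the log. The function names, sample lines and indicator regexes are my own assumptions, not a tool from the helper or the forum.

```python
import re
from datetime import datetime

# Constructed sample OTL log lines, modelled on the entries quoted in this thread
# (same folder layout; the notes.txt line is a benign control entry).
SAMPLE_OTL = r"""
[2013/06/30 17:38:59 | 000,000,804 | ---- | C] () -- C:\Windows\Installer\{0a7579f0-3fba-27f3-3dab-5d5370e62ba6}\L\00000004.@
[2013/06/30 17:38:58 | 000,015,360 | ---- | C] () -- C:\Windows\Installer\{0a7579f0-3fba-27f3-3dab-5d5370e62ba6}\U\80000000.@
[2012/01/11 15:43:54 | 000,002,048 | -HS- | C] () -- C:\Windows\Installer\{0a7579f0-3fba-27f3-3dab-5d5370e62ba6}\@
[2013/06/30 17:40:10 | 000,000,020 | ---- | C] () -- C:\Windows\assembly\GAC_32\Desktop.ini
[2013/06/28 10:00:00 | 000,004,096 | ---- | C] () -- C:\Users\Txomin\Documents\notes.txt
"""

# One OTL file-entry line: [created time | size | attributes | C] (company) -- path
OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| [\d,]+ \| (?P<attr>[-A-Z]{4}) \| C\] "
    r"\(.*?\) -- (?P<path>.+)$"
)

# Path shapes removed by the fix scripts in this thread (assumed indicators, case-insensitive).
INDICATORS = {
    "loader file under Installer\\{GUID}\\U or \\L":
        re.compile(r"\\Windows\\Installer\\\{[0-9a-f-]{36}\}\\[UL]\\[0-9a-f]{8}\.@$", re.I),
    "hidden '@' file in Installer\\{GUID}":
        re.compile(r"\\Windows\\Installer\\\{[0-9a-f-]{36}\}\\@$", re.I),
    "Desktop.ini planted in GAC_32/GAC_64":
        re.compile(r"\\Windows\\assembly\\GAC_(32|64)\\Desktop\.ini$", re.I),
}

def scan_otl(log_text):
    """Return (created_at, path, reason) for every OTL line whose path matches an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = OTL_LINE.match(line)
        if not m:
            continue  # not an OTL file entry (headers, registry lines, blanks)
        for reason, pattern in INDICATORS.items():
            if pattern.search(m.group("path")):
                created = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")
                hits.append((created, m.group("path"), reason))
                break
    return hits

def loader_window(hits):
    """Earliest and latest creation time of the U/L loader files, or None if none were found."""
    times = [t for t, _, reason in hits if reason.startswith("loader file")]
    return (min(times), max(times)) if times else None
```

Run `scan_otl` over the full OTL log rather than this sample to get the same list the helper built by hand, and `loader_window` gives the minute to ask the user about.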