Need some help with removing Trojan Win64/Sirefef.Y

Hi, I've been lurking here for a while, so I know you guys are good at removing tough malware. I have a computer that's been infected with ZeroAccess. I will be at the client's location in about 12 hours; I could post logs then. MBAM originally found ZeroAccess and removed it, but it's back after reboot. Microsoft Safety Scanner removed 2 additional trojans and partly removed Sirefef.Y, then a message appears saying there is some critical error and it will reboot in a minute, please save your work. Currently the computer has MSE installed (which is better than the previous AV). I've been told by the client that MSE finds it at bootup, and then it goes into a boot loop.

TIA

Follow the guide here and attach (not copy and paste) logs from Malwarebytes / OTL / aswMBR:
http://forum.avast.com/index.php?topic=53253.0

When done, a malware removal specialist will be notified and will help you when he arrives... it may take several hours.

Monitoring

At Windows 7 bootup everything is fine, then MSE (the only temp AV) finds it and says cleaning. Then it pops up saying the system has a critical error and has to reboot in 1 min, so I can't disable MSE or do anything, including running those tools.

Does safe mode work?

Tried. Same thing.

Better wait for Essexboy then.

OK, can you burn a CD, or if you have Windows 7 then a USB will do. I will give instructions for both.

CD- XP/Vista

Please print these instructions out so that you know what you are doing

[list]

[*]Download OTLPENet.exe to your desktop
[*]Download Farbar Recovery Scan Tool and save it to a flash drive.
[*]Ensure that you have a blank CD in the drive
[*]Double click OTLPENet.exe and this will then open ImgBurn to burn the file to CD
[*]Reboot your system using the boot CD you just created.
Note : If you do not know how to set your computer to boot from CD follow the steps here
[*]As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads :)
[*]Your system should now display a Reatogo desktop.
Note : as you are running from CD it is not exactly speedy
[*]Insert the flash drive with FRST on it
[*]Locate the flash drive and run FRST
[*]The tool will start to run.

http://i1224.photobucket.com/albums/ee362/Essexboy3/Farbar/FRST2.gif

[*]When the tool opens click Yes to disclaimer.
[*]Press Scan button.
[*]It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
[/list]

USB

Download the following three programmes to your desktop:

  1. WiNToBootic
  2. Windows 7 64-bit RC
     Windows 7 32-bit RC
  3. 64-bit: Farbar Recovery Scan Tool x64
     32-bit: Farbar Recovery Scan Tool

Extract WiNToBootic to your desktop
Insert a USB drive of at least 4GB
Run WiNToBootic

http://dl.dropbox.com/u/73555776/wintoboot.JPG

Drag and drop the Windows 7 ISO to the programme in the space indicated
Tick the Format box and accept the warnings
Press Do It

You will see it progressing

http://dl.dropbox.com/u/73555776/usb%20progress.JPG

It will let you know when it is done
Then copy FRST to the same USB

http://dl.dropbox.com/u/73555776/frstwintoboot.JPG

Insert the USB into the sick computer and start the computer, first ensuring that the system is set to boot from USB.
Note: If you are not sure how to do that follow the instructions Here

When you reboot you will see this, although yours will say Windows 7. Click Repair my computer

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7275.jpg

Select your operating system

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277202.jpg

Select Command prompt

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277.jpg

At the command prompt type the following:

notepad and press Enter.
Notepad opens. Under the File menu select Open.
Select "Computer", find your flash drive letter and then close Notepad.
In the command window type e:\frst64.exe and press Enter
Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
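The Notepad trick above is only a way to discover which letter the recovery environment gave the flash drive (the letters differ from the installed Windows: X: is the WinRE RAM disk and the Windows partition often shows as D:). As an added example, not part of the original post, the same lookup can be done from the recovery command prompt itself. It assumes FRST64.exe was copied to the root of the USB stick as the instructions say; the drive letter E: in the last line is an assumption and should be replaced by whatever the loop reports.

```batch
rem Added example, typed at the Windows 7 recovery command prompt
rem (not from the original post). Checks every drive letter for
rem FRST64.exe in the root and reports where it is.
rem If you save this as a .bat file instead, write %%d where %d appears.
for %d in (C D E F G H I J K L M N O P Q R S T U V W X Y Z) do @if exist %d:\FRST64.exe echo FRST64.exe found on drive %d:

rem Then start FRST from the letter reported. E: is an assumption here;
rem FRST writes its log (FRST.txt) next to itself, i.e. on the flash drive.
E:\FRST64.exe
```

If nothing is printed, the stick was not detected by the recovery environment (try another USB port, or plug it in before booting), which is worth knowing before spending time on the Notepad dialog.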

I'm following the CD instructions, since I don't have a flash drive with me. Currently downloading OTLPENet on a working PC. It says to download FRST to a flash drive; should I download that to CD too? Also, this is Win7 x64, so should I download the x64 FRST from the 2nd set of instructions?

If this is Win 7 64-bit, it may be worthwhile downloading the boot disc as that will always come in handy... I have a copy of that and the 32-bit one

You can put FRST64 on the CD but after OTLPE has been installed - drop it on the root sector

Done with the install on the CD (OTLPE), but there's not enough room on the CD for FRST64. It's a CD-RW disc.

OK, as it stands then, run OTLPE and I will work from that initially

OTLPE should enable you to access the internet

[*]Reboot your system using the boot CD you just created.
Note : If you do not know how to set your computer to boot from CD follow the steps here
[*]As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads :)
[*]Your system should now display a Reatogo desktop.
Note : as you are running from CD it is not exactly speedy
[*]Double-click on the OTLPE icon.
[*]Select the Windows folder of the infected drive if it asks for a location
[*]When asked “Do you wish to load the remote registry”, select Yes
[*]When asked “Do you wish to load remote user profile(s) for scanning”, select Yes
[*]Ensure the box “Automatically Load All Remaining Users” is checked and press OK
[*]OTL should now start
[*]Press Run Scan to start the scan.
[*]When finished, the file will be saved as C:\OTL.txt
[*]Copy this file to your USB drive if you do not have an internet connection on this system
[*]Right click the file, select Send to, and select the USB drive.
[*]Confirm that it has copied to the USB drive by selecting it
[*]You can backup any files that you wish from this OS
[*]Please post the contents of the C:\OTL.txt file in your reply.

OK, after "Yes" for the remote registry it asks to select a user profile, with choices like LocalService, 1 username, etc., and this dialog box has "Automatically load all remaining users" checked. Should I select LocalService (the top, already selected choice), or the username?

Go with LocalService initially please

OTL file created, but that PC has no network connection in Reatogo.

Darn, and no USB drive either?

Could you burn the Windows 7 recovery console and FRST to the same disc?
Then burn the FRST log once produced - without the log I cannot see where to resolve the problem

Will try to burn the Win7 RC and FRST64 to another disc, but the link for the Win7 RC points to the 32-bit one.

There are two links - one 32-bit and one 64-bit

Both point to the 32-bit one, but I found it.

Duh, colour me stupid :-[