rootkit? google redirect

Caught something this morning and I have been getting pop-ups regularly from Comodo saying:

Malware Blocked
Object C:\windows\assembly\temp\U\800000cf.@
Infection Win32:Malware-gen

Google is being redirected.

I tried MalwareBytes and Comodo for removal without any luck.

Your forum has a maximum attachment size limit of 192k.

My otl log file is 211k so I will attach the first part here and attach otl-part2, extras and mbam logs in the following post.

I do not want to restore from a backup. Any help appreciated.

other logs attached

Try to use tdsskiller. tdsskiller.notlong.com

Thanks, I will give it a try. I tried the sophos version without luck.

Hi,

You seem to be infected with the ZeroAccess rootkit.

Download Combofix from either of the links below, and save it to your desktop.
Link 1
Link 2

Note: It is important that it is saved directly to your desktop


IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here


- Right-click and Run as Administrator on ComboFix.exe & follow the prompts.
- When finished, it will produce a report for you.
- Please post the C:\ComboFix.txt for further review.

Hi opetero,

Follow jeffce’s instructions meticulously. He will lead you through the removal of this malware.

polonus

Thanks for your help. Had to run out for a few hours and fix someone else’s computer.

After ComboFix ran, something internal to Windows broke the internet connection for all Windows programs. Windows said I was connected to the internet, and although I could still ping out to both IPs and domains from DOS, nothing inside Windows could connect after resetting everything and multiple boots.

I mucked around with the network drivers and protection for a bit trying to get the connection back up, without success. I had already wasted the better part of a day, so I gave up and restored from yesterday’s backup. I don’t keep any data on the boot drive, so nothing was lost.

Probably unwisely, I ran the restore from inside the corrupted W7 instead of wiping the partition and starting clean. During the restore I got a message I hadn’t seen before from Acronis, something about how I was trying to run programs from the quarantine while restoring. Earlier on I kind of suspected whatever it was might be acting from the quarantine, but I didn’t think that was possible. That message made me suspect I was right. Makes me wonder how safe quarantining files is?

Hi opetero,

Sorry to hear about your problems with this infection. It really is the real-deal and is known to destroy an internet connection unfortunately. It seems that you got it back though?

Were you able to run ComboFix through and if so did it produce a log?

Yes I did get combofix to run all the way through. The log is attached.

I see a number of services running which don’t need to/shouldn’t be. It’s been a while since I did any housecleaning.

I’d be interested in your opinion on the log. Anything that concerns you?

- - - - ORPHANS REMOVED - - - - .
Wow6432Node-HKCU-Run-USB Safely Remove - c:\program files (x86)\(010) FILE UTILS\USB Safely Remove\USBSafelyRemove.exe
ShellIconOverlayIdentifiers-MacDrive volume icons - (no file)
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\7AF0.tmp"

It appears memsweep2 service was the problem.

What’s the best protection against this type of malware getting through? It’s very rare that anything gets onto my machine, and if it did, I’m sure I’ll be called on to resolve similar problems on other local machines.

Hi,

- Please open Notepad (Start → Run → type notepad in the Open field → OK) and copy and paste the text present inside the code box below:


ClearJavaCache::

DDS::
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
Trusted Zone: com.tw\www.msi

Firefox::
FF - ProfilePath - c:\users\coolM\AppData\Roaming\Mozilla\Firefox\Profiles\ktv8chpr.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: network.proxy.type - 1
FF - user.js: network.proxy.no_proxies_on -
FF - user.js: network.proxy.share_proxy_settings - true
FF - user.js: network.proxy.type - 1);user_pref(network.proxy.socks,
FF - user.js: network.proxy.socks_port - 0

File::
c:\windows\system32\7AF0.tmp
c:\windows\system32\F842.tmp
C:\DUMP610b.tmp

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MEMSWEEP2]

Driver::
BC_3DES
BC_BF128
BC_BF448
BC_BFish
BC_CAST
BC_DES
BC_Gost
BC_IDEA
BC_RC6
BC_RIJN
BC_SERP
BC_TFISH
fsh
mhk
moh

- Save this as CFScript.txt and change the “Save as type” to “All Files” and place it on your desktop.

http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif

- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files, which may cause “unpredictable results”.
- Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
- ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
- When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix’s window while it is running. That may cause it to stall.
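As an added defender-side example (not code from this thread, from ComboFix or from any of the posters), here is a small Python triage script that scans log lines in the style of the ComboFix/OTL entries quoted in the posts above and in the CFScript, and flags the indicator classes the thread turns on: a file under \windows\assembly\temp\U\ with an “@” name (the path in the Comodo alert), a service whose ImagePath is a .tmp file, Firefox proxy settings set from user.js (including the “);user_pref(” fragment, which looks like a pref-file injection), and Trusted Zone entries. The sample lines are constructed for the example, and the rule names and the triage() function are my own. A flag is a prompt for review, not a verdict: a service entry pointing at a temporary file, for instance, can also be left behind by a legitimate scanner.

```python
import re
from typing import List, Tuple

# Constructed sample lines, modelled on the ComboFix / OTL entries quoted in the thread.
# The Tcpip entry is a benign control line so the script has something NOT to flag.
SAMPLE_LOG = r"""
Object C:\windows\assembly\temp\U\800000cf.@
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\7AF0.tmp"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip]
"ImagePath"="system32\DRIVERS\tcpip.sys"
FF - prefs.js: browser.startup.homepage - about:blank
FF - user.js: network.proxy.type - 1);user_pref(network.proxy.socks,
FF - user.js: network.proxy.socks_port - 0
Trusted Zone: com.tw\www.msi
"""

# A path of the form ...\assembly\temp\U\<name>@ as seen in the Comodo alert.
ASSEMBLY_RE = re.compile(r"\\assembly\\temp\\U\\[^\\\s]*@", re.IGNORECASE)
# A service key in a registry dump; the optional "-" is the ComboFix deletion marker.
SERVICE_KEY_RE = re.compile(
    r"^\[-?HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet\d+\\services\\([^\]\\]+)\]",
    re.IGNORECASE,
)
IMAGEPATH_RE = re.compile(r'^"ImagePath"="(.+)"$', re.IGNORECASE)
# Proxy settings written from user.js override the profile's prefs.js on every start.
FF_USERJS_RE = re.compile(r"^FF - user\.js: (network\.proxy\.\S*)", re.IGNORECASE)
TRUSTED_ZONE_RE = re.compile(r"^Trusted Zone: (\S+)", re.IGNORECASE)


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (rule_name, evidence) pairs for lines that deserve a closer look."""
    findings: List[Tuple[str, str]] = []
    current_service = None  # name of the last service key seen, for its ImagePath line
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SERVICE_KEY_RE.match(line)
        if m:
            current_service = m.group(1)
            continue
        m = IMAGEPATH_RE.match(line)
        if m and current_service:
            path = m.group(1)
            if path.lower().endswith(".tmp"):
                findings.append(("tmp_service_image", f"{current_service}: {path}"))
            continue
        if ASSEMBLY_RE.search(line):
            findings.append(("assembly_temp_u_file", line))
            continue
        m = FF_USERJS_RE.match(line)
        if m:
            # A value that continues with ");user_pref(" means a second pref was
            # smuggled into one line, which hand-written config does not do.
            rule = "firefox_pref_injection" if ");user_pref(" in line else "firefox_proxy_userjs"
            findings.append((rule, line))
            continue
        m = TRUSTED_ZONE_RE.match(line)
        if m:
            findings.append(("ie_trusted_zone", m.group(1)))
    return findings


if __name__ == "__main__":
    for rule, evidence in triage(SAMPLE_LOG):
        print(f"{rule:24s} {evidence}")
```

Running the script prints five findings for the constructed sample: the assembly\temp\U file, the MEMSWEEP2 ImagePath, the two user.js proxy lines and the Trusted Zone entry; the tcpip.sys line and the about:blank homepage pass through untouched. To use it on a real log, feed the file contents to triage() instead of SAMPLE_LOG.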

Hi,

Are you still with us? :)

Sorry… Yes I am. I mentioned in the post above that because I was pressed for time I restored the system disk from a backup made the day before I got the infection. Everything is working normally again and I’ve done several checks since and the system seems to be clear.

Thanks for your help.

Peter

Ok thanks for letting me know.

Glad we could help with what we could. :D