Computer Support Forum

ZEROACCESS Reparse Point/Junction found!

Question: ZEROACCESS Reparse Point/Junction found!

Hi, and thank you for this helpful site.  The pc running windows 7 32bit and NOD4 stopped updating.  About the same time a message would pop up during start up.  The message is as follows.
 
c:\users\end user\appdata\local\bvworks\vorbisfile_d.dll failed to load
 
I also noticed that nod was out of spec so I attempted to load the outstanding updates.  All but one loaded.  The one that didn't load said it had a virus and couldn't load so I went to the Microsoft website and got the same response.  It is "security update for windows 7 (kb2847927)" and it is labeled as an important update.
 
I ran nod, ccleaner, and malware, then took the drive out and ran the Microsoft virus scan from my one laptop with the other drive attached as a portable drive and found a worm and another malware.  Once cleaned I ran it again and got nothing, so I then hooked the drive to my work pc and got another hit on malware and cleaned it.
 
Once I put the drive back in the laptop the error is still there.  When I look at ccleaner the only thing that has been loaded recently is thunderbird email (I think this must be an update since this is the mail he uses)
 
Fast forward to today.  I downloaded and ran several spyware, antivirus, and malware apps.  When I ran Rkill the Zeroaccess message came up and I have not been able to get rid of it.  When NOD was not updating I uninstalled it and found a copy of defender was causing issues with installing av and malware software.  I have since been able to get the software to load.
 
Thanks for your help.


Answer: ZEROACCESS Reparse Point/Junction found!

ZEROACCESS rootkit is a serious malware infection. Disinfection will probably require the use of more powerful tools than we recommend in this forum. Before that can be done you will need to create and post a DDS log for further investigation.

Please follow the instructions in the Malware Removal and Log Section Preparation Guide starting at Step 6. If you cannot complete a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create two logs. (Note: Windows 8.1 users will not be able to run DDS and create a log.)

When you have done that, post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team. Start a new topic, give it a relevant title and post your log(s) along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. If you cannot produce any of the required logs, then still start the new topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happened when you tried to create them. A member of the Malware Removal Team will walk you through, step by step, on how to clean your computer.

After doing this, please reply back in this thread with a link to the new topic so we can close this one.


Answer: ZEROACCESS Reparse Point/Junction found!

Hello and welcome.  Please follow these guidelines while we work on your PC:

Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.”  Absence of symptoms does not mean your machine is clean!
Please do not run any scans or install/uninstall any applications without being directed to do so.
Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.

Please download Farbar Recovery Scan Tool and save it to your desktop.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.


Hi,
 
About an hour or two before posting, I ran Rkill and this is just a bit of what had come up (I have the rest of the list attached in the Rkill log due to the incredibly large list of items that were listed):
 

 
 * ALERT: ZEROACCESS Reparse Point/Junction found!
     * C:\Program Files\Windows Defender\MpCommu.dll => <Unknown Target> [File]
     * C:\Program Files\Windows Defender\MpTpmAtt.dll => <Unknown Target> [File]
     * C:\Program Files\Windows Defender\MsMpCom.dll => <Unknown Target> [File]
     * C:\Program Files\Windows Defender\MsMpRes.dll => <Unknown Target> [File]
     * C:\Program Files\Windows Defender\NisIpsPlugin.dll => <Unknown Target> [File]
     * C:\Program Files\Windows Defender\NisLog.dll => <Unknown Target> [File]
     * C:\Program Files\Windows Defender\NisWfp.dll => <Unknown Target> [File]
     * C:\Program Files\Windows Defender\ProtectionManagement.dll => <Unknown Target> [File]
     * C:\Program Files (x86)\Windows Defender\MpAsDesc.dll => <Unknown Target> [File]
     * C:\Program Files (x86)\Windows Defender\shellext.dll => <Unknown Target> [File]
 * Reparse Point/Jun... Read more


Hello,
 
Recently cloned an HDD (Windows 10). To get the tool I used to work, I turned off UEFI Secure Boot for one power cycle. After cloning the drive I ran an rkill and received the following results.
 
* ALERT: ZEROACCESS Reparse Point/Junction found!
     * C:\Program Files\Windows Defender\MpTpmAtt.dll => <Unknown Target> [File]
     * C:\Program Files\Windows Defender\MsMpRes.dll => <Unknown Target> [File]
     * C:\Program Files (x86)\Windows Defender\MpAsDesc.dll => <Unknown Target> [File]
     * C:\Program Files (x86)\Windows Defender\MpClient.dll => <Unknown Target> [File]
     * C:\Program Files (x86)\Windows Defender\MsMpLics.dll => <Unknown Target> [File]
 
Also, hundreds or thousands like the ones below appear to all be going to <Unknown Target>.
 
* Reparse Point/Junctions Found (These may be legitimate)!
     * C:\WINDOWS\AppPatch\AcGenral.dll => <Unknown Target> [File]
     * C:\WINDOWS\AppPatch\AcSpecfc.dll => <Unknown Target> [File]
     * C:\WINDOWS\AppPatch\AcWinRT.dll => <Unknown Target> [File]
     * C:\WINDOWS\AppPatch\AcXtrnal.dll => <Unknown Target> [File]
     * C:\WINDOWS\AppPatch\apppatch64\AcWinRT.dll => <Unknown Target> [File]
 ... Read more

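A way to turn a listing like the one above into something a responder can read, added here as an example and not code from Rkill or from the thread: it parses the two Rkill section headers and the "path => target [kind]" entry lines, then reports the ALERT entries, the entries whose target resolved, and a per-directory count of the rest. The sample log is constructed from the line shapes quoted in the posts; the "[Dir]" token on the resolved junction line is an assumption about how Rkill prints a junction whose target it could resolve.

```python
"""Triage of Rkill "Reparse Point/Junction" listings (added example, not Rkill's code).

Rkill prints each reparse point it finds as "* <path> => <target> [<kind>]" under a
section header, either "ALERT: ZEROACCESS Reparse Point/Junction found!" or
"Reparse Point/Junctions Found (These may be legitimate)!". On the machines in this
thread the listing runs to thousands of "<Unknown Target>" lines, so the useful first
step is to collapse it into: the short ALERT list, the few entries whose target did
resolve, and a per-directory count of everything else.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable

# Header lines: "* [ALERT: ]<title>!". Entry lines always contain " => ".
HEADER_RE = re.compile(r"^\s*\*\s+(?P<alert>ALERT:\s+)?(?P<title>.*?)!?\s*$")
ENTRY_RE = re.compile(
    r"^\s*\*\s+(?P<path>.+?)\s+=>\s+(?P<target>.+?)\s+\[(?P<kind>\w+)\]\s*$"
)
UNKNOWN = "<Unknown Target>"

# Constructed sample, shaped after the lines quoted in the thread. The last entry
# (a resolved user-folder junction with a "[Dir]" kind token) is an assumption about
# how Rkill prints a junction whose target it could resolve.
SAMPLE_LOG = r"""
 * ALERT: ZEROACCESS Reparse Point/Junction found!
     * C:\Program Files\Windows Defender\MpTpmAtt.dll => <Unknown Target> [File]
     * C:\Program Files\Windows Defender\MsMpRes.dll => <Unknown Target> [File]
     * C:\Program Files\Windows Defender\MpCommu.dll => <Unknown Target> [File]
     * C:\Program Files (x86)\Windows Defender\MpAsDesc.dll => <Unknown Target> [File]
 * Reparse Point/Junctions Found (These may be legitimate)!
     * C:\WINDOWS\AppPatch\AcGenral.dll => <Unknown Target> [File]
     * C:\WINDOWS\AppPatch\AcSpecfc.dll => <Unknown Target> [File]
     * C:\Users\end user\Documents\My Music => C:\Users\end user\Music [Dir]
"""


@dataclass(frozen=True)
class ReparseEntry:
    path: str     # the reparse point Rkill reported
    target: str   # its target, or "<Unknown Target>" when Rkill could not resolve it
    kind: str     # "File" in the thread's logs; other tokens are passed through
    alert: bool   # True when listed under the ZEROACCESS ALERT header


def parse_rkill(text: str) -> list[ReparseEntry]:
    """Walk the log once, remembering which section header each entry sits under."""
    entries: list[ReparseEntry] = []
    in_reparse = in_alert = False
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            if in_reparse:
                entries.append(ReparseEntry(m["path"], m["target"], m["kind"], in_alert))
            continue
        h = HEADER_RE.match(line)
        if h:  # any header that is not a reparse-point section ends the section
            in_reparse = "Reparse Point" in h["title"]
            in_alert = in_reparse and h["alert"] is not None
    return entries


def parent_dir(path: str) -> str:
    """Directory part of a Windows path (the path itself if it has no separator)."""
    return path.rsplit("\\", 1)[0] if "\\" in path else path


def triage(entries: Iterable[ReparseEntry]) -> dict:
    """Collapse a huge listing into what a responder actually reads first."""
    entries = list(entries)
    resolved = [e for e in entries if e.target != UNKNOWN]
    return {
        "total": len(entries),
        "alert_paths": [e.path for e in entries if e.alert],
        "unresolved": sum(e.target == UNKNOWN for e in entries),
        "resolved_targets": {e.path: e.target for e in resolved},
        "top_dirs": Counter(parent_dir(e.path) for e in entries).most_common(5),
    }


if __name__ == "__main__":
    report = triage(parse_rkill(SAMPLE_LOG))
    print(f"{report['total']} reparse points, {report['unresolved']} with unknown target")
    print("ALERT section:", *report["alert_paths"], sep="\n  ")
    print("Resolved targets:", report["resolved_targets"])
    print("Busiest directories:", report["top_dirs"])
```

Feed it the whole Rkill.txt instead of SAMPLE_LOG and the thousands of "<Unknown Target>" lines collapse into a handful of directory counts, which is what to compare against the ALERT list before deciding anything.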

My PC's been acting weird lately so my friend recommended that I run rkill and it gave this long list of things I should be worried about but I can't make anything out of it.
A bit of help will be appreciated!
Output file attached.

Answer: My rkill result gave this "ALERT: ZEROACCESS Reparse Point/Junction found!"

Welcome to BC...

Run RKill again. Do not reboot the computer until one of the programs below asks you to.

Use CCleaner to remove Temporary files, program caches, cookies, logs, etc. Use the Default settings. No need to use the Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of Google Chrome and Avast. After install, open CCleaner and run by clicking on the Run Cleaner button in the bottom right corner.
CCleaner - PC Optimization and Cleaning - Free Download

Malwarebytes - Clean Mode
Download and install the free version of Malwarebytes. Note: If you have Malwarebytes already installed, you don't need to install it again. Simply start from the next bullet point.
Once Malwarebytes is installed, launch it and let it update its database. You might have to click on the little arrow by Scan Status in the middle right pane for it to do so.
Once the database update is complete, click on the Scan tab, then select the Threat Scan button and click on Start Scan.
Let the scan run; the time required to complete the scan depends on your system and computer specs.
Once the scan is complete, make sure that the first checkbox at the top is checked (which will automatically check every detected item), then click on the Quarantine Selected button.
If it asks you to restart your computer to complete the removal, do so.

Click on Export Summary after the deletion (in the bottom-left corner) and select Copy to Clipboard. Paste the content in you... Read more


I have enjoyed this site many times and read many helpful items.  As I regularly run Rkill & Malwarebytes on my machines, I thank this site.
 
Lately, my wife's laptop (Acer Aspire V5 touchscreen running windows 8.1, 4 gig memory, over 300 gig available space on C drive) is crazy slow and most of the time has serious issues with any web browser.  The browsers lock and freeze, if they connect at all (IE, Mozilla & Chrome).  Malwarebytes scans come up clean (and take a very long time) every time.  Update is refreshed before each scan.  Tonight I ran RKill on that machine for the first time.  After over 11 minutes it finally finishes and creates a .txt file that is over 65,000 pages long.  Every entry is under category:  Reparse Point/Junctions Found.  I attempted to Google it, but almost all the links pointed right back here, most also quoting ZEROACCESS.
 
I'm decent around a computer, but feel like I am over my head in figuring this out.  I ask the experts here to guide me in getting her laptop back up to speed.
 
Thank you in advance.

Answer: Very slow laptop, extremely large RKill txt file (Reparse Point/Junctions Found)

G'day KymsCowby, and Welcome to BC !

Because ZERO ACCESS has been mentioned, you will automatically be directed to the Malware Removal Area, which is inhabited by Specialists.

Please follow the instructions in the Malware Removal and Log Section Preparation Guide starting at Step 6.
If you cannot complete a step, then skip it and continue with the next.

In Step 6 there are instructions for downloading and running DDS which will create two logs. Note: Windows 8.1 users will not be able to run DDS and create a log.

When you have done that, Copy and Paste your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team.

Start a new topic, give it a relevant title and post your log(s) along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. If you cannot produce any of the required logs or you're using Windows 8.1, then still start the new topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happened when you tried to create them. A member of the Malware Removal Team will walk you through, step by step, on how to clean your computer.

After doing this, please reply back in this thread with a link to the new topic so we can close this one, to prevent others answering incorrectly.

Be AWARE....t... Read more


ZeroAccess Reparsing point Found:
 
I need your Help PLEASE! Thank you in advance.
 
I read a post by "backerfan", which is almost identical to my problem. I'm working from my laptop to solve this problem which is on my PC.

I first noticed a problem while using Internet Explorer, I could not access Google.com,
I then saw that Microsoft Security Essentials was not running.
I tried to start MSE and just get an Error code: 0x80096001
I searched for answers on the internet from my laptop and tried several programs:
Malwarebytes, Rkill, HitmanPro, etc. They have found various PUPs and other malware, and removed them, but I'm still having the same problem.
Rkill recognized a ZeroAccess point, but nothing has resolved this issue.

Windows Explorer stopped working, it will not allow me to search, it does nothing.

I was somehow able to indirectly get to Microsoft's website, tried to download MSE, it does nothing.
The Handwriting language toolbar started popping up when I had to allow UAC; I have since stopped it from popping up.

I've run the DDS and posted the text below.
 
 
 
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 11.0.9600.16428
Run by Brad at 12:30:05 on 2013-12-30
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.3070.1405 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Outdated* {D68DDC... Read more

Answer: ZeroAccess Reparsing point Found - I need your Help! thnx

Edited original post to be more thorough.

Patiently waiting for your assistance, thanks in advance.

Question: Reparse point hell

So I managed to muck up my system slightly by using a live Linux USB stick and deleting a handful of reparse points. Fortunately if it hadn't been for me skimming around the Internet for quite some time, I was able to get my reparse points back, but, they don't do or say anything like "access denied" when you click them. Also, special folders like Pictures, Music, etc. have all turned into standard folder icons.

Answer: Reparse point hell

Let's see if this will help:

1. Click Start
2. In the search box, type cmd
3. In the list that appears, right-click on cmd.exe and choose Run as administrator
4. In the command window that opens, type sfc /scannow and hit enter.

Report the output from the command window once it finishes.

More detail: SFC /SCANNOW Command - System File Checker

Regards,
Golden


Hello,

Does anyone have experience of repeated 'extended attribute set and a reparse point detected in file xxxxx' errors in chkdsk in Windows 10? - even though it apparently corrects the errors with 'deleting extended attribute set due to presence of reparse point in file xxx' - the errors are still there when I reboot (immediately once Windows has loaded).

I've done the full chkdsk /f /r and repaired the image using DISM and the latest .iso from Techbench. sfc /scannow does not return any error messages.

Thanks.

Answer: chkdsk reparse point errors - repeatedly

Please upload the log of chkdsk. I'm on phone now so cannot post instructions for how to upload the log.


After following this guide, Official Microsoft ISO/Media Creation Tool
I am stuck with a problem.

Trying to download a Windows 8.1.1 ISO from Microsoft with their mediacreationtool.exe. I downloaded the program, and I then run this little program and select
Language (Danish)
Edition (Windows 8.1 Pro)
Architecture (64-bit X64)

Then click NEXT

Here I can select either USB flash drive or ISO file. I select ISO-file and click NEXT

Then I select where it saves the ISO-file.

And then the error comes almost instantly.

"Download did not complete successfully"
The download task did not complete.
The file or the folder is not a NTFS reparse-point.

I have tried to save on HDD, on a USB-stick formatted NTFS, formatted FAT32, but the same error shows up.

What can I do about this?
EDIT: I have now tried to do the same again, but in English, so it should not be the Danish language that gives the error. In English I also got this error, so I would like to get help with this.

Answer: Mediacreationtool gives an error - NTFS reparse-point?

Where are you saving the iso file?


Hi,

I discovered several issues immediately after installing the Creator's Update.
Several programs would not run (or not run properly), and these were sorted with a Revo uninstall followed by a re-install.
As a long time user of DFX Audio, I was crushed to find that it was hosed. At boot the tray icon would appear, but then vanish as soon as the Mouse pointer touched it...could not access the interface at all. I attempted uninstalling and re-installing it, but kept getting an error message that the driver name could not be set. I examined device manager and found that my Nvidia High Definition Sound driver had been replaced with another driver altogether. This was addressed by running the appropriate Graphics card driver installer. I decided to run a pre-scan using the tweaking.com all in one repair tool and found that several Reparse points were missing and that there were duplicate and many missing Environmental Variables. I ran the tool to repair these, then rebooted and suddenly the DFX interface appeared. I then ran the installer for DFX again and it ran to completion with no errors and now works fine. General performance and stability improved immediately as well. As usual, the update reset loads of settings, but time will get those sorted.


While preparing Win 8.1 laptop to be upgraded to Windows 10, I ran Rkill and found several issues
1) The folder C:\WINDOWS\Temp\46fed246-a20b-47f0-ae81-4936b8513516\Program Files\Common Files\Microsoft Shared\ink\en-us
contains thousands of entries which are Reparse Point/Junctions with <Unknown Target>.
As these are all temp files, can I SAFELY delete the folder?
 
2) SFC /scannow in safe mode found errors and has not been able to fix some of them (definitely related to the above)
C:\Windows\WinSxS\Temp\PendingRenames
8986 items
C:\Windows\WinSxS\Temp\PendingDeletes
6 items
 
I was unable to find sfcdetails.txt even with show hidden files/folders and show protected operating system files.
 
If it is safe to delete the temp files above, will I be able to upgrade to Windows 10 smoothly?
 
Thank you for your suggestions

Answer: Rkill finds thousands of Reparse Point/Junctions <Unknown Target>

Temp files can be removed. Please download Temp File Cleaner by Old Timer and save it to your desktop.
1. Save any unsaved work. (TFC will close ALL open programs including your browser!)
2. Double-click on TFC.exe to run it.
3. Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
4. After Temp File Cleaner has run, click on Exit.

Do the following to repair the corrupt files. After you have done this run the sfc /scannow to make sure the files have been repaired. Press the Windows key and the X key, in the menu that opens click or tap on Command Prompt (Admin). This will open the Elevated Command prompt. Copy and paste the command below, then press Enter.
dism /online /cleanup-image /restorehealth
Restart the computer to complete the repair. If you have problems with your current operating system these problems could have an effect on your upgrade, depending on the problem.


So I've read about how junctioning in Windows XP is great for making Windows think a folder has the contents of a different folder. So I want to do this:

I want to make a folder on my C: drive point to a folder on my T: drive (a USB flash drive). Is this recommended? If so, what would happen if the flash drive failed to start on a system restart (it's happened), and also, what would happen when the flash drive were to be removed?

Thanks!
 


Hello,

I'm running Windows 7 Ultimate x64 on my machine. Since I didn't want to install my programs on the Windows partition, I booted into safe mode and moved the "Program Files" and the "Program Files (x86)" folders to a different partition. Afterwards, I created junction points on the Windows partition which point to the folders on the other partition.

Here's the problem: The disk space management system of Windows 7 recognizes the junction points on my Windows partition as real folders with real data and decreases disk space on both partitions when I install new programs. I used the "Link Shell Extension" tool to create the junction points. (http://schinagl.priv.at/nt/hardlinkshellext/hardlinkshellext.html)

How can I configure Windows so that it doesn't detect the junction points as real folders?

Thanks for your help.
Best regards,
Lysander H.

Answer: Junction point uses disk space

I don't want to call you on this but I think you may not know how to change the install path. Most times all that is required is to highlight the path shown and then change the drive letter while leaving the rest of the label. Some programs will only allow you to change the path if you choose the custom install option, which, IMO, is the way to always install programs. If you could, list those 6 programs you couldn't change the path on.

According to the linked Wiki article, junction points should not take up any space.
http://en.wikipedia.org/wiki/NTFS_j...
Also see the second link below.
http://msdn.microsoft.com/en-us/lib...


Hi all,

I recently bought a new Samsung 840 Evo 250GB SSD. Previously I had been using a Seagate 1TB platter-based HDD. I used Paragon Migrate OS to SSD to migrate most of my files over, leaving behind all my big games and my My Pictures, My Videos and My Music folders which all contained a lot of data and can't go on the SSD.

In order for my playlists (among other things) to work without having to go through and manually edit each file, I created junction points to my 1TB HDD. The problem with that is two-fold: First, the folders have the shortcut symbol on them. This is a very minor complaint, but ideally I want the folders to look exactly like folders. Second, the folders have to be named Pictures, Videos and Music, since that's what they're actually called. This is a problem because I want them to be visibly called My Music etc.

And this is my question: Is it possible to make a junction point look exactly like a My Music folder, including the fake name? Any ideas would be much appreciated

Answer: Give junction point Special Folder properties?

Unashamed bump-because-surely-someone-must-know-even-with-410-views.


Hi,
My documents folder[s] is on E: as C: is an SSD with limited space.
Somehow I managed to end up with three 'documents' folders in Explorer [actually DOpus], of which two contain a few folders and the third one many folders; the latter is my real documents folder.
The OS will not allow me to rename the redundant 'documents' folders and so it often happens that I pick the wrong one.
DOpus does indicate the folder size, but that takes some time...
I know this must be a junction issue but am rather unwilling to play around with it - it might be that I have screwed it by unwittingly playing around with it in the 1st place.
here is a screenshot of the situation

any help to sort this out will be highly appreciated
regards
in Christ
gabriel

Answer: junction point/symbolic link query : multiple DOCUMENTS folders

To get a better idea of what's on E:, launch a Command prompt
type:
cd e:\
e:
dir /a > %Temp%\eDirList.txt
exit

Then attach %Temp%\eDirList.txt to a new post
%Temp% is just an environment variable that points to your User's Temp folder, you can use the %Temp% string as a shortcut to that folder.

What does the location tab (middle properties screen shot) say about the reference - don't change anything, just look and report back - thanks.


Windows 8.1

When I run File history backup, I get the following error:

Directory was not backed up because it is a reparse point:
C:\Users\(myname)\Documents\My Pictures
C:\Users\(myname)\Documents\My Music
C:\Users\(myname)\Documents\My Videos

If you want it to be protected, remove the reparse point.

-----------------------------------
When I run the following command at the Command prompt: dir /al /s
It shows me these reparse points as follows:
Directory of C:\Users\(myname)\Documents
09/09/2015 01:30 pm <JUNCTION> My Music (C:\users\(myname)\Music)
09/09/2015 01:30 pm <JUNCTION> My Pictures (C:\users\(myname)\Pictures)
09/09/2015 01:30 pm <JUNCTION> My Videos (C:\users\(myname)\Videos)
--------
When I use File Explorer,
these files do not show up.
I see: C:\Users\(myname)\My Music / but I don't see: C:\Users\(myname)\Documents\My Music
I see: C:\Users\(myname)\My Pictures / but I don't see: C:\Users\(myname)\Documents\My Pictures
I see: C:\Users\(myname)\My Videos / but I don't see: C:\Users\(myname)\Documents\My Videos
-------------
How do I delete/remove these reparse points?
 


Just FYI... I downloaded Junction Box from Sourceforge based on a recommendation from someone on this forum to ONLY download it from Sourceforge, and this was the result
(Sorry it got lumped together when I pasted it!)
SHA256: 8e79bdba58611b1cd9792f4f362d40115b055d1152446234e42896ad8aa210fd File name: Junctionbox100.zip Detection ratio: 22 / 57 Analysis date: 2015-03-25 00:38:53 UTC ( 2 months, 2 weeks ago )

Antivirus Result Update ALYac Trojan.Generic.12692334 20150324 AVware Trojan.Win32.Generic!BT 20150325 Ad-Aware Trojan.Generic.12692334 ... Read more

Answer: VirusTotal found 22/57 trojans etc. on Junction Box from Sourceforge

I went to the Junction Box developers website and read this... so it may be ok after all!

Executable and sourcecode are available on the project's Sourceforge page
Note that this utility has suffered some false antivirus alerts, notably from Norton and McAfee. From the coder's standpoint there is nothing much that can be done about this, it seems as if some antivirus vendors are nowadays writing code so trigger-happy that it flags ANY program which makes fundamental system-changes (which this has to do, or it would be of no use!) as potential malware. Notably, the better AV products produce no such false-alerts. My advice here is simple: If you want protection which actually works properly, you need to change your antivirus software.


Background (This topic probably applies to all Windows versions)
I have a number of related software suites which would like to share core dependencies. Previously we used winsxs and created installers for our shared assemblies. This suffered from a serious disadvantage as we could not reliably uninstall our applications cleanly (due to the winsxs all-you-can-eat policy and lack of tools for manual cleanup, TrustedInstaller permissions, lack of clear and concise documentation and so on..). We also ran into installer issues with the install randomly occasionally failing during installation of prerequisite MSIs that use MsiAssembly/MsiAssemblyName tables. So we decided to go for private assemblies but our applications are unmanaged C++ and not using the GAC etc. Had we been using .NET we might have been able to specify codebase or probing path!!! So this meant placing a copy of each dependent assembly in each application folder. We thought rather than wasting extra gigabytes of disk space why not share them with symbolic links. Well, symbolic links don't work as the loader doesn't understand them so we thought let's try junctions... So what could possibly go wrong.. Well it seems that the loader won't generate an activation context as it does not like junctions!!! Perhaps this is a security feature? A sxstrace of one application with the required core dependencies in suitably named sub folders yields a message Manifest XXX Crosses an unsafe repairs point.... Read more


Hi all, having been a member at Seven then Ten forums for a fair while I'm hoping to find a straight answer here..? Apologies in advance if this is too verbose.
Windows 10 system booting from (UEFI) NVMe with 2xSSDs + 2 MHDDs for storage...

An application (Xperia Companion) which will not let me select or personalise the location for saving backups of my cellular phone data...

Think I found a fair definition of the differences at the Computer Hope site which would suggest it's a Junction I need:

What's the difference between a junction and a symlink (symbolic link)?

Although very similar, a junction is not the same as a symbolic link on a Windows computer. Below is a list of some of the major differences between a junction and a symbolic link.

 * A junction point can only be a link to a local volume path. Symbolic links can be a local and remote path. For example, a symbolic link can link to the network share \\hope\files.
 * A junction point is designed for local directories, but a symbolic link can be used for directories, files, and shares.
 * A symbolic link resolves to the local machine. If you create a symbolic link to c:\hope on your computer and someone accessed that link from a remote machine, it would try to open c:\hope on their machine, not yours.

I want Xperia Companion to save backups to F:\Sony Backups NOT the default C:\Users\GD\Documents\Sony. Would the Junction (link) allow me to fulfill my wants and could someone... Read more

Answer: Symbolic link (Junction/s), how-to mklink? Please help with Junction?

Tutorial:

Symlinks in Windows 10 - Windows 10 Forums

Don't forget to read the comments and links!


Hi I was wondering, and I should've asked here earlier, will the repair install re-create the "Public" and "Default" folders (which are in my "Users" folder) after I've deleted them? How about any junction for those two folders? I know I had one for "Default".

Thanks.

Answer:"Default User" junction point folder issue

  
Quote: Originally Posted by Wandering Flame


Hi I was wondering, and I should've asked here earlier, will the repair install re-create the "Public" and "Default" folders (which are in my "Users" folder) after I've deleted them? How about any junction for those two folders? I know I had one for "Default".

Thanks.


Try showing Hidden and OS files in Folder Options; see if the Default folder show up then.

Hidden Files and Folders - Show or Hide


Hello,

My computer is set up to use a 120gb SSD for my OS (Windows 7 ultimate 64bit) and a 2Tb hard drive for my program files, user folders etc. I use junction points to link the program files and user files from C:\ to D:\. This normally works like a charm; however, I recently updated iTunes and it deleted my C:\Program Files (x86) junction point and created a Program Files (x86) folder on the C:\ drive. This completely roots my system as all my Program Files (x86) are stored on my D:\ drive and now my computer can't find them since the junction point has been deleted. How can it do this and, most importantly, any reason as to why it's doing this? It's an easy fix on my end as all I have to do is put back in my windows installation disk, boot from it and remake the junction point, but it's a real pain to do it when it shouldn't happen in the first place.

Also after remaking the Junction point I decided to uninstall iTunes and it once again deleted my junction point while uninstalling.

(Note: My Program Files, and User, junction points have worked as normal and have not been deleted just my Program Files (x86) junction point. I am creating my junction points using the command mklink "C:\Program Files (x86)" "D:\Program Files (x86)" /J)

Does anyone have any ideas to why this is happening? Any help is much appreciated.

Thanks

Nairda.


Hi and thanks for a very helpful forum. I read through all the malware removal instructions and have completed the step-by-step cleaning process (which seems to have worked) and now would like to confirm that my system is actually clean. Please see attached logs. Note: ComboFix did run but then froze during the "preparing log report" phase, so the attached ComboFix log is just the txt I found in the folder, not the full zip log. Also, RootRepeal failed to run at all (in normal or safe mode).

More info about infection:

AVG found Crypt.AQLW but couldn't fully clean it
CPU & HD constantly at 100%, firewall had been disabled, internet traffic going mad & link redirection - immediately disconnected from internet
SUPERAntiSpyware found and cleaned Trojan.Agent/Gen-Loader
MalwareBytes Anti-Malware found and cleaned Exploit.Drop.CFG
ComboFix found and cleaned Rootkit.ZeroAccess ... but failed to generate full report. CPU dropped to normal after this!
RootRepeal failed to run
MGTools ran normally

Note: Before finding this forum, I also found advice to run Kaspersky TDSSKiller which I did, and it did find something, but didn't fix the issue. Log for that attached as well.
 

Answer:AVG found Crypt.AQLW and subsequent scans found Rootkit.ZeroAccess

More logs ...

Note: It says in the ComboFix.txt that AVG was still enabled (and it also gave me that warning message) but I had already used the recommended AVG removal tool and AVG was no longer installed or running at the time.

I've now updated my OS and all my software, have switched to MS Security Essentials and re-enabled firewall etc.
 


I uninstalled ZoneAlarm Firewall and now strange things happen...

rundll32.exe - Entry point not found
The procedure entry point LdrResfindResource could not be located in the dynamic link library ntdll.dll

Whenever i log in to windows i get

userinit rundll32.exe - Entry point not found
The procedure entry point LdrResfindResource could not be located in the dynamic link library ntdll.dll

winlogon rundll32.exe - Entry point not found
The procedure entry point LdrResfindResource could not be located in the dynamic link library ntdll.dll
When i right click "MY PC" i get
rundll32.exe - Entry point not found
The procedure entry point LdrResfindResource could not be located in the dynamic link library ntdll.dll

I tried sfc /scannow without any success :/

Answer:rundll32.exe - Entry point not found The procedure entry point LdrResfindResource could not be located in the dynamic link libr...

You currently have an open Malware Removal Logs citing same issue, http://www.bleepingcomputer.com/forums/topic473316.html .

Since you have the open malware topic, we request that you pursue that and resolve any/all issues there...before proceeding with a topic in a different forum, citing the same issues.

At the conclusion/resolution of your MRL topic...you should then initiate a topic in the appropriate forum for any system issues that you may then have.

To avoid confusion, this topic is now closed.

Louis

Question: Found ZeroAccess

Sorry I thought the FRST and addition logs were already taken care of by the last post. They are both pasted below because I can't figure out how to attach the addition log
 
FRST Log
 
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 07-02-2015
Ran by Josh (administrator) on JOSH-PC on 07-02-2015 11:28:24
Running from C:\Users\Josh\Downloads
Loaded Profiles: Josh & Tiff (Available profiles: Josh & Tiff)
Platform: Microsoft Windows 7 Professional  Service Pack 1 (X86) OS Language: English (United States)
Internet Explorer Version 10 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Google Inc.) C:\Program Files\Google\Update\1.3.25.11\GoogleCrashHandler.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
(Microsoft Corporation) C:\Program Files\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe
(Microsoft Corporation) C:\Program Files\Skype\Tool... Read more

Answer:Found ZeroAccess

Hello, Welcome to BleepingComputer. I'm nasdaq and will be helping you. If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===
Run this tool to clean your Temporary files/Folders.
Download TFC to your desktop
Close any open windows.
Double click the TFC icon to run the program.
TFC will close all open programs itself in order to run.
Click the Start button to begin the process.
Allow TFC to run uninterrupted, it should not take long to finish.
Once it's finished, click OK to reboot.
If it does not reboot, reboot your system manually.
===
Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.

start

CloseProcesses:

(Company) C:\Program Files\Popcorn Time\Updater.exe
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKU\S-1-5-21-562459901-1482382580-3887097223-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
ShellExecuteHooks: - {AEB6717E-7E19-11d0-97EE-00C04FD91972} - No File [ ]
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin HKU\S-1-5-21-562459901-1482382580-3887097223-1000: CouponNetwork.com/CMDUniversalCouponPrintActivator -> C:\Users\Josh\AppData\Roaming
\CATALI~1\NPBCSK~1.DLL (Catalina Marketing Corporation)
FF Extension: 50Ceouponss - C:\Users\Josh\AppData\Roaming\Mozilla\Firefox\Profiles\ds7b9x07.default\Extensio... Read more

Question: Found ZeroAccess

I recently was instructed to create another post about finding ZeroAccess and reference my other post here:
 
http://www.bleepingcomputer.com/forums/t/565155/ads-by-randomprice-adware/#entry3613691
 
Any help would be greatly appreciated. Thank you.

Answer:Found ZeroAccess

Ok, so you still need to follow the Prep Guide as instructed in Post 7 of that other topic.


I was given this Dell laptop (windows 7 premium SP1) to work on because the owner couldn't even get windows to start. While playing around with it, I found that it wouldn't even start up in safe mode. So, I finally got it to boot up with an earlier restore point and man this thing is messed up. I noticed right off that the desktop was littered with the user's icons including pdf files, shortcuts and leftovers from install packages. The first windows problem I noticed was that the mousepad lost its button abilities. No drag and drop/resize with left button, no right click for anything else. I also noticed no ability to do a windows update, for which an error message stated the service not started. I looked at windows services and update wasn't even available. I compared windows services with those at Black Viper and saw that many would not start or were not even listed. Very few programs would load up, no firefox or chrome browser working and mcafee seemed to be getting in the way of everything. Everything I tried issued a popup of some sort with an error.

I got IE to run and logged into majorgeeks but any download was deemed a virus and deleted! Upon further investigation, I found this to be a characteristic of the ZeroAccess rootkit so I renamed the windows defender folder to defender_old and headed over here to run the "Read & Run Me". I'm posting the log files from the scans but you must keep in mind, without the use of the mouse... Read more

Answer:ZeroAccess rootkit found

...and here's MGlogs.zip!
 


 This is what came up after using RKILL
 
* ALERT: ZEROACCESS rootkit symptoms found!
 
     * C:\Windows\Installer\{b93732d6-b308-ce93-f8e0-3f457f76a2f2}\ [ZA Dir]
     * C:\Windows\Installer\{b93732d6-b308-ce93-f8e0-3f457f76a2f2}\L\ [ZA Dir]
     * C:\Windows\Installer\{b93732d6-b308-ce93-f8e0-3f457f76a2f2}\U\ [ZA Dir]
 
I have followed the instructions for downloading and running DDS.  I hope the files attach ok ( I am a complete novice)
 
I would be so grateful if you could help me with this problem. Many thanks in advance x

Answer:Zeroaccess rootkit found

Hello! Welcome to BleepingComputer Forums!
My name is Georgi and I will be helping you with your computer problems.
Before we begin, please note the following:
I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
The logs can take some time to research, so please be patient with me.
Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
Instructions that I give are for your system only!
Please do not run any tools until requested ! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.
 
 
Please download Farbar Recovery Scan Tool and save it to your desktop. Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your re... Read more


ZeroAccess Rootkit found. Combofix repaired Internet access issue.

I just need help to find any leftover issues. I was able to run all progams, and get logs.


Any help would be greatly appreciated.


Viking62
 

Answer:ZeroAccess rootkit found.

Second batch of logs.
 


Rkill 2.6.5 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html
Program started at: 05/16/2014 01:13:39 PM in x86 mode.
Windows Version: Windows Vista ™ Home Premium Service Pack 2
Checking for Windows services to stop:
* No malware services found to stop.
Checking for processes to terminate:
* No malware processes found to kill.
Checking Registry for malware related settings:
* No issues found in the Registry.
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
Performing miscellaneous checks:
* ALERT: ZEROACCESS rootkit symptoms found!
* C:\$Recycle.Bin\S-1-5-21-1313530273-2412965177-1143821080-1000\$ff24043d55f85ce9a20a8337d9b4b888\ [ZA Dir]
* C:\$Recycle.Bin\S-1-5-21-1313530273-2412965177-1143821080-1000\$ff24043d55f85ce9a20a8337d9b4b888\@ [ZA File]
* C:\$Recycle.Bin\S-1-5-21-1313530273-2412965177-1143821080-1000\$ff24043d55f85ce9a20a8337d9b4b888\L\ [ZA Dir]
* C:\$Recycle.Bin\S-1-5-21-1313530273-2412965177-1143821080-1000\$ff24043d55f85ce9a20a8337d9b4b888\U\ [ZA Dir]
* ALERT: ZEROACCESS Reparse Point/Junction found!
* C:\Program Files\Windows Defender\en-US => c:\windows\system32\config\ [Dir]
* C:\Program Files\Windows Defender\MpAsDesc.dll => c:\windows\system32\config [File]
* C:\Program Files\Windows Defender\MpClient.dll => c:\windows\system32\config [File]
* C:\Program Files... Read more

Answer:ZeroAccess Infection Found

attached dss zip file


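The junction-versus-symlink definition quoted in the mklink question, the C:\Program Files (x86) junction that the iTunes installer removed, and the Rkill "ZEROACCESS Reparse Point/Junction found!" lines in the log just above all concern the same NTFS feature: a directory or file entry whose data is a reparse tag pointing somewhere else. The script below is an added example and is not code from any post in the thread nor from Rkill. It walks a few system roots without following links, reports every reparse point with its link type and target, and flags any target under C:\Windows\System32\config, which is where the Rkill output above shows the Windows Defender entries pointing. It assumes Windows PowerShell 5.1 or later (for the LinkType and Target properties) and an elevated prompt; the list of roots and the suspicious-target list are assumptions chosen for illustration.

```powershell
# Added example, not code from the thread or from Rkill.
# Walks a few system roots without following links, reports every reparse point
# (junction, symbolic link, or other tag) with its target, and flags targets under
# %SystemRoot%\System32\config, the destination shown in the Rkill output above.
# Assumes Windows PowerShell 5.1+ (LinkType/Target properties) and an elevated prompt.

# Roots to inspect (assumed; extend as needed). Null entries (32-bit hosts) are dropped.
$Roots = @(
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)},
    "$env:SystemRoot\Installer",
    ($env:SystemDrive + '\$Recycle.Bin')
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

# Targets that no legitimate application junction points at (constructed list).
$SuspiciousTargets = @("$env:SystemRoot\System32\config")

function Get-ReparsePointReport {
    param([string[]]$Paths)

    # Explicit stack instead of -Recurse so the walk never descends into a link
    # (a junction pointing at an ancestor would otherwise loop forever).
    $stack = [System.Collections.Generic.Stack[string]]::new()
    foreach ($p in $Paths) { $stack.Push($p) }

    while ($stack.Count -gt 0) {
        $dir = $stack.Pop()
        $items = Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue
        foreach ($item in $items) {
            $isLink = ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0
            if (-not $isLink) {
                if ($item.PSIsContainer) { $stack.Push($item.FullName) }
                continue
            }

            # PS 5.1 exposes Target as string[]; later versions as a string.
            $target = @($item.Target)[0]
            $flag = $false
            foreach ($bad in $SuspiciousTargets) {
                if ($target -and $target.TrimEnd('\') -like ($bad.TrimEnd('\') + '*')) { $flag = $true }
            }

            [pscustomobject]@{
                Path       = $item.FullName
                LinkType   = $item.LinkType     # Junction, SymbolicLink, or empty for other reparse tags
                Target     = $target
                Suspicious = $flag
            }
        }
    }
}

$report = Get-ReparsePointReport -Paths $Roots
$report | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

A flagged row is a lead, not a verdict. A junction the owner created on purpose with mklink /J, as in the Program Files (x86) post above, is indistinguishable to this script from one planted by an installer or by malware, so compare each target with what the owner or the application's installer is known to have created before removing anything. The explicit stack is deliberate: Get-ChildItem -Recurse in Windows PowerShell 5.1 descends into junctions, which both slows the scan and risks a cycle.
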
So I was browsing the internet earlier when my screen suddenly changed to one of those ransomware screens, more specifically the Police Central e-crime Unit one (description here: http://forums.anvisoft.com/viewtopic-45-973-0.html). I did the usual system restore, full scan with Malwarebytes and Microsoft Security Essentials which seemed to do the trick as the computer is running fine again. I wanted to be sure though so I ran rkill and it came up with this:

Rkill 2.4.5 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 11/23/2012 10:12:07 AM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* No malware processes found to kill.

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* ALERT: ZEROACCESS rootkit symptoms found!

* HKEY_CLASSES_ROOT\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32 [ZA Reg Hijack]

Checking Windows Service Integrity:

* No issues found.

Searching for Missing Digital Signatures:

* No issues found.

Checking HOSTS File:

* No issues foun... Read more

Answer:ZEROACCESS rootkit symptoms found

Download TDSSkiller
Launch it.
Click on change parameters - Select TDLFS file system
Click on "Scan".
Please post the LOG report (log file should be in your C drive)
Do not change the default options on scan results
Download aswMBR
Launch it, allow it to download latest Avast! virus definitions
Click the "Scan" button to start scan.
After scan finishes, click on Save log
Post the log results here.
If you get crashes in normal mode, run it in safemode with networking
Download ESET online scanner
Install it
Click on START, it should download the virus definitions
When scan gets completed, click on LIST of found threats
Export the list to desktop, copy the contents of the text file in your reply


I got an email from the campus administrator that ShadowServer found ZeroAccess rootkit on my laptop.
This is the message: (i've cut out the ip addresses)

"timestamp","ip","port","asn","geo","region","city","hostname","type","infection","url","agent","cc","cc_port","cc_asn","cc_geo","cc_dns","count","proxy","application","p0f_genre","p0f_detail"
> "2013-09-15
> 20:00:09","(IP)",52001,1103,"NL","(city)","(city)",,"udp",
> "ZeroAccess",,,"(ip cut out)",16465,22773,"US","ip(ip)",1,,,,,
>
> ---- end complaint ----

I've run all the required software but no rootkit was found. Is it possible that ShadowServer gave a false alarm? Or is the virus hiding so well?

I've attached all the logfiles required, except TDSSKiller, it didn't find any infected files.

Thanks!
 

Answer:ZeroAccess rootkit found by ShadowServer

You're getting a false positive.
 


I was having a problem running malwarebytes. It now runs after completely uninstalling using their tool and re-installing after using RKill and Superspiware remover. RKill still finds symptoms of ZeroAccess on my computer in the way of several files in my local folder. I do not know how to remove those files. Something keeps disabling real-time protection in malware bytes. Other than that I have not seen anything out of the ordinary.
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.17420  BrowserJavaVersion: 10.51.2
Run by Mike at 19:16:49 on 2014-11-14
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.8191.4039 [GMT -8:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {4F35CFC4-45A3-FC37-EF17-759A02E39AB1}
SP: Microsoft Security Essentials *Enabled/Updated* {F4542E20-6399-F3B9-D5A7-4EE87964D00C}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: IObit Malware Fighter *Disabled/Updated* {A751AC20-3B48-5237-898A-78C4436BB78D}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\s... Read more

Answer:ZeroAccess Symptoms found by RKill

Hello and welcome. Please follow these guidelines while we work on your PC:
Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.” Absence of symptoms does not mean your machine is clean!
Please do not run any scans or install/uninstall any applications without being directed to do so.
Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.
Please download Farbar Recovery Scan Tool and save it to your desktop.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.


Basic help found Zeroaccess rootkit after running Adware Cleaner, Rkill, Est.  I am running Windows XP SP3.  They referred me to you through the Preparation Guide.
 
Please let me know if you need anything else to help with virus.
 
Thank you.
 
Sandhill
 
Follows is DDS.txt:
 
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.40.2
Run by Jeff at 20:10:53 on 2014-04-24
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3070.1998 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ================
.
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\P... Read more

Answer:Zeroaccess rootkit found by helper

Greetings and to BleepingComputer,
My name is xXToffeeXx, but feel free to call me Toffee if it is easier for you. I will be helping you with your malware problems.
 
A few points to cover before we start:
Do not run any tools without being instructed to as this makes my job much harder in trying to figure out what you have done.
Make sure to read my instructions fully before attempting a step.
If you have problems or questions with any of the steps, feel free to ask me. I will be happy to answer any questions you have.
Please follow the topic by clicking on the "Follow this topic" button, and make sure a tick is in the "receive notifications" and is set to "Instantly". Any replies should be made in this topic by clicking the "Reply to this topic" button.
Important information in my posts will often be in bold, make sure to take note of these.
I will attempt to reply as soon as possible, and normally within 24 hours of your reply. If this is not possible or I have a delay then I will let you know.
I will bump a topic after 3 days of no activity, and then will give you another 2 days to reply before a topic is closed. If you need more time than this please let me know.
Let's get going now
==========================
 
Hi sandhill,
I must give you this warning:
 
Looking through your logs, one or more of your infections has been identified as a Backdoor Trojan. These threats have backdoor functionality which allows hackers to remotely control your computer, ... Read more


My brother borrowed my laptop and downloaded some things he shouldn't have. I managed to clean most of the problems up with a combination of Malwarebytes, Adwcleaner, and Security Essentials, but Rkill found 3 instances of a rootkit.  I would like some help removing these since I have never done it before. Here is the DDS log, and thanks for your help.
 
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 10.0.9200.16686  BrowserJavaVersion: 10.25.2
Run by Skootch at 12:01:22 on 2013-10-09
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.4061.1750 [GMT 3:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync... Read more

Answer:Zeroaccess rootkit symptoms found

Hi there, my name is Marius and I will assist you with your malware related problems.
Before we move on, please read the following points carefully.
First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
Perform everything in the correct order. Sometimes one step requires the previous one.
If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.
Scan with Gmer rootkit scanner
Please download Gmer from here by clicking on the "Download EXE" Button.
Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
If it gives you a warning about rootkit activity and asks if you want to run scan... Read more


I did an AVAST bootscan and ran RKILL. I posted results from FARBAR Recovery scan tool. SEE ATTACHED.
*********************************************************************************************************************************************
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 27-12-2013 01
Ran by SYSTEM on MININT-BR1785L on 27-12-2013 12:10:37
Running from H:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 11
Boot Mode: Recovery
The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.
==================== Registry (Whitelisted) ==================
HKLM\...\Run: [dldwmon.exe] - C:\Program Files (x86)\Dell V505\dldwmon.exe [677104 2008-10-02] ()
HKLM\...\Run: [dldwamon] - C:\Program Files (x86)\Dell V505\dldwamon.exe [16624 2008-10-02] ()
HKLM\...\Run: [MSC] - C:\Program Files\Microsoft Security Client\msseces.exe [1266912 2013-10-23] (Microsoft Corporation)
HKLM-x32\...\Run: [GrooveMonitor] - C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe [30040 2009-02-26] (Microsoft Corporation)
HKLM-x32\...\Run: [Dell V505] - C:\Program Files (x86)\Dell V505\fm3032.exe [312560 2008-10-02] ()
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59240 2011-09-27] (Apple Inc.)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.e... Read more

Answer:RKILL found ZEROACCESS ROOTKIT

Hello! Welcome to BleepingComputer Forums!
My name is Georgi and I will be helping you with your computer problems.
Before we begin, please note the following:
I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
The logs can take some time to research, so please be patient with me.
Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
Instructions that I give are for your system only!
Please do not run any tools until requested ! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.
 
If the computer is able to boot in Normal Mode please rerun FRST from there and post the logs in your next reply.
 
 
Regards,
Georgi


I normally run McAfee Security Suite, which found some problems the other day. Today, I noticed that I am unable to run a couple of programs. Also, it appears that my virus scanner is shut down. I tried to install Malware Bytes but got an error and was unable to install. I ran RKILL and it gave me the following (ZEROACCESS rootkit found):

Rkill 2.4.5 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 01/16/2013 06:31:12 PM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* No malware processes found to kill.

Checking Registry for malware related settings:

* Explorer Policy Removed: NoActiveDesktopChanges [HKLM]

Backup Registry file created at:
C:\Users\New User\Desktop\rkill\rkill-01-16-2013-06-31-13.reg

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* ALERT: ZEROACCESS rootkit symptoms found!

* HKEY_CLASSES_ROOT\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32 [ZA Reg Hijack]
* HKEY_CLASSES_ROOT\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32 [ZA Reg Hijack]
* C:\$Recycle.Bin\... Read more

Answer:RKILL found ZEROACCESS entry

Greetings and Welcome to The Forums!!
My name is Gringo and I'll be glad to help you with your malware problems.
I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us:
Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top o... Read more


I have a Windows 7 Toshiba laptop with all current service packs and updates applied.  I was trying to set up file sharing on my network and found that I had lost access to do that on this laptop.  Every time I turned on network discovery it would shut itself off.  All of the default firewall rules were missing so I couldn't restore them.  I was able to finally get the rules from another Win 7 machine and get them restored and working again and I can now connect to my network.  Network discovery now stays on.
 
Someone had installed games on my computer and with them came Sweetpacks malware.  I removed Sweetpacks and remnants, but while running rkill I got a notification "Zeroaccess Rootkit symptoms found".  I am comfortable that Sweetpacks is removed but I need help to remove the Zeroaccess Rootkit before it takes any further hold.
 
dds.txt log:
 
DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 10.0.9200.16720  BrowserJavaVersion: 10.25.2
Run by Main at 18:35:30 on 2013-10-18
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.2038.841 [GMT -5:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Disabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Win...

Answer:Zeroaccess Rootkit symptoms found

Hello DakotaCat, I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.

Very Important --> Please read this post completely, I have spent my time to put together some things for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!

Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same...


My PC was giving errors when I tried to change my firewall settings: Error code 0x80070424
I ran Rkill and this is what I got:
Rkill 2.6.2 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html
Program started at: 11/25/2013 07:52:27 PM in x64 mode.
Windows Version: Windows 8 Pro
Checking for Windows services to stop:
* No malware services found to stop.
Checking for processes to terminate:
* C:\Windows\SysWOW64\ChgService.exe (PID: 1904) [WD-HEUR]
1 proccess terminated!
Checking Registry for malware related settings:
* No issues found in the Registry.
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
Performing miscellaneous checks:
* ALERT: ZEROACCESS rootkit symptoms found!
* C:\Program Files (x86)\Google\Desktop\Install\{6c76f889-4758-ee39-de24-8ad41767c58d}\ [ZA Dir]
* C:\Program Files (x86)\Google\Desktop\Install\{6c76f889-4758-ee39-de24-8ad41767c58d}\ \ [ZA Dir]
* C:\Program Files (x86)\Google\Desktop\Install\{6c76f889-4758-ee39-de24-8ad41767c58d}\ \x002ex002ex002e\ [ZA Dir]
* C:\Program Files (x86)\Google\Desktop\Install\{6c76f889-4758-ee39-de24-8ad41767c58d}\ \x002ex002ex002e\x202exfbf9x0e5b\ [ZA Dir]
* C:\Program Files (x86)\Google\Desktop\Install\{6c76f889-4758-ee39-de24-8ad41767c58d}\ \x002ex002ex002e\x202exfbf9x0e5b\{6c76f889-4758-ee39-d...

Answer:Zeroaccess rootkit symptoms found

Boot to SAFE Mode and run Malwarebytes Anti-Rootkit Beta and restart. After restart, continue with other virus removal software such as Combofix (run CCleaner first, it'll go faster), ADWCleaner, Malwarebytes, and do a boot-time scan to finish it up. http://www.malwarebytes.org/products/other_tools/


I have a Windows 7 Toshiba laptop with all service packs and updates applied.  I was trying to set up file sharing on my network and found that I had lost access to do that on this laptop.  Every time I turned on network discovery it would shut itself off.  All of the default firewall rules were missing so I couldn't restore them.  I was able to finally get the rules from another Win 7 machine and get them restored and working again and I can now connect to my network.  Network discovery stays on.
 
However, I now had a notification "Zeroaccess Rootkit symptoms found" when I ran rkill and adwcleaner to remove Sweetpacks.  I am comfortable that Sweetpacks and remnants are removed.
 
Please help me remove the Zeroaccess Rootkit before it takes any further hold.
 
Here is rkill log info.
 
Rkill 2.6.2 by Lawrence Abrams (Grinler)
 
Program started at: 10/18/2013 09:48:29 AM in x86 mode.
Windows Version: Windows 7 Professional Service Pack 1
 
Checking for Windows services to stop:
 * No malware services found to stop.
 
Checking for processes to terminate:
 * No malware processes found to kill.
 
Checking Registry for malware related settings:
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
  * HKCU\SOFTWARE\Classes\.exe "@" exists and is set to !
  * HKCU\SOFTWARE\Classes\.exe has been deleted!
 
Performing miscella...

Answer:Zeroaccess Rootkit symptoms found

Hello DakotaCat, please repost this log and a DDS log by following this Preparation Guide, do steps 6, 7 and 8 and post in a new topic. Let me know if all went well.


Hi Guys, I've been reading through the forums but this one has me a little stumped... Most cases I have been able to remedy myself, but then I came across your tool Rkill... which when run comes up with "ZeroAccess rootkit symptoms found". Anyhow, I have run pretty much in this order: Rkill - Malwarebytes - Nod32 - Combofix... and ran Rkill one last time after this to see if it detected anything else.. so here I am.. I have downloaded the Farbar Recovery Scan Tool and hit scan.. below I post the log files, any help please greatly appreciated.

Rkill Logfile

Rkill 2.6.1 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 09/26/2013 08:08:09 AM in x86 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:
 * No malware services found to stop.

Checking for processes to terminate:
 * C:\Users\user\AppData\Local\Temp\TeamViewer\Version8\TeamViewer.exe (PID: 6128) [T-HEUR]
 * C:\Users\user\AppData\Local\Temp\TeamViewer\Version8\tv_w32.exe (PID: 4252) [T-HEUR]
2 proccesses terminated!

Checking Registry for malware related settings:
 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:
 * Windows Defender Disabled   [HKLM\SOFTWARE\Microsoft...

Answer:ZEROACCESS rootkit symptoms found.

Also ran TDSS killer... and it came back with no threats found...


I ran Malware, Spybot, SpyHunter, TDSSKiller, Crap Cleaner,
Malicious Software Removal (MRT) tool, AVG Anti-virus, and Avast Boot time scan.

Avast and Spybot each found an infection, but the re-direct issue continued.

Every time I go to Google and search the links returned are bogus and re-direct elsewhere.

My Outlook was acting up and I thought it could be connected.

I panicked and downloaded and ran Combofix.

Here's the log:
ComboFix 12-06-20.02 - Administrator 06/20/2012 15:21:34.1.2 - x86
Running from: c:\documents and settings\Administrator\My Documents\Downloads\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Application Data\19cfc9e0
c:\documents and settings\Administrator\Application Data\eeb7be1a
c:\documents and settings\Administrator\Application Data\f912361f
c:\documents and settings\Administrator\g2mdlhlpx.exe
c:\documents and settings\Administrator\ifuttbsqrh.tmp
c:\documents and settings\Administrator\Local Settings\Application Data\AOL\Adobe\ruscoraw.dll
c:\documents and settings\All Users\Ap...

Answer:RootKit.ZeroAccess found by Combofix

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log. Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

Please reply to this post so I know you are there. The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic. Once I receive a reply then I will return with your first instructions. Thanks


Hello,
 
A colleague's browser is being redirected - both IE and Firefox on a 64 bit machine running Win7.
 
AVG Antivirus Business Edition moved some items to the virus vault, but the problem continued.
 
We ran Malwarebytes, which found Scorpion Saver and SavingBull, which were deleted.
 
We downloaded and ran RKill - which found ZeroAccess toolkit.
 
We downloaded and ran Hitman Pro, which found nothing.
 
We re-ran Malwarebytes, and nothing was found.
 
I see lots of suggestions for dealing with ZeroAccess toolkit.  Is there a consensus on the best method to do so?
 
Pam H.

Answer:Redirection - ZeroAccess Toolkit found

Hi,
 
You are infected with ZeroAccess, we will need more advanced tools to deal with it:
 
Please follow the instructions in THIS GUIDE starting at Step 6. If you cannot complete a step, skip it and continue.
Once the proper logs are created, then make a NEW TOPIC and post it HERE. Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.
If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.
It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient. If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.
xXToffeeXx~ 


A few days ago I started getting the fake Acrobat and Java update requests. I ignored them and then started getting random redirects to http://63.209.69.107 with IE using any search engine as well as directed to other random sites.
I ran a full scan with McAfee and it found ZeroAccess!cfg, along with Exploit-CVE2012-1723 in 3 different locations, and JV/Exploit-Blacole.q that was located in a Sun/Java folder. It cleaned and deleted them.
Continued to get the same symptoms.
Ran Malwarebytes which came back clean.
Ran a McAfee Stinger, no change
Ran TDSSKILLER, clean
Ran DDS and it ran and attached logs
Ran GMER, it only allowed me to select Services, Registry, Files, C:, and ADS. All other boxes are greyed out and cannot be selected
I tried the instance of GMER on another machine and all options were selectable

Answer:Found ZeroAccess!cfg with McAfee, but still getting redirects

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the ...


this is very weird
I have no restore points, so I create a new one, get a success message
then when I go to see the restore point, 7 comes back and says no restore points there!!!
I ran a sfc /scannow, it came back ok
did my Comodo full scan, it finds issues with office 365 but no rootkits etc, lol
ran Malwarebytes and other rootkit revealers, nothing found there
I have 8gb set aside for restore points, that has been plenty in the past
I did have restore points at one point, did not check too recently though
any ideas what this could be???
 

Answer:restore point create success... but no restore point found????

After creating the new restore point and receiving the success message did you click on OK to finish the process?


Hi,
I received a suspicious email and by accident clicked the attachment. I came to this forum to find out if there was a way to tell if I got a virus from that.  The computer is not acting up. I also did a system restore and then posted in the "am I infected" forum and was told to run Rkill and post my log, which I did.  They also told me to run Malwarebytes; I previously had it on my computer and it has expired. It let me run it but I could not copy my results to the clipboard.  The topic referenced is here: http://www.bleepingcomputer.com/forums/t/559116/did-i-download-a-virus/ ~ OB
I then was told I possibly had a serious malware infection and was told to follow the instructions in the Malware Removal and Log Section Preparation Guide starting at Step 6 and post my log here.
 
Here is my log. I am hoping someone will be able to help, and thanks in advance. 
 
 
DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 8.0.6001.18702
Run by Chari at 23:15:56 on 2014-12-08
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2038.678 [GMT -5:00]
.
AV: AVG AntiVirus Free Edition 2014 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Apple\Mobile Device Su...

Answer:* ALERT: ZEROACCESS rootkit symptoms found!

I think I was supposed to attach this file as well, hoping someone can help!
 



Computer redirecting and running extremely slow last week, so I ran a scan. Spybot S&D and combofix found a zeroaccess rootkit, quarantined and removed some files. Seemed to work temporarily but came back. Ran TDSS Killer, found rootkits again, cured, restarted, then another rootkit popped up in a different file. Installed malwarebytes, ran a couple times. Mbytes says no infections found... still getting redirects sometimes but not always and my sound is not working. Opened device manager and found the yellow exclamation point beside the Sigma Tel audio codec. I then uninstalled the audio codec, restarted the cpu and let it load again, but it still gives error code 31, says windows can't load the driver for this.

DELL/Inspiron 6400
Windows XP SP2

Last combofix log:

ComboFix 12-02-08.02 - Admin 02/16/2012 18:23:10.7.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1693 [GMT -6:00]
Running from: c:\documents and settings\Admin\My Documents\Downloads\ComboFix.exe
.
- REDUCED FUNCTIONALITY MODE -
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\etc\hosts.ics
.
.
((((((((((((((((((((((((( Files Created from 2012-01-17 to 2012-02-17 )))))))))))))))))))))))))))))))
.
.
2012-02-13 13:58 . 2012-02-13 13:58 -------- d-----w- C:\TDSSKiller_Quarantine
2012-02-11 17:01 . 2012-02-15 13:58 162816 -c--a-w- c:\windows...

Answer:rootkit.zeroaccess found/cured hopefully...but now I have no sound.

Hello and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me Agent ST for short), it's a pleasure to meet you. I'll be addressing you by your username, if you'd like me to address you by something else, please let me know!

I would be glad to take a look at your log and help you with solving any malware problems. If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
If I instruct you to download a specific tool in which you already have, please d...


McAfee cannot successfully remove ZeroAccess Trojans. It finds 6 different ZeroAccess Trojans as well as two others, Generic.dx!b2qj and Generic.dx!b2y4.

Also, McAfee firewall will not turn on.

Any help would be greatly appreciated. Thank you.
HijackThis and DDS Logs:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:15:53 PM, on 7/10/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16446)
Boot mode: Normal
Running processes:
C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe
C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe
C:\Program Files (x86)\Office Depot PC Support Agent\escont.exe
C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\Hewlett-Packard\HP QuickWeb\hpqwutils.exe
C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_3_300_257_ActiveX.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Anne\Desktop\HijackThis.exe
C:\Windows\SysWOW64\DllHost.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/H...

Answer:I Need Help Removing ZeroAccess Trojans Found by McAfee


Hello, Rkill has found ZEROACCESS rootkit symptoms on my desktop. Here is all that happened in the last 10 days of usage (I've been away 15 days).

On 11/8 AVG Resident Shield detected the following:

May be infected by unknown virus Win32/DH{LgMPNg} in "c:\Users\Marcello\AppData\Local\Temp\nmrxscaweo.exe"; Action taken:"Object is inaccessible."; Process:"C:\Windows\System32\cmd.exe"
May be infected by unknown virus Win32/DH{LgMPNg} in "c:\Users\Marcello\AppData\Local\Temp\nmrxscaweo.exe"; Action taken:"Moved to Virus Vault"; Process:"C:\Windows\System32\rundll32.exe"
Trojan horse BackDoor.Generic15.BHGZ in "c:\Users\Marcello\AppData\Local\{f0f4eb1d-0609-2b50-2c39-9e4219ad9f0b}\n"; Action taken:"Moved to Virus Vault"; Process:"C:\Windows\explorer.exe"

This folder is the same that is present in the Rkill report.

The last one had an unknown malware, and AVG killed 3 processes and deleted 2 files:
c:\Users\<username>\AppData\Local\Temp\MSIMG32.DLL
c:\Users\<username>\AppData\Local\Temp\AEMWROSXCN.EXE

Meanwhile, ZoneAlarm blocked several connection attempts. A full scan revealed trojan Java/Exploit.BAH, and I quarantined it. After that, whenever I reboot or log-off, my desktop resets the icons order to ...

Answer:ZEROACCESS rootkit symptoms found (after a few problems)

Please do the following:

Download Farbar Recovery Scan Tool and save it to a flash drive.
Plug the flashdrive into the infected PC.
Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
 * Restart the computer.
 * As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
 * Use the arrow keys to select the Repair your computer menu item.
 * Choose your language settings, and then click Next.
 * Select the operating system you want to repair, and then click Next.
 * Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
 * Insert the installation disc.
 * Restart your computer.
 * If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
 * Click Repair your computer.
 * Choose your language settings, and then click Next.
 * Select the operating system you want to repair, and then click Next.
 * Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
 * Startup Repair
 * System Restore
 * Windows Complete PC Restore
 * Windows Memory Diagnostic Tool
 * Command Prompt

 * Select Command Prompt
 * In the command window type in notepad and press Enter.
 * The notepad opens. Under File menu select Open.
 * Select "Computer" and find your flash drive letter and close the notepad.
 * In the command window type e:\frst.exe (for x64 bit version type e:\frst64) ...


Hi,
I need help with a virus infection.
 
PC: Windows 7 Ultimate Pro (64 bit)

A couple of weeks ago I picked up several viruses (Trojan.Gen2, Trojan.zeroacces.C, Trojan.zeroaccess!g46).  I ran the latest versions of the following programs.  I let them have control as to when to reboot, what to delete and fix. I also may have run them a couple of times (before and after Rkill).
 
Norton Internet Security
Norton Power Erasure
Malwarebytes
Rkill
TDSSKiller
Rogue Killer
AdwCleaner
 

The problem is that my computer seems to be running fine now, but Rkill is showing:
 

  * ALERT: ZEROACCESS rootkit symptoms found!
     * C:\Program Files (x86)\Google\Desktop\Install\{c188de62-ae0f-52a9-c1fc-069d92d5d13a}\ [ZA Dir]
     * C:\Program Files (x86)\Google\Desktop\Install\{c188de62-ae0f-52a9-c1fc-069d92d5d13a}\   \ [ZA Dir]
     * C:\Program Files (x86)\Google\Desktop\Install\{c188de62-ae0f-52a9-c1fc-069d92d5d13a}\   \...\ [ZA Dir]
     * C:\Program Files (x86)\Google\Desktop\Install\{c188de62-ae0f-52a9-c1fc-069d92d5d13a}\   \...\ﯹ๛\ [ZA Dir]
     * C:\Program Files (x86)\Google\Desktop\Install\{c188de62-ae0f-52a9-c1fc-069d92d5d13a}\   \...\ﯹ๛\{c188de62-ae0f-52a9-c1fc-069d92d5d13a}\ [ZA Dir]
 
 

The full text is below.
 
 
My question:  Am I still infected?
...

Answer:ZEROACCESS rootkit symptoms found! - by Rkill

Hello tweeettweeet, I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.

Very Important --> Please read this post completely, I have spent my time to put together some things for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!

Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the s...

Answer:RKill : ZEROACCESS rootkit symptoms found

deleted


Hello, I was requested to post a new topic in this forum. My earlier thread is here: http://www.bleepingcomputer.com/forums/t/501452/need-advice-ive-removed-0access-from-my-system-but-now-what/ 
Boopme has been helping me, and thinks there is still something left on my system, so that I still need help in finding/removing whatever is left. Thanks in advance :-)
 
In review: I had my system infected 3-4 weeks ago (through a Java exploit), couldn't find what it was for a while, but it had disabled MSE, BFE service, Windows firewall and some other stuff. I got MSE working again and scanned with it, it removed a Java exploit and a trojan dropper. Then I kept scanning with various scanners, not finding anything else, till I used MBAR which found 15 Backdoor 0Access and removed them. 
When boopme had me run TDSSKiller with the TDLFS file system option, it found this thing: Device\Harddisk0\DR0 ( TDSS File System ), which we then removed. 
Windows Updates are still not working for me (80073712), and neither is sfc /scannow or checkSUR, just fyi. But that probably doesn't matter, if I have to format and reinstall at some point anyway, right?
 
Here is DDS log from tonight:
 
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16476  BrowserJavaVersion: 10.25.2
Run by Leaf at 21:56:38 on 2013-07-22
Microsoft Windows 7 Home Premium   6.1.7600.0.1252.1.1033.18.2940.1780 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/...

Answer:Found/removed ZeroAccess with MBAR; what is left ?

Hi there, my name is Marius and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully.
 * First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
 * Perform everything in the correct order. Sometimes one step requires the previous one.
 * If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
 * Do not run any other scans without instruction or Add/Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
 * Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you cannot post all logfiles in one reply, feel free to use more posts.
 * If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
 * Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
 * My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Scan with Gmer rootkit scanner

Please download Gmer from here by clicking on the "Download EXE" Button. Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent. If it gives you a warning about rootkit activity and asks if yo...


Hi
 
I have been told to continue my previous topic in this section.
Already scanned my system as told with superantispyware, eset scanner, spybot S-D, Malwarebytes and AdwCleaner.
 
dds log:
 
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16502  BrowserJavaVersion: 10.25.2
Run by lal at 18:38:03 on 2013-09-05
#Option MBR scan  is disabled.
Microsoft® Windows Vista™ Ultimate   6.0.6002.2.1252.31.1033.18.2046.481 [GMT 2:00]
.
AV: ESET Smart Security 6.0 *Enabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
SP: ESET Smart Security 6.0 *Enabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: ESET Personal firewall *Enabled* {4FE52EC8-CB26-1113-0EFE-8842E2773BAA}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\SLsvc.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Windows\System32\alg.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Windows\System32\msdtc.exe
C:\Windows\system32\locator.exe
C:\Windows\system32\vssvc.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\iashost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\ESET... Read more

Answer:Alert zeroaccess rootkit symptoms found

Thank you everyone, this problem is over now. The rootkits zeroaccess are cleaned.

2 more replies

Tried running malwarebytes and removed two problems but did not fix the problem. McAfee still finding trojan and firewall continues to turn itself off. Help is appreciated on where to start. Thanks.
 
Virus I believe came off of a video file from a co-workers hard drive. I knew better than to install an unknown codec but it looked like the file for windows media player and started it without paying close enough attention. There was also no cancel button.
 
Will get DDS downloaded and a log up tomorrow. All I have at the moment is work access which I can not download from.

Answer:windows 7 zeroAccess-FAT!CBB5F2DB64C0 virus found

to BC Forums, ars2210!! Please do the following...    Download the Farbar Recovery Scan Tool:Link: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/Select the version that applies to your system.Save it to your Desktop. Double-click the downloaded file to run it.When the tool opens click Yes to the disclaimer. Press the Scan button. The tool creates a log (FRST.txt) in the same directory from which the tool is run (Desktop).Please provide the FRST.txt in your reply. The first time the tool is run, it also makes another log: Addition.txtAlso post the Addition.txt in your reply.  Next, download the Farbar Service Scanner:Link: http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/Save to the Desktop  Make sure the following options are checked:Internet Services Windows Firewall System Restore Security Center Windows Update Windows Defender  Press: Scan  When done, FSS creates a log, FSS.txt, on the Desktop.  Please provide the FSS.txt in your reply. 

20 more replies

I have run FixZeroAccess - RootkitRemover - AdwCleaner - ComboFix - FRST - Junkware Removal Tool - TDSSKiller - and Microsoft Fix it 50535
 
And nothing changes.  When I first got the virus it changed the proxy settings and I could not do anything, but I was able to do a system recovery and hoped that would fix my problem.  It did fix the proxy problem and the computer is running fine now, but I know that if ZeroAccess is there then my fix will be short lived.  Please help.
 
   

Answer:Rkill says I have zeroaccess rootkit symptoms found

Hello sharongv,Welcome to Bleeping Computer.My name is fireman4it and I will be helping you with your Malware problem.Please take note of some guidelines for this fix:Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.If you do not understand any step(s) provided, please do not hesitate to ask before continuing.Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".In the upper right hand corner of the topic you will see a button called Follow This Topic.I suggest you click it and select Immediate E-Mail notification and click on Follow This Topic. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.Finally, please reply using the Post button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.I will be analyzing your log. I will get back to you with instructions.1.Download AdwCleanerDouble click on AdwCleaner.exe to run the tool.***Note: Windows Vista and Windows 7 users:Right click in the adwCleaner.exe and select "Run as administrator"Click the Scan button.A logfile will automatically open after the scan has finished.Please post the content of that logfile in your next reply.Or you can find... Read more

19 more replies

Symptoms on computer:
 
1. started with Adobe Reader trying to open all exe files 
2. ran Malwarebytes Chameleon
3. removed all Adobe products
RESOLVED: can now open exe files regularly
 
BUT, RKill tells me the following:
Program started at: 08/11/2014 11:23:36 AM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * No malware processes found to kill.
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * SMTMP folder detected. Please see this link for more information: http://www.bleepingcomputer.com/forums/topic405109.html
 
 * ALERT: ZEROACCESS rootkit symptoms found!
 
     * C:\Users\Koko FitClub\AppData\Local\Google\Desktop\Install\{ca9c78ba-8955-5f3d-2240-222e9df81e8e}\ [ZA Dir]
     * C:\Users\Koko FitClub\AppData\Local\Google\Desktop\Install\{ca9c78ba-8955-5f3d-2240-222e9df81e8e}\❤≸⋙\ [ZA Dir]
     * C:\Users\Koko FitClub\AppData\Local\Google\Desktop\Install\{ca9c78ba-8955-5f3d-2240-222e9df81e8e}\❤≸⋙\Ⱒ☠⍨\ [ZA Dir]
     * C:\Users\Koko FitClub\AppData\Local\Google\Desktop\Instal... Read more

Answer:ZEROACCESS rootkit symptoms found via RKill

Please do the following:Please download the appropriate version of Farbar Recovery Scan Tool (FRST.exe) from here:http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/ (for 32bit systems)http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/ (for 64bit systems)save it to your desktop.Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.Double-click to run it. When the tool opens click Yes to disclaimer.Press Scan button.It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.NEXTPlease download Malwarebytes Anti-Rootkit (MBAR) from here and save it to your desktop.(Direct link to the file: http://downloads.malwarebytes.org/file/mbar)Be sure to print out and follow the instructions provided on that same page.Caution: This is a beta version so please be sure to read the disclaimer and back up any important data before using.Doubleclick on the MBAR file you downloaded and approve the UAC prompt in Vista and newer operating systems.Click OK on the next screen, to allow the package to extract the contents of the file to its own folder, mbar.mbar.exe will launch automatically. On some systems, this may take a... Read more

2 more replies

Hi, This is my original post:  http://www.bleepingcomputer.com/forums/t/527610/chase-online-wont-recognize-my-computer-after-running-combofix-jrt-and-adwclea/?view=getnewpost
 
Quietman7 told me to run dds and post the logs here and reference this original post, so this is what I'm doing. 
 
Combofix said it found ZeroAccess and attempted to removed it.  It seemed to hang up mid-way for quite some time so I rebooted and ran it again and this time it completed.  Then I ran Symantec's ZeroAccess tool and it didn't find anything.  But quietman7 said the logs should be reviewed by the experts (which I am certainly not).  To be honest I wasn't even really concerned about this, my original post was because after running Junkware Removal Tool, Combofix and Adwcleaner something got erased that allowed Chase online to recognize my computer.  Now every single time I want to check my accounts online I have to call in for a security code.  This is the problem I was trying to fix by joining this forum.  I did not have this problem before running the cleaners (all sequentially) only after.
 
Thank you for your help!!!  I am also attaching the JRT log created when it ran.

 

Answer:Ran Combofix, found ZeroAccess, logs attached

Hello ValleA I would like to welcome you to the Malware Removal section of the forum.Around here they call me Gringo and I will be glad to help you with your malware problems.Very Important --> Please read this post completely, I have spent my time to put together somethings for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!Please do not run any tools unless instructed to do so.We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.Please do not attach logs or use code boxes, just copy and paste the text.Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.Please read every post completely before doing anything.Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.Please provide feedback about your experience as we go.A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", ... Read more

37 more replies

Hello, my computer started acting strange a few days ago - high CPU usage (svchost.exe), so I scanned it with Rkill in Safe Mode and found some ZEROACCESS rootkit symptoms with strange symbols. Can anyone tell me what I should do?
 
Thanks
 
Rkill 2.8.3 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2016 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html
 
Program started at: 02/16/2016 11:02:25 AM in x86 mode. (Safe Mode)
Windows Version: Windows 7 Professional Service Pack 1
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * No malware processes found to kill.
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * ALERT: ZEROACCESS rootkit symptoms found!
 
     * C:\Program Files\Google\Desktop\Install\{4aecd907-3b82-95f9-97f5-260548199d17}\ [ZA Dir]
     * C:\Program Files\Google\Desktop\Install\{4aecd907-3b82-95f9-97f5-260548199d17}\   \ [ZA Dir]
     * C:\Program Files\Google\Desktop\Install\{4aecd907-3b82-95f9-97f5-260548199d17}\   \...\ [ZA Dir]
     * C:\Program Files\Google\Desktop\Install\... Read more

Answer:Rkill - ZEROACCESS rootkit symptoms found!

Hi Gile, my name is Aura and I'll be assisting you with your issue. To get started, I'll need you to provide me a fresh set of FRST logs. Follow the instructions below please. Farbar Recovery Scan Tool (FRST) - Scan mode. Follow the instructions below to download and execute a scan on your system with FRST, and provide the logs in your next reply. Right-click on the executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users); Accept the disclaimer by clicking on Yes, and FRST will then do a back-up of your Registry which should take a few seconds; Check the Addition.txt option; Click on the Scan button; On completion, two message boxes will open, saying that the results were saved to FRST.txt and Addition.txt, then two Notepad files open; Copy and paste the content of FRST.txt in your next reply, and attach Addition.txt to it. Your next reply should include: Copy/pasted content of the FRST.txt log; Copy/pasted content of the Addition.txt log.

31 more replies

Need help please. I ran Rkill and the log has "ALERT: ZEROACCESS rootkit symptoms found!", I'm assuming this is not a good thing? I am a noob to computer stuff. Here is the Rkill log. Do I have a virus? What should I do now?

Rkill 2.4.5 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 12/30/2012 12:59:26 AM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* No malware processes found to kill.

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* ALERT: ZEROACCESS rootkit symptoms found!

* HKEY_CLASSES_ROOT\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32 [ZA Reg Hijack]
* C:\Users\Elan\AppData\Local\{7e477a91-d9cb-b2e3-5d2a-8988a4d79a22}\ [ZA Dir]
* C:\Users\Elan\AppData\Local\{7e477a91-d9cb-b2e3-5d2a-8988a4d79a22}\@ [ZA File]
* C:\Users\Elan\AppData\Local\{7e477a91-d9cb-b2e3-5d2a-8988a4d79a22}\L\ [ZA Dir]
* C:\Users\Elan\AppData\... Read more

Answer:ALERT: ZEROACCESS rootkit symptoms found!

Please follow the instructions in ==>This Guide<== starting at Step 6. If you cannot complete a step, skip it and continue.Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<== Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

2 more replies

I was told to post this and start at step six by another moderator in the help forum after running Malwarebytes and posting the logs. My computer is freezing and running terribly. I tried running DDS as told and it starts and then stops about three quarters of the way through, so I am unable to post the logs from it as I was directed. Please help as this is the computer that I use for my home business. Thanks in advance for anything you can do.

Answer:ALERT: ZEROACCESS rootkit symptoms found!

Hello bigjimoo and welcome to Bleeping Computer!
I am D-FRED-BROWN and I will be helping you.
Please print or save this topic. It will make it easier for you to follow the instructions and complete all of the necessary steps.
----------Step 1----------------
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Double-click on TDSSKiller.exe to run the tool for known TDSS variants.Vista/Windows 7 users right-click and select Run As Administrator.
If TDSSKiller does not run, try renaming it.
To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
Click the Start Scan button.
Do not use the computer during the scan
If the scan completes with nothing found, click Close to exit.
If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.Note: If Cure is not an option, Skip instead, do not choose Delete unless instructed.
A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
Copy and paste the contents of that file in your next reply.
----------Step 2----------------
Please... Read more

1 more replies

When i ran rkill.exe it is showing following alert.
 
 * ALERT: ZEROACCESS rootkit symptoms found!
 
     * HKEY_CLASSES_ROOT\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32 [ZA Reg Hijack]
     * HKEY_CLASSES_ROOT\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32 [ZA Reg Hijack]
     * C:\$Recycle.Bin\S-1-5-18\$222522a578fac5c22f2a3bcc81224072\ [ZA Dir]
     * C:\$Recycle.Bin\S-1-5-18\$222522a578fac5c22f2a3bcc81224072\@ [ZA File]
     * C:\$Recycle.Bin\S-1-5-18\$222522a578fac5c22f2a3bcc81224072\L\ [ZA Dir]
     * C:\$Recycle.Bin\S-1-5-18\$222522a578fac5c22f2a3bcc81224072\n [ZA File]
     * C:\$Recycle.Bin\S-1-5-18\$222522a578fac5c22f2a3bcc81224072\U\ [ZA Dir]
     * C:\$Recycle.Bin\S-1-5-18\$222522a578fac5c22f2a3bcc81224072\U\[email protected] [ZA File]
     * C:\$Recycle.Bin\S-1-5-18\$222522a578fac5c22f2a3bcc81224072\U\[email protected] [ZA File]
     * C:\$Recycle.Bin\S-1-5-18\$222522a578fac5c22f2a3bcc81224072\U\[email protected] [ZA File]
     * C:\$Recycle.Bin\S-1-5-21-3140297160-3106756125-792325025-1000\$222522a578fac5c22f2a3bcc81224072\ [ZA Dir]
     * C:\$Recycle.Bin\S-1-5-21-3140297160-3106756125-792325025-1000\$222522a578fac5c22f2a3bcc81224072\@ [ZA File]
     * C:\$Recycle.Bin\S-1-5-21-3140297160-3106756125-792325025-1000\$222522a578fac5c22f2a3bcc81224072\L... Read more

Answer:Rkill alerts me ZEROACCESS rootkit symptoms found!

Hi there, my name is Marius and I will be assisting you with your Malware related problems. Before we move on, please read the following points carefully. First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding. Perform everything in the correct order. Sometimes one step requires the previous one. If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem. Do not run any other scans without instruction or Add/Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me. Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts. If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed. Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean. My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding. Please download Malwarebytes Anti-Rootkit from here (Malwarebytes : Malwarebytes Anti-Rootkit) and save it to your desktop. Be sure to print out and follow the instructions provided on that same page. Caution: This is a beta version so please be sure to read the dis... Read more

4 more replies

Hi guys, I have run malwarebytes and rkill. The results are the following:


Code:
* ALERT: ZEROACCESS rootkit symptoms found!

* C:\Windows\Installer\{2b524474-7c58-2ccb-2efa-8d9df2ff344d}\ [ZA Dir]
* C:\Windows\Installer\{2b524474-7c58-2ccb-2efa-8d9df2ff344d}\L\ [ZA Dir]
* C:\Windows\Installer\{2b524474-7c58-2ccb-2efa-8d9df2ff344d}\L\[email protected] [ZA File]
* C:\Windows\Installer\{2b524474-7c58-2ccb-2efa-8d9df2ff344d}\L\201d3dde [ZA File]
* C:\Windows\Installer\{2b524474-7c58-2ccb-2efa-8d9df2ff344d}\L\76603ac3 [ZA File]
* C:\Windows\Installer\{2b524474-7c58-2ccb-2efa-8d9df2ff344d}\U\ [ZA Dir]

Checking Windows Service Integrity:

* Base Filtering Engine (BFE) is not Running.
Startup Type set to: Automatic

* Windows Update (wuauserv) is not Running.
Startup Type set to: Disabled

* Windows Firewall Authorization Driver (mpsdrv) is not Running.
Startup Type set to: Manual

* iphlpsvc [Missing Service]
* MpsSvc [Missing Service]
* WinDefend [Missing Service]
* wscsvc [Missing Service]

* SharedAccess [Missing ImagePath]
Should I be worry about this? Thanks!

Answer:ZEROACCESS rootkit symptoms found, and missing some Services

Hello Rus, mate, run TDSSKiller from this; there are more you can run if it doesn't work, but it is usually pretty good.
Best Free Rootkit Scanner and Remover

Let us know how it goes, and there is another option if it doesn't cure the problem.

9 more replies
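The two checks RKill reports in the log above ("[ZA Dir]" entries and "[Missing Service]" entries) can be reproduced as a stand-alone scan over a directory listing and a service list. The Python below is an added example written for this page; it is not RKill's code and was not posted in the thread. The directory heuristic is reconstructed from the paths quoted in these threads (a folder named like a GUID in braces, or "$" followed by 32 hex digits under a $Recycle.Bin SID folder, containing "@", "L", "U" and on some hosts "n"), the expected-service list is taken from the services the logs show as missing, stopped or disabled, and every input path and service name is a constructed sample.

```python
import re
from typing import Dict, Iterable, List, Set

# Heuristic reconstructed from the RKill output quoted in these threads
# (this is NOT RKill's own code): ZeroAccess kept its files in a folder
# named either like a GUID in braces or "$" + 32 hex digits under a
# $Recycle.Bin SID folder, and that folder held a file "@", subfolders
# "L" and "U", and on some hosts a file "n".
GUID_DIR = re.compile(
    r"\\\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I)
RECYCLE_DIR = re.compile(
    r"\\\$recycle\.bin\\s-1-5-[0-9-]+\\\$[0-9a-f]{32}$", re.I)
ZA_MARKERS = {"@", "l", "u"}          # compared case-insensitively

# Services the RKill logs in these threads report as missing, stopped or
# disabled; ZeroAccess removed them to blind the firewall and Defender.
EXPECTED_SERVICES = ["BFE", "MpsSvc", "WinDefend", "wscsvc",
                     "iphlpsvc", "wuauserv", "SharedAccess"]


def suspicious_dirs(paths: Iterable[str]) -> List[str]:
    """Return directories that look like ZeroAccess containers.

    paths is a flat listing of absolute Windows paths (files and folders),
    e.g. the output of "dir /s /b". A folder is flagged only when its name
    matches one of the two schemes AND at least two of the marker children
    (@, L, U) sit directly under it; the GUID name alone would flag every
    legitimate MSI cache folder under Windows\\Installer.
    """
    norm = [p.rstrip("\\") for p in paths]
    children: Dict[str, Set[str]] = {}
    for p in norm:
        parent, _, name = p.lower().rpartition("\\")
        children.setdefault(parent, set()).add(name)
    hits = []
    for d in norm:
        if not (GUID_DIR.search(d) or RECYCLE_DIR.search(d)):
            continue
        if len(children.get(d.lower(), set()) & ZA_MARKERS) >= 2:
            hits.append(d)
    return sorted(set(hits))


def missing_services(registered: Iterable[str]) -> List[str]:
    """Report expected security/network services absent from the SCM list."""
    present = {s.lower() for s in registered}
    return sorted((s for s in EXPECTED_SERVICES if s.lower() not in present),
                  key=str.lower)


# Constructed sample input (not taken from any real host in the thread).
SAMPLE_PATHS = [
    r"C:\Windows\Installer\{2b524474-7c58-2ccb-2efa-8d9df2ff344d}",
    r"C:\Windows\Installer\{2b524474-7c58-2ccb-2efa-8d9df2ff344d}\L",
    r"C:\Windows\Installer\{2b524474-7c58-2ccb-2efa-8d9df2ff344d}\L\201d3dde",
    "C:\\Windows\\Installer\\{2b524474-7c58-2ccb-2efa-8d9df2ff344d}\\U\\",
    # a benign MSI cache folder: GUID name, but no marker children
    r"C:\Windows\Installer\{11111111-2222-3333-4444-555555555555}",
    r"C:\Windows\Installer\{11111111-2222-3333-4444-555555555555}\setup.ico",
    r"C:\$Recycle.Bin\S-1-5-18\$222522a578fac5c22f2a3bcc81224072",
    r"C:\$Recycle.Bin\S-1-5-18\$222522a578fac5c22f2a3bcc81224072\@",
    r"C:\$Recycle.Bin\S-1-5-18\$222522a578fac5c22f2a3bcc81224072\L",
    r"C:\$Recycle.Bin\S-1-5-18\$222522a578fac5c22f2a3bcc81224072\n",
    r"C:\$Recycle.Bin\S-1-5-18\$222522a578fac5c22f2a3bcc81224072\U",
    r"C:\Users\alice\AppData\Local\Temp\x.tmp",
]
SAMPLE_SERVICES = ["BFE", "wuauserv", "mpsdrv", "SharedAccess",
                   "Dhcp", "Dnscache", "EventLog"]

if __name__ == "__main__":
    for d in suspicious_dirs(SAMPLE_PATHS):
        print("[ZA Dir]", d)
    for s in missing_services(SAMPLE_SERVICES):
        print("[Missing Service]", s)
```

On a live host, feed suspicious_dirs() the output of "dir C:\ /s /b /a" and missing_services() the names from "sc query type= service state= all"; a hit from either function is a reason to follow the thread's advice and post logs for review rather than delete anything by hand, since the folder is usually locked by the rootkit's own ACLs and the services must be recreated, not just restarted.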

Hello! Welcome to BleepingComputer Forums!
My name is Georgi and and I will be helping you with your computer problems.
Before we begin, please note the following:
I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
The logs can take some time to research, so please be patient with me.
Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
Instructions that I give are for your system only!
Please do not run any tools until requested ! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.
 
 
Please download Farbar Recovery Scan Tool and save it to your desktop. Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your re... Read more

Answer:svchost.exe playing audio, found zeroaccess on my computer

Thank you Georgi for taking the time looking into this....
 
FRST.txt
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 02-01-2014
Ran by Johnny (administrator) on JOHNNY-PC on 02-01-2014 20:31:40
Running from C:\Users\Johnny\Desktop
Windows 7 Ultimate (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore64.exe
(Apache Software Foundation) C:\AppServ\Apache2.2\bin\httpd.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Apache Software Foundation) C:\AppServ\Apache2.2\bin\httpd.exe
(Cisco Systems, Inc.) C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe
(FileZilla Project) C:\Program Files (x86)\FileZilla Server\FileZilla server.exe
(Fitbit, Inc.) C:\Program Files (x86)\Fitbit\fitbit.exe
(Fitbit, Inc.) C:\Program Files (x86)\Fitbit Connect\FitbitConnectService.exe
(Microsoft Corporation) C:\Windows\System32\msiexec.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\... Read more

10 more replies

As requested you will find the attach.txt log attached in zipped format and here is my DDS log file:
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.16428  BrowserJavaVersion: 10.45.2
Run by Eugenia at 16:11:58 on 2013-12-06
#Option Extended Search is enabled.
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3895.2504 [GMT -6:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
AV: Norton Internet Security *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
SP: Norton Internet Security *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k netsvcs
C:\Program Files\IDT\WDM\STacSV64.exe
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k L... Read more

Answer:Windows 7 laptop ZEROACCESS rootkit symptoms found

Hello jackhammer I would like to welcome you to the Malware Removal section of the forum.Around here they call me Gringo and I will be glad to help you with your malware problems.Very Important --> Please read this post completely, I have spent my time to put together somethings for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!Please do not run any tools unless instructed to do so.We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.Please do not attach logs or use code boxes, just copy and paste the text.Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.Please read every post completely before doing anything.Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.Please provide feedback about your experience as we go.A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the sam... Read more

16 more replies

I think I have a virus that has outsmarted my Trend Micro Titanium version and Malwarebytes. I ran the full scans several times with no results. I see small blue and yellow shields attached to the front of my Malwarebytes, Trend Micro, and my Kodak printer icons on my desktop. I think this has something to do with the virus. I ran Rkill in Safe Mode and ran Malwarebytes in Safe Mode, but Trend Micro made me get out of Safe Mode to run it. * Also, when I entered Safe Mode the first time it said that my Recycle Bin was corrupted. Delete contents? So, I deleted the contents. Then when I booted up in Safe Mode again another time it said my Recycle Bin was corrupted again. Delete contents? So, I did.....   But it didn't have anything in it anyway, so that was weird.

Answer:ran rkill and got this msg: * ALERT: ZEROACCESS rootkit symptoms found!

The best way to remove this is by starting a new topic with this ..... Please follow this Preparation Guide and post in a new topic.Let me know if all went well.

7 more replies

Hi guys,
 
I ran Rkill on my machine after I thought it was not running so smoothly...
 
The results showed that rootkit symptoms have been found. Could you guys please help me to resolve this...
 
Below is the Rkill report:
 
 
Rkill 2.8.2 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2015 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html
 
Program started at: 11/05/2015 04:29:41 PM in x86 mode.
Windows Version: Windows Vista ™ Home Basic Service Pack 2
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * No malware processes found to kill.
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * ALERT: ZEROACCESS rootkit symptoms found!
 
     * C:\Windows\Installer\{6bd5e82b-ccf9-bd2c-3daf-70d2acba6466}\ [ZA Dir]
     * C:\Windows\Installer\{6bd5e82b-ccf9-bd2c-3daf-70d2acba6466}\L\ [ZA Dir]
     * C:\Windows\Installer\{6bd5e82b-ccf9-bd2c-3daf-70d2acba6466}\L\[email protected] [ZA File]
     * C:\Windows\Installer\{6bd5e82b-ccf9-bd2c-3daf-70d2acba6466}\L\1afb2d56 [ZA Fil... Read more

Answer:Rkill found Zeroaccess Rootkit Symptoms! Win Vista SP2

Hello ndonaldson2912 and Welcome to the BleepingComputer.   
 My name is Yılmaz and I'll help you with the cleanup of malware from your computer.
Before we move on, please read the following points carefully.
Please complete all steps in the specified order.
Even if tools don't find malware, I want you to post the logfiles anyway.
Please copy and paste the logfiles directly into your posts. Please do not attach them unless you are instructed to do so.
Read the instructions carefully. If you have problems, stop what you  were doing and describe the problems you encountered as precisely as  you can.
Don't install or uninstall software during the cleanup unless you are told to do so.
Ensure your external and/or USB drives are always inserted during the scan.
If you can't answer for the next few days, please let me know. If you haven't answered within 5 days, I will assume that you don't need help anymore and your topic will be closed.
I can not guarantee that we will find and be able to remove all  malware. The cleaning process is not instant. Please continue to review  my answers until I tell you that your computer is clean
Please reply to this thread. Do not start a new topic
As my first language is not English, please do not use slang or idioms. It could be hard for me to understand.
Please open the computer as administrator. How do you open the computer as administrator?
Disable your AntiVirus and AntiSpyware applic... Read more

11 more replies

Ran rkill and got "ALERT: ZEROACCESS rootkit symptoms found!" Any help would be appreciated.
 
 
 
Rkill 2.8.2 by Lawrence Abrams (Grinler)http://www.bleepingcomputer.com/
Copyright 2008-2015 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html
Program started at: 11/12/2015 02:23:05 AM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1
Checking for Windows services to stop:
 * No malware services found to stop.
Checking for processes to terminate:
 * No malware processes found to kill.
Checking Registry for malware related settings:
 * No issues found in the Registry.
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
Performing miscellaneous checks:
 * Windows Defender Disabled
   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001
 * ALERT: ZEROACCESS rootkit symptoms found!
     * C:\Users\Roger\AppData\Local\{1268dd72-fe71-cce5-9387-5a1bb43f1e21}\ [ZA Dir]
     * C:\Users\Roger\AppData\Local\{1268dd72-fe71-cce5-9387-5a1bb43f1e21}\L\ [ZA Dir]
     * C:\Users\Roger\AppData\Local\{1268dd72-fe71-cce5-9387-5a1bb43f1e21}\U\ [ZA Dir]
Checking Windows Service Integrity:
 * No issues found.
Searching for Missing Digital Signatures:
 * No issues found.
Checking HOSTS File:
 * Cannot edit the HOST... Read more

Answer:rkill: "ALERT: ZEROACCESS rootkit symptoms found!"

Hi & to Bleeping Computer Forums!
My name is Jürgen and I will be assisting you with your Malware related problems. Before we move on, please read the following points carefully:
My native language isn't English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.
Please read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
Perform everything in the correct order. Sometimes one step requires the previous one.
If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
If you have illegal/cracked software, cracks, keygens, etc. on the system, please remove or uninstall them now!
Do not run any other scans without instruction or Add/Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
If I don't hear from you within 5 days from this initial or any subsequent post, then this thread will be closed.
If I don't reply within 24 hours please PM me!
Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.

Step 1
Please download Combofix (by sUBs) and save it to your Desktop.
Disable the realtime-protection ... Read more

13 more replies

My computer started slowing and wouldn't connect to the internet after a file download. I did a system restore to a week ago when the laptop was running well. After that, it still had the same symptoms, so I did various scans. Malwarebytes Anti-Malware can find no further threats, but Rkill still says rootkit symptoms found. The laptop is manageable as long as the wifi is off. If connected to the internet, it becomes unresponsive.
 
Here is dds log:
 
 

DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 9.0.8112.16470
Run by shock at 14:06:03 on 2015-01-19
Microsoft Windows 7 Home Premium   6.1.7600.0.1252.1.1033.18.2520.1284 [GMT -5:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_afc3018f8cfedd20\STacSV64.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRYSVC.EXE
C:\Windows\system32\WLANExt.exe
C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe
C:\Windows\System32\spoolsv.exe
C:... Read more

Answer:Rkill says *Alert: zeroaccess rootkit symptoms found!

Hi & to Bleeping Computer Forums!
My name is Jürgen and I will be assisting you with your Malware related problems. Before we move on, please read the following points carefully:
My native language isn't English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.
Please read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
Perform everything in the correct order. Sometimes one step requires the previous one.
If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
Do not run any other scans without instruction or Add/Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
If I don't hear from you within 5 days from this initial or any subsequent post, then this thread will be closed.
If I don't reply within 24 hours please PM me!
Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.

Step 1
Please run a FRST scan. This will help us diagnose your problem.
Please download Farbar Recovery Scan Tool and save it to your Desktop.
(If you are not sure which version (32-/64-bit) applies to your system, d... Read more

26 more replies

Hi
I'm helping a friend and ComboFix found and apparently cleaned ZeroAccess. However, it looks like there is other stuff that should be cleaned.
Thank you for the help.
Jim

ComboFix 13-02-20.01 - xxxxxx 02/20/2013  16:55:53.4.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.3191.1436 [GMT -6:00]
Running from: c:\documents and settings\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Norton 360 Premier Edition *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 Premier Edition *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\CRAIGB~1\LOCALS~1\Temp\{16AA8FB8-4A98-4757-B7A5-0FF22C0A6E33}_1101_1\dbdata11.dll
c:\documents and settings\Craig xxxxxx\Local Settings\Temp\{16AA8FB8-4A98-4757-B7A5-0FF22C0A6E33}_1101_1\dbdata11.dll
c:\documents and settings\Desktop\ComboFix.exe
c:\documents and settings\Desktop\sc-cleaner.exe
.
.
(((((((((((((((((((((((((   Files Created from 2013-01-20 to 2013-02-20  )))))))))))))))))))))))))))))))
.
.
2013-02-20 23:11 . 2013-02-20 23:11 -------- d-----w- c:\windows\LastGood.Tmp
2013-02-20 18:09 . 2013-02-20 18:59 -------- d-----w- c:\documents and settings\Desktop\Office Ally ERAs
2013-02-20 08:16 . 2013-02-20 08:16 60872 ----a-w- c:\documents and s... Read more

Answer:Combofix found ZeroAccess rootkit - want to ensure it is cleaned

Hello whatisavailable, Welcome to The Forums!!
Around here they call me Gringo and I'll be glad to help you with your malware problems.
Very Important --> Please read this post completely. I have spent my time to put together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!
Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking ba... Read more

37 more replies

Even after running various malware and virus checks, Rkill says there are symptoms of ZeroAccess.
 
* c:\Windows\assembly\GAC_32\Desktop.ini [ZA File]
* c:\Windows\assembly\GAC_64\Desktop.ini [ZA File]
 
Not sure where to go from here. Please help!
 
Trish

Answer:Rkill says *Alert: zeroaccess rootkit symptoms found!

We need to repost... Please follow this Preparation Guide, do steps 6, 7 and 8 and post in a new topic. Let me know if all went well.

3 more replies
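The Rkill output quoted in the first thread above (the `{GUID}` folder under `AppData\Local` with its `L\` and `U\` subfolders, tagged `[ZA Dir]`) and the two `Desktop.ini` lines in the `GAC_32`/`GAC_64` folders in the last post (tagged `[ZA File]`) share one indicator format. When several such logs arrive at once it helps to pull those lines out mechanically and sort them by where on disk they sit. The following Python is an added example, not code from Rkill, BleepingComputer or any poster here. The sample log is constructed from the indicator lines quoted in these threads; the location labels are names chosen for this example, and the `$Recycle.Bin\<SID>\$<hex>` pattern is taken from the path in the OTM fix later on this page.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed Rkill output for this example, assembled from the indicator lines
# posted in the threads above. It is not a complete log from any one machine.
SAMPLE_LOG = r"""Rkill 2.8.2 by Lawrence Abrams (Grinler)
Program started at: 11/12/2015 02:23:05 AM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1
Checking for Windows services to stop:
 * No malware services found to stop.
Performing miscellaneous checks:
 * Windows Defender Disabled
   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001
 * ALERT: ZEROACCESS rootkit symptoms found!
     * C:\Users\Roger\AppData\Local\{1268dd72-fe71-cce5-9387-5a1bb43f1e21}\ [ZA Dir]
     * C:\Users\Roger\AppData\Local\{1268dd72-fe71-cce5-9387-5a1bb43f1e21}\L\ [ZA Dir]
     * C:\Users\Roger\AppData\Local\{1268dd72-fe71-cce5-9387-5a1bb43f1e21}\U\ [ZA Dir]
     * c:\Windows\assembly\GAC_32\Desktop.ini [ZA File]
     * c:\Windows\assembly\GAC_64\Desktop.ini [ZA File]
Checking Windows Service Integrity:
 * No issues found.
"""

# One indicator line inside the ZEROACCESS alert block: "* <path> [ZA Dir|ZA File]".
ZA_LINE = re.compile(r"^\s*\*\s+(?P<path>.+?)\s+\[(?P<tag>ZA (?:Dir|File))\]\s*$")

# Location classes drawn from the paths quoted in these threads. The labels are
# chosen for this example and are not Rkill's own terminology.
KNOWN_LOCATIONS = [
    # %LOCALAPPDATA%\{GUID}\ and its L\ and U\ subfolders
    ("appdata-guid", re.compile(r"\\AppData\\Local\\\{[0-9a-f-]{36}\}\\(?:[LU]\\)?$", re.I)),
    # Desktop.ini dropped into the 32- and 64-bit GAC folders
    ("gac-desktop-ini", re.compile(r"\\Windows\\assembly\\GAC_(?:32|64)\\Desktop\.ini$", re.I)),
    # $Recycle.Bin\<SID>\$<32 hex chars>\... (the path the OTM fix on this page targets)
    ("recyclebin-hex", re.compile(r"\\\$Recycle\.Bin\\S-1-5-21-[\d-]+\\\$[0-9a-f]{32}(?:\\.*)?$", re.I)),
]


@dataclass(frozen=True)
class Indicator:
    path: str
    tag: str       # "ZA Dir" or "ZA File", as printed by Rkill
    location: str  # one of the KNOWN_LOCATIONS labels, or "unrecognised"


def classify(path):
    """Map a flagged path onto one of the location classes above."""
    for label, pattern in KNOWN_LOCATIONS:
        if pattern.search(path):
            return label
    return "unrecognised"


def parse_rkill(text):
    """Extract the ZeroAccess indicators and the Defender-disabled finding from an Rkill log."""
    indicators = []
    defender_disabled = False
    for line in text.splitlines():
        if '"DisableAntiSpyware" = dword:00000001' in line:
            defender_disabled = True
        m = ZA_LINE.match(line)
        if m:
            indicators.append(Indicator(m["path"], m["tag"], classify(m["path"])))
    return indicators, defender_disabled


def summarise(text):
    """Counts per location class plus the Defender flag, for triaging several logs at once."""
    indicators, defender_disabled = parse_rkill(text)
    return {
        "total": len(indicators),
        "by_location": dict(Counter(i.location for i in indicators)),
        "defender_disabled": defender_disabled,
    }


if __name__ == "__main__":
    for ind in parse_rkill(SAMPLE_LOG)[0]:
        print(f"{ind.location:16} {ind.tag:8} {ind.path}")
    print(summarise(SAMPLE_LOG))
```

An `unrecognised` entry is worth a closer look rather than a dismissal: Rkill flagged it for a reason, it simply does not sit in one of the locations quoted on this page. The `DisableAntiSpyware` check is included because, in the log above, Defender being switched off appears alongside the reparse-point findings.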

Computer specs:
Windows 7 x64 with SP 1
2GB memory
Intel i3 processor
 
Initial symptoms:
Computer was slow, despite having cleared browser cache and unchecked any unnecessary startup processes or services via msconfig
 
Initial scanning:
Ran rkill, found zeroaccess rootkit reparse points
Ran malwarebytes, found several hundred detected objects, attempted remove, restarted computer
Ran malwarebytes, found most of the same infected objects as before, restarted computer
Ran spybot S&D and removed all found, restarted computer
Ran SuperAntiSpyware and removed all found, restarted computer
Ran rkill, still finding zeroaccess signs
Ran malwarebytes, still finding many detected objects
Ran a tool which shall not be named without staff approval
Ran rkill, still signs of zeroaccess
Ran malwarebytes "Custom Scan", selected only the rootkit option, still detected objects found, they all seem to reference MindSpark, C:\Qoobox\Quarantine and something about RadioRage_4j
 
I'll paste rkill and malwarebytes logs below.  I'll be greatly appreciative of any help that could be given!
 
Kind regards,
Mike
 
Rkill 2.6.5 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2015 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html
 
Program started at: 02/06/2015 09:08:03 AM in x64 mode.
Windows Version: Windows 7 Professional Service Pack 1
 
C... Read more

Answer:Slow PC, malware found, ZeroAccess rootkit suspected

I have used this "use at your own risk" tool before when I had the zeroaccess rootkit : http://kb.eset.com/esetkb/index?page=content&id=SOLN2895
 
It seemed to find and clean it up for me even when malwarebytes wouldn't.

3 more replies

Our laptop was infected with Disk Antivirus Professional. Followed the self-help tutorial from Bleeping Computer. I then ran Malwarebytes again to confirm successful removal; it says no infections, all clear, but when I ran Rkill again it said ZEROACCESS rootkit symptoms found. My Avast Internet Security did not pick anything up either.
 
I have also noticed in Task Manager a number of blank pages (Internet Explorer) running, but I have not run or opened Internet Explorer.
 
 
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16457
Run by Nathan at 15:53:05 on 2013-02-13
Microsoft Windows 7 Professional   6.1.7601.1.1252.61.1033.18.8108.5535 [GMT 10:00]
.
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\TrueSuite\TrueSuite.Service.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k... Read more

Answer:removed 1 virus still left with ZEROACCESS rootkit symptoms found

Greetings and Welcome to The Forums!!
My name is Gringo and I'll be glad to help you with your malware problems.
I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.
Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate N... Read more

14 more replies

First thank you for running this site. I guess I've been downloading code from all the wrong places . . . . A week ago, I noticed that I was routinely getting the "program has stopped working" error dialog box with Notepad, Outlook, Word, Excel, Powerpoint, Adobe Acrobat and other programs. At first, I was getting a dialog box that said an add-in was the problem and asked me if I wanted to remove it by clicking. I did this a few times but still could not launch the program I was trying to open which was most often Outlook. I'm sure now that I should not have clicked. At this point, I only get the Program has stopped working dialog box with an option to close program. This all started on 9-13-13.

I have followed the Read & Run Me First instructions to the letter. If I am reading it correctly, my RogueKiller log shows a ZeroAccess infection. Help!!

Also, when I was backing up my Outlook.pst file following the forum prep instructions, I noticed that the file format is no longer ".pst" but rather it's in adobe acrobat "PDF" format. I think I need help in uncorrupting or resetting the format of my Outlook file.

I have attached all five log files as requested.
 

Answer:ZeroAccess Found + Multiple Program Has Stopped Working Errors

Welcome to Major Geeks!

Uninstall the below programs. If you do not find them or they will not uninstall, just keep going.
Java 7 Update 11

Now install the current version of Sun Java from: Sun Java Runtime Environment Make sure that when you see the form asking about installing Ask Toolbar that you uncheck this.


Please download OTM by Old Timer and save it to your Desktop.

Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
(or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
the code box

Code:

:Processes
explorer.exe

:Files
C:\$Recycle.Bin\S-1-5-21-3019333746-1946228393-2518998603-500\$c04b48aa4877a95f781f1d768985161d\n.
C:\$Recycle.Bin\S-1-5-21-3019333746-1946228393-2518998603-500\$c04b48aa4877a95f781f1d768985161d
C:\WINDOWS\TEMP\*.*
C:\Users\Administrator\AppData\Local\Temp\*.*
:Reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\s]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"=-
:Commands
[purity]
[EmptyTemp]
[start explorer]

[Reboot]

Return to OTM, right click in the Paste List of Files/Folders to M... Read more

11 more replies

Hello there,
A friend of mine said that her computer had been acting up, so she was planning on taking it to Best Buy to let the Geek Squad take a look at it and fix it. I've had problems with the Geek Squad's service in the past, so I offered to take a look at her computer for her, and if what I found was beyond what I could do then she could take it in. First thing I noticed was a lot of programs on startup, but that's easy enough to fix. Went to the browser (IE at the time) to grab avg and mbam, and noticed that the default page was set to this "Swag Bucks" site, and that there was a "Swag Bucks" toolbar on the browser as well. Decided to get Firefox first, and as soon as it was finished installing, the "Swag Bucks" toolbar installed itself on that as well. Uninstalled anything and everything that I could find with Swag or Bucks in its name, and set up multiple runs of avg and mbam. Once those were done, I decided that I'd check for any rootkits while I was at it, since it seemed like Swag Bucks was an easy vector for malware given that it was already redirecting to its page from any other search engine and "tracking shopping habits." It seems like it bills itself as a shopping tool that rewards you for using it, searching through it, and buying stuff from the links it provides. I installed and ran RogueKiller just to see if anything popped, and it came back with a couple of registry keys, a couple of files, and a page on how to remove ZeroAccess. Went with ComboFix next, ... Read more

Answer:Cleaning computer for a friend, found ZeroAccess, root.mbr, browser redirects

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
To help Bleeping Computer better assist you please perform the following steps:
***************************************************
In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.
CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/496607 <<< CLICK THIS LINK
If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.
***************************************************
If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of t... Read more

11 more replies

As the good mama's boy I am, I am trying to rid my mother's computer of a particularly malicious infection.
 
After a good amount of hours spent, I have managed to rid the system of the Antivirus Security Pro malware, taking away all the annoying popups et al. Malwarebytes was used to try to clean out all there was.
 
Unfortunately some problems persist, and an infection is still preventing downloads from the web (and consequently e.g. upgrades to Windows Security Essentials).
 
Rkill identifies the problem as ''zeroaccess rootkit symptoms found''.
 
Googling this took me to the following entry at this forum. I have run farbar recovery scan tool including drivers MD5 as instructed, and it did pick up on quite a few things. The question is how to write a proper fixlist.
 
I am extremely grateful for any help I can get in this regard. All I can really offer in return is to pay it back or forward in terms of Microsoft Excel help, as that is an area of expertise.
 
Anyway, here is the log from farbar (also attached, felt I had mixed messages there as to custom on this forum):
 
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 10-11-2013 01
Ran by SYSTEM on MININT-5BPMVLA on 13-11-2013 00:42:37
Running from G:\Sikkerhet
Windows 7 Starter (X86) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Recovery
 
The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from... Read more

Answer:Antivirus Security Pro + zeroaccess rootkit symptoms found (rkill, FRST)

Hello Black Monday, I would like to welcome you to the Malware Removal section of the forum.
Around here they call me Gringo and I will be glad to help you with your malware problems.
Very Important --> Please read this post completely. I have spent my time to put together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!
Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the s... Read more

24 more replies

For the past few months the computer has been run only in safe mode. Initially the computer would boot in normal mode but after about 5 minutes all of the windows would say "not responding". I couldn't get any program to work and it seemed as though the computer was constantly processing something that prevented me from using it correctly. This didn't happen in safe mode so that was the only way I could use it. Fast forward to now and Vista won't even load past the welcome screen. It just goes to the dark screen but the desktop background never shows, nor do any programs...just completely black after the welcome screen.
I've searched online for ways to fix it, some involving the regsvr32.exe file, but while in safe mode it says that it cannot be found, although I do see it in the System32 folder on my C drive. I've scanned using Malwarebytes, MS Security Essentials, Rkill, Spybot, Kaspersky Rescue Disk, Microsoft malware removal...but unfortunately I'm still having this issue. Some viruses were detected earlier (and I thought removed) including ZeroAccess, but apparently it's still wreaking havoc on the computer!
I can only use it in safe mode. I also have no ability to system restore because all of the points are gone.
A few times upon signing in in normal mode there was a prompt that read "login process has failed to create the security option".
I also have issues with uninstalling various programs...my system just won't allow me to.
In regards to regsvr32, I get the prompt "Canno... Read more

Answer:ZeroAccess? regsvr32.exe cant be found, vista wont load in normal mode

Mod Edit: merged these 2 posts with original. ~~ boopme

3 more replies

I have an old Asus Eee PC 1005HA, running Windows XP SP3, that I'm having trouble with. (Since XP is obsolete, I'm planning to replace the OS with either Windows7 or Linux Mint, but I want to get rid of the malware first).
 
I noticed the computer running extremely slowly, so I ran TDSSKiller (which didn't find anything) and RKill (which found ZeroAccess). Initially I tried running MalwareBytes Anti-Malware but got an Access Denied error when I tried to install it. I couldn't update Avast Antivirus either. I was able to run MalwareBytes Anti-Rootkit Beta, after which I was able to install and run MalwareBytes Anti-Malware and update Avast.
 
I've also run RogueKiller a few times and it keeps finding malicious registry keys and SSDT hooks, which I have no idea how to remove. Also I have a Windows Security Alert telling me my antivirus software is out of date, but Avast is showing everything is fine. If needed I can run RogueKiller or other diagnostic tools, but I'll wait until instructed in case you'd rather I use something else. Any help you can give is greatly appreciated. I've provided the DDS logs below as a start:
 
 
DDS.txt
 
 
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by RLE at 19:19:09 on 2014-07-10
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1015.263 [GMT -4:00]
.
AV: avast! Antivirus *Enabled/Outdated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes =========... Read more

Answer:ZeroAccess rootkit found, persistent SSDT hooks and registry keys

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
To help Bleeping Computer better assist you please perform the following steps:
***************************************************
In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.
CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/540546 <<< CLICK THIS LINK
If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.
***************************************************
If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of t... Read more

22 more replies

Mini toolbox
 
MiniToolBox by Farbar  Version: 16-06-2013
Ran by Carla's ASUS Laptop (administrator) on 22-06-2013 at 10:57:29
Running from "C:\Users\Carla's ASUS Laptop\Downloads"
Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
***************************************************************************
 
========================= Flush DNS: ===================================
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
========================= IE Proxy Settings: ============================== 
 
Proxy is not enabled.
No Proxy Server is set.
 
"Reset IE Proxy Settings": IE Proxy Settings were reset.
 
========================= FF Proxy Settings: ============================== 
 
 
"Reset FF Proxy Settings": Firefox Proxy settings were reset.
 
========================= Hosts content: =================================
 
 
 
========================= IP Configuration: ================================
 
Intel® Centrino® Wireless-N 1030 = Wireless Network Connection (Connected)
Bluetooth Device (Personal Area Network) = Bluetooth Network Connection (Media disconnected)
Atheros AR8151 PCI-E Gigabit Ethernet Controller (NDIS 6.20) = Local Area Connection (Media disconnected)
Microsoft Virtual WiFi Miniport Adapter = Wireless Network Connection 2 (Media disconnected)
Microsoft Virtual WiFi Miniport Adapter = Wireless Network Connection 3 (M... Read more

Answer:ALERT: ZEROACCESS rootkit symptoms found!+yellow&blue shields all over the place

Hello cfox73, I would like to welcome you to the Malware Removal section of the forum.
Around here they call me Gringo and I will be glad to help you with your malware problems.
Very Important --> Please read this post completely. I have spent my time to put together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!
Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", ... Read more


Trouble started with Google redirecting to 63.209.69.107 when I clicked on any search results. Looked it up on this site, and found some procedures that seemed reasonable... used the Symantec removal tool, no problems but it didn't fix anything. Tried TDSSKiller from Kaspersky... same basic result, it found and fixed a few things but problems persisted. Ended up at this forum topic - http://www.bleepingcomputer.com/forums/topic473358.html - because I got the TDSS file system found error. Followed all procedures from that topic: it had me run TDSSKiller again with a different setting, then AdwCleaner, then ESET, then aswMBR. Again a few suspect items found and fixed. Google problem persisted. Found this topic - http://www.bleepingcomputer.com/forums/topic480929.html/page__pid__2941122#entry2941122 - and my results pretty much matched the original poster of this topic. Ran AdwCleaner again, downloaded and ran Malwarebytes Anti-Malware, and RogueKiller.

RogueKiller found the same infection as that guy had, "ZeroAccess"...which according to Gunto is "nasty" and requires "advanced help". Followed instructions, ran DDS, created logs and now I'm here. I have logs from every fix I have tried starting back with the symantec tool, I don't know if they would be helpful or not, but I have them. I am only including the DDS results as instructed in the "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help", but ... Read more

Answer:infected with zeroaccess found with roguekiller & google redirects search result links

Greetings and Welcome to The Forums!! My name is Gringo and I'll be glad to help you with your malware problems. I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the top o... Read more


Every time I try to open System Restore I get 'The procedure entry point RemoteAssistancePrepareSystemRestore could not be located in the dynamic link library WINSTA.dll'.

I have tried to open System Restore all through the computer but it will not allow me to. Also I am having problems updating my computer. It says that I have installation files missing. All this happened when I tried to install SystemWorks and also Nero. I also tried to update XP using the CD. Nothing works. I still get the pop up. When I run regsvr32 WINSTA.dll another pop up comes that says the WINSTA.dll was loaded but that the DllRegisterServer entry point was not found. This file cannot be registered.
When I find a system restore folder, I am not able to access it.
I have tried to go to my computer and disable the system restore tab on all the drives, but the pop up comes up.
 

Answer:entry point not found XP


When I try and run a game (AOM) I get "The procedure entry point DdEntry1 could not be located in the dynamic link library GDI32.dll". Can anyone out there help me please?

Answer:Entry point not found

Have you tried re-installing the game?


Error message shows:
Startup monitor.exe Entry Point Not Found

The procedure entry point reinitializing critical section could not be located in the dynamic link library Kernel32.dll
 


The message I'm getting is the following:
Norton Antivirus: navapw32.exe - Entry Point Not Found
The procedure entry point ?[email protected]@[email protected] could not be located in the dynamic link library SymRedir.dll.

This is when my Windows (XP) is starting back up.
Can someone help????
 

Answer:Entry Point Not Found

Here's Symantec's solution (I found this by using Google and searching for "[email protected]@[email protected]").

http://service1.symantec.com/SUPPORT/nav.nsf/docid/2001091211120006&src=n
 


I get this error when I try to access the manage computer or device manager.

MMC.EXE - Entry Point Not Found
The procedure entry [email protected]@[email protected]@[email protected] could not be located in the dynamic link library mmcbase.dll.

The only change I've made was updating to SP3. It seems to have started sometime after that.

Answer:MMC.EXE - Entry Point Not Found

Hi gr00m,

just found this:
http://www.winforums.com/showthread.php?p=67718

If you scroll down you will see a resolution is to uninstall SP3 and then reinstall it using the standalone version.

Hope that helps


Hi all,

Brand new here, and I look forward to your help.

I have an Athlon XP 1900+ processor, and was running XP SP3. The computer was just getting slower and slower over time, and I decided to try running a virus scan in Safe Mode. When I tried rebooting and hitting F8, it still booted normally, and never gave me the Safe Mode options. So I used System Configuration to change boot.ini to Safe Mode.

When I then rebooted, I got the endless reboot cycle. I then got out my Windows installation disk, selected install windows, and when it recognized a previous installation, I chose Repair.

During the (lengthy) repair process, I got messages telling me that the following two files were either corrupted or didn't install:

Windows\system32\inetcomm.dll
ProgramFiles\OutlookExpress\msoe.dll

Then it told me that Windows MediaPlayer needed to be reinstalled, and I chose to do it manually later.

Now, I am able to boot up normally, but of course it's now Windows XP SP1, with no updates yet. My computer is connected to the internet (I can tell because I'm logged in to LogMeIn, and I was able to update my Spybot definitions), but I can't open Internet Explorer. I get the error message titled "iexplore.exe - Entry Point Not Found". The message says, "The procedure entry point SetDllDirectoryW could not be located in the dynamic link library KERNEL32.dll".

When I try to log into Windows Live Messenger, I get two of those messages, one referencing... Read more

Answer:Entry Point Not Found

First go to Start/All Programs and click the shortcut at the top to go to Windows Update, and see if that works. If not, go to Start/Run, type SFC /scannow and hit Enter. The Windows File Protection window pops up. You may need to put in your XP disc. It will now try and copy any missing system files from the disc (make sure it is clean of any smudges or scratches). If this doesn't work, try it with another XP disc that is the same version (Pro, Home or MCE).


My screen and icons were large. I went to reboot my computer (I have Windows XP) and I am getting an error message. It says "Isass.exe Entry Point Not Found". Then it states "The procedure entry point _resetstkoflow could not be located in the dynamic link library msvcrt.dll". I then click okay and the screen is black. Nothing happens. I rebooted and got the same error but instead of saying Isass.exe, it says services.exe.
I don't know what to do. I cannot even get into my computer at all. I am using a different computer right now.
Please help. I hope this is something that is fixable and I hope somebody is familiar with this.
I have put in search terms with different terms in the error message and have come up empty handed each time.
If anyone can help, "thanks" in advance!

Cathy421
 

Answer:Entry Point Not Found


Hello All.

Please let me know if I'm in the wrong place with my question.

Every time I reboot/start-up my laptop, I get a dialog box: WZCSLDR2.exe - Entry Point Not Found "The procedure entry point apsInitialize could not be located in the dynamic link library wlanapi.dll."

It does not appear to be causing any problems except as being an annoyance at start-up.

I'm running Windows XP Home Edition, Version 2002, Service Pack 3. I have a Toshiba Satellite Laptop.

If you need any additional information, please let me know.

Any help would be greatly appreciated to help solve this problem.

Thanks,
Global
 

Answer:Entry Point Not Found

Hello Mark Trent,

Thanks for taking the time to check out my problem.

I do not know if I have ALPHA Networks Wireless driver. I also don't know what my wireless software is. Sorry.

I downloaded and installed the recommended program but do not know how to find it to run.

Sorry for not being much help.

Cheers,
Global
 


Hi everyone,

I keep getting this error message when I boot up occasionally. It says-

"The procedure entry point _crtCreateSymbolicLinkW could not be located in the dynamic link library C:\Program Files (x86)\Norton Security\Engine64\22.7.1.32\MSVCP110.dll"

The image shows what I see on my desktop immediately after I enter my password.

Does anyone have any idea how I could go about this? It doesn't seem to affect the general running of my PC.
Thanks in advance.


I am trying to load an Online MMORPG. I keep getting the error:

*****.exe entry point 10 not found in the dll library ddraw.dll

What does this mean and how can I fix it? Do I need to get another OS or what? I'm in over my head and getting frustrated. Please help me out.
 

Answer:.exe entry point not found

I'm only making an "educated guess" here, anyway.

ddraw.dll is Micro$$oft DirectDraw and it's used by Windows to provide DirectX functions for Windows 98.

Try updating to DirectX 9c if you haven't already.
 
