Computer Support Forum

ZEROACCESS Reparse Point/Junction found with Rkill

Question: ZEROACCESS Reparse Point/Junction found with Rkill

Hi,
 
About an hour or two before posting, I ran Rkill and this is just a bit of what had come up (I have the rest of the list attached in the Rkill log due to the incredibly large list of items that were listed):
 

Attachment: Rkill (26).txt (4.35MB)
 
 * ALERT: ZEROACCESS Reparse Point/Junction found!
     * C:\Program Files\Windows Defender\MpCommu.dll => <Unknown Target> [File]
     * C:\Program Files\Windows Defender\MpTpmAtt.dll => <Unknown Target> [File]
     * C:\Program Files\Windows Defender\MsMpCom.dll => <Unknown Target> [File]
     * C:\Program Files\Windows Defender\MsMpRes.dll => <Unknown Target> [File]
     * C:\Program Files\Windows Defender\NisIpsPlugin.dll => <Unknown Target> [File]
     * C:\Program Files\Windows Defender\NisLog.dll => <Unknown Target> [File]
     * C:\Program Files\Windows Defender\NisWfp.dll => <Unknown Target> [File]
     * C:\Program Files\Windows Defender\ProtectionManagement.dll => <Unknown Target> [File]
     * C:\Program Files (x86)\Windows Defender\MpAsDesc.dll => <Unknown Target> [File]
     * C:\Program Files (x86)\Windows Defender\shellext.dll => <Unknown Target> [File]
 * Reparse Point/Junctions Found (These may be legitimate)!
     * C:\WINDOWS\AppPatch\AcSpecfc.dll => <Unknown Target> [File]
     * C:\WINDOWS\AppPatch\AcXtrnal.dll => <Unknown Target> [File]
     * C:\WINDOWS\assembly\GAC_32\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\Microsoft.Ink.dll => <Unknown Target> [File]
     * C:\WINDOWS\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\Microsoft.Interop.Security.AzRoles.dll => <Unknown Target> [File]
     * C:\WINDOWS\assembly\GAC_32\PresentationCore\3.0.0.0__31bf3856ad364e35\PresentationCore.dll => <Unknown Target> [File]
     * C:\WINDOWS\assembly\GAC_32\PresentationCore\3.0.0.0__31bf3856ad364e35\wpfgfx_v0300.dll => <Unknown Target> [File]
 
 
Rkill hasn't had this come up since the scan I've attached a log of. Also, I've run RogueKiller after that Rkill scan and I have the log from those results attached. AdwCleaner hasn't found anything, but I haven't run any other scans other than a recent FRST scan. The results of that scan and the Addition.txt are both attached.
 

Attachments: ReportRogue.txt (13.32KB), FRST.txt (123.3KB), Addition.txt (127.73KB)
 
Any help is greatly appreciated!
 
 


My PC's been acting weird lately, so my friend recommended that I run Rkill. It gave this long list of things I should be worried about, but I can't make anything out of it.
A bit of help will be appreciated!
Output file attached.
Attachment: Rkill.txt (4.52MB)

Answer:My rkill result gave this "ALERT: ZEROACCESS Reparse Point/Junction found!"

Welcome to BC...
 
Run RKill again. Do not reboot the computer until one of the programs below asks you to.
 
Use CCleaner to remove Temporary files, program caches, cookies, logs, etc. Use the Default settings. No need to use the
Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of Google Chrome and Avast.
After install, open CCleaner and run by clicking on the Run Cleaner button in the bottom right corner.
CCleaner - PC Optimization and Cleaning - Free Download
 
Malwarebytes - Clean Mode
 * Download and install the free version of Malwarebytes
   Note: If you have Malwarebytes already installed, you don't need to install it again. Simply start from the next bullet point
 * Once Malwarebytes is installed, launch it and let it update its database. You might have to click on the little arrow by Scan Status in the middle right pane for it to do so
 * Once the database update is complete, click on the Scan tab, then select the Threat Scan button and click on Start Scan
 * Let the scan run; the time required to complete the scan depends on your system and computer specs
 * Once the scan is complete, make sure that the first checkbox at the top is checked (which will automatically check every detected item), then click on the Quarantine Selected button
 * If it asks you to restart your computer to complete the removal, do so

Click on Export Summary after the deletion (in the bottom-left corner) and select Copy to Clipboard. Paste the content in you... Read more


Hello,
 
Recently cloned an HDD (Windows 10). To get the tool I used to work, I turned off UEFI Secure Boot for one power cycle. After cloning the drive I ran an rkill and received the following results.
 
* ALERT: ZEROACCESS Reparse Point/Junction found!
     * C:\Program Files\Windows Defender\MpTpmAtt.dll => <Unknown Target> [File]
     * C:\Program Files\Windows Defender\MsMpRes.dll => <Unknown Target> [File]
     * C:\Program Files (x86)\Windows Defender\MpAsDesc.dll => <Unknown Target> [File]
     * C:\Program Files (x86)\Windows Defender\MpClient.dll => <Unknown Target> [File]
     * C:\Program Files (x86)\Windows Defender\MsMpLics.dll => <Unknown Target> [File]
 
Also, hundreds or thousands like the ones below appear to all be going to <Unknown Target>.
 
* Reparse Point/Junctions Found (These may be legitimate)!
     * C:\WINDOWS\AppPatch\AcGenral.dll => <Unknown Target> [File]
     * C:\WINDOWS\AppPatch\AcSpecfc.dll => <Unknown Target> [File]
     * C:\WINDOWS\AppPatch\AcWinRT.dll => <Unknown Target> [File]
     * C:\WINDOWS\AppPatch\AcXtrnal.dll => <Unknown Target> [File]
     * C:\WINDOWS\AppPatch\apppatch64\AcWinRT.dll => <Unknown Target> [File]
 ... Read more


Hi, and thank you for this helpful site.  The pc running windows 7 32bit and NOD4 stopped updating.  About the same time a message would pop up during start up.  The message is as follows.
 
c:\users\end user\appdata\local\bvworks\vorbisfile_d.dll failed to load
 
I also noticed that NOD was out of spec, so I attempted to load the outstanding updates. All but one loaded. The one that didn't load said it had a virus and couldn't load, so I went to the Microsoft website and got the same response. It is "security update for windows 7 (kb2847927)"; it is labeled as an important update.
 
I ran nod, ccleaner, and malware, then took the drive out and ran the Microsoft virus scan from my one laptop with the other drive attached as a portable drive and found a worm and another malware.  Once cleaned I ran it again and got nothing, so I then hooked the drive to my work pc and got another hit on malware and cleaned it.
 
Once I put the drive back in the laptop the error is still there.  When I look at ccleaner the only thing that has been loaded recently is thunderbird email (I think this must be an update since this is the mail he uses)
 
Fast forward to today. I downloaded and ran several spyware, antivirus, and malware apps. When I ran Rkill the Zeroaccess message came up and I have not been able to get rid of it. When NOD was not updating I uninstalled it and found a copy of defender was caus... Read more

Answer:ZEROACCESS Reparse Point/Junction found!

ZEROACCESS rootkit is a serious malware infection. Disinfection will probably require the use of more powerful tools than we recommend in this forum. Before that can be done you will need to create and post a DDS log for further investigation.

Please follow the instructions in the Malware Removal and Log Section Preparation Guide starting at Step 6. If you cannot complete a step, then skip it and continue with the next.

In Step 6 there are instructions for downloading and running DDS which will create two logs. (Note: Windows 8.1 Users will not be able to run DDS and create a log)

When you have done that, post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team. Start a new topic, give it a relevant title and post your log(s) along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. If you cannot produce any of the required logs, then still start the new topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happened when you tried to create them. A member of the Malware Removal Team will walk you through, step by step, on how to clean your computer.

After doing this, please reply back in this thread with a link to the new topic so we can close this one.

Answer:ZEROACCESS Reparse Point/Junction found!

Hello and welcome. Please follow these guidelines while we work on your PC:
Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.” Absence of symptoms does not mean your machine is clean!
Please do not run any scans or install/uninstall any applications without being directed to do so.
Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.

Please download Farbar Recovery Scan Tool and save it to your desktop.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
Double-click to run it. When the tool opens, click Yes to the disclaimer.
Press the Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.


I have enjoyed this site many times and read many helpful items.  As I regularly run Rkill & Malwarebytes on my machines, I thank this site.
 
Lately, my wife's laptop (Acer Aspire V5 touchscreen running windows 8.1, 4 gig memory, over 300 gig available space on C drive) is crazy slow and most of the time has serious issues with any web browser.  The browsers lock and freeze, if they connect at all (IE, Mozilla & Chrome).  Malwarebytes scans come up clean (and take a very long time) every time.  Update is refreshed before each scan.  Tonight I ran RKill on that machine for the first time.  After over 11 minutes it finally finishes and creates a .txt file that is over 65,000 pages long.  Every entry is under category:  Reparse Point/Junctions Found.  I attempted to Google it, but almost all the links pointed right back here, most also quoting ZEROACCESS.
 
I'm decent around a computer, but feel like I am over my head in figuring this out.  I ask the experts here to guide me in getting her laptop back up to speed.
 
Thank you in advance.

Answer:Very slow laptop, extremely large RKill txt file (Reparse Point/Junctions Found)

G'day KymsCowby, and Welcome to BC !
 
Because ZERO ACCESS has been mentioned, you will automatically be directed to the Malware Removal Area, which is inhabited by Specialists.

Please follow the instructions in the Malware Removal and Log Section Preparation Guide starting at Step 6.
If you cannot complete a step, then skip it and continue with the next.

In Step 6 there are instructions for downloading and running DDS which will create two logs. Note: Windows 8.1 Users will not be able to run DDS and create a log

When you have done that, Copy and Paste your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team.

Start a new topic, give it a relevant title and post your log(s) along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. If you cannot produce any of the required logs or you're using Windows 8.1, then still start the new topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happened when you tried to create them. A member of the Malware Removal Team will walk you through, step by step, on how to clean your computer.

After doing this, please reply back in this thread with a link to the new topic so we can close this one, to prevent others answering incorrectly.

Be AWARE....t... Read more


While preparing Win 8.1 laptop to be upgraded to Windows 10, I ran Rkill and found several issues
1) The folder C:\WINDOWS\Temp\46fed246-a20b-47f0-ae81-4936b8513516\Program Files\Common Files\Microsoft Shared\ink\en-us
contains thousands of entries which are Reparse Point/Junctions with <Unknown Target>.
As these are all temp files, can I SAFELY delete the folder?
 
2) SFC /scannow in safe mode found errors and has not been able to fix some of them (definitively related to the above)
C:\Windows\WinSxS\Temp\PendingRenames
8986 items
C:\Windows\WinSxS\Temp\PendingDeletes
6 items
 
I was unable to find sfcdetails.txt even with show hidden files/folders and show protected operating system files enabled.
 
If it is safe to delete the temp files above, will I be able to upgrade to Windows 10 smoothly?
 
Thank you for your suggestions

Answer:Rkill finds thousands of Reparse Point/Junctions <Unknown Target>

Temp files can be removed. Please download Temp File Cleaner by Old Timer and save it to your desktop.
1. Save any unsaved work. (TFC will close ALL open programs including your browser!)
2. Double-click on TFC.exe to run it.
3. Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
4. After Temp File Cleaner has run, click on Exit.

Do the following to repair the corrupt files. After you have done this, run sfc /scannow to make sure the files have been repaired.
Press the Windows key and the X key; in the menu that opens, click or tap on Command Prompt (Admin). This will open the elevated Command Prompt. Copy and paste the command below, then press Enter.
dism /online /cleanup-image /restorehealth
Restart the computer to complete the repair.

If you have problems with your current operating system, these problems could have an effect on your upgrade, depending on the problem.


I was having a problem running Malwarebytes. It now runs after completely uninstalling it using their tool and re-installing it after using RKill and Superspiware remover. RKill still finds symptoms of ZeroAccess on my computer in the way of several files in my local folder. I do not know how to remove those files. Something keeps disabling real-time protection in Malwarebytes. Other than that I have not seen anything out of the ordinary.
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.17420  BrowserJavaVersion: 10.51.2
Run by Mike at 19:16:49 on 2014-11-14
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.8191.4039 [GMT -8:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {4F35CFC4-45A3-FC37-EF17-759A02E39AB1}
SP: Microsoft Security Essentials *Enabled/Updated* {F4542E20-6399-F3B9-D5A7-4EE87964D00C}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: IObit Malware Fighter *Disabled/Updated* {A751AC20-3B48-5237-898A-78C4436BB78D}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\s... Read more

Answer:ZeroAccess Symptoms found by RKill

Hello and welcome. Please follow these guidelines while we work on your PC:
Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.” Absence of symptoms does not mean your machine is clean!
Please do not run any scans or install/uninstall any applications without being directed to do so.
Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.

Please download Farbar Recovery Scan Tool and save it to your desktop.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
Double-click to run it. When the tool opens, click Yes to the disclaimer.
Press the Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.


I did an AVAST boot scan and ran RKILL. I posted results from the FARBAR Recovery Scan Tool. SEE ATTACHED.

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 27-12-2013 01
Ran by SYSTEM on MININT-BR1785L on 27-12-2013 12:10:37
Running from H:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 11
Boot Mode: Recovery
The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [dldwmon.exe] - C:\Program Files (x86)\Dell V505\dldwmon.exe [677104 2008-10-02] ()
HKLM\...\Run: [dldwamon] - C:\Program Files (x86)\Dell V505\dldwamon.exe [16624 2008-10-02] ()
HKLM\...\Run: [MSC] - C:\Program Files\Microsoft Security Client\msseces.exe [1266912 2013-10-23] (Microsoft Corporation)
HKLM-x32\...\Run: [GrooveMonitor] - C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe [30040 2009-02-26] (Microsoft Corporation)
HKLM-x32\...\Run: [Dell V505] - C:\Program Files (x86)\Dell V505\fm3032.exe [312560 2008-10-02] ()
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59240 2011-09-27] (Apple Inc.)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.e... Read more

Answer:RKILL found ZEROACCESS ROOTKIT

Hello! Welcome to BleepingComputer Forums!
My name is Georgi and and I will be helping you with your computer problems.
Before we begin, please note the following:
I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
The logs can take some time to research, so please be patient with me.
Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
Instructions that I give are for your system only!
Please do not run any tools until requested ! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.
 
If the computer is able to boot in Normal Mode please rerun FRST from there and post the logs in your next reply.
 
 
Regards,
Georgi


I normally run McAfee Security Suite, which found some problems the other day. Today, I noticed that I am unable to run a couple of programs. Also, it appears that my virus scanner is shut down. I tried to install Malware Bytes but got an error and was unable to install it. I ran RKILL and it gave me the following (ZEROACCESS rootkit found):

Rkill 2.4.5 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 01/16/2013 06:31:12 PM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* No malware processes found to kill.

Checking Registry for malware related settings:

* Explorer Policy Removed: NoActiveDesktopChanges [HKLM]

Backup Registry file created at:
C:\Users\New User\Desktop\rkill\rkill-01-16-2013-06-31-13.reg

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* ALERT: ZEROACCESS rootkit symptoms found!

* HKEY_CLASSES_ROOT\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32 [ZA Reg Hijack]
* HKEY_CLASSES_ROOT\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32 [ZA Reg Hijack]
* C:\$Recycle.Bin\... Read more

Answer:RKILL found ZEROACCESS entry

Greetings and Welcome to The Forums!!
My name is Gringo and I'll be glad to help you with your malware problems.
I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the top o... Read more

Answer:RKill : ZEROACCESS rootkit symptoms found

deleted


Hi,
I need help with a virus infection.
 
PC: Windows 7 Ultimate Pro (64 bit)

A couple of weeks ago I picked up several viruses (Trojan.Gen2, Trojan.zeroacces.C, Trojan.zeroaccess!g46). I ran the latest versions of the following programs. I let them have control as to when to reboot and what to delete and fix. I also may have run them a couple of times (before and after Rkill).
 
Norton Internet Security
Norton Power Erasure
Malwarebytes
Rkill
TDSSKiller
Rogue Killer
AdwCleaner
 

The problem is that my computer seems to be running fine now, but Rkill is showing:
 

  * ALERT: ZEROACCESS rootkit symptoms found!
     * C:\Program Files (x86)\Google\Desktop\Install\{c188de62-ae0f-52a9-c1fc-069d92d5d13a}\ [ZA Dir]
     * C:\Program Files (x86)\Google\Desktop\Install\{c188de62-ae0f-52a9-c1fc-069d92d5d13a}\   \ [ZA Dir]
     * C:\Program Files (x86)\Google\Desktop\Install\{c188de62-ae0f-52a9-c1fc-069d92d5d13a}\   \...\ [ZA Dir]
     * C:\Program Files (x86)\Google\Desktop\Install\{c188de62-ae0f-52a9-c1fc-069d92d5d13a}\   \...\ﯹ๛\ [ZA Dir]
     * C:\Program Files (x86)\Google\Desktop\Install\{c188de62-ae0f-52a9-c1fc-069d92d5d13a}\   \...\ﯹ๛\{c188de62-ae0f-52a9-c1fc-069d92d5d13a}\ [ZA Dir]
 
 

The full text is below.
 
 
My question:  Am I still infected?
... Read more

Answer:ZEROACCESS rootkit symptoms found! - by Rkill

Hello tweeettweeet, I would like to welcome you to the Malware Removal section of the forum.
Around here they call me Gringo and I will be glad to help you with your malware problems.
Very Important --> Please read this post completely. I have spent my time to put together some things for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the s... Read more


Hello, my computer started acting strange a few days ago - high CPU usage (svchost.exe), so I scanned it with Rkill in safe mode and found some ZEROACCESS rootkit symptoms with strange symbols. Can anyone tell me what I should do?
 
Thanx
 
Rkill 2.8.3 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2016 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html
 
Program started at: 02/16/2016 11:02:25 AM in x86 mode. (Safe Mode)
Windows Version: Windows 7 Professional Service Pack 1
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * No malware processes found to kill.
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * ALERT: ZEROACCESS rootkit symptoms found!
 
     * C:\Program Files\Google\Desktop\Install\{4aecd907-3b82-95f9-97f5-260548199d17}\ [ZA Dir]
     * C:\Program Files\Google\Desktop\Install\{4aecd907-3b82-95f9-97f5-260548199d17}\   \ [ZA Dir]
     * C:\Program Files\Google\Desktop\Install\{4aecd907-3b82-95f9-97f5-260548199d17}\   \...\ [ZA Dir]
     * C:\Program Files\Google\Desktop\Install\... Read more

Answer:Rkill - ZEROACCESS rootkit symptoms found!

Hi Gile, my name is Aura and I'll be assisting you with your issue. To get started, I'll need you to provide me a fresh set of FRST logs. Follow the instructions below please.

Farbar Recovery Scan Tool (FRST) - Scan mode
Follow the instructions below to download and execute a scan on your system with FRST, and provide the logs in your next reply.
Right-click on the executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
Accept the disclaimer by clicking on Yes, and FRST will then do a back-up of your Registry which should take a few seconds;
Check the Addition.txt option;
Click on the Scan button;
On completion, two message boxes will open, saying that the results were saved to FRST.txt and Addition.txt, then two Notepad files will open;
Copy and paste the content of FRST.txt in your next reply, and attach Addition.txt to it;
Your next reply should include:
Copy/pasted content of the FRST.txt log;
Copy/pasted content of the Addition.txt log;


I have run Fixzero Access - Rootkitremover - adwcleaner - Combofix - FRST - Junkware Remover tool - TDSSKiller - and Microsoftfixit50535  
 
And nothing changes. When I first got the virus it changed the proxy settings and I could not do anything, but I was able to do a system recovery and hoped that would fix my problem. It did fix the proxy problem and the computer is running fine now, but I know that if zeroaccess is there then my fix will be short lived. Please help.
 
   

Answer:Rkill says I have zeroaccess rootkit symptoms found

Hello sharongv,
Welcome to Bleeping Computer. My name is fireman4it and I will be helping you with your Malware problem.
Please take note of some guidelines for this fix:
Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools.
If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
In the upper right hand corner of the topic you will see a button called Follow This Topic. I suggest you click it and select Immediate E-Mail notification and click on Follow This Topic. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.
Finally, please reply using the Post button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
I will be analyzing your log. I will get back to you with instructions.

1. Download AdwCleaner
Double click on AdwCleaner.exe to run the tool.
***Note: Windows Vista and Windows 7 users: Right click on the adwCleaner.exe and select "Run as administrator"
Click the Scan button.
A logfile will automatically open after the scan has finished.
Please post the content of that logfile in your next reply.
Or you can find... Read more


Symptoms on computer:
 
1. started with Adobe Reader trying to open all exe files 
2. ran Malwarebytes Chameleon
3. removed all Adobe products
RESOLVED: can now open exe files regularly
 
BUT, RKill tells me the following:
Program started at: 08/11/2014 11:23:36 AM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * No malware processes found to kill.
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * SMTMP folder detected. Please see this link for more information: http://www.bleepingcomputer.com/forums/topic405109.html
 
 * ALERT: ZEROACCESS rootkit symptoms found!
 
     * C:\Users\Koko FitClub\AppData\Local\Google\Desktop\Install\{ca9c78ba-8955-5f3d-2240-222e9df81e8e}\ [ZA Dir]
     * C:\Users\Koko FitClub\AppData\Local\Google\Desktop\Install\{ca9c78ba-8955-5f3d-2240-222e9df81e8e}\❤≸⋙\ [ZA Dir]
     * C:\Users\Koko FitClub\AppData\Local\Google\Desktop\Install\{ca9c78ba-8955-5f3d-2240-222e9df81e8e}\❤≸⋙\Ⱒ☠⍨\ [ZA Dir]
     * C:\Users\Koko FitClub\AppData\Local\Google\Desktop\Instal... Read more

Answer: ZEROACCESS rootkit symptoms found via RKill

Please do the following:

Please download the appropriate version of Farbar Recovery Scan Tool (FRST.exe) from here:
http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/ (for 32bit systems)
http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/ (for 64bit systems)
and save it to your desktop.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
Double-click to run it. When the tool opens click Yes to the disclaimer.
Press the Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

NEXT

Please download Malwarebytes Anti-Rootkit (MBAR) from here and save it to your desktop.
(Direct link to the file: http://downloads.malwarebytes.org/file/mbar)
Be sure to print out and follow the instructions provided on that same page.
Caution: This is a beta version so please be sure to read the disclaimer and back up any important data before using.
Double-click on the MBAR file you downloaded and approve the UAC prompt in Vista and newer operating systems.
Click OK on the next screen, to allow the package to extract the contents of the file to its own folder, mbar.
mbar.exe will launch automatically. On some systems, this may take a... Read more


I think I have a virus that has outsmarted my Trend Micro Titanium version and Malwarebytes. I ran the full scans several times with no results. I see small blue and yellow shields attached to the front of my Malwarebytes, Trend Micro, and my Kodak printer icons on my desktop. I think this has something to do with the virus. I ran rkill in safe mode and ran Malwarebytes in safe mode, but Trend Micro made me get out of safe mode to run it. * Also, when I entered safe mode the first time it said that my recycle bin was corrupted. Delete contents? So, I deleted the contents. Then when I booted up in safe mode again another time it said my recycle bin was corrupted again. Delete contents? So, I did..... But it didn't have anything in it anyway, so that was weird.

Answer: ran rkill and got this msg: * ALERT: ZEROACCESS rootkit symptoms found!

The best way to remove this is by starting a new topic with this..... Please follow this Preparation Guide and post in a new topic. Let me know if all went well.


Even after running various malware and virus checks, rkill says there are symptoms of zeroaccess.
 
* c:\Windows\assembly\GAC_32\Desktop.ini [ZA File]
* c:\Windows\assembly\GAC_64\Desktop.ini [ZA File]
 
Not sure where to go from here. Please help!
 
Trish

Answer: Rkill says *Alert: zeroaccess rootkit symptoms found!

We need to repost... Please follow this Preparation Guide, do steps 6, 7 and 8 and post in a new topic. Let me know if all went well.


My computer started slowing and wouldn't connect to the internet after a file download. I did a system restore to a week ago, when the laptop was running well. Afterwards it still had the same symptoms, so I did various scans. Malwarebytes Anti-Malware can find no further threats, but rkill still says rootkit symptoms found. The laptop is manageable as long as the wifi is off. If connected to the internet, it becomes unresponsive.
 
Here is the DDS log:
 
 

DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 9.0.8112.16470
Run by shock at 14:06:03 on 2015-01-19
Microsoft Windows 7 Home Premium   6.1.7600.0.1252.1.1033.18.2520.1284 [GMT -5:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_afc3018f8cfedd20\STacSV64.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRYSVC.EXE
C:\Windows\system32\WLANExt.exe
C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe
C:\Windows\System32\spoolsv.exe
C:... Read more

Answer: Rkill says *Alert: zeroaccess rootkit symptoms found!

Hi & welcome to Bleeping Computer Forums!

My name is Jürgen and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully:

My native language isn't English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.
Please read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
Perform everything in the correct order. Sometimes one step requires the previous one.
If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
Do not run any other scans without instruction or Add/Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you cannot post all logfiles in one reply, feel free to use more posts.
If I don't hear from you within 5 days from this initial or any subsequent post, then this thread will be closed.
If I don't reply within 24 hours please PM me!
Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.

Step 1

Please run a FRST scan. This will help us diagnose your problem.
Please download Farbar Recovery Scan Tool and save it to your Desktop.
(If you are not sure which version (32-/64-bit) applies to your system, d... Read more


Ran rkill and got "ALERT: ZEROACCESS rootkit symptoms found!" Any help would be appreciated.
 
 
 
Rkill 2.8.2 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2015 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html
Program started at: 11/12/2015 02:23:05 AM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1
Checking for Windows services to stop:
 * No malware services found to stop.
Checking for processes to terminate:
 * No malware processes found to kill.
Checking Registry for malware related settings:
 * No issues found in the Registry.
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
Performing miscellaneous checks:
 * Windows Defender Disabled
   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001
 * ALERT: ZEROACCESS rootkit symptoms found!
     * C:\Users\Roger\AppData\Local\{1268dd72-fe71-cce5-9387-5a1bb43f1e21}\ [ZA Dir]
     * C:\Users\Roger\AppData\Local\{1268dd72-fe71-cce5-9387-5a1bb43f1e21}\L\ [ZA Dir]
     * C:\Users\Roger\AppData\Local\{1268dd72-fe71-cce5-9387-5a1bb43f1e21}\U\ [ZA Dir]
Checking Windows Service Integrity:
 * No issues found.
Searching for Missing Digital Signatures:
 * No issues found.
Checking HOSTS File:
 * Cannot edit the HOST... Read more

Answer: rkill: "ALERT: ZEROACCESS rootkit symptoms found!"

Hi & welcome to Bleeping Computer Forums!

My name is Jürgen and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully:

My native language isn't English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.
Please read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
Perform everything in the correct order. Sometimes one step requires the previous one.
If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
If you have illegal/cracked software, cracks, keygens, etc. on the system, please remove or uninstall them now!
Do not run any other scans without instruction or Add/Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you cannot post all logfiles in one reply, feel free to use more posts.
If I don't hear from you within 5 days from this initial or any subsequent post, then this thread will be closed.
If I don't reply within 24 hours please PM me!
Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.

Step 1

Please download Combofix (by sUBs) and save it to your Desktop.
Disable the realtime-protection ... Read more


Hi guys,
 
I have run Rkill on my machine after I thought it was not running so smoothly...
 
The results have shown that rootkit symptoms have been found. Could you guys please help me try to resolve this...
 
Below is the Rkill report:
 
 
Rkill 2.8.2 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2015 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html
 
Program started at: 11/05/2015 04:29:41 PM in x86 mode.
Windows Version: Windows Vista ™ Home Basic Service Pack 2
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * No malware processes found to kill.
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * ALERT: ZEROACCESS rootkit symptoms found!
 
     * C:\Windows\Installer\{6bd5e82b-ccf9-bd2c-3daf-70d2acba6466}\ [ZA Dir]
     * C:\Windows\Installer\{6bd5e82b-ccf9-bd2c-3daf-70d2acba6466}\L\ [ZA Dir]
     * C:\Windows\Installer\{6bd5e82b-ccf9-bd2c-3daf-70d2acba6466}\L\[email protected] [ZA File]
     * C:\Windows\Installer\{6bd5e82b-ccf9-bd2c-3daf-70d2acba6466}\L\1afb2d56 [ZA Fil... Read more

Answer: Rkill found Zeroaccess Rootkit Symptoms! Win Vista SP2

Hello ndonaldson2912 and Welcome to the BleepingComputer.   
 My name is Yılmaz and I'll help you with the cleanup of malware from your computer.
Before we move on, please read the following points carefully.
Please complete all steps in the specified order.
Even if tools don't find malware, I want you to post the logfiles anyway.
Please copy and paste the logfiles directly into your posts. Please do not attach them unless you are instructed to do so.
Read the instructions carefully. If you have problems, stop what you were doing and describe the problems you encountered as precisely as you can.
Don't install or uninstall software during the cleanup unless you are told to do so.
Ensure your external and/or USB drives are always inserted during the scan.
If you can't answer for the next few days, please let me know. If you haven't answered within 5 days, I am assuming that you don't need help anymore and your topic will be closed.
I cannot guarantee that we will find and be able to remove all malware. The cleaning process is not instant. Please continue to review my answers until I tell you that your computer is clean.
Please reply to this thread. Do not start a new topic.
As my first language is not English, please do not use slang or idioms. It could be hard for me to understand.
Please open the computer as administrator. How to open the computer as administrator?
Disable your AntiVirus and AntiSpyware applic... Read more


When I ran rkill.exe it showed the following alert.
 
 * ALERT: ZEROACCESS rootkit symptoms found!
 
     * HKEY_CLASSES_ROOT\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32 [ZA Reg Hijack]
     * HKEY_CLASSES_ROOT\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32 [ZA Reg Hijack]
     * C:\$Recycle.Bin\S-1-5-18\$222522a578fac5c22f2a3bcc81224072\ [ZA Dir]
     * C:\$Recycle.Bin\S-1-5-18\$222522a578fac5c22f2a3bcc81224072\@ [ZA File]
     * C:\$Recycle.Bin\S-1-5-18\$222522a578fac5c22f2a3bcc81224072\L\ [ZA Dir]
     * C:\$Recycle.Bin\S-1-5-18\$222522a578fac5c22f2a3bcc81224072\n [ZA File]
     * C:\$Recycle.Bin\S-1-5-18\$222522a578fac5c22f2a3bcc81224072\U\ [ZA Dir]
     * C:\$Recycle.Bin\S-1-5-18\$222522a578fac5c22f2a3bcc81224072\U\[email protected] [ZA File]
     * C:\$Recycle.Bin\S-1-5-18\$222522a578fac5c22f2a3bcc81224072\U\[email protected] [ZA File]
     * C:\$Recycle.Bin\S-1-5-18\$222522a578fac5c22f2a3bcc81224072\U\[email protected] [ZA File]
     * C:\$Recycle.Bin\S-1-5-21-3140297160-3106756125-792325025-1000\$222522a578fac5c22f2a3bcc81224072\ [ZA Dir]
     * C:\$Recycle.Bin\S-1-5-21-3140297160-3106756125-792325025-1000\$222522a578fac5c22f2a3bcc81224072\@ [ZA File]
     * C:\$Recycle.Bin\S-1-5-21-3140297160-3106756125-792325025-1000\$222522a578fac5c22f2a3bcc81224072\L... Read more

Answer: Rkill alerts me ZEROACCESS rootkit symptoms found!

Hi there,

my name is Marius and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully.

First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
Perform everything in the correct order. Sometimes one step requires the previous one.
If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
Do not run any other scans without instruction or Add/Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you cannot post all logfiles in one reply, feel free to use more posts.
If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Please download Malwarebytes Anti-Rootkit from here: Malwarebytes : Malwarebytes Anti-Rootkit and save it to your desktop.
Be sure to print out and follow the instructions provided on that same page.
Caution: This is a beta version so please be sure to read the dis... Read more


As the good mama's boy I am, I am trying to rid my mother's computer of a particularly malicious infection.
 
After a good amount of hours spent, I have managed to rid the system of the Antivirus Security Pro malware, taking away all the annoying popups et al. Malwarebytes was used to try to clean out all there was.
 
Unfortunately some problems persist, and an infection is still preventing downloads from the web (and consequently e.g. upgrades to Windows Security Essentials).
 
Rkill identifies the problem as "zeroaccess rootkit symptoms found".
 
Googling this took me to the following entry at this forum. I have run Farbar Recovery Scan Tool including drivers MD5 as instructed, and it did pick up on quite a few things. The question is how to write a proper fixlist.
 
I am extremely grateful for any help I can get in this regard. All I can really offer in return is to pay it back or forward in terms of Microsoft Excel help, as that is an area of expertise.
 
Anyway, here is the log from farbar (also attached, felt I had mixed messages there as to custom on this forum):
 
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 10-11-2013 01
Ran by SYSTEM on MININT-5BPMVLA on 13-11-2013 00:42:37
Running from G:\Sikkerhet
Windows 7 Starter (X86) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Recovery
 
The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from... Read more

Answer: Antivirus Security Pro + zeroaccess rootkit symptoms found (rkill, FRST)

Hello Black Monday

I would like to welcome you to the Malware Removal section of the forum. Around here they call me Gringo and I will be glad to help you with your malware problems.

Very Important --> Please read this post completely, I have spent my time to put together some things for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the s... Read more


ZeroAccess Reparsing point Found:
 
I need your Help PLEASE! Thank you in advance.
 
I read a post by "backerfan", which is almost identical to my problem. I'm working from my laptop to solve this problem which is on my PC.
 
 
I first noticed a problem while using Internet Explorer: I could not access Google.com.
I then saw that Microsoft Security Essentials was not running.
I tried to start MSE and just get an Error code: 0x80096001
I searched for answers on the internet from my laptop and tried several programs:
Malwarebytes, Rkill, HitmanPro, etc. They have found various PUPs and other malware, and removed them, but I'm still having the same problem.
Rkill recognized a ZeroAccess point, but nothing has resolved this issue.
 
Windows Explorer stopped working, it will not allow me to search, it does nothing.
 
I was somehow able to indirectly get to Microsoft's website, tried to download MSE, it does nothing.
The Handwriting language toolbar started popping up when I had to allow UAC; I have since stopped it from popping up.
 
I've run the DDS and posted the text below.
 
 
 
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 11.0.9600.16428
Run by Brad at 12:30:05 on 2013-12-30
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.3070.1405 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Outdated* {D68DDC... Read more

Answer: ZeroAccess Reparsing point Found - I need your Help! thnx

Edited original post to be more thorough.
 
Patiently waiting for your assistance, thanks in advance.

Question: Reparse point hell

So I managed to muck up my system slightly by using a live Linux USB stick and deleting a handful of reparse points. Fortunately, after skimming around the Internet for quite some time, I was able to get my reparse points back, but they don't do or say anything like "access denied" when you click them. Also, special folders like Pictures, Music, etc. have all turned into standard folder icons.

Answer: Reparse point hell

Let's see if this will help:

1. Click Start
2. In the search box, type cmd
3. In the list that appears, right-click on cmd.exe and choose Run as administrator
4. In the command window that opens, type sfc /scannow and hit enter.

Report the output from the command window once it finishes.

More detail: SFC /SCANNOW Command - System File Checker

Regards,
Golden



After following this guide, Official Microsoft ISO/Media Creation Tool
I am stuck with a problem.

Trying to download a Windows 8.1.1 ISO from Microsoft with their mediacreationtool.exe. I downloaded the program, and I then ran this little program and selected
Language (Danish)
Edition (Windows 8.1 Pro)
Architecture (64-bit X64)

Then click NEXT

Here I can select either USB flash drive or ISO file. I select ISO-file and click NEXT

Then I select where it saves the ISO-file.

And then the error comes almost instantly.

"Download did not complete successfully"
The download task did not complete.
The file or the folder is not a NTFS reparse-point.

I have tried to save on HDD, on a USB-stick formatted NTFS, formatted FAT32, but the same error shows up.

What can I do about this?
EDIT: I have now tried to do the same again, but in English, so it should not be the Danish language that gives the error. In English I also got this error, so I would like to get help with this.

Answer: Mediacreationtool gives an error - NTFS reparse-point?

Where are you saving the iso file?


Hello,

Does anyone have experience of repeated 'extended attribute set and a reparse point detected in file xxxxx' errors in chkdsk in Windows 10? Even though it apparently corrects the errors with 'deleting extended attribute set due to presence of reparse point in file xxx', the errors are still there when I reboot (immediately once Windows has loaded).

I've done the full chkdsk /f /r and repaired the image using DISM and the latest .iso from Techbench. sfc /scannow does not return any error messages.

Thanks.

Answer: chkdsk reparse point errors - repeatedly

Please upload the log of chkdsk. I'm on phone now so cannot post instructions for how to upload the log.


Hi,

I discovered several issues immediately after installing the Creators Update.
Several programs would not run (or not run properly), and these were sorted with a Revo uninstall followed by a re-install.
As a long time user of DFX Audio, I was crushed to find that it was hosed. At boot the tray icon would appear, but then vanish as soon as the Mouse pointer touched it...could not access the interface at all. I attempted uninstalling and re-installing it, but kept getting an error message that the driver name could not be set. I examined device manager and found that my Nvidia High Definition Sound driver had been replaced with another driver altogether. This was addressed by running the appropriate Graphics card driver installer. I decided to run a pre-scan using the tweaking.com all in one repair tool and found that several Reparse points were missing and that there were duplicate and many missing Environmental Variables. I ran the tool to repair these, then rebooted and suddenly the DFX interface appeared. I then ran the installer for DFX again and it ran to completion with no errors and now works fine. General performance and stability improved immediately as well. As usual, the update reset loads of settings, but time will get those sorted.


So I've read about how junctioning in Windows XP is great for making Windows think a folder has the contents of a different folder. So I want to do this:

I want to make a folder on my C: drive point to a folder on my T: drive (a USB flash drive). Is this recommended? If so, what would happen if the flash drive failed to start on a system restart (it's happened), and also, what would happen when the flash drive were to be removed?

Thanks!
 


Hello,

I'm running Windows 7 Ultimate x64 on my machine. Since I didn't want to install my programs on the Windows partition, I booted into safe mode and moved the "Program Files" and the "Program Files (x86)" folders to a different partition. Afterwards, I created junction points on the Windows partition which point to the folders on the other partition.

Here's the problem: The disk space management system of Windows 7 recognizes the junction points on my Windows partition as real folders with real data and decreases disk space on both partitions when I install new programs. I used the "Link Shell Extension" tool to create the junction points.
(http://schinagl.priv.at/nt/hardlinkshellext/hardlinkshellext.html)

How can I configure Windows so that it doesn't detect the junction points as real folders?

Thanks for your help.

Best regards,
Lysander H.

Answer: Junction point uses disk space

I don't want to call you on this but I think you may not know how to change the install path. Most times all that is required is to highlight the path shown and then change the drive letter while leaving the rest of the label. Some programs will only allow you to change the path if you choose the custom install option, which, IMO, is the way to always install programs.

If you could, list those 6 programs you couldn't change the path on.

According to the linked Wiki article, junction points should not take up any space.
http://en.wikipedia.org/wiki/NTFS_j...

Also see the second link below.
http://msdn.microsoft.com/en-us/lib...


Hi all,

I recently bought a new Samsung 840 Evo 250GB SSD. Previously I had been using a Seagate 1TB platter-based HDD. I used Paragon Migrate OS to SSD to migrate most of my files over, leaving behind all my big games and my My Pictures, My Videos and My Music folders which all contained a lot of data and can't go on the SSD.

In order for my playlists (among other things) to work without having to go through and manually edit each file, I created junction points to my 1TB HDD. The problem with that is two-fold: First, the folders have the shortcut symbol on them. This is a very minor complaint, but ideally I want the folders to look exactly like folders. Second, the folders have to be named Pictures, Videos and Music, since that's what they're actually called. This is a problem because I want them to be visibly called My Music etc.

And this is my question: Is it possible to make a junction point look exactly like a My Music folder, including the fake name? Any ideas would be much appreciated

Answer: Give junction point Special Folder properties?

Unashamed bump-because-surely-someone-must-know-even-with-410-views.


hi
my documents folder[s] is on e: as c: is a ssd with limited space.
somehow I managed to end up with three 'documents' folders in explorer [actually dopus] of which two contain a few folders and the third one many folders, the latter is my real documents folder.
the os will not allow me to rename the redundant 'documents' folders and so it often happens that I pick the wrong one.
dopus does indicate the folder size, but that takes some time...
I know this must be a junction issue but am rather unwilling to play around with it - it might be that I have screwed it by unwittingly playing around with it in the 1st place
here is a screenshot of the situation

any help to sort this out will be highly appreciated
regards
in Christ
gabriel

Answer: junction point/symbolic link query : multiple DOCUMENTS folders

To get a better idea of what's on E:, launch a Command prompt
type:
cd e:\
e:
dir /a > %Temp%\eDirList.txt
exit

Then attach %Temp%\eDirList.txt to a new post
%Temp% is just an environment variable that points to your User's Temp folder, you can use the %Temp% string as a shortcut to that folder.

What does the location tab (middle properties screen shot) say about the reference - don't change anything, just look and report back - thanks.
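The two junction threads above (the disk-space question and the duplicate Documents folders) and the Rkill "Reparse Point/Junction found ... <Unknown Target>" lines all come down to one question: what does each reparse point on the volume actually resolve to? The PowerShell script below is an added example, not code from any of the posts; it lists the reparse points under a folder and names each one's tag and target, and assumes Windows PowerShell 5.1 or later on an elevated prompt so fsutil can read the raw tag.

```powershell
# Added example, not from any post above: enumerate NTFS reparse points under a folder
# and report what each one resolves to. Assumes Windows PowerShell 5.1+ and an elevated
# prompt (fsutil needs it to read the raw reparse tag on some items).

# Reparse tags Microsoft documents for its own reparse point types (IO_REPARSE_TAG_*).
# Anything not in this table is not automatically bad, but it is worth a manual look.
$KnownTags = @{
    '0xA0000003' = 'MOUNT_POINT (junction)'
    '0xA000000C' = 'SYMLINK'
    '0x80000017' = 'WOF (system-compressed file; legitimate, has no target)'
    '0x8000001B' = 'APPEXECLINK (Store app alias; legitimate, has no target)'
    '0x9000001A' = 'CLOUD (OneDrive placeholder; legitimate)'
}

function Get-ReparseTag {
    # Returns the raw reparse tag as '0xXXXXXXXX', or $null when fsutil cannot read it
    # (no rights, not NTFS, or the item is not a reparse point after all).
    param([Parameter(Mandatory)][string]$Path)
    $out = & fsutil.exe reparsepoint query $Path 2>$null
    $hit = $out | Select-String -Pattern 'Reparse Tag Value\s*:\s*0x([0-9A-Fa-f]+)' |
                  Select-Object -First 1
    if (-not $hit) { return $null }
    $value = [Convert]::ToUInt32($hit.Matches[0].Groups[1].Value, 16)
    return ('0x{0:X8}' -f $value)   # normalise so it matches the $KnownTags keys
}

function Get-ReparseReport {
    # One record per reparse point below $Root. 'Review' is set when the item has no
    # resolvable target AND a tag this script does not recognise: that is the situation
    # behind Rkill's "<Unknown Target>" lines, and the one to check by hand. A junction
    # or symlink with a target is a redirect, not data, which is why it costs no space.
    param([Parameter(Mandatory)][string]$Root, [int]$Depth = 3)

    Get-ChildItem -LiteralPath $Root -Recurse -Depth $Depth -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
    ForEach-Object {
        $tag    = Get-ReparseTag -Path $_.FullName
        $target = @($_.Target)[0]          # PS 5.1 returns string[], PS 7 returns string
        $kind   = if ($_.PSIsContainer) { 'Dir' } else { 'File' }
        $name   = if ($tag -and $KnownTags.ContainsKey($tag)) { $KnownTags[$tag] } else { 'unknown tag' }
        $shown  = if ($target) { $target } else { '<Unknown Target>' }
        $tagOut = if ($tag) { $tag } else { 'n/a' }

        [pscustomobject]@{
            Kind    = $kind
            Tag     = $tagOut
            TagName = $name
            Target  = $shown
            Path    = $_.FullName
            Review  = (-not $target) -and ($name -eq 'unknown tag')
        }
    }
}

# Usage: scan one of the folders the Rkill logs above flagged, then summarise.
$report = @(Get-ReparseReport -Root "$env:ProgramFiles\Windows Defender" -Depth 2)
$report | Format-Table Kind, Tag, TagName, Target, Path -AutoSize
'{0} reparse point(s), {1} with no target and an unrecognised tag' -f
    $report.Count, @($report | Where-Object Review).Count
```

Run it against the `$Recycle.Bin`, `Windows\Installer` or `AppData\Local` folder named in your own Rkill log to see whether the flagged items are ordinary junctions, compressed system files, or something with no target and no known tag.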


I have a friends computer and it has a virus. I ran rkill and it said the following:
"Rkill 2.4.5 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 11/07/2012 09:30:21 PM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* C:\ProgramData\TddGoDA02CJ3kA.exe (PID: 4780) [AU-HEUR]
* C:\ProgramData\cDwQgxKRTfxQaqo.exe (PID: 4788) [AU-HEUR]

2 proccesses terminated!

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* Windows Defender Disabled

[HKLM\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware" = dword:00000001

* SMTMP folder detected. Please see this link for more information: http://www.bleepingcomputer.com/forums/topic405109.html

* ALERT: ZEROACCESS rootkit symptoms found!

* HKEY_CLASSES_ROOT\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32 [ZA Reg Hijack]
* C:\Users\Owner\AppData\Local\{052f2f05-cf29-8082-81ec-579075e42c41}\ [ZA Dir]
* C:\Users\Owner\Ap... Read more

Answer: Rkill says zeroaccess rootkit

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your malware problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the top o... Read more

3 more replies

Working on a computer that is infected by ZEROACCESS. Removed with a combination of TDSS, MBAM, HitmanPro, Combofix, RogueKiller, and AdwCleaner.
Unfortunately rKill still detects a reparse point junction (have included .txt below). I do not really know what this means but it leads me to believe that I am still infected. Thank you so much in advance.
DDS:
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16635
Run by Mike at 16:28:45 on 2013-08-08
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3032.1534 [GMT -5:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Disabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_afc3018f8cfedd20\STacSV64.exe
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Dell\Dell Wirel... Read more

Answer:ZEROACCESS - Remnants detected by rKill

Hello! Welcome to BleepingComputer Forums!
My name is Georgi and I will be helping you with your computer problems.
Before we begin, please note the following:
I will be working on your malware issues; this may or may not solve other issues you have with your machine.
The logs can take some time to research, so please be patient with me.
Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
Instructions that I give are for your system only!
Please do not run any tools until requested ! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.
 
 
Please download a new version of Farbar Recovery Scan Tool and save it to your desktop. Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and pa... Read more

15 more replies
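Rkill prints "<Unknown Target>" for any reparse point it cannot resolve as a junction or symbolic link, which is why files under \Program Files\Windows Defender and \Windows\assembly show up in its "Reparse Point/Junction found" lists on this page without a destination. The reparse tag on each file says which Windows feature owns it. The script below is an added example, not code from the thread or from Rkill; it assumes Windows PowerShell 5.1 or later in an elevated prompt (fsutil needs it under \Windows), and the roots in $roots are taken from the Rkill output quoted on this page.

```powershell
# Added example, not code from the thread or from Rkill: inspect every reparse point
# under the folders Rkill reported and show what kind of reparse point each one is.
# Assumptions: Windows PowerShell 5.1+, elevated prompt. Roots come from the Rkill
# lines quoted on this page; replace them with whatever your own log lists.
$roots = @(
    "$env:ProgramFiles\Windows Defender",
    "${env:ProgramFiles(x86)}\Windows Defender",
    "$env:windir\AppPatch",
    "$env:windir\assembly\GAC_32"
)

# Reparse tag values as defined in Microsoft's ntifs.h; anything else is reported raw.
$knownTags = @{
    '0xa0000003' = 'junction / mount point (IO_REPARSE_TAG_MOUNT_POINT)'
    '0xa000000c' = 'symbolic link (IO_REPARSE_TAG_SYMLINK)'
    '0x80000017' = 'WOF-compressed or WIM-backed file (IO_REPARSE_TAG_WOF)'
    '0x80000013' = 'deduplicated file (IO_REPARSE_TAG_DEDUP)'
    '0x9000001a' = 'cloud/OneDrive placeholder (IO_REPARSE_TAG_CLOUD)'
    '0x8000001b' = 'app execution alias (IO_REPARSE_TAG_APPEXECLINK)'
}

function Get-ReparseInfo {
    param([Parameter(Mandatory)][string]$Path)
    $item = Get-Item -LiteralPath $Path -Force
    # fsutil prints "Reparse Tag Value : 0x........" for any reparse point it can open.
    $raw = (& fsutil.exe reparsepoint query $Path 2>&1) | Out-String
    $tag = if ($raw -match 'Reparse Tag Value\s*:\s*(0x[0-9a-fA-F]+)') { $Matches[1].ToLower() } else { $null }
    $tagName = 'query failed (not elevated?)'
    if ($tag) {
        $tagName = if ($knownTags.ContainsKey($tag)) { $knownTags[$tag] } else { 'tag not in the table above; look it up in ntifs.h' }
    }
    [pscustomobject]@{
        Path     = $Path
        IsDir    = $item.PSIsContainer
        LinkType = $item.LinkType            # Junction / SymbolicLink / empty for other tags
        Target   = ($item.Target -join ';')  # empty is what Rkill shows as <Unknown Target>
        Tag      = $tag
        TagName  = $tagName
    }
}

$results = foreach ($root in $roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -Depth 4 -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ReparseInfo -Path $_.FullName }
}
$results | Sort-Object Tag, Path | Format-Table Tag, TagName, LinkType, Target, Path -AutoSize -Wrap

# Worth a second look: a junction/symlink whose target is outside the Windows folders,
# or a tag that is neither a link type nor one of the Windows storage features above.
$results | Where-Object {
    ($_.LinkType -and $_.Target -notmatch '^[A-Z]:\\(Windows|Program Files)') -or
    ($_.Tag -and -not $knownTags.ContainsKey($_.Tag))
} | Format-List Path, Tag, TagName, Target
```

A file whose tag is WOF, dedup or cloud has no link target by design, so "<Unknown Target>" on its own is not evidence of a hijack; a junction or symbolic link on a system DLL that resolves outside \Windows or \Program Files is the case that deserves the forum helper's attention.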

DDS hangs, will not produce reports. However, I have several other logs from other programs. Combofix just hangs as well. But this issue with Combofix has been going on for eons. I have no idea why it will not run on the Win 7 computer. It works fabulously on the XP machines.

Back at the ranch, I have no desktop icons, no task bar. Explorer.exe will not run more than about 3 seconds, then it crashes. Access to files only through Task Manager, New task, Browse.

I installed Avast AV but it would not run at all. I tried Kaspersky Rescue Disk, no avail. I performed online scans with Kaspersky, Trend Micro HouseCall and McAfee.
Also internet access on the affected computer is intermittent.

Attached: GMER Log 12-06-2013.txt (7.74KB)
Attached are the logs from other programs:

Other logs can be found here and here

Answer:Rkill shows ZeroAccess Root Kit

Hello eclark53,

Welcome to Bleeping Computer. My name is fireman4it and I will be helping you with your Malware problem.

Please take note of some guidelines for this fix:
Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools.
If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
In the upper right hand corner of the topic you will see a button called Follow This Topic. I suggest you click it and select Immediate E-Mail notification and click on Follow This Topic. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.
Finally, please reply using the Post button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.

1. Install Recovery Console and Run ComboFix
This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.
Download Combofix from any of the links below, and save it to your desktop.
Link 1
Link 2
Close/disable all anti-virus and anti-malware programs so they do not interfere with the r... Read more

25 more replies

How can I get rid of this ZeroAccess rootkit from my computer? I have tried many things, but have been unsuccessful. I have reports from many tools, but see no way to attach them to this message.
Please help

Estelle


Answer:Rkill shows ZeroAccess Root Kit

What tools have you tried? You can copy and paste the text from within the file here as well. Are the tools not successfully removing it?

4 more replies

Hi,
 
I am looking at an old Dell Dimension 1100.  The CPU is a Celeron, but it has 2 GB of RAM.  My mate says it is running a lot slower than usual.  I have done the following already:
 
Ran ccleaner:  Removed a start up error (ATS Hotkey.exe not found error)
Removed quite a few registry entries that were from programs no longer on the computer (AVG for instance)
Ran Disk Cleanup
Ran Disk Defrag
Removed McAfee Site advisor
and disabled several other IE addons
Downloaded and ran rkill.  Noted that it found two instances of symptoms of Zeroaccess rootkit.
Downloaded, installed, updated and ran full scan on Malwarebytes.  Found one instance of adware and 2 instances of PUP's.  Removed them
Ran sfc /scannow
Ran chkdsk /f
 
In both of the above I saw nothing unusual.
Did a full scan with the installed security software (Panda Internet Security) .  Nothing found.
 
Rkill  still reports instances of zeroaccess symptoms.  Here is the log
 
Rkill 2.6.2 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html
Program started at: 10/28/2013 05:32:52 PM in x86 mode.
Windows Version: Microsoft Windows XP Service Pack 3
Checking for Windows services to stop:
 * No malware services found to stop.
Checking for processes to terminate:
 * C:\Program F... Read more

Answer:Cctster - Rkill shows 'symptoms of zeroaccess'

Hello Neil,

Welcome to Bleeping Computer. My name is fireman4it and I will be helping you with your Malware problem.

Please take note of some guidelines for this fix:
Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools.
If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
In the upper right hand corner of the topic you will see a button called Follow This Topic. I suggest you click it and select Immediate E-Mail notification and click on Follow This Topic. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.
Finally, please reply using the Post button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.

1. Download AdwCleaner
Double click on AdwCleaner.exe to run the tool.
***Note: Windows Vista and Windows 7 users: Right click on adwCleaner.exe and select "Run as administrator"
Click the Scan button.
A logfile will automatically open after the scan has finished.
Please post the content of that logfile in your next reply.
Or you can find the logfile at C:\AdwCleaner[R1].txt.
2. Download RogueKiller on the desktop... Read more

17 more replies

Moved from AII to MRL - Hamluis.
 
Hello - I have been struggling with a computer that keeps using up very high CPU. Windows keeps having problems, as does IE, and frequently has to close. I have been attempting to clean it and have tried many clean up facilities available, but still get the following from rkill.
 
Rkill 2.6.8 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html
Program started at: 10/11/2014 09:10:37 PM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1
Checking for Windows services to stop:
 * No malware services found to stop.
Checking for processes to terminate:
 * No malware processes found to kill.
Checking Registry for malware related settings:
 * No issues found in the Registry.
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
Performing miscellaneous checks:
 * Windows Defender Disabled
   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001
 * ALERT: ZEROACCESS rootkit symptoms found!
     * C:\Users\Gusto\AppData\Local\Google\Desktop\Install\{20c6343b-f07a-c0e2-f411-17a0515252a3}\ [ZA Dir]
     * C:\Users\Gusto\AppData\Local\Google\Desktop\Install\{20c6343b-f07a-c0e2-f411-17a0515252a3}\❤≸⋙\ [ZA Dir]
... Read more

Answer:rkill find zeroaccess rootkit symptoms - any help?

Greetings and welcome to BleepingComputer,
My name is xXToffeeXx, but feel free to call me Toffee if it is easier for you. I will be helping you with your malware problems.
 
A few points to cover before we start:
Do not run any tools without being instructed to as this makes my job much harder in trying to figure out what you have done.
Make sure to read my instructions fully before attempting a step.
If you have problems or questions with any of the steps, feel free to ask me. I will be happy to answer any questions you have.
Please follow the topic by clicking on the "Follow this topic" button, and make sure a tick is in the "receive notifications" and is set to "Instantly". Any replies should be made in this topic by clicking the "Reply to this topic" button.
Important information in my posts will often be in bold, make sure to take note of these.
I will attempt to reply as soon as possible, and normally within 24 hours of your reply. If this is not possible or I have a delay then I will let you know.
I will bump a topic after 3 days of no activity, and then will give you another 2 days to reply before a topic is closed. If you need more time than this please let me know.
Let's get going now.
==========================
 
Hi Voodoorae,
I must give you this warning:
 
Looking through your logs, one or more of your infections has been identified as a Backdoor Trojan. These threats have backdoor functionality which allows hackers to remotely control your computer, stea... Read more

21 more replies

Hello there!
 
I was running scans of different programs like mbam, Eset NOD32, Rkill, etc and came across the following that shows I'm infected with ZA rootkit.. I saw nothing come up in mbam or ESET.. only Rkill.
 
Any ideas on how to uninfect? It's odd that nothing showed up in mbam! I ran a quick scan and nothing like ZA showed up.
Thanks!
 
 
Rkill 2.7.0 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2015 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html
 
Program started at: 08/13/2015 04:46:49 PM in x64 mode.
Windows Version: Windows 7 Ultimate Service Pack 1
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * No malware processes found to kill.
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * ALERT: ZEROACCESS rootkit symptoms found!
 
     * Z:\Users\Harsh\AppData\Local\{14c67c2f-333f-317c-62f5-3cad2853aeb3}\ [ZA Dir]
     * Z:\Users\Harsh\AppData\Local\{14c67c2f-333f-317c-62f5-3cad2853aeb3}\@ [ZA File]
     * Z:\Users\Harsh\AppData\Local\{14c67c2f-333f-317c-62f5-3cad2853aeb3}\L\ [ZA Dir]
... Read more

Answer:Rkill showing symptoms of ZEROACCESS rootkit

Hello, Welcome to BleepingComputer. I'm nasdaq and will be helping you.
If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===
Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.

start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKU\S-1-5-21-1723998114-1590031824-863500379-1001\...\Run: [AdobeBridge] => [X]
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1723998114-1590031824-863500379-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKLM-x32 -> {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = hxxp://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2818425
SearchScopes: HKU\S-1-5-21-1723998114-1590031824-863500379-1001 -> {70D46D94-BF1E-45ED-B567-48701376298E} URL = hxxp://127.0.0.1:4664/search&s=v8UmGU_k4gmFXLIEwvyRinf70Qs?q={searchTerms}
SearchScopes: HKU\S-1-5-21-1723998114-1590031824-863500379-1001 -> {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = hxxp://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT... Read more

11 more replies

Windows 8.1

When I run File History backup, I get the following error:

Directory was not backed up because it is a reparse point:
C:\Users\(myname)\Documents\My Pictures
C:\Users\(myname)\Documents\My Music
C:\Users\(myname)\Documents\My Videos

If you want it to be protected, remove the reparse point.

-----------------------------------
When I run the following at the command prompt: dir /al /s
it shows me these reparse points as follows:
Directory of C:\Users\(myname)\Documents
09/09/2015 01:30 pm <JUNCTION> My Music (C:\users\(myname)\Music)
09/09/2015 01:30 pm <JUNCTION> My Pictures (C:\users\(myname)\Pictures)
09/09/2015 01:30 pm <JUNCTION> My Videos (C:\users\(myname)\Videos)
--------
When I use File Explorer,
these files do not show up.
I see: C:\Users\(myname)\My Music / but I don't see: C:\Users\(myname)\Documents\My Music
I see: C:\Users\(myname)\My Pictures / but I don't see: C:\Users\(myname)\Documents\My Pictures
I see: C:\Users\(myname)\My Videos / but I don't see: C:\Users\(myname)\Documents\My Videos
-------------
How do I delete/remove these reparse points?
 

More replies

Hello,
 
In general Unity 3D and Chrome started acting weird. In Unity 3D, after selecting a project in the welcome screen it keeps running in the background but nothing shows up. After removing the user files or a fresh uninstall/install, the online license manager doesn't work and requires manual licensing. Chrome also started reporting some unresponsive pages. I also started seeing increasing CPU and disk usage from System and Windows Defender in Task Manager. Then I suspected a virus and ran Rkill, which reported a ZEROACCESS. Then I ran FRST.
 
** Rkill log is so long that it gives server time out so I'm cropping the file list in the pasted log and attaching all logs to the post.

Attached: Rkill.txt (3.61MB), FRST.txt (175.42KB), Addition.txt (136.82KB)
 
Thank you for any advice and help.
----------------------

 
Rkill 2.8.4 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2016 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html
 
Program started at: 09/27/2016 10:22:12 PM in x64 mode.
Windows Version: Windows 10 Home Single Language 
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * No malware processes found to kill.
... Read more

More replies

Just FYI... I downloaded Junction Box from Sourceforge based on a recommendation from someone on this forum to ONLY download it from Sourceforge, and this was the result
(Sorry it got lumped together when I pasted it!)
SHA256: 8e79bdba58611b1cd9792f4f362d40115b055d1152446234e42896ad8aa210fd File name: Junctionbox100.zip Detection ratio: 22 / 57 Analysis date: 2015-03-25 00:38:53 UTC ( 2 months, 2 weeks ago )

Antivirus Result Update ALYac Trojan.Generic.12692334 20150324 AVware Trojan.Win32.Generic!BT 20150325 Ad-Aware Trojan.Generic.12692334 ... Read more

Answer:VirusTotal found 22/57 trojans etc. on Junction Box from Sourceforge

I went to the Junction Box developers website and read this... so it may be ok after all!

Executable and sourcecode are available on the project's Sourceforge page
Note that this utility has suffered some false antivirus alerts, notably from Norton and McAfee. From the coder's standpoint there is nothing much that can be done about this, it seems as if some antivirus vendors are nowadays writing code so trigger-happy that it flags ANY program which makes fundamental system-changes (which this has to do, or it would be of no use!) as potential malware. Notably, the better AV products produce no such false-alerts. My advice here is simple: If you want protection which actually works properly, you need to change your antivirus software.

3 more replies

Greetings from Corporate America!
 
Long time listener, first time caller.
 
One of my users complained to me that our AV kept popping up and wouldn't let him open anything. Naturally, I knew right away that wasn't our AV solution, and when I went back and checked, I regrettably confirmed this notion. It was 'Antivirus Security Pro', and I had recognized a few of the symptoms from other Malware I've dealt with in the past.
 
I performed my usual RKill >> MBAM solution (which works most of the time to at least get me into a workable state for deeper cleaning), however I noticed a couple things that were troubling about this particular instance. Firstly, RKill did not fully kill all malicious processes, as AVSP popped right back up after RKill did its work (I was able to kill it via Process Explorer manually, but not until after running RKill a second time, overwriting the original log). Secondly, I noticed a very troubling few lines in the RKill log, which I've pasted below, along with the MBAM Full Scan log. 
 
This is a Win 7 x64 laptop running on a Windows Domain. Our network AV is Trend Micro. I recommend to all of our users to use Chrome or FireFox, however it seems this one was using IE (IE 9, to be specific).
 
Important Note: The issues caught by MBAM where no action was taken are Group Policy implements within our domain; as far as I know these are nothing to worry about, except the "don't load|wscui.cpl", I was a little unsure of thi... Read more

Answer:ZeroAccess Infection Discovered by RKill after 'Antivirus Security Pro' Malware

Hello! Welcome to BleepingComputer Forums!
My name is Georgi and I will be helping you with your computer problems.
Before we begin, please note the following:
I will be working on your malware issues; this may or may not solve other issues you have with your machine.
The logs can take some time to research, so please be patient with me.
Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
Instructions that I give are for your system only!
Please do not run any tools until requested ! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.
 
 
Please download Farbar Recovery Scan Tool and save it to your desktop. Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your re... Read more

44 more replies

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16421  BrowserJavaVersion: 10.51.2
Run by Anna at 22:31:55 on 2014-07-08
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.6051.3466 [GMT -7:00]
.
AV: Norton 360 Premier Edition *Enabled/Updated* {D87FA2C0-F526-77B1-D6EC-0EDF3936CEDB}
SP: Norton 360 Premier Edition *Enabled/Updated* {631E4324-D31C-783F-EC5C-35AD42B18466}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Norton 360 Premier Edition *Enabled* {E04423E5-BF49-76E9-FDB3-A7EAC7E589A0}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\IDT\WDM\STacSV64.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Tablet\Pen\WTabletServiceCon.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Tablet\Pen\Pen_TabletUser.exe
C:\Program Files\Tablet\Pen\WacomHost.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program... Read more

Answer:Was advised to post here when Rkill noticed ZEROACCESS rootkit symptoms

 
Please download Farbar Recovery Scan Tool and save it to your desktop.
 Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
Double-click to run it. When the tool opens click Yes to disclaimer.
Make sure that under Optional Scans, there is a checkmark on Addition.txt and Shortcut.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another two logs (Addition.txt and Shortcut.txt). Please attach these to your reply.

2 more replies

Background (This topic probably applies to all windows versions)
I have a number of related software suites which would like to share core dependencies. Previously we used winsxs and created installers for our shared assemblies. This suffered from a serious disadvantage as we could not reliably uninstall our applications
cleanly (due to the winsxs all you can eat policy and lack of tools for manual cleanup, TrustedInstaller permissions, lack of clear and concise documentation and so on..). We also ran into installer issues with the install randomly occasionally failing
during installation of prerequisite MSI's that use MsiAssembly/MsiAssembly name tables. So we decide to go for private assemblies but our applications are unmanaged C++ and not using the GAC etc. Had we been using .net we might have been able to specify
codebase or probing path!!! So this meant placing a copy of each dependent assembly in each application folder. We thought rather than wasting extra gigabytes of disk space why not share them with symbolic links. Well symbolic links don't work as the loader
doesn't understand them so we thought lets try junctions... So what could possibly go wrong.. Well it seems that the loader won't generate an activation context as it does not like junctions!!! Perhaps this is a security feature? A sxstrace of one application
with the required core dependencies in suitably named sub folders yields a message Manifest XXX Crosses an unsafe repairs point.... Read more

More replies

Dell, Windows 7 Home Premium 64-bit. Rkill finds several symptoms of ZeroAccess rootkit. Your site has the McAfee ZeroAccess rootkit removal tool, but it scans for trojans and finds nothing. Help!

Answer:Rkill finds zeroaccess rootkit, but scan tool does not find to remove

I thought I'd add the Rkill result page.
 
Rkill 2.6.4 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html
Program started at: 01/13/2014 10:29:54 AM in x64 mode.
Windows Version: Windows 7 Home Premium
Checking for Windows services to stop:
 * No malware services found to stop.
Checking for processes to terminate:
 * No malware processes found to kill.
Checking Registry for malware related settings:
 * No issues found in the Registry.
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
Performing miscellaneous checks:
 * SMTMP folder detected. Please see this link for more information: http://www.bleepingcomputer.com/forums/topic405109.html
 * ALERT: ZEROACCESS rootkit symptoms found!
     * C:\$Recycle.Bin\S-1-5-18\$8f41707faa8719c6299ccc46a7a3730a\ [ZA Dir]
     * C:\$Recycle.Bin\S-1-5-18\$8f41707faa8719c6299ccc46a7a3730a\@ [ZA File]
     * C:\$Recycle.Bin\S-1-5-18\$8f41707faa8719c6299ccc46a7a3730a\L\ [ZA Dir]
     * C:\$Recycle.Bin\S-1-5-18\$8f41707faa8719c6299ccc46a7a3730a\L\[email protected] [ZA File]
     * C:\$Recycle.Bin\S-1-5-18\$8f41707faa8719c6299ccc46a7a3730a\L\6715e287 [ZA File]
     * C:\$Recycle.Bin\S-1-5-18\$8f41707faa8719c6299ccc46a7... Read more

5 more replies

Hello! Welcome to BleepingComputer Forums!
My name is Georgi and I will be helping you with your computer problems.
Before we begin, please note the following:
I will be working on your malware issues; this may or may not solve other issues you have with your machine.
The logs can take some time to research, so please be patient with me.
Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
Instructions that I give are for your system only!
Please do not run any tools until requested ! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.
 
 
STEP 1
 
 
Please download AdwCleaner by Xplode and save to your Desktop.
Double click on AdwCleaner.exe to run the tool.Vista/Windows 7/8 users right-click and select Run As Administrator.
Click on the Scan button.
AdwCleaner will begin to scan your computer like it did before.
After the scan has finished click on the Clean button.
Press OK when asked to close all programs and follow the onscreen prompts.
Press OK again to allow AdwCleaner to restart the computer and complete the remo... Read more

Answer:Rkill finds zeroaccess rootkit, but scan tool does not find to remove

Thank you, I am running them now.

11 more replies
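Several posts on this page (the XP Celeron, the Google Desktop folder, and this $Recycle.Bin case) have the same shape: the cleanup tools report nothing, yet Rkill keeps listing the same "[ZA Dir]" and "[ZA File]" paths. The script below is an added example, not code from the thread or from Rkill. It parses those lines out of a saved Rkill log and, for each one, reports whether the path still exists, whether it is a reparse point, who owns it and how many explicit Deny ACEs sit on it (the usual reason a folder cannot be listed or deleted), and for the CLSID hijack which DLL the key currently points at. It assumes Windows PowerShell 5.1 or later in an elevated prompt; $sampleLog is constructed from lines quoted in this thread and the first post on the page, and stands in for a real Rkill.txt.

```powershell
# Added example, not code from the thread or from Rkill: re-check the indicators Rkill
# lists once a cleanup has been attempted.
# Assumptions: Windows PowerShell 5.1+, elevated so ACLs can be read. $sampleLog is
# constructed from lines quoted on this page; on a real machine most of these paths
# will simply not be present.
$sampleLog = @'
 * ALERT: ZEROACCESS rootkit symptoms found!
     * C:\$Recycle.Bin\S-1-5-18\$8f41707faa8719c6299ccc46a7a3730a\ [ZA Dir]
     * C:\$Recycle.Bin\S-1-5-18\$8f41707faa8719c6299ccc46a7a3730a\@ [ZA File]
     * C:\$Recycle.Bin\S-1-5-18\$8f41707faa8719c6299ccc46a7a3730a\L\ [ZA Dir]
     * HKEY_CLASSES_ROOT\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32 [ZA Reg Hijack]
'@

function ConvertFrom-RkillSymptoms {
    # Yields one object per "* <path> [ZA ...]" line; every other line in the log is ignored.
    param([Parameter(Mandatory)][string]$LogText)
    foreach ($line in ($LogText -split "`r?`n")) {
        if ($line -match '^\s*\*\s+(?<path>.+?)\s+\[(?<kind>ZA (?:Dir|File|Reg Hijack))\]\s*$') {
            [pscustomobject]@{ Kind = $Matches['kind']; Path = $Matches['path'] }
        }
    }
}

function Test-RkillSymptom {
    param([Parameter(Mandatory)][psobject]$Symptom)
    $r = [ordered]@{ Kind = $Symptom.Kind; Path = $Symptom.Path; Present = $false;
                     ReparsePoint = $false; Owner = $null; DenyAces = 0; Detail = $null }
    if ($Symptom.Kind -eq 'ZA Reg Hijack') {
        $key = 'Registry::' + $Symptom.Path
        if (Test-Path -LiteralPath $key) {
            $r.Present = $true
            # The (default) value of InprocServer32 is the DLL COM loads for that CLSID;
            # anything outside \Windows\System32 deserves a close look.
            $r.Detail = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'(default)'
        }
    } elseif (Test-Path -LiteralPath $Symptom.Path) {
        $r.Present = $true
        $item = Get-Item -LiteralPath $Symptom.Path -Force -ErrorAction SilentlyContinue
        if ($item) {
            $r.ReparsePoint = (($item.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0)
            $r.Detail = if ($item.PSIsContainer) { 'directory' } else { '{0} bytes' -f $item.Length }
        }
        # A directory you cannot list or delete usually carries an explicit Deny ACE.
        $acl = Get-Acl -LiteralPath $Symptom.Path -ErrorAction SilentlyContinue
        if ($acl) {
            $r.Owner    = $acl.Owner
            $r.DenyAces = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' }).Count
        }
    }
    [pscustomobject]$r
}

$symptoms = ConvertFrom-RkillSymptoms -LogText $sampleLog
# Real run: $symptoms = ConvertFrom-RkillSymptoms -LogText (Get-Content -Raw "$env:USERPROFILE\Desktop\Rkill.txt")
$symptoms | ForEach-Object { Test-RkillSymptom -Symptom $_ } |
    Format-Table Kind, Present, ReparsePoint, DenyAces, Owner, Detail, Path -AutoSize -Wrap
```

Run it before and after each tool the helper asks for and diff the Present column; a path that is gone from disk but still reported by Rkill points at a stale log, while a directory that is Present with DenyAces greater than zero explains why the removal tools report nothing yet cannot clear it.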

Hi all, having been a member at Seven then Ten forums for a fair while I'm hoping to find a straight answer here. Apologies in advance if this is too verbose.
Windows 10 system booting from (UEFI) NVMe with 2x SSDs + 2 MHDDs for storage...

An application (Xperia Companion) which will not let me select or personalise the location for saving backups of my cellular phone data...

Think I found a fair definition of the differences at the Computer Hope site which would suggest it's a Junction I need:

Quote:
What's the difference between a junction and a symlink (symbolic link)?

Although very similar, a junction is not the same as a symbolic link on a Windows computer. Below is a list of some of the major differences between a junction and a symbolic link.

A junction point can only be a link to a local volume path. Symbolic links can be a local and remote path. For example, a symbolic link can link to the network share \\hope\files.
A junction point is designed for local directories, but a symbolic link can be used for directories, files, and shares.
A symbolic link resolves to the local machine. If you create a symbolic link to c:\hope on your computer and someone accessed that link from a remote machine, it would try to open c:\hope on their machine, not yours.

I want Xperia Companion to save backups to F:\Sony Backups NOT the default C:\Users\GD\Documents\Sony. Would the Junction (link) allow me to fulfill my wants and could someone... Read more

Answer:Symbolic link (Junction/s), how-to mklink? Please help with Junction?

Tutorial:

Symlinks in Windows 10 - Windows 10 Forums

Don't forget to read the comments and links!

2 more replies
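The File History post above asks how to find and remove the My Music / My Pictures / My Videos junctions that "dir /al /s" lists under Documents, and this post asks how to create one so that a fixed save path lands on another volume. The functions below are an added example, not code from either post or from the linked tutorial: the PowerShell equivalents of "dir /al /s", "mklink /J", and a junction removal that cannot follow the link into the target. They assume Windows PowerShell 5.1 or later; the paths in the usage lines are placeholders taken from the posts (C:\Users\GD\Documents\Sony redirected to F:\Sony Backups), not real data.

```powershell
# Added example, not code from either post: list, create and safely remove junctions.
# Assumptions: Windows PowerShell 5.1+. Usage paths are placeholders from the posts.

function Get-Junction {
    # What "dir /al /s" shows: every directory reparse point under $Root and its target.
    param([Parameter(Mandatory)][string]$Root, [int]$Depth = 3)
    Get-ChildItem -LiteralPath $Root -Directory -Recurse -Depth $Depth -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Link     = $_.FullName
                LinkType = $_.LinkType            # 'Junction' or 'SymbolicLink'
                Target   = ($_.Target -join ';')
            }
        }
}

function New-FolderJunction {
    # Same as "mklink /J $Link $Target": makes $Link resolve to $Target on another volume.
    # A junction can only be created where nothing exists yet, so an existing folder at
    # $Link has its contents moved into $Target first; only the empty shell is removed.
    param([Parameter(Mandatory)][string]$Link, [Parameter(Mandatory)][string]$Target)
    if (-not (Test-Path -LiteralPath $Target)) {
        New-Item -ItemType Directory -Path $Target | Out-Null
    }
    if (Test-Path -LiteralPath $Link) {
        $existing = Get-Item -LiteralPath $Link -Force
        if (($existing.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0) {
            throw "$Link is already a reparse point (target: $($existing.Target)); refusing to replace it"
        }
        Get-ChildItem -LiteralPath $Link -Force | Move-Item -Destination $Target
        Remove-Item -LiteralPath $Link         # now empty, and a plain directory, not a link
    }
    New-Item -ItemType Junction -Path $Link -Value $Target | Out-Null
    Get-Item -LiteralPath $Link -Force | Select-Object FullName, LinkType, Target
}

function Remove-Junction {
    # Removes only the link. "rmdir /s" or "Remove-Item -Recurse" can follow a junction
    # into the target and delete the real data; a non-recursive RemoveDirectory on a
    # reparse point unlinks the junction and leaves the target untouched.
    param([Parameter(Mandatory)][string]$Link)
    $item = Get-Item -LiteralPath $Link -Force
    if (($item.Attributes -band [IO.FileAttributes]::ReparsePoint) -eq 0) {
        throw "$Link is a real directory, not a junction; not deleting it"
    }
    [IO.Directory]::Delete($item.FullName)
}

# Usage (placeholder paths from the posts above):
# Get-Junction -Root "$env:USERPROFILE\Documents"      # the My Music / My Pictures / My Videos junctions
# New-FolderJunction -Link 'C:\Users\GD\Documents\Sony' -Target 'F:\Sony Backups'
# Remove-Junction -Link 'C:\Users\GD\Documents\Sony'
```

Get-Junction shows the target of each link before you touch it, which is the check the File History poster needs: the Documents\My Music junction points at the real Music folder, so removing the junction removes nothing but the alias, while deleting it with a recursive command would empty the Music folder itself.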

Hi I was wondering, and I should've asked here earlier, will the repair install re-create the "Public" and "Default" folders (which are in my "Users" folder) after I've deleted them? How about any junction for those two folders? I know I had one for "Default".

Thanks.

Answer:"Default User" junction point folder issue

  
Quote: Originally Posted by Wandering Flame

Hi I was wondering, and I should've asked here earlier, will the repair install re-create the "Public" and "Default" folders (which are in my "Users" folder) after I've deleted them? How about any junction for those two folders? I know I had one for "Default".

Thanks.

Try showing Hidden and OS files in Folder Options; see if the Default folder shows up then.

Hidden Files and Folders - Show or Hide

9 more replies
Relevance 61.09%

Hello,

My computer is set up to use a 120GB SSD for my OS (Windows 7 Ultimate 64-bit) and a 2TB hard drive for my program files, user folders etc. I use junction points to link the program files and user files from C:\ to D:\. This normally works like a charm; however, I recently updated iTunes and it deleted my C:\Program Files (x86) junction point and created a Program Files (x86) folder on the C:\ drive. This completely roots my system, as all my Program Files (x86) are stored on my D:\ drive and now my computer can't find them since the junction point has been deleted. How can it do this and, most importantly, is there any reason why it's doing this? It's an easy fix on my end, as all I have to do is put my Windows installation disk back in, boot from it and remake the junction point, but it's a real pain to do it when it shouldn't happen in the first place.

Also after remaking the Junction point I decided to uninstall iTunes and it once again deleted my junction point while uninstalling.

(Note: My Program Files, and User, junction points have worked as normal and have not been deleted just my Program Files (x86) junction point. I am creating my junction points using the command mklink "C:\Program Files (x86)" "D:\Program Files (x86)" /J)

Does anyone have any ideas as to why this is happening? Any help is much appreciated.

Thanks

Nairda.

More replies
Relevance 59.45%

Hi and thanks for a very helpful forum. I read through all the malware removal instructions and have completed the step-by-step cleaning process (which seems to have worked) and now would like to confirm that my system is actually clean. Please see attached logs. Note: ComboFix did run but then froze during the "preparing log report" phase, so the attached ComboFix log is just the txt I found in the folder, not the full zip log. Also, RootRepeal failed to run at all (in normal or safe mode).

More info about the infection:

AVG found Crypt.AQLW but couldn't fully clean it
CPU & HD constantly at 100%, firewall had been disabled, internet traffic going mad & link redirection - immediately disconnected from internet
SUPERAntiSpyware found and cleaned Trojan.Agent/Gen-Loader
MalwareBytes Anti-Malware found and cleaned Exploit.Drop.CFG
ComboFix found and cleaned Rootkit.ZeroAccess ... but failed to generate full report. CPU dropped to normal after this!
RootRepeal failed to run
MGTools ran normally

Note: Before finding this forum, I also found advice to run Kaspersky TDSSKiller which I did, and it did find something, but didn't fix the issue. Log for that attached as well.
 

Answer:AVG found Crypt.AQLW and subsequent scans found Rootkit.ZeroAccess

More logs ...

Note: It says in the ComboFix.txt that AVG was still enabled (and it also gave me that warning message) but I had already used the recommended AVG removal tool and AVG was no longer installed or running at the time.

I've now updated my OS and all my software, have switched to MS Security Essentials and re-enabled firewall etc.
 

17 more replies
Relevance 56.99%

A few days ago I was on my old Windows XP computer and I ran the following programs just to check it was in good health:
MiniToolBox.exe (found nothing)
JRT.exe (found nothing)
AdwCleaner.exe (found nothing but the setting for Google as my default search engine)
tdsskiller.exe (found nothing)
rkill.exe (found two "things")
FSS.exe (found nothing)
Malwarebytes (found nothing)
Norton Antivirus (found nothing)
 
The two things found were HWDeviceService.exe and ouc.exe, respectively in the folders
C:\Documents and Settings\All Users\Application Data\DatacardService\
C:\Documents and Settings\Administrator\Application Data\T-Mobile Internet Manager\
 
Both were shown as terminated processes, but rkill found no Windows services to stop, no registry issues, no miscellaneous issues, no Windows service integrity issues and no missing digital signatures. I navigated to the files of the processes it terminated and scanned both with Norton and MBAM, which both turned up no results; Norton even said that the files were considered trustworthy by large numbers of Norton users. Does this just mean rkill is being heavy-handed (it has a short comment in the log after each process terminated, calling HWDeviceService.exe an [AU-HEUR] and calling ouc.exe a [UP-HEUR]) or are the two files/processes dangerous? By viewing their properties, ouc.exe shows as being created on 8th April 2013 and modified 31 December 2009; HwDeviceService.exe shows as being created and m... Read more

More replies
Relevance 56.58%

Greetings!

I'm running Windows 7 64 on a laptop, and have been attacked!

After hours of googling, I've discovered that pmmupdate.exe is running from program files, (as opposed to system 32 where it's supposed to be).

I found the rkill link, downloaded and ran it.

It seems to be terminating the following two things:

C:\Program Files (x86)\Skype\Updater\Updater.exe
C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe

My system has been crashing anytime I try and go online (system freezes indefinitely / hard reboot) and is slowing up my music production (glitching / pauses).

Any guidance is GREATLY appreciated

SL

Answer:pmmupdate.exe + rkill found two things

Hi SuperLost, and welcome to Bleeping Computer. My name is Pizza and Pepsi and I will try to solve your problem. In the case that I am unsuccessful (let's hope that doesn't happen) I will direct you to someone more experienced. As we are going through the cleanup process, please tell me what problems the computer is experiencing.

Please download TDSSKiller and save it to your desktop (this is important).
Double-click on TDSSKiller.exe on your desktop to run the tool for known TDSS variants. Vista/Windows 7 users right-click and select Run As Administrator.
If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
Click on Change parameters.
Check the boxes next to Verify file digital signatures and Detect TDLFS file system, then click OK.
Click the Start Scan button.
Do not use the computer during the scan.
If the scan completes with nothing found, click Close to exit.
If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options. Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
Note: If Cure is not an option, Skip instead; do NOT choose Delete or Quarantine unless instructed.
A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26... Read more

14 more replies
Relevance 56.58%

I have included the log from Rkill below
 

 
Rkill 2.8.3 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2016 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html
 
Program started at: 03/13/2016 12:20:31 PM in x64 mode.
Windows Version: Windows 8.1 
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * C:\Windows\system32\valWBFPolicyService.exe (PID: 2460) [WD-HEUR]
 * C:\Users\Soggyz\AppData\Local\Apps\2.0\9GC279Q9.P5T\YTJ7ETAM.PA8\curs..tion_9e9e83ddf3ed3ead_0005.0001_fb8944c2684f5b6c\CurseClient.exe (PID: 5252) [UP-HEUR]
 * C:\Users\Soggyz\AppData\Local\Temp\ocr93D0.tmp\bin\rubyw.exe (PID: 4972) [UP-HEUR]
 * C:\Users\Soggyz\AppData\Local\Temp\ocrB870.tmp\bin\rubyw.exe (PID: 6792) [UP-HEUR]
 
4 proccesses terminated!
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * Windows Defender Disabled
 
   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001
 
Checking Windows Service Integrity: 
 
 * No issues found.
 
Searching for Missing Digital Signatures: 
... Read more

Answer:Did a scan with Rkill, found a few things.

See info at PIA_VPN (Private Internet Access – Virtual Private Network) - Look 'n' Stop Plugin | Wilders Security Forums

1 more replies
Relevance 56.58%

I would like to thank you in advance.
I am running Windows 7.
 
 
My computer has been acting up lately.
Outlook was freezing and I was getting the "not responding" message.
 
Well, after investigating I found out that my computer hadn't been updated in a long time.
I was able to change some things (don't remember everything) and get the system updated and it has been running better,
but then I found that Adobe Flash Player has totally stopped working - it won't work in any browser.
 
So I ran every scan and I can't find anything,
so I decided to run RKILL and this is what I found:
 
Rkill 2.4.5 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html
Program started at: 06/10/2013 10:52:28 AM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1
Checking for Windows services to stop:
 * No malware services found to stop.
Checking for processes to terminate:
 * No malware processes found to kill.
Checking Registry for malware related settings:
 * No issues found in the Registry.
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
Performing miscellaneous checks:
 * ALERT: ZEROACCESS rootkit symptoms found!
     * HKEY_CLASSES_ROOT\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32 [ZA Reg Hijack]
     * C:\... Read more

Answer:rkill Zeroacces symptoms found

Hi there, my name is Marius and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully.
First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
Perform everything in the correct order. Sometimes one step requires the previous one.
If you have any problems while you follow my instructions, stop there and tell me the exact nature of your problem.
Do not run any other scans without instruction or Add/Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Please download Malwarebytes Anti-Rootkit from here Malwarebytes : Malwarebytes Anti-Rootkit and save it to your desktop.
Be sure to print out and follow the instructions provided on that same page.
Caution: This is a beta version so please be sure to read the disclaimer and back up any importan... Read more

14 more replies
Relevance 55.76%

I am trying to fix my sister's Acer 3680-2682 laptop, which is running Vista Basic 32-bit. I have run many of the programs available here, so I am going to explain the process I have completed and hopefully someone can steer me in the right direction from here. First off, the machine was running really slow; it only has 512 MB of RAM to start with but was basically at a crawl. I did not put the machine online; I was worried about messing up my network by doing so. I installed rkill and there were malicious processes running, and she had LimeWire and that coupon printer, so I just assumed it was bad. I am learning how to work on computers, so I have some knowledge of the field, but basically I'm just relying on programs to do the work at this point. I installed tdsskiller and ComboFix and ran both. ComboFix did find issues and found something down in the kernel files, and the machine shut down while it was being deleted; when it tried to reboot, Windows would not reload, so the startup fix tool repaired it and Windows loaded. ComboFix finished building the report and then I rebooted the machine and then ran ComboFix again. It ran through with no problems this time, so I rebooted the machine and ran it again. Again there were no issues, so I rebooted and uninstalled it through the DOS prompt. I then went through Add and Remove Programs and uninstalled all of Adobe and Java and any toolbar or coupon printer, basically anything she didn't need or what I couldn't update the download. Then in... Read more

Answer:Processes found by Rkill after many types of scans

Please note the message text in blue at the top of this forum. No one should be using ComboFix unless specifically instructed to do so by a Malware Removal Expert who can interpret the logs. It is a powerful tool intended by its creator to be "used under the guidance and supervision of an expert". Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again. Please read the pinned topic ComboFix usage, Questions, Help? - Look here. If you ran ComboFix on your own due to malware infection, please be aware that using ComboFix is only one part of the disinfection process.

With that said, all files listed in an RKill log are not necessarily malware related. In addition to terminating the most common bad processes that prevent other tools from being executed, Rkill also terminates executable files running from a user profile by design. Programs should not be running from a user profile as they are meant to hold data, preferences, settings, and configuration files. Determining whether a file is malware or a legitimate process usually depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a critical system file like svchost.exe. However, it then places itself in a different location (folder) than where the legitimate file resides and runs from there.

DllHost.exe (aka COM Surrogate or DCOM DLL host process) is a process that supports D... Read more

2 more replies
Relevance 55.76%

I uninstalled ZoneAlarm Firewall and now strange things happen...

rundll32.exe - Entry point not found
The procedure entry point LdrResfindResource could not be located in the dynamic link library ntdll.dll

Whenever I log in to Windows I get

userinit rundll32.exe - Entry point not found
The procedure entry point LdrResfindResource could not be located in the dynamic link library ntdll.dll

winlogon rundll32.exe - Entry point not found
The procedure entry point LdrResfindResource could not be located in the dynamic link library ntdll.dll

When I right-click "MY PC" I get

rundll32.exe - Entry point not found
The procedure entry point LdrResfindResource could not be located in the dynamic link library ntdll.dll

I tried sfc /scannow without any success :/

Answer:rundll32.exe - Entry point not found The procedure entry point LdrResfindResource could not be located in the dynamic link libr...

You currently have an open Malware Removal Logs citing same issue, http://www.bleepingcomputer.com/forums/topic473316.html .

Since you have the open malware topic, we request that you pursue that and resolve any/all issues there...before proceeding with a topic in a different forum, citing the same issues.

At the conclusion/resolution of your MRL topic...you should then initiate a topic in the appropriate forum for any system issues that you may then have.

To avoid confusion, this topic is now closed.

Louis

1 more replies
Relevance 54.53%

As the title says, I'm getting a clean report from MBAM and MSE, but when I run rkill, it is terminating the process:
 
C:\Windows\SysWOW64\ACEngSvr.exe (PID: 4916) [WD-HEUR]
 
Just curious whether this means anything?

Answer:Rkill found one process to terminate, but MBAM and MSE show clean

Heur is the keyword there for questioning whether it is malware or a false-positive.
 
From the net: The average file size is about 169.29 KB. The file is digitally signed and issued to ASUSTeK Computer Inc. by VeriSign. The programs ASUS Splendid Video Enhancement Technology, NVIDIA Stereoscopic 3D Driver and USBCharge+ have been observed as installing specific variations of acengsvr.exe.
 
Most likely a false-positive if you have any of the products mentioned. You can also go to the file and verify the size.
You can submit the file to VirusTotal - Free Online Virus and Malware Scan to be scanned by 50 security programs for further analysis.

2 more replies
Relevance 53.71%
Question: Found ZeroAccess

Sorry I thought the FRST and addition logs were already taken care of by the last post. They are both pasted below because I can't figure out how to attach the addition log
 
FRST Log
 
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 07-02-2015
Ran by Josh (administrator) on JOSH-PC on 07-02-2015 11:28:24
Running from C:\Users\Josh\Downloads
Loaded Profiles: Josh & Tiff (Available profiles: Josh & Tiff)
Platform: Microsoft Windows 7 Professional  Service Pack 1 (X86) OS Language: English (United States)
Internet Explorer Version 10 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Google Inc.) C:\Program Files\Google\Update\1.3.25.11\GoogleCrashHandler.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
(Microsoft Corporation) C:\Program Files\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe
(Microsoft Corporation) C:\Program Files\Skype\Tool... Read more

Answer:Found ZeroAccess

Hello, Welcome to BleepingComputer. I'm nasdaq and will be helping you.
If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===
Run this tool to clean your Temporary files/Folders.
Download TFC to your desktop.
Close any open windows.
Double click the TFC icon to run the program.
TFC will close all open programs itself in order to run.
Click the Start button to begin the process.
Allow TFC to run uninterrupted, it should not take long to finish.
Once it's finished, click OK to reboot.
If it does not reboot, reboot your system manually.
===
Open notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.

start

CloseProcesses:

(Company) C:\Program Files\Popcorn Time\Updater.exe
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKU\S-1-5-21-562459901-1482382580-3887097223-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
ShellExecuteHooks: - {AEB6717E-7E19-11d0-97EE-00C04FD91972} - No File [ ]
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin HKU\S-1-5-21-562459901-1482382580-3887097223-1000: CouponNetwork.com/CMDUniversalCouponPrintActivator -> C:\Users\Josh\AppData\Roaming\CATALI~1\NPBCSK~1.DLL (Catalina Marketing Corporation)
FF Extension: 50Ceouponss - C:\Users\Josh\AppData\Roaming\Mozilla\Firefox\Profiles\ds7b9x07.default\Extensio... Read more

11 more replies
Relevance 53.71%
Question: Found ZeroAccess

I recently was instructed to create another post about finding ZeroAccess and reference my other post here:
 
http://www.bleepingcomputer.com/forums/t/565155/ads-by-randomprice-adware/#entry3613691
 
Any help would be greatly appreciated. Thank you.

Answer:Found ZeroAccess

Ok, so you still need to follow the Prep Guide as instructed in Post 7 of that other topic.

4 more replies
Relevance 53.3%

I'm including and attaching the dds results from today's boot. I'll include those results from Rkill if you wish. I had posted a very detailed post with all the history last night, but when I did, I got redirected to a page that said your site was offline. Suspicious, I ran Major Geeks' Google redirecting program and was able to get back on your site just fine. When I did, my post was no longer there. It had taken me about 2 hours to compile; and, I'm sorry, but I just can't do that again. I was in tears when I saw it wasn't there. (I have Asperger syndrome, a high-functioning form of autism, and I react even worse than neurotypical people when things like that happen.)
 
Anyway, here's the dds.txt file:
DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.51.2
Run by Carol at 21:01:03 on 2014-02-25
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.503.226 [GMT -5:00]
.
AV: COMODO Antivirus *Enabled/Updated* {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *Enabled* 
.
============== Running Processes ================
.
C:\Program Files\Common Files\COMODO\launcher_service.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\WINDOWS\System32\alg.exe... Read more

Answer:Ran Rkill in Infected XPSP3 Pro Laptop, Found Tons of Missing Digital Sigs

Was supposed to post a link to my original post, which I put in the wrong place, which contains said Rkill report. I just ran it again, though, because I again got redirected from your site saying it was offline. This time, though, my post is intact! :D
 
Here's the link to my original post:
http://www.bleepingcomputer.com/forums/t/525595/ran-rkill-immed-on-boot-got-many-missing-digital-signatures-regedit-wont-run/
 
Thanks again for your help!
nondenomifan

33 more replies
Relevance 52.89%

ZeroAccess Rootkit found. Combofix repaired Internet access issue.

I just need help to find any leftover issues. I was able to run all programs and get logs.


Any help would be greatly appreciated.


Viking62
 

Answer:ZeroAccess rootkit found.

Second batch of logs.
 

2 more replies
Relevance 52.89%

Rkill 2.6.5 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html
Program started at: 05/16/2014 01:13:39 PM in x86 mode.
Windows Version: Windows Vista ™ Home Premium Service Pack 2
Checking for Windows services to stop:
* No malware services found to stop.
Checking for processes to terminate:
* No malware processes found to kill.
Checking Registry for malware related settings:
* No issues found in the Registry.
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
Performing miscellaneous checks:
* ALERT: ZEROACCESS rootkit symptoms found!
* C:\$Recycle.Bin\S-1-5-21-1313530273-2412965177-1143821080-1000\$ff24043d55f85ce9a20a8337d9b4b888\ [ZA Dir]
* C:\$Recycle.Bin\S-1-5-21-1313530273-2412965177-1143821080-1000\$ff24043d55f85ce9a20a8337d9b4b888\@ [ZA File]
* C:\$Recycle.Bin\S-1-5-21-1313530273-2412965177-1143821080-1000\$ff24043d55f85ce9a20a8337d9b4b888\L\ [ZA Dir]
* C:\$Recycle.Bin\S-1-5-21-1313530273-2412965177-1143821080-1000\$ff24043d55f85ce9a20a8337d9b4b888\U\ [ZA Dir]
* ALERT: ZEROACCESS Reparse Point/Junction found!
* C:\Program Files\Windows Defender\en-US => c:\windows\system32\config\ [Dir]
* C:\Program Files\Windows Defender\MpAsDesc.dll => c:\windows\system32\config [File]
* C:\Program Files\Windows Defender\MpClient.dll => c:\windows\system32\config [File]
* C:\Program Files... Read more

Answer:ZeroAccess Infection Found

Attached DDS zip file.

40 more replies
Relevance 52.89%
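The Rkill sections quoted in this thread and the ones above follow a fixed layout, so the reparse-point findings can be triaged mechanically before deciding what to post. The following Python is an added example, not Rkill's own code or anything taken from these posts. The sample log is constructed from lines of the kind quoted above (plus one made-up entry under a hypothetical "Acme Tools" folder), and the directory lists it relies on (security-product folders, the registry hive directory as a bogus target, WinSxS/assembly/AppPatch as usually legitimate) are this example's own assumptions. It goes slightly beyond the posts by also ranking the entries Rkill prints under its "may be legitimate" heading, since an unresolvable target outside a known side-by-side store still deserves a look.

```python
r"""Triage the "Reparse Point/Junction" findings in an Rkill log.

Added example for these threads; it is not Rkill's own code and not from any
post above.  It parses the entry lines Rkill prints under its two reparse-point
headings and ranks each with heuristics mirroring what the quoted logs show:
ZeroAccess turned security-product DLLs into reparse points whose target is
unresolvable ("<Unknown Target>") or a directory such as
c:\windows\system32\config, so the DLL can no longer be loaded.
The directory lists below are this example's assumptions, not Rkill's.
"""
import re
from dataclasses import dataclass

# Constructed sample, modelled on the Rkill output quoted in the posts above.
# The "Acme Tools" entry is invented to exercise the "review" verdict.
SAMPLE_LOG = r"""
Performing miscellaneous checks:

 * ALERT: ZEROACCESS Reparse Point/Junction found!
     * C:\Program Files\Windows Defender\MpAsDesc.dll => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MpClient.dll => <Unknown Target> [File]
     * C:\Program Files\Windows Defender\en-US => c:\windows\system32\config\ [Dir]
 * Reparse Point/Junctions Found (These may be legitimate)!
     * C:\WINDOWS\AppPatch\AcSpecfc.dll => <Unknown Target> [File]
     * C:\WINDOWS\assembly\GAC_32\PresentationCore\3.0.0.0__31bf3856ad364e35\PresentationCore.dll => <Unknown Target> [File]
     * C:\Program Files\Acme Tools\helper.dll => <Unknown Target> [File]

Checking Windows Service Integrity:
"""

# One Rkill entry line: "<path> => <target> [File|Dir]".
ENTRY_RE = re.compile(
    r"^\s*\*\s+(?P<path>.+?)\s+=>\s+(?P<target>.+?)\s+\[(?P<kind>File|Dir)\]\s*$"
)

# Assumed locations (this example's own lists, compared case-insensitively).
SECURITY_PRODUCT_DIRS = ("\\windows defender\\", "\\microsoft security client\\")
USUALLY_LEGITIMATE_DIRS = ("\\winsxs\\", "\\assembly\\", "\\apppatch\\")
REGISTRY_HIVE_DIR = "c:\\windows\\system32\\config"


@dataclass
class ReparseEntry:
    path: str
    target: str
    kind: str            # "File" or "Dir", as printed by Rkill
    rkill_section: str   # "alert" or "maybe-legitimate"


def parse_reparse_entries(log_text):
    """Return the reparse-point entries Rkill printed, tagged with their heading."""
    entries = []
    section = None
    for line in log_text.splitlines():
        if "ZEROACCESS Reparse Point/Junction found" in line:
            section = "alert"
            continue
        if "Reparse Point/Junctions Found" in line:
            section = "maybe-legitimate"
            continue
        if line.strip().startswith("Checking"):   # next Rkill phase begins
            section = None
            continue
        match = ENTRY_RE.match(line)
        if section and match:
            entries.append(ReparseEntry(match["path"], match["target"],
                                        match["kind"], section))
    return entries


def classify(entry):
    """Return (verdict, reasons); verdict is "high", "review" or "likely-legitimate"."""
    path = entry.path.lower()
    target = entry.target.lower().rstrip("\\")
    in_security_dir = any(d in path for d in SECURITY_PRODUCT_DIRS)
    in_usual_dir = any(d in path for d in USUALLY_LEGITIMATE_DIRS)

    reasons = []
    if target == "<unknown target>":
        reasons.append("target does not resolve")
    elif target == REGISTRY_HIVE_DIR or target.startswith(REGISTRY_HIVE_DIR + "\\"):
        reasons.append("target is the registry hive directory, not loadable code")
    bogus_target = bool(reasons)
    if in_security_dir:
        reasons.append("file belongs to a security product")

    if in_security_dir and bogus_target:
        verdict = "high"            # the pattern the quoted ZeroAccess logs show
    elif bogus_target and not in_usual_dir:
        verdict = "review"          # dangling link outside a known side-by-side store
    else:
        verdict = "likely-legitimate"
    return verdict, reasons


def triage(log_text):
    """Count entries per verdict so a whole log can be summarised at a glance."""
    counts = {"high": 0, "review": 0, "likely-legitimate": 0}
    for entry in parse_reparse_entries(log_text):
        counts[classify(entry)[0]] += 1
    return counts


if __name__ == "__main__":
    for entry in parse_reparse_entries(SAMPLE_LOG):
        verdict, reasons = classify(entry)
        print(f"[{verdict:>17}] {entry.path} -> {entry.target}  ({'; '.join(reasons)})")
    print(triage(SAMPLE_LOG))
```

Run it against a saved Rkill.txt by replacing SAMPLE_LOG with the file's contents; the output is only a ranking of what Rkill already found and is meant to decide what to post for a helper to look at, not to replace their verdict.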

 This is what came up after using RKILL
 
* ALERT: ZEROACCESS rootkit symptoms found!
 
     * C:\Windows\Installer\{b93732d6-b308-ce93-f8e0-3f457f76a2f2}\ [ZA Dir]
     * C:\Windows\Installer\{b93732d6-b308-ce93-f8e0-3f457f76a2f2}\L\ [ZA Dir]
     * C:\Windows\Installer\{b93732d6-b308-ce93-f8e0-3f457f76a2f2}\U\ [ZA Dir]
 
I have followed the instructions for downloading and running DDS. I hope the files attach OK (I am a complete novice).
 
I would be so grateful if you could help me with this problem. Many thanks in advance x

Answer:Zeroaccess rootkit found

Hello! Welcome to BleepingComputer Forums!
My name is Georgi and I will be helping you with your computer problems.
Before we begin, please note the following:
I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
The logs can take some time to research, so please be patient with me.
Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
Instructions that I give are for your system only!
Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.
 
 
Please download Farbar Recovery Scan Tool and save it to your desktop.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system; that will be the right version.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your re... Read more

58 more replies
Relevance 52.89%

I was given this Dell laptop (Windows 7 Premium SP1) to work on because the owner couldn't even get Windows to start. While playing around with it, I found that it wouldn't even start up in safe mode. So, I finally got it to boot up with an earlier restore point and man, this thing is messed up. I noticed right off that the desktop was littered with the user's icons, including PDF files, shortcuts and leftovers from install packages. The first Windows problem I noticed was that the mousepad lost its button abilities: no drag and drop/resize with the left button, no right-click for anything else. I also noticed no ability to do a Windows Update, for which an error message stated the service was not started. I looked at Windows services and Update wasn't even available. I compared Windows services with those at Black Viper and saw that many would not start or were not even listed. Very few programs would load up, no Firefox or Chrome browser working, and McAfee seemed to be getting in the way of everything. Everything I tried issued a popup of some sort with an error.

I got IE to run and logged into MajorGeeks, but any download was deemed a virus and deleted! Upon further investigation, I found this to be a characteristic of the ZeroAccess rootkit, so I renamed the Windows Defender folder to defender_old and headed over here to run the "Read & Run Me". I'm posting the log files from the scans but you must keep in mind, without the use of the mouse... Read more

Answer:ZeroAccess rootkit found

...and here's MGlogs.zip!
 

15 more replies
Relevance 52.48%

Hello,
 
A colleague's browser is being redirected - both IE and Firefox on a 64-bit machine running Win7.
 
AVG Antivirus Business Edition moved some items to the virus vault, but the problem continued.
 
We ran Malwarebytes, which found Scorpion Saver and SavingBull, which were deleted.
 
We downloaded and ran RKill - which found ZeroAccess toolkit.
 
We downloaded and ran Hitman Pro, which found nothing.
 
We re-ran Malwarebytes, and nothing was found.
 
I see lots of suggestions for dealing with ZeroAccess toolkit. Is there a consensus on the best method to do so?
 
Pam H.

Answer:Redirection - ZeroAccess Toolkit found

Hi,
 
You are infected with ZeroAccess, we will need more advanced tools to deal with it:
 
Please follow the instructions in THIS GUIDE starting at Step 6. If you cannot complete a step, skip it and continue.
Once the proper logs are created, then make a NEW TOPIC and post it HERE. Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.
If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.
It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.
If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.
xXToffeeXx~ 

2 more replies
Relevance 52.48%

My brother borrowed my laptop and downloaded some things he shouldn't have. I managed to clean most of the problems up with a combination of Malwarebytes, Adwcleaner, and Security Essentials, but Rkill found 3 instances of a rootkit.  I would like some help removing these since I have never done it before. Here is the DDS log, and thanks for your help.
 
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 10.0.9200.16686  BrowserJavaVersion: 10.25.2
Run by Skootch at 12:01:22 on 2013-10-09
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.4061.1750 [GMT 3:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync... Read more

Answer:Zeroaccess rootkit symptoms found

Hi there, my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully. First, read my instructions completely. If there is anything that you do not understand, kindly ask before proceeding. Perform everything in the correct order. Sometimes one step requires the previous one. If you have any problems while following my instructions, stop there and tell me the exact nature of your problem. Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me. Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts. If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed. Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean. My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Scan with Gmer rootkit scanner
Please download Gmer from here by clicking on the "Download EXE" Button. Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent. If it gives you a warning about rootkit activity and asks if you want to run scan... Read more

25 more replies

I have a Window 7 Toshiba laptop with all service pack and updates applied.  I was trying to set up file sharing on my network and found that I had lost access to do that on this laptop.  Every time I turned on network discovery it would shut itself off.  All of the default firewall rules were missing so I couldn't restore them.  I was able to finally get the rules from another Win 7 machine and get them restored and working again and I can now connect to my network.  Network discovery stays on.
 
However, I now had a notification " Zeroaccess Rootkit symptoms found" when I ran rkill and adwcleaner to remove Sweetpacks.  I am comfortable that Sweetpacks and remnants are removed.
 
Please help me remove the Zeroaccess Rootkit before it takes any further hold.
 
Here is rkill log info.
 
Rkill 2.6.2 by Lawrence Abrams (Grinler)
 
Program started at: 10/18/2013 09:48:29 AM in x86 mode.
Windows Version: Windows 7 Professional Service Pack 1
 
Checking for Windows services to stop:
 * No malware services found to stop.
 
Checking for processes to terminate:
 * No malware processes found to kill.
 
Checking Registry for malware related settings:
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
  * HKCU\SOFTWARE\Classes\.exe "@" exists and is set to !
  * HKCU\SOFTWARE\Classes\.exe has been deleted!
 
Performing miscella... Read more

Answer:Zeroaccess Rootkit symptoms found

Hello DakotaCat,
Please repost this log and a DDS log by following this Preparation Guide, do steps 6, 7 and 8 and post in a new topic. Let me know if all went well.

2 more replies

I ran Malware, Spybot, SpyHunter, TDSSKiller, Crap Cleaner,
Malicious Software Removal (MRT) tool, AVG Anti-virus, and Avast Boot time scan.

Avast and Spybot each found an infection, but the re-direct issue continued.

Every time I go to Google and search the links returned are bogus and re-direct elsewhere.

My Outlook was acting up and I thought it could be connected.

I panicked and downloaded and ran Combofix.

Here's the log:
ComboFix 12-06-20.02 - Administrator 06/20/2012 15:21:34.1.2 - x86
Running from: c:\documents and settings\Administrator\My Documents\Downloads\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Application Data\19cfc9e0
c:\documents and settings\Administrator\Application Data\eeb7be1a
c:\documents and settings\Administrator\Application Data\f912361f
c:\documents and settings\Administrator\g2mdlhlpx.exe
c:\documents and settings\Administrator\ifuttbsqrh.tmp
c:\documents and settings\Administrator\Local Settings\Application Data\AOL\Adobe\ruscoraw.dll
c:\documents and settings\All Users\Ap... Read more

Answer:RootKit.ZeroAccess found by Combofix

Hi, Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log. Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

Please reply to this post so I know you are there. The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic. Once I receive a reply then I will return with your first instructions. Thanks

5 more replies

I got an email from the campus administrator that ShadowServer found ZeroAccess rootkit on my laptop.
This is the message: (i've cut out the ip addresses)

"timestamp","ip","port","asn","geo","region","city","hostname","type","infection","url","agent","cc","cc_port","cc_asn","cc_geo","cc_dns","count","proxy","application","p0f_genre","p0f_detail"
"2013-09-15 20:00:09","(IP)",52001,1103,"NL","(city)","(city)",,"udp","ZeroAccess",,,"(ip cut out)",16465,22773,"US","ip(ip)",1,,,,,

---- end complaint ----

I've run all the required software but no rootkit was found. Is it possible that ShadowServer gave a false alarm? Or is the virus hiding so well?

I've attached all the logfiles required, except TDSSKiller, it didn't find any infected files.

Thanks!
 

Answer:ZeroAccess rootkit found by ShadowServer

You're getting a false positive.
 

3 more replies

I have a Window 7 Toshiba laptop with all current service pack and updates applied.  I was trying to set up file sharing on my network and found that I had lost access to do that on this laptop.  Every time I turned on network discovery it would shut itself off.  All of the default firewall rules were missing so I couldn't restore them.  I was able to finally get the rules from another Win 7 machine and get them restored and working again and I can now connect to my network.  Network discovery now stays on.
 
Someone had installed games on my computer and with it came Sweetpacks malware.  I removed Sweetpacks and remnants but while running rkill I got a notification " Zeroaccess Rootkit symptoms found".  I am comfortable that Sweetpacks is removed but I need help to remove the Zeroaccess Rootkit before it takes any further hold.
 
dds.txt log:
 
DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 10.0.9200.16720  BrowserJavaVersion: 10.25.2
Run by Main at 18:35:30 on 2013-10-18
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.2038.841 [GMT -5:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Disabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Win... Read more

Answer:Zeroaccess Rootkit symptoms found

Hello DakotaCat, I would like to welcome you to the Malware Removal section of the forum. Around here they call me Gringo and I will be glad to help you with your malware problems.

Very Important --> Please read this post completely. I have spent my time to put together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!

Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same... Read more

14 more replies

So I was browsing the internet earlier when my screen suddenly changed to one of those ransomware screens, more specifically the Police Central e-crime Unit one (description here: http://forums.anvisoft.com/viewtopic-45-973-0.html). I did the usual system restore, full scan with Malwarebytes and Microsoft Security Essentials which seemed to do the trick as the computer is running fine again. I wanted to be sure though so I ran rkill and it came up with this:

Rkill 2.4.5 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 11/23/2012 10:12:07 AM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* No malware processes found to kill.

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* ALERT: ZEROACCESS rootkit symptoms found!

* HKEY_CLASSES_ROOT\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32 [ZA Reg Hijack]

Checking Windows Service Integrity:

* No issues found.

Searching for Missing Digital Signatures:

* No issues found.

Checking HOSTS File:

* No issues foun... Read more

Answer:ZEROACCESS rootkit symptoms found

Download TDSSKiller. Launch it. Click on Change parameters, select TDLFS file system, and click on "Scan". Please post the LOG report (the log file should be in your C drive). Do not change the default options on scan results.

Download aswMBR. Launch it, allow it to download the latest Avast! virus definitions. Click the "Scan" button to start the scan. After the scan finishes, click on Save log. Post the log results here. If you get crashes in normal mode, run it in safe mode with networking.

Download ESET online scanner. Install it. Click on START, it should download the virus definitions. When the scan gets completed, click on LIST of found threats. Export the list to desktop, copy the contents of the text file in your reply.

3 more replies

A few days ago I started getting the fake Acrobat and Java update requests. I ignored them and then started getting random redirects to http://63.209.69.107 with IE using any search engine as well as directed to other random sites.
I ran a full scan with McAfee and it found ZeroAccess!cfg, along with Exploit-CVE2012-1723 in 3 different locations, and JV/Exploit-Blacole.q that was located in a Sun/Java folder. It cleaned and deleted them.
Continued to get the same symptoms.
Ran Malwarebytes which came back clean.
Ran a McAfee Stinger, no change
Ran TDSSKILLER, clean
Ran DDS and it ran and attached logs
Ran GMER, it only allowed me to select Services, Registry, Files, C:, and ADS. All other boxes are greyed out and can not be selected
I tried the instance of GMER on another machine and all options were selectable

Answer:Found ZeroAccess!cfg with McAfee, but still getting redirects

Greetings and Welcome to The Forums!! My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the ... Read more

25 more replies

My pc was giving errors when I tried to change my firewall settings: Error code 0x80070424
I ran Rkill t and this is what I got:
Rkill 2.6.2 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html
Program started at: 11/25/2013 07:52:27 PM in x64 mode.
Windows Version: Windows 8 Pro
Checking for Windows services to stop:
* No malware services found to stop.
Checking for processes to terminate:
* C:\Windows\SysWOW64\ChgService.exe (PID: 1904) [WD-HEUR]
1 proccess terminated!
Checking Registry for malware related settings:
* No issues found in the Registry.
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
Performing miscellaneous checks:
* ALERT: ZEROACCESS rootkit symptoms found!
* C:\Program Files (x86)\Google\Desktop\Install\{6c76f889-4758-ee39-de24-8ad41767c58d}\ [ZA Dir]
* C:\Program Files (x86)\Google\Desktop\Install\{6c76f889-4758-ee39-de24-8ad41767c58d}\ \ [ZA Dir]
* C:\Program Files (x86)\Google\Desktop\Install\{6c76f889-4758-ee39-de24-8ad41767c58d}\ \x002ex002ex002e\ [ZA Dir]
* C:\Program Files (x86)\Google\Desktop\Install\{6c76f889-4758-ee39-de24-8ad41767c58d}\ \x002ex002ex002e\x202exfbf9x0e5b\ [ZA Dir]
* C:\Program Files (x86)\Google\Desktop\Install\{6c76f889-4758-ee39-de24-8ad41767c58d}\ \x002ex002ex002e\x202exfbf9x0e5b\{6c76f889-4758-ee39-d... Read more

Answer:Zeroaccess rootkit symptoms found

Boot to SAFE Mode and run Malwarebytes Anti-Rootkit Beta and restart. After restart continue with other virus removal software such as Combofix (run CCleaner first it'll go faster), ADWCleaner, Malwarebytes, and do a boot-time scan to finish it up. http://www.malwarebytes.org/products/other_tools/

3 more replies
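The Rkill entries quoted in this thread and in the ones above fall into three shapes: a "[ZA Reg Hijack]" line naming a CLSID whose InprocServer32 registration has been redirected, "[ZA Dir]"/"[ZA File]" paths whose suspicious name components Rkill prints as runs of xHHHH code units (the log above shows "x002ex002ex002e", three U+002E dots, and "x202exfbf9x0e5b", which opens with the U+202E right-to-left override), and the "ZEROACCESS Reparse Point/Junction" lists of files whose reparse target does not resolve. The script below is an added example and is not code from any of the posts or from Rkill itself. It runs over a constructed sample log modelled on those entries, decodes the escaped components, and flags the hiding tricks visible in them: dot-only names, whitespace-only names, bidirectional override characters, and unresolvable file reparse points. The decoding rule (every "x" plus four hex digits is one escaped code unit, applied only to components made entirely of such units) is an assumption inferred from the quoted lines, not documented Rkill behaviour.

```python
import re

# Unicode bidirectional control characters (U+202A..U+202E, U+2066..U+2069); a
# name containing one renders differently from how the file system stores it.
BIDI_CONTROLS = {chr(c) for c in range(0x202A, 0x202F)} | {chr(c) for c in range(0x2066, 0x206A)}

# Assumption: Rkill prints a suspicious name component as a run of xHHHH code
# units, e.g. "x002ex002ex002e" for "...".  Only whole components are decoded.
ENCODED_COMPONENT = re.compile(r"(?:x[0-9a-fA-F]{4})+")
CODE_UNIT = re.compile(r"x([0-9a-fA-F]{4})")

# " * <path or registry key> [ZA Dir]" lines under the ZEROACCESS symptoms alert.
INDICATOR_LINE = re.compile(r"^\s*\*\s+(?P<item>.+?)\s+\[(?P<tag>[^\]]+)\]\s*$")
# " * <path> => <target> [File]" lines under the reparse point lists.
REPARSE_LINE = re.compile(r"^\s*\*\s+(?P<path>.+?)\s+=>\s+(?P<target>.+?)\s+\[(?P<kind>File|Dir)\]\s*$")

# Constructed sample, not a real log, modelled on the Rkill entries quoted on this page.
SAMPLE_LOG = r"""
Performing miscellaneous checks:
 * ALERT: ZEROACCESS rootkit symptoms found!
 * HKEY_CLASSES_ROOT\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32 [ZA Reg Hijack]
 * C:\Users\Elan\AppData\Local\{7e477a91-d9cb-b2e3-5d2a-8988a4d79a22}\@ [ZA File]
 * C:\Program Files (x86)\Google\Desktop\Install\{6c76f889-4758-ee39-de24-8ad41767c58d}\ \x002ex002ex002e\x202exfbf9x0e5b\ [ZA Dir]
 * ALERT: ZEROACCESS Reparse Point/Junction found!
     * C:\Program Files\Windows Defender\MsMpCom.dll => <Unknown Target> [File]
 * Reparse Point/Junctions Found (These may be legitimate)!
     * C:\WINDOWS\AppPatch\AcSpecfc.dll => <Unknown Target> [File]
"""


def decode_component(raw):
    """Turn an Rkill-escaped path component back into the characters it names."""
    if ENCODED_COMPONENT.fullmatch(raw):
        return "".join(chr(int(h, 16)) for h in CODE_UNIT.findall(raw))
    return raw


def name_reasons(path):
    """Why a path looks like a ZeroAccess hiding place, judged by its component names."""
    reasons = set()
    for raw in path.split("\\"):
        comp = decode_component(raw)
        if any(ch in BIDI_CONTROLS for ch in comp):
            reasons.add("bidi override character in name")
        if comp and set(comp) <= {"."}:
            reasons.add("dot-only component")
        if raw and not comp.strip():
            reasons.add("whitespace-only component")
    return sorted(reasons)


def analyze_rkill_log(text):
    """One finding per ZeroAccess indicator or reparse-point line in an Rkill log."""
    findings = []
    section = None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("* ALERT: ZEROACCESS Reparse Point"):
            section = "reparse-alert"
            continue
        if s.startswith("* Reparse Point/Junctions Found"):
            section = "reparse-info"
            continue
        if s.startswith("* ALERT: ZEROACCESS rootkit symptoms"):
            section = "za"
            continue
        m = REPARSE_LINE.match(line)
        if m and section in ("reparse-alert", "reparse-info"):
            unresolved = m.group("target") == "<Unknown Target>"
            findings.append({
                "kind": "reparse",
                "path": m.group("path"),
                "target": m.group("target"),
                # Rkill's own split: the alert list is ZeroAccess-specific, the
                # second list may be legitimate and only needs a human look.
                "severity": "high" if section == "reparse-alert" and unresolved else "review",
                "reasons": ["reparse target does not resolve"] if unresolved else [],
            })
            continue
        m = INDICATOR_LINE.match(line)
        if m and section == "za" and m.group("tag").startswith("ZA "):
            tag, item = m.group("tag"), m.group("item")
            reasons = ["COM InprocServer32 default redirected"] if tag == "ZA Reg Hijack" else name_reasons(item)
            findings.append({"kind": tag, "path": item, "severity": "high", "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze_rkill_log(SAMPLE_LOG):
        print(f["severity"].upper(), f["kind"], f["path"], "; ".join(f["reasons"]))
```

Point it at a saved Rkill.txt by passing the file's contents to analyze_rkill_log. It only classifies what Rkill already reported, so it is a triage aid for reading these logs, not a substitute for the rootkit scans (TDSSKiller, aswMBR, GMER, MBAR) the helpers in these threads ask for.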

Hi Guys, Been reading through the forums but this one has me a little stumped... Most cases I have been able to remedy myself but then I came across your tool of Rkill... which when run comes up with "ZeroAccess rootkit symptoms found". Anyhow I have run pretty much in this order, Rkill - Malwarebytes - Nod32 - Combofix... and ran Rkill one last time after this to see if it detected anything else... so here I am. I have downloaded the Farbar Recovery Scan Tool and hit scan. Below I post the log files, any help please greatly appreciated.

Rkill Logfile
Rkill 2.6.1 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link: http://www.bleepingcomputer.com/forums/topic308364.html
Program started at: 09/26/2013 08:08:09 AM in x86 mode.
Windows Version: Windows 7 Home Premium Service Pack 1
Checking for Windows services to stop:
 * No malware services found to stop.
Checking for processes to terminate:
 * C:\Users\user\AppData\Local\Temp\TeamViewer\Version8\TeamViewer.exe (PID: 6128) [T-HEUR]
 * C:\Users\user\AppData\Local\Temp\TeamViewer\Version8\tv_w32.exe (PID: 4252) [T-HEUR]
2 proccesses terminated!
Checking Registry for malware related settings:
 * No issues found in the Registry.
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
Performing miscellaneous checks:
 * Windows Defender Disabled   [HKLM\SOFTWARE\Microsoft... Read more

Answer:ZEROACCESS rootkit symptoms found.

Also ran TDSS killer... and it came back with no threats found...

23 more replies

Basic help found Zeroaccess rootkit after running Adware Cleaner, Rkill, Est.  I am running Windows XP SP3.  They referred me to you through the Preparation Guide.
 
Please let me know if you need anything else to help with virus.
 
Thank you.
 
Sandhill
 
Follows is DDS.txt:
 
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.40.2
Run by Jeff at 20:10:53 on 2014-04-24
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3070.1998 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ================
.
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\P... Read more

Answer:Zeroaccess rootkit found by helper

Greetings and welcome to BleepingComputer,
My name is xXToffeeXx, but feel free to call me Toffee if it is easier for you. I will be helping you with your malware problems.
 
A few points to cover before we start:
Do not run any tools without being instructed to as this makes my job much harder in trying to figure out what you have done.
Make sure to read my instructions fully before attempting a step.
If you have problems or questions with any of the steps, feel free to ask me. I will be happy to answer any questions you have.
Please follow the topic by clicking on the "Follow this topic" button, and make sure a tick is in the "receive notifications" and is set to "Instantly". Any replies should be made in this topic by clicking the "Reply to this topic" button.
Important information in my posts will often be in bold, make sure to take note of these.
I will attempt to reply as soon as possible, and normally within 24 hours of your reply. If this is not possible or I have a delay then I will let you know.
I will bump a topic after 3 days of no activity, and then will give you another 2 days to reply before a topic is closed. If you need more time than this please let me know.
Let's get going now
==========================
 
Hi sandhill,
I must give you this warning:
 
Looking through your logs, one or more of your infections has been identified as a Backdoor Trojan. These threats have backdoor functionality which allows hackers to remotely control your computer, ... Read more

12 more replies

this is very weird
I have no restore points, so I create a new one, get a success message
then when I go to see the restore point, 7 comes back and says no restore points there!!!
I ran a sfc /scannow, it came back ok
did my Comodo full scan, it finds issues with office 365 but no rootkits etc, lol
ran malware bytes and other rootkit revealers, nothing found there
I have 8gb set aside for restore points, that has been plenty in the past
I did have restore points at one point, did not check too recently though
any ideas what this could be???
 

Answer:restore point create success... but no restore point found????

After creating the new restore point and receiving the success message did you click on OK to finish the process?

8 more replies

Hello, I was requested to post a new topic in this forum. My earlier thread is here: http://www.bleepingcomputer.com/forums/t/501452/need-advice-ive-removed-0access-from-my-system-but-now-what/ 
Boopme has been helping me, and thinks there is still something left on my system, so that I still need help in finding/removing whatever is left. Thanks in advance :-)
 
In review: I had my system infected 3-4 weeks ago (through a Java exploit), couldn't find what it was for a while, but it had disabled MSE, BFE service, Windows firewall and some other stuff. I got MSE working again and scanned with it, it removed a Java exploit and a trojan dropper. Then I kept scanning with various scanners, not finding anything else, till I used MBAR which found 15 Backdoor 0Access and removed them. 
When boopme had me run TDSSKiller with the TDLFS file system option, it found this thing: Device\Harddisk0\DR0 ( TDSS File System ), which we then removed. 
Windows Updates are still not working for me (80073712), and neither is sfc /scannow or checkSUR, just fyi. But that probably doesn't matter, if I have to format and reinstall at some point anyway, right?
 
Here is DDS log from tonight:
 
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16476  BrowserJavaVersion: 10.25.2
Run by Leaf at 21:56:38 on 2013-07-22
Microsoft Windows 7 Home Premium   6.1.7600.0.1252.1.1033.18.2940.1780 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/... Read more

Answer:Found/removed ZeroAccess with MBAR; what is left ?

Hi there, my name is Marius and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully. First, read my instructions completely. If there is anything that you do not understand, kindly ask before proceeding. Perform everything in the correct order. Sometimes one step requires the previous one. If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem. Do not run any other scans without instruction or Add/Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me. Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts. If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed. Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean. My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Scan with Gmer rootkit scanner
Please download Gmer from here by clicking on the "Download EXE" Button. Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent. If it gives you a warning about rootkit activity and asks if yo... Read more

29 more replies

Hi, This is my original post:  http://www.bleepingcomputer.com/forums/t/527610/chase-online-wont-recognize-my-computer-after-running-combofix-jrt-and-adwclea/?view=getnewpost
 
Quietman7 told me to run dds and post the logs here and reference this original post, so this is what I'm doing. 
 
Combofix said it found ZeroAccess and attempted to remove it.  It seemed to hang up mid-way for quite some time so I rebooted and ran it again and this time it completed.  Then I ran Symantec's ZeroAccess tool and it didn't find anything.  But quietman7 said the logs should be reviewed by the experts (which I am certainly not).  To be honest I wasn't even really concerned about this, my original post was because after running Junkware Removal Tool, Combofix and Adwcleaner something got erased that allowed Chase online to recognize my computer.  Now every single time I want to check my accounts online I have to call in for a security code.  This is the problem I was trying to fix by joining this forum.  I did not have this problem before running the cleaners (all sequentially) only after.
 
Thank you for your help!!!  I am also attaching the JRT log created when it ran.

 

Answer:Ran Combofix, found ZeroAccess, logs attached

Hello ValleA, I would like to welcome you to the Malware Removal section of the forum. Around here they call me Gringo and I will be glad to help you with your malware problems.

Very Important --> Please read this post completely. I have spent my time to put together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!

Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", ... Read more

37 more replies

Hi
 
I have been told to continue my previously topic in this section.
Already scanned my system as told with superantispyware, eset scanner, spybot S-D, Malwarebytes and AdwCleaner.
 
dds log:
 
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16502  BrowserJavaVersion: 10.25.2
Run by lal at 18:38:03 on 2013-09-05
#Option MBR scan  is disabled.
Microsoft® Windows Vista™ Ultimate   6.0.6002.2.1252.31.1033.18.2046.481 [GMT 2:00]
.
AV: ESET Smart Security 6.0 *Enabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
SP: ESET Smart Security 6.0 *Enabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: ESET Personal firewall *Enabled* {4FE52EC8-CB26-1113-0EFE-8842E2773BAA}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\SLsvc.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Windows\System32\alg.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Windows\System32\msdtc.exe
C:\Windows\system32\locator.exe
C:\Windows\system32\vssvc.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\iashost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\ESET... Read more

Answer:Alert zeroaccess rootkit symptoms found

Thank you everyone, this problem is over now. The rootkits zeroaccess are cleaned.

2 more replies

Tried running malwarebytes and removed two problems but did not fix the problem. McAfee still finding trojan and firewall continues to turn itself off. Help is appreciated on where to start. Thanks.
 
Virus I believe came off of a video file from a co-workers hard drive. I knew better than to install an unknown codec but it looked like the file for windows media player and started it without paying close enough attention. There was also no cancel button.
 
Will get DDS downloaded and a log up tomorrow. All I have at the moment is work access which I can not download from.

Answer:windows 7 zeroAccess-FAT!CBB5F2DB64C0 virus found

Welcome to BC Forums, ars2210!! Please do the following...

Download the Farbar Recovery Scan Tool:
Link: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/
Select the version that applies to your system. Save it to your Desktop. Double-click the downloaded file to run it. When the tool opens click Yes to the disclaimer. Press the Scan button. The tool creates a log (FRST.txt) in the same directory from which the tool is run (Desktop). Please provide the FRST.txt in your reply. The first time the tool is run, it also makes another log: Addition.txt. Also post the Addition.txt in your reply.

Next, download the Farbar Service Scanner:
Link: http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/
Save to the Desktop. Make sure the following options are checked: Internet Services, Windows Firewall, System Restore, Security Center, Windows Update, Windows Defender. Press: Scan. When done, FSS creates a log, FSS.txt, on the Desktop. Please provide the FSS.txt in your reply.

20 more replies

Need help please. I ran Rkill and the log has "ALERT: ZEROACCESS rootkit symptoms found!", I'm assuming this is not a good thing? I am a noob to computer stuff. Here is the Rkill log. Do I have a virus? What should I do now?

Rkill 2.4.5 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 12/30/2012 12:59:26 AM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* No malware processes found to kill.

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* ALERT: ZEROACCESS rootkit symptoms found!

* HKEY_CLASSES_ROOT\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32 [ZA Reg Hijack]
* C:\Users\Elan\AppData\Local\{7e477a91-d9cb-b2e3-5d2a-8988a4d79a22}\ [ZA Dir]
* C:\Users\Elan\AppData\Local\{7e477a91-d9cb-b2e3-5d2a-8988a4d79a22}\@ [ZA File]
* C:\Users\Elan\AppData\Local\{7e477a91-d9cb-b2e3-5d2a-8988a4d79a22}\L\ [ZA Dir]
* C:\Users\Elan\AppData\... Read more

Answer:ALERT: ZEROACCESS rootkit symptoms found!

Please follow the instructions in ==>This Guide<== starting at Step 6. If you cannot complete a step, skip it and continue.
Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==. Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.
If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.
It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal.
Good luck and be patient.
If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.


McAfee cannot successfully remove ZeroAccess Trojans. It finds 6 different ZeroAccess Trojans as well as two others, Generic.dx!b2qj and Generic.dx!b2y4.

Also, McAfee firewall will not turn on.

Any help would be greatly appreciated. Thank you.
HijackThis and DDS Logs:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:15:53 PM, on 7/10/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16446)
Boot mode: Normal
Running processes:
C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe
C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe
C:\Program Files (x86)\Office Depot PC Support Agent\escont.exe
C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\Hewlett-Packard\HP QuickWeb\hpqwutils.exe
C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_3_300_257_ActiveX.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Anne\Desktop\HijackThis.exe
C:\Windows\SysWOW64\DllHost.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/H... Read more

Answer:I Need Help Removing ZeroAccess Trojans Found by McAfee


Hi,
I received a suspicious email and by accident clicked the attachment. I came to this forum to find out if there was a way to tell if I got a virus from that. The computer is not acting up. I also did System Restore and then posted in the "Am I Infected" forum and was told to run Rkill and post my log, which I did. They also told me to run malware and I previously had it on my computer and it has expired; it let me run it but I could not copy my results to the clipboard. AII topic referenced is here: http://www.bleepingcomputer.com/forums/t/559116/did-i-download-a-virus/ ~ OB
I then was told I possibly had a serious malware infection and was told to follow the instructions in the Malware Removal and Log Section Preparation Guide starting at Step 6 and post my log here.
 
here is my log, i am hoping someone will be able to help and thanks in advance. 
 
 
DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 8.0.6001.18702
Run by Chari at 23:15:56 on 2014-12-08
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2038.678 [GMT -5:00]
.
AV: AVG AntiVirus Free Edition 2014 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Apple\Mobile Device Su... Read more

Answer:* ALERT: ZEROACCESS rootkit symptoms found!

I think I was supposed to attach this file as well. Hoping someone can help!

attach.txt (27.56KB)


I was told to post this and start at step six by another moderator in the help forum after running Malwarebytes and posting the logs. My computer is freezing and running terribly. I tried running the DDS as told and it starts and then stops about three quarters of the way through, so I am unable to post the logs from it as I was directed. Please help, as this is the computer that I use for my home business. Thanks in advance for anything you can do.

Answer:ALERT: ZEROACCESS rootkit symptoms found!

Hello bigjimoo and welcome to Bleeping Computer!
I am D-FRED-BROWN and I will be helping you.
Please print or save this topic. It will make it easier for you to follow the instructions and complete all of the necessary steps.
----------Step 1----------------
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Double-click on TDSSKiller.exe to run the tool for known TDSS variants.Vista/Windows 7 users right-click and select Run As Administrator.
If TDSSKiller does not run, try renaming it.
To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
Click the Start Scan button.
Do not use the computer during the scan
If the scan completes with nothing found, click Close to exit.
If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process. Note: If Cure is not an option, Skip instead, do not choose Delete unless instructed.
A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
Copy and paste the contents of that file in your next reply.
----------Step 2----------------
Please... Read more


Hello,
Rkill has found ZEROACCESS rootkit symptoms on my desktop. Here is all that happened in the last 10 days of usage (I've been away 15 days).
On 11/8 AVG Resident Shield detected the following:
May be infected by unknown virus Win32/DH{LgMPNg} in "c:\Users\Marcello\AppData\Local\Temp\nmrxscaweo.exe"; Action taken: "Object is inaccessible."; Process: "C:\Windows\System32\cmd.exe"
May be infected by unknown virus Win32/DH{LgMPNg} in "c:\Users\Marcello\AppData\Local\Temp\nmrxscaweo.exe"; Action taken: "Moved to Virus Vault"; Process: "C:\Windows\System32\rundll32.exe"
Trojan horse BackDoor.Generic15.BHGZ in "c:\Users\Marcello\AppData\Local\{f0f4eb1d-0609-2b50-2c39-9e4219ad9f0b}\n"; Action taken: "Moved to Virus Vault"; Process: "C:\Windows\explorer.exe"
This folder is the same one that is present in the Rkill report.
The last one had an unknown malware, and AVG killed 3 processes and deleted 2 files:
c:\Users\<username>\AppData\Local\Temp\MSIMG32.DLL
c:\Users\<username>\AppData\Local\Temp\AEMWROSXCN.EXE
Meanwhile, ZoneAlarm blocked several connection attempts.
A full scan revealed trojan Java/Exploit.BAH, and I quarantined it.
After that, whenever I reboot or log off, my desktop resets the icons order to ... Read more

Answer:ZEROACCESS rootkit symptoms found (after a few problems)

Please do the following:
Download Farbar Recovery Scan Tool and save it to a flash drive.
Plug the flash drive into the infected PC.
Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

To enter System Recovery Options by using the Windows installation disc:
Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

Select Command Prompt.
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst.exe (for x64 bit version type e:\frst64) ... Read more


Computer redirecting and running extremely slow last week, so I ran a scan. Spybot S&D and ComboFix found a zeroaccess rootkit, quarantined and removed some files. Seemed to work temporarily but came back. Ran TDSS Killer, found rootkits again, cured, restarted, then another rootkit popped up in a different file. Installed Malwarebytes, ran a couple times. Mbytes says no infections found... still getting redirects sometimes but not always, and my sound is not working. Opened Device Manager and found the yellow exclamation point beside the SigmaTel audio codec. I then uninstalled the audio codec, restarted the cpu and let it load again, but it still gives the error code 31, says Windows can't load the driver for this.
DELL/Inspiron 6400
Windows XP SP2
Last ComboFix log:
ComboFix 12-02-08.02 - Admin 02/16/2012 18:23:10.7.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1693 [GMT -6:00]
Running from: c:\documents and settings\Admin\My Documents\Downloads\ComboFix.exe
.
- REDUCED FUNCTIONALITY MODE -
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\etc\hosts.ics
.
.
((((((((((((((((((((((((( Files Created from 2012-01-17 to 2012-02-17 )))))))))))))))))))))))))))))))
.
.
2012-02-13 13:58 . 2012-02-13 13:58 -------- d-----w- C:\TDSSKiller_Quarantine
2012-02-11 17:01 . 2012-02-15 13:58 162816 -c--a-w- c:\windows&... Read more

Answer:rootkit.zeroaccess found/cured hopefully...but now I have no sound.

Hello and welcome to the forums!
My secret agent name on the forums is SweetTech (you can call me Agent ST for short), it's a pleasure to meet you. I'll be addressing you by your username; if you'd like me to address you by something else, please let me know!
I would be glad to take a look at your log and help you with solving any malware problems.
If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:
Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
If I instruct you to download a specific tool in which you already have, please d... Read more


Hi guys, I have run malwarebytes and rkill. The results are the following:


Code:
* ALERT: ZEROACCESS rootkit symptoms found!

* C:\Windows\Installer\{2b524474-7c58-2ccb-2efa-8d9df2ff344d}\ [ZA Dir]
* C:\Windows\Installer\{2b524474-7c58-2ccb-2efa-8d9df2ff344d}\L\ [ZA Dir]
* C:\Windows\Installer\{2b524474-7c58-2ccb-2efa-8d9df2ff344d}\L\[email protected] [ZA File]
* C:\Windows\Installer\{2b524474-7c58-2ccb-2efa-8d9df2ff344d}\L\201d3dde [ZA File]
* C:\Windows\Installer\{2b524474-7c58-2ccb-2efa-8d9df2ff344d}\L\76603ac3 [ZA File]
* C:\Windows\Installer\{2b524474-7c58-2ccb-2efa-8d9df2ff344d}\U\ [ZA Dir]

Checking Windows Service Integrity:

* Base Filtering Engine (BFE) is not Running.
Startup Type set to: Automatic

* Windows Update (wuauserv) is not Running.
Startup Type set to: Disabled

* Windows Firewall Authorization Driver (mpsdrv) is not Running.
Startup Type set to: Manual

* iphlpsvc [Missing Service]
* MpsSvc [Missing Service]
* WinDefend [Missing Service]
* wscsvc [Missing Service]

* SharedAccess [Missing ImagePath]
Should I be worried about this? Thanks!

Answer:ZEROACCESS rootkit symptoms found, and missing some Services

Hello Rus, mate, run the TDSS Killer from this, and there are more you can run if it doesn't work, but it usually is pretty good.
Best Free Rootkit Scanner and Remover

Let us know how it goes, and there is another option if it doesn't cure the problem.

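The Rkill output quoted in this thread, together with the logs earlier on this page, shows the three families of symptom Rkill groups under "ZEROACCESS rootkit symptoms": a hijacked InprocServer32 entry for CLSID {42aedc87-2188-41fd-b9a3-0c966feabec1} ([ZA Reg Hijack]), a GUID-named folder under AppData\Local or Windows\Installer holding an "@" file and "L" and "U" subfolders ([ZA Dir] / [ZA File]), and security services (BFE, MpsSvc, WinDefend, wscsvc, iphlpsvc, SharedAccess, mpsdrv, wuauserv) that are missing, stopped, or stripped of their ImagePath. The PowerShell script below is an added example, not Rkill's code and not something posted in the thread: it re-checks a live host for exactly those symptoms, read-only, so the report can be confirmed before any cleanup tool is run. The expectation that the CLSID's default InprocServer32 value names shell32.dll on a clean system is an assumption that should be verified against a known-good machine of the same Windows version; the service list is taken from the log above. It needs PowerShell 3.0 or later and an elevated prompt.

```powershell
# Added example (not from Rkill or the thread): read-only triage for the ZeroAccess
# symptoms Rkill reports. Run from an elevated PowerShell 3.0+ prompt; it reports only.

$findings = New-Object System.Collections.Generic.List[string]

# 1. COM hijack. ZeroAccess rewrites the InprocServer32 default value of this CLSID so
#    Explorer loads the rootkit DLL. HKCR merges HKLM\Software\Classes with the per-user
#    HKCU\Software\Classes, so a per-user entry silently shadows the machine-wide one.
#    Assumption: on a clean system the value refers to shell32.dll; verify on a known-good host.
$clsid = '{42aedc87-2188-41fd-b9a3-0c966feabec1}'
$hives = @(
    "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\$clsid\InprocServer32",
    "Registry::HKEY_CURRENT_USER\Software\Classes\CLSID\$clsid\InprocServer32"
)
foreach ($key in $hives) {
    if (Test-Path $key) {
        $target = (Get-ItemProperty -Path $key).'(default)'
        # -notmatch is case-insensitive; a missing default value is flagged as well
        if ($target -notmatch 'shell32\.dll$') {
            $findings.Add("ZA Reg Hijack: $key -> '$target'")
        }
    }
}

# 2. GUID-named dropper folder. GUID folders under Windows\Installer are normal (MSI icon
#    cache); what marks the rootkit's folder is the '@' file plus 'L' and 'U' subfolders.
$roots = @($env:LOCALAPPDATA, "$env:SystemRoot\Installer")
foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$' } |
        ForEach-Object {
            $hasAt = Test-Path (Join-Path $_.FullName '@') -PathType Leaf
            $hasL  = Test-Path (Join-Path $_.FullName 'L') -PathType Container
            $hasU  = Test-Path (Join-Path $_.FullName 'U') -PathType Container
            if ($hasAt -or ($hasL -and $hasU)) {
                $findings.Add("ZA Dir: $($_.FullName) (@=$hasAt L=$hasL U=$hasU)")
            }
        }
}

# 3. Security services deleted or crippled. Service names are the ones Rkill listed above.
#    The registry is read directly so a deleted key and a blank ImagePath are both visible.
$services   = 'BFE','MpsSvc','mpsdrv','WinDefend','wscsvc','iphlpsvc','SharedAccess','wuauserv'
$startModes = @{ 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }   # Start DWORD meanings
foreach ($name in $services) {
    $regKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    if (-not (Test-Path $regKey)) {
        $findings.Add("Missing Service: $name")
        continue
    }
    $props = Get-ItemProperty -Path $regKey -ErrorAction SilentlyContinue
    if ([string]::IsNullOrWhiteSpace($props.ImagePath)) {
        $findings.Add("Missing ImagePath: $name")
    }
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -ne 'Running') {
        $mode = $startModes[[int]$props.Start]
        if (-not $mode) { $mode = "Start=$($props.Start)" }
        $findings.Add("Not Running: $name (Startup Type: $mode)")
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No ZeroAccess symptoms found.'
} else {
    Write-Output "ALERT: $($findings.Count) ZeroAccess symptom(s) found:"
    $findings | ForEach-Object { Write-Output " * $_" }
}
```

Save it under any name (Check-ZeroAccess.ps1 is a hypothetical one) and run `powershell -ExecutionPolicy Bypass -File .\Check-ZeroAccess.ps1` from an elevated prompt. A clean result from inside the running OS is not proof of a clean machine: a kernel-mode rootkit can hide its folder and registry keys from user-mode tools, which is why the helpers on this page move to an offline scan (FRST from the System Recovery Options command prompt) as soon as Rkill raises the alert. The script is for confirming and documenting the symptoms, not for removal.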

Hi
I'm helping a friend and ComboFix found and apparently cleaned ZeroAccess. However, it looks like there is other stuff that should be cleaned.
Thank you for the help.
Jim

ComboFix 13-02-20.01 - xxxxxx 02/20/2013 16:55:53.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3191.1436 [GMT -6:00]
Running from: c:\documents and settings\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Norton 360 Premier Edition *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 Premier Edition *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\CRAIGB~1\LOCALS~1\Temp\{16AA8FB8-4A98-4757-B7A5-0FF22C0A6E33}_1101_1\dbdata11.dll
c:\documents and settings\Craig xxxxxx\Local Settings\Temp\{16AA8FB8-4A98-4757-B7A5-0FF22C0A6E33}_1101_1\dbdata11.dll
c:\documents and settings\Desktop\ComboFix.exe
c:\documents and settings\Desktop\sc-cleaner.exe
.
.
((((((((((((((((((((((((( Files Created from 2013-01-20 to 2013-02-20 )))))))))))))))))))))))))))))))
.
.
2013-02-20 23:11 . 2013-02-20 23:11 -------- d-----w- c:\windows\LastGood.Tmp
2013-02-20 18:09 . 2013-02-20 18:59 -------- d-----w- c:\documents and settings\Desktop\Office Ally ERAs
2013-02-20 08:16 . 2013-02-20 08:16 60872 ----a-w- c:\documents and s... Read more

Answer:Combofix found ZeroAccess rootkit - want to ensure it is cleaned

Hello whatisavailable, Welcome to The Forums!!
Around here they call me Gringo and I'll be glad to help you with your malware problems.

Very Important --> Please read this post completely. I have spent my time to put together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines; these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking ba... Read more


As requested you will find the attach.txt log attached in zipped format and here is my DDS log file:
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.16428  BrowserJavaVersion: 10.45.2
Run by Eugenia at 16:11:58 on 2013-12-06
#Option Extended Search is enabled.
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3895.2504 [GMT -6:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
AV: Norton Internet Security *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
SP: Norton Internet Security *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k netsvcs
C:\Program Files\IDT\WDM\STacSV64.exe
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k L... Read more

Answer:Windows 7 laptop ZEROACCESS rootkit symptoms found

Hello jackhammer, I would like to welcome you to the Malware Removal section of the forum.
Around here they call me Gringo and I will be glad to help you with your malware problems.

Very Important --> Please read this post completely. I have spent my time to put together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines; these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the sam... Read more
