having trouble removing Trojan ZEROACCESS


  • having trouble removing Trojan ZEROACCESS

    having trouble removing this from my laptop! this thing will not go away. recently malwarebyte has been reporting a trojan called trojan.zaccess (registry key). i've tried to remove it several times but after reboots it just keeps coming back!

    steps i've taken and ran in this order..
    *safe mode
    *Rkill
    *Malwarebytes Anti-Malware

    Last edited by scootro; 08-20-2013, 04:30 AM.

  • #2
    Rkill 2.6.1 by Lawrence Abrams (Grinler)

    Copyright 2008-2013 BleepingComputer.com
    More Information about Rkill can be found at this link:


    Program started at: 08/20/2013 0514 AM in x86 mode.
    Windows Version: Windows Vista (TM) Home Basic Service Pack 2

    Checking for Windows services to stop:

    * No malware services found to stop.

    Checking for processes to terminate:

    * No malware processes found to kill.

    Checking Registry for malware related settings:

    * No issues found in the Registry.

    Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

    Performing miscellaneous checks:

    * ALERT: ZEROACCESS rootkit symptoms found!

    * C:\Users\Shannon\AppData\Local\Google\Desktop\Install\{f9d7409b-aa9d-f02b-b844-881bc559cec8}\ [ZA Dir]
    * C:\Users\Shannon\AppData\Local\Google\Desktop\Install\{f9d7409b-aa9d-f02b-b844-881bc559cec8}\❤≸⋙\ [ZA Dir]
    * C:\Users\Shannon\AppData\Local\Google\Desktop\Install\{f9d7409b-aa9d-f02b-b844-881bc559cec8}\❤≸⋙\Ⱒ☠⍨\ [ZA Dir]
    * C:\Users\Shannon\AppData\Local\Google\Desktop\Install\{f9d7409b-aa9d-f02b-b844-881bc559cec8}\❤≸⋙\Ⱒ☠⍨\ﯹ๛\ [ZA Dir]
    * C:\Users\Shannon\AppData\Local\Google\Desktop\Install\{f9d7409b-aa9d-f02b-b844-881bc559cec8}\❤≸⋙\Ⱒ☠⍨\ﯹ๛\{f9d7409b-aa9d-f02b-b844-881bc559cec8}\ [ZA Dir]

    Checking Windows Service Integrity:

    * Windows Update (wuauserv) is not Running.
    Startup Type set to: Automatic (Delayed Start)

    Searching for Missing Digital Signatures:

    * No issues found.

    Checking HOSTS File:

    * Cannot edit the HOSTS file.
    * Permissions Fixed. Administrators can now edit the HOSTS file.

    * HOSTS file entries found:

    127.0.0.1 localhost
    127.0.0.1 www.007guard.com
    127.0.0.1 007guard.com
    127.0.0.1 008i.com
    127.0.0.1 www.008k.com
    127.0.0.1 008k.com
    127.0.0.1 www.00hq.com
    127.0.0.1 00hq.com
    127.0.0.1 010402.com
    127.0.0.1 www.032439.com
    127.0.0.1 032439.com
    127.0.0.1 www.0scan.com
    127.0.0.1 0scan.com
    127.0.0.1 1000gratisproben.com
    127.0.0.1 www.1000gratisproben.com
    127.0.0.1 1001namen.com
    127.0.0.1 www.1001namen.com
    127.0.0.1 100888290cs.com
    127.0.0.1 www.100888290cs.com
    127.0.0.1 www.100sexlinks.com

    20 out of 15491 HOSTS entries shown.
    Please review HOSTS file for further entries.

    Program finished at: 08/20/2013 0545 AM
    Execution time: 0 hours(s), 3 minute(s), and 30 seconds(s)

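    Added example, not part of the thread and not Rkill's own code: a small Python triage helper that turns an Rkill-style text report like the one above into structured findings. It pulls out the directories Rkill tagged `[ZA Dir]`, flags the ones whose path components are non-ASCII (the odd-looking folder names in the report), records services reported as not running, and reads the HOSTS summary line. The log text inside the script is constructed after the report above; the regular expressions match that report's wording and are an assumption about the format, not Rkill's specification.

```python
"""Triage helper for an Rkill-style text report (added example, hypothetical).

The report format is assumed from the wording seen in the thread; adjust the
regular expressions if a different Rkill version phrases its lines differently.
"""
import re

# Constructed sample, modelled on the report posted above (trimmed).
SAMPLE_LOG = r"""Performing miscellaneous checks:

 * ALERT: ZEROACCESS rootkit symptoms found!

 * C:\Users\Shannon\AppData\Local\Google\Desktop\Install\{f9d7409b-aa9d-f02b-b844-881bc559cec8}\ [ZA Dir]
 * C:\Users\Shannon\AppData\Local\Google\Desktop\Install\{f9d7409b-aa9d-f02b-b844-881bc559cec8}\❤≸⋙\ [ZA Dir]
 * C:\Users\Shannon\AppData\Local\Google\Desktop\Install\{f9d7409b-aa9d-f02b-b844-881bc559cec8}\❤≸⋙\Ⱒ☠⍨\ [ZA Dir]

Checking Windows Service Integrity:

 * Windows Update (wuauserv) is not Running.
 Startup Type set to: Automatic (Delayed Start)

Checking HOSTS File:

 * HOSTS file entries found:

 127.0.0.1 localhost
 127.0.0.1 www.007guard.com

 20 out of 15491 HOSTS entries shown.
"""

# A directory Rkill attributed to ZeroAccess: " * <path> [ZA Dir]"
ZA_DIR_RE = re.compile(r"^\s*\*\s+(?P<path>.+?)\s+\[ZA Dir\]\s*$")
# A service reported stopped: " * Windows Update (wuauserv) is not Running."
SERVICE_RE = re.compile(
    r"^\s*\*\s+(?P<name>.+?)\s+\((?P<short>\w+)\)\s+is not Running\.\s*$"
)
# HOSTS summary: " 20 out of 15491 HOSTS entries shown."
HOSTS_RE = re.compile(r"^\s*(?P<shown>\d+) out of (?P<total>\d+) HOSTS entries shown\.\s*$")


def has_non_ascii_component(path: str) -> bool:
    """True if any directory name in a Windows path contains non-ASCII characters.

    Folder names made of symbols and exotic scripts are hard to type or browse to,
    which is why they stand out in a report; ordinary install paths are ASCII.
    """
    return any(not part.isascii() for part in path.split("\\"))


def parse_rkill_log(text: str, hosts_review_threshold: int = 1000) -> dict:
    """Extract the findings a responder wants from the free-text report."""
    findings = {
        "zeroaccess_alert": False,
        "za_dirs": [],            # every path Rkill tagged [ZA Dir]
        "obfuscated_dirs": [],    # the subset with non-ASCII components
        "stopped_services": [],   # short service names reported not running
        "hosts_total": None,      # total HOSTS entries Rkill counted
        "hosts_review": False,    # large HOSTS file: review, do not assume malicious
    }
    for line in text.splitlines():
        if "ZEROACCESS rootkit symptoms found" in line:
            findings["zeroaccess_alert"] = True
            continue
        m = ZA_DIR_RE.match(line)
        if m:
            path = m.group("path")
            findings["za_dirs"].append(path)
            if has_non_ascii_component(path):
                findings["obfuscated_dirs"].append(path)
            continue
        m = SERVICE_RE.match(line)
        if m:
            findings["stopped_services"].append(m.group("short"))
            continue
        m = HOSTS_RE.match(line)
        if m:
            total = int(m.group("total"))
            findings["hosts_total"] = total
            findings["hosts_review"] = total > hosts_review_threshold
    return findings


if __name__ == "__main__":
    result = parse_rkill_log(SAMPLE_LOG)
    print("ZeroAccess alert:", result["zeroaccess_alert"])
    print("ZA directories:", len(result["za_dirs"]),
          "of which non-ASCII:", len(result["obfuscated_dirs"]))
    print("Services not running:", result["stopped_services"])
    print("HOSTS entries:", result["hosts_total"], "review:", result["hosts_review"])
```

    Two reading notes for the output. Rkill reports symptoms; the `[ZA Dir]` lines and a stopped Windows Update service are what you cross-check against the Malwarebytes findings, not a clean-up by themselves. And a HOSTS file with many thousands of `127.0.0.1` entries such as `www.007guard.com` is the shape of a deliberately installed ad/tracker blocklist (the Spybot Immunize and MVPS lists begin with exactly those hosts), so the helper only marks it for review rather than calling it malicious.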


    • #3
      Malwarebytes Anti-Malware 1.75.0.1300


      Database version: v2013.08.19.06

      Windows Vista Service Pack 2 x86 NTFS
      Internet Explorer 9.0.8112.16421
      Shannon :: SCOOTER [administrator]

      8/20/2013 5:21:03 AM
      mbam-log-2013-08-20 (05-21-03).txt

      Scan type: Quick scan
      Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
      Scan options disabled: P2P
      Objects scanned: 206143
      Time elapsed: 6 minute(s), 22 second(s)

      Memory Processes Detected: 0
      (No malicious items detected)

      Memory Modules Detected: 0
      (No malicious items detected)

      Registry Keys Detected: 0
      (No malicious items detected)

      Registry Values Detected: 1
      HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |Google Update (Trojan.Zaccess) -> Data: -> Quarantined and deleted successfully.

      Registry Data Items Detected: 0
      (No malicious items detected)

      Folders Detected: 0
      (No malicious items detected)

      Files Detected: 0
      (No malicious items detected)

      (end)



      • #4
        Best practices dictate that where rootkit activity is present, a format/reinstall is in order. The reason for the strong action is the nature of how a rootkit works. They alter system code and there's no way to ensure with 100% certainty that your pc is secure after cleanup, short of formatting.

        If you don't have the means to do that, I'd be happy to take care of it for you.


        Saved and Texan by the Grace of God, Redneck by choice.



        • #5
          Originally posted by Tx Redneck:
          Best practices dictate that where rootkit activity is present, a format/reinstall is in order. The reason for the strong action is the nature of how a rootkit works. They alter system code and there's no way to ensure with 100% certainty that your pc is secure after cleanup, short of formatting.

          If you don't have the means to do that, I'd be happy to take care of it for you.


          Saved and Texan by the Grace of God, Redneck by choice.
          I agree.



          • #6
            Originally posted by Tx Redneck:
            Best practices dictate that where rootkit activity is present, a format/reinstall is in order. The reason for the strong action is the nature of how a rootkit works. They alter system code and there's no way to ensure with 100% certainty that your pc is secure after cleanup, short of formatting.

            If you don't have the means to do that, I'd be happy to take care of it for you.


            Saved and Texan by the Grace of God, Redneck by choice.
            thanks for the offer. i believe i got it fixed. i followed this guy's instructions

            here



            • #7
              Fair enough, but don't dismiss my warning. It's not my opinion nor my notion; it comes from the mouths of countless MSMVPs, whitehat hackers who reverse engineer malware, and folks who write software to remove/clean up after infections.

              If you value your private and sensitive data, do not use the pc for anything but casual browsing, as you cannot ensure its integrity.

              Saved and Texan by the Grace of God, Redneck by choice.



              • #8
                yea i understand. i do not use this laptop for anything more than browsing. no online banking or bill paying. any suggestions on what you would have done to fix it?



                • #9
                  Originally posted by Tx Redneck:
                  Best practices dictate that where rootkit activity is present, a format/reinstall is in order.
                  Listen to this man.
                  WRX



                  • #10
                    Originally posted by scootro:
                    yea i understand i do not use this laptop for nothing more than browsing. no online banking or bill paying. any suggestions on what you would have done to fix it?
                    Upon learning of the rootkit's presence, I would have backed up any data I needed/didn't want to lose and formatted. It's a pita, I know, but I value my pc's integrity too much.

                    Originally posted by mustang_revival:
                    Listen to this man.
                    Grassy keester senior.



                    • #11
                      thanks for the replies. i'll see if i can find my windows vista install cd



                      • #12
                        Originally posted by scootro:
                        thanks for the replies. i'll see if i can find my windows vista install cd
                        Find/borrow a copy of windows 7 and ditch Vista if you have the means. Win 7 is much better.
