Sign in to follow this  
Followers 0

Trojan.Zeroaccess!inf4 Removal

7 posts in this topic


My sisters computer has recently been infected by the above trojan and a quick search indicates I'll need the help of the awesome people on here to get rid of it as Norton and MB doesn't seem to do the job. Here are the FRST logs:


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 12-11-2012

Ran by SYSTEM at 12-11-2012 22:37:26

Running from H:\

(X64) OS Language: English(US)

Attention: Could not load system hive.Attention: System hive is missing.

==================== Registry (Whitelisted) ===================

Attention: Software hive is missing.

ATTENTION: Unable to load Software hive.

==================== Services (Whitelisted) ===================

==================== Drivers (Whitelisted) =====================

==================== NetSvcs (Whitelisted) ====================

==================== One Month Created Files and Folders ========

==================== One Month Modified Files and Folders =======

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe IS MISSING <==== ATTENTION!.

C:\Windows\System32\wininit.exe IS MISSING <==== ATTENTION!.

C:\Windows\SysWOW64\wininit.exe IS MISSING <==== ATTENTION!.

C:\Windows\explorer.exe IS MISSING <==== ATTENTION!.

C:\Windows\SysWOW64\explorer.exe IS MISSING <==== ATTENTION!.

C:\Windows\System32\svchost.exe IS MISSING <==== ATTENTION!.

C:\Windows\SysWOW64\svchost.exe IS MISSING <==== ATTENTION!.

C:\Windows\System32\services.exe IS MISSING <==== ATTENTION!.

C:\Windows\System32\User32.dll IS MISSING <==== ATTENTION!.

C:\Windows\SysWOW64\User32.dll IS MISSING <==== ATTENTION!.

C:\Windows\System32\userinit.exe IS MISSING <==== ATTENTION!.

C:\Windows\SysWOW64\userinit.exe IS MISSING <==== ATTENTION!.

C:\Windows\System32\Drivers\volsnap.sys IS MISSING <==== ATTENTION!.

c:\Windows\system32\codeintegrity\Bootcat.cache IS MISSING <==== ATTENTION!.

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: <===== ATTENTION!

HKLM\...\exefile\DefaultIcon: <===== ATTENTION!

HKLM\...\exefile\open\command: <===== ATTENTION!

==================== Restore Points =========================

==================== Memory info ===========================

Percentage of memory in use: 18%

Total physical RAM: 3001.89 MB

Available physical RAM: 2457.48 MB

Total Pagefile: 3000.04 MB

Available Pagefile: 2437.56 MB

Total Virtual: 8192 MB

Available Virtual: 8191.89 MB

==================== Partitions =============================

1 Drive d: () (Fixed) (Total:284.21 GB) (Free:221.33 GB) NTFS ==>[system with boot components (obtained from reading drive)]

2 Drive e: (RECOVERY) (Fixed) (Total:13.58 GB) (Free:1.69 GB) NTFS ==>[system with boot components (obtained from reading drive)]

3 Drive f: (HP_TOOLS) (Fixed) (Total:0.1 GB) (Free:0.09 GB) FAT32

4 Drive g: (Sims3) (CDROM) (Total:5.56 GB) (Free:0 GB) UDF

5 Drive h: (WIN8) (Removable) (Total:3.77 GB) (Free:3.76 GB) FAT32

6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

7 Drive y: (SYSTEM) (Fixed) (Total:0.19 GB) (Free:0.16 GB) NTFS ==>[system with boot components (obtained from reading drive)]

==================== End Of Log =============================


Farbar Recovery Scan Tool (x64) Version: 12-11-2012

Ran by SYSTEM at 2012-11-12 22:37:53

Running from H:\

================== Search: "services.exe" ===================

====== End Of Search ======

Thanks in advance :),


Share this post

Link to post
Share on other sites

Welcome to the forum.

Those scans don't look correct, something went wrong.

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.


------->Your topic will be closed if you haven't replied within 3 days!<--------

Share this post

Link to post
Share on other sites

Hi, thanks for the quick reply.

RogueKiller V8.2.3 [11/07/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com




Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User : Laura [Admin rights]

Mode : Scan -- Date : 11/12/2012 22:49:03

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 8 ¤¤¤

[RUN][ROGUE ST] HKLM\[...]\Run : HPWirelessAssistant (C:\Program Files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe 120 C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe /hidden) -> FOUND

[TASK][sUSP PATH] Update Check : C:\ProgramData\Hewlett-Packard\HP Support Framework\Resources\Updater\HPSFUpdater.exe /s /p 1 -> FOUND

[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND

[HJ] HKLM\[...]\Wow6432Node\System : ConsentPromptBehaviorAdmin (0) -> FOUND

[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND

[HJ] HKLM\[...]\Wow6432Node\System : EnableLUA (0) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

[ZeroAccess][FILE] @ : C:\Windows\Installer\{ec33501a-4ccc-5055-382d-11e4e0c8280d}\@ --> FOUND

[ZeroAccess][FOLDER] U : C:\Windows\Installer\{ec33501a-4ccc-5055-382d-11e4e0c8280d}\U --> FOUND

[ZeroAccess][FOLDER] L : C:\Windows\Installer\{ec33501a-4ccc-5055-382d-11e4e0c8280d}\L --> FOUND

[ZeroAccess][FILE] @ : C:\Users\Laura\AppData\Local\{ec33501a-4ccc-5055-382d-11e4e0c8280d}\@ --> FOUND

[ZeroAccess][FOLDER] U : C:\Users\Laura\AppData\Local\{ec33501a-4ccc-5055-382d-11e4e0c8280d}\U --> FOUND

[ZeroAccess][FOLDER] L : C:\Users\Laura\AppData\Local\{ec33501a-4ccc-5055-382d-11e4e0c8280d}\L --> FOUND

[ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_32\Desktop.ini --> FOUND

[ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_64\Desktop.ini --> FOUND

[susp.ASLR][FILE] services.exe : C:\Windows\system32\services.exe --> FOUND

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HTS543232A7A384 +++++

--- User ---

[MBR] 74bd9ded22244f564c8487082294412e

[bSP] 247e38e0ff099243dcf9193fbe782c0c : Windows 7/8 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 199 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 409600 | Size: 291033 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 596445184 | Size: 13908 Mo

3 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 624928768 | Size: 103 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1]_S_11122012_02d2249.txt >>


Share this post

Link to post
Share on other sites

Please don't put the logs in quotes...Thanks, MrC

Here you go......

Please read the following information first.

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.



One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


Please create a new system restore point before running Malwarebytes Anti-Malware.

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced they will be in the MBAR folder..... mbar-log.txt and system-log.txt

To attach a log if needed:

Bottom right corner of this page.


New window that comes up.



Share this post

Link to post
Share on other sites

Your missing the one system-log.txt that shows the malware being deleted.

Can you find and post it please.


1>Scan the system with RogueKiller again and post the new log.

2>Please download AdwCleaner from here and save it on your Desktop.

  1. Right-click on adwcleaner.exe and select Run As Administrator (for XP just double click) to launch the application.
  2. Now click on the Search tab.
  3. Please post the contents of the log-file created in your next post.

Note: The log can also be located at C:\ >> AdwCleaner[XX].txt >> XX <-- Denotes the number of times the application has been ran, so in this should be something like R1.


Share this post

Link to post
Share on other sites

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Share this post

Link to post
Share on other sites
This topic is now closed to further replies.
Sign in to follow this  
Followers 0

  • Recently Browsing   0 members

    No registered users viewing this page.