Rootkit ZeroAccess is on my computer? I need help

December 16, 2011 at 16:02:28
Specs: Windows 7

So I got on my computer and noticed all these pop-ups saying "your computer is infected blah blah" and I knew instantly that it was a virus, since the only antivirus I use is Malwarebytes. Since this virus wasn't allowing me to open Malwarebytes, I logged onto my guest account and ran it from there. It picked up several things in the registry, so I deleted those. I thought that would fix my problem, but I went to get back on and had the same problem. I got back on Malwarebytes to do a full system scan and it found 8 other things; I deleted those, then tried to use the internet and got redirected to some other page than the one I requested. I haven't attempted to get back on my master account yet, but obviously if I still have a problem even on the guest account then it's safe to assume that it's on the master account as well. I started searching around this site to see if anyone had a similar problem and I kept seeing the program name "RogueKiller", so I downloaded that and scanned again. Not sure what to do from there, but I desperately need help please. Here are the scan results, if that will help.

RogueKiller V6.2.0 [12/12/2011] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/file...
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7600 ) 64 bits version
Started in : Normal mode
User: Guest [Admin rights]
Mode: Scan -- Date : 12/16/2011 18:55:01

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤
[ZeroAccess] sys32\consrv.dll present!

¤¤¤ HOSTS File: ¤¤¤


¤¤¤ MBR Check: ¤¤¤
--- User ---
[MBR] 62cc25cfbcb558f2981edac4c0fe486b
[BSP] c0fa0c0e981836701e4d42c6171c1c09 : MBR Code unknown
Partition table:
0 - [XXXXXX] FAT16 [HIDDEN!] Offset (sectors): 63 | Size: 41 Mo
1 - [ACTIVE] NTFS [VISIBLE] Offset (sectors): 81920 | Size: 15728 Mo
2 - [XXXXXX] NTFS [VISIBLE] Offset (sectors): 30801920 | Size: 234287 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[5].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt ; RKreport[4].txt ; RKreport[5].txt




#1
December 16, 2011 at 20:31:25

anthony80p,

Please do the following:

Step 1:
If you have ComboFix (CF) already on your Desktop, please remove it. We'll download an updated version:
http://download.bleepingcomputer.co...

Save ComboFix.exe to your Desktop!!

Make sure you temporarily disable your AntiVirus, Firewall, and any other AntiSpyware applications. They may interfere with the running of CF.

Note: For information on how to disable protective programs, refer to this link: http://www.bleepingcomputer.com/for...

If you have AVG Anti-Virus installed, stop, and post back before pressing on.

If not...

Right-click on ComboFix.exe and select: Run as Administrator.

Click on Yes, to continue scanning for malware.

When finished, CF produces a report.

Please provide a copy of the C:\ComboFix.txt in your reply.

If you have problems posting it in the forum, post back for an alternative.


Notes:

1. Do not mouse-click the ComboFix window while it is running.
This action may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.

3. CF disconnects your machine from the internet. However, the connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Step 2:

Also, please download aswMBR:
http://public.avast.com/~gmerek/asw...

Save it to the Desktop.

Right-click aswMBR.exe and select Run as Administrator

Click Scan

Upon completion of the scan, click ‘Save log’ and save it to the Desktop.

Note - Do NOT attempt to fix anything!!

Please post the aswMBR log in your reply.


Also, another file is created on the Desktop: MBR.dat

Please submit MBR.dat for analysis to VirusTotal:
http://www.virustotal.com/

Use the 'Browse' button to navigate to the location of the file.

Click on the file

Then, click the 'Open' button.
The file is now displayed in the 'Submit' Box.

Scroll down and click 'Send File', and wait for the results.

If you get a message saying: 'File has already been analyzed', click 'Reanalyze file now'.

Once scanned, please provide the link to the results page in your reply.


~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals

