Author Topic: ZeroAccess problem  (Read 7460 times)

thefirehairman

  • Guest
ZeroAccess problem
« on: April 18, 2013, 08:08:18 PM »
Hello everyone, my name's Louis-Philippe and I'm French (so my English may not be perfect).

After reading a lot of forums and such, it seems I have the ZeroAccess problem. I'll try to write my situation as simply as possible but ... it's complicated!

It pretty much started when I tried to execute SFC / scannow on my desktop. A window appeared for half a second, and from what I remember, the computer restarted by itself 5 minutes later. And it stopped at the "Starting Windows" screen. I waited like, 30 minutes, until I shut it down. Since then, it doesn't boot, pretty much like this guy ( http://forum.avast.com/index.php?topic=120531.0 ). It stops at aswrvrt.sys.

UNTIL yesterday, when, for whatever reason, I was able to log in (I wish I could tell you more, but I have no idea why it worked). First thing I did was remove Avast, thinking I would figure out later how to put it back. I checked my emails and such, then I opened a program (which I forget the name) to convert videos for PS3 systems. When I clicked on convert, my computer restarted.

It doesn't boot, and when I try the safe mode with command prompt, it stops at system32\drivers\classpnp.sys

I tried booting with a Windows 7 DVD that I downloaded from piratebay, it doesn't work. Blank screen.
Same with booting with USB key (with rufus, Windows 7 64bit RC, Farbar Recovery Scan Tool x64) - Blank screen.

I sincerely have no idea what to do anymore. I tried removing the battery on the motherboard and putting it back, the computer made a lot of noise but it eventually stopped to go back to the "Starting Windows" screen.

If you're asking how many hard drives I have, I have one internal and one external. The external is off for the moment.

Thanks.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: ZeroAccess problem
« Reply #1 on: April 18, 2013, 08:31:10 PM »

thefirehairman

  • Guest
Re: ZeroAccess problem
« Reply #2 on: April 19, 2013, 01:46:10 AM »
I tried it, the new Windows logo appears (Windows 8) and it stops there. Tried it one time for like 4 hours, another one for 15 min. No results.

Offline essexboy

Re: ZeroAccess problem
« Reply #3 on: April 19, 2013, 02:22:47 PM »
Hmm, let's try a programme running from CD

Please print these instructions out so that you know what you are doing
 
File details OTLPENet.exe
Bytes=126,850,486
MB=120.9
MD5=8A7C5BA1C92552ADDCC5E468D0AA069A
 
  • Download OTLPENet.exe to your desktop
  • Ensure that you have a blank CD in the drive
  • Double click OTLPENet.exe and this will then open ImgBurn to burn the file to CD
  • Reboot your system using the boot CD you just created.
Note: If you do not know how to set your computer to boot from CD follow the steps here
  • As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads :)
  • Your system should now display a Reatogo desktop.
Note: as you are running from CD it is not exactly speedy

  • Double-click on the OTLPE icon.
  • Select the Windows folder of the infected drive if it asks for a location
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start.
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive if you do not have internet connection on this system.
  • Right click the file and select send to : select the USB drive.
  • Confirm that it has copied to the USB drive by selecting it
  • You can backup any files that you wish from this OS
  • Please post the contents of the C:\OTL.txt file in your reply.

thefirehairman

  • Guest
Re: ZeroAccess problem
« Reply #4 on: April 21, 2013, 08:37:36 PM »
Thanks a lot for the advice. I'll have to try that later, the only other computer I have access to right now is a Mac so . . .

I hope it works though.

EDIT : I tried running it with a program called Crossover, but for whatever reason, it doesn't recognize the DVD drive. I'll try later on a PC . . .
« Last Edit: April 21, 2013, 09:13:49 PM by thefirehairman »

thefirehairman

  • Guest
Re: ZeroAccess problem
« Reply #5 on: April 25, 2013, 03:12:45 AM »
Here you go. Thanks for helping me out, really appreciated.

Offline essexboy

Re: ZeroAccess problem
« Reply #6 on: April 25, 2013, 03:31:23 PM »
Download the attached fix.txt to a USB
Start the Reatogo CD
Once on the desktop run OTL
Press Run Fix
A dialogue will open asking for the location of the fix.txt
Locate and select fix.txt on the USB drive
Press Run Fix again
On completion reboot and try normal windows again

thefirehairman

  • Guest
Re: ZeroAccess problem
« Reply #7 on: April 26, 2013, 02:09:15 AM »
COOL! It worked, thanks a lot.

Is there something else I need to do? Can I install Avast again?

Offline essexboy

Re: ZeroAccess problem
« Reply #8 on: April 26, 2013, 11:22:08 AM »
As you are now in normal Windows, could you reinstall Avast and then run an OTL scan please

Download OTL to your Desktop
Secondary link
  • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in
netsvcs
BASESERVICES
%SYSTEMDRIVE%\*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
winsock.*
/md5stop
CREATERESTOREPOINT


  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Post both logs

thefirehairman

  • Guest
Re: ZeroAccess problem
« Reply #9 on: April 28, 2013, 07:19:30 PM »
Here you go. Thanks.

Offline essexboy

Re: ZeroAccess problem
« Reply #10 on: April 28, 2013, 10:29:29 PM »
How is the computer behaving now?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

Code:
:OTL
IE - HKU\S-1-5-21-1651289782-3958338035-773077838-1001\..\SearchScopes\{1F096B29-E9DA-4D64-8D63-936BE7762CC5}: "URL" = http://search.babylon.com/?babsrc=SP_ss&q={searchTerms}&mntrId=1895c6ba000000000000002511671791&tlver=1.4.19.19&affID=17159
[2011/04/25 23:02:18 | 000,000,000 | ---D | M] (Babylon) -- C:\Users\L-P\AppData\Roaming\Mozilla\Firefox\Profiles\0gruz2ij.default\extensions\ffxtlbr@babylon.com
[2011/04/27 17:58:25 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}
[2011/07/05 23:38:23 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
[2011/04/25 23:02:18 | 000,002,423 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\babylon.xml
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (CescrtHlpr Object) - {2EECD738-5844-4a99-B4B6-146BF802613B} - C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.19\bh\BabylonToolbar.dll (Babylon BHO)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Babylon Toolbar) - {98889811-442D-49dd-99D7-DC866BE87DBC} - C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.19\BabylonToolbarTlbr.dll (Babylon Ltd.)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKU\S-1-5-21-1651289782-3958338035-773077838-1001..\Run: [Prime95] C:\Users\L-P\AppData\Local\Temp\Rar$EX07.117\prime95.exe File not found
O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Reg Error: Value error.)
@Alternate Data Stream - 997 bytes -> C:\ProgramData\Microsoft:AtDiAK0MES6yY8WQKhDTEEvG
@Alternate Data Stream - 172 bytes -> C:\ProgramData\TEMP:FB1B13D8
@Alternate Data Stream - 1206 bytes -> C:\Program Files\Common Files\Microsoft Shared:opxIgUAapMJTwBL6Ipr4opXAih2
@Alternate Data Stream - 1187 bytes -> C:\Users\L-P\AppData\Local\rhpCHSDk0CaraEr:InLAVK9rQ4t6at0gP3JSJ
@Alternate Data Stream - 1159 bytes -> C:\Users\L-P\AppData\Local\Temp:IJNde4QuV8bU1uItt1wgWkF
@Alternate Data Stream - 1149 bytes -> C:\Users\L-P\AppData\Local\Temp:DQ642nqayFvZeQORlKbLEH91
@Alternate Data Stream - 110 bytes -> C:\ProgramData\TEMP:888AFB86
@Alternate Data Stream - 1058 bytes -> C:\ProgramData\Microsoft:sqeb6UN0Ez7jQxmmRdZabI
@Alternate Data Stream - 103 bytes -> C:\ProgramData\TEMP:76650B61

:Files
C:\Users\L-P\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhkplhfnhceodhffomolpfigojocbpcb\1.4_0

:Commands
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
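
The fix script above names one user SID and one profile folder, which is what ties it to a single machine. The following is an added example, not part of the original post and not OTL's own code: it splits such a script into its `:OTL`, `:Files` and `:Commands` sections and lists the SIDs, profile folders and alternate data streams it names, so a reader can confirm they match the local system before pasting it in. The function names and the `local_sid` and `local_user` parameters are hypothetical; the sample lines are an excerpt copied from the post.

```python
import re

# Excerpt of the fix script posted above (lines copied from the post).
FIX_EXCERPT = r"""
:OTL
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O4 - HKU\S-1-5-21-1651289782-3958338035-773077838-1001..\Run: [Prime95] C:\Users\L-P\AppData\Local\Temp\Rar$EX07.117\prime95.exe File not found
@Alternate Data Stream - 172 bytes -> C:\ProgramData\TEMP:FB1B13D8
@Alternate Data Stream - 1149 bytes -> C:\Users\L-P\AppData\Local\Temp:DQ642nqayFvZeQORlKbLEH91
:Files
C:\Users\L-P\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhkplhfnhceodhffomolpfigojocbpcb\1.4_0
:Commands
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
"""

SECTION = re.compile(r"^:(\w+)\s*$")
ADS = re.compile(r"^@Alternate Data Stream - (\d+) bytes -> (.+):([^:\\]+)$")
SID = re.compile(r"S-1-5-21(?:-\d+){4}")
PROFILE = re.compile(r"C:\\Users\\([^\\]+)\\", re.IGNORECASE)

def summarize_fix(script):
    """Split a fix script into sections and collect what its lines refer to."""
    out = {"sections": {}, "ads": [], "sids": set(), "profiles": set()}
    current = None
    for line in script.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            current = m.group(1)
            continue
        out["sections"].setdefault(current, []).append(line)
        out["sids"].update(SID.findall(line))
        out["profiles"].update(PROFILE.findall(line))
        a = ADS.match(line)
        if a:  # (host path, stream name, size in bytes)
            out["ads"].append((a.group(2), a.group(3), int(a.group(1))))
    return out

def matches_this_machine(summary, local_sid, local_user):
    """True only if every SID and profile folder in the script is the local one."""
    return summary["sids"] <= {local_sid} and summary["profiles"] <= {local_user}

if __name__ == "__main__":
    s = summarize_fix(FIX_EXCERPT)
    print(list(s["sections"]), s["ads"], s["sids"], s["profiles"])
```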

thefirehairman

  • Guest
Re: ZeroAccess problem
« Reply #11 on: April 29, 2013, 12:55:18 AM »
Here you go.

And well, my computer is fine. Faster than usual I would say.

Offline essexboy

Re: ZeroAccess problem
« Reply #12 on: April 29, 2013, 03:24:07 PM »
Subject to no further problems :)

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so... The following will implement some cleanup procedures as well as reset System Restore points:

Remove ComboFix
  • Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
  • In the Run box, type in ComboFix /Uninstall
     (Notice the space between the "x" and "/")
    then click OK
  • Follow the prompts on the screen
  • A message should appear confirming that ComboFix was uninstalled
Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

Clear Restore Points

Go Start > All Programmes > Accessories > System tools
Right click Disc Cleanup and select run as administrator
When it pops up, at the first prompt select OK; after it has done some calculations the tabs will appear
Select More Options tab
Press System Restore and Shadow Copies Cleanup button



: Keep Java Updated :

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article and this article.
I would recommend that you completely uninstall Java unless you need it to run important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser)

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

Malwarebytes.

Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly; it will show you which programmes on your system need updating and give a download link

If you use on-line banking then as an added layer of protection install Trusteer Rapport

It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit
To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place?

Keep safe :wave: