Author Topic: Possible ZeroAccess Rootkit Virus  (Read 10809 times)


brmeau

  • Guest
Possible ZeroAccess Rootkit Virus
« on: July 23, 2013, 08:04:38 PM »
Every time I try to download a file I get a message that the file "contained a virus and was deleted". Also, I cannot access Windows Defender or Firewall. I am running in Safe Mode now. Can you help with this? Thank you.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37549
  • Not a avast user
Re: Possible ZeroAccess Rootkit Virus
« Reply #1 on: July 23, 2013, 08:07:53 PM »
Attach the requested logs (not copy and paste): http://forum.avast.com/index.php?topic=53253.0

Run in the order listed:
AdwCleaner / Malwarebytes / OTL / aswMBR

When done, removal experts will be notified and will check the logs for infections...

The tools can be run from Safe Mode if you need to.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Possible ZeroAccess Rootkit Virus
« Reply #2 on: July 23, 2013, 08:51:14 PM »
Monitoring

brmeau

  • Guest
Re: Possible ZeroAccess Rootkit Virus
« Reply #3 on: July 23, 2013, 10:05:31 PM »
Ran in safe mode. Had to transfer programs from another computer since infected system will not let me download anything.

brmeau

  • Guest
Re: Possible ZeroAccess Rootkit Virus
« Reply #4 on: July 23, 2013, 10:07:25 PM »
Last of files.

Offline essexboy
Re: Possible ZeroAccess Rootkit Virus
« Reply #5 on: July 23, 2013, 11:10:12 PM »
On completion of the OTL run you should be able to download files

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following


Code:
:Commands
[CREATERESTOREPOINT]

:Files
fsutil reparsepoint delete "C:\Program Files\Windows Defender\en-US" /c
fsutil reparsepoint delete "C:\Program Files\Windows Defender\MpAsDesc.dll" /c
fsutil reparsepoint delete "C:\Program Files\Windows Defender\MpClient.dll" /c
fsutil reparsepoint delete "C:\Program Files\Windows Defender\MpCmdRun.exe" /c
fsutil reparsepoint delete "C:\Program Files\Windows Defender\MpSoftEx.dll" /c
fsutil reparsepoint delete "C:\Program Files\Windows Defender\MpEvMsg.dll" /c
fsutil reparsepoint delete "C:\Program Files\Windows Defender\MpOAV.dll" /c
fsutil reparsepoint delete "C:\Program Files\Windows Defender\MpRtMon.dll" /c
fsutil reparsepoint delete "C:\Program Files\Windows Defender\MpSvc.dll" /c
fsutil reparsepoint delete "C:\Program Files\Windows Defender\MSASCui.exe" /c
fsutil reparsepoint delete "C:\Program Files\Windows Defender\MsMpCom.dll" /c
fsutil reparsepoint delete "C:\Program Files\Windows Defender\MsMpLics.dll" /c
fsutil reparsepoint delete "C:\Program Files\Windows Defender\MsMpRes.dll" /c
fsutil reparsepoint delete "C:\Program Files\Windows Defender\MpRtPlug.dll" /c
fsutil reparsepoint delete "C:\Program Files\Windows Defender\MpSigDwn.dll" /c

:Commands
[resethosts]
[emptytemp]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN

Download and Install ComboFix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

3. If after the reboot you get errors about programmes being marked for deletion, then reboot; that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.

brmeau

  • Guest
Re: Possible ZeroAccess Rootkit Virus
« Reply #6 on: July 24, 2013, 01:11:32 AM »
Logs attached. I was able to download ComboFix on the infected system. My Windows Defender icon is now "showing" again, but I got an error message when I tried to click on it. It says the program failed to initialize.

brmeau

  • Guest
Re: Possible ZeroAccess Rootkit Virus
« Reply #7 on: July 24, 2013, 01:14:54 AM »
Sorry, also, I can now access Windows Firewall.  Thank you.

Offline essexboy
Re: Possible ZeroAccess Rootkit Virus
« Reply #8 on: July 24, 2013, 02:16:10 PM »
How is the computer now, any problems?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following


Code:
:Commands
[CREATERESTOREPOINT]

:Reg
[-HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

:Files
C:\$RECYCLE.BIN\S-1-5-18\$4cf4b66411809b83677488561b2659d8

:Commands
[resethosts]
[emptytemp]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

brmeau

  • Guest
Re: Possible ZeroAccess Rootkit Virus
« Reply #9 on: July 24, 2013, 04:35:26 PM »
OTL Log Attached.  I tried to access Windows Defender again but it still will not open.  Still says that it "failed to initialize".

Offline essexboy
Re: Possible ZeroAccess Rootkit Virus
« Reply #10 on: July 24, 2013, 04:47:09 PM »
You will need to re-install Windows Defender then, as it has been damaged.

Download link http://www.microsoft.com/en-gb/download/windows-defender-details.aspx

Let me know how that goes, then when you are happy I will tidy up

brmeau

  • Guest
Re: Possible ZeroAccess Rootkit Virus
« Reply #11 on: July 24, 2013, 05:45:32 PM »
Ok, I got Windows Defender working and did a scan. I rebooted and it would not work again. Through Security Center I was able to turn it back on again and it worked. Rebooted... and it would not open again. For some reason it is not staying enabled, and I seem to have to turn it on manually through Security Center each time the system is booted up. Not sure why this is.

Besides that, the system seems to be working.

Also, through MSCONFIG, what is the preferred setting for startup?  At a previous date this was altered when working through a different system problem.  Just curious.  Thank you.

Offline essexboy
Re: Possible ZeroAccess Rootkit Virus
« Reply #12 on: July 24, 2013, 07:20:15 PM »
Ensure that Defender is enabled in MSconfig startup.

Then let's have a quick shufti at the services.

Download and run Farbar Service Scanner.

Tick "All" options.
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.

brmeau

  • Guest
Re: Possible ZeroAccess Rootkit Virus
« Reply #13 on: July 24, 2013, 07:38:49 PM »
Msconfig services tab has Windows Defender "checked" but status is "Stopped".

Farbar log attached.

Offline essexboy
Re: Possible ZeroAccess Rootkit Virus
« Reply #14 on: July 24, 2013, 10:30:44 PM »
OK, the malware deleted a reg key. I will need to find out what was contained within that key to replace it:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}
« Last Edit: July 24, 2013, 10:46:31 PM by essexboy »
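As an added, read-only triage script from the editor (not code essexboy posted), this checks a system for the three kinds of tampering this thread works through: Windows Defender files replaced by reparse points (Reply #5), a per-user CLSID InProcServer32 override in HKCU (Reply #8), and the missing ShellServiceObjects key (Reply #14). It assumes the default Defender install path and the two registry keys exactly as posted in the thread; the function names are mine, and it reports rather than repairs.

```powershell
# Added triage script, not from the thread. Read-only checks for the three
# tampering patterns the thread deals with: reparse points planted over Windows
# Defender files (Reply #5), a per-user CLSID InProcServer32 override shadowing
# the machine-wide COM registration (Reply #8), and the deleted
# ShellServiceObjects key (Reply #14). Run from an elevated PowerShell prompt.
$DefenderDir = Join-Path $env:ProgramFiles 'Windows Defender'
$SsoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}'   # key essexboy found missing in Reply #14

function Get-DefenderReparsePoints {
    # Nothing under the Defender directory should be a reparse point; one that
    # is has been redirected, which is why Defender "failed to initialize".
    Get-ChildItem -LiteralPath $DefenderDir -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0 } |
        ForEach-Object {
            [pscustomobject]@{
                Path   = $_.FullName
                # fsutil prints the reparse tag and target data for the entry
                Detail = (& fsutil reparsepoint query $_.FullName 2>&1 | Out-String).Trim()
            }
        }
}

function Get-HkcuClsidOverrides {
    # Wider than the one CLSID in Reply #8: lists every InProcServer32 registered
    # under HKCU\Software\Classes\CLSID next to the HKLM DLL it shadows. Per-user
    # COM registrations can be legitimate, so review the DLL paths, do not delete.
    Get-ChildItem -Path 'HKCU:\Software\Classes\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $clsid   = $_.PSChildName
            $user    = "HKCU:\Software\Classes\CLSID\$clsid\InProcServer32"
            $machine = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InProcServer32"
            if (Test-Path -LiteralPath $user) {
                $machineDll = '<no HKLM registration>'
                if (Test-Path -LiteralPath $machine) {
                    $machineDll = (Get-ItemProperty -LiteralPath $machine).'(default)'
                }
                [pscustomobject]@{
                    Clsid      = $clsid
                    UserDll    = (Get-ItemProperty -LiteralPath $user).'(default)'
                    MachineDll = $machineDll
                }
            }
        }
}

function Test-SsoKeyPresent { Test-Path -LiteralPath $SsoKey }   # $false = key gone, as in Reply #14

Get-DefenderReparsePoints | Format-List
Get-HkcuClsidOverrides | Format-Table -AutoSize
"ShellServiceObjects key present: $(Test-SsoKeyPresent)"
```

Any reparse point listed under the Defender directory, or a UserDll pointing outside a known install location while a MachineDll exists for the same CLSID, is what a removal expert would want to see in the next log.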