McAfee says I have a trojan called zeroaccess.ch Please Help

calder

Member
My security system started saying that it had detected a trojan and needed to close to get rid of it. I restarted but the same problem persists and it also keeps saying that it has removed a trojan.
I have tried the online tutorial to remove things but TDSSKiller won't load to my machine so I can't start to solve the problem. In fact, this bug seems to protect itself, as many things which might help won't download, like updated versions of antimalware etc.

Please could someone suggest my next move? I'm going to be at this all night as I need to retrieve university files etc.

Thanks

RogueKiller says


V8.5.1 [Feb 21 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : RogueKiller - Geeks to Go Forums
Website : Download RogueKiller (Official website)
Blog : http://tigzyrk.blogspot.com/
Operating System : Windows Vista (6.0.6001 Service Pack 1) 32 bits version
Started in : Safe mode with network support
User : Ned [Admin rights]
Mode : Scan -- Date : 09/09/2013 14:18:23
| ARK || FAK || MBR |
¤¤¤ Bad processes : 0 ¤¤¤
¤¤¤ Registry Entries : 5 ¤¤¤
[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[SERVICES][HIDDEN KEY] HKLM\[...]\ControlSet001\Services\. e () -> FOUND
[SERVICES][HIDDEN KEY] HKLM\[...]\ControlSet003\Services\. e () -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver : [NOT LOADED] ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts
127.0.0.1 localhost
::1 localhost

¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: ST350063 0AS SCSI Disk Device +++++
--- User ---
[MBR] 08b8b275adc7d31e3dc5905e8f0eaf0d
[BSP] e223061d7b1f736c4877938e9af93bcf : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 62 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 129024 | Size: 10240 Mo
2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 21100544 | Size: 466636 Mo
User = LL1 ... OK!
Error reading LL2 MBR!
Finished : << RKreport[1]_S_09092013_02d1418.txt >>
RKreport[1]_S_09092013_02d1418.txt

Service scanner says -

Farbar Service Scanner Version: 20-02-2013
Ran by Ned (administrator) on 09-09-2013 at 14:21:38
Running from "C:\Users\Ned\Desktop"
Windows Vista (TM) Home Premium Service Pack 1 (X86)
Boot Mode: Network
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Attempt to access Google.com returned error: Other errors
Attempt to access Yahoo IP returned error. Yahoo IP is offline
Yahoo.com is accessible.

Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.
MpsSvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking LEGACY_MpsSvc: ATTENTION!=====> Unable to open LEGACY_MpsSvc\0000 registry key. The key does not exist.
bfe Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking LEGACY_bfe: ATTENTION!=====> Unable to open LEGACY_bfe\0000 registry key. The key does not exist.

Firewall Disabled Policy:
==================

System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is OK.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.
Checking LEGACY_SDRSVC: ATTENTION!=====> Unable to open LEGACY_SDRSVC\0000 registry key. The key does not exist.
VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
The ImagePath of VSS service is OK.

System Restore Disabled Policy:
========================

Security Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking LEGACY_wscsvc: ATTENTION!=====> Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv: "C:\Windows\system32\wuaueng.dll".
BITS Service is not running. Checking service configuration:
The start type of BITS service is OK.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.
Checking LEGACY_BITS: ATTENTION!=====> Unable to open LEGACY_BITS\0000 registry key. The key does not exist.
EventSystem Service is not running. Checking service configuration:
The start type of EventSystem service is OK.
The ImagePath of EventSystem service is OK.
The ServiceDll of EventSystem service is OK.

Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.

Other Services:
==============
Checking Start type of SharedAccess: ATTENTION!=====> Unable to retrieve start type of SharedAccess. The value does not exist.
Checking ImagePath of SharedAccess: ATTENTION!=====> Unable to retrieve ImagePath of SharedAccess. The value does not exist.
Checking ServiceDll of SharedAccess: ATTENTION!=====> Unable to retrieve ServiceDll of SharedAccess. The value does not exist.
Checking Start type of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
Checking ImagePath of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
Checking ServiceDll of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys
[2011-11-09 19:27] - [2011-04-21 14:16] - 0273408 ____A (Microsoft Corporation) 48EB99503533C27AC6135648E5474457
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2011-11-09 19:19] - [2010-06-16 16:59] - 0898952 ____A (Microsoft Corporation) 782568AB6A43160A159B6215B70BCCE9
C:\Windows\system32\dnsrslvr.dll
[2011-11-09 19:28] - [2011-03-02 15:49] - 0086528 ____A (Microsoft Corporation) 4805D9A6D281C7A7DEFD9094DEC6AF7D
C:\Windows\system32\mpssvc.dll
[2009-11-16 10:26] - [2008-01-19 08:34] - 0393216 ____A (Microsoft Corporation) D1639BA315B0D79DEC49A4B0E1FB929B
C:\Windows\system32\bfe.dll
[2009-11-16 10:26] - [2008-01-19 08:33] - 0328704 ____A (Microsoft Corporation) 8582E233C346AEFE759833E8A30DD697
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe
[2009-11-16 10:26] - [2008-01-19 08:33] - 1054720 ____A (Microsoft Corporation) D5FB73D19C46ADE183F968E13F186B23
C:\Windows\system32\wscsvc.dll
[2009-11-16 10:26] - [2008-01-19 08:37] - 0061440 ____A (Microsoft Corporation) 683DD16B590372F2C9661D277F35E49C
C:\Windows\system32\wbem\WMIsvc.dll
[2009-11-16 10:26] - [2008-01-19 08:36] - 0161792 ____A (Microsoft Corporation) 00B79A7C984678F24CF052E5BEB3A2F5
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll
[2009-11-16 10:26] - [2008-01-19 08:36] - 0758272 ____A (Microsoft Corporation) 02ED7B4DBC2A3232A389106DA7515C3D
C:\Windows\system32\es.dll
[2009-11-10 09:40] - [2009-11-10 09:40] - 0269312 ____A (Microsoft Corporation) 3CB3343D720168B575133A0A20DC2465
C:\Windows\system32\cryptsvc.dll
[2009-11-16 10:25] - [2008-01-19 08:34] - 0128000 ____A (Microsoft Corporation) 6DE363F9F99334514C46AEC02D3E3678
C:\Program Files\Windows Defender\MpSvc.dll
[2009-11-16 10:26] - [2008-01-19 08:38] - 0272952 ____A () D41D8CD98F00B204E9800998ECF8427E
ATTENTION!=====> C:\Program Files\Windows Defender\MpSvc.dll IS INFECTED AND SHOULD BE REPLACED.
C:\Windows\system32\ipnathlp.dll => MD5 is legit
C:\Windows\system32\iphlpsvc.dll
[2010-04-14 23:15] - [2010-02-18 15:11] - 0190464 ____A (Microsoft Corporation) 6A35D233693EDC29A12742049BC5E37F
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll
[2009-10-18 00:25] - [2009-10-18 00:25] - 0551424 ____A (Microsoft Corporation) 301AE00E12408650BADDC04DBC832830
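As an added example (not from the thread, and not a tool from the scanner's author): a small Python triage helper that reads Farbar Service Scanner-style output like the log above and pulls out the three signs visible in it, service registry keys that no longer exist, files the scanner marks as infected, and file entries with no publisher or with an MD5 equal to that of zero bytes (D41D8CD98F00B204E9800998ECF8427E). The sample text is a constructed excerpt modelled on the posted log, and the line patterns are assumptions drawn from that log's format.

```python
import hashlib
import re

# Constructed excerpt modelled on the Farbar Service Scanner log in the post above (not the full log).
SAMPLE_FSS = r"""
MpsSvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
bfe Service is not running. Checking service configuration:
Checking ImagePath: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
The start type of wuauserv service is OK.
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll
[2009-11-16 10:26] - [2008-01-19 08:38] - 0272952 ____A () D41D8CD98F00B204E9800998ECF8427E
ATTENTION!=====> C:\Program Files\Windows Defender\MpSvc.dll IS INFECTED AND SHOULD BE REPLACED.
C:\Windows\system32\rpcss.dll
[2009-10-18 00:25] - [2009-10-18 00:25] - 0551424 ____A (Microsoft Corporation) 301AE00E12408650BADDC04DBC832830
"""

# MD5 of zero bytes: a file entry reporting this hash means no file content was actually hashed.
EMPTY_MD5 = hashlib.md5(b"").hexdigest().upper()

# Line patterns are assumptions based on the log format shown above.
MISSING_KEY = re.compile(r"Unable to open (\S+) registry key\. The service key does not exist")
INFECTED = re.compile(r"ATTENTION!=====> (.+) IS INFECTED")
FILE_LINE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?)(?: => MD5 is legit)?$")
DETAIL_LINE = re.compile(r"\] - \[.*?\] - \d+ \S+ \((?P<signer>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$")


def triage_fss(text):
    """Collect the three indicators from FSS-style text into one findings dict."""
    findings = {"missing_service_keys": [], "infected_files": [], "unsigned_or_empty": []}
    last_path = None  # path from the preceding line, for two-line file entries
    for line in text.splitlines():
        m = MISSING_KEY.search(line)
        if m:
            if m.group(1) not in findings["missing_service_keys"]: findings["missing_service_keys"].append(m.group(1))
            continue
        m = INFECTED.search(line)
        if m:
            findings["infected_files"].append(m.group(1))
            continue
        m = DETAIL_LINE.search(line)
        if m and last_path:
            # No publisher in the parentheses, or a hash of nothing, both deserve a second look.
            if not m.group("signer") or m.group("md5").upper() == EMPTY_MD5:
                findings["unsigned_or_empty"].append((last_path, m.group("md5").upper()))
            continue
        m = FILE_LINE.match(line)
        if m:
            last_path = m.group("path")
    return findings


print(triage_fss(SAMPLE_FSS))
```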
 
The best way, if you can do it, is a system restore from a point before the virus
 
...and update your system. Service Pack 1 is no longer supported - since 2011.

Here are some hints on installing SP2 (and note there are lots of updates after that): https://community.mcafee.com/thread/2019

Check it out and while you are at it check the last link in my signature at the bottom of that post at McAfee Forums for ideas regarding malware, especially the instructions on how to use HijackThis or DDS and where to post their logs.

The use of tools such as RogueKiller, TDSSKiller etc. should always be done under supervision from dedicated specialist malware forums such as BleepingComputer or Malwarebytes (for example).

BTW McAfee does protect against many ZeroAccess trojans but almost every day new ones appear in the wild so it's a constant game of catch-up.
 