Norton "FixZeroAccess Tool" not working

Hello,

 

I ran a full scan yesterday and Norton360 detected the trojan "Zeroaccess!inf4".

Norton said it needed manual removal and instructed me to download and run its "FixZeroAccess" tool.

I did that, and when the tool had reset the computer and done a scan it said all was clear.

 

I then re-ran the full system scan and Norton detected the same ZeroAccess trojan again!

 

Help, what to do?

FixZeroAccess, as far as I know, is not for the variant(s) stated.

 

What is your operating system, including whether it is 32 bit or 64 bit?

 

Quads

Hi Quads,

 

I am running Windows 7 Home Premium, 64 bit.

ANY user other than the thread starter is not to use any of these instructions, scripts or procedures. The work involved in cleaning a system is individual and only for that system, due to a number of factors.

 

Unfortunately, with the number of threads the waiting time is longer. Norton continually blocking files won't hurt your system, but it is just annoying. Please wait and be patient. I am trying to keep up, spending hours here to script and clean machines on a first come/first served basis. If you or someone else adds to your thread it will be pushed back in line due to the new update. I use the boards in reverse to what is seen.

 

Please do not run any tools unless instructed to do so. 

  • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability. Do as the instructions ask; nothing extra, and do not run things twice.
  • If I ask a question, just answer it; don't run anything unless the post says to.
  • Major steps used:

1. Find

2. Break

3. Destroy

4. Cleanup (including the system as a whole)

 

Please read every post completely before doing anything. 

  • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

 

  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums (sometimes :smileylol:).

  • Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.

 

 

Read Slowly and all of it.

 

Please download Farbar Recovery Scan Tool from http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/   You need to download the 64-bit version.


Transfer it on to the Flash Drive.

Enter System Recovery Options

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.


On the System Recovery Options menu you will get the following options:

 

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

 

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for the 64-bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Restart the system and load Windows. Please attach the log in your reply.

 

Quads

Thanks Quads,

 

See below or attached for results:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 21-10-2012
Ran by SYSTEM at 23-10-2012 23:09:12
Running from F:\
Windows 7 Home Premium   (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: []  [x] HKLM\...\Run: [cAudioFilterAgent] C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe [521272 2010-03-22] (Conexant Systems, Inc.) HKLM\...\Run: [SmartAudio] C:\Program Files\CONEXANT\SAII\SAIICpl.exe /t [307768 2009-11-19] () HKLM\...\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE [x] HKLM\...\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe [x] HKLM\...\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe [x] HKLM\...\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe [x] HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [x] HKLM\...\Run: [SmartFaceVWatcher] %ProgramFiles%\Toshiba\SmartFaceV\SmartFaceVWatcher.exe [x] HKLM\...\Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe [709976 2010-02-05] (TOSHIBA Corporation) HKLM\...\Run: [Teco] "%ProgramFiles%\TOSHIBA\TECO\Teco.exe" /r [x] HKLM\...\Run: [TosWaitSrv] %ProgramFiles%\TOSHIBA\TPHM\TosWaitSrv.exe [x] HKLM\...\Run: [TosVolRegulator] C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe [24376 2009-11-11] (TOSHIBA Corporation) HKLM\...\Run: [TosNC] %ProgramFiles%\Toshiba\BulletinBoard\TosNcCore.exe [x] HKLM\...\Run: [TosReelTimeMonitor] %ProgramFiles%\TOSHIBA\ReelTime\TosReelTimeMonitor.exe [x] HKLM\...\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2399632 2011-04-12] (Microsoft Corporation) HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35760 2009-12-22] (Adobe Systems Incorporated) HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated) HKLM-x32\...\Run: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START [x] HKLM-x32\...\Run: [TWebCamera] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun [2454840 2010-02-24] (TOSHIBA CORPORATION.) 
HKLM-x32\...\Run: [ToshibaServiceStation] C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe /hide:60 [1294136 2009-10-06] (TOSHIBA Corporation) HKLM-x32\...\Run: [MobileConnect] %programfiles%\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe /silent [x] HKLM-x32\...\Run: []  [x] HKLM-x32\...\Run: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe" [395144 2011-05-16] (Ask) HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2010-11-28] (Apple Inc.) HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252136 2011-05-03] (Sun Microsystems, Inc.) HKLM-x32\...\Run: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [54576 2009-11-17] (Hewlett-Packard) HKLM-x32\...\Run: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW [1259376 2011-07-28] () HKLM-x32\...\Run: [ROC_roc_ssl_v12] "C:\Program Files (x86)\AVG Secure Search\ROC_roc_ssl_v12.exe" / /PROMPT /CMPID=roc_ssl_v12 [x] HKLM-x32\...\Run: [ROC_ROC_JULY_P1] "C:\Program Files (x86)\AVG Secure Search\ROC_ROC_JULY_P1.exe" / /PROMPT /CMPID=ROC_JULY_P1 [x] HKU\Gareth\...\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background [3872080 2010-04-16] (Microsoft Corporation) Tcpip\Parameters: [DhcpNameServer] 211.29.152.116 198.142.0.51 211.29.132.12 Startup: C:\Users\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk ShortcutTarget: Bluetooth Manager.lnk -> C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe (TOSHIBA CORPORATION.) Startup: C:\Users\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)

==================== Services (Whitelisted) ===================

2 N360; "C:\Program Files (x86)\Norton 360\Engine\6.4.0.9\ccSvcHst.exe" /s "N360" /m "C:\Program Files (x86)\Norton 360\Engine\6.4.0.9\diMaster.dll" /prefetch:1 [309688 2012-04-12] (Symantec Corporation)
2 VMCService; "C:\Program Files (x86)\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe" [14336 2008-07-03] (Vodafone)
3 aspnet_state; C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [x]

==================== Drivers (Whitelisted) =====================

1 BHDrvx64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.0.145\Definitions\BASHDefs\20120928.001\BHDrvx64.sys [1385120 2012-09-04] (Symantec Corporation)
1 ccSet_N360; C:\Windows\system32\drivers\N360x64\0604000.009\ccSetx64.sys [167072 2012-06-06] (Symantec Corporation)
1 eeCtrl; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484512 2012-09-11] (Symantec Corporation)
3 EraserUtilRebootDrv; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [138912 2012-09-11] (Symantec Corporation)
1 IDSVia64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.0.145\Definitions\IPSDefs\20121020.002\IDSvia64.sys [513184 2012-10-18] (Symantec Corporation)
3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.0.145\Definitions\VirusDefs\20121022.032\ENG64.SYS [126112 2012-10-23] (Symantec Corporation)
3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.0.145\Definitions\VirusDefs\20121022.032\EX64.SYS [2084000 2012-10-23] (Symantec Corporation)
3 SRTSP; C:\Windows\System32\Drivers\N360x64\0604000.009\SRTSP64.SYS [737952 2012-07-05] (Symantec Corporation)
1 SRTSPX; C:\Windows\system32\drivers\N360x64\0604000.009\SRTSPX64.SYS [37536 2012-07-05] (Symantec Corporation)
0 SymDS; C:\Windows\System32\drivers\N360x64\0604000.009\SYMDS64.SYS [451192 2011-08-15] (Symantec Corporation)
0 SymEFA; C:\Windows\System32\drivers\N360x64\0604000.009\SYMEFA64.SYS [1129120 2012-05-21] (Symantec Corporation)
3 SymEvent; \??\C:\windows\system32\Drivers\SYMEVENT64x86.SYS [175736 2012-09-11] (Symantec Corporation)
1 SymIRON; C:\Windows\system32\drivers\N360x64\0604000.009\Ironx64.SYS [190072 2011-11-16] (Symantec Corporation)
1 SymNetS; C:\Windows\System32\Drivers\N360x64\0604000.009\SYMNETS.SYS [405624 2011-11-16] (Symantec Corporation)

==================== NetSvcs (Whitelisted) ====================

==================== One Month Created Files and Folders ========

2012-10-23 23:08 - 2012-10-23 23:08 - 00000000 ____D C:\FRST 2012-10-22 21:57 - 2012-10-22 21:57 - 01459119 ____A (Farbar) C:\Users\Gareth\Downloads\FRST64.exe 2012-10-22 19:32 - 2012-10-23 03:59 - 00065536 ____A C:\Users\Gareth\Desktop\DM Services (NSW) Pty Ltd.box 2012-10-22 19:02 - 2012-10-22 21:50 - 00000000 ____D C:\Users\Gareth\Desktop\Sniper 23.10.12 2012-10-22 19:02 - 2012-10-22 19:18 - 00000000 ____D C:\Users\Gareth\Desktop\Magnus BAS 23.10.2012 2012-10-22 18:05 - 2012-10-22 22:37 - 00015143 ____A C:\Users\Gareth\Downloads\2012 TAX SUMMARY.xlsx 2012-10-22 17:56 - 2012-09-10 05:12 - 02457600 ____A C:\Users\Gareth\Desktop\S&A Investments NSW v12.MYO 2012-10-22 17:55 - 2012-10-23 03:59 - 03964928 ____A C:\Users\Gareth\Desktop\DM Services (NSW) Pty Ltd.MYO 2012-10-22 17:16 - 2012-10-22 17:17 - 00000000 ____D C:\Users\Gareth\Desktop\Jul-Sept Csv Files 2012 2012-10-22 17:15 - 2012-10-22 17:15 - 00007897 ____A C:\Users\Gareth\Desktop\Jul-Sept Csv Files 2012.zip 2012-10-22 17:14 - 2012-10-22 17:14 - 00000000 ____D C:\Users\Gareth\Downloads\Derkatch entities 30.6.2012 2012-10-18 22:14 - 2012-10-18 22:52 - 00000000 ____D C:\Users\Gareth\AppData\Local\NPE 2012-10-18 20:46 - 2012-10-18 20:53 - 00015602 ____A C:\Users\Gareth\Desktop\trojan.Zeroaccess!inf4.txt 2012-10-18 16:46 - 2012-10-18 23:34 - 83023306 ___AT C:\Users\All Users\erolpxei.pad 2012-10-18 16:46 - 2012-10-18 16:49 - 83023306 ___AT C:\Users\All Users\dapeton.pad 2012-10-18 03:38 - 2012-10-18 03:39 - 00000000 ____D C:\Users\Gareth\Desktop\ASC BAS SEPT 12 2012-10-16 20:47 - 2012-10-16 20:47 - 00002080 ____A C:\Users\Gareth\Desktop\Pacifc Pyrolysis MYOB.RDP 2012-10-16 20:42 - 2012-10-18 23:41 - 18219008 ____A C:\Users\Gareth\Desktop\Copy 3 of Pacific Pyrolysis AR V19.5 Updated 14.12.10.MYO 2012-10-16 20:41 - 2012-10-21 16:04 - 00000000 ____D C:\Users\Gareth\Dropbox 2012-10-16 20:34 - 2012-10-18 23:34 - 00000000 ____D C:\Users\Gareth\AppData\Roaming\Dropbox 2012-10-16 16:21 - 2012-10-16 16:21 - 00026112 ____A 
C:\Users\Gareth\Downloads\Imperial Consulting Bank Transactions from 010812 to 030912.xls 2012-10-16 16:21 - 2012-10-16 16:21 - 00022528 ____A C:\Users\Gareth\Downloads\Imperial Consulting Bank Account Transactions 010912 to 051012.xls 2012-10-14 20:42 - 2012-10-14 20:42 - 00000000 ____A C:\Users\Gareth\Desktop\Online Skills testing IQ.txt 2012-10-04 23:21 - 2012-10-04 23:40 - 00000000 ____D C:\Users\Gareth\Desktop\Kailber 2012-10-04 05:20 - 2012-10-04 05:20 - 00000000 ____D C:\Users\Gareth\AppData\Local\LogMeIn 2012-10-04 05:19 - 2012-10-18 12:58 - 00000000 ____D C:\Users\All Users\LogMeIn 2012-10-04 05:19 - 2012-10-04 05:19 - 00001024 ____A C:\.rnd 2012-10-04 05:18 - 2012-10-21 16:05 - 00000000 ____D C:\Program Files (x86)\LogMeIn 2012-10-04 05:09 - 2012-10-04 05:10 - 00000000 ____D C:\Users\Gareth\AppData\Local\Deployment 2012-10-04 05:09 - 2012-10-04 05:09 - 00000000 ____D C:\Users\Gareth\AppData\Local\Apps\2.0

==================== 3 Months Modified Files ==================

2012-10-23 04:03 - 2011-06-23 21:51 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job 2012-10-23 04:03 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT 2012-10-23 04:03 - 2009-07-13 20:51 - 00081710 ____A C:\Windows\setupact.log 2012-10-23 04:02 - 2011-06-19 15:58 - 00330776 ____A C:\Windows\PFRO.log 2012-10-23 03:59 - 2012-10-22 19:32 - 00065536 ____A C:\Users\Gareth\Desktop\DM Services (NSW) Pty Ltd.box 2012-10-23 03:59 - 2012-10-22 17:55 - 03964928 ____A C:\Users\Gareth\Desktop\DM Services (NSW) Pty Ltd.MYO 2012-10-23 03:57 - 2009-07-13 21:13 - 00875632 ____A C:\Windows\System32\PerfStringBackup.INI 2012-10-23 03:56 - 2012-01-22 02:43 - 00002385 ____A C:\Users\Public\Desktop\Google Chrome.lnk 2012-10-23 03:56 - 2011-06-23 21:51 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job 2012-10-22 23:02 - 2011-07-28 20:11 - 00002016 ___AH C:\Users\Gareth\Documents\Default.rdp 2012-10-22 22:37 - 2012-10-22 18:05 - 00015143 ____A C:\Users\Gareth\Downloads\2012 TAX SUMMARY.xlsx 2012-10-22 21:57 - 2012-10-22 21:57 - 01459119 ____A (Farbar) C:\Users\Gareth\Downloads\FRST64.exe 2012-10-22 21:38 - 2011-06-20 03:19 - 00000732 ____A C:\Windows\MYOBP.INI 2012-10-22 21:38 - 2011-06-20 03:19 - 00000039 ____A C:\Windows\MYOB.INI 2012-10-22 19:33 - 2009-07-13 20:45 - 00016304 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 2012-10-22 19:33 - 2009-07-13 20:45 - 00016304 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 2012-10-22 17:15 - 2012-10-22 17:15 - 00007897 ____A C:\Users\Gareth\Desktop\Jul-Sept Csv Files 2012.zip 2012-10-21 18:45 - 2012-09-12 05:55 - 00027256 ____A (Symantec Corporation) C:\Windows\System32\Drivers\FixZeroAccess.sys 2012-10-21 17:10 - 2012-09-11 04:34 - 00002310 ____A C:\Users\Public\Desktop\Norton 360.lnk 2012-10-18 23:41 - 2012-10-16 20:42 - 18219008 ____A C:\Users\Gareth\Desktop\Copy 3 of Pacific Pyrolysis 
AR V19.5 Updated 14.12.10.MYO 2012-10-18 23:34 - 2012-10-18 16:46 - 83023306 ___AT C:\Users\All Users\erolpxei.pad 2012-10-18 20:53 - 2012-10-18 20:46 - 00015602 ____A C:\Users\Gareth\Desktop\trojan.Zeroaccess!inf4.txt 2012-10-18 16:49 - 2012-10-18 16:46 - 83023306 ___AT C:\Users\All Users\dapeton.pad 2012-10-16 20:47 - 2012-10-16 20:47 - 00002080 ____A C:\Users\Gareth\Desktop\Pacifc Pyrolysis MYOB.RDP 2012-10-16 16:21 - 2012-10-16 16:21 - 00026112 ____A C:\Users\Gareth\Downloads\Imperial Consulting Bank Transactions from 010812 to 030912.xls 2012-10-16 16:21 - 2012-10-16 16:21 - 00022528 ____A C:\Users\Gareth\Downloads\Imperial Consulting Bank Account Transactions 010912 to 051012.xls 2012-10-14 20:42 - 2012-10-14 20:42 - 00000000 ____A C:\Users\Gareth\Desktop\Online Skills testing IQ.txt 2012-10-04 05:19 - 2012-10-04 05:19 - 00001024 ____A C:\.rnd 2012-09-30 04:44 - 2011-06-19 15:08 - 01906772 ____A C:\Windows\WindowsUpdate.log 2012-09-16 22:23 - 2009-07-13 21:08 - 00032656 ____A C:\Windows\Tasks\SCHEDLGU.TXT 2012-09-11 20:49 - 2012-09-11 20:49 - 01805736 ____A (Symantec Corporation) C:\Users\Gareth\Downloads\FixZeroAccess.exe 2012-09-11 20:49 - 2012-09-11 20:49 - 00011587 ____A C:\Users\Gareth\Downloads\chktrust.zip 2012-09-11 05:13 - 2012-09-11 05:10 - 378344434 ____A C:\Users\Gareth\Downloads\AccountRight_Premier_v19_7.zip 2012-09-11 04:35 - 2012-09-11 04:35 - 00175736 ____A (Symantec Corporation) C:\Windows\System32\Drivers\SYMEVENT64x86.SYS 2012-09-11 04:35 - 2012-09-11 04:35 - 00007488 ____A C:\Windows\System32\Drivers\SYMEVENT64x86.CAT 2012-09-10 05:12 - 2012-10-22 17:56 - 02457600 ____A C:\Users\Gareth\Desktop\S&A Investments NSW v12.MYO 2012-09-04 20:28 - 2012-09-04 20:28 - 02138624 ____A C:\Users\Gareth\Downloads\Yougrowingup.pps 2012-08-17 17:40 - 2012-08-17 17:03 - 00009596 ____A C:\Users\Gareth\Documents\Business Contacts.xlsx 2012-08-14 20:53 - 2012-08-14 20:53 - 00725440 ____A (Enigma Software Group USA, LLC.) 
C:\Users\Gareth\Downloads\SpyHunter-Installer.exe 2012-08-14 20:35 - 2012-08-14 20:35 - 02189836 ____A C:\Users\Gareth\Downloads\tdsskiller (1).zip 2012-08-13 17:11 - 2012-08-13 17:07 - 153728656 ____A (Emsisoft GmbH                                               ) C:\Users\Gareth\Downloads\EmsisoftAntiMalwareSetup.exe 2012-08-13 06:25 - 2012-08-13 06:25 - 02117108 ____A C:\Users\Gareth\Downloads\tdsskiller.zip 2012-08-13 05:22 - 2012-08-13 05:22 - 00000000 ____A C:\Windows\NDSTray.INI 2012-08-12 21:58 - 2012-08-12 21:58 - 00457632 ____A (Bleeping Computer, LLC) C:\Users\Gareth\Downloads\FixExec.exe 2012-08-08 03:16 - 2012-08-06 23:15 - 00012625 ____A C:\Users\Gareth\Desktop\Java Notes.xlsx 2012-08-07 17:44 - 2012-08-07 17:45 - 00619396 ____A C:\Users\Gareth\Documents\HDD Order from ccpu.com.au 2012-08-05 22:50 - 2012-08-05 22:48 - 191757226 ____A C:\Users\Gareth\Downloads\eclipse-SDK-4.2-win32.zip 2012-08-02 06:24 - 2012-01-15 19:37 - 00001343 ____A C:\Users\All Users\hpzinstall.log 2012-08-02 05:53 - 2012-08-02 05:53 - 00009323 ____A C:\Users\Gareth\AppData\Roaming\Comma Separated Values (Windows).EML

ZeroAccess: C:\Windows\Installer\{5a5bbd73-583c-7496-e0c0-8729c4f65502}
ZeroAccess: C:\Windows\Installer\{5a5bbd73-583c-7496-e0c0-8729c4f65502}\@
ZeroAccess: C:\Windows\Installer\{5a5bbd73-583c-7496-e0c0-8729c4f65502}\L
ZeroAccess: C:\Windows\Installer\{5a5bbd73-583c-7496-e0c0-8729c4f65502}\U

ZeroAccess: C:\Users\Gareth\AppData\Local\{5a5bbd73-583c-7496-e0c0-8729c4f65502}
ZeroAccess: C:\Users\Gareth\AppData\Local\{5a5bbd73-583c-7496-e0c0-8729c4f65502}\@
ZeroAccess: C:\Users\Gareth\AppData\Local\{5a5bbd73-583c-7496-e0c0-8729c4f65502}\L
ZeroAccess: C:\Users\Gareth\AppData\Local\{5a5bbd73-583c-7496-e0c0-8729c4f65502}\U

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2012-09-11 00:57:14
Restore point made on: 2012-09-11 04:17:44
Restore point made on: 2012-09-11 04:25:51
Restore point made on: 2012-10-03 06:57:28
Restore point made on: 2012-10-04 05:14:52

==================== Memory info ===========================

Percentage of memory in use: 11%
Total physical RAM: 5941.86 MB
Available physical RAM: 5286.18 MB
Total Pagefile: 5940.01 MB
Available Pagefile: 5282.04 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

==================== Partitions =============================

1 Drive c: (S3A8573D009) (Fixed) (Total:583.02 GB) (Free:492.15 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive d: (System) (Fixed) (Total:1.46 GB) (Free:1.27 GB) NTFS ==>[System with boot components (obtained from reading drive)]
4 Drive f: (FAM VIDS 2) (Removable) (Total:7.45 GB) (Free:4.81 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          596 GB      0 B
  Disk 1    Online         7633 MB      0 B

Partitions of Disk 0: ===============

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Recovery          1500 MB  1024 KB
  Partition 2    Primary            583 GB  1501 MB
  Partition 3    Primary             11 GB   584 GB

==================================================================================

Disk: 0 Partition 1 Type  : 27 Hidden: Yes Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     D   System       NTFS   Partition   1500 MB  Healthy    Hidden

=========================================================

Disk: 0 Partition 2 Type  : 07 Hidden: No Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     C   S3A8573D009  NTFS   Partition    583 GB  Healthy

=========================================================

Disk: 0 Partition 3 Type  : 17 (Suspicious Type) Hidden: Yes Active: No

There is no volume associated with this partition.

=========================================================

Partitions of Disk 1: ===============

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary           7633 MB    16 KB

==================================================================================

Disk: 1 Partition 1 Type  : 0B Hidden: No Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3     F   FAM VIDS 2   FAT32  Removable   7633 MB  Healthy

=========================================================

Last Boot: 2012-10-07 17:49

==================== End Of Log =============================
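The findings in a log like the one above are what a helper reads first: the "ZeroAccess:" entries, the "Bamital & volsnap Check" results, and any partition FRST marks as suspicious. As an added example (not code from this thread, from Norton or from FRST's author), here is a small Python triage helper that extracts those three things from an FRST log. The sample log embedded below is constructed from fragments of the posted log; the failing volsnap.sys MD5 line is invented so that the check has something to report.

```python
# Added example, not code from the thread, Norton or FRST: a triage helper
# for a Farbar Recovery Scan Tool (FRST) log. SAMPLE_LOG is constructed from
# fragments of the log posted in the thread; the "MD5 is not legit" line for
# volsnap.sys is invented so that md5_failures() has something to return.
import re

SAMPLE_LOG = r"""
ZeroAccess: C:\Windows\Installer\{5a5bbd73-583c-7496-e0c0-8729c4f65502}
ZeroAccess: C:\Windows\Installer\{5a5bbd73-583c-7496-e0c0-8729c4f65502}\@
ZeroAccess: C:\Windows\Installer\{5a5bbd73-583c-7496-e0c0-8729c4f65502}\L
ZeroAccess: C:\Windows\Installer\{5a5bbd73-583c-7496-e0c0-8729c4f65502}\U
ZeroAccess: C:\Users\Gareth\AppData\Local\{5a5bbd73-583c-7496-e0c0-8729c4f65502}
ZeroAccess: C:\Users\Gareth\AppData\Local\{5a5bbd73-583c-7496-e0c0-8729c4f65502}\@
ZeroAccess: C:\Users\Gareth\AppData\Local\{5a5bbd73-583c-7496-e0c0-8729c4f65502}\L
ZeroAccess: C:\Users\Gareth\AppData\Local\{5a5bbd73-583c-7496-e0c0-8729c4f65502}\U
==================== Bamital & volsnap Check =================
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is not legit
==================== Partitions =============================
Disk: 0 Partition 2 Type  : 07 Hidden: No Active: No
Disk: 0 Partition 3 Type  : 17 (Suspicious Type) Hidden: Yes Active: No
"""

ZA_RE = re.compile(r"^ZeroAccess:\s+(.+?)\s*$")
GUID_RE = re.compile(r"\{[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}")
MD5_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?)\s+=>\s+MD5 is (?P<verdict>.+?)\s*$")
PART_RE = re.compile(r"^Disk:\s*(?P<disk>\d+)\s+Partition\s+(?P<part>\d+)\s+Type\s*:\s*"
                     r"(?P<type>[0-9A-Fa-f]{2})(?P<flag>\s*\(Suspicious Type\))?"
                     r"\s+Hidden:\s*(?P<hidden>Yes|No)\s+Active:\s*(?P<active>Yes|No)")

def zeroaccess_by_dir(log):
    """Group every 'ZeroAccess:' path under its {GUID} directory.
    Returns {directory: [members]}; the directory itself is the member ''."""
    groups = {}
    for line in log.splitlines():
        m = ZA_RE.match(line.strip())
        if not m:
            continue
        path = m.group(1)
        g = GUID_RE.search(path)
        key = path[:g.end()] if g else path
        member = path[g.end():].lstrip("\\") if g else ""
        groups.setdefault(key, [])
        if member not in groups[key]:
            groups[key].append(member)
    return groups

def md5_failures(log):
    """Files in the Bamital & volsnap check that FRST did not report as 'legit'."""
    hits = (MD5_RE.match(line.strip()) for line in log.splitlines())
    return [m.group("path") for m in hits if m and m.group("verdict") != "legit"]

def suspicious_partitions(log):
    """Partitions FRST tagged '(Suspicious Type)', as (disk, partition, type, hidden)."""
    out = []
    for line in log.splitlines():
        m = PART_RE.match(line.strip())
        if m and m.group("flag"):
            out.append((int(m.group("disk")), int(m.group("part")),
                        m.group("type").upper(), m.group("hidden") == "Yes"))
    return out

def triage(log):
    """The three findings a helper reads first from an FRST log, in one dict."""
    return {"zeroaccess": zeroaccess_by_dir(log),
            "md5_failures": md5_failures(log),
            "suspicious_partitions": suspicious_partitions(log)}

if __name__ == "__main__":
    for key, val in triage(SAMPLE_LOG).items():
        print(f"{key}: {val}")
```

To run it against a real FRST.txt, read the file and pass its contents to triage() in place of SAMPLE_LOG.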

Don't copy and paste logs, just attach, as they get rather big at times.

 

You also have PUPs to look at. Your working services.exe is OK, so there must be one somewhere else, to find later.

 

Download the script attached; it needs to keep the same file name as well (fixlist.txt). Copy it across to the flash drive.

 

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Now please enter System Recovery Options again, like previously.

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe or frst64.exe and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press the Fix button just once and wait.
  • The tool will make a log on the flash drive (Fixlog.txt); please attach it to your reply.

 

Quads