Skip to content


Reply
Stone Emissary
angelanduriil
Posts: 7
Registered: ‎04-13-2012
Accepted Solution

Troj_zaccess.cql problem

A couple days ago I got this virus and haven't been able to remove it. TM keeps poping up every couple minutes saying it has removed a file always with a different name and from what I can tell they have all been .dll files. Occasionally it'll have to restart to remove the file. I have ran Malwarebytes and it detected a bunch stuff and "fixed" those too. Can someone help get rid of this?

Attached is a HJT log, my last scan log, and a MB log.

Thanks!

Please use plain text.
Legendary Noble
malwarekiller
Posts: 3,967
Registered: ‎08-08-2011

Re: Troj_zaccess.cql problem

Welcome aboard! Posted Image

 This is a new varient of sirefef infection which is tad nasty...

Download OTL  to your Desktop.

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
consrv.dll
explorer.exe

netbt.sys

atapi.sys

volsnap.sys

redbook.sys

lsi_sas.sys

lsi_scsi.sys

cdrom*

tcpip.sys
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT /s
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBIOS /s
C:\Windows\assembly\tmp\U\*.* /s

C:\Program Files\Common Files\ComObjects\*.* /s
CREATERESTOREPOINT


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • attach both logs

 NEXT

 

Download aswmbr.exe ( 1.8mb ) to your desktop. 

http://public.avast.com/~gmerek/aswMBR.htm
 Double click the aswMBR.exe to run it  Click the "Scan" button to start scan.

  • Click the [Scan] button to start scan

  • On completion of the scan click [Save log], save it to your desktop and post in your next reply.

—————
Was this post helpful? Say “thanks” by giving me a “Kudo”!
Was your question answered or issue solved? Mark that post as an “Accepted Solution”!
Please use plain text.
Stone Emissary
angelanduriil
Posts: 7
Registered: ‎04-13-2012

Re: Troj_zaccess.cql problem

Thanks for your help. Attached are the logs you asked for.

 

Please use plain text.
Stone Emissary
angelanduriil
Posts: 7
Registered: ‎04-13-2012

Re: Troj_zaccess.cql problem

I don't think I checked the scan all users box when I did the OTL scan. Here is a new log.

Please use plain text.
Legendary Noble
malwarekiller
Posts: 3,967
Registered: ‎08-08-2011

Re: Troj_zaccess.cql problem

Warning This fix is only relevant for this system and no other, using on another computer may cause problems 

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot 


If u have malwarebytes 1.5 or later disable it for the duration of this run


Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:
:OTL
DRV - File not found [Kernel | On_Demand | Unknown] --  -- (alav5qyz)
DRV - File not found [Kernel | On_Demand | Unknown] --  -- (ai912fr1)
DRV - File not found [Kernel | System | Stopped] --  -- (Changer)
DRV - File not found [Kernel | System | Stopped] --  -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] --  -- (i2omgmt)


ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS]
[Reboot]

 

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Please attach the log generated after the fix completion.

 

NEXT

 

Download ComboFix from the any of the locations given in this website:

    • IMPORTANT !!! You need to Save ComboFix.exe to your Desktop
      • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you are still unsure on how to do this, see here
      • Double click on ComboFix.exe & follow the prompts.
      • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
      • If you already have the Recovery Console preinstalled, it will not ask for the following. If it does prompt, allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

      Posted Image

      Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

      Posted Image

      Click Yes, to continue scanning for malware. Please be patient and don't use the PC whilst it is scanning.

      When finished, it shall produce a log for you. Please copy & paste the contents of this log (also found at C:\ComboFix.txt) in your next reply at your topic.


—————
Was this post helpful? Say “thanks” by giving me a “Kudo”!
Was your question answered or issue solved? Mark that post as an “Accepted Solution”!
Please use plain text.
Stone Emissary
angelanduriil
Posts: 7
Registered: ‎04-13-2012

Re: Troj_zaccess.cql problem

Ok, whenever I go to do the OTL scan with the custom fixes from your last reply the icons and start bar go away and then my pc locks up and doesn't do anything. I let it sit for a few hours and nothing changes. I've tried it twice but have had to manually power down the pc. Any thoughts on what could be wrong?

Please use plain text.
Legendary Noble
malwarekiller
Posts: 3,967
Registered: ‎08-08-2011

Re: Troj_zaccess.cql problem

[ Edited ]

the start menu and desktop disappearing is normal...just move directly to combofix step for now.Skip OTL for now and do the below before moving on to combofix step:

 

Please download ATF Cleaner by Atribune.

  • Save it to your desktop
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

    If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.

    NOTE: If you would like to keep your saved passwords
    please click No at the prompt.


    If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.

    NOTE: If you would like to keep your saved passwords
    please click No at the prompt.
  • Click Exit on the Main menu to close the program.
—————
Was this post helpful? Say “thanks” by giving me a “Kudo”!
Was your question answered or issue solved? Mark that post as an “Accepted Solution”!
Please use plain text.
Stone Emissary
angelanduriil
Posts: 7
Registered: ‎04-13-2012

Re: Troj_zaccess.cql problem

Ok, I click on the link you sent me and Trend Micro pops up in my browser saying it's a dangerous page.

"Trend Micro has confirmed that this website can transmit malicious software or has been involved in an online scan or fraud."

Even if I try to go to the www.atribune.org main page it says that. Should I ignore it and go on?

Please use plain text.
Legendary Noble
malwarekiller
Posts: 3,967
Registered: ‎08-08-2011

Re: Troj_zaccess.cql problem

Ignore it its safe as hell!

—————
Was this post helpful? Say “thanks” by giving me a “Kudo”!
Was your question answered or issue solved? Mark that post as an “Accepted Solution”!
Please use plain text.
Stone Emissary
angelanduriil
Posts: 7
Registered: ‎04-13-2012

Re: Troj_zaccess.cql problem

Ok here is my combofix log. I did have problems with combo fix too. It removed my desktop like you said it would, but then it just sat there. For a long time...like a couple of hours. I know it said not to manually restart but I did anyway. It did seem to finish the job once it restarted, but I'm not sure if I messed anything up by doing that. I did delete the temp files before hand with the program you gave me and I did make sure to shut down TM and MB before hand.

Thanks a lot for your help with all this!

Please use plain text.