
ZeroAccess Rootkit Activity 4 and Tidserv

I've downloaded tdssfix but it says no infections found, yet Norton is still having pop-ups saying that I have Tidserv. Also, there is no removal tool for ZeroAccess Rootkit for systems running on 64 bit. Please help?

Replies


Re: ZeroAccess Rootkit Activity 4 and Tidserv

What is your operating system?

Quads


Re: ZeroAccess Rootkit Activity 4 and Tidserv

I'm running on 64 bit.


Re: ZeroAccess Rootkit Activity 4 and Tidserv

What operating system are you using? I know it's 64 bit. Let's get really basic here: are you using XP 64 bit, Vista 64 bit or Windows 7 64 bit?

Quads


Re: ZeroAccess Rootkit Activity 4 and Tidserv

Haha, I apologize. I am a little slow; but it's Windows 7.


Re: ZeroAccess Rootkit Activity 4 and Tidserv

Until you have a solution, may I suggest the following:

disconnect your pc from the internet

do not power down

do not reboot

Post exactly what N360 found. Did it identify ZeroAccess Rootkit Activity 4 and Tidserv? Or were there more details?


Re: ZeroAccess Rootkit Activity 4 and Tidserv


cgoldman wrote:

Until you have a solution, may I suggest the following:

disconnect your pc from the internet

do not power down

do not reboot

Post exactly what N360 found. Did it identify ZeroAccess Rootkit Activity 4 and Tidserv? Or were there more details?


That won't fix anything; ZeroAccess is clever and protective.

"ZeroAccess Rootkit Activity 4 and Tidserv" are the I.P. detections.

Quads


Re: ZeroAccess Rootkit Activity 4 and Tidserv


Quads wrote:

That won't fix anything; ZeroAccess is clever and protective.

"ZeroAccess Rootkit Activity 4 and Tidserv" are the I.P. detections.

Quads


It's not designed to fix anything. With respect, look at what I wrote.

These infections will pull other malware in, so disconnecting from the internet until needed will stop and limit such further infections.

Powering off or rebooting with Norton present, and before a solution is proposed and tried, can have dire consequences.

If on the other hand, you recommend that the user reboots before taking any action and leaves his internet connection enabled, then you are free to say so and the user can decide on the logic of the approach. However, I would be surprised indeed if you are of that view.


Re: ZeroAccess Rootkit Activity 4 and Tidserv

Jmsa

Download AswMBR  hxxp://public.avast.com/~gmerek/aswMBR.htm (change the hxxp to http) 

Run the scan, with definitions if it asks, but do not have it fix anything when it is finished. Just create a log and attach it.

I just want the logs for information on what I may need to remove, or, if a driver goes missing, to help in knowing which one needs to be replaced.

Quads


Re: ZeroAccess Rootkit Activity 4 and Tidserv

"Threat requiring manual removal detected: System Infected: Tidserv Activity 2"

and it says the same for ZeroAccess Rootkit.


Re: ZeroAccess Rootkit Activity 4 and Tidserv

That's OK. I have infected my system with these wider groups of kits; I know what the detections mean or what I.P. should be saying to me.

Quads


Re: ZeroAccess Rootkit Activity 4 and Tidserv

Also, the file that's infected on my laptop is consrv.dll (but of course I can't remove it).

Should I just run that scan from the website you posted?


Re: ZeroAccess Rootkit Activity 4 and Tidserv

This can involve using the Command Prompt offline, logging, scripting etc.

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive. hxxp://download.bleepingcomputer.com/farbar/FRST64.exe   (replace the hxxp with http)

Plug the flash drive into the infected PC.

Enter System Recovery Options.
To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

Select Command Prompt
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
Note: Replace letter e with the drive letter of your flash drive.

The tool will start to run.
When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) on the Flash Drive.

Attach the FRST.txt back here.

I suspect you may have 2 infections, and one involves the subsystems, which has to be repaired. I am waiting for a log created with Windows not loaded to show everything offline (Windows not running).

Quads


Re: ZeroAccess Rootkit Activity 4 and Tidserv

When I type in that website, it says HTTP 404 not found?


Re: ZeroAccess Rootkit Activity 4 and Tidserv


jmsa wrote:

Also, the file that's infected on my laptop is consrv.dll (but of course I can't remove it).

Should I just run that scan from the website you posted?



Please be advised as follows: (I hope it is not too late)

You do not say how you have established consrv.dll (that would be very interesting).

The existence of consrv.dll could point to trojan.zeroaccess.b or a variant thereof.

You might care to read this on http://www.bleepingcomputer.com/forums/topic445277.html

and http://www.kingsoftsecurity.com/blog/?p=698  note the modified registry entry for consrv.

and http://www.enigmasoftware.com/trojanzeroaccessb-removal/

In short you can check out your registry but what you should have under

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems

and the last key Windows is very close to

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

what you probably have is very close to

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=consrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

A user has reported that if the registry key is fixed first and then the file removed it would boot up fine afterwards.

If the registry key is not fixed first then you can have boot up issues afterwards.  I know this from my own experience and it is something I am trying to resolve with Norton.

I now see Quads is posting instructions so I probably will post no further on this matter.

Good luck

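The registry check described in the post above, as an added example that is not part of any post in this thread: a small Python script that splits the Windows value under the SubSystems key into its ServerDll= entries, flags any module outside the known-good set the post quotes (basesrv, winsrv, sxssrv), and rewrites a hijacked UserServerDllInitialization entry back to winsrv, which is the fix-the-key-first step the post recommends. The clean and tampered strings are the two values quoted in the post; the known-good table and the parsing pattern are this example's own assumptions, not Norton's or FRST's logic. To use it on a real machine, pass in the value as read from the key (for example from reg query output, or from a hive exported while booted into the recovery environment): a live read on an infected system can be lied to by the rootkit, which is why the thread asks for an offline log.

```python
import re

# Known-good ServerDll modules for the Windows subsystem on Windows 7, taken
# from the expected value quoted in the post. basesrv and sxssrv carry no named
# entry point (None); winsrv hosts both the user and console initialisers.
# This table is the example's own assumption, not vendor data.
EXPECTED_SERVER_DLLS = {
    "basesrv": frozenset([None]),
    "winsrv": frozenset(["UserServerDllInitialization",
                         "ConServerDllInitialization"]),
    "sxssrv": frozenset([None]),
}

# Constructed inputs: the clean value and the tampered one, both as quoted in
# the post (ServerDll=winsrv:UserServerDllInitialization swapped for consrv).
CLEAN_VALUE = (
    r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
    "SharedSection=1024,20480,768 Windows=On SubSystemType=Windows "
    "ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
    "ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 "
    "ProfileControl=Off MaxRequestThreads=16"
)
TAMPERED_VALUE = CLEAN_VALUE.replace(
    "ServerDll=winsrv:UserServerDllInitialization,3",
    "ServerDll=consrv:UserServerDllInitialization,3",
)

# ServerDll=<dll>[:<entrypoint>],<index>
_SERVERDLL = re.compile(
    r"^ServerDll=(?P<dll>[^:,]+)(?::(?P<entry>[^,]+))?,(?P<idx>\d+)$"
)


def parse_server_dlls(value):
    """Return [(dll, entrypoint_or_None, index), ...] for every ServerDll=
    token, keeping the DLL name as written so it can be matched back later."""
    entries = []
    for token in value.split():
        m = _SERVERDLL.match(token)
        if m:
            entries.append((m["dll"], m["entry"], int(m["idx"])))
    return entries


def find_hijacked_server_dlls(value):
    """Return every ServerDll entry whose module, or whose entry point for a
    known module, is outside the known-good table. The consrv entry from the
    post is reported here; a clean value yields an empty list."""
    hijacked = []
    for dll, entry, idx in parse_server_dlls(value):
        allowed = EXPECTED_SERVER_DLLS.get(dll.lower())
        if allowed is None or entry not in allowed:
            hijacked.append((dll, entry, idx))
    return hijacked


def repair_value(value):
    """Point a hijacked entry back at winsrv when its entry point is one winsrv
    is known to export. Anything else is left untouched for manual review
    rather than guessed at."""
    fixed = value
    for dll, entry, idx in find_hijacked_server_dlls(value):
        if entry in EXPECTED_SERVER_DLLS["winsrv"]:
            fixed = fixed.replace(f"ServerDll={dll}:{entry},{idx}",
                                  f"ServerDll=winsrv:{entry},{idx}")
    return fixed


if __name__ == "__main__":
    for label, value in (("clean", CLEAN_VALUE), ("tampered", TAMPERED_VALUE)):
        print(label, find_hijacked_server_dlls(value) or "ok")
    print("repair restores clean value:",
          repair_value(TAMPERED_VALUE) == CLEAN_VALUE)
```

Fixing the key is only half of what the post describes: the consrv.dll file in system32 still has to be removed afterwards, and the script deliberately rewrites nothing it does not recognise, so an unexpected DLL name paired with an unknown entry point is reported rather than silently changed.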

Re: ZeroAccess Rootkit Activity 4 and Tidserv

Read my instructions again: change the hxxp part of the address to http.

I know how the Subsystems key works; I don't need to be told. I have, on this forum and others, been able to get Windows to start up over the net for people after Windows wouldn't start up. That is why I asked for the operating system early on, as there are differences etc.

I am going to create a new thread as this one is getting ridiculous, confusing etc. People don't need to teach me about these infections; I already knew it was ZeroAccess, but it appears to be a blend with the other possible infection I am looking at.

I won't go into ZeroAccess, as people that are in the same field and need to know, know; others don't.

New thread coming

ADDED  http://community.norton.com/t5/Norton-360/ZeroAccess-Rootkit-Activity-4-and-Tidserv/td-p/683631

Quads


Re: ZeroAccess Rootkit Activity 4 and Tidserv

Uhh, I did change it to http and it says webpage not found.

Re: ZeroAccess Rootkit Activity 4 and Tidserv


jmsa wrote:
Uhh, I did change it to http and it says webpage not found.

try here

http://public.avast.com/~gmerek/aswMBR.htm

I know it is the same, but the address is correct and it worked every time I tested it. It is possible that you cannot reach the web because of, for example, an infection, or that your hosts file has been modified, but if you have no other symptoms this seems unlikely.


Re: ZeroAccess Rootkit Activity 4 and Tidserv


cgoldman wrote:

jmsa wrote:
Uhh, I did change it to http and it says webpage not found.

try here

http://public.avast.com/~gmerek/aswMBR.htm

I know it is the same, but the address is correct and it worked every time I tested it. It is possible that you cannot reach the web because of, for example, an infection, or that your hosts file has been modified, but if you have no other symptoms this seems unlikely.


That is not the program I want!

jmsa,  Go to the clean thread please.  http://community.norton.com/t5/Norton-360/ZeroAccess-Rootkit-Activity-4-and-Tidserv/td-p/683631

Quads


Re: ZeroAccess Rootkit Activity 4 and Tidserv

To jmsa

Sorry for my last post, but you did not say which website you got the 404 against.

I now see that the 404 arises against the original posting which wanted you to go to

so you are quite correct.

The reason you get 404 is because there is a hidden character you are not seeing. If you had retyped the address it would have worked.

If you still want to, if you click below it will work for you

[edit: Please do not link to .exe files per the Participation Guidelines and Terms of Service.]


Re: ZeroAccess Rootkit Activity 4 and Tidserv

Direct links are not allowed.  Bad

I have copied and pasted my original link  from my post    hxxp://download.bleepingcomputer.com/farbar/FRST64.exe  

Changing the xx to tt works and downloads.

Quads
