topic Re: Another Zeroaccess!inf infection in Norton Internet Security / Norton AntiVirus

Another Zeroaccess!inf infection

BudBullets — Sat, 05 May 2012 00:28:52 GMT

I am using Windows XP professional with Service Pack 3 on an Compaq V6000 (x86). Norton picked up the Zeroaccess infection and recommends manual removal. It looks like I have 2 infected files:

C:\windows\system32\tshwmdtcp.dll

C:\windows\system32\parport.dll

Any help would be appreciated.

Re: Another Zeroaccess!inf infection

Quads — Sat, 05 May 2012 00:47:08 GMT

Please do not run any tools unless instructed to do so.

We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please read every post completely before doing anything.

Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please read carefully

1. Please download aswMBR hxxp://public.avast.com/~gmerek/aswMBR.exe to your desktop. (replace the hxxp with http)
Double click the aswMBR.exe icon to run it
it will ask to download extra definitions - ALLOW IT / Yes
Click the Scan button to start the scan
On completion of the scan, click the save log button, save it to your desktop and Please attach the log in the post back, Don't have the program fix anything.

Quads

Re: Another Zeroaccess!inf infection

BudBullets — Sat, 05 May 2012 12:46:31 GMT

Attached is the log file.

I did not run any Tools, but Norton AutoProtect was on. The AutoProtect did pop up a message regarding backdoor.tidserv while scanning. Do I need to disable or Uninstall Norton and rescan? I also have SpyBot and Malwarebytes (and an outdated ESET package) installed.

Thanks for the help.

Re: Another Zeroaccess!inf infection

Quads — Sun, 06 May 2012 05:27:54 GMT

Uninstall Spybot S&D

Quads

Re: Another Zeroaccess!inf infection

BudBullets — Sun, 06 May 2012 16:21:47 GMT

I have uninstalled Spybot and rebooted.

Re: Another Zeroaccess!inf infection

Quads — Mon, 07 May 2012 00:08:21 GMT

Ok, and I know the Windows driver involved, just in case.

Please read carefully and follow these steps.

Download TDSSKiller from http://support.kaspersky.com/faq/?qid=208280684 click on the TDSSkiller.exe green link.

Double click on TDSSKiller.exe to run the application,

Open the Change Parameters option and select the detect TDLsystem

Then on Start Scan.

If an infected file is detected, the default action will be Cure, click on Continue.
If a suspicious file is detected, the default action will be Skip, click on Continue.
It may ask you to reboot the computer to complete the process. Click on Reboot Now.
If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please attach the log in the post back.

Quads

Re: Another Zeroaccess!inf infection

BudBullets — Mon, 07 May 2012 00:40:19 GMT

I did the scan and it found two "threats" . The default action is delete. Should I delete?

Re: Another Zeroaccess!inf infection

Quads — Mon, 07 May 2012 00:42:13 GMT

What are they as you have not given a log.

Quads

Re: Another Zeroaccess!inf infection

BudBullets — Mon, 07 May 2012 00:51:08 GMT

Sorry, I wasn't sure if "cure" was the same as "delete" as a default option.

Backdoor.Multi.ZAccess.gen

Service:lvsrvlauncher

Backdoor. Multi.Zaccess.gen

Service: venturi2

Both with default action set to Delete.

Re: Another Zeroaccess!inf infection

Quads — Mon, 07 May 2012 00:56:03 GMT

Yes you can have TDSSkiller delete the 2 services, It's similar to the Oak Technology version.

Quads

Re: Another Zeroaccess!inf infection

BudBullets — Mon, 07 May 2012 01:12:17 GMT

Ok. Deleted and rebooted. Log is attached.

Norton Autoprotect came on while it was deleting and gave a message about proteting from 2 threats. Not sure if its relevant.

Re: Another Zeroaccess!inf infection

Quads — Mon, 07 May 2012 01:21:28 GMT

Norton may have deleted the files after the infection was broken.

20:37:00.0292 2484 lvsrvlauncher (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\parport.dll
20:37:00.0417 2484 Suspicious file (NoAccess): C:\WINDOWS\system32\parport.dll. md5: 11028c6a84a967070cb1286550f2058f
20:37:00.0417 2484 lvsrvlauncher ( Backdoor.Multi.ZAccess.gen ) - infected
20:37:00.0417 2484 lvsrvlauncher - detected Backdoor.Multi.ZAccess.gen (0)

20:37:12.0527 2484 venturi2 (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\TSHWMDTCP.dll
20:37:12.0589 2484 Suspicious file (NoAccess): C:\WINDOWS\system32\TSHWMDTCP.dll. md5: 11028c6a84a967070cb1286550f2058f
20:37:12.0589 2484 venturi2 ( Backdoor.Multi.ZAccess.gen ) - infected
20:37:12.0589 2484 venturi2 - detected Backdoor.Multi.ZAccess.gen (0)

Read all of this message first

Download Combofix http://www.bleepingcomputer.com/download/anti-virus/combofix

Ensure that Combofix is saved directly to the Desktop <--- Very important
Disable all security programs as they will have a negative effect on Combofix,
Close any open browsers and any other programs you might have running

Doiwnload the attached CFscript.txt, , For some browsers Right Click the attachment on the forum and select "Save AS" or similar to Download it.

Now drag the CFScript.txt into the ComboFix.exe

If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review

****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

*EXTRA NOTES*

If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
If Combofix reboot's due to a rootkit, the screen may stay black for several minutes on reboot, this is normal
If after running Combofix you receive any type of warning message about registry key's being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted)

Quads

Re: Another Zeroaccess!inf infection

BudBullets — Mon, 07 May 2012 03:04:27 GMT

Ran Combofix. Attached is the log. Browser seems to working much better (faster).

Re: Another Zeroaccess!inf infection

Quads — Mon, 07 May 2012 03:12:03 GMT

Read the instructions again you did not run the script properly, you had the script as "CFscript.txt 1 KB.URL" you should have it as "CFscript.txt"

Quads

Re: Another Zeroaccess!inf infection

Quads — Mon, 07 May 2012 19:46:47 GMT

After the proper script name run, we still need to carry on cleaning the system.

Quads

Re: Another Zeroaccess!inf infection

BudBullets — Mon, 07 May 2012 22:46:49 GMT

Re-scanned with the correct file.

Re: Another Zeroaccess!inf infection

Quads — Tue, 08 May 2012 00:50:07 GMT

That has taken care of the main Rootkit

Now time to scan the hole system to find anything else before using another program to do the final script cleanup

Please read carefully

Please scan with ESET next Using Internet Explorer

I'd like us to scan your machine with ESET OnlineScan

Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
Click the button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
- Click on to download the ESET Smart Installer. Save it to your desktop.
- Double click on the icon on your desktop.
Check
Click the button.
Accept any security warnings from your browser.
Under scan settings, check and DON'T (NO) check Remove found threats (reason for this is we don't want something deleted and then Windows won't load).
Click Advanced settings and select the following:
- Scan potentially unwanted applications
- Scan for potentially unsafe applications
- Enable Anti-Stealth technology
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
Attach the resulting log in your next reply

If you think a log should have been generated then go to C:\Program Files\ESET\ESET Online Scanner\log.txt to find it.

Quads

Re: Another Zeroaccess!inf infection

BudBullets — Tue, 08 May 2012 10:23:06 GMT

Attached is the ESET log.

Re: Another Zeroaccess!inf infection

Quads — Tue, 08 May 2012 20:10:17 GMT

1) Go into the Add / Remove Programs and select to shows Windows updates, so they are now also listed.

Find the update KB2536276-v2 and uninstall it, we will install a fresh copy later.

2) Go here http://community.norton.com/t5/Norton-Internet-Security-Norton/GOOGLE-REDIRECTS-TO-http-abnow-com/m-p/686159/highlight/true#M199243

Download to your desktop the XP_netsvcs.reg.txt Right click the attachment link nd select "Save Link as" then the dialog box appears and you can take the .txt part off. Then run the file and have the data added to the registry.

3) Download OTL hxxp://oldtimer.geekstogo.com/OTL.exe (change the hxxp to http) save it to your Desktop.

Double click on OTL.exe to run it. Right click OTL.exe and select run as administator for Vista and Win 7.

Click the Scan All Users checkbox.

Change file age to 60 days

under Copy and paste what is below between the lines

drivers32

netsvcs
"%WinDir%\$NtUninstallKB*$." /30
%SYSTEMDRIVE%\*.exe
/md5start
volsnap.sys
atapi.sys
explorer.exe
winlogon.exe
mrxsmb.sys

/md5stop

Press the

Quads

Re: Another Zeroaccess!inf infection

BudBullets — Tue, 08 May 2012 22:25:56 GMT

Completed. It generated two log files.

First log below: