topic Re: Yet Another Zeroaccess!inf Infection in Norton Internet Security / Norton AntiVirus

Yet Another Zeroaccess!inf Infection

Retired_USAF — Wed, 09 May 2012 20:49:07 GMT

Long time user of Norton Anti-Virus Corporate Edition. Recently downloaded a 15 day trial of Norton Ant-virus at the site and installed. It has identified Zeroaccess!inf. Coincidence that the Corporate edition could not find it but as soon as I download the trial version I get infected or is the new Norton Anti-Virus more sophisticated and found it where the Corporate Edition could not? Anyway, Norton Eraser cannot remove so I need help getting rid of it. MalWare Bytes does not find it nor does Sybot S&D. I am also running Zone Alarm Firewall. Computer is Windows XP Home Edition, Dell Dimension 4600. I am an experienced computer user. Any experts available to help?

Re: Yet Another Zeroaccess!inf Infection

dkane — Wed, 09 May 2012 21:16:05 GMT

Did you try the standalone fix tool?

http://www.symantec.com/security_response/writeup.jsp?docid=2011-121607-4952-99

Re: Yet Another Zeroaccess!inf Infection

Quads — Wed, 09 May 2012 23:52:59 GMT

Do not use the standalone tool on it until you know the variant or if you have the likes of MaxSS, Pihar or other Malware also.

How many times do the likes of myself and Malware Removal forums have to say???????

Quads

Re: Yet Another Zeroaccess!inf Infection

Retired_USAF — Thu, 10 May 2012 03:27:09 GMT

Too late.........tried the tool first thing as that is what the Norton Anti-Virus recommends. Where do I go from here?

Re: Yet Another Zeroaccess!inf Infection

Quads — Thu, 10 May 2012 03:31:33 GMT

Do you Competely remove SEP (corp version) before installing Norton??

Quads

Re: Yet Another Zeroaccess!inf Infection

Retired_USAF — Thu, 10 May 2012 14:15:57 GMT

Yes

Re: Yet Another Zeroaccess!inf Infection

Quads — Thu, 10 May 2012 18:42:31 GMT

What is the name and location of the file(s) detected??

Quads

Re: Yet Another Zeroaccess!inf Infection

Retired_USAF — Fri, 11 May 2012 01:58:52 GMT

From Norton Insight. Two instances.

Full Path: c:\system volume information\_restore{77b878ba-823e-498a-9a54-a1d02ce86a42}\rp906\a0115953.dll

Threat: Trojan.Zeroaccess!inf

Full Path: c:\system volume information\_restore{77b878ba-823e-498a-9a54-a1d02ce86a42}\rp902\a0113427.dll

Threat: Trojan.Zeroaccess!inf

Re: Yet Another Zeroaccess!inf Infection

Quads — Fri, 11 May 2012 02:06:43 GMT

Hmmmmm, interesting for a reason.

Did you have no other detection from Norton or SEP, or other program for zeroaccess in the system32 folder in the past??

maybe that is still hiding. We may fully check the system like I do for the other threads to make sure everything is cleaned of leftovers etc.

Quads

Re: Yet Another Zeroaccess!inf Infection

Retired_USAF — Fri, 11 May 2012 02:12:43 GMT

Not that I recall. Believe the first I saw of it was with the downloaded Norton. Looking at the path, I see "restore". Does that mean it got loaded into an XP restore point at some time? Both have a filed modified date of 4/13/2008 (if that means anything)

Re: Yet Another Zeroaccess!inf Infection

Quads — Fri, 11 May 2012 02:20:12 GMT

The location really is not the real important piece here as the copies would have been backed up from system files originally and that is what we have to track down, where have they gone.

Please do not run any tools unless instructed to do so.

We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please read every post completely before doing anything.

Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forum, (sometimes :smileylol:)
Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!

Please read carefully

a) Uninstall Spybot S&D, also if Malwarebytes has it's realtime componant running, Uninstall Malwarebytes also.

Quads

Re: Yet Another Zeroaccess!inf Infection

Retired_USAF — Fri, 11 May 2012 02:29:00 GMT

Just noticed auto protect added another instance at 21:09

Full Path: c:\system volume information\_restore{77b878ba-823e-498a-9a54-a1d02ce86a42}\rp906\a0115956.dll

Threat: Trojan.Zeroaccess!inf

Re: Yet Another Zeroaccess!inf Infection

Quads — Fri, 11 May 2012 02:30:25 GMT

That's OK, Just do my first instruction above.

Quads

Re: Yet Another Zeroaccess!inf Infection

Retired_USAF — Fri, 11 May 2012 02:47:38 GMT

Both have been unistalled. S&D required a reboot, so took awhile.

Re: Yet Another Zeroaccess!inf Infection

Quads — Fri, 11 May 2012 02:52:14 GMT

I may ask for both scans first to try and figure out what is going on for those files to be created.

Here is the first

Please read carefully

1. Please download aswMBR hxxp://public.avast.com/~gmerek/aswMBR.exe to your desktop. (replace the hxxp with http)
Double click the aswMBR.exe icon to run it
it will ask to download extra definitions - ALLOW IT / Yes
Click the Scan button to start the scan
On completion of the scan, click the save log button, save it to your desktop and Please attach the log in the post back, Don't have the program fix anything.

Quads

Re: Yet Another Zeroaccess!inf Infection

Retired_USAF — Fri, 11 May 2012 03:21:18 GMT

Well, it said scan finished successfully so I guess it was done. Log attached.

Re: Yet Another Zeroaccess!inf Infection

Quads — Fri, 11 May 2012 03:34:31 GMT

Found at least some more of it, hmmm have to be careful as a driver with this variantion can go missing, I am thinking.

In the meantime, and the scan can take some time

Please read carefully and Slowly

Please scan with ESET next Using Internet Explorer

I'd like us to scan your machine with ESET OnlineScan

Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
Click the button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
- Click on to download the ESET Smart Installer. Save it to your desktop.
- Double click on the icon on your desktop.
Check
Click the button.
Accept any security warnings from your browser.
Under scan settings, check and DON'T (NO) check Remove found threats (reason for this is we don't want something deleted and then Windows won't load).
Click Advanced settings and select the following:
- Scan potentially unwanted applications
- Scan for potentially unsafe applications
- Enable Anti-Stealth technology
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
Attach the resulting log in your next reply

If you think a log should have been generated then go to C:\Program Files\ESET\ESET Online Scanner\log.txt to find it.

Quads

Re: Yet Another Zeroaccess!inf Infection

Retired_USAF — Fri, 11 May 2012 12:18:51 GMT

That sure was a long scan. It said ZoneAlarm and Norton Anti-virus may interfer with the scan so I turned those off during the scan.

Re: Yet Another Zeroaccess!inf Infection

Quads — Fri, 11 May 2012 19:55:56 GMT

Please read carefully and follow these steps.

Download TDSSKiller from http://support.kaspersky.com/faq/?qid=208280684 click on the TDSSkiller.exe green link.

Double click on TDSSKiller.exe to run the application,

Open the Change Parameters options and select the Detect TDLFS File System

Then on Start Scan.

If an infected file is detected, the default action will be Cure, click on Continue.
If a suspicious file is detected, the default action will be Skip, click on Continue.
It may ask you to reboot the computer to complete the process. Click on Reboot Now.
If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please attach the log in the post back.

Quads

Re: Yet Another Zeroaccess!inf Infection

Retired_USAF — Fri, 11 May 2012 23:35:35 GMT

Didn't seem to find anything. Log attached.