You can try TDSSKiller, here:

http://support.kaspersky.com/faq/?qid=208280684

New variants of the rootkit come out all the time and it becomes increasingly difficult finding apps to safely remove it.  If TDSSKiller also can't find it, you will need to visit one of these free malware removal forums where they can use more advanced tools, track it down, and help you get rid of it.  Bleeping may have a longer wait time as they are very busy.

www.bleepingcomputer.com

http://www.geekstogo.com/forum/

http://www.cybertechhelp.com/forums/

http://forums.whatthetech.com/

http://support.emsisoft.com/forum/6-help-my-pc-is-infected/

Hi kiwifrost4 ,

You can try the steps in link http://www.symantec.com/security_response/writeup.jsp?docid=2010-090608-3309-99 and I think the issue will get fixed

Regards,

Jithin 

Both FixTDSS (stand alone)  and TDSSkiller should be able to detect and cure the infected Driver or Boot Sector.  TDSSkiller has been updated this month.

Quads

That is the first step I tried, as that is what the pop-up box tells me to do. Unfortunately this does not seem to work in my case.

Also, since my PC came with Vista pre-installed, I do not have a CD-ROM if any re-installation / manual repair needed to occur.

Quads - thanks for the info. I ran TDSS rootkit removing tool (I believe this is the version #) 2.5.23.0. Is that the latest version? Downloaded from kaspersky.com. Scan (took only 24 seconds, is that right? Seems awfully quick) found no objects.

Could this possibly be a false positive? If so, how do you check? Let me know if you need to see a copy of the TDSS results, if that helps in any way.

It is very unlikely to be a false positive.  If the tools given are not working, then you will need to get assistance using more advanced tools at the forums, linked above.

NOTE: this is infomation, but please stay with the other forum(s) you have posted logs for as those forum(s) for malware removal are protected so that only people trained with those tools can reply to help a user remove malware and not every Tom, Dick and Harry.

It appears even though Norton is correctly doing it's job in Intrusion Prevention blocking access to the network for the C&C Server on the web, it it's just the detection name that seems wrong so instead of the popup saying  "Threat requiring manual removal detected: System Infected: Tidserv Activity 2".  it should read  "Threat requiring manual removal detected: System Infected: Zeroaccess Activity *".   as after doing some digging and some information on this thread it is somewhat likley that It's not Tidserv but Zeroaccess.

1. FixTDSS and TDSSKiller comeback clean, no detection

2. The Norton detection of  "80000032.@ (Trojan.Gen.2) detected by Auto-Protect,Blocked,Resolved - No Action Required" which is connect to a variant(s) of Zeroaccess the Trojan.Gen.2 is a usually a detection for a object that is newish and is not yet added to a group.

One test

C:\windows\$NtUninstallKB[NUMBERS]$\[NUMBERS]

C:\windows\$NtUninstallKB[NUMBERS]$\[NUMBERS]\@

C:\windows\$NtUninstallKB[NUMBERS]$\[NUMBERS]\bckfg.tmp

C:\windows\$NtUninstallKB[NUMBERS]$\[NUMBERS]\cfg.ini

C:\windows\$NtUninstallKB[NUMBERS]$\[NUMBERS]\Desktop.ini

C:\windows\$NtUninstallKB[NUMBERS]$\[NUMBERS]\keywords

C:\windows\$NtUninstallKB[NUMBERS]$\[NUMBERS]\kwrd.dll

C:\windows\$NtUninstallKB[NUMBERS]$\[NUMBERS]\L\[RANDOM CHARACTERS]

C:\windows\$NtUninstallKB[NUMBERS]$\[NUMBERS]\lsflt7.ver

C:\windows\$NtUninstallKB[NUMBERS]$\[NUMBERS]\U\00000001.@

C:\windows\$NtUninstallKB[NUMBERS]$\[NUMBERS]\U\00000002.@

C:\windows\$NtUninstallKB[NUMBERS]$\[NUMBERS]\U\80000000.@

C:\windows\$NtUninstallKB[NUMBERS]$\[NUMBERS]\U\80000032.@  (Detected as Trojan.Gen 2???)

The "@" is at the correct end 

There are 2 programs that can get this cured but I suggest using the programs under supervision on the other forums as it's a critical OS file that needs to be cured /disinfected and even the folder in the list above does not like to be deleted or can't be deleted easily in Windows and the folder actually shows in Explorer as being empty when it's not.

I have 3 more samples to try that I received this morning.

Quads

Here is a GMER log attached, it's not complete but still shows Zeroaccess. Not all areas are scanned if you do GMER hits the Tripware and closes then the user is not able to use it.

I did find a flaw in Zeroaccess, usually if the infection is in full flight programs like MBAM, GMER, SAS, Combofix etc. hits the tripware and close................................  I found that there is a time when Zeroaccess is not fully functioning (Tripwire not active??) so those program can now run.

Newer Zeroaccess variants to come may be different of course.

Quads