Contributor
usha
Posts: 29
Registered: ‎06-13-2012
Accepted Solution

Trojan Zero.Access infection

Norton scan found two threats.

ntos (Trojan.Zeroaccess!kmem) which was removed and mrxsmb.sys_backup (Trojan.Zeroaccess!inf2) which could not be removed. It said to get the tool from the website and so I did. It did not remove anything and said "no threat was found", then it said to run the Norton Power Eraser and so I did. It couldn't remove it as well. On the website it said that if neither of those work, I should run the Norton Bootable Recovery tool and so I did. Again, it found but could not remove the threat. Looking through the Security History I see that I8042pr.dll (Trojan.Zeroaccess!inf) has been detected and blocked two months ago. Looking through the forums, it seems like there is no universal solution to remove this threat, so I don't want to mess anything up here.

Bot Obliterator
Quads
Posts: 13,250
Registered: ‎07-21-2008

Re: Trojan Zero.Access infection

I will get to you in the queue, don't do anything.

 

Quads

Bot Obliterator
Quads
Posts: 13,250
Registered: ‎07-21-2008

Re: Trojan Zero.Access infection


Please do not run any tools unless instructed to do so. 

  • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Major steps used:

1. Find

2. Break

3. Destroy

4. Cleanup  (including system as a whole)

 

Please read every post completely before doing anything. 

  • Pay special attention to the NOTE: lines; these entries identify an individual issue or important step in the cleanup process.

 

  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums (sometimes).

  •  Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.

 


Please read carefully

 

1. Please download aswMBR hxxp://public.avast.com/~gmerek/aswMBR.exe to your desktop. (replace the hxxp with http)
Double click the aswMBR.exe icon to run it.
It will ask to download extra definitions - ALLOW IT / Yes.
Click the Scan button to start the scan.
On completion of the scan, click the save log button, save it to your desktop and please attach the log in the post back. Don't have the program fix anything.

 

Quads

Contributor
usha
Posts: 29
Registered: ‎06-13-2012

Re: Trojan Zero.Access infection

Done. Log in attachment.

Bot Obliterator
Quads
Posts: 13,250
Registered: ‎07-21-2008

Re: Trojan Zero.Access infection

I had another user with this file also on XP

 

Download OTL   hxxp://oldtimer.geekstogo.com/OTL.exe   (change the hxxp to http) save it to your Desktop.

Double click on OTL.exe to run it.  Right click OTL.exe and select run as administrator for Vista and Win 7.

 

Disable Norton for say 30 minutes

 

Start OTL,  

Click the Scan All Users checkbox.

Change file age to 60 days

under  Copy and paste what is below between the lines


 


msconfig
activex
drivers32
netsvcs

"%WinDir%\$NtUninstallKB*$." /30
C:\Program Files\Common Files\ComObjects\*.* /s
%systemroot%\*. /mp /s
%systemroot%\*. /rp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\drivers\*.sys /90
%SYSTEMDRIVE%\*.exe
/md5start
volsnap.sys
atapi.sys
explorer.exe
winlogon.exe

mswsock.dll
wininit.exe
services.exe

svchost.exe
tdx.sys
afd.sys
cdrom.sys
i8042prt.sys
netbt.sys
redbook.sys

mrxsmb.sys

/md5stop


 

Press the 

 

 

An OTL.txt will be created.

 

Quads

Contributor
usha
Posts: 29
Registered: ‎06-13-2012

Re: Trojan Zero.Access infection

done

Bot Obliterator
Quads
Posts: 13,250
Registered: ‎07-21-2008

Re: Trojan Zero.Access infection

You have used NPE and FixZeroAccess. What did they find??

 

Quads

Contributor
usha
Posts: 29
Registered: ‎06-13-2012

Re: Trojan Zero.Access infection

When I ran FixZeroAccess and restarted the PC after the scan, it said "no threat was found". Then I ran NPE and I don't remember exactly what it said but it either did not find it or could not fix it as well.

Bot Obliterator
Quads
Posts: 13,250
Registered: ‎07-21-2008

Re: Trojan Zero.Access infection

We will be doing the next step completely manually, so take the steps very carefully, OK?

 

Quads

Contributor
usha
Posts: 29
Registered: ‎06-13-2012

Re: Trojan Zero.Access infection

sure. if you say so))))