Bot Obliterator
Quads
Posts: 16,451
Registered: ‎07-21-2008

Re: Trojan Zero.Access infection

Running chkdsk will be OK; it looks like the System Restore driver has a problem, or is corrupt.

Quads.

Contributor
usha
Posts: 29
Registered: ‎06-13-2012

Re: Trojan Zero.Access infection

OK. I ran chkdsk /f and chkdsk /r. Both finished but nothing was fixed. I still get the same message and the taskbar is in the classic style. I still cannot access the internet. Not sure where to head next.

Contributor
usha
Posts: 29
Registered: ‎06-13-2012

Re: Trojan Zero.Access infection


I clicked Start - Run - services.msc,

found the System Recovery service and it appears to be stopped. When I clicked Start I got the error message:

"Could not stop the Windows service name service on Local Computer.
Error 1053: The service did not respond to the start or control request in a timely fashion."

Should I try fixing it with this?

hxxp://support.microsoft.com/kb/839174

P.S. And since the recovery has been stopped, I assume all restore points are gone?

Bot Obliterator
Quads
Posts: 16,451
Registered: ‎07-21-2008

Re: Trojan Zero.Access infection


What I find strange is that the problem started after the simple cleanup, not after the use of the more advanced, dangerous programs. The m........_backup file appears to be a file created by ZeroAccess removal tools that get stuck or fail when giving it a go. Other tools swap names with end extensions like sys.com and sys.vir, which could mean that at times the driver (x86) it tried to fix is corrupt.

I have tried a couple of ZeroAccess samples that hurt or interfere with System Restore, and this is what I got with Windows 7:

ZASR.jpg

Even after you create a Restore point, if possible, after a restart of the system the same screenshot appears, bugger.

I am looking into what the newest variants do, with others in the malware removal field.

Some things spotted:

a) It can damage netsvcs in the registry.

b) It can hurt or damage the AV software, so that for internet security software the problem also hurts the Firewall component, which causes the system to have no Internet connection.

c) Files that are for Internet connectivity are damaged, or the Winsock is wrong.

Just haven't heard of the PC being stuck in classic view with it.

Quads

 

Bot Obliterator
Quads
Posts: 16,451
Registered: ‎07-21-2008

Re: Trojan Zero.Access infection

Some of the registry keys damaged appear to be:

MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to retrieve start type of MpsSvc. The value does not exist.
Checking ImagePath: Attention! Unable to retrieve ImagePath of MpsSvc. The value does not exist.
Unable to retrieve ServiceDll of MpsSvc. The value does not exist.

bfe Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open bfe registry key. The service key does not exist.

Quads
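The log lines in the post above come from a tool that reads each service's configuration out of the registry. As an added example (not part of the thread, and not the tool's own code), the PowerShell below reproduces that check for MpsSvc (Windows Firewall) and the BFE (Base Filtering Engine) service it depends on: the Start value and ImagePath under the service key, the ServiceDll under its Parameters subkey, whether that DLL is still on disk, and whether each listed dependency still has a service key at all. It is read-only and assumes an elevated PowerShell prompt.

```powershell
# Added example, not from the thread: recreate the service-configuration check
# shown in the log above for MpsSvc and BFE. Read-only; run elevated.

function Test-ServiceConfig {
    param([Parameter(Mandatory=$true)][string]$Name)

    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $problems = @()
    $start = $null; $image = $null; $dll = $null

    if (-not (Test-Path $key)) {
        $problems += 'service key does not exist'
    } else {
        $p = Get-ItemProperty -Path $key

        # Start: 2 = Automatic, 3 = Manual, 4 = Disabled
        if ($p.PSObject.Properties['Start'])     { $start = $p.Start }     else { $problems += 'Start value does not exist' }
        if ($p.PSObject.Properties['ImagePath']) { $image = $p.ImagePath } else { $problems += 'ImagePath value does not exist' }

        # svchost-hosted services keep their DLL under Parameters\ServiceDll
        $params = Get-ItemProperty -Path "$key\Parameters" -ErrorAction SilentlyContinue
        if ($params -and $params.PSObject.Properties['ServiceDll']) {
            $dll = $params.ServiceDll
            if (-not (Test-Path $dll)) { $problems += "ServiceDll missing on disk: $dll" }
        } else {
            $problems += 'ServiceDll value does not exist'
        }

        # A dependency whose key is gone stops this service from starting too
        $deps = @($p.DependOnService | Where-Object { $_ })
        foreach ($d in $deps) {
            if (-not (Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\$d")) {
                $problems += "dependency '$d' has no service key"
            }
        }
    }

    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        Name       = $Name
        Status     = $(if ($svc) { $svc.Status } else { 'not installed' })
        Start      = $start
        ImagePath  = $image
        ServiceDll = $dll
        Problems   = ($problems -join '; ')
    }
}

# The firewall service and the filtering engine it depends on
'MpsSvc', 'BFE' |
    ForEach-Object { Test-ServiceConfig -Name $_ } |
    Format-List Name, Status, Start, ImagePath, ServiceDll, Problems
```

On a clean Windows 7 system both services report a Start value, an ImagePath of svchost.exe and a ServiceDll under system32 with an empty Problems field; the log above corresponds to "Start value does not exist" and "ImagePath value does not exist" for MpsSvc and "service key does not exist" for BFE, which the MpsSvc entry would also surface as a missing dependency.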

Contributor
usha
Posts: 29
Registered: ‎06-13-2012

Re: Trojan Zero.Access infection

Hm.. so you are looking more into the problem and I should just wait, or would you like me to do something?

Bot Obliterator
Quads
Posts: 16,451
Registered: ‎07-21-2008

Re: Trojan Zero.Access infection

Have you reset the IP stack http://support.microsoft.com/kb/299357 or used WinsockFix to see if that resets the protocol??

Quads
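The reset Quads is pointing at comes down to two netsh commands: "netsh winsock reset" for the Winsock catalog and "netsh int ip reset" for the TCP/IP stack (the manual steps behind the KB 299357 fix and tools like WinsockFix). As an added example, not part of the thread, the script below runs both but first saves the current Winsock catalog and IP configuration to a log directory, and lists any Winsock provider whose DLL lives outside the system directory, so there is a record of what was installed before it is wiped. It assumes an elevated prompt; the log directory name is an assumption, and a reboot is required afterwards.

```powershell
# Added example, not from the thread: snapshot, then reset Winsock and TCP/IP.
# Run from an elevated PowerShell prompt and reboot afterwards.
param([string]$LogDir = (Join-Path $env:SystemDrive 'netreset'))   # assumed location

function Reset-NetworkStack {
    param([string]$LogDir)

    New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

    # Keep "before" evidence: the installed Winsock providers and the IP settings
    $catalog = netsh winsock show catalog
    $catalog     | Out-File (Join-Path $LogDir "winsock-catalog-$stamp.txt")
    ipconfig /all | Out-File (Join-Path $LogDir "ipconfig-$stamp.txt")

    # Quick check: base providers normally come from %SystemRoot%\system32.
    # The catalog prints paths unexpanded, so expand before comparing.
    $foreign = @($catalog | ForEach-Object {
        if ($_ -match 'Provider Path:\s*(.+)$') {
            [Environment]::ExpandEnvironmentVariables($Matches[1].Trim())
        }
    } | Where-Object { $_ -notlike "$env:SystemRoot\system32\*" } | Sort-Object -Unique)
    if ($foreign) {
        'Winsock providers outside system32 (review before trusting the reset):'
        $foreign
    }

    # The actual reset; netsh returns non-zero on failure
    $results = @{}
    netsh winsock reset | Out-Null
    $results['winsock reset'] = $LASTEXITCODE
    netsh int ip reset (Join-Path $LogDir "ipreset-$stamp.log") | Out-Null
    $results['ip reset'] = $LASTEXITCODE
    $results

    "Reboot now, then compare 'ipconfig /all' and 'netsh winsock show catalog' with the files in $LogDir"
}

Reset-NetworkStack -LogDir $LogDir
```

If "netsh int ip reset" itself errors out, the saved catalog and ipconfig output are still worth keeping: they show what the infection left behind, which is useful when a later tool or a manual registry repair is needed.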

Contributor
usha
Posts: 29
Registered: ‎06-13-2012

Re: Trojan Zero.Access infection

No, haven't done that. I'll do it now or first thing tomorrow in the morning and will post the results right away.

Contributor
usha
Posts: 29
Registered: ‎06-13-2012

Re: Trojan Zero.Access infection

OK, did that. The fix finished, PC rebooted, same problem, nothing fixed. I did it manually through the cmd as advised on the website and it said "could not obtain host information from machine [YOUR-4.....S] some command may not be available".

Bot Obliterator
Quads
Posts: 16,451
Registered: ‎07-21-2008

Re: Trojan Zero.Access infection


After infecting my system with one of the newest ZeroAccess installers / droppers:

When running ComboFix the first time around, the problem(s) did not appear in the log. After I repaired 2 services I downloaded a fresh copy of ComboFix (today), and on Windows 7 loading it takes an age for the network centre to load in the systray.

On the new log, this appeared. OHHHHHHH, netsvcs is damaged, and that means services that require netsvcs are also stuffed.

NETSVCS REQUIRES REPAIRS - current entries shown

aelookupsvc
certpropsvc
scpolicysvc
lanmanserver
gpsvc
ikeext
audiosrv
fastuserswitchingcompatibility
ias
irmon
rasauto
rasman
remoteaccess
sens
sharedaccess
tapisrv
wmi
termservice
wuauserv
bits
shellhwdetection
iphlpsvc
seclogon
appinfo
msiscsi
mmcss
wercplsupport
eaphost
profsvc
schedule
hkmsvc
sessionenv
winmgmt
browser
themes
bdesvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

Here is an example of an XP damaged netsvcs key and all the services under that, below:

NETSVCS REQUIRES REPAIRS - current entries shown
6to4
AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
DHCP
ERSvc
EventSystem
FastUserSwitchingCompatibility
HidServ
Ias
Iprip
Irmon
LanmanServer
LanmanWorkstation
Messenger
Netman
Nla
Ntmssvc
NWCWorkstation
Nwsapagent
Rasauto
HpqRemHid
wanatw
sgeclient
se2Bnd5
pml
savrt
streamloadservice
z525obex
qbreminderflash
scsk4
utscsi
VCIDRV
sonypvs1
addfiltr
nimxdfk
ELmou
navap
XBCD
LMIRfsClientNP
smcservice
{6080a529-897e-4629-a488-aba0c29b635e}
lkcitadelserver
igateway
atiavaiw
amdk8
mcshield
WmiAcpi
ood2000
netmnt
tphdexlgsvc
ZTEusbmdm6k
xfactorae1
aegisp
fcdabus
RMCAST
uclauncherservice
TuneUp.ProgramStatisticsSvc
starwindserviceae
bc_pat_f
U81xobex
rspndr
s7otranx
aslm75
MSMQTriggers
procexp100
regspy
houdiniserver
RTL8023xp
zunenetworksvc
{d31a0762-0ceb-444e-acff-b049a1f6fe91}
netwg311
inorpc
OEM02Afx
websenseuserservice
vzfw
npkcrypt
bridge
zebrceb
Packet
ssdiagn
de_serv
DivisCTP
nlsvc
FileDisk
netw4x32
netsvc
mcontrol
Rasman
Remoteaccess
Schedule
Seclogon
SENS
Sharedaccess
SRService
Tapisrv
Themes (controls themes for the System, classic view or not)
TrkWks
W32Time
WZCSVC
Wmi
WmdmPmSp
winmgmt
wscsvc
xmlprov
BITS
wuauserv
ShellHWDetection
helpsvc
WmdmPmSN
napagent
hkmsvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

Have to find a registry fix for that.

Quads
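The netsvcs value that Quads quotes above is a REG_MULTI_SZ under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost; every name in it should be a service whose ImagePath launches svchost.exe with "-k netsvcs" and whose Parameters\ServiceDll points at a DLL on disk. As an added example, not from the thread, the script below audits each entry by exactly those rules: entries that resolve to kernel or file-system drivers, to services not launched by svchost -k netsvcs, or to a ServiceDll that is gone are marked suspicious (my reading of the XP list above is that many of its extra names are device drivers, which is the case this catches); entries with no service key at all are only reported, because optional components such as Ias or Irmon are legitimately absent on some installs. With -Repair it exports the key to a .reg backup and writes the value back without the suspicious names. It does not put back legitimate entries that the infection deleted; the correct default list differs per Windows version and edition, which is the "registry fix" Quads says still has to be found. Assumes an elevated prompt; the backup location is an assumption.

```powershell
# Added example, not from the thread: audit (and optionally prune) the svchost
# "netsvcs" group. Without -Repair nothing is written. Run elevated.
param([switch]$Repair)

$svchostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-NetsvcsAudit {
    $entries = @((Get-ItemProperty -Path $svchostKey -Name netsvcs).netsvcs)
    foreach ($name in $entries) {
        $svcKey  = Join-Path $servicesKey $name
        $verdict = 'ok'; $reason = ''

        if (-not (Test-Path $svcKey)) {
            # Optional components may legitimately be absent: report, never delete
            $verdict = 'info'; $reason = 'no service key (optional component or removed)'
        } else {
            $p    = Get-ItemProperty -Path $svcKey
            $type = [int]$p.Type            # 0x1 kernel driver, 0x2 FS driver, 0x10/0x20 Win32 service
            $img  = [string]$p.ImagePath    # REG_EXPAND_SZ is expanded by Get-ItemProperty

            if ($type -band 0x3) {
                $verdict = 'suspicious'; $reason = ('driver, not a service (Type 0x{0:x})' -f $type)
            } elseif ($img -notmatch 'svchost\.exe.*-k\s+netsvcs') {
                $verdict = 'suspicious'; $reason = "not hosted by svchost -k netsvcs (ImagePath '$img')"
            } else {
                $dll = (Get-ItemProperty -Path "$svcKey\Parameters" -ErrorAction SilentlyContinue).ServiceDll
                if (-not $dll) {
                    $verdict = 'suspicious'; $reason = 'no Parameters\ServiceDll'
                } elseif (-not (Test-Path ([Environment]::ExpandEnvironmentVariables($dll)))) {
                    $verdict = 'suspicious'; $reason = "ServiceDll missing on disk: $dll"
                }
            }
        }
        New-Object PSObject -Property @{ Name = $name; Verdict = $verdict; Reason = $reason }
    }
}

$audit = @(Get-NetsvcsAudit)
$audit | Format-Table Name, Verdict, Reason -AutoSize

if ($Repair) {
    # Assumed backup location; reg.exe export gives a file you can double-click to restore
    $backup = Join-Path $env:TEMP ('svchost-backup-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    & reg.exe export 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost' $backup | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "backup failed, not touching netsvcs" }

    $keep = @($audit | Where-Object { $_.Verdict -ne 'suspicious' } | ForEach-Object { $_.Name })
    Set-ItemProperty -Path $svchostKey -Name netsvcs -Value $keep -Type MultiString
    "netsvcs rewritten with $($keep.Count) of $($audit.Count) entries; backup at $backup"
}
```

Run it once without -Repair and read the verdicts before pruning anything: a name that shows as "info" should be checked against the OS's default netsvcs list rather than assumed clean or assumed bad, and a service marked suspicious because its ServiceDll is missing may be a legitimate service whose DLL the infection removed, which needs the file restored rather than the entry deleted.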