Files 00000001.@ and 80000000.@ with Symantec Endpoint Protection

Today my Symantec Endpoint Protection started giving me messages about both of these files. Prior to coming here I did run a full scan with Malwarebytes' Anti-Malware (turned up nothing) and a full scan on Symantec Endpoint Protection which turned up some kind of "unavaliable trackware" that it deleted and I hope that doesn't compromise anyone's ability to help me. I'm running Windows 7 64 bit and version 11.0.5002.333 of Symantec Endpoint Protection.

 

Thanks in advance to whoever may be able to help. Let me know if any other information is needed to proceed.

Yes I do.

 

 

Hello,

 

I have Windows 7 64bit installed with Symantec Endpoint Protection ver. 11.0.5002.333

 

I saw QUADS was helping people and he demanded no work (scans, etc.) be done and to start my own thread.

 

Well here it is.

 

The files brought to my attention by the Auto-Protect feature are:

 

00000001.@ labeled as a backdoor.trojan and 80000000.@ labeled as a trojan.zeroaccess

 

What can I do to help?

Read Slowly and all of it.

 

Please download http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/   You need to download the 64bit version.


Transfer it on to the Flash Drive.

Enter System Recovery Options

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.


On the System Recovery Options menu you will get the following options:

 

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt


  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive.  restart the system and load Windows Please copy and paste it to your reply.

 

Quads

"The message cannot exceed 20,000 characters" is the error message I receive when copying and pasting

 

I have attached the file "FRST.txt"

 

I did try one symantec " fix zeroaccess" tool before finding these forums, but stopped immediately after seeing your postings.

 

Just wanted you to know.

We will deal with your patched services.exe later,  unless the system keeps restarting like every 1min after below, then we will have to do extra steps using FRST.

 

 

Download the script attached, needs to be the same file name as well, Copy across to flash drive

 

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options again. Like previously

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe or frst64.exe and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press the Fix button just once and wait.
  • The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

 

Quads

Attached is the "Fixlog.txt" file after performing "fix" command in FRST

 

 

Are you still posting here on the infected system,  meaning you are still loading Windows OK??

 

Quads

Yes I am using the infected computer.

 

No restarts.

 

No "notifications" from Symantec's auto-protect system regarding the files 0000000.1@ and 80000000.@

 

 

Step 3.   I hope this doesn't take more than 7 hours like one poor user

 

 

Please read carefully Read all of this message first

 

Download Combofix http://www.bleepingcomputer.com/download/anti-virus/combofix


  • Ensure that Combofix is saved directly to the Desktop <--- Very important

  • Disable all security programs as they will have a negative effect on Combofix, Disabled for say 1 hour or more.
  • Close any open browsers and any other programs you might have running

 

Right click the combofix.exe on the desktop and select from the menu "Run as Administrator"

 

  • If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
  • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review


****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

*EXTRA NOTES*

  • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
  • If Combofix reboot's due to a rootkit, the screen may stay black for several minutes on reboot, this is normal
  • If after running Combofix you receive any type of warning message about registry key's being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted)

Quads

According to my Symantec Endpoint Protection, the services are disabled.

 

I did this by right clicking the icon in the windows startbar and clicking "disable endpoint protection"

 

The window of symantec indicates that the "file system auto-protect" and the "proactive threat protection" are disabled.

 

 

HOWEVER, when running ComboFix, the software indicates that the "antivirus: Symantec" and "antispyware: Symantec" are real scanners that are still active.

 

 

I tried using the task manager to end the processes for symantec but it appear to restart itself.

 

What is the next step?

It could be the Windows security center reporting incorrectly.

 

Combofix should still be able to run and carry on though it's stages.

 

Quads

Here is the "ComboFix.txt" log file

Your services.exe has been cured and I noticed that it also took one of the files where I found the odd Winlogon registry key was and pointing to "C:\Users\NOL\AppData\Roaming\Microsoft\Windows\shell.exe" I took the registry key with FRST in Step 2.

 

On with step 4.

 

Please read carefully and Slowly

 

 Please scan with ESET next 


I'd like us to scan your machine with ESET OnlineScan

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and DON'T (NO) check Remove found threats (reason for this is we don't want something deleted and then Windows won't load).
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • Attach the resulting log in your next reply


If you think a log should have been generated then go to C:\Program Files\ESET\ESET Online Scanner\log.txt to find it. 

 

Quads

 

 

QUADS,

 

Thank you for the help so far.

 

The ESET scan is currently at 15% (started right after your post) and I need to get some sleep (as I'm sure you do too if you are in the USA).

 

I will post the ESET log in 7 hours from the time of this post.

 

Thanks again QUADS!

I am in New Zealand  (Earthquake City)  

 

As long as you do not try and move any items including files, leavie any files listed where they are as I will use the ESET log and another log  to script and clean things up.

 

Quads

Attached is the "log.txt" output log from the ESET online scan.

 

Looks like the scan took roughly 3 hours

Download OTL http://www.bleepingcomputer.com/download/otl/

 

Disable Norton for say 30 minutes

 

Start OTL,  

Click the Scan All Users checkbox.

Change file age to 60 days

 

Press the 

 

 

An OTL.txt  and extras.txt will be created.

 

Quads

Here are the output files from OTL.exe called "OTL.txt" and "Extras.txt"

 

 

You can uninstall 

 

"ESET Online Scanner" = ESET Online Scanner v3

 

Quads