Yesterday I started receiving pop-ups from Norton 360 5.0. The first, I think, was a Trojan.Gen.2, and exploring the details indicated it was 00000002.@, which was supposedly located at C:\windows\assembly\Temp\u\00000002.@
Then shortly after I started getting pop-ups about a threat requiring manual removal: System Infected: Tidserv Activity 2
I have thrown every Norton thing I can find at my PC at least 3 times now: FixTDSS.exe, Norton Power Eraser, Norton 360 5.0, Norton Utilities 15.0. I have also tried the Microsoft Windows Malicious Software Removal Tool a couple of times (all full scans), then read somewhere that Malwarebytes would take care of it, purchased that, installed it and tried everything it had to offer.
Nothing is ever found, but I keep getting pop-ups about the Trojan.Gen.2, the Tidserv Activity and now another that I have high CPU usage by: TCP/IP Ping Command - C:\windows\sysWOW64\PING.exe, and now Malwarebytes is blocking lots of "potentially malicious sites" from both PING.exe and svchost.exe.
I am afraid I will probably end up wiping the drive and starting from scratch. Pulling out my hair thinking about it. Any suggestions before I have nothing left to pull out and will thus have to wipe, format and rebuild?
From your description it sounds like a ZeroAccess rootkit, which is becoming more prevalent. I suggest that you visit one of these free malware removal forums and have the infection properly identified and removed. They are all very competent. Do not click on any of the advertising, but sign in on an account and they will help you.
2. Make sure you have your product key written down; you should find it in Start >> My Documents >> Symantec
3. Follow the instructions on the website, create a bootable disk and restart the computer with it.
4. Once the main screen comes up, select Advanced Scan
5. Choose Scan Now and wait for the scan to complete. It should pick up any kind of infection on the computer and fix it.
NB: If you have an MBR-based Tidserv infection, the likely chance of the OS rebooting is 50%.
Hence, before you proceed with the steps, make sure you have your Operating System disk handy to run a few commands, just in case the Operating System doesn't boot back.
Let us know what happens with the scan and we will let you know what to do.
Using Norton Recovery Tool right now as suggested - it has scanned a half million files and has found 1 Trojan.Gen.2 - have no details yet as the scan is still going. Does anybody from Norton want a copy of the dirty bugger once I identify it, or should I just delete it? Anything else Norton would like? Think this will resolve the issue but will let you know when done. Thanx for the advice from all.
(Running Windows 7 on Intel Quad-core w/ 8 GB RAM)
The scan completed - it only found the one Trojan.Gen.2, which was located in the file C:\windows\system32\conserv.dll - it deleted it when the recovery tool completed, but then I could not boot - kept crashing. Went in and did the undo on the recovery tool - the system booted, but just as I was going to make a copy of the file, Norton 360 5.0 detected & deleted it. Now I cannot reboot again - it keeps crashing after the Windows 7 logo loads - can't repair at the moment either - the system started as Windows Vista, which came with a free upgrade to Windows 7 when it was released - I have recovery disks but they are Vista, and I cannot seem to get the needed file off the other upgrade disks yet. To top it all off, I just had a power surge in my area that pretty much wrecked my work on 2 PCs for the day. It must be my lucky week! All the lottos in my area have just gone out, but not to me, otherwise I'd be buying tickets. Think I just need a new copy of this conserv.dll, but not sure how I am going to get it or get it into my file system. ?????
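For anyone landing on this thread with the same symptoms, here is an added read-only triage script (written for this page, not from the thread's posters, Norton or Malwarebytes). It checks for the indicators named above (the assembly\Temp\u directory, conserv.dll in system32, PING.exe burning CPU with outbound connections) and records what it finds, so the output can be posted to one of the removal forums. It deliberately deletes nothing, because removing conserv.dll is exactly what left the poster's machine unbootable. The output file path is an assumption; change it as needed.

```powershell
# Added triage script: collect evidence only, remove nothing.
# Written for Windows PowerShell 2.0 (the version shipped with Windows 7).
# Assumed output location: Desktop\rootkit-triage.txt
$report = Join-Path ([Environment]::GetFolderPath('Desktop')) 'rootkit-triage.txt'

# Paths named in the thread's alerts (the file names are the thread's, not guaranteed on every machine)
$indicators = @(
    "$env:SystemRoot\assembly\Temp\u",
    "$env:SystemRoot\assembly\Temp\u\00000002.@",
    "$env:SystemRoot\system32\conserv.dll"
)

$lines = @()
$lines += "== File-system indicators (checked $(Get-Date)) =="
foreach ($path in $indicators) {
    if (Test-Path -LiteralPath $path) {
        # -Force so hidden/system attributes do not hide the item
        $item = Get-Item -LiteralPath $path -Force
        $lines += ("PRESENT  {0}  modified {1}  attributes {2}" -f $path, $item.LastWriteTime, $item.Attributes)
    } else {
        $lines += ("absent   {0}" -f $path)
    }
}

# PING.exe should not be running continuously on an idle desktop; list any instance with its parent
$lines += ""
$lines += "== Running PING.exe processes and their parents =="
$pingProcs = @(Get-WmiObject Win32_Process -Filter "Name = 'PING.EXE'")
if ($pingProcs.Count -eq 0) {
    $lines += "no PING.exe process running"
}
foreach ($p in $pingProcs) {
    $parent = Get-WmiObject Win32_Process -Filter ("ProcessId = {0}" -f $p.ParentProcessId)
    $parentName = if ($parent) { $parent.Name } else { '<exited>' }
    $lines += ("pid {0}  parent {1} ({2})  path {3}  cmdline {4}" -f `
        $p.ProcessId, $p.ParentProcessId, $parentName, $p.ExecutablePath, $p.CommandLine)
}

# Outbound TCP connections owned by those PING.exe PIDs (netstat -ano prints the PID as the last column)
$lines += ""
$lines += "== Outbound TCP connections owned by PING.exe =="
$pingPids = $pingProcs | ForEach-Object { [int]$_.ProcessId }
$conns = netstat -ano | Where-Object { $_ -match 'ESTABLISHED|SYN_SENT' } | ForEach-Object {
    $fields = ($_ -replace '^\s+', '') -split '\s+'
    if ($fields.Length -ge 5 -and ($pingPids -contains [int]$fields[4])) {
        ("{0} -> {1}  {2}  pid {3}" -f $fields[1], $fields[2], $fields[3], $fields[4])
    }
}
if ($conns) { $lines += $conns } else { $lines += "none" }

$lines | Tee-Object -FilePath $report
Write-Host "`nSaved to $report - attach this to your forum post rather than deleting anything yourself."
```

Run it from an elevated PowerShell prompt (right-click, Run as administrator) so the process and path queries are not blocked by permissions. A present conserv.dll or a persistent PING.exe with a parent such as svchost.exe is evidence to hand to the removal forum; it is not a prompt to delete files by hand.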
Unfortunately, this is the signature of the zeroaccess rootkit that delphinium warned you about. It contains a tripwire that kills your system if security software finds it. Up to that point, this could have been fixed at one of the forums mentioned, but I'm pretty sure now you are going to have to wipe the drive and start over.
Note: some of these nasties have been known to survive a reformat and rewrite of the Master Boot Record...so I would suggest that you head to one of the forums delphinium mentioned, rather than try to straighten this out on your own.
And for future reference... any time the name "Quads" is invoked with regard to a malware issue, you're wise to pay attention. He's our resident ace, and even the Symantec folks on the boards will generally defer to him! You had no way to know that, of course.
I think you are probably correct, and I have already started doing the back-up of my files and will wipe and rebuild the drive. Now that I am sure what I am dealing with, I would much rather do that 10 times than pay the fools who wrote this thing a penny. Good luck in your ventures.
If we spent 10% of the time we do trying to bring down the other guys and put ourselves as "king of the mountain" and tried to build a better place for all of us to exist - we could have had a pretty decent utopia by now - but alas greed, power, corruption and fame are all that exist in some fools' hearts.
Don't hold this against Norton (or rharesh, who looks to be new--but quite promising--and just didn't know Quads or delphinium yet). And please note that the forums to which delphinium referred you are (1) specialized malware removal forums, and not run by Norton or any other "line of defense" security provider, and (2) free, and very good.
As for Norton (or any other security suite), the metaphor you invoke is quite apt: computer security is an arms race, against a cunning and adaptive adversary who has concluded that the fact that most of us have accepted the "social contract" --i.e., to live within the rules so that we can enjoy life and not have to worry about keeping ourselves armed to fight them off--simply makes us easier pickings for them. New variants of these nasties are invented every day by people determined to steal your cash or your identity, or turn your computer into a "zombie" conducting Distributed Denial-of-Service (DDoS) attacks to blackmail corporate websites into paying them "protection" money. Norton is the best protection against these things that there is (according to the routine verdicts of the independent testing labs...and according to my own quarter-century as an IT leader)...but every now and then, something is going to get through--often because we chose to overrule our security software because we were so eager to use a program or visit a website we "knew" was safe...but sometimes just because the next exploit finds us before Norton finds it.
For this reason, the best defense is a layered defense--with our own safe computing practices the first, most critical layer. Norton gives us a second layer, to catch anything we might let slip through. A good, on-demand third-party scanner like the free versions of malwarebytes or superantispyware makes a good third layer. And then those recommended forums are the fourth layer--for when it just takes the power of a distributed, adaptive network of good guys to overwhelm the distributed, adaptive network of bad guys who will only get richer at our expense if we let down our guard.
Then we can get back to making a better world for tomorrow's child.
Very well put indeed & I agree. I hope you were not thinking I was holding this against Norton or anyone on the forums. It is my own sheer stupidity that the bug invaded my space, but had it not been for the greed, power, corruption & want of the people who wrote it & put it there I would never have encountered it. I thank all for the help. Life is getting frustrating & those without the fortitude & knowledge will just give up - I have found several perfectly good PCs & laptops in the garbage that just needed some good Norton & were able to work perfectly fine. The previous owners either found new toys or gave up on them completely, which I think the latter will win out in the end.
Take care & thanx again. My files will take hours to back up & if the bugger comes back I got about a dozen more drives I can try.
I'm sorry this happened rickyqt. It could have happened at the forums as well, but because scans are used to identify the infection, and only specialists are allowed to handle the removal, there would have been more chance of a successful removal.
Hopefully you get sorted out quickly and back on track. In case of future Fake AVs, never click on a fake scan to close it. Either use the back button to get off the website or use Alt+F4 to close it. Malware writers spend as much time reverse engineering security products as others do tightening up security.
I would have waited for help, but the Norton recovery just fixed the file when the scan was complete - it offered me no options - I tried to run the Power Eraser afterward too and got an error message near the end about it not being able to connect to the server - but it had when the scan first started to check for updates - so the bugger was probably still in there then. When I exited the recovery & rebooted from the hard drive it would not boot - kept crashing. I did an undo of the Norton recovery - then booted, which it did - but I went quickly to the folder and found the named file, and just as I was about to click on it to copy it the Norton flag jumped up that it had discovered Trojan.Gen.2 and the file disappeared. The flag indicated the problem was resolved. I went to reboot and it went back to crashing again.
I have not lost anything but time and that is pretty much all I have. I am a self taught 53 yo aging hippy with nothing to do but learn & complain. I like to learn & I love to complain. I don't know much & I know less every day - hope it stays that way. My files are all recoverable & it just takes the time to reload the OS & programs - this gets rid of all the junk I don't need which probably slows up my system.
So thanx again for the help, the words of wisdom and the advice - I will be more patient next time & leave the expert learning stuff to you guys - me, I'm just tinkering for fun.
It might be worth tinkering some more if you can get it running in safe mode. If you can add the file to Norton exclusions without crashing you might still be able to go to the forums and get help removing it. It is very interesting watching them work, and chances are they can still deal with the problem. That might perhaps stop Norton from taking the file and allowing the machine to run. If not they can deal with it in safe mode to begin with.