Read the recent history because I was bored… in NIS 2009…
There was something called "IP address has disappeared from adapter Teredo Tunneling Pseudo-Interface and is no longer being protected (IP address: _______________________)".
And ALSO… I keep getting Bloodhound.MBR detected by Auto-Protect.
Hello again folks:
I was reviewing my logs and noticed the following entry and was wondering what it meant (I know, a little knowledge can be dangerous....):
"IP Address has disappeared from adapter RealTek PCIe family controller and is no longer being protected"
It also shows the IP address. I think this happens at startup. I'm assuming it's normal, but thought I'd check.
Thanks, BC
Win 7 Pro - fully updated, NIS 2011, Windows Defender and Firewall disabled.
Thanks for the reply,
I scanned with 'Include Rootkit scan' with NPE.exe (Norton Power Eraser) and nothing turned up :(
I am still being redirected and my Malwarebytes often pops up saying Chrome.exe is acting suspicious.
I will follow as you mentioned and go into safe mode, I will finish this scan now then do it in Safe mode.
I also have to add, every 5 - 10 minutes a file with Trojan.Gen.2 executes and Norton blocks it.
The directory is: Full Path: c:\windows\assembly\tmp\u\800000cf.@
I tried accessing the file and it apparently does not exist.
"ZeroAccess Rootkit Activity 2" sounds like the Intrusion Protection detecting and blocking network activity for the infected system that has ZeroAccess (Zeloacres), which is also able to protect itself.
The latest versions of this rootkit still infect a critical Windows file, like TDL (TDSS). I don't think NPE has the ability to cure this rootkit, and I have not come across a Norton tool for this family.
Quads
This was resolved. It was Trojan.Vundo.B
I know how to get rid of this now. So I will keep it in backup in case I want to do anything with it... :)
Can you let us know how this was resolved ?
Was it using the scan in safe mode?
Zeroaccess tries to contact C&C servers (web addresses) like Tidserv (TDL, TDSS) 3, 3+ and that is where the intrusion prevention warning appears.
Quads
WARNING!! Do not use NPE (Norton Power Eraser) if your system is infected with Zeroaccess, Zeloaces or anything detected with those names.
I have tried it and a couple of things happened, one being that after NPE restarted the computer I ended up in a BSOD (Blue Screen of Death) boot loop.
Possibly to do with Zeroaccess's self-protecting methods (tripwire).
Quads
Hi,
I recently ran into the same problem and I am not sure how to get rid of it. Every few days I perform a full scan and pick up
8000cf.@ (trojan.gen.2) detected by Virus scanner.
Infected file: C:\windows\assembly\tmp\u\800000cf.@
No fix attempted
Infected file: C:\windows\assembly\tmp\u\800000cf.@
Removed
Norton quarantines this virus, but it reoccurs again and again. I am not sure if this is a problem with Norton or there is really a virus.
I have been also getting hit everyday when I boot up my computer with:
IPS Alert Name - System Infected: ZeroAccess Rootkit Activity 2
Default Action - No Action Required
Action Taken - No Action Required
Attacking Computer - 174.138.164.36, 80
Attacker URL - ttwaqvin.cn/keyword_multi.php?w76
I have also noticed my browser acting funny, auto-opening random pages.
HELP!!! How can I get rid of this virus if Norton can't remove it?
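The IPS alert and the scanner entries pasted above follow a fixed "Field - value" / "Infected file: path" layout, so a defender can parse them rather than read them by eye. The following is an added example (not Norton code, and not from anyone in this thread): it pulls the remote endpoint and the alert family out of the IPS record, flags that a "System Infected:" alert means the local host is the compromised party, and counts how often the same file path is detected across scans, which is the recurring-quarantine pattern described in the post. The sample text is constructed from the values quoted in the thread; the field names are assumed to be exactly as pasted.

```python
"""Parse the Norton log excerpts quoted in this thread into structured records.

Added example; not Norton's code. The "Field - value" layout and the sample
values are taken from the alert as pasted in the thread; the text blocks below
are constructed from those quoted values.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample, built from the IPS alert quoted in the thread.
IPS_ALERT_TEXT = """\
IPS Alert Name - System Infected: ZeroAccess Rootkit Activity 2
Default Action - No Action Required
Action Taken - No Action Required
Attacking Computer - 174.138.164.36, 80
Attacker URL - ttwaqvin.cn/keyword_multi.php?w76
"""

# Constructed sample of repeated scanner detections (same path, several scans).
SCAN_LOG_TEXT = """\
Infected file: C:\\windows\\assembly\\tmp\\u\\800000cf.@
No fix attempted
Infected file: C:\\windows\\assembly\\tmp\\u\\800000cf.@
Removed
Infected file: C:\\windows\\assembly\\tmp\\u\\800000cf.@
Removed
"""

FIELD_RE = re.compile(r"^(?P<key>[^-]+?)\s+-\s+(?P<value>.+)$")


def parse_ips_alert(text):
    """Turn 'Key - value' lines into a dict keyed by field name."""
    record = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            record[m.group("key").strip()] = m.group("value").strip()
    return record


def triage_ips_alert(record):
    """Summarise what a defender should take from the alert.

    'System Infected:' in the alert name means the IPS saw outbound traffic
    from an already-compromised host, not an inbound attack: the local machine
    is what needs cleaning, and the remote endpoint is an indicator to block or watch.
    """
    name = record.get("IPS Alert Name", "")
    host_infected = name.startswith("System Infected:")
    ip, port = None, None
    attacker = record.get("Attacking Computer", "")
    if "," in attacker:
        ip, port = (p.strip() for p in attacker.split(",", 1))
        port = int(port)
    url = record.get("Attacker URL", "")
    # The pasted URL has no scheme, so add one before splitting out the host.
    url_host = urlsplit(url if "://" in url else "http://" + url).hostname
    return {
        "local_host_infected": host_infected,
        "family": name.split(":", 1)[1].strip() if host_infected else name,
        "remote_ip": ip,
        "remote_port": port,
        "remote_host": url_host,
        # "No Action Required" is Norton reporting the event as already handled.
        "already_handled": record.get("Action Taken", "") == "No Action Required",
    }


def recurring_detections(text, threshold=2):
    """Count 'Infected file:' paths; a path seen at least `threshold` times is
    one that keeps coming back after quarantine, the pattern described above."""
    counts = Counter()
    for line in text.splitlines():
        if line.startswith("Infected file:"):
            counts[line.split(":", 1)[1].strip().lower()] += 1
    return {path: n for path, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print(triage_ips_alert(parse_ips_alert(IPS_ALERT_TEXT)))
    print(recurring_detections(SCAN_LOG_TEXT))
```

Paths are lower-cased before counting because Windows paths are case-insensitive and scanner output does not always use consistent case; the remote host and IP are returned separately so that either can be fed to a firewall or DNS block list.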
You could try visiting one of the malware removal forums like bleeping computer.
Also, you could try TDSSKiller from Kaspersky Labs. It's very effective against known and unknown rootkits. It supports both x32 and x64 systems.
http://support.kaspersky.com/viruses/solutions?qid=208283363
TDSSKiller does not deal with Zeroaccess; they are 2 different rootkits. TDSSKiller is for the TDSS (Tidserv, TDL) group.
I have not had TDSSKiller deal with Zeroaccess; has someone else been successful?
There are ways around Zeroaccess and the tripwire (self-protect) mechanism, but TDSSKiller is not it.
I just really can't understand suggestions given that are for a different malware family and not the family in question, like asking a user to use Malwarebytes to remove Virut, or TDSSKiller to remove Zeroaccess.
Quads
Quads wrote: TDSSKiller does not deal with Zeroaccess; they are 2 different rootkits. TDSSKiller is for the TDSS (Tidserv, TDL) group.
...
Quads
Kaspersky Support states that TDSSKiller is able to eliminate not only TDSS and its group but also any other undetected rootkits/bootkits as well.
Could you try to use the latest 2.6.2 version of TDSSKiller in ZeroAccess malware removal process?
Nerimash, I have downloaded TDSSKiller and ran it, but it does not work.
Quads, you say there are ways around and that is?
Appreciate your help.
Kaspersky Support states that TDSSKiller is able to eliminate not only TDSS and its group but also any other undetected rootkits/bootkits as well.
When Quads says something won't work, it will not work. The OP is lucky he did not end up in a blue screen boot loop.
I would suggest that the OP save all important documents and photos as Zeroaccess can be difficult to remove safely because of the tripwire. A visit to one of these free malware removal forums to sign in and get one on one trained assistance would be the most beneficial.
www.bleepingcomputer.com
http://www.geekstogo.com/forum/
http://www.cybertechhelp.com/forums/
http://forums.whatthetech.com/
HowDidGetThis wrote: Nerimash, I have downloaded TDSSKiller and ran it, but it does not work.
Quads, you say there are ways around and that is?
Appreciate your help.
Can you provide more information about faulty behavior of TDSSKiller?
1. TDSSKiller was not able to run?
2. TDSSKiller was run successfully but it didn't find rootkit?
3. Any other behavior.
Can you provide a GSI report link in this thread (http://www.getsysteminfo.com/)? (Also, the examination tool can be downloaded from that site.)
delphinium wrote:
When Quads says something won't work, it will not work. The OP is lucky he did not end up in a blue screen boot loop.
I'm not sure.
It is still a good deal easier to get an infection out of a machine that will still boot up into Windows.
delphinium wrote: It is still a good deal easier to get an infection out of a machine that will still boot up into Windows.
TDSSKiller is able to detect and remove ZeroAccess rootkit without any boot problems on user side. That's why I requested some additional information from user.
Maybe it's not a rootkit, just a nasty trojan which is trying to connect to some C&C server in the way ZeroAccess does.