Trojan.Zeroaccess!kmem


11 replies to this topic

#1 Derricksc1

Posted 29 January 2012 - 07:02 PM

I've been trying for about a week to find a solution to remove it. I also had an issue with Trojan.Zeroaccess!gen6; I removed it as of today, I think. I ran Rkill with Norton and also ran Norton's Power Eraser. It seems to have fixed Trojan.Zeroaccess!gen6; however, Trojan.Zeroaccess!kmem is still an issue, and I can't find any way to actually remove it:


c:\windows\system32\ntos

Please help. I run Norton about 4-5 times a day now, and each time it finds many risks. From what I have read on it, it seems to be low harm, but it pops up random windows and links when I change websites or click general Google links or other links.


Thanks,

Derrick

*Edit: Moved topic from Windows 7 to the more appropriate forum~Queen-Evie*

Edited by Queen-Evie, 29 January 2012 - 07:27 PM.



#2 boopme (Global Moderator)

Posted 29 January 2012 - 09:40 PM

Hello and welcome..


Download the FixTDSS.exe

Save the file to your Windows desktop.
Close all running programs.
If you are running Windows XP, turn off System Restore (see: How to turn off or turn on Windows XP System Restore).
Double-click the FixTDSS.exe file to start the removal tool.
Click Start to begin the process, and then allow the tool to run.
Restart the computer when prompted by the tool.
After the computer has started, the tool will inform you of the state of infection (make sure to let me know what it said)
If you are running Windows XP, re-enable System Restore.


Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1 <<<== Use this one first.
Download Link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Troubleshoot Malwarebytes' Anti-Malware



Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 Derricksc1 (Topic Starter)

Posted 31 January 2012 - 06:59 AM

Soooooo....................... I downloaded the three programs and closed everything, and while the computer was attempting to restart it blue-screened. It won't start anymore; I'm posting from my PS3. I ran Windows Startup Repair, and I think it said it had a rootkit issue with my disk drive?? I don't know, but I can't log on to the computer at all; it doesn't even get to the Windows screen before it blue-screens.

#4 Derricksc1 (Topic Starter)

Posted 31 January 2012 - 06:49 PM

Okay, as a quick update: I was able to get back into System Restore and went back to 1/17/2012, which is the oldest restore point I have available. When I got back to the desktop, Norton was having issues and requested that I uninstall and reinstall it, as well as not finding any viruses. I tried to update Windows, though, and was unable to. I went through a couple of items on the Windows site that found another trojan that Norton hadn't found, and still can't. Should I still be using the above three methods? I will run them tonight and get back to you if you want me to. So as an update, I haven't run any of the above programs due to not wanting the blue-screen chain again; I will if you feel that wasn't the cause. However, Windows won't update, and I uninstalled and reinstalled Norton as it advised. Norton seems to be running the same as it was previously; it has fully updated itself and is running normally, aside from finding the trojans, which I believe may still be there. Sorry for any inconvenience!


Thanks,

Derrick

#5 boopme (Global Moderator)

Posted 31 January 2012 - 07:29 PM

Hello. I had jury duty today.
"found another trojan" - Do you still know that one's name?
Yes, please run those.

Edited by boopme, 31 January 2012 - 07:31 PM.


#6 Derricksc1 (Topic Starter)

Posted 31 January 2012 - 11:27 PM

Okay, part one is done. It said Backdoor.Tidserv was found on my computer. Running MBAM now.


EDIT: Getting an error message when trying to update MBAM:
PROGRAM_ERROR_UPDATING (92, 0, I/O error)

The system cannot find the file specified.

Edited by Derricksc1, 31 January 2012 - 11:31 PM.


#7 boopme (Global Moderator)

Posted 31 January 2012 - 11:54 PM

Please ensure these items are excluded from your Antivirus AND your Firewall

Exclude Malwarebytes' Anti-Malware's Files and Folders From Other Active Security Programs:

For Windows XP:
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Malwarebytes' Anti-Malware\zlib.dll
C:\Program Files\Malwarebytes' Anti-Malware\mbam.dll
C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll
C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref
C:\Windows\System32\drivers\mbam.sys
C:\Windows\System32\drivers\mbamswissarmy.sys

For Windows Vista or Windows 7:
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Malwarebytes' Anti-Malware\zlib.dll
C:\Program Files\Malwarebytes' Anti-Malware\mbam.dll
C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll
C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref
C:\Windows\System32\drivers\mbam.sys
C:\Windows\System32\drivers\mbamswissarmy.sys

For 64-bit versions of Windows Vista or Windows 7:
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\zlib.dll
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.dll
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamext.dll
C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref
C:\Windows\System32\drivers\mbam.sys
C:\Windows\SysWoW64\drivers\mbamswissarmy.sys

Note: If using a software firewall besides the built-in Windows Firewall, you'll need to exclude MBAM.EXE from it as well.

The FAQ contains examples of setting file exclusions for some known AV products.

#8 Derricksc1 (Topic Starter)

Posted 01 February 2012 - 06:31 AM

That's the thing: Norton isn't currently working, Windows Defender can't update so it isn't turning on, and Windows Firewall was disabled, so in essence there is no defence. Any other ideas about what might be preventing it from updating??

#9 boopme (Global Moderator)

Posted 01 February 2012 - 03:47 PM

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
Click the "Scan" button to start the scan.

On completion of the scan click "Save log", save it to your desktop and post it in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.



Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

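What the aswMBR step above is doing with that sector, shown as an added Python example rather than code from the thread or from the aswMBR tool: the script parses a 512-byte master boot record, checks the 0x55AA signature, walks the four partition-table entries and hashes the boot-code bytes (the first 440 bytes; the disk signature that follows them differs per machine, so it is left out) so they can be compared with a baseline captured from a known-clean machine of the same Windows version. Boot code whose hash matches nothing you trust is the situation a scanner reports as "unknown MBR code"; it is also what a bootkit that rewrote the MBR would look like, and it is why the tool tells you not to delete MBR.dat. The sample sector is constructed inside the script (it is not a real disk image) with the same partition layout as the log posted later in the thread; the set of trusted hashes is an assumption the caller supplies.

```python
import hashlib
import struct
from typing import Dict, List, Set

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # bytes 0..439 boot code, 440..443 disk signature, 444..445 reserved
PART_TABLE_OFF = 446         # four 16-byte partition entries start here
PART_ENTRY_LEN = 16
MBR_SIGNATURE = b"\x55\xaa"  # bytes 510..511

PARTITION_TYPES = {
    0x07: "HPFS/NTFS", 0x05: "Extended", 0x0F: "Extended LBA", 0x0C: "FAT32 LBA",
    0x27: "Hidden NTFS", 0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective",
}


def build_sample_mbr() -> bytes:
    """Constructed sample sector (not a real disk image): placeholder boot code
    plus two NTFS partitions laid out like the aswMBR log in this thread."""
    boot_code = b"\xeb\xfe" + b"\x90" * (BOOT_CODE_LEN - 2)  # jmp $ + NOPs: a stand-in, not real boot code
    disk_signature = struct.pack("<I", 0x1234ABCD)           # arbitrary constructed value
    reserved = b"\x00\x00"
    # Entry layout: status, CHS start (dummy here), type, CHS end (dummy), LBA start, sector count
    entries = [
        struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 602312641),
        struct.pack("<B3sB3sII", 0x00, b"\xfe\xff\xff", 0x07, b"\xfe\xff\xff", 602312704, 22822912),
        bytes(PART_ENTRY_LEN),
        bytes(PART_ENTRY_LEN),
    ]
    mbr = boot_code + disk_signature + reserved + b"".join(entries) + MBR_SIGNATURE
    assert len(mbr) == SECTOR_SIZE
    return mbr


def parse_mbr(sector: bytes) -> Dict:
    """Decode one MBR sector into signature status, boot-code hash and partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected a {SECTOR_SIZE}-byte sector, got {len(sector)} bytes")
    partitions: List[Dict] = []
    for idx in range(4):
        off = PART_TABLE_OFF + idx * PART_ENTRY_LEN
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack(
            "<B3sB3sII", sector[off:off + PART_ENTRY_LEN])
        if ptype == 0x00 and count == 0:
            continue  # empty slot
        partitions.append({
            "index": idx + 1,
            "status": status,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown"),
            "lba_start": lba,
            "sectors": count,
            "size_mb": count * SECTOR_SIZE // (1024 * 1024),
        })
    return {
        "signature_ok": sector[510:512] == MBR_SIGNATURE,
        "disk_signature": struct.unpack("<I", sector[440:444])[0],
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def classify_boot_code(info: Dict, known_good_sha256: Set[str]) -> str:
    """Compare the boot-code hash with a baseline from a clean machine
    (the baseline set is an assumption supplied by the caller)."""
    return "known MBR code" if info["boot_code_sha256"] in known_good_sha256 else "unknown MBR code"


def first_unallocated_sector(info: Dict) -> int:
    """Sector just past the last partition. The unpartitioned tail of the disk is
    where some bootkits keep hidden storage, so scanners read on from here."""
    return max((p["lba_start"] + p["sectors"] for p in info["partitions"]), default=0)


def describe_partition(p: Dict) -> str:
    """One line per partition in the style of the aswMBR log."""
    flag = " (A)" if p["bootable"] else ""
    return (f"Partition {p['index']} {p['status']:02X}{flag} {p['type']:02X} "
            f"{p['type_name']} {p['size_mb']} MB offset {p['lba_start']}")


if __name__ == "__main__":
    info = parse_mbr(build_sample_mbr())
    print("MBR signature:", "ok" if info["signature_ok"] else "MISSING")
    print(classify_boot_code(info, set()))          # no baseline given, so: unknown MBR code
    for p in info["partitions"]:
        print(describe_partition(p))
    print("scanning sectors +" + str(first_unallocated_sector(info)))
```

To check the saved copy, read MBR.dat (assumed here to be the raw 512-byte sector) and pass the bytes to parse_mbr(). A baseline hash can be taken on a clean machine of the same Windows build with a raw read of sector 0 of the boot disk, because the boot code Windows writes is fixed per version while the disk signature is not. The comparison is only as good as that baseline, and it says nothing about the partition boot sectors or about the region past the last partition; first_unallocated_sector() tells you where that region starts.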

#10 Derricksc1 (Topic Starter)

Posted 01 February 2012 - 04:12 PM

aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-02-01 15:08:55
-----------------------------
15:08:55.930 OS Version: Windows 6.0.6002 Service Pack 2
15:08:55.931 Number of processors: 2 586 0x170A
15:08:55.933 ComputerName: OWNER-PC UserName: Derrick
15:08:58.157 Initialize success
15:09:10.872 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
15:09:10.875 Disk 0 Vendor: FUJITSU_MHZ2320BH_G2 8909 Size: 305245MB BusType: 3
15:09:10.901 Disk 0 MBR read successfully
15:09:10.905 Disk 0 MBR scan
15:09:10.909 Disk 0 unknown MBR code
15:09:10.916 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 294097 MB offset 63
15:09:10.945 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 11144 MB offset 602312704
15:09:10.952 Disk 0 scanning sectors +625135616
15:09:11.005 Disk 0 scanning C:\Windows\system32\drivers
15:09:18.570 Service scanning
15:09:20.515 Modules scanning
15:09:29.607 Disk 0 trace - called modules:
15:09:29.658 ntkrnlpa.exe CLASSPNP.SYS disk.sys ataport.SYS hal.dll PCIIDEX.SYS msahci.sys
15:09:29.665 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8663bac8]
15:09:30.019 3 CLASSPNP.SYS[8b0108b3] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x864e6b98]
15:09:30.028 Scan finished successfully
15:09:53.201 Disk 0 MBR has been saved successfully to "C:\Users\Derrick.Owner-PC\Desktop\MBR.dat"
15:09:53.210 The log file has been saved successfully to "C:\Users\Derrick.Owner-PC\Desktop\aswMBR.txt"

--------------------------------------------------------------------------

Farbar Service Scanner Version: 01-02-2012 03
Ran by Derrick (administrator) on 01-02-2012 at 15:10:59
Microsoft Windows Vista Home Premium Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
===========

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll
[2009-09-24 14:59] - [2009-04-11 00:28] - 0758784 ____A (Microsoft Corporation) 93952506C6D67330367F7E7934B6A02F

C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll
[2009-09-24 14:58] - [2009-04-11 00:28] - 0129024 ____A (Microsoft Corporation) FB27772BEAF8E1D28CCD825C09DA939B

C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****


Thanks
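The File Check block in that FSS log is the part worth reading closely: each service binary is hashed and either matched against Farbar's list ("MD5 is legit") or, when no match was found, printed with its two timestamps, size, vendor string and hash, which here happened for qmgr.dll and cryptsvc.dll. Below is an added Python example, not code from the thread or from Farbar's tool, that parses that block and pulls out the unmatched entries for triage. The sample input is copied from the log above and trimmed to a few entries, and the set of hashes the operator has already verified out of band is an assumption passed in by the caller.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample input: the tail of the Farbar Service Scanner log posted
# above, trimmed to a few File Check entries so the script runs offline.
SAMPLE_FSS_LOG = r"""Windows Update:
===========

File Check:
========
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll
[2009-09-24 14:59] - [2009-04-11 00:28] - 0758784 ____A (Microsoft Corporation) 93952506C6D67330367F7E7934B6A02F

C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll
[2009-09-24 14:58] - [2009-04-11 00:28] - 0129024 ____A (Microsoft Corporation) FB27772BEAF8E1D28CCD825C09DA939B

C:\Windows\system32\svchost.exe => MD5 is legit


**** End of log ****
"""

# Detail line FSS prints under a path whose hash it did not recognise:
# [timestamp] - [timestamp] - size attributes (vendor string) MD5
DETAIL_RE = re.compile(
    r"^\[(?P<t1>[^\]]+)\] - \[(?P<t2>[^\]]+)\] - (?P<size>\d+) (?P<attrs>\S+) "
    r"\((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)


@dataclass
class FileCheck:
    path: str
    md5_matched: bool                              # True when FSS printed "=> MD5 is legit"
    md5: Optional[str] = None                      # only printed for unmatched files
    size: Optional[int] = None
    company: Optional[str] = None                  # version-resource string; not a trust signal
    timestamps: Optional[Tuple[str, str]] = None   # the two bracketed dates, in log order

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_file_check(log: str) -> List[FileCheck]:
    """Parse the 'File Check:' section of an FSS log into one record per file."""
    lines = [ln.strip() for ln in log.splitlines()]
    records: List[FileCheck] = []
    in_section = False
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if line == "File Check:":
            in_section = True
            continue
        if not in_section or not line or set(line) == {"="}:
            continue                              # skip preamble, blanks and "====" rules
        if line.startswith("****"):               # "**** End of log ****"
            break
        if " => MD5 is legit" in line:
            records.append(FileCheck(path=line.split(" => ", 1)[0], md5_matched=True))
            continue
        # Anything else is a path FSS could not match; its detail line follows it.
        rec = FileCheck(path=line, md5_matched=False)
        if i < len(lines):
            m = DETAIL_RE.match(lines[i])
            if m:
                rec.md5 = m["md5"].upper()
                rec.size = int(m["size"])
                rec.company = m["company"]
                rec.timestamps = (m["t1"], m["t2"])
                i += 1
        records.append(rec)
    return records


def needs_review(records: List[FileCheck], verified_md5: Set[str]) -> List[FileCheck]:
    """Unmatched files minus those whose MD5 the operator has already verified
    out of band (verified_md5 is an assumption supplied by the caller)."""
    verified = {h.upper() for h in verified_md5}
    return [r for r in records if not r.md5_matched and (r.md5 or "") not in verified]


if __name__ == "__main__":
    recs = parse_file_check(SAMPLE_FSS_LOG)
    print(f"{len(recs)} files checked, {sum(r.md5_matched for r in recs)} matched Farbar's list")
    for r in needs_review(recs, set()):
        print(f"REVIEW {r.path} size={r.size} md5={r.md5} vendor={r.company!r}")
```

An unmatched MD5 is a lead, not a verdict: Farbar's list cannot hold every service-pack and hotfix build of every file, and a matched MD5 is a list lookup, not a signature check. On the machine itself, Get-AuthenticodeSignature in PowerShell against the listed paths, or sfc /scannow, gives stronger evidence either way. The vendor string in parentheses comes from the file's version resource and is trivially forged, so it should never be treated as trust.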

#11 boopme (Global Moderator)

Posted 01 February 2012 - 04:28 PM

I cannot find it. We need to start a new topic on "no firewall, updates, etc."

We need a deeper look. Please go here: Preparation Guide, and do steps 6-9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic. Thanks.
If GMER won't run, skip it and move on.

Let me know if that went well.

#12 Orange Blossom (Moderator)

Posted 04 February 2012 - 02:36 AM

Hello Derricksc1,

Since you're having problems running GMER, please skip it. Be sure to post the DDS logs in your new topic which is here: http://www.bleepingcomputer.com/forums/topic441057.html If you were unable to create those logs, please post a reply there stating that.

Orange Blossom :cherry:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript



