Trojan.Zeroacces.B

#16 RKinner (Malware Expert, MVP, 19,788 posts)
No sign of ZeroAccess. We can see if OTL can remove the file or folder.


Copy the text in the code box by highlighting and Ctrl + c



:files
C:/windows/system32/consrv.dll


Then right click on OTL and select Run As Administrator to start. Under the Custom Scans/Fixes box at the bottom, paste (Ctrl + v) the text. Verify that you got it all and then click the RUN FIX button (NOT THE QUICK SCAN button!) at the top. Save the log and post it.
#17 carusoconan (Topic Starter, Member, 13 posts)
Here is the OTL log:



========== FILES ==========
Invalid Switch: consrv.dll

OTL by OldTimer - Version 3.2.31.0 log created on 01172012_220130
#18 RKinner (Malware Expert, MVP, 19,788 posts)
Not sure what happened there.

Start, All Programs, Accessories, right click on Command Prompt and Run as Administrator, Continue. Type with an Enter after each line:


dir  /a  consrv.dll  >  \junk.txt

notepad  \junk.txt

Copy and paste the text from notepad.
#19 carusoconan (Topic Starter, Member, 13 posts)
Here is the notepad text:



Volume in drive C has no label.
Volume Serial Number is EEEF-0282

Directory of C:\Windows\system32

07/13/2009 06:39 PM 53,248 consrv.dll
1 File(s) 53,248 bytes
0 Dir(s) 895,433,625,600 bytes free
#20 RKinner (Malware Expert, MVP, 19,788 posts)
Can you delete it?

Start, All Programs, Accessories, right click on Command Prompt and Run as Administrator, Continue. Type with an Enter after each line:
del  consrv.dll

mkdir  consrv.dll

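The `dir /a` inspection from post #18 and the delete-then-mkdir placeholder from post #20, combined in one added PowerShell example (this is not code from the thread or from RKinner). It assumes an elevated prompt; the path is the one discussed in the thread, and the function names are my own.

```powershell
# Added example, not from the thread: inspect a suspect path the way "dir /a" does
# (hidden and system items included), then, if it is a file, delete it and leave a
# same-named directory behind so the file cannot simply be dropped back.
# Run from an elevated PowerShell prompt. Function names are my own.
function Get-SuspectItemInfo {
    param([Parameter(Mandatory = $true)][string]$Path)
    # -Force is the PowerShell equivalent of "dir /a": hidden/system items are returned too
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if (-not $item) {
        return [pscustomobject]@{ Path = $Path; Exists = $false; IsDirectory = $false }
    }
    $size = $null
    $sig  = $null
    if (-not $item.PSIsContainer) {
        $size = $item.Length
        # Microsoft-shipped DLLs carry a valid Authenticode signature; an unsigned
        # DLL sitting in System32 deserves a closer look
        $sig = (Get-AuthenticodeSignature -FilePath $item.FullName).Status.ToString()
    }
    [pscustomobject]@{
        Path        = $item.FullName
        Exists      = $true
        IsDirectory = $item.PSIsContainer
        SizeBytes   = $size
        LastWrite   = $item.LastWriteTime
        Attributes  = $item.Attributes.ToString()
        Signature   = $sig
    }
}

function Block-SuspectFile {
    param([Parameter(Mandatory = $true)][string]$Path)
    $info = Get-SuspectItemInfo -Path $Path
    if (-not $info.Exists)    { Write-Output "Nothing at $Path"; return }
    if ($info.IsDirectory)    { Write-Output "$Path is already a directory, placeholder in place"; return }
    # Strip read-only/hidden/system bits first; a plain delete refuses such files
    (Get-Item -LiteralPath $Path -Force).Attributes = [System.IO.FileAttributes]::Normal
    Remove-Item -LiteralPath $Path -Force
    # Same trick as "mkdir consrv.dll": a directory with the file's name blocks re-creation
    New-Item -ItemType Directory -Path $Path | Out-Null
    $after = Get-SuspectItemInfo -Path $Path
    if ($after.Exists -and $after.IsDirectory) {
        Write-Output "Replaced $Path with a placeholder directory"
    } else {
        Write-Warning "Could not replace $Path; the file may be held open by a running process"
    }
}

Get-SuspectItemInfo -Path "$env:SystemRoot\System32\consrv.dll" | Format-List
# Run Block-SuspectFile only once the inspection above confirms the file is the unwanted one:
# Block-SuspectFile -Path "$env:SystemRoot\System32\consrv.dll"
```

The inspection step is the part worth keeping on hand: the size, timestamp, attributes and signature status tell you whether the item is a known Windows component or something foreign before anything is touched, and the final check confirms the placeholder directory is actually in place rather than assuming the delete succeeded.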
#21 carusoconan (Topic Starter, Member, 13 posts)
That appears to have done it (I'm attaching a screenshot of the command prompt screen). consrv.dll is no longer listed as a file in the system32 folder, and a quick scan of that folder shows no threats. I am going to have Norton run a full scan on the c drive which will take a couple of hours. I am also going to test the various programs on the computer and see if they are all running normally. I will let you know the results of all that later today. Thanks very much for the help!

Attached Thumbnails

  • Command Prompt.png

#22 RKinner (Malware Expert, MVP, 19,788 posts)
OK. If you don't find any other problems then I guess it is clean up time:


We need to clean up System Restore:

Copy the following:

:Commands
[CLEARALLRESTOREPOINTS]
[Reboot]

Right click on OTL and Run As Administrator. In the Custom Scans/Fixes box at the bottom, paste in the copied text (Ctrl + v) and then hit Run Fix.

That will get the last of the malware off the system.



You can uninstall or delete any tools we had you download and their logs.
To uninstall combofix, copy the next line:

"%userprofile%\Desktop\combofix.exe" /Uninstall

Start, All Programs, Accessories then right click on Command Prompt and Run As Administrator. Then right click, Paste, then hit Enter.

OTL has a Cleanup tab; if you go there it will remove itself and its logs.

To hide hidden files again (OTL may do it for you):

Vista or Win7

1. Open the Control Panel menu and click Folder Options.
2. After the new window appears select the View tab.
3. Remove the check in the checkbox labeled Display the contents of system folders.
4. Under the Hidden files and folders section select the radio button labeled Do not Show hidden files and folders.
5. Check the checkbox labeled Hide protected operating system files.
6. Press the Apply button and then the OK button and exit My Computer.

Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat.

Whether you use Adobe Reader, Acrobat or Foxit to read pdf files you need to disable Javascript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Start, All Programs, Adobe Reader, Edit, Preferences, Click on Javascript in the left column and uncheck Enable Acrobat Javascript. OK Close program. It's the same for Foxit reader except you uncheck Enable Javascript Actions.

To help keep your programs up-to-date you should download and run the UpdateChecker:
http://www.filehippo.../updatechecker/
(You don't need to download Betas and if there is a program you don't use you can just uninstall it rather than update it. Exception is MSN messenger which appears to be part of Windows.)
If you get a blocked program notice after installing UpdateChecker then change it to not run at start, then manually run it once a week.

If you use Firefox then get the AdBlock Plus Add-on. WOT (Web of Trust) is another you might want to try.
The equivalent to AdBlock Plus for IE is called Simple Adblock and you should install it too: http://simple-adblock.com/
The free version only blocks 200 ads a day, which is another reason to use Firefox or Chrome.

If Firefox is slow loading make sure it only has the current Java add-on. Then download and run Speedy Fox (http://www.crystalidea.com/speedyfox). You can run it any time that Firefox seems slow.

Be warned: If you use Limewire, utorrent or any of the other P2P programs you will almost certainly be coming back to the Malware Removal forum. If you must use P2P then submit any files you get to http://virustotal.com before you open them.


If you have a router, log on to it today and change the default password! If using a Wireless router you really should be using encryption on the link. Use the strongest (newest) encryption method that your router and PC wireless adapter support especially if you own a business. See http://www.king5.com...-120637284.html and http://www.seattlepi...ted-1344185.php for why encryption is important. If you don't know how, visit the router maker's website. They all have detailed step by step instructions or a wizard you can download.

Ron
#23 carusoconan (Topic Starter, Member, 13 posts)
The Norton full scan of the c drive found no threats. Only one program is a problem - Peachtree Complete Accounting 2012 indicates that it can't be started because Microsoft .Net Framework 3.5 SP1 is missing or damaged. After I do all the cleanup steps you mention I intend to create a system restore point and then download and install .Net Framework 3.5 SP1 from the Microsoft website. Does that seem like the right approach?

When I run the uninstall command you provided for ComboFix does it matter what directory I am in? I notice that when I enter the command prompt it comes up in C:\Windows\system32.

In order to delete the TDSSKiller.exe, aswMBR.exe and VEW.exe tools, do I just simply delete those files (e.g., drag them to the recycle bin)?

Would you recommend keeping the Malwarebytes program, updating it regularly and running it on occasion (perhaps once a week) as a second line of defense along with Norton?

I have been using Acronis True Image Home 2012 to create daily system images of the c drive on an external hard drive. I create a full backup once a week and a differential backup for each of the succeeding six days and then repeat that process the following week. I shut down Acronis when this problem started. I presume I should delete those backup images on the chance that they may contain copies of the malware?

I use Adobe Acrobat 9.0 extensively and per your direction I have unchecked Enable Acrobat Javascript in the Javascript preferences page.

I have installed the AdBlock Plus Add-on you mentioned to Firefox, and have also downloaded the UpdateChecker.

I am not familiar with Limewire or utorrent but I have never used any P2P programs (and am only very vaguely aware of what they are - my impression is that they are used largely to distribute pirated items such as music and movies) so I shouldn't have a problem in that regard.

As relates to my wireless router, I change the password on that every month and encryption is enabled on it (I believe it is WPA2). I also changed the SSID on the router to a nondescript name.


Once again thank you for all of your assistance. You have been extraordinarily generous with your time and expertise and it is most greatly and sincerely appreciated.
#24 RKinner (Malware Expert, MVP, 19,788 posts)
.Net is a funny animal. If it doesn't work when you reinstall it you may have to uninstall it (and all of the other .Net versions) and start from scratch with .Net 1.1 and work your way up to the latest which I think is 4 something.

It shouldn't matter what directory you are in when you try to uninstall CF.

Yes just delete TDSSKiller, aswMBR, VEW and their logs.

MBAM is a good program to hang on to. The free version doesn't update automatically so if you run it once a week or so make sure you tell it to update first.

I suppose the backups could be contaminated so best to get rid of them.

Adobe Acrobat 9.0 is probably an older version so check and see if Adobe has any updates for it. Not sure what their policy is on purchased software as I have never bought anything from them.
#25 RKinner (Malware Expert, MVP, 19,788 posts)
Just got word there is a new variation of ZeroAccess that has a separate service. Probably a good idea to see if we missed something.

Start, All Programs, Accessories, right click on Command Prompt and Run as Administrator, Continue. Type with an Enter after the line:

sc  delete  pcidump

(If the prompt returns without an error then this was the new version. IF it says it can't find the service then it was something else.)

One final check to make:

right click on the clock and select Task Manager then Services. We do not want to find "Safety Settings" service.

If you find Safety Settings then click on Services and it will take you to the Services window. See if you can find Safety Services then right click on it and select Properties. STOP the service then change the Startup Type: to Disabled. OK.
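A read-only check for the two service indicators this post names (the service name pcidump and the display name Safety Settings), as an added PowerShell example that is not code from the thread or from RKinner. It assumes an elevated prompt and only reports what it finds; the function name is my own, and the stop/disable step at the end is left as a comment for a confirmed hit.

```powershell
# Added example, not from the thread: look for the service indicators named in the
# thread without changing anything. Run from an elevated PowerShell prompt.
function Find-SuspectService {
    param(
        [string[]]$Names        = @('pcidump'),          # service (short) names from the thread
        [string[]]$DisplayNames = @('Safety Settings')   # display names from the thread
    )
    $hits = @()
    # Win32_Service exposes the start mode and the binary path, which Task Manager does not show
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if ($Names -contains $svc.Name -or $DisplayNames -contains $svc.DisplayName) {
            $hits += [pscustomobject]@{
                Name        = $svc.Name
                DisplayName = $svc.DisplayName
                State       = $svc.State
                StartMode   = $svc.StartMode
                PathName    = $svc.PathName   # the binary the service runs; check it lives where you expect
            }
        }
    }
    return ,$hits
}

$found = Find-SuspectService
if ($found.Count -eq 0) {
    Write-Output 'No pcidump or Safety Settings service is registered'
} else {
    $found | Format-Table -AutoSize
    # For a confirmed hit the thread's remedy is stop, then disable; in PowerShell that is:
    #   Stop-Service -Name <name> -Force
    #   Set-Service  -Name <name> -StartupType Disabled
}
```

Matching on both the short name and the display name matters because Task Manager's Services tab shows the short name first, while the "Safety Settings" indicator in the thread is a display name; the PathName column is what lets you tell a stray service apart from a legitimately named one.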
#26 carusoconan (Topic Starter, Member, 13 posts)
It appears we're OK assuming I executed your directions correctly. I'm attaching screen shots for the command prompt and services windows. Thanks very much - I appreciate your follow up.

Attached Thumbnails

  • Command Prompt.png
  • Services.png

#27 RKinner (Malware Expert, MVP, 19,788 posts)
OK. Thanks for checking.

Ron