Sorry to hear that your issue could not be resolved in a timely fashion by us. For the firewall issue: is it the McAfee firewall that is non-functional, or is it the Windows firewall?
If it's the McAfee firewall, please log in to mvt.mcafee.com, run the tool, reboot, and update us on the thread about the issue.
Regarding the 64-bit OS not being supported by the new tool, this has been escalated to the engineering team as Sam had indicated. Either Sam, Vinoo or I will update you as and when we get details on it.
64-bit OS was supposed to be near impenetrable; however, this infection has proved otherwise. That is probably the reason why the tool did not have an option to work on a 64-bit OS.
It's both. Windows Error 1068: "The dependency service or group failed to start". Under Control Panel > Windows Firewall, the "Use recommended settings" button gives the error "Windows can't change some of your settings." Error code: 0x8007042c.
Oh yeah, I'm 64-bit too. Waiting.....
Apologies for the issue not being resolved in a timely manner have no merit. I am not the first to complain about this issue. McAfee knew of this problem MONTHS ago (there are discussions back in July about this issue). Just admit that McAfee has failed in their attempt to resolve this for their consumers.
I ran the McAfee Virtual Technician, rebooted as instructed, and it could not fix the problem. The Windows Firewall is down also.
The report stated: Some problems could not be fixed.
PersonalFirewall – McAfee Security Center 12.0.344
Problem: Service not running.
SessionID: 35454122
There are a number of posts indicating issues cleaning FakeAV and ZeroAccess infections. Please understand these are not all caused by the same file, but rather by variants of a particular family of malware.
From some of the Artemis detections mentioned thus far, it's clear that we have some very new strains of FakeAV.
It's important that we remove the FakeAV, DNSChanger infections, before we attempt to remove ZeroAccess.
We've seen FakeAV bring in a number of other pieces of malware, including the most technically advanced rootkit known at this time, ZeroAccess (MAX++). Cleaning this is no trivial process, and as you all have outlined, our cleaner for ZeroAccess is limited to 32-bit for now, but will be updated ASAP. However, we do not have to wait for this.
There are several steps we have to progress through, to get your systems cleaned up. It's not easy, and it will take time, but for those that persevere, it will avoid a re-image of your system.
Informative tidbits:
For the below steps, it's helpful to have a USB drive, with these tools on it:
Also, it's a good idea to have a copy of CleanBoot burned to CD, in case our efforts in SafeMode are not successful. Available HERE.
First, we must remove any companion malware (malware that could be dropping the ZeroAccess rootkit and also terminating scanning tools) to allow the RootkitRemover to work.
Booting to a CD is the best way, to ensure that malware is not loaded into memory, and making detection most challenging. However, let's see if we can tackle it strictly from SafeMode, as it's far more user friendly.
1. Reboot into SafeMode.
2. Run "MSCONFIG" (click Start>Run) On the General tab, select the third option "Selective Startup", then uncheck the box "Load Startup Items"
3. Reboot into normal mode.
4. Run RootkitRemover, and ensure it detects and cleans.
a. If you are on a 64-bit system, skip down to "64bit O.S.".
5. If it detects ZeroAccess, then reboot and run a full scan of the system, first using the Stinger(s) and then your local McAfee product. Often the permissions on the McAfee folder are modified by the malware and require manual correction:
6. You should now repair/reinstall your AV product, update your dats, and run a full system scan.
7. If further detections are made, you should now be able to revert the changes we made in #2 by doing the following:
8. If no further detections are found, but you still have malicious behavior, then there could still be malware on the system, and it will require additional work to identify. Using Getsusp is a good first step in identifying undetected malware. Using the Virus Removal Service, might be a reasonable next step, but feel free to post back here first.
64bit O.S.: For 64-bit systems, we need to manually repair the infected .sys file. (Steps taken from the VIL available for ZeroAccess.a)
Manual Remediation steps:
The malicious code is loaded by the patched system driver. In order to clean the system manually, it is necessary to identify the malicious .SYS file and replace it with a good copy from installation media.
In order to identify which system driver was replaced, the user is going to need the following tool:
GMER: http://www.gmer.net/
1. First of all, the machine must be disconnected from the internet to avoid reinfection in case any other malware is downloading and installing ZeroAccess or other pieces of malware.
2. Execute GMER, and uncheck these four options: "Modules, Processes, Threads, Files"
http://vil.nai.com/images/562354_1.png
3. Then right-click in the main window, select "Options", then enable "IRP Hooks".
4. Start the rootkit scan and wait for it to finish.
5. If the system is infected, GMER will show the name of the patched .SYS file as shown in the YELLOW circle above. Take note of this name.
6. Look in the following folder and search for a file with the same name as noted above: %SYSTEMROOT%\ServicePackFiles\i386
7. If there is a copy of the file in the folder above, copy it to the root of drive C:. It will be needed later.
8. If the file is not present in the folder above, it will be necessary to copy the file from installation media, or from another machine with the same Windows version and language.
9. Boot the infected machine with clean boot media like McAfee CleanBoot, BartPE or Hiren's Boot CD.
10. From the clean boot, copy the file stored in the root folder (copied above) to the location of the patched system driver.
ex: copy c:\mrxsmb.sys c:\windows\system32\drivers\mrxsmb.sys
11. Reboot the system in safe mode and log in as the Administrator user.
12. Execute the CSSCAN command line tool using the Beta DATs to remove any Trojan or infected file from the system:
a. VSE 8.7: "C:\Program Files\McAfee\VirusScan Enterprise\csscan.exe" -All -Unzip -Program -Analyze -Sub -Clean -Log c:\scan-rpt.txt C:\
b. VSE 8.8: C:\Program Files\Common Files\McAfee\SystemCore\csscan.exe -All -Unzip -Program -Analyze -Sub -Clean -Log c:\scan-rpt.txt C:\
c. Other McAfee product users: Please use the following standalone tool Stinger
In order to use the Stinger tool, please make sure the targets "Processes" and "Registry" are disabled and the interface option "List of all files scanned" is enabled in Stinger before scanning the infected machine.
http://vil.nai.com/images/562354_4.png
13. Reboot the system normally.
14. Run GMER again to confirm that no malicious threads or patched files exist anymore.
I'll evolve this post with your constructive feedback, and work to make it as effective as possible. As with many malware infections, they can be unpredictable, and in some cases require the direct intervention of a malware expert. In such cases, we recommend you reach out to support to ensure your system is cleaned properly.
David Meier
Lead Field Engineer - McAfee Labs
Posted on 10/4/11 6:50:20 PM CDT in "Re: Help... Artemis!56C9EF26F88B - ZeroAccess"
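The 64-bit steps above hinge on one check: is a system driver still byte-for-byte the file that shipped with Windows, or has it been patched? GMER identifies the file; the comparison with the pristine copy in %SYSTEMROOT%\ServicePackFiles\i386 (or installation media) is done by eye. The script below is an added example, not McAfee's tool and not from this thread: it hashes every .sys in a drivers folder and compares each with its namesake in a reference folder, reporting drivers that differ (candidates for the replacement step), drivers with no reference copy (which need install media), and drivers that match. The default paths are the ones the thread names and are assumptions; the demo builds a made-up layout in a temporary directory so it runs anywhere offline. It only reports, it never replaces a file; the clean-boot copy remains a manual step exactly as described above.

```python
#!/usr/bin/env python3
r"""Report system drivers whose contents differ from a trusted reference copy.

Added example (not McAfee's tool, not from the thread).  Pairs every *.sys in
a drivers folder with the same-named file in a reference folder, e.g.
%SYSTEMROOT%\ServicePackFiles\i386 from the thread's 64-bit steps, and
hashes both.  A driver that no longer matches its pristine copy is a
candidate for the replacement step; this script does not modify anything.
"""
import hashlib
import tempfile
from pathlib import Path

# Assumed default locations, taken from the thread; pass other paths as arguments.
DEFAULT_DRIVERS_DIR = r"C:\Windows\System32\drivers"
DEFAULT_REFERENCE_DIR = r"C:\Windows\ServicePackFiles\i386"


def sha256_of(path):
    """Return the hex SHA-256 of a file, read in 64 KiB chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_driver_dirs(drivers_dir=DEFAULT_DRIVERS_DIR,
                        reference_dir=DEFAULT_REFERENCE_DIR):
    """Compare every *.sys in drivers_dir with its namesake in reference_dir.

    Returns a dict of three sorted name lists:
      mismatched        - in both folders, hashes differ (possible patched driver)
      missing_reference - in drivers_dir only (needs installation media)
      identical         - in both folders, hashes equal
    """
    drivers = Path(drivers_dir)
    reference = Path(reference_dir)
    # Windows names are case-insensitive; index the reference folder that way
    # so MRXSMB.SYS and mrxsmb.sys are treated as the same file.
    ref_index = {p.name.lower(): p for p in reference.iterdir() if p.is_file()}
    result = {"mismatched": [], "missing_reference": [], "identical": []}
    for drv in sorted(drivers.glob("*.sys")):
        ref = ref_index.get(drv.name.lower())
        if ref is None:
            result["missing_reference"].append(drv.name)
        elif sha256_of(drv) == sha256_of(ref):
            result["identical"].append(drv.name)
        else:
            result["mismatched"].append(drv.name)
    return result


def demo():
    """Run the comparison over a constructed sample layout in a temp directory.

    The contents are made up and are not real driver code.  mrxsmb.sys is the
    name used in the thread's copy example and is given extra trailing bytes to
    stand in for a patched driver.
    """
    with tempfile.TemporaryDirectory() as tmp:
        drivers = Path(tmp, "drivers")
        reference = Path(tmp, "i386")
        drivers.mkdir()
        reference.mkdir()
        # Constructed sample: one intact driver, one altered, one without a reference.
        (reference / "tcpip.sys").write_bytes(b"pristine tcpip driver bytes")
        (drivers / "tcpip.sys").write_bytes(b"pristine tcpip driver bytes")
        (reference / "MRXSMB.SYS").write_bytes(b"pristine mrxsmb driver bytes")
        (drivers / "mrxsmb.sys").write_bytes(b"pristine mrxsmb driver bytes" + b"\x90" * 16)
        (drivers / "vendor.sys").write_bytes(b"third-party driver with no reference copy")
        return compare_driver_dirs(drivers, reference)


if __name__ == "__main__":
    for category, names in demo().items():
        print(f"{category}: {', '.join(names) or '-'}")
```

A hash mismatch is a reason to look closer, not proof of infection on its own: a driver legitimately updated by a hotfix after the service pack will also differ from the ServicePackFiles copy, which is why the thread pairs this check with GMER's IRP-hook view and a reference machine of the same Windows version and language.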
You have GOT to be kidding!!!!!!! You want me to do ALL this and take another 5 hours out of my life? I DON'T THINK SO... I'll wait for your automatic fix until this weekend and then, if you don't have a "click to fix" or do it "internally with an Update", I'll crapcan McAfee altogether and move on....... UGH!!!!!!!!!!!!!!!!!!!!!!!!!
There are links to many tools, but I don't see one for the Rootkit Remover. Where do we get that?
so... after trying the manual multi-step clean up, I'm now adding
DNSChanger!fa
to the list of trojans being found. I've downloaded tools, gone through manual sweeps, and it's worse????
The file is Artemis!8EA57E8B69F2
It was found on my computer at C:\windows\assembly\tmp\kwrd.dll
As I said previously when I tried to click on the 'submit to mcafee' for the files in quarantine it tells me there is an error.
Yesterday GMER wouldn't work for me... unless it has changed in the last 24 hours I doubt it will work properly now ( go back and read my posts about it). However when I have a few spare hours available tomorrow I will try to go through all the steps you've listed above...
@lozah - we have a copy of that file, and I'll make sure it gets classified today. It will take a couple of days to reflect in the full DATs. In the meantime, the Artemis detections will prevent it from doing any damage. The problem is what is dropping that file; that's what is still infected. You might need to boot from a boot CD and run a full scan. Let me know if you need help with that.
@jdl - The Artemis detection you were first getting has simply been renamed (classified) to DNSChanger!fa, so you're as bad off as you were, no worse.
@Beagle123 - I had linked to the site where it was linked. That's no help, so here's the proper direct link to RootkitRemover http://vil.nai.com/images/562354_2.zip
@rags - Please PM me, I'd like to speak to someone such as yourself.
@Carolyn Hannibal - Please PM me.
Amazing how I can't even get help from McAfee online!!! I tried to get a boot disc and I couldn't even get that from them. They escalated my call and said I would get a call from them tomorrow! I would just like to have my computer back to normal. If you see my previous posts you will see what I have encountered in this Open Cloud Security virus. I have tried the rootkit remover but I need 64-bit. I have also tried GMER but it would not allow me to check the top boxes (see previous post). I feel as if I should change to another company for virus protection. I am extremely frustrated by this. I just spent over an hour in a chat box, then went back online with the infected computer, all for them to tell me that they can't help.... now 2 hours later.... no help.... no boot disc! Who's helping at McAfee????!!!!