I think I'm done reading how the Engineers want you to go from a to z and back again, knowing full well those efforts aren't working. Novice, intermediate, and expert users are continuing to ask "You want me to do what?" I have a question for the Lab Engineers - I used two programs to get rid of my virus - why aren't you suggesting the same programs I used to your consumers? Is it because they are not McAfee approved or something? Just curious.
I have gotten rid of the virus - but the issue of the firewall remains. This is still baffling and no one is addressing that issue. No, I do not want anyone remoting in looking to see if I am rid of the virus. I am already sure of that. It was easy to remove without all the different avenues that you guys are suggesting. I just want the firewall fixed and I will be out of your hair.
I am not the only one that has a problem with the firewall. There were several people - REMINDING you not to forget about that.
Good morning Carolyn! So that you get the help that you need, you'll probably want to post your Firewall issue to one of the product-related discussions. As this is a malware discussion, there probably aren't any product experts here to help you. (I really hope that your firewall issues don't stem from the mostly undetected new rootkit that I've found in another poster to this thread's system.)
BTW, what two tools did you end up using? (Boy, it sure would be great if everyone had the exact same problems/variants; it would certainly make everyone's job a great deal easier.)
Message was edited by: dmeier on 10/7/11 9:30:27 AM CDT
(Replying to DMeier's post #51 only)
Since Carolyn Hannibal seems no longer to be taking an interest I went back and reviewed her posts. Carolyn says RKill and Malwarebytes did the job for her and cleaned her system but left her with firewall problems. Well, I do hope her system is clean but if what she had was Zero Access and not Open Cloud Security (they seem to be linked, and some posters mention both) then I doubt very much that Malwarebytes has solved her problems completely. If she merely had a run-of-the-mill Fake AV infection though, Malwarebytes might have cleared it. We may get confirmation, one way or the other.
To avoid confusion I shall be branching any future posts from this thread that reference Open Cloud Security or any of the other variants from the same malware family.
Sorry I didn't get back to you earlier. I used Rkill and Malwarebytes. The issue of the firewall stems from the virus. It took it down and I reported to Microsoft about the issue also.
Message was edited by: moukie on 10/9/11 10:35:09 PM CDT
DNSChanger!fa (Trojan) has been detected some 600 times since the 15th. Do you think you can trap it and get it off my computer? Also the firewall still says it's running but it isn't under "settings"! ???? What gives??
Message was edited by: rags on 10/22/11 5:52:20 PM CDT
I am assuming that this "DNSChanger!fa" and Zero Access are one and the same.
(Edit : It is. See "Aliases" in the first document referred to below).
Rootkits can be extremely difficult to remove. The authors of Zero Access will be pushing out modifications to keep their malware effective, so the counter-measures McAfee have put in place may not be working properly. In any case, a standard AV scan probably wouldn't be enough to kill this thing. The new variants are said to be using Alternate Data Streams to hide the rootkit tripwire (you want to know about ADS? See this, from Microsoft).
There are two important documents you need to read, which contain instructions for removal.
The first is "McAfee Labs Threat Advisory - ZeroAccess Rootkit (September 19, 2011)"
which may be intended for corporate customers ("FoundstoneServices" is on the Corporate side).
The second (and more recent) is "ZeroAccess.a" at http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=562354 especially the Removal section. The Description was modified on September 29 but I can't see any note of more recent updates.
The two documents have closely similar but not identical removal instructions. They both require the use of GMER; the second provides a link (HERE) to a special removal program specifically for Zero Access: described as "minimally tested" and "For Limited Distribution Only".
Message was edited by: Hayton on 23/10/11 03:05:35 IST
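Hayton's post above mentions that newer variants hide components in NTFS Alternate Data Streams. As an added example (not from this thread, and not one of the McAfee tools it refers to), here is a PowerShell check that lists non-default streams under a directory so an unexpected ADS can be spotted; the starting path and depth are assumptions you would adjust.

```powershell
# Added example: enumerate NTFS alternate data streams under a directory.
# Every file has a default ':$DATA' stream; Zone.Identifier is the common
# "downloaded from the Internet" marker. Anything else deserves a look.
# Requires PowerShell 5.0+ (for -Depth) on an NTFS volume; run as admin
# so protected system directories can be read.
function Find-AlternateStreams {
    param(
        [string]$Root = 'C:\Windows\System32',   # assumed starting directory
        [int]$MaxDepth = 2                        # assumed recursion depth
    )

    Get-ChildItem -LiteralPath $Root -File -Recurse -Depth $MaxDepth -Force `
                  -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # -Stream * returns one record per stream attached to the file
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' } |
        ForEach-Object {
            [pscustomobject]@{
                Path   = $file.FullName
                Stream = $_.Stream
                Bytes  = $_.Length
            }
        }
    }
}

# Largest streams first: a rootkit payload stashed in an ADS is rarely tiny.
Find-AlternateStreams | Sort-Object Bytes -Descending | Format-Table -AutoSize
```

A stream that shows up here can be read with `Get-Content -LiteralPath <file> -Stream <name>` for inspection; the same listing is available from a cmd prompt with `dir /r`.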
The sample which was detected as Artemis!56C9EF26F88B & then DNSChanger!fa, is reclassified as DNSChanger.d with some enhanced cleaning. Please use Beta DATs for scanning.
Oh, right. I forgot that makes a difference. Have they got it working for 64-bit yet?
Edit - Interesting. "Dnschanger.d" is an old detection. There are threads about that one up to 2009 and then it all went quiet. Could be this is a new variant of an old and known piece of malware, but all the entries I see in the database so far are for 32-bit.
Message was edited by: Hayton - typo in malware name - on 23/10/11 18:00:37 IST