Level 7
Message 71 of 80

Re: Help... Artemis!56C9EF26F88B - ZeroAccess

So, are there updates to this for the 64 bit?

Level 7
Message 72 of 80

I think I'm done reading how the Engineers want you to go from a to z and back again knowing good well those efforts aren't working. Novice, intermediate, and expert users are continuing to ask, "You want me to do what?" I have a question for the Lab Engineers - I used two programs to get rid of my virus - why aren't you suggesting the same programs I used to your consumers? Is it because they are not McAfee approved or something? Just curious.

I have gotten rid of the virus - but the issue of the firewall remains. This is still baffling and no one is addressing that issue. No, I do not want anyone remoting in looking to see if I am rid of the virus. I am already sure of that. It was easy to remove without all the different avenues that you guys are suggesting. I just want the firewall fixed and I will be out of your hair.

I am not the only one that has a problem with the firewall.  There were several people - REMINDING you not to forget about that.

McAfee Employee
Message 73 of 80

Good morning Carolyn! So that you get the help that you need, you'll probably want to post your Firewall issue to one of the product related discussions. As this is a malware discussion, there probably aren't any product experts here to help you. (I really hope that your firewall issues don't stem from the mostly undetected new rootkit that I've found in another poster to this thread's system.)

BTW, what two tools did you end up using? (boy, it sure would be great if everyone had the exact same problems/variants, it would certainly make everyone's job a great deal easier)

Message was edited by: dmeier on 10/7/11 9:30:27 AM CDT

Reliable Contributor
Message 74 of 80

(Replying to DMeier's post #51 only)

Since Carolyn Hannibal seems no longer to be taking an interest I went back and reviewed her posts. Carolyn says RKill and Malwarebytes did the job for her and cleaned her system but left her with firewall problems. Well, I do hope her system is clean but if what she had was Zero Access and not Open Cloud Security (they seem to be linked, and some posters mention both) then I doubt very much that Malwarebytes has solved her problems completely. If she merely had a run-of-the-mill Fake AV infection though, Malwarebytes might have cleared it. We may get confirmation, one way or the other.

To avoid confusion I shall be branching any future posts from this thread that reference Open Cloud Security or any of the other variants from the same malware family.

Level 7
Message 75 of 80

Sorry I didn't get back to you earlier.  I used Rkill and Malwarebytes.  The issue of the firewall stems from the virus.  It took it down and I reported to Microsoft about the issue also.

Message was edited by: moukie on 10/9/11 10:35:09 PM CDT

Level 7
Message 76 of 80

DNSChanger!fa(Trojan) has been detected some 600 times since the 15th. Do you think you can trap it and get it off my computer? Also the firewall still says it's running but it isn't under "settings"! ???? What gives??

Message was edited by: rags on 10/22/11 5:52:20 PM CDT

Reliable Contributor
Message 77 of 80

I am assuming that this "DNSChanger!fa" and Zero Access are one and the same.

(Edit : It is. See "Aliases" in the first document referred to below).

Rootkits can be extremely difficult to remove. The authors of Zero Access will be pushing out modifications to keep their malware effective, so the counter-measures McAfee have put in place may not be working properly. In any case, a standard AV scan probably wouldn't be enough to kill this thing. The new variants are said to be using Alternate Data Streams to hide the rootkit tripwire (you want to know about ADS? See this, from Microsoft).

There are two important documents you need to read, which contain instructions for removal.

The first is "McAfee Labs Threat Advisory - ZeroAccess Rootkit (September 19, 2011)"

https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23412/en_US/...

which may be intended for corporate customers ("FoundstoneServices" is on the Corporate side).

The second (and more recent) is "ZeroAccess.a" at http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=562354 especially the Removal section. The Description was modified on September 29 but I can't see any note of more recent updates.

The two documents have closely similar but not identical removal instructions. They both require the use of GMER; the second provides a link (HERE) to a special removal program specifically for Zero Access : described as "minimally tested" and "For Limited Distribution Only".

Message was edited by: Hayton on 23/10/11 03:05:35 IST
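
The post above mentions Alternate Data Streams as a hiding place. The following script is an added example, not part of the thread and not a McAfee tool: it lists named NTFS streams under a directory and flags any that begin with an executable header. It assumes Windows PowerShell 5.1 on NTFS; the default `$Root` and the benign-stream list are assumptions chosen for illustration.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 5.1 on NTFS.
param(
    # Directory to inspect; this default is an assumption for illustration.
    [string]$Root = "$env:SystemRoot\System32\drivers"
)

# Streams that are normally benign: the unnamed data stream (':$DATA') and
# the download-origin marker added by browsers ('Zone.Identifier').
$Benign = @(':$DATA', 'Zone.Identifier')

function Test-PEHeader {
    param([string]$Path, [string]$Stream)
    # Read the first two bytes of the named stream; 'MZ' (0x4D 0x5A) marks
    # a Windows executable, which makes the stream worth a closer look.
    try {
        $b = Get-Content -LiteralPath $Path -Stream $Stream -Encoding Byte `
                         -TotalCount 2 -ErrorAction Stop
        return ($b.Count -eq 2 -and $b[0] -eq 0x4D -and $b[1] -eq 0x5A)
    } catch {
        return $false   # locked or unreadable stream
    }
}

function Get-NamedStream {
    param([string]$Path)
    # Walk every file (hidden and system included) and list all its streams.
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object { $Benign -notcontains $_.Stream } |
        ForEach-Object {
            [pscustomobject]@{
                File   = $_.FileName
                Stream = $_.Stream
                Bytes  = $_.Length
                IsPE   = Test-PEHeader -Path $_.FileName -Stream $_.Stream
            }
        }
}

# Streams with executable content first, then the largest streams.
Get-NamedStream -Path $Root |
    Sort-Object -Property @{Expression='IsPE';Descending=$true},
                          @{Expression='Bytes';Descending=$true} |
    Format-Table -AutoSize
```

Windows PowerShell 5.1 cannot enumerate streams attached to directories, and a kernel-mode rootkit can hide streams from a scan run on the live system, so an empty result does not prove the machine is clean.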

Level 12
Message 78 of 80

Hi,

The sample which was detected as Artemis!56C9EF26F88B & then DNSChanger!fa, is reclassified as DNSChanger.d with some enhanced cleaning.  Please use Beta DATs for scanning.

Regards,

Nitin Kumar

McAfee SME

Level 7
Message 79 of 80

Oh yeah, I should re-mention I'm Windows 7 64 bit!

Reliable Contributor
Message 80 of 80

Oh, right. I forgot that makes a difference. Have they got it working for 64-bit yet?

Edit - Interesting. "Dnschanger.d" is an old detection. There are threads about that one up to 2009 and then it all went quiet. Could be this is a new variant of an old and known piece of malware, but all the entries I see in the database so far are for 32-bit.


Message was edited by: Hayton - typo in malware name - on 23/10/11 18:00:37 IST
