Three times in as many weeks I have been hit by a ZeroAccess virus, identified by MalwareBytes as Rootkit.0Access, while surfing the web. In all cases I was visiting well-known legitimate sites that were flagged by McAfee SiteAdvisor as safe and I have used in the past without problem. I'm pretty sure the first two attacks both came from either Kryptonsite.com or KSitetv.com and the third I am almost certain was from Accuweather.com (it was either that or LinkedIn, which were the only two I visited in that instance). Or at least, they occurred while I was viewing those sites. I'm very security-conscious and didn't think I could be any more careful with my surfing!
McAfee SecurityCenter didn't seem to detect the downloads, although its firewall blocked the virus from connecting to the internet as an unknown program. What happened in all cases was:
While viewing a website, McAfee firewall popped up a message that an unknown program wanted internet access - "Fyoesbiso32" the first two times and "liquid7674137" the third time.
At the same time, a window claiming to be an Adobe update with a progress bar appeared, and Windows User Access Control asked me for permission to run it.
I didn't give permission for either and instead powered down the PC and rebooted. Following the reboot, a quick scan with MalwareBytes found and deleted the following files:
First two times:
In all cases, I took no chances and restored a complete Acronis disk image from before the virus hit, booting from the Acronis CD to do so. Subsequent full scans with McAfee, MalwareBytes, TDSSKiller, HitMan Pro and McAfee Rootkit Remover (updated to the latest definitions beforehand where appropriate) all came up clean. Then, a few days later, it happens again while innocently surfing the web.
I'm a bit concerned about the fact that this has happened to me three times recently - could my PC be compromised in some way that is causing this to happen? Why doesn't McAfee detect these files and prevent them from downloading and running?
Does anyone know where this ZeroAccess virus is coming from and why it is suddenly hitting me so frequently - could it be adverts hosted by these sites? Or is the Adobe update genuine but somehow infected?
Is there anything else I can do to prevent Rootkit.0Access / ZeroAccess from downloading and running in the first place?
Any advice on this nasty little piece of malware would be very much appreciated!
Windows 7 Ultimate SP1 64bit
McAfee SecurityCenter 11.0 Build 11.0.678 (real-time scanning of all files and auto update on)
McAfee VirusScan 15.0 Build 15.0.302
McAfee Personal Firewall 12.0 Build 12.0.355
McAfee SiteAdvisor 3.4 build 18.104.22.168 (with the browser plugin running in Internet Explorer 9)
Malwarebytes Anti-Malware 22.214.171.1240 (free version, non-resident, only used for "second opinion" scans)
The answer is only a guess, stop going to those websites.
But, and it's a big but - you also may not be truly rid of it. I suggest you do either one of two things that are listed on THIS document near the bottom.
Either a Hijackthis or DDS scan and post the log as instructed there on an appropriate forum for expert analysis.
As far as Adobe Update goes that's a puzzler as Adobe does have a legitimate updater which I see from time to time asking me if I want to update this and that.
You might want to go to Adobe.com and make sure that Flash, Shockwave and Reader or whatever are all up to date anyway.
Indeed, I stopped going to those first websites once I suspected them as the source, only to get the same thing from another website a short time later! That's what made me wonder if maybe it wasn't just specific websites, but rather something more specific to me, such as hosted adverts or something already on my system.
I've just checked the Adobe website as you suggested. It seems the latest version is 11.3.300.257 and I have 126.96.36.199. I had assumed that the adobe window that was appearing was fake, but I'm now wondering if it's the Adobe updater that is doing this, as it's set to install updates automatically when available.
Edit: I've just uninstalled Flash Player and Flash Player Plugin. I'll leave them uninstalled until I absolutely can't do without them (I thought they were required for YouTube, but that seems to work fine without them). If the attack happens again, I'll know it's a fake Adobe update!
Message was edited by: ajones2012 on 08/06/12 10:54:41 CDT
Flash and Shockwave players are still needed by some sites and you'll be prompted to install if they are. More and more websites in the meanwhile are adopting the HTML5 protocol as a good substitute but it'll be a while. In fact Adobe have their own experimental substitute called Edge, although I haven't tried it.
Meanwhile I would post that log as I suggested to be sure, and a good idea might be to augment SiteAdvisor browser safety with WOT (Web of Trust) - http://www.mywot.com/
Also clean out all your temporary files.
Go to Start/Run and type in temp and click Enter or OK then click Edit/Select All and then click Shift/Delete together and OK prompts. Some may refuse to go which is normal.
Repeat that exercise typing %temp% instead.
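The same temp-folder clean-up as a PowerShell script, added here as an example and not part of the thread or of any McAfee tool. It assumes an elevated Windows PowerShell prompt on Windows 7 or later, clears %TEMP% and C:\Windows\Temp, and reports the items that could not be removed, which on a running system are normally files held open by another process (the "some may refuse to go" case above). The `-DryRun` switch is this script's own parameter and only lists what would be deleted.

```powershell
# Added example (not from the thread): clear the user and system temp folders
# from PowerShell and report what could not be removed.
# Assumed: run from an elevated Windows PowerShell prompt (2.0 or later).
param(
    [switch]$DryRun   # list what would be deleted without deleting anything
)

$targets = @(
    $env:TEMP,                          # the per-user temp folder (%temp%)
    (Join-Path $env:SystemRoot 'Temp')  # C:\Windows\Temp
)

$removed = 0
$skipped = @()

foreach ($dir in $targets) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Write-Host "Cleaning $dir"
    # -Force includes hidden and system files; deepest paths are deleted first so a
    # directory is only removed after its contents have been handled
    Get-ChildItem -LiteralPath $dir -Force -Recurse -ErrorAction SilentlyContinue |
        Sort-Object { $_.FullName.Length } -Descending |
        ForEach-Object {
            $path = $_.FullName
            try {
                if ($DryRun) {
                    Write-Host "  would remove $path"
                } else {
                    Remove-Item -LiteralPath $path -Force -Recurse -ErrorAction Stop
                    $removed++
                }
            } catch {
                # typically "being used by another process": leave it, as the post advises
                $skipped += $path
            }
        }
}

Write-Host "Removed $removed item(s); $($skipped.Count) could not be removed (likely in use):"
$skipped | ForEach-Object { Write-Host "  $_" }
```

Run it once with `-DryRun` to see the list, then without. Items still listed as skipped afterwards are usually locked by a running program and will go on the next reboot, as the post notes.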
Is it safe to delete everything in C:\Windows\Temp?
The link to hijackthis in that document (https://sa-live.com/l?v=0&ui=0&p=000c00000000000000000000400000000000&spid=mcafee-forums&url=-+78787...) results in page not found. Where is the best place to get it from?
The DDS page wants to download a file called DDS.SCR. I'm probably being overly paranoid at the moment, but the .SCR extension makes it look like a screen saver - is this the correct download?
Yes it's safe to delete all temp files. Whatever your computer needs it will recreate.
I've amended the HJT link and it's now downloadable again.
Yes DDS has a .scr extension which is fine.
Your choice which one you choose. I've always used HJT myself as it gives you a wider choice of places to post. But just pick one.
I followed Ex-Brit's advice and ran DDS. The good folks at Malwarebytes have been helping me check my system and it looks like I'm clean.
My subsequent research has turned up this interesting document which explains how the whole thing works:
Page 3, in particular, shows how it uses a genuine copy of the Adobe updater as a "disguise" to tempt you to allow it to run. The screenshots shown on that page are exactly what I saw. A combination of compromised web pages and a browser exploit would appear to be the cause of infection. Hopefully today's Windows security update to IE9 has helped!
The "update available now" trick usually works, as you found. The only safe way to get software updates without being tricked into downloading malware is to go to the vendor's website and get any updates from there.
I take it "DDS" was TDSSKiller. It worked?
DDS was DDS.scr as mentioned by Ex-Brit above. It provided logs of my system which enabled them to determine the virus was gone (after running a few more utilities including TDSSKiller to be sure).
In my case, I wasn't informed that there was a "new update available", it just started running an update without prompting or requiring any action from me. Luckily Windows User Access Control stopped it running and I denied it permission as I guessed it wasn't genuine. No serious infection therefore, just a few files downloaded which were removed by MalwareBytes. A subsequent restore of a disk image backup from before the infection reversed its effects anyway.
I'm afraid I've ditched McAfee now as I don't trust its web protection any more. Since my last post I've been hit by trojan.fakealert (that annoying fake antivirus popup one) which suddenly appeared while I was doing a Google image search. Again, McAfee didn't notice it and allowed it to run and update my registry to run it on boot. Again it was MalwareBytes and Acronis True Image to the rescue.
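Two things the thread keeps coming back to are a fake "Adobe update" disguised with a genuine-looking installer and malware that registers itself in the registry to run at boot. The following read-only PowerShell check is an added example, not from the thread or from any of the tools named in it: it lists the entries under the Run and RunOnce keys and uses Get-AuthenticodeSignature to report whether each registered executable carries a valid signature and who signed it. `Get-ExecutablePath` is a helper written for this example. It assumes Windows PowerShell 2.0 or later and changes nothing on the system.

```powershell
# Added example (not from the thread): list programs registered to start at logon
# and check the Authenticode signature of each one. Unsigned entries, entries whose
# file is missing, or an "update" not signed by the vendor it claims to be from are
# the ones to look at first. Assumed: Windows PowerShell 2.0 or later; read-only.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    # on 64-bit Windows, 32-bit programs register under Wow6432Node as well
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

function Get-ExecutablePath([string]$command) {
    # Helper for this example: a Run value is a command line; extract the executable.
    # Quoted form:   "C:\Program Files\Vendor\tool.exe" -arg
    # Unquoted form: C:\Vendor\tool.exe -arg   (the path itself may contain spaces)
    $command = [Environment]::ExpandEnvironmentVariables($command.Trim())
    if ($command -match '^"([^"]+)"') { return $matches[1] }
    $parts = $command -split ' '
    for ($i = 1; $i -le $parts.Count; $i++) {
        $candidate = $parts[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $parts[0]
}

$results = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own provider properties
        $exe = Get-ExecutablePath $p.Value
        $status = 'FileMissing'
        $signer = ''
        if (Test-Path -LiteralPath $exe -PathType Leaf) {
            $sig = Get-AuthenticodeSignature -FilePath $exe
            $status = $sig.Status.ToString()   # Valid, NotSigned, HashMismatch, NotTrusted, ...
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        New-Object PSObject -Property @{
            Key        = $key
            Name       = $p.Name
            Executable = $exe
            Status     = $status
            Signer     = $signer
        }
    }
}

# Sorted so that FileMissing / HashMismatch / NotSigned come before Valid
$results | Sort-Object Status | Format-Table Name, Status, Signer, Executable -AutoSize -Wrap
```

Read the Signer column against what the entry claims to be: a vendor's updater should be signed by that vendor's certificate. One caveat: some of Windows' own binaries are signed through security catalogs rather than an embedded signature, and older PowerShell versions report those as NotSigned, so a NotSigned Microsoft entry under C:\Windows is not by itself suspicious; a NotSigned file with a random-looking name in a temp or profile folder is worth investigating before the next reboot.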