dmeier (McAfee Employee)
Message 11 of 16

Re: Removal of zeroaccess variant

It would also be helpful to collect the exact operating system versions you are using. I'm happy to try to replicate this in a lab.

- David

Re: Removal of zeroaccess variant

The OS was Windows 7 32-bit.

I suspect that the removal of the rootkit is what caused the laptop to become unusable. Just to clarify, the infection was detected and cleaned by McAfee Enterprise, not Stinger.

This is the on-access log, starting with the first infection. Note that names have been changed to protect the innocent.

5/28/2012    8:06:31 PM        Engine version                          =    5400.1158

5/28/2012    8:06:31 PM        AntiVirus   DAT version                 =    6725.0

5/28/2012    8:06:31 PM        Number of detection signatures in EXTRA.DAT =    None

5/28/2012    8:06:31 PM        Names of detection signatures in EXTRA.DAT  =    None

5/28/2012    8:09:45 PM    Deleted     SYSTEM        C:\Users\User.Name.COMPUTERNAME\AppData\Local\Taskbar\TaskbarControl.exe    PWS-Zbot.gen.uh (Trojan)

5/29/2012    2:06:04 PM        Engine version                          =    5400.1158

5/29/2012    2:06:04 PM        AntiVirus   DAT version                 =    6726.0

5/29/2012    2:06:04 PM        Number of detection signatures in EXTRA.DAT =    None

5/29/2012    2:06:04 PM        Names of detection signatures in EXTRA.DAT  =    None

5/29/2012    2:11:26 PM    Not scanned  (scan timed out)     NT AUTHORITY\SYSTEM    C:\Windows\system32\CCM\CcmExec.exe    C:\Users\User.Name.COMPUTERNAME\Documents\Blackberry\610_b038_multilanguage.exe   

5/30/2012    4:11:59 PM        Engine version                          =    5400.1158

5/30/2012    4:11:59 PM        AntiVirus   DAT version                 =    6727.0

5/30/2012    4:11:59 PM        Number of detection signatures in EXTRA.DAT =    None

5/30/2012    4:11:59 PM        Names of detection signatures in EXTRA.DAT  =    None

5/31/2012    2:09:55 PM    Not scanned  (scan timed out)     NT AUTHORITY\SYSTEM    C:\Windows\system32\CCM\CcmExec.exe    C:\Users\User.Name.COMPUTERNAME\Documents\Blackberry\610_b038_multilanguage.exe   

5/31/2012    2:50:53 PM        Engine version                          =    5400.1158

5/31/2012    2:50:53 PM        AntiVirus   DAT version                 =    6728.0

5/31/2012    2:50:53 PM        Number of detection signatures in EXTRA.DAT =    None

5/31/2012    2:50:53 PM        Names of detection signatures in EXTRA.DAT  =    None

6/1/2012    4:52:54 PM        Engine version                          =    5400.1158

6/1/2012    4:52:54 PM        AntiVirus   DAT version                 =    6729.0

6/1/2012    4:52:54 PM        Number of detection signatures in EXTRA.DAT =    None

6/1/2012    4:52:54 PM        Names of detection signatures in EXTRA.DAT  =    None

6/1/2012    4:55:51 PM    Not scanned  (scan timed out)     SYSTEM           

6/1/2012    4:55:52 PM    No Action Taken (Clean failed)     SYSTEM        C:\Users\ANDYHA~1.AHA\AppData\Local\Temp\~!#AD0C.tmp    Trojan-FAII!B1559323F717 (Trojan)

6/2/2012    2:04:57 PM        Engine version                          =    5400.1158

6/2/2012    2:04:57 PM        AntiVirus   DAT version                 =    6730.0

6/2/2012    2:04:57 PM        Number of detection signatures in EXTRA.DAT =    None

6/2/2012    2:04:57 PM        Names of detection signatures in EXTRA.DAT  =    None

6/2/2012    2:07:53 PM    No Action Taken (Clean failed)     SYSTEM        C:\Users\ANDYHA~1.AHA\AppData\Local\Temp\~!#AD0C.tmp    Trojan-FAII!B1559323F717 (Trojan)

6/2/2012    2:10:06 PM    Not scanned  (scan timed out)     NT AUTHORITY\SYSTEM    C:\Windows\system32\CCM\CcmExec.exe    C:\Users\User.Name.COMPUTERNAME\Documents\Blackberry\610_b038_multilanguage.exe   

6/3/2012    2:54:52 PM        Engine version                          =    5400.1158

6/3/2012    2:54:52 PM        AntiVirus   DAT version                 =    6731.0

6/3/2012    2:54:52 PM        Number of detection signatures in EXTRA.DAT =    None

6/3/2012    2:54:52 PM        Names of detection signatures in EXTRA.DAT  =    None

6/3/2012    2:57:34 PM    No Action Taken (Clean failed)     SYSTEM        C:\Users\ANDYHA~1.AHA\AppData\Local\Temp\~!#AD0C.tmp    Trojan-FAII!B1559323F717 (Trojan)

6/3/2012    3:45:32 PM    Not scanned  (scan timed out)     COMPUTERNAME\User.Name    C:\Users\ANDYHA~1.AHA\AppData\Local\Temp\InstallFlashPlayer.exe    C:\Users\ANDYHA~1.AHA\AppData\Local\Temp\msimg32.dll   

6/3/2012    3:45:32 PM    Deleted (Clean failed)     COMPUTERNAME\User.Name    C:\Users\ANDYHA~1.AHA\AppData\Local\Temp\InstallFlashPlayer.exe    C:\Users\ANDYHA~1.AHA\AppData\Local\Temp\msimg32.dll    Trojan-FAII!E6DA800198BD (Trojan)

6/3/2012    3:52:37 PM    Will be deleted after the next reboot (Clean failed)     COMPUTERNAME\User.Name    C:\Windows\system32\taskmgr.exe    C:\Users\ANDYHA~1.AHA\AppData\Local\Temp\~!#AD0C.tmp    Trojan-FAII!B1559323F717 (Trojan)

6/3/2012    3:52:45 PM    Will be deleted after the next reboot (Clean failed)     COMPUTERNAME\User.Name    C:\Windows\system32\taskmgr.exe    C:\Users\ANDYHA~1.AHA\AppData\Local\Temp\~!#AD0C.tmp    Trojan-FAII!B1559323F717 (Trojan)

6/3/2012    3:52:53 PM    Will be deleted after the next reboot (Clean failed)     COMPUTERNAME\User.Name    C:\Windows\system32\taskmgr.exe    C:\Users\ANDYHA~1.AHA\AppData\Local\Temp\~!#AD0C.tmp    Trojan-FAII!B1559323F717 (Trojan)

6/4/2012    6:12:19 PM    Not scanned  (scan timed out)     NT AUTHORITY\SYSTEM    C:\Windows\system32\CCM\CcmExec.exe    C:\Users\User.Name.COMPUTERNAME\Documents\Blackberry\610_b038_multilanguage.exe   

6/4/2012    6:13:58 PM        Engine version                          =    5400.1158

6/4/2012    6:13:58 PM        AntiVirus   DAT version                 =    6732.0

6/4/2012    6:13:58 PM        Number of detection signatures in EXTRA.DAT =    None

6/4/2012    6:13:58 PM        Names of detection signatures in EXTRA.DAT  =    None

6/4/2012    6:17:04 PM    No Action Taken (Clean failed)     SYSTEM        C:\Users\ANDYHA~1.AHA\AppData\Local\Temp\~!#AD0C.tmp    Trojan-FAII!B1559323F717 (Trojan)

6/4/2012    6:39:37 PM    Not scanned  (scan timed out)     NT AUTHORITY\SYSTEM    C:\Windows\system32\rundll32.exe    C:\Users\User.Name.COMPUTERNAME\AppData\Local\Temp\nsrin.dll   

6/4/2012    6:39:37 PM    Deleted     NT AUTHORITY\SYSTEM    C:\Windows\system32\rundll32.exe    C:\Users\User.Name.COMPUTERNAME\AppData\Local\Temp\nsrin.dll    Medfos.b (Trojan)

6/5/2012    3:54:55 PM        Engine version                          =    5400.1158

6/5/2012    3:54:55 PM        AntiVirus   DAT version                 =    6733.0

6/5/2012    3:54:55 PM        Number of detection signatures in EXTRA.DAT =    None

6/5/2012    3:54:55 PM        Names of detection signatures in EXTRA.DAT  =    None

6/5/2012    3:57:37 PM    No Action Taken (Clean failed)     SYSTEM        C:\Users\ANDYHA~1.AHA\AppData\Local\Temp\~!#AD0C.tmp    Trojan-FAII!B1559323F717 (Trojan)

6/6/2012    2:10:11 PM    Not scanned  (scan timed out)     NT AUTHORITY\SYSTEM    C:\Windows\system32\CCM\CcmExec.exe    C:\Users\User.Name.COMPUTERNAME\Documents\Blackberry\610_b038_multilanguage.exe   

6/6/2012    2:47:52 PM    Will be deleted after the next reboot (Clean failed)     COMPUTERNAME\User.Name    C:\Program Files\Internet Explorer\iexplore.exe    C:\Users\User.Name.COMPUTERNAME\AppData\Local\{49ae13c1-b5c5-1302-4cd0-2b469cb6d978}\n    Trojan-FAII!A26E9E034017 (Trojan)

6/6/2012    2:48:00 PM    Will be deleted after the next reboot (Clean failed)     COMPUTERNAME\User.Name    C:\Program Files\Internet Explorer\iexplore.exe    C:\Users\User.Name.COMPUTERNAME\AppData\Local\{49ae13c1-b5c5-1302-4cd0-2b469cb6d978}\n    Trojan-FAII!A26E9E034017 (Trojan)

6/6/2012    2:48:08 PM    Will be deleted after the next reboot (Clean failed)     COMPUTERNAME\User.Name    C:\Program Files\Internet Explorer\iexplore.exe    C:\Users\User.Name.COMPUTERNAME\AppData\Local\{49ae13c1-b5c5-1302-4cd0-2b469cb6d978}\n    Trojan-FAII!A26E9E034017 (Trojan)

6/6/2012    2:48:16 PM    Will be deleted after the next reboot (Clean failed)     COMPUTERNAME\User.Name    C:\Program Files\Internet Explorer\iexplore.exe    C:\Users\User.Name.COMPUTERNAME\AppData\Local\{49ae13c1-b5c5-1302-4cd0-2b469cb6d978}\n    Trojan-FAII!A26E9E034017 (Trojan)

6/6/2012    2:48:24 PM    Will be deleted after the next reboot (Clean failed)     COMPUTERNAME\User.Name    C:\Program Files\Internet Explorer\iexplore.exe    C:\Users\User.Name.COMPUTERNAME\AppData\Local\{49ae13c1-b5c5-1302-4cd0-2b469cb6d978}\n    Trojan-FAII!A26E9E034017 (Trojan)

6/6/2012    4:51:55 PM        Engine version                          =    5400.1158

6/6/2012    4:51:55 PM        AntiVirus   DAT version                 =    6734.0

6/6/2012    4:51:55 PM        Number of detection signatures in EXTRA.DAT =    None

6/6/2012    4:51:55 PM        Names of detection signatures in EXTRA.DAT  =    None

6/6/2012    4:54:25 PM    No Action Taken (Clean failed)     SYSTEM        C:\Users\ANDYHA~1.AHA\AppData\Local\Temp\~!#AD0C.tmp    Trojan-FAII!B1559323F717 (Trojan)

6/7/2012    2:43:52 PM        Engine version                          =    5400.1158

6/7/2012    2:43:52 PM        AntiVirus   DAT version                 =    6735.0

6/7/2012    2:43:52 PM        Number of detection signatures in EXTRA.DAT =    None

6/7/2012    2:43:52 PM        Names of detection signatures in EXTRA.DAT  =    None

6/7/2012    2:46:21 PM    No Action Taken (Clean failed)     SYSTEM        C:\Users\ANDYHA~1.AHA\AppData\Local\Temp\~!#AD0C.tmp    Trojan-FAII!B1559323F717 (Trojan)

6/8/2012    2:10:27 PM    Not scanned  (scan timed out)     NT AUTHORITY\SYSTEM    C:\Windows\system32\CCM\CcmExec.exe    C:\Users\User.Name.COMPUTERNAME\Documents\Blackberry\610_b038_multilanguage.exe   

6/8/2012    3:53:53 PM        Engine version                          =    5400.1158

6/8/2012    3:53:53 PM        AntiVirus   DAT version                 =    6736.0

6/8/2012    3:53:53 PM        Number of detection signatures in EXTRA.DAT =    None

6/8/2012    3:53:53 PM        Names of detection signatures in EXTRA.DAT  =    None

6/8/2012    3:56:25 PM    No Action Taken (Clean failed)     SYSTEM        C:\Users\ANDYHA~1.AHA\AppData\Local\Temp\~!#AD0C.tmp    Trojan-FAII!B1559323F717 (Trojan)

6/9/2012    3:31:53 PM        Engine version                          =    5400.1158

6/9/2012    3:31:53 PM        AntiVirus   DAT version                 =    6737.0

6/9/2012    3:31:53 PM        Number of detection signatures in EXTRA.DAT =    None

6/9/2012    3:31:53 PM        Names of detection signatures in EXTRA.DAT  =    None

6/9/2012    3:34:15 PM    Deleted     SYSTEM        C:\Users\ANDYHA~1.AHA\AppData\Local\Temp\~!#AD0C.tmp    ZeroAccess.em (Trojan)

6/9/2012    3:35:31 PM    Deleted     COMPUTERNAME\User.Name    C:\Windows\Explorer.EXE    C:\Users\User.Name.COMPUTERNAME\AppData\Local\{49ae13c1-b5c5-1302-4cd0-2b469cb6d978}\U\00000001.@    ZeroAccess (Trojan)

6/9/2012    3:35:31 PM    Deleted     COMPUTERNAME\User.Name    C:\Windows\Explorer.EXE    C:\Users\User.Name.COMPUTERNAME\AppData\Local\{49ae13c1-b5c5-1302-4cd0-2b469cb6d978}\U\80000000.@    ZeroAccess.ee (Trojan)

6/9/2012    3:35:31 PM    Deleted     COMPUTERNAME\User.Name    C:\Windows\Explorer.EXE    C:\Users\User.Name.COMPUTERNAME\AppData\Local\{49ae13c1-b5c5-1302-4cd0-2b469cb6d978}\U\800000cb.@    ZeroAccess.eh (Trojan)

6/10/2012    2:10:33 PM    Not scanned  (scan timed out)     NT AUTHORITY\SYSTEM    C:\Windows\system32\CCM\CcmExec.exe    C:\Users\User.Name.COMPUTERNAME\Documents\Blackberry\610_b038_multilanguage.exe   

6/10/2012    2:15:57 PM    Not scanned  (scan timed out)     COMPUTERNAME\User.Name    C:\Program Files\Research In Motion\BlackBerry Desktop\Rim.Desktop.AutoUpdate.exe    C:\Users\User.Name.COMPUTERNAME\AppData\Roaming\Research In Motion\BlackBerry Desktop\Updates\33484803-750F-4154-A0A3-C0474F3BE1BE\Extractor.exe   

6/10/2012    2:16:11 PM    Will be deleted after the next reboot (Clean failed)     COMPUTERNAME\User.Name    c:\5a4bac3bc0295141f72367\install.exe    C:\Users\User.Name.COMPUTERNAME\AppData\Local\{49ae13c1-b5c5-1302-4cd0-2b469cb6d978}\n    ZeroAccess.em (Trojan)

6/10/2012    2:16:18 PM    Will be deleted after the next reboot (Clean failed)     COMPUTERNAME\User.Name    c:\5a4bac3bc0295141f72367\install.exe    C:\Users\User.Name.COMPUTERNAME\AppData\Local\{49ae13c1-b5c5-1302-4cd0-2b469cb6d978}\n    ZeroAccess.em (Trojan)

6/10/2012    2:16:25 PM    Will be deleted after the next reboot (Clean failed)     COMPUTERNAME\User.Name    c:\5a4bac3bc0295141f72367\install.exe    C:\Users\User.Name.COMPUTERNAME\AppData\Local\{49ae13c1-b5c5-1302-4cd0-2b469cb6d978}\n    ZeroAccess.em (Trojan)

6/10/2012    2:16:32 PM    Will be deleted after the next reboot (Clean failed)     COMPUTERNAME\User.Name    c:\5a4bac3bc0295141f72367\install.exe    C:\Users\User.Name.COMPUTERNAME\AppData\Local\{49ae13c1-b5c5-1302-4cd0-2b469cb6d978}\n    ZeroAccess.em (Trojan)

6/10/2012    2:16:39 PM    Will be deleted after the next reboot (Clean failed)     COMPUTERNAME\User.Name    c:\5a4bac3bc0295141f72367\install.exe    C:\Users\User.Name.COMPUTERNAME\AppData\Local\{49ae13c1-b5c5-1302-4cd0-2b469cb6d978}\n    ZeroAccess.em (Trojan)

6/10/2012    2:16:46 PM    Will be deleted after the next reboot (Clean failed)     COMPUTERNAME\User.Name    c:\5a4bac3bc0295141f72367\install.exe    C:\Users\User.Name.COMPUTERNAME\AppData\Local\{49ae13c1-b5c5-1302-4cd0-2b469cb6d978}\n    ZeroAccess.em (Trojan)

6/10/2012    2:16:53 PM    Will be deleted after the next reboot (Clean failed)     COMPUTERNAME\User.Name    c:\5a4bac3bc0295141f72367\install.exe    C:\Users\User.Name.COMPUTERNAME\AppData\Local\{49ae13c1-b5c5-1302-4cd0-2b469cb6d978}\n    ZeroAccess.em (Trojan)

6/10/2012    2:17:00 PM    Will be deleted after the next reboot (Clean failed)     COMPUTERNAME\User.Name    c:\5a4bac3bc0295141f72367\install.exe    C:\Users\User.Name.COMPUTERNAME\AppData\Local\{49ae13c1-b5c5-1302-4cd0-2b469cb6d978}\n    ZeroAccess.em (Trojan)

6/10/2012    2:17:07 PM    Will be deleted after the next reboot (Clean failed)     COMPUTERNAME\User.Name    c:\5a4bac3bc0295141f72367\install.exe    C:\Users\User.Name.COMPUTERNAME\AppData\Local\{49ae13c1-b5c5-1302-4cd0-2b469cb6d978}\n    ZeroAccess.em (Trojan)

6/10/2012    2:17:14 PM    Will be deleted after the next reboot (Clean failed)     COMPUTERNAME\User.Name    c:\5a4bac3bc0295141f72367\install.exe    C:\Users\User.Name.COMPUTERNAME\AppData\Local\{49ae13c1-b5c5-1302-4cd0-2b469cb6d978}\n    ZeroAccess.em (Trojan)

6/10/2012    2:17:21 PM    Will be deleted after the next reboot (Clean failed)     COMPUTERNAME\User.Name    c:\5a4bac3bc0295141f72367\install.exe    C:\Users\User.Name.COMPUTERNAME\AppData\Local\{49ae13c1-b5c5-1302-4cd0-2b469cb6d978}\n    ZeroAccess.em (Trojan)

6/10/2012    2:17:28 PM    Will be deleted after the next reboot (Clean failed)     COMPUTERNAME\User.Name    c:\5a4bac3bc0295141f72367\install.exe    C:\Users\User.Name.COMPUTERNAME\AppData\Local\{49ae13c1-b5c5-1302-4cd0-2b469cb6d978}\n    ZeroAccess.em (Trojan)

6/10/2012    2:17:35 PM    Will be deleted after the next reboot (Clean failed)     COMPUTERNAME\User.Name    c:\5a4bac3bc0295141f72367\install.exe    C:\Users\User.Name.COMPUTERNAME\AppData\Local\{49ae13c1-b5c5-1302-4cd0-2b469cb6d978}\n    ZeroAccess.em (Trojan)

6/10/2012    2:17:42 PM    Will be deleted after the next reboot (Clean failed)     COMPUTERNAME\User.Name    c:\5a4bac3bc0295141f72367\install.exe    C:\Users\User.Name.COMPUTERNAME\AppData\Local\{49ae13c1-b5c5-1302-4cd0-2b469cb6d978}\n    ZeroAccess.em (Trojan)

6/10/2012    2:17:49 PM    Will be deleted after the next reboot (Clean failed)     COMPUTERNAME\User.Name    c:\5a4bac3bc0295141f72367\install.exe    C:\Users\User.Name.COMPUTERNAME\AppData\Local\{49ae13c1-b5c5-1302-4cd0-2b469cb6d978}\n    ZeroAccess.em (Trojan)

6/10/2012    2:17:56 PM    Will be deleted after the next reboot (Clean failed)     COMPUTERNAME\User.Name    c:\5a4bac3bc0295141f72367\install.exe    C:\Users\User.Name.COMPUTERNAME\AppData\Local\{49ae13c1-b5c5-1302-4cd0-2b469cb6d978}\n    ZeroAccess.em (Trojan)

6/10/2012    2:18:03 PM    Will be deleted after the next reboot (Clean failed)     COMPUTERNAME\User.Name    c:\5a4bac3bc0295141f72367\install.exe    C:\Users\User.Name.COMPUTERNAME\AppData\Local\{49ae13c1-b5c5-1302-4cd0-2b469cb6d978}\n    ZeroAccess.em (Trojan)

6/10/2012    2:18:10 PM    Will be deleted after the next reboot (Clean failed)     COMPUTERNAME\User.Name    c:\5a4bac3bc0295141f72367\install.exe    C:\Users\User.Name.COMPUTERNAME\AppData\Local\{49ae13c1-b5c5-1302-4cd0-2b469cb6d978}\n    ZeroAccess.em (Trojan)

6/10/2012    2:18:17 PM    Will be deleted after the next reboot (Clean failed)     COMPUTERNAME\User.Name    c:\5a4bac3bc0295141f72367\install.exe    C:\Users\User.Name.COMPUTERNAME\AppData\Local\{49ae13c1-b5c5-1302-4cd0-2b469cb6d978}\n    ZeroAccess.em (Trojan)

6/10/2012    2:18:24 PM    Will be deleted after the next reboot (Clean failed)     COMPUTERNAME\User.Name    c:\5a4bac3bc0295141f72367\install.exe    C:\Users\User.Name.COMPUTERNAME\AppData\Local\{49ae13c1-b5c5-1302-4cd0-2b469cb6d978}\n    ZeroAccess.em (Trojan)

6/10/2012    2:18:31 PM    Will be deleted after the next reboot (Clean failed)     COMPUTERNAME\User.Name    c:\5a4bac3bc0295141f72367\install.exe    C:\Users\User.Name.COMPUTERNAME\AppData\Local\{49ae13c1-b5c5-1302-4cd0-2b469cb6d978}\n    ZeroAccess.em (Trojan)

6/10/2012    2:18:38 PM    Will be deleted after the next reboot (Clean failed)     COMPUTERNAME\User.Name    c:\5a4bac3bc0295141f72367\install.exe    C:\Users\User.Name.COMPUTERNAME\AppData\Local\{49ae13c1-b5c5-1302-4cd0-2b469cb6d978}\n    ZeroAccess.em (Trojan)

6/10/2012    2:18:45 PM    Will be deleted after the next reboot (Clean failed)     COMPUTERNAME\User.Name    c:\5a4bac3bc0295141f72367\install.exe    C:\Users\User.Name.COMPUTERNAME\AppData\Local\{49ae13c1-b5c5-1302-4cd0-2b469cb6d978}\n    ZeroAccess.em (Trojan)

6/10/2012    2:18:52 PM    Will be deleted after the next reboot (Clean failed)     COMPUTERNAME\User.Name    c:\5a4bac3bc0295141f72367\install.exe    C:\Users\User.Name.COMPUTERNAME\AppData\Local\{49ae13c1-b5c5-1302-4cd0-2b469cb6d978}\n    ZeroAccess.em (Trojan)

6/10/2012    2:18:59 PM    Will be deleted after the next reboot (Clean failed)     COMPUTERNAME\User.Name    c:\5a4bac3bc0295141f72367\install.exe    C:\Users\User.Name.COMPUTERNAME\AppData\Local\{49ae13c1-b5c5-1302-4cd0-2b469cb6d978}\n    ZeroAccess.em (Trojan)

6/10/2012    2:19:06 PM    Will be deleted after the next reboot (Clean failed)     COMPUTERNAME\User.Name    c:\5a4bac3bc0295141f72367\install.exe    C:\Users\User.Name.COMPUTERNAME\AppData\Local\{49ae13c1-b5c5-1302-4cd0-2b469cb6d978}\n    ZeroAccess.em (Trojan)

6/10/2012    2:19:13 PM    Will be deleted after the next reboot (Clean failed)     COMPUTERNAME\User.Name    c:\5a4bac3bc0295141f72367\install.exe    C:\Users\User.Name.COMPUTERNAME\AppData\Local\{49ae13c1-b5c5-1302-4cd0-2b469cb6d978}\n    ZeroAccess.em (Trojan)

6/10/2012    2:19:20 PM    Will be deleted after the next reboot (Clean failed)     COMPUTERNAME\User.Name    c:\5a4bac3bc0295141f72367\install.exe    C:\Users\User.Name.COMPUTERNAME\AppData\Local\{49ae13c1-b5c5-1302-4cd0-2b469cb6d978}\n    ZeroAccess.em (Trojan)

6/10/2012    2:19:27 PM    Will be deleted after the next reboot (Clean failed)     COMPUTERNAME\User.Name    c:\5a4bac3bc0295141f72367\install.exe    C:\Users\User.Name.COMPUTERNAME\AppData\Local\{49ae13c1-b5c5-1302-4cd0-2b469cb6d978}\n    ZeroAccess.em (Trojan)

6/10/2012    2:19:34 PM    Will be deleted after the next reboot (Clean failed)     COMPUTERNAME\User.Name    c:\5a4bac3bc0295141f72367\install.exe    C:\Users\User.Name.COMPUTERNAME\AppData\Local\{49ae13c1-b5c5-1302-4cd0-2b469cb6d978}\n    ZeroAccess.em (Trojan)

6/10/2012    2:19:50 PM    Will be deleted after the next reboot (Clean failed)     COMPUTERNAME\User.Name    c:\5a4bac3bc0295141f72367\install.exe    C:\Users\User.Name.COMPUTERNAME\AppData\Local\{49ae13c1-b5c5-1302-4cd0-2b469cb6d978}\n    ZeroAccess.em (Trojan)

6/10/2012    2:19:58 PM    Will be deleted after the next reboot (Clean failed)     COMPUTERNAME\User.Name    c:\5a4bac3bc0295141f72367\install.exe    C:\Users\User.Name.COMPUTERNAME\AppData\Local\{49ae13c1-b5c5-1302-4cd0-2b469cb6d978}\n    ZeroAccess.em (Trojan)

6/10/2012    2:20:26 PM    Statistics:

6/10/2012    2:20:26 PM    Files scanned:     283769

6/10/2012    2:20:26 PM    Files detected:     55

6/10/2012    2:20:26 PM    Files cleaned:     0

6/10/2012    2:20:26 PM    Files deleted:     5

6/10/2012    2:22:51 PM        Engine version                          =    5400.1158

6/10/2012    2:22:51 PM        AntiVirus   DAT version                 =    6737.0

6/10/2012    2:22:51 PM        Number of detection signatures in EXTRA.DAT =    None

6/10/2012    2:22:51 PM        Names of detection signatures in EXTRA.DAT  =    None

6/10/2012    2:23:40 PM    Not scanned  (scan timed out)     COMPUTERNAME\User.Name    C:\Windows\System32\rundll32.exe    C:\Users\ANDYHA~1.AHA\AppData\Local\Temp\wunaty.dll   

6/10/2012    2:23:41 PM    Deleted     COMPUTERNAME\User.Name    C:\Windows\System32\rundll32.exe    C:\Users\ANDYHA~1.AHA\AppData\Local\Temp\wunaty.dll    Medfos.d (Trojan)

6/10/2012    2:28:38 PM    Statistics:

6/10/2012    2:28:38 PM    Files scanned:     2037

6/10/2012    2:28:38 PM    Files detected:     1

6/10/2012    2:28:38 PM    Files cleaned:     0

6/10/2012    2:28:38 PM    Files deleted:     1
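
Triaging an on-access log like the one pasted above is easier with a small parser than by reading it top to bottom. The following is an added example, not McAfee tooling and not code from this thread. It assumes the log's fields are separated by runs of three or more spaces (as in the pasted text) and that a detection name is the last field and ends in a parenthesised class such as "(Trojan)"; the sample input is a handful of lines copied from the log above. It groups repeated "Clean failed" events per path, which is the pattern that points at a component the on-access scanner cannot remove while it is loaded, tracks how the same file's detection name changes as DATs update, and lists files that were never scanned because the scan timed out.

```python
"""Triage helper for a McAfee VSE on-access scan log (added example, not McAfee code)."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Assumption: fields are separated by 3+ spaces; values inside a field
# (e.g. "NT AUTHORITY\SYSTEM", "Not scanned  (scan timed out)") use one or two.
FIELD_SEP = re.compile(r"\s{3,}")
# Assumption: a detection name is the last field and ends in "(Class)".
DETECTION_RE = re.compile(r".+ \(\w+\)$")


@dataclass
class Event:
    when: datetime
    action: str               # e.g. "Deleted", "No Action Taken (Clean failed)"
    user: str
    process: Optional[str]    # process that touched the file, when logged
    path: Optional[str]       # file the scanner acted on
    detection: Optional[str]  # None for "Not scanned" lines


def parse_event(line: str) -> Optional[Event]:
    """Parse one scan-result line; return None for header and statistics lines."""
    line = line.strip()
    fields = FIELD_SEP.split(line)
    # Header lines carry "key = value"; statistics lines carry "Files scanned:" etc.
    if "=" in line or len(fields) < 4 or fields[2].endswith(":"):
        return None
    date, time_, action, user, *rest = fields
    when = datetime.strptime(f"{date} {time_}", "%m/%d/%Y %I:%M:%S %p")
    detection = rest.pop() if rest and DETECTION_RE.match(rest[-1]) else None
    process = path = None
    if len(rest) == 2:          # process + file
        process, path = rest
    elif len(rest) == 1:        # file only
        path = rest[0]
    return Event(when, action, user, process, path, detection)


def parse_log(text: str) -> list[Event]:
    return [e for e in (parse_event(raw) for raw in text.splitlines()) if e]


def clean_failures(events: list[Event]) -> dict[str, dict]:
    """Per detected-but-not-cleaned path: count, time span and detection names.
    A path that fails to clean day after day is a component the scanner cannot
    remove while it is in use (a rootkit-protected file in the pasted log)."""
    by_path: dict[str, list[Event]] = defaultdict(list)
    for e in events:
        if e.detection and "Clean failed" in e.action:
            by_path[e.path].append(e)
    return {
        path: {"count": len(evs), "first": evs[0].when, "last": evs[-1].when,
               "detections": sorted({e.detection for e in evs})}
        for path, evs in by_path.items()
    }


def detection_history(events: list[Event], path: str) -> list[tuple[datetime, str, str]]:
    """(timestamp, detection, action) for one path, in log order: shows a generic
    Trojan-FAII!<hash> name becoming ZeroAccess.em once a later DAT knows it."""
    return [(e.when, e.detection, e.action) for e in events if e.path == path and e.detection]


def timed_out(events: list[Event]) -> dict[str, int]:
    """Files the scanner gave up on ("Not scanned (scan timed out)") and how often."""
    counts: dict[str, int] = defaultdict(int)
    for e in events:
        if e.action.startswith("Not scanned") and e.path:
            counts[e.path] += 1
    return dict(counts)


# Constructed sample: a handful of lines copied from the on-access log above.
SAMPLE_LOG = r"""
5/28/2012    8:06:31 PM        Engine version                          =    5400.1158
5/28/2012    8:06:31 PM        AntiVirus   DAT version                 =    6725.0
5/28/2012    8:09:45 PM    Deleted     SYSTEM        C:\Users\User.Name.COMPUTERNAME\AppData\Local\Taskbar\TaskbarControl.exe    PWS-Zbot.gen.uh (Trojan)
5/29/2012    2:11:26 PM    Not scanned  (scan timed out)     NT AUTHORITY\SYSTEM    C:\Windows\system32\CCM\CcmExec.exe    C:\Users\User.Name.COMPUTERNAME\Documents\Blackberry\610_b038_multilanguage.exe
6/1/2012    4:55:52 PM    No Action Taken (Clean failed)     SYSTEM        C:\Users\ANDYHA~1.AHA\AppData\Local\Temp\~!#AD0C.tmp    Trojan-FAII!B1559323F717 (Trojan)
6/2/2012    2:07:53 PM    No Action Taken (Clean failed)     SYSTEM        C:\Users\ANDYHA~1.AHA\AppData\Local\Temp\~!#AD0C.tmp    Trojan-FAII!B1559323F717 (Trojan)
6/3/2012    3:52:37 PM    Will be deleted after the next reboot (Clean failed)     COMPUTERNAME\User.Name    C:\Windows\system32\taskmgr.exe    C:\Users\ANDYHA~1.AHA\AppData\Local\Temp\~!#AD0C.tmp    Trojan-FAII!B1559323F717 (Trojan)
6/9/2012    3:34:15 PM    Deleted     SYSTEM        C:\Users\ANDYHA~1.AHA\AppData\Local\Temp\~!#AD0C.tmp    ZeroAccess.em (Trojan)
6/10/2012    2:16:11 PM    Will be deleted after the next reboot (Clean failed)     COMPUTERNAME\User.Name    c:\5a4bac3bc0295141f72367\install.exe    C:\Users\User.Name.COMPUTERNAME\AppData\Local\{49ae13c1-b5c5-1302-4cd0-2b469cb6d978}\n    ZeroAccess.em (Trojan)
6/10/2012    2:20:26 PM    Statistics:
6/10/2012    2:20:26 PM    Files scanned:     283769
6/10/2012    2:20:26 PM    Files detected:     55
"""

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for p, info in clean_failures(evs).items():
        print(f"{info['count']}x clean failed {info['first']:%m/%d}..{info['last']:%m/%d}  {p}  {info['detections']}")
    for when, name, action in detection_history(evs, r"C:\Users\ANDYHA~1.AHA\AppData\Local\Temp\~!#AD0C.tmp"):
        print(f"{when:%m/%d %H:%M}  {name:36}  {action}")
    print("timed out:", timed_out(evs))
```

Run against the full log, the clean-failure table puts the `~!#AD0C.tmp` file and the `{GUID}\n` file at the top, and the history for the `.tmp` file shows it detected under a generic name for eight days before DAT 6737 named it ZeroAccess.em and deleted it; that is the point at which the rootkit's protection was removed and, as the post suggests, the machine stopped booting normally.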

woodze (Level 7)
Message 13 of 16

Re: Removal of zeroaccess variant

Hey angelyne, I had this virus. Same result as yourself, with McAfee removing the virus but still allowing 450-odd registry settings to be changed, one of them causing the Microsoft "this copy of Windows is not genuine" message to appear. Basically the PC is fully locked down: no USB access, and when doing an ipconfig it reports there being no adapter. Since McAfee managed to remove the virus, I thought of trying to use a restore point from a previous day, which also failed to work. The solution I found, minutes before I threw in the towel and started to re-image the laptop, was to boot into safe mode and try to go back to a previous restore point, and hey presto, it worked and all the settings had been reverted.

Peacekeeper (Reliable Contributor)
Message 14 of 16

Re: Removal of zeroaccess variant

It is great that the restore point worked; we always suggest one tries that, but a number of these types of malware disable restore points or somehow stop you restoring. Good idea to try a safe mode restore if it does not work in Windows at first.

Some of these new ZeroAccess versions leave you no option but to rebuild the OS. At least, that is what I read.

Message was edited by: Peacekeeper on 10/07/12 5:52:19 AM

Re: Removal of zeroaccess variant

We were also hit by this new variant of ZeroAccess, and of about 15 infected laptops only one was able to be recovered. After a week, a recent DAT update for VSE was able to detect and remove the threat and found the rootkit name, but left the machine as not genuine in every case.

The only laptop we saved from reimaging was saved by doing a system repair, which to my surprise worked, as there was no restore point available.

Peacekeeper (Reliable Contributor)
Message 16 of 16

Re: Removal of zeroaccess variant

Also, if you get the restore point to work, disable restore points to remove the bad ones and create a new one.
