Former Member
Message 1 of 24

ZeroAccess-FAT!D1A909DB8D6F rootkit trojan - help needed


Operating system:

-----------------

MS Windows XP Professional

Version 2002

Service Pack 3

all Microsoft/Windows updates were up-to-date at the time of this incident.

Product Info:

-------------

McAfee SecurityCenter

Version: 11.6

Build: 11.6.511

AffId: 910

Language: en-us

Last update: 5/15/2013

McAfee Virus Scan

Version: 15.6

Build: 15.6.245

Last Update: 9/5/2013

DAT version: 7189

DAT creation date: 9/5/2013

Boot DAT Version: 7186.0000

Boot DAT Creation Date: 9/2/2013

Engine Version: 5500.1093

Malware Info:

-------------

Detected: ZeroAccess-FAT!D1A909DB8D6F (Trojan)

Quarantined From: C:\WINDOWS\assembly\GAC\Desktop.ini

SecurityCenter says that Windows Firewall is disabled.  Attempts to enable it fail.

Full McAfee virus scan detects nothing.  But McAfee pops up a window saying:

McAfee

Trojan Detected

McAfee detected an infected file on your PC. Restart your PC so we can fix it.

About This Trojan

Detected: ZeroAccess-FAT!D1A909DB8D6F (Trojan)

Quarantined from: C:\WINDOWS\assembly\GAC\Desktop.ini

We cannot remove a Trojan while the infected file is in use. Restarting your PC frees up

the infected file allowing McAfee to fix the issue. [Restart now] [Restart later]

Restarting fails to fix it.  Full Scan detects no issues, but the popup window I've just described reappears.

I have downloaded and run rootkitremover (v. 0.8.9.161).  It runs but detects nothing.  I still cannot enable firewall, and the "Trojan Detected" window reappears.

I unplugged the computer from the network quickly when this all started, and am using a second, networked, computer to try to fix this, using a USB drive to transfer downloaded files.

This version of McAfee was provided by my ISP (Time Warner) and has been kept up-to-date.  But now I see that TW apparently provides a newer version, McAfee 2013.  (Why my regular updates never acquired the current version, I don't know. TW doesn't have the greatest customer support!)  If I can install this latest version of McAfee AntiVirus, will it fix this variant of the ZeroAccess trojan?  A web search produces no info at all about ZeroAccess-FAT!...etc. although other variants are mentioned.

I've just read "Required Reading - Home User Assistance Malware Troubleshooting" at https://community.mcafee.com/docs/DOC-1294 .  Since my SecurityCenter is RED (Windows Firewall is OFF), I did not proceed to Step 2 of that document.

Thanks for reading this.  I'd really appreciate help to remove this nasty rootkit and get my computer back!

- Pat


23 Replies

Re: ZeroAccess-FAT!D1A909DB8D6F rootkit trojan - help needed


There are so many variants of ZeroAccess it's not surprising that some are difficult to remove.   McAfee does detect a large number but nothing is perfect.

Try running Stinger and Malwarebytes Free, see the last link in my signature below for hints and a link to them.   To keep Malwarebytes free of charge do NOT accept the free trial offer.

If that doesn't help then I suggest running either Hijackthis or DDS as suggested lower down that last link and posting their log as suggested on a specialist forum for expert advice.

By the way your Windows Firewall will show as off as the McAfee one is on.

Hayton
Reliable Contributor
Message 3 of 24

Re: ZeroAccess-FAT!D1A909DB8D6F rootkit trojan - help needed


This is a new variant of ZeroAccess, hence the string of characters in the suffix. It needs to be analysed properly before it can be countered. I don't know whether the Labs have had access to an infected system yet to do the analysis.

Nevertheless, infecting desktop.ini in that location is what most ZeroAccess variants do. Stinger might have been updated by now to deal with it, so that's worth a try.

See these threads where earlier variants were involved

https://community.mcafee.com/message/252951#252951

https://community.mcafee.com/message/244593#244593

Windows system files may need replacing with their original versions (via 'sfc /scannow') and the integrity of the MBR should be checked. The posts in those threads should cover those points.

Bear in mind what Microsoft say about ZeroAccess (or Sirefef, the MS name for it)

"Particular variants of Win32/Sirefef may also make lasting changes to your computer that will NOT be restored - some system files may be irrevocably corrupted and essential security services may be disabled.

Due to the severe consequences associated with this threat, you may need to reinstall your Windows operating system and other computer programs, and restore your files and data from backup if your computer is infected with any of the following Sirefef variants:

- Trojan:Win32/Sirefef.AA

- Trojan:Win32/Sirefef.AC

- Trojan:Win32/Sirefef.AH"
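An added triage script, written for this edit and not part of the thread, of McAfee Stinger or of any tool Hayton names, to illustrate two of the checks mentioned above: looking at the Desktop.ini that ZeroAccess plants under C:\WINDOWS\assembly\GAC (the path quarantined in the first post), and a basic sanity check of a saved MBR sector. The script is meant to be run from a clean machine against a copied or mounted Windows directory, which matches how the OP is working with a second computer and a USB drive. Everything beyond the path quoted in the thread is an assumption and is labelled as such in the code: that the GAC_32 and GAC_64 folders are worth checking too, that a legitimate Desktop.ini is always plain INI text so binary content under that name is suspect, and that the MBR sector was captured separately (for example with dd from a rescue disc). The sample Windows tree it builds when run directly is constructed for the demonstration.

```python
"""Offline triage for the ZeroAccess / Sirefef Desktop.ini indicator.

Added example, not code from the thread. It inspects Desktop.ini files under
the assembly\\GAC folder quarantined in this thread (GAC_32 and GAC_64 are an
assumption drawn from other reports of the family) and does a basic sanity
check on a 512-byte MBR sector captured elsewhere (e.g. with dd from a rescue OS).
"""
import hashlib
import os
import string
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# "assembly/GAC" is the path quarantined in the thread; the other two are assumptions.
SUSPECT_SUBDIRS = ("assembly/GAC", "assembly/GAC_32", "assembly/GAC_64")

PRINTABLE = frozenset(string.printable.encode("ascii"))


def looks_like_text_ini(data: bytes) -> bool:
    """True when the bytes are plausible INI text (ASCII, or UTF-16LE with a BOM)."""
    if data.startswith(b"\xff\xfe"):            # Windows often writes Desktop.ini as UTF-16LE
        try:
            data = data[2:].decode("utf-16-le").encode("ascii")
        except UnicodeError:
            return False
    if not data.strip():
        return True                               # empty file: nothing to hide
    return b"[" in data and all(b in PRINTABLE for b in data)


def classify_desktop_ini(data: bytes) -> str:
    """'benign' for INI text, 'pe_payload' for an MZ header, otherwise 'binary'.

    Assumption: a legitimate Desktop.ini is always text, so any binary content
    under that file name is worth quarantining and submitting to the AV vendor.
    """
    if data[:2] == b"MZ":
        return "pe_payload"
    if looks_like_text_ini(data):
        return "benign"
    return "binary"


def triage_windir(windir: Path) -> List[Dict[str, object]]:
    """Walk the suspect GAC folders and report every desktop.ini found."""
    findings = []
    for sub in SUSPECT_SUBDIRS:
        base = windir / sub
        if not base.is_dir():
            continue
        for p in base.rglob("*"):                 # name compared case-insensitively
            if p.is_file() and p.name.lower() == "desktop.ini":
                data = p.read_bytes()
                findings.append({
                    "path": str(p.relative_to(windir)),
                    "size": len(data),
                    "sha256": hashlib.sha256(data).hexdigest(),
                    "verdict": classify_desktop_ini(data),
                })
    return findings


def mbr_issues(sector: bytes, baseline_bootcode_sha256: Optional[str] = None) -> List[str]:
    """Basic MBR checks: size, 0x55AA signature, boot-code hash against a known-good baseline.

    Only bytes 0..439 (the boot code) are hashed: the disk signature and the
    partition table that follow legitimately differ from machine to machine.
    """
    issues = []
    if len(sector) != 512:
        return ["sector is %d bytes, expected 512" % len(sector)]
    if sector[510:512] != b"\x55\xaa":
        issues.append("missing 0x55AA boot signature")
    if baseline_bootcode_sha256 is not None:
        if hashlib.sha256(sector[:440]).hexdigest() != baseline_bootcode_sha256:
            issues.append("boot code differs from baseline")
    return issues


def demo() -> List[Dict[str, object]]:
    """Build a constructed Windows tree in a temp dir and triage it."""
    root = Path(tempfile.mkdtemp())
    windir = root / "WINDOWS"
    good = windir / "assembly" / "GAC_32" / "Desktop.ini"
    bad = windir / "assembly" / "GAC" / "Desktop.ini"
    good.parent.mkdir(parents=True)
    bad.parent.mkdir(parents=True)
    good.write_bytes(b"[.ShellClassInfo]\r\nIconResource=shell32.dll,3\r\n")  # constructed, benign
    bad.write_bytes(b"MZ\x90\x00" + os.urandom(200))                           # constructed, fake payload
    return sorted(triage_windir(windir), key=lambda f: f["path"])


if __name__ == "__main__":
    for f in demo():
        print("%-40s %6d bytes  %s" % (f["path"], f["size"], f["verdict"]))
```

Anything reported as pe_payload or binary should be copied off (not opened) and submitted to the AV vendor along with its SHA-256; the hash is also what you would compare against a later DAT update. The MBR baseline hash has to come from a trusted copy of the same boot code (a clean install of the same Windows version), otherwise a mismatch only tells you the boot code is not what you expected, not that it is malicious.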

Former Member
Message 4 of 24

Re: ZeroAccess-FAT!D1A909DB8D6F rootkit trojan - help needed


Thank you so much, Hayton and Ex-Brit, for your responses!

Having learned that ZeroAccess is also known as Sirefef, I dug around the Microsoft support site last night and found their Safety Scanner:

http://www.microsoft.com/security/scanner/en-us/default.aspx

Ran Safety Scanner this morning as directed, and it worked!!!  It detected and fixed Sirefef variants .AB and .CA

I then ran McAfee's updater, then Windows updates.  These seemed to go well.  On restart, the computer seemed to get stuck on FlashPlayerUpdateService -- it wouldn't finish starting up but I couldn't shut it down nicely either, so pressed the RESET button, which got it to come back up normally.  Now everything seems to be running right.  {BIG SIGH OF RELIEF}

Based (only) on this experience, I can recommend MS Safety Scanner for this particular trojan.

By the way, I believe the trojan was acquired by clicking a link within an email message that appeared to be a LinkedIn.com invitation.  I KNOW better than to do stuff like that!!  I NEVER click on stuff like that!  Until... I did...  Hmm, guess I hadn't had enough coffee that morning and wasn't thinking straight.

Hope this helps the next victim.


Re: ZeroAccess-FAT!D1A909DB8D6F rootkit trojan - help needed


There are a lot of pseudo Linkedin invitation emails caught by my spam service so avoid such things at all costs.   Even genuine Linkedin messages apparently have been suspects in spreading infection.  Needless to say I ditched Linkedin altogether because it obviously isn't secure at all.

Former Member
Message 6 of 24

Re: ZeroAccess-FAT!D1A909DB8D6F rootkit trojan - help needed


Update:

Three days after successful removal, the following set of malware was detected by McAfee AntiVirus and successfully QUARANTINED and removed with no effort required from me.

ZeroAccess-FCF!00B49E4F691A

ZeroAccess-FAT!D1A909DB8D6F

ZeroAccess.a!cfg

Exploit-CVE2013-2465

Exploit-FLK!CVE2013-2465

Way to go, McAfee !!!   Your diligence in swatting down the nasties is appreciated!

(BTW, this time it wasn't me on the computer when the infection arrived, so I don't know the cause of it.)

Re: ZeroAccess-FAT!D1A909DB8D6F rootkit trojan - help needed


ZeroAccess has new variants appearing constantly so the software will catch more as time goes along but I would be concerned as to where those are coming from in the first place !?!

Former Member
Message 8 of 24

Re: ZeroAccess-FAT!D1A909DB8D6F rootkit trojan - help needed


Yep, I'm concerned too.  Since security issues are rare on our computer (we're smart, careful, and keep everything updated), my first thought with this latest batch was that the original ZeroAccess infection just hadn't been completely eliminated.  When I saw that McAfee had detected & quarantined these things, I scanned with a fresh copy of MS Safety Scanner and then a full McAfee AV scan, and both came back clean.  No sign of problems since then.

The new stuff was detected while Firefox was connected to youtube, watching videos demonstrating coffeemaker accessories (not an especially high-risk search topic).

As I'm typing this, Firefox has popped up its "software updates available" window "strongly recommending" the installation of 17 security hole fixes.  Eleven of those vulnerabilities permit compromise of a machine via normal browsing activity.    *sigh*...   I hates bad guys.  Hates 'em, hates 'em, I do.

Re: ZeroAccess-FAT!D1A909DB8D6F rootkit trojan - help needed


I hear you.  My Firefox updated just now and am now in the process of trying to update iOS on my iPad.

Former Member
Message 10 of 24

Re: ZeroAccess-FAT!D1A909DB8D6F rootkit trojan - help needed


Thank you pls!!!

I had a ZeroAccess trojan virus that was quarantined by McAfee. I couldn't use my PC because I couldn't get rid of the McAfee alert message.

I followed your advice and ran MS Safety Scanner and my PC is back to normal again.

It saved me support fees and lots of time!

Best regards to you!
