I am new in the Community. my pc was infected by the "FBI" virus and had Mcafee virus removal team clean it (paid service) on July 22, 2013. By the way, I have Mcafee Total Protection on my XP. However, McAfee detected desktop.ini recently and could not delete one of them. I reviewed my Mcafee security log and realized that zeroAccess trojans have been quarantined since Feb 2013.
I tried to kill the desktop.ini with Stinger and did not succeed. Tried rootkit remover and would not work in safe mode saying it should be run as Administrator!! which I was. Ran in normal mode and it said "no issues found'! Then I ran Malwarebytes and it found a truckload of issues and rectified them except one of the desktop.ini
I ran McAfee several times and some times it said no issues and some times said desktop.ini could not be repaired!! By this time, McAfee realtime scan got disabled and I was not able to turn it on. Went on to the McAfee downlod site and signed-in but the site said my IE is outdated!! I have reinstalled IE and as before, it is v8. Still McAfee site said i had an older version!!! Windows update is not working either.
This was up to this morning. This afternoon, I checked again, and the real time scan is on!! I have the McAfee icon in the tray and when you hover over, it has no response. The same is true with both right and left clicks. I know the trojan is still there as it rearranges my recycle Bin every time I restart the machine. It sometimes doesnot let either stinger or malwarebytes to finish scanning!!!
Please help. I do not trust the statuses/ scan results that McAfee total protection displays as (maybe, for lack of knowlwdge) i believe ZeroAccess let some virus to manipulate Mcafee settings and then to change it back.
Okay, details first.
You've got XP. SP3 with all the latest Microsoft updates, right?
Your McAfee is "Total Protection". Can you find which version number and build number you've got for the following (double-click the McAfee icon on the desktop to open Security Center, then click on About) -
- Security Center
- DAT version
How many ZeroAccess detections have you got and when was the latest one detected? More than one either means you're being re-infected, or the removal isn't working correctly.
If you've got XP you can't go higher than Internet Explorer 8. If the download site thinks you've got an earlier version you may have old files left over from IE6 or IE7. What was the URL of the download site, I'll check this on my XP machine.
When you say the recycle bin is re-arranged when you start up the PC, what exactly do you mean? Is it the desktop icon, or the contents of the recycle bin? I know some malware hides itself in there, so it could be significant.
Thanks for the quick response.
Security center - version 12.8 Build 12.8.310
Virus scan: v 16.8 Build 16.8.158 engine version 1613.0
Firewall: v 13.8 Build 13.8.151
Where do i find the DAT version info?
McAfee only detected 4 0r 5 zeroaccess in a certain scan but when checked quarantined files in total protection/navigation/quarantine it displays 28 items on Aug 6th! But I know Malware detected other trojans as well. Agent, Qhost, Downloader etc and deleted them.McAfee usually finds only 2 desktop.ini and cannot delete one of them.
I have Xp SP3 upadated by windows auto update but do not when the latest update was. not letting me find out the current status as service and support service is not running and i cannot restart it as it is not listed in services.
mCaFEE aCCOUNT url: https://home.mcafee.com/secure/Myaccount/ I tried this today on the infected pc, and IE is freezing up. so hard to select the tabs on that page. when I try I can see on the status bar so many other pages are being loaded but only getsavin comes up with a McAfee promo on another tab. if I Close McAfee page it closes after some hesistence. any other web sites works so smoothly!
I forgot to mention that I had been using firefox until July 22, 2013 and switched back to IE. Mainly because the tech guy when he fixed the FBI virus, changed the default browser to IE, and i thought perhaps Firefox was more vulnerable. Just an FYi.
The "other pages" on the status bar may be content from other sites, but it's always best to check for additions to a browser so in IE8 select 'Manage Add-ons' from the Tools menu and look for toolbars and extra programs in 'Toolbars and Extensions'. These can slow down a browser, and if you don't need them you can at least disable them even if you can't easily remove them. Also look in 'Search Providers' and disable any that you don't use.
When I used IE8 to go to the MyAccount site I only saw two or three entries in the status bar, so your browser is making more connections than mine. Let's try to find out why.
Last question tonight : can you connect to the Microsoft site from Internet Explorer? Use Tools-->Windows Update. If you can't connect for updates then you probably have got some malware on your system.
No, I cannot connect to the MS site from internet explorer.
Obviously, everytime I browse the internet malwares get reinstalled. I ran virus scan last night and Mcafee found and removed RDN/Generic BackDoors!sl so i believe desktop.ini still present despite the fact that McAfee is not detecting it any more. I have disconnected the network cable so my pc is not connected to the internet. Awaiting your response before I do anything. I am on my laptop right now.
Desktop.ini files contain some information about where your icons are located and details about explorer's display.
The fact that you are still getting random viruses detected and removed means you still have another hidden/undetected threat on your computer.
You cannot delete desktop.ini if it is protected by a rootkit or damaged in the file system (or had its NTFS ACL Permissions changed to Deny).
Did MalwareBytes detect desktop.ini as anything? It is unlikely for the file to survive the kernel driver on next boot if it was detected.
Your best bet is to do an "Offline" scan of your computer. Since McAfee is not detecting this threat, I would suggest using a different scanner. This involves downloading and CD ISO Image file and burning the image to a CD/DVD-R/RW. You would then start the computer using the CD/DVD and scan and clean the computer when the virus is not loaded and able to protect itself.
Here is a link to Kaspersky's Linux-based Rescue disk which will update and scan and clean your computer of known threats.
Kaspersky Rescue Disk Information: http://support.kaspersky.com/4131
Direct Download of the ISO: http://rescuedisk.kaspersky-labs.com/rescuedisk/updatable/kav_rescue_10.iso
I also made a Boot CD years ago which contained a self updating scanner from ESET NOD32 AntiVirus. You can give that a try too.
Information/Download Link: https://community.mcafee.com/thread/6923
// Edit: Tech Note: Scanners may miss files with NTFS ACL Permissions set to Deny or Special Access. These folders and files that cannot be read by the boot cd scanners should be examined for file/folder ownership and permissions to make sure no viruses are hiding there.
Yes, Malwarebytes detected desktop.ini ( two ZeroAccess) but was only able to delete one of them.
i am not a techie so I can ask this question: Can I download the CD ISO image to a flash drive? My burner is not working properly and my laptop does not have a burner.
How do I search for files with NTFS ACL Permissions set to Deny or Special Access?