cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
l0rents
Level 7
Report Inappropriate Content
Message 1 of 7
‎10-07-2012 04:48 AM

Managed to remove ZeroAccess.hg trojan

I'm posting my recent experiences with a trojan which I eventually magaged to remove (at least, that's my hope).

I am using McAfee Internet Security 11.6. A few days ago I mindless ran a suspicious program downloaded from the Internet which contained a trojan.

When I ran the program McAfee reported it as infected but evidently did NOT prevent the  trojan to run and install itself (disappointing).

Since then the McAfee firewall started turning itself off every 10 minutes or so. I performed a full system scan with McAfee but the system was found clean.

Even when explicitly scanning (right-click on the file name, Scan) the original infected executable McAfee said it was clean.

I uploaded the executable to www.virustotal.com and here are the results:

AntiVir                              BDS/ZAccess.yrh.1

Avast                              Win32:ZAccess-JH

BitDefender                    Trojan.Agent.AWXR

Comodo                              TrojWare.Win32.Trojan.Agent.Gen

DrWeb                              Trojan.DownLoader6.62544

ESET-NOD32                    Win32/Sirefef.EV

F-Secure                    Trojan.Agent.AWXR

Fortinet                    W32/ZAccess.YRH!tr.bdr

GData                              Trojan.Agent.AWXR

K7AntiVirus                    Backdoor

Kaspersky                    Backdoor.Win32.ZAccess.yrh

Kingsoft                    Win32.Troj.Agent.cg.(kcloud)

McAfee                              ZeroAccess.hg

Microsoft                    Trojan:Win32/Sirefef.P

Norman                              W32/ZAccess.PDF

nProtect                    Trojan.Agent.AWXR

Panda                              Trj/CI.A

Sophos                              Mal/EncPk-ACO

Symantec                    WS.Reputation.1

VIPRE                              Trojan.Win32.Generic!BT

ViRobot                              Backdoor.Win32.A.ZAccess.165888.X

I then downloaded and scanned my system (all files for each scan, it's taken ages!) with these programs (the latest versions available):

McAfee RootKit remover

McAfee Stinger

Sophos Virus Removal Tool

Kasperky TDSSKiller

SpyBot search and destroy

SpyHunter

Malwarebytes Anti-Malware

NONE of these programs found any infected file on my system, so this sucker of a trojan was hiding very well indeed!

I also tried scanning after rebooting windows in Safe mode (with or without network) but nothing changed.

As a last resort I  physically took out the hard disk from my laptop and then used an external USB hard disk bay to access it from another computer and then scanned it using F-Prot security. This scan too didn't find anything; however I realised that several directories (including the directory where the original infected executable was) were not accessible from Explorer due to Window's privacy controls, so this scan probably doesn't really count.

Eventually I found threads on the McAfee forums reporting similar problems; in one of the messages there is a link to this guide http://malwaretips.com/Thread-How-to-completely-remove-ZeroAccess-Sirefef-rootkit-Removal-Guide "How to completely remove ZeroAccess/Sirefef rootkit". I followed the instruction to the letter and (I think!) I managed to get rid of the flipping trojan.

Essentially I downloaded and executed EZ_SireFix.exe, ServicesRepair.exe and ComboFix.exe (following the instructions) and having done that the problem with the McAfee firewall turning off stopped.

I downloaded and ran HitmanPro, and ESET online scanner and neither of them found any problem on my system (for what it's worth).

Over the following week I didn't notice any suspicious behaviours in my computer so I assume it is clean.

0 Kudos
Reply
6 Replies
exbrit
MVP
Report Inappropriate Content
Message 2 of 7
‎10-07-2012 05:23 AM

Re: Managed to remove ZeroAccess.hg trojan

That's interesting.  When McAfee first detected the problem did it indicate action taken or that a reboot was required?    I'm wondering if you had then rebooted into Safe Mode and run a scan if that would have cleaned it out.  (Safe Mode scans are different - you can only right-click the taskbar icon and select 'Run a Scan' and the SecurityCenter wont open).

The fact that none of those additional programs found anything would indicate that it had removed whatever it was, although now of course we can't be certain.    But usually when it detects something it quarantines it immediately.   Was or is there anything in the Quarantine folders?

0 Kudos
Reply
l0rents
Level 7
Report Inappropriate Content
Message 3 of 7
‎10-07-2012 07:54 AM

Re: Managed to remove ZeroAccess.hg trojan

Unfortunately I don't remember exactly what McAfee said when it encountered the Trojan. For sure it didn't give me any option to reboot & delete, or I'd certainly have selected that. I seem to remember it said that the thret had been removed, or something to this extent.

McAfee and all the other security program failed to detect the Trojan if if the original infected executable (the one I sent to virustotal.com) was present in the system.

0 Kudos
Reply
exbrit
MVP
Report Inappropriate Content
Message 4 of 7
‎10-07-2012 08:40 AM

Re: Managed to remove ZeroAccess.hg trojan

Open SecurityCenter

Click Navigation

Scroll down to Quarantined and Trusted Items

Click on those 'drawers' and see if anything is in there.

It is rather curious I must admit.

0 Kudos
Reply
Hayton
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 5 of 7
‎10-12-2012 06:02 AM

Re: Managed to remove ZeroAccess.hg trojan

Thread moved into Top Threats

0 Kudos
Reply
l0rents
Level 7
Report Inappropriate Content
Message 6 of 7
‎10-12-2012 06:41 AM

Re: Managed to remove ZeroAccess.hg trojan

Hi, sorry for the late reply. I have checked in the quarantined items and I have 4 items relative to ZeroAccess and with the date/time I first came across the virus (1 October). The first (oldest) of these lines looks like this:

@     ZeroAccess!cfg     01/10/2012     17:21

Clicking on the "+" sign I see a path to C:\$Recycle.Bin\(string of numbers)

The second line is looks like this:

N     ZeroAccess     01/10/2012     17:21

The path is the same as the previous line

There are two more of such lines, one labelled with @ and one with N, but pointing to a different file (folder?) in the recycle bin.

What do you think this means?

0 Kudos
Reply
Peacekeeper
MVP
Report Inappropriate Content
Message 7 of 7
‎10-12-2012 01:54 PM

Re: Managed to remove ZeroAccess.hg trojan

Time to clean the recycle bin maybe. Also Delete them from quarantine area.

0 Kudos
Reply

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community


Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA

Consumer Support   |   Enterprise Support   |   McAfee.com

Legal   |   Privacy   |   Copyright © 2020 McAfee, LLC