I'm posting my recent experiences with a trojan which I eventually managed to remove (at least, that's my hope).
I am using McAfee Internet Security 11.6. A few days ago I mindlessly ran a suspicious program downloaded from the Internet which contained a trojan.
When I ran the program McAfee reported it as infected but evidently did NOT prevent the trojan from running and installing itself (disappointing).
Since then the McAfee firewall started turning itself off every 10 minutes or so. I performed a full system scan with McAfee but the system was found clean.
Even when explicitly scanning (right-click on the file name, Scan) the original infected executable McAfee said it was clean.
I uploaded the executable to www.virustotal.com and here are the results:
AntiVir BDS/ZAccess.yrh.1
Avast Win32:ZAccess-JH
BitDefender Trojan.Agent.AWXR
Comodo TrojWare.Win32.Trojan.Agent.Gen
DrWeb Trojan.DownLoader6.62544
ESET-NOD32 Win32/Sirefef.EV
F-Secure Trojan.Agent.AWXR
Fortinet W32/ZAccess.YRH!tr.bdr
GData Trojan.Agent.AWXR
K7AntiVirus Backdoor
Kaspersky Backdoor.Win32.ZAccess.yrh
Kingsoft Win32.Troj.Agent.cg.(kcloud)
McAfee ZeroAccess.hg
Microsoft Trojan:Win32/Sirefef.P
Norman W32/ZAccess.PDF
nProtect Trojan.Agent.AWXR
Panda Trj/CI.A
Sophos Mal/EncPk-ACO
Symantec WS.Reputation.1
VIPRE Trojan.Win32.Generic!BT
ViRobot Backdoor.Win32.A.ZAccess.165888.X
I then downloaded and scanned my system (all files for each scan, it's taken ages!) with these programs (the latest versions available):
McAfee RootKit remover
McAfee Stinger
Sophos Virus Removal Tool
Kaspersky TDSSKiller
SpyBot search and destroy
SpyHunter
Malwarebytes Anti-Malware
NONE of these programs found any infected file on my system, so this sucker of a trojan was hiding very well indeed!
I also tried scanning after rebooting Windows in Safe Mode (with or without networking) but nothing changed.
As a last resort I physically took the hard disk out of my laptop, used an external USB hard disk bay to access it from another computer and scanned it using F-Prot security. This scan didn't find anything either; however, I realised that several directories (including the directory where the original infected executable was) were not accessible from Explorer due to Windows' privacy controls, so this scan probably doesn't really count.
Eventually I found threads on the McAfee forums reporting similar problems; in one of the messages there is a link to this guide http://malwaretips.com/Thread-How-to-completely-remove-ZeroAccess-Sirefef-rootkit-Removal-Guide "How to completely remove ZeroAccess/Sirefef rootkit". I followed the instruction to the letter and (I think!) I managed to get rid of the flipping trojan.
Essentially I downloaded and executed EZ_SireFix.exe, ServicesRepair.exe and ComboFix.exe (following the instructions) and having done that the problem with the McAfee firewall turning off stopped.
I downloaded and ran HitmanPro and ESET Online Scanner, and neither of them found any problem on my system (for what it's worth).
Over the following week I didn't notice any suspicious behaviours in my computer so I assume it is clean.
That's interesting. When McAfee first detected the problem did it indicate action taken or that a reboot was required? I'm wondering if you had then rebooted into Safe Mode and run a scan whether that would have cleaned it out. (Safe Mode scans are different - you can only right-click the taskbar icon and select 'Run a Scan' and the SecurityCenter won't open).
The fact that none of those additional programs found anything would indicate that it had removed whatever it was, although now of course we can't be certain. But usually when it detects something it quarantines it immediately. Was or is there anything in the Quarantine folders?
Unfortunately I don't remember exactly what McAfee said when it encountered the Trojan. For sure it didn't give me any option to reboot & delete, or I'd certainly have selected that. I seem to remember it said that the threat had been removed, or something to that effect.
McAfee and all the other security programs failed to detect the Trojan even if the original infected executable (the one I sent to virustotal.com) was present in the system.
Open SecurityCenter
Click Navigation
Scroll down to Quarantined and Trusted Items
Click on those 'drawers' and see if anything is in there.
It is rather curious I must admit.
Thread moved into Top Threats
Hi, sorry for the late reply. I have checked the quarantined items and I have 4 items related to ZeroAccess, with the date/time I first came across the virus (1 October). The first (oldest) of these lines looks like this:
@ ZeroAccess!cfg 01/10/2012 17:21
Clicking on the "+" sign I see a path to C:\$Recycle.Bin\(string of numbers)
The second line looks like this:
N ZeroAccess 01/10/2012 17:21
The path is the same as in the previous line.
There are two more such lines, one labelled with @ and one with N, but pointing to a different file (folder?) in the recycle bin.
What do you think this means?
Time to clean the recycle bin maybe. Also Delete them from quarantine area.
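The quarantine entries above point into C:\$Recycle.Bin, which is where this infection stored its components. The following PowerShell triage script is an added example, not from this thread or from McAfee, that lists items under $Recycle.Bin which do not look like ordinary recycled files. It assumes the Vista-and-later layout (one folder per user SID containing $I<id>/$R<id> file pairs plus desktop.ini) and an elevated PowerShell 3.0 or newer session; the function name Get-RecycleBinAnomalies is the author's own.

```powershell
# Added example: list contents of C:\$Recycle.Bin that do not match the normal
# layout, so they can be hashed and checked rather than silently ignored by a scan.
# Assumed layout (Vista and later): C:\$Recycle.Bin\<SID>\$I<id>.<ext> (metadata),
# C:\$Recycle.Bin\<SID>\$R<id>.<ext> (content) and a desktop.ini per SID folder.
# Run from an elevated prompt; access errors on other users' folders are skipped.
function Get-RecycleBinAnomalies {
    param([string]$Root = 'C:\$Recycle.Bin')

    $anomalies = @()
    $topLevel = Get-ChildItem -LiteralPath $Root -Directory -Force -ErrorAction SilentlyContinue
    foreach ($sidDir in $topLevel) {
        # Only SID-named folders (S-1-5-21-...) are expected at the top level.
        if ($sidDir.Name -notmatch '^S-1-\d+(-\d+)+$') {
            $anomalies += [pscustomobject]@{ Path = $sidDir.FullName; Reason = 'Non-SID folder at top level' }
            continue
        }
        $items = Get-ChildItem -LiteralPath $sidDir.FullName -Force -Recurse -ErrorAction SilentlyContinue
        foreach ($item in $items) {
            if ($item.PSIsContainer) {
                # The recycle bin does not normally nest folders below the SID level.
                $anomalies += [pscustomobject]@{ Path = $item.FullName; Reason = 'Subdirectory inside a SID folder' }
            }
            elseif ($item.Name -ieq 'desktop.ini') {
                continue
            }
            elseif ($item.Name -notmatch '^\$[IR]') {
                $anomalies += [pscustomobject]@{ Path = $item.FullName; Reason = 'File not named $I*/$R*' }
            }
            elseif ($item.Extension -in @('.exe', '.dll', '.sys')) {
                # Recycled executables can be legitimate; report them so they get checked.
                $anomalies += [pscustomobject]@{ Path = $item.FullName; Reason = 'Recycled executable' }
            }
        }
    }
    return $anomalies
}

Get-RecycleBinAnomalies | Format-Table -AutoSize
```

Anything listed here can be submitted to a multi-engine scanner such as virustotal.com before emptying the recycle bin, so that the sample is not lost.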