ZeroAccess Trojans! Help! desktop.ini

I've got 5 zeroaccess trojans in my computer and I can't remove them! They're all located in the destination: C:\Windows\Assembly\GAC_32\Desktop.ini

So far I have run:

- 6x Full scans - McAfee Security Center (Detected them, couldn't remove)

- 3x Scan - FixZeroAccess - Symantec (Didn't detect anything)

- 3x Scan - Rootkit remover - McAfee (Didn't detect anything)

- 1x Full scan - MalwareBytes (In Progress)

- 1x Full scan - Stinger (4 Detected, 1 removed)

- 1x Full scan - HitmanPro (In progress [21%] 81 Tracking cookies found, 2 Malware files in C:\Users\Brad\AppData\Local\Temp)

I don't think that Malware/HitmanPro will find/remove all of the trojans so I need help, what do any of you suggest?

11 Replies
Reliable Contributor Peacekeeper
Message 2 of 12

Re: ZeroAccess Trojans! Help! desktop.ini

So are these all different variants? HitmanPro should pick the last 1 up.

If it does not, I would rerun Stinger after a new download and see if the daily update fixed the last 1. Also maybe ask on a HijackThis forum such as mentioned here

McAfee Communities: Anti-Spyware, Malware & Hijacker Tools

Also read this thread

https://community.mcafee.com/message/244908#244908

Message was edited by: Peacekeeper on 29/09/12 7:01:34 PM

Re: ZeroAccess Trojans! Help! desktop.ini

I'm in a similar situation.

Unable to restore my computer to a previous date, even in safe mode.

ZeroAccess Rootkit finds nothing.

Stinger (most recent version available , build date 9/28/12) finds nothing.

McAfee Security Center pops up a very similar message twice about 5 minutes after booting up; same location in message.

Willowdzn, let me know if you have resolved this.

Reliable Contributor Hayton
Message 4 of 12

Re: ZeroAccess Trojans! Help! desktop.ini

ZeroAccess isn't easy to get to grips with, partly because it keeps morphing. It's also taken to hiding files inside C:\Recycler as hidden system files. I'm studying a load of reports from Sophos, McAfee, Trend Micro and ESET and trying to summarise what the latest variants are doing. In another thread sol, who's had to tackle this one, came up with some good recommendations but they're not enough. To complicate matters the ZeroAccess code has recently had a major upgrade which changes the way it operates.

Stinger is supposed to handle the latest versions of ZeroAccess but perhaps you've got yet another modified version.

The only consolation I can offer is that at the moment the botnet operators (ZeroAccess enrols you in a mega-botnet) are just using their slave machines for a bit of click-fraud and Bitcoin mining. If they had a mind to pillage data from machines they'd be sitting on terabytes of the stuff. And if they wanted to bring down a major government's internet-facing servers with a DDoS attack they could do it easily. But, so far, they're content simply to rake in a nice steady income from the botnet.

When I've got the details of what files you have to get rid of and what else needs to be done I'll post something either in the documents section or as a blog, probably in Top Threats (where I think all the ZeroAccess posts should now go). There's a McAfee document HERE which I managed to persuade them to update back in July but which already may be somewhat out of date.

Message was edited by: Hayton on 30/09/12 06:11:36 IST

Re: ZeroAccess Trojans! Help! desktop.ini

Last night I ran a full scan with Malwarebytes Anti-Malware; log is below:

Malwarebytes Anti-Malware 1.65.0.1400

www.malwarebytes.org

Database version: v2012.09.07.13

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

Audrey :: AUDREYOFFICE [administrator]

9/30/2012 12:42:41 AM

mbam-log-2012-09-30 (00-42-41).txt

Scan type: Full scan (C:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 322577

Time elapsed: 34 minute(s), 24 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 3

HKCR\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\InProcServer32| (Trojan.0Access) -> Bad: (C:\RECYCLER\S-1-5-21-1292428093-1757981266-725345543-1003\$9723779f978d8a25afee7c54eaf8737a\n.) Good: (fastprox.dll) -> Quarantined and repaired successfully.

HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 0

(No malicious items detected)

Files Detected: 3

C:\Documents and Settings\Audrey\My Documents\Downloads\expertpdf7_d165419.exe (PUP.BundleOffers.IIQ) -> No action taken.

C:\Documents and Settings\Audrey\My Documents\Downloads\openfreely.exe (PUP.BundleOffers.IIQ) -> No action taken.

C:\RECYCLER\S-1-5-21-1292428093-1757981266-725345543-1003\$9723779f978d8a25afee7c54eaf8737a\n (Trojan.0Access) -> Delete on reboot.

(end)

McAfee Security Center no longer detects any malicious items; however, my computer is still infected. Telltale signs right now are that desktop icons realign themselves to the left side of the screen on reboot. Also, Google links randomly go to a sales-oriented website on the first click. Detailed example:

1. Entered "malwarebytes quarantined files" in Google search engine.

2. Google search page, first item "restart after quarantined files deleted - Malwarebytes Forum"

3. Clicked hyperlink above; taken to https://fix-kit.com/Malwarebytes/repair/7s-malwarebytes/?als=00014

4. Clicked browser (Firefox) back button.

5. Clicked on hyperlink again and taken to correct website https://forums.malwarebytes.org/index.php?showtopics=114163

I don't know how else my computer is being affected, but distrust things right now. Given the age of my computer, it does not make sense to reinstall the OS (plus I no longer have the office suite software disks), so I've got my hands tied right now.

Message was edited by: audrey_m on 9/30/12 12:14:41 PM CDT

Reliable Contributor Peacekeeper
Message 6 of 12

Re: ZeroAccess Trojans! Help! desktop.ini

Rerun Malwarebytes after the reboot; it may remove more since it required a reboot. Seems you have the new version with recycler files present as Hayton mentioned.

I would retry Stinger and HitmanPro in a day or so.

Re: ZeroAccess Trojans! Help! desktop.ini

Update:

I reran Malware and it did pick up a few more files, but I still had problems with a browser hijacker in both Firefox and IE.

Stinger detected nothing. The event log reads "Process **\STINGER.EXE pid (5180) contained unsigned or corrupted code and was blocked from performing a privileged operation with a McAfee driver."

Ran SpyHunter. Trojan.Dallarrevenue detected, along with many other malware files, all in IE cookies. Completely cleared browser caches of cookies & temporary internet files. System appears to be working properly now.

Thought that cookies had been previously deleted, but did it another way.

Reliable Contributor Hayton
Message 8 of 12

Re: ZeroAccess Trojans! Help! desktop.ini

The Event log entry can be ignored for now. The "unsigned code" thing is in the process of being corrected but after the disaster of the last Big-Bang approach it's being done piecemeal.

The presence of malware in cookies is interesting, it may be a novel approach (or I may have overlooked it in previous infections). I'll bear that in mind for the future.

When you have a persistent piece of malware like ZeroAccess you often need several attempts with different programs to get rid of all the traces. Your system may be clean now - but at least it's working properly, as you say.

Next time you run Malwarebytes turn on P2P checking - it's turned off according to the output. I think 'Off' is the default but you might miss something if it's not enabled.

Re: ZeroAccess Trojans! Help! desktop.ini

Try using Rootkit remover from McAfee. It will remove ZeroAccess Rootkit from your machine. Make sure you run it in Safe Mode.

Link : http://www.mcafee.com/us/downloads/free-tools/rootkitremover.aspx

Let me know if you have already tried this tool.

Reliable Contributor Hayton
Message 10 of 12

Re: ZeroAccess Trojans! Help! desktop.ini

Duplicate post removed and thread moved into Top Threats
