Re: ZeroAccess Trojans! Help! desktop.ini

After some research, I understood that I had a browser hijacker on my computer.

Last week, after an automatic update, Microsoft Security Essentials detected trojan medfos.b on my system and quarantined it. This was not detected by McAfee Security Center.

I still had the Google hijacker on my system, so I ran the following in safe mode:

  • Rootkit remover
  • McAfee Security Center
  • Malwarebytes

Did some research and found an article on Microsoft's website re: medfos.b. Determined that Mozilla Safe Browsing 2.0.14 extension was responsible for the Google redirect. Disabled the extension. Located the file(s)

"chromeupdate.crx" in the %LOCALAPPDATA% folder and deleted it. Also deleted %LOCALAPPDATA%\(random CLSID)\chrome\content\browser.xul.

Deleted information from personal history in Firefox and uninstalled the program. Manually removed files that are left behind in uninstall. Installed clean version of Firefox.

My web searches are no longer being redirected. Desktop icons still rearrange themselves upon reboot. Also note that web pages often take considerable time to load, so I am suspicious that the computer is infected.
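The two on-disk artifacts named in the post above (a `chromeupdate.crx` in `%LOCALAPPDATA%` and a `chrome\content\browser.xul` inside a randomly named CLSID folder) can be checked for without deleting anything by hand. The following PowerShell script is an added example, not code from the thread or from McAfee; it assumes the CLSID folder is named as a GUID with or without surrounding braces, and it only reports and hashes what it finds so the results can be handed to the AV vendor or the forum:

```powershell
# Added example (not from the original thread): read-only check for the
# Medfos-related artifacts the poster described under %LOCALAPPDATA%.
# It lists matches and computes SHA-256 hashes; removal is left to the
# operator or the AV tooling so nothing is deleted on a false positive.
$local    = $env:LOCALAPPDATA
$findings = @()

# 1. The dropped extension package named in the thread.
$crx = Join-Path $local 'chromeupdate.crx'
if (Test-Path -LiteralPath $crx) {
    $findings += [pscustomobject]@{ Indicator = 'chromeupdate.crx'; Path = $crx }
}

# 2. A GUID/CLSID-named folder carrying a Firefox overlay file
#    (chrome\content\browser.xul). Braces are optional here; that the
#    folder name is a bare or braced GUID is an assumption of this example.
$clsidPattern = '^\{?[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?$'
Get-ChildItem -LiteralPath $local -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $clsidPattern } |
    ForEach-Object {
        $xul = Join-Path $_.FullName 'chrome\content\browser.xul'
        if (Test-Path -LiteralPath $xul) {
            $findings += [pscustomobject]@{ Indicator = 'CLSID folder with browser.xul'; Path = $xul }
        }
    }

if ($findings.Count -eq 0) {
    Write-Output "No Medfos-style artifacts found under $local"
} else {
    $findings | Format-Table -AutoSize
    # Hashes are what an AV vendor needs to confirm or add a detection.
    $findings | ForEach-Object { Get-FileHash -Algorithm SHA256 -LiteralPath $_.Path }
}
```

Run it from an elevated PowerShell prompt in the account that shows the redirect, since `%LOCALAPPDATA%` is per-user; a clean result for the administrator account says nothing about the affected profile.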

Reliable Contributor Hayton

Re: ZeroAccess Trojans! Help! desktop.ini

I saw the blog about this in Microsoft's Malware Protection Center ('Medfos, hijacking your daily search') but understood that Mozilla had already taken measures to block the extension being added to Firefox. I was wrong, I think : they're still grappling with some of the details.

[Image: "Blocked Add-ons -- Add-ons for Firefox"]

It doesn't only affect Firefox, there will be hooks into whatever other browsers you've got.

The best way to deal with it is probably to take the advice offered in the blog and run the Malicious Software Removal Tool

http://www.microsoft.com/security/pc-security/malware-removal.aspx

This has been known by McAfee since 25 August (if the identification is the same : Medfos.t but corresponds to Microsoft's Medfos.b) so I'm surprised that a normal scan doesn't remove it. Perhaps the malware has been modified in some way. See the 'Characteristics' section of http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=1435835

Message was edited by: Hayton on 16/10/12 03:08:42 IST
