I was recently attacked by zeroaccess which disabled McAfee realtime scanning. I managed to do a cleanup using malwarebytes and did a system restore to a point well before the attack, which obviously made me very happy. During this I reinstalled McAfee. The computer is symptom free at the moment and in fact the only way that I know it was zeroaccess is because I have just yesterday found that McAfee has quarantined 5 zeroaccess files. However, it will not delete them using the panel you access from the navigation panel. Is there a trick to this, or can zeroaccess not be deleted in this way?
The other interesting point here is that the files were quarantined after I had fixed the problem, in fact it seems to coincide with a scan I did with Avast! in safe mode during which McAfee started to get the same symptoms as before (it resumed normal operations when I rebooted into normal mode). During this scan Avast! found 7 files that started with $.recycle.bin, two of which a sophos scan eradicated (identified as zeroaccess parts). I have scanned with various recommended programs to try and make sure any virus or rootkits I did have are gone and they all come up negative. Is it possible that the Avast! scan in safe mode accessed an old McAfee quarantine file and allowed the virus out briefly? I do not think it is a coincidence that Avast! now sees 5 threats, and McAfee has 5 quarantined files.
So, is there any way to get rid of what appears to be the last lingering parts of this attack? If it helps I am using 64 bit windows 7.
Thanks a lot.
It probably won't delete because the System Restore may have corrupted the files, as strictly speaking, they would no longer exist. You can delete the contents of the Quarantine folder in another way:
First double-click the taskbar icon to open SecurityCenter
Click Navigation (top right)
Click General Settings & Alerts (left)
Click Access Protection to expand that section
Uncheck Access Protection and click Apply
Leave SecurityCenter open on your desktop because you should re-enable Access Protection after the following steps.
Open any internal page such as Computer, Control Panel or Documents and go to Tools on the top Menu Bar, then go to Folder Options and click the View tab
Look for the 'Hidden Files and Folders' item, and check the item 'View Hidden Files and Folders' if not already checked and click Apply and OK
Go to C:\ProgramData\McAfee\VirusScan\Quarantine and click Edit/Select All
Click Shift and Delete simultaneously and the folder should empty.
Take care to delete only the contents of that folder, not the folder itself.
Re-enable Access Protection as mentioned above and click Apply and then exit SecurityCenter.
Those instructions are for Vista/Windows 7.
For XP the folder is found at: C:\Documents & Settings\All Users\Application Data\McAfee\Virusscan
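The same clean-out done from an elevated PowerShell prompt on Vista/Windows 7, as an added example that is not part of the original post: it assumes the default quarantine path quoted above and that Access Protection has already been unchecked in SecurityCenter (the script cannot do that step), and it deletes the contents only, never the folder.

```powershell
# Added example, not from the forum post. Run elevated on Vista/Windows 7
# AFTER Access Protection has been unchecked in SecurityCenter.
# Assumes the default quarantine location given in the post.
$Quarantine = Join-Path $env:ProgramData 'McAfee\VirusScan\Quarantine'

if (-not (Test-Path -LiteralPath $Quarantine)) {
    Write-Warning "Quarantine folder not found: $Quarantine"
    return
}

# -Force includes hidden and system files, which is what the quarantine holds;
# @() keeps .Count working when there is only one item.
$items = @(Get-ChildItem -LiteralPath $Quarantine -Force)
Write-Host ("{0} item(s) in {1}:" -f $items.Count, $Quarantine)
$items | Select-Object Name, Length, LastWriteTime | Format-Table -AutoSize

# Delete the contents only, never the folder itself. Remove-Item bypasses the
# Recycle Bin, which is the equivalent of Shift+Delete in Explorer.
foreach ($item in $items) {
    Remove-Item -LiteralPath $item.FullName -Recurse -Force -ErrorAction Continue
}

# Verify: the folder must still exist and now be empty.
$remaining = @(Get-ChildItem -LiteralPath $Quarantine -Force).Count
if ((Test-Path -LiteralPath $Quarantine) -and $remaining -eq 0) {
    Write-Host "Quarantine folder emptied; folder retained."
} else {
    Write-Warning "$remaining item(s) could not be removed; re-check Access Protection."
}
```

If items remain, Access Protection is usually still on; re-check it in SecurityCenter rather than forcing the delete.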
Thanks, that explanation makes me happy as it means my computer is probably as clean as it feels. I will give that a go tonight and let you know how it goes.
On a slightly different note: the system restore point I used was well over a month before the infection showed symptoms. Do you know if that is long enough? I know some viruses can wait a little while before they get going. It seemed to start with a fake Adobe update when I opened a PDF (I fell for it, but only on the second attempt - it really seemed genuine) but I am a little bit worried that it was resident before that point from reading some other posts on zeroaccess. I also read something about not being totally safe until I do something to system restore to eradicate the point I restored from, but I do not know when that applies (or if it was just wrong).
Thanks again for the reply. I really appreciate it. I think I have been stressing out trying to clean a non-infected machine, but that's better than the other way around.
I think the effects of zeroaccess are pretty much immediate so I would imagine you are OK. If you want to you could post a Hijackthis log as instructed lower down the last link in my signature. There are specialist forums mentioned there who will tell you if anything continues to be a threat.
Don't forget to update Windows, all parts of it including Internet Explorer and any add-ons, even if you use another browser. Also make sure your drivers, software including McAfee etc. are up to date.
Thanks for the advice. Updating was the first thing I did after restoring and making sure McAfee was OK, I knew it was important but I will admit I had not appreciated how important until I really started reading up on this stuff. I will double check that everything is updated, but on that computer everything is usually left as automatic. Adobe may be a little bit out of date because I am quite scared of clicking 'yes' for its updates now (I got fooled by a fake Adobe installer in order to contract this virus). I will just have to suck it up and do it from inside the suite itself.
I forgot one last thing. If you are definitely OK then I would temporarily disable System Restore so that the infected restore points get deleted.
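The off-and-on-again step done from an elevated PowerShell prompt on Windows 7, as an added example that is not from the original post: turning System Protection off for a drive discards every restore point on it, so the script lists what exists, disables and re-enables protection on the system drive, verifies nothing survived, and then takes a fresh known-clean restore point. It assumes the system drive is C: and uses the built-in System Restore cmdlets, which take effect without a reboot.

```powershell
# Added example, not from the forum post. Run from an elevated PowerShell
# prompt on Windows 7. Assumes the system drive is C: ($env:SystemDrive).
$Drive = "$env:SystemDrive\"

Write-Host "Restore points before:"
Get-ComputerRestorePoint |
    Format-Table SequenceNumber, Description, CreationTime -AutoSize

# Disabling System Restore on a drive discards all restore points stored on it,
# including any that still contain the infected files.
Disable-ComputerRestore -Drive $Drive

# Re-enable straight away so new restore points are created again.
Enable-ComputerRestore -Drive $Drive

# Verify that nothing old survived before creating a clean baseline.
$left = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue).Count
if ($left -ne 0) {
    Write-Warning "$left restore point(s) still present; check System Protection settings."
} else {
    # Fresh point taken from the machine in its current, cleaned state.
    Checkpoint-Computer -Description "Clean baseline after ZeroAccess cleanup" `
                        -RestorePointType MODIFY_SETTINGS
    Write-Host "Restore points after:"
    Get-ComputerRestorePoint |
        Format-Table SequenceNumber, Description, CreationTime -AutoSize
}
```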
Thanks for that, I had forgotten about the system restore question. I like having system restore on (it saved my bacon here after all!), so do I turn it off then turn it on again, or do I need to restart the computer between?
Thanks, I just did the manual delete of the quarantined files and they are properly gone. Avast is still picking up 5 rootkits when I run it in safe mode though. They all start with $.recycle.bin, for example:
Is it possible that this is the nasty buried in the infected system recovery file? If not is there something McAfee can do, or is it time to go to one of the other forums you mentioned above? If so do you have any advice as to which one would be best for me? Thanks again for helping me with the quarantined files.