78 Replies. Latest reply: Oct 24, 2011 6:01 PM by beagle123. Branched to a new discussion.
      • 30. Re: Help... Artemis!56C9EF26F88B
        Vinod R

        Sorry to hear that your issue could not be resolved in a timely fashion by us. For the firewall issue: is it the McAfee firewall that is non-functional, or the Windows firewall?

         

        If it's the McAfee firewall, please log in to mvt.mcafee.com, run the tool, reboot and update us on the thread about the issue.

         

        Regarding the 64-bit OS not being supported by the new tool: the same has been escalated to the engineering team, as Sam had indicated. Either Sam, Vinoo or I will update you as and when we get details on the same.

         

        64-bit OS was supposed to be near impenetrable; however, this infection has proved otherwise, which is probably the reason why the tool did not have the option to work on 64-bit OS.

        • 31. Re: Help... Artemis!56C9EF26F88B
          rags

          Sorry to hear that your issue could not be resolved in a timely fashion by us. For the firewall issue: is it the McAfee firewall that is non-functional, or the Windows firewall? If it's the McAfee firewall, please log in to mvt.mcafee.com, run the tool, reboot and update us on the thread about the issue. Regarding the 64-bit OS not being supported by the new tool: the same has been escalated to the engineering team, as Sam had indicated. Either Sam, Vinoo or I will update you as and when we get details on the same. 64-bit OS was supposed to be near impenetrable; however, this infection has proved otherwise, which is probably the reason why the tool did not have the option to work on 64-bit OS.

           

          It's both. Windows Error 1068: "The dependency service or group failed to start". Under Control Panel > Windows Firewall, the "Use recommended settings" button gives the error: "Windows can't change some of your settings." Error code: 0x8007042c.

           

          Oh yeah, I'm 64-bit too. Waiting.....

           

          Message was edited by: rags on 10/4/11 5:56:34 PM CDT

           

          Message was edited by: rags on 10/4/11 6:28:36 PM CDT
          • 32. Re: Help... Artemis!56C9EF26F88B
            moukie

            Apologies for the issue not being resolved in a timely manner have no merit. I am not the first to complain about this issue. McAfee knew of this problem MONTHS ago (there are discussions back in July about this issue). Just admit that McAfee has failed in their attempt to resolve this for their consumers.

            I ran the McAfee Virtual Technician, rebooted as instructed, and it could not fix the problem. The Windows Firewall is down also.

             

            The report stated: Some problems could not be fixed.
                Personal Firewall – McAfee Security Center 12.0.344
                Problem: Service not running.
                Session ID: 35454122

            • 33. Re: Help... Artemis!56C9EF26F88B - ZeroAccess
              dmeier

              There are a number of posts indicating issues cleaning FakeAV and ZeroAccess infections. Please understand these are not all caused by the same file, but rather by variants of a particular family of malware.

              From some of the Artemis detections mentioned thus far, it's clear that we have some very new strains of FakeAV.

               

              It's important that we remove the FakeAV and DNSChanger infections before we attempt to remove ZeroAccess.

               

              We've seen FakeAV bring in a number of other pieces of malware, including the most technically advanced rootkit known at this time, ZeroAccess (MAX++). Cleaning this is no trivial process, and as you all have outlined, our cleaner for ZeroAccess is limited to 32-bit for now, but will be updated ASAP. However, we do not have to wait for this.

               

              There are several steps we have to progress through to get your systems cleaned up. It's not easy, and it will take time, but for those that persevere, it will avoid a re-image of your system.

              Informative tidbits:

              • The detection Artemis!56C9EF26F88B is now called "DNSChanger!fa" in DAT 6489. There are a few hash-specific VILs, like this one in the Threat Intelligence site.
              • The detection Artemis!8E57E8B69F2 seems to be a character short, so I'm not able to pull any info about it.
              • Information about ZeroAccess can be found HERE. The instructions should work for 32-bit as well as 64-bit.
              • Seeing these Artemis detections tells us that these are VERY new variants of known malware families. This means there could very well be completely undetected variants as well. As hard as we work to collect samples, no AV vendor, including McAfee, is able to detect 100%. With that said, we need your help submitting undetected malware, so we can prevent reinfections not only for you, but for other users as well.

               

              For the below steps, it's helpful to have a USB drive with these tools on it:

              • GMER, available HERE
              • GetSusp, available HERE
              • Latest BETA dats, available HERE
              • Latest build of Stinger, available HERE for FakeAV version, and HERE for normal weekly version.
              • Copy of Sigcheck, available HERE.
              • A clean installer of your currently installed McAfee product.

              Also, it's a good idea to have a copy of CleanBoot burned to CD, in case our efforts in SafeMode are not successful. Available HERE.

               

              First, we must remove any companion malware (malware that could be dropping the ZeroAccess rootkit, and also terminating scanning tools) to allow the RootkitRemover to work.

               

              Booting to a CD is the best way to ensure that malware is not loaded into memory, where it makes detection most challenging. However, let's see if we can tackle it strictly from Safe Mode, as it's far more user-friendly.

               

              1. Reboot into SafeMode.

              2. Run "MSCONFIG" (click Start > Run). On the General tab, select the third option, "Selective Startup", then uncheck the box "Load Startup Items".

              3. Reboot into normal mode.

              4. Run RootkitRemover, and ensure it detects and cleans.

                              a. If you are on a 64-bit system, skip down to "64bit O.S.".

              5. If it detects ZeroAccess, then reboot and run a full scan of the system, first using the Stinger(s) and then your local McAfee product. Often, the permissions on the McAfee folder are modified by the malware and require manual correction:

              • Right-click the parent folder of the affected files and choose Properties.
              • In the window that opens, choose the Security tab.
              • Click Advanced.
              • There will be two checkboxes below the list of permissions. If the checkbox for Inherit Parent's Permissions is checked, uncheck it.
              • Check the Inherit box again to inherit permissions from the parent folder.
              • Check the box to copy permissions to child objects. This will replace the permissions that were removed by the malware.

              6. You should now repair/reinstall your AV product, update your dats, and run a full system scan.

              7. If further detections are made, you should now be able to revert the step we made in #2 by doing the following:

              • Run "MSCONFIG" (click Start > Run). On the General tab, select the third option, "Selective Startup", then check the box "Load Startup Items".
              • Reboot.

               

              8. If no further detections are found but you still have malicious behavior, then there could still be malware on the system, and it will require additional work to identify. Using GetSusp is a good first step in identifying undetected malware. Using the Virus Removal Service might be a reasonable next step, but feel free to post back here first.

               

               

              64bit O.S.: For 64-bit systems, we need to manually repair the infected .sys file. (Steps taken from the VIL available for ZeroAccess.a)

               

              Manual Remediation steps:

              The malicious code is loaded by the patched system driver. In order to clean the system manually, it is necessary to identify the malicious .SYS file and replace it with a good copy from installation media.

              In order to identify which system driver was replaced, the user is going to need the following tool:

               

              GMER: http://www.gmer.net/

               

              1. First of all, the machine must be disconnected from the internet to avoid reinfection, in case any other malware is downloading and installing ZeroAccess or other pieces of malware.

               

              2. Execute GMER, and uncheck these four options: "Modules, Processes, Threads, Files".

               

               

              http://vil.nai.com/images/562354_1.png

              3. Then right-click in the main window, select "Options", then enable "IRP Hooks".

               

              4. Start the rootkit scan and wait for it to finish.

               

              5. If the system is infected, GMER will show the name of the patched .SYS file, as shown in the YELLOW circle above. Take note of this name.

               

              6. Look in the following folder and search for a file with the same name as noted above: %SYSTEMROOT%\ServicePackFiles\i386

               

              7. If there is a copy of the file in the folder above, copy it to the root of drive C:. It will be needed later.

               

              8. If the file is not present in the folder above, it will be necessary to copy the file from installation media, or from another machine with the same Windows version and language.

               

              9. Boot the infected machine with clean boot media like McAfee CleanBoot, BartPE or Hiren's Boot CD.

               

              10. From the clean boot, copy the file that was stored in the root folder above to the location of the patched system driver.

              ex: copy c:\mrxsmb.sys c:\windows\system32\drivers\mrxsmb.sys

               

              11. Reboot the system in Safe Mode and log in as the Administrator user.

               

              12. Execute the CSSCAN command-line tool using the Beta DATs to remove any Trojan or infected file from the system:

              a. VSE 8.7: "C:\Program Files\McAfee\VirusScan Enterprise\csscan.exe" -All -Unzip -Program -Analyze -Sub -Clean -Log c:\scan-rpt.txt C:\

               

              b. VSE 8.8: "C:\Program Files\Common Files\McAfee\SystemCore\csscan.exe" -All -Unzip -Program -Analyze -Sub -Clean -Log c:\scan-rpt.txt C:\

               

              c. Other McAfee product users: please use the following standalone tool, Stinger.

              In order to use the Stinger tool, please make sure the targets "Processes" and "Registry" are disabled and the interface option "List of all files scanned" is enabled in Stinger before scanning the infected machine.

              http://vil.nai.com/images/562354_4.png

              13. Reboot the system normally.

              14. Run GMER again to confirm that no malicious threads or patched files exist anymore.

               

               

              I'll evolve this post with your constructive feedback, and work to make it as effective as possible.  As with many malware infections, they can be unpredictable, and in some cases require the direct intervention of a malware expert. In such cases, we recommend you reach out to support to ensure your system is cleaned properly.

               

              David Meier

              Lead Field Engineer - McAfee Labs

               

              on 10/4/11 6:50:20 PM CDT
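As an added example (not code from this thread or from McAfee), the following PowerShell check automates the "find the patched driver" part of steps 5 to 8 above from the defender's side: it hashes every installed .sys file against a known-good copy from the ServicePackFiles\i386 folder the post names (or any other trusted copy, via -KnownGoodDir) and records each driver's Authenticode status for follow-up with Sigcheck. It assumes Windows PowerShell 2.0 or later, an elevated prompt and the standard Windows paths; a mismatch is a lead, not proof, since a hotfix may legitimately have updated a driver, and older PowerShell reports catalog-signed Microsoft drivers as NotSigned.

```powershell
# Added example, not code from the thread or from McAfee. Compares the installed
# driver set against known-good copies and reports each driver's signature status.
# Assumes Windows PowerShell 2.0+ and the standard paths; run from an elevated prompt.
function Get-FileSha256 {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $stream.Close()
    }
}

function Test-DriverIntegrity {
    param(
        [string]$DriverDir    = (Join-Path $env:SystemRoot 'System32\drivers'),
        [string]$KnownGoodDir = (Join-Path $env:SystemRoot 'ServicePackFiles\i386')
    )
    Get-ChildItem -Path $DriverDir -Filter '*.sys' -ErrorAction SilentlyContinue | ForEach-Object {
        $installed = $_.FullName
        $reference = Join-Path $KnownGoodDir $_.Name
        $sig = Get-AuthenticodeSignature -FilePath $installed

        # $null means no reference copy exists (driver came from a hotfix or a third party)
        $hashMatch = $null
        if (Test-Path $reference) {
            $hashMatch = (Get-FileSha256 $installed) -eq (Get-FileSha256 $reference)
        }
        $signer = ''
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

        New-Object PSObject -Property @{
            Driver     = $_.Name
            Signature  = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            Signer     = $signer
            HashMatch  = $hashMatch
            # Only a mismatch against a known-good copy is treated as evidence of patching;
            # signature status is reported for follow-up with Sigcheck, not used to flag.
            Suspicious = ($hashMatch -eq $false)
        }
    }
}

# List the drivers that differ from their known-good copy; a patched driver such as
# the mrxsmb.sys example in the post would appear here.
Test-DriverIntegrity | Where-Object { $_.Suspicious } |
    Format-Table Driver, Signature, HashMatch, Signer -AutoSize
```

Run it before and after the clean-boot replacement in step 10: the patched driver should disappear from the list once the copy from step 7 has been restored.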
              • 34. Re: Help... Artemis!56C9EF26F88B - ZeroAccess
                rags

                Re: Help... Artemis!56C9EF26F88B - ZeroAccess There are a number of posts indicating issues cleaning FakeAV and ZeroAccess infections. Please understand these are not all caused by the same file, but rather by variants of a particular family of malware. From some of the Artemis detections mentioned thus far, it's clear that we have some very new strains of FakeAV. It's important that we remove the FakeAV and DNSChanger infections before we attempt to remove ZeroAccess. We've seen FakeAV bring in a number of other pieces of malware, including the most technically advanced rootkit known at this time, ZeroAccess (MAX++). Cleaning this is no trivial process, and as you all have outlined, our cleaner for ZeroAccess is limited to 32-bit for now, but will be updated ASAP. However, we do not have to wait for this.

                 

                You have GOT to be kidding!!!!!!! You want me to do ALL this and take another 5 hours out of my life? I DON'T THINK SO... I'll wait for your automatic fix until this weekend and then, if you don't have a "click to fix" or do it "internally with an Update", I'll crapcan McAfee altogether and move on....... UGH!!!!!!!!!!!!!!!!!!!!!!!!!

                • 35. Re: Help... Artemis!56C9EF26F88B - ZeroAccess
                  beagle123

                  There are links to many tools, but I don't see one for the Rootkit Remover.  Where do we get that?

                  • 36. Re: Help... Artemis!56C9EF26F88B - ZeroAccess
                    jdl

                    so... after trying the manual multi-step clean up, I'm now adding

                     

                    DNSChanger!fa

                     

                    to the list of trojans being found.  I've downloaded tools, gone through manual sweeps, and it's worse????

                    • 37. Re: Help... Artemis!56C9EF26F88B - ZeroAccess
                      lozah
                      • The detection Artemis!8E57E8B69F2, seems to be a character short, so I'm not able to pull any info about it.

                      The file is Artemis!8EA57E8B69F2

                      It was found on my computer at C:\windows\assembly\tmp\kwrd.dll

                       

                      As I said previously, when I tried to click on 'submit to McAfee' for the files in quarantine, it tells me there is an error.

                       

                      Yesterday GMER wouldn't work for me... unless it has changed in the last 24 hours, I doubt it will work properly now (go back and read my posts about it). However, when I have a few spare hours available tomorrow, I will try to go through all the steps you've listed above...

                      • 38. Re: Help... Artemis!56C9EF26F88B - ZeroAccess
                        dmeier

                        @lozah - we have a copy of that file, and I'll make sure it gets classified today. It will take a couple of days to reflect in the full DATs. In the meantime, the Artemis detections will prevent it from doing any damage. The problem is what is dropping that file; that's what is still infected. You might need to boot from a boot CD and run a full scan. Let me know if you need help with that.

                         

                        @jdl - The Artemis detection you were first getting has simply been renamed (classified) to DNSChanger!fa, so you're as bad off as you were, no worse.

                         

                        @Beagle123 - I had linked to the site where it was linked. That's no help, so here's the proper direct link to RootkitRemover: http://vil.nai.com/images/562354_2.zip

                         

                        @rags - Please PM me, I'd like to speak to someone such as yourself.

                         

                        @Carolyn Hannibal - Please PM me.

                        • 39. Re: Help... Artemis!56C9EF26F88B - ZeroAccess
                          havasulover75

                          Amazing how I can't even get help from McAfee online!!! I tried to get a boot disc and I couldn't even get that from them. They escalated my call and said I would get a call from them tomorrow! I would just like to have my computer back to normal. If you see my previous posts you will see what I have encountered with this Open Cloud Security virus. I have tried the rootkit remover but I need 64-bit. I have also tried GMER but it would not allow me to check the top boxes (see previous post). I feel as if I should change to another company for virus protection. I am extremely frustrated by this. I just spent over an hour in a chat box, then went back online with the infected computer, all for them to tell me that they can't help....now 2 hours later....no help....no boot disc! Who's helping at McAfee????!!!!
