27866 Views, 78 Replies. Latest reply: Oct 24, 2011 6:01 PM by beagle123
  • vinod_r2, McAfee Mentor, 3,126 posts since Feb 15, 2008
    30. Oct 4, 2011 5:32 PM (in response to moukie)
    Re: Help... Artemis!56C9EF26F88B

    Sorry to hear that your issue could not be resolved in a timely fashion by us. For the firewall issue: is it the McAfee firewall that is non-functional, or the Windows firewall?

    If it's the McAfee firewall, please log in to mvt.mcafee.com, run the tool, reboot, and update us on the thread about the issue.

    Regarding the 64-bit OS not being supported by the new tool, this has been escalated to the engineering team as Sam had indicated. Either Sam, Vinoo or I will update you as and when we get details on it.

    A 64-bit OS was supposed to be near impenetrable; however, this infection has proved otherwise. That is probably the reason why the tool did not have an option to work on a 64-bit OS.

    Regards
    VR
  • rags, Newcomer, 6 posts since Oct 2, 2011
    31. Oct 4, 2011 6:28 PM (in response to vinod_r2)
    Re: Help... Artemis!56C9EF26F88B

    It's both. Windows Error 1068: "The dependency service or group failed to start". Under Control Panel > Windows Firewall, the "Use recommended settings" button gives the error "Windows can't change some of your settings." Error code: 0x8007042c.

    Oh yeah, I'm 64-bit too. Waiting.....

    Message was edited by: rags on 10/4/11 5:56:34 PM CDT

    Message was edited by: rags on 10/4/11 6:28:36 PM CDT
  • moukie, Newcomer, 10 posts since Oct 3, 2011
    32. Oct 4, 2011 6:21 PM (in response to vinod_r2)
    Re: Help... Artemis!56C9EF26F88B

    The apology for the issue not being resolved in a timely manner has no merit. I am not the first to complain about this issue. McAfee knew of this problem MONTHS ago (there are discussions back in July about this issue). Just admit that McAfee has failed in their attempt to resolve this for their consumers.

    I ran the McAfee Virtual Technician, rebooted as instructed, and it could not fix the problem. The Windows Firewall is down also.

    The report stated:
        Some problems could not be fixed.
        Personal Firewall – McAfee Security Center 12.0.344
        Problem: Service not running.
        Session ID: 35454122

  • dmeier, McAfee SME, 100 posts since Nov 3, 2009
    33. Oct 4, 2011 6:50 PM (in response to lozah)
    Re: Help... Artemis!56C9EF26F88B - ZeroAccess

    There are a number of posts indicating issues cleaning FakeAV and ZeroAccess infections. Please understand these are not all caused by the same file, but rather by variants of a particular family of malware.

    From some of the Artemis detections mentioned thus far, it's clear that we have some very new strains of FakeAV.

    It's important that we remove the FakeAV and DNSChanger infections before we attempt to remove ZeroAccess.

    We've seen FakeAV bring in a number of other pieces of malware, including the most technically advanced rootkit known at this time, ZeroAccess (MAX++). Cleaning this is no trivial process, and as you all have outlined, our cleaner for ZeroAccess is limited to 32-bit for now, but will be updated ASAP. However, we do not have to wait for this.

    There are several steps we have to progress through to get your systems cleaned up. It's not easy, and it will take time, but for those that persevere, it will avoid a re-image of your system.

    Informative tidbits:

    • The detection Artemis!56C9EF26F88B is now called "DNSChanger!fa", in DAT 6489. There are a few hash-specific VILs, like this one in the Threat Intelligence site.
    • The detection Artemis!8E57E8B69F2 seems to be a character short, so I'm not able to pull any info about it.
    • Information about ZeroAccess can be found HERE. The instructions should work for 32-bit as well as 64-bit.
    • Seeing these Artemis detections tells us that these are VERY new variants of known malware families. This means there could very well be completely undetected variants as well. As hard as we work to collect samples, no AV vendor, including McAfee, is able to detect 100%. With that said, we need your help submitting undetected malware, so we can prevent reinfections not only for you, but for other users as well.

    For the steps below, it's helpful to have a USB drive with these tools on it:

    • GMER, available HERE
    • GetSusp, available HERE
    • Latest BETA DATs, available HERE
    • Latest build of Stinger, available HERE for the FakeAV version, and HERE for the normal weekly version.
    • A copy of Sigcheck, available HERE.
    • A clean installer of your currently installed McAfee product.

    Also, it's a good idea to have a copy of CleanBoot burned to CD, in case our efforts in Safe Mode are not successful. Available HERE.

    First, we must remove any companion malware (malware that could be dropping the ZeroAccess rootkit and also terminating scanning tools) to allow the RootkitRemover to work.

    Booting to a CD is the best way to ensure that malware is not loaded into memory, where it makes detection most challenging. However, let's see if we can tackle it strictly from Safe Mode, as it's far more user friendly.

    1. Reboot into Safe Mode.

    2. Run "MSCONFIG" (click Start > Run). On the General tab, select the third option, "Selective Startup", then uncheck the box "Load Startup Items".

    3. Reboot into normal mode.

    4. Run RootkitRemover, and ensure it detects and cleans.

        a. If you are on a 64-bit system, skip down to "64bit O.S.".

    5. If it detects ZeroAccess, then reboot and run a full scan of the system, first using the Stinger(s) and then your local McAfee product. Often, the permissions on the McAfee folder are modified by the malware and require manual correction:

    • Right-click the parent folder of the affected files and choose Properties.
    • In the window that opens, choose the Security tab.
    • Click Advanced.
    • There will be two checkboxes below the list of permissions. If the checkbox for Inherit Parent's Permissions is checked, uncheck it.
    • Check the Inherit box again to inherit permissions from the parent folder.
    • Check the box to copy permissions to child objects. This will replace the permissions that were removed by the malware.

    6. You should now repair/reinstall your AV product, update your DATs, and run a full system scan.

    7. If further detections are made, you should now be able to revert the steps we made in #2 by doing the following:

    • Run "MSCONFIG" (click Start > Run). On the General tab, select the third option, "Selective Startup", then check the box "Load Startup Items".
    • Reboot.

    8. If no further detections are found, but you still have malicious behavior, then there could still be malware on the system, and it will require additional work to identify. Using GetSusp is a good first step in identifying undetected malware. Using the Virus Removal Service might be a reasonable next step, but feel free to post back here first.

    64bit O.S.: For 64-bit systems, we need to manually repair the infected .sys file. (Steps taken from the VIL available for ZeroAccess.a.)

    Manual Remediation steps:

    The malicious code is loaded by the patched system driver. In order to clean the system manually, it is necessary to identify the malicious .SYS file and replace it with a good copy from installation media.

    In order to identify which system driver was replaced, the user is going to need the following tool:

    GMER: http://www.gmer.net/

    1. First of all, the machine must be disconnected from the internet to avoid reinfection, in case any other malware is downloading and installing ZeroAccess or other pieces of malware.

    2. Execute GMER, and uncheck these four options: "Modules, Processes, Threads, Files".

    http://vil.nai.com/images/562354_1.png

    3. Then right-click in the main window, select "Options", and enable "IRP Hooks".

    4. Start the rootkit scan and wait for it to finish.

    5. If the system is infected, GMER will show the name of the patched .SYS file, as shown in the YELLOW circle above. Take note of this name.

    6. Look in the following folder and search for a file with the same name as noted above: %SYSTEMROOT%\ServicePackFiles\i386

    7. If there is a copy of the file in the folder above, copy it to the root of drive C:. It will be needed later.

    8. If the file is not present in the folder above, it will be necessary to copy the file from installation media, or from another machine with the same Windows version and language.

    9. Boot the infected machine with clean boot media like McAfee CleanBoot, BartPE or Hiren's Boot CD.

    10. From the clean boot, copy the file stored in the root folder (copied above) to the location of the patched system driver.

    ex: copy c:\mrxsmb.sys c:\windows\system32\drivers\mrxsmb.sys

    11. Reboot the system in Safe Mode and log in as the Administrator user.

    12. Execute the CSSCAN command line tool using the Beta DATs to remove any Trojan or infected file from the system:

    a. VSE 8.7: "C:\Program Files\McAfee\VirusScan Enterprise\csscan.exe" -All -Unzip -Program -Analyze -Sub -Clean -Log c:\scan-rpt.txt C:\

    b. VSE 8.8: "C:\Program Files\Common Files\McAfee\SystemCore\csscan.exe" -All -Unzip -Program -Analyze -Sub -Clean -Log c:\scan-rpt.txt C:\

    c. Other McAfee product users: please use the following standalone tool, Stinger.

    In order to use the Stinger tool, please make sure the targets "Processes" and "Registry" are disabled and the interface option "List of all files scanned" is enabled in Stinger before scanning the infected machine.

    http://vil.nai.com/images/562354_4.png

    13. Reboot the system normally.

    14. Run GMER again to confirm that no malicious threads or patched files exist anymore.

    I'll evolve this post with your constructive feedback, and work to make it as effective as possible. As with many malware infections, they can be unpredictable, and in some cases require the direct intervention of a malware expert. In such cases, we recommend you reach out to support to ensure your system is cleaned properly.

    David Meier

    Lead Field Engineer - McAfee Labs

    on 10/4/11 6:50:20 PM CDT
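An added example, not from David's post or from any McAfee tool: a PowerShell check covering steps 6 and 7 of the manual procedure, which compares each driver in %SYSTEMROOT%\system32\drivers against the same-named copy in %SYSTEMROOT%\ServicePackFiles\i386 (both paths as named in the post) and reports hash mismatches, with the Authenticode status as a secondary hint. It assumes an administrative Windows PowerShell 2.0 or later session; hotfixes also replace drivers legitimately, so a mismatch is a lead to verify against installation media, not proof by itself.

```powershell
# Added example, not part of the original post or any McAfee tool: compare the live
# drivers against the ServicePackFiles copies that steps 6-7 of the post rely on.
# Assumptions: paths as named in the post; Windows PowerShell 2.0 or later.
# A hash mismatch is a lead to check against installation media (hotfixes also
# replace drivers legitimately), not proof of infection on its own.
param(
    [string]$DriverDir    = (Join-Path $env:SystemRoot 'system32\drivers'),
    [string]$ReferenceDir = (Join-Path $env:SystemRoot 'ServicePackFiles\i386')
)

function Get-Sha256Hex([string]$Path) {
    # ReadAllBytes plus SHA256 works on PowerShell 2.0, where Get-FileHash does not exist.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $hash = $sha.ComputeHash([System.IO.File]::ReadAllBytes($Path))
        return ([System.BitConverter]::ToString($hash)) -replace '-', ''
    } finally { $sha.Clear() }
}

function Compare-DriverWithReference([string]$LivePath, [string]$RefDir) {
    $name = [System.IO.Path]::GetFileName($LivePath)
    $ref  = Join-Path $RefDir $name
    # Catalog-signed drivers can report NotSigned here; Sigcheck (in the tool list)
    # resolves catalogs, so treat this field as a secondary hint only.
    $sig  = Get-AuthenticodeSignature -FilePath $LivePath
    $result = New-Object PSObject -Property @{
        Driver      = $name
        LiveSha256  = Get-Sha256Hex $LivePath
        RefSha256   = $null
        HashMatches = $null
        SigStatus   = $sig.Status.ToString()
    }
    if (Test-Path -LiteralPath $ref) {
        $result.RefSha256   = Get-Sha256Hex $ref
        $result.HashMatches = ($result.LiveSha256 -eq $result.RefSha256)
    }
    return $result
}

# A rootkit that hides or redirects its patched file can make the live copy look
# clean, so the post's advice to work from CleanBoot applies to this check as well.
$report = Get-ChildItem -Path $DriverDir -Filter '*.sys' |
    ForEach-Object { Compare-DriverWithReference $_.FullName $ReferenceDir }

# Report only drivers that have a reference copy and differ from it.
$report | Where-Object { $_.HashMatches -eq $false } |
    Sort-Object Driver |
    Format-Table Driver, SigStatus, LiveSha256, RefSha256 -AutoSize
```

Drivers with no copy in the reference folder are left out of the table; those are the ones step 8 of the post says to take from installation media or a matching clean machine.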
  • rags, Newcomer, 6 posts since Oct 2, 2011
    34. Oct 4, 2011 7:02 PM (in response to dmeier)
    Re: Help... Artemis!56C9EF26F88B - ZeroAccess

    You have GOT to be kidding!!!!!!! You want me to do ALL this and take another 5 hours out of my life? I DON'T THINK SO... I'll wait for your automatic fix until this weekend and then, if you don't have a "click to fix" or do it "internally with an Update", I'll crapcan McAfee altogether and move on....... UGH!!!!!!!!!!!!!!!!!!!!!!!!!

  • beagle123, Newcomer, 10 posts since Oct 1, 2011
    35. Oct 4, 2011 11:54 PM (in response to dmeier)
    Re: Help... Artemis!56C9EF26F88B - ZeroAccess

    There are links to many tools, but I don't see one for the Rootkit Remover.  Where do we get that?

  • jdl, Newcomer, 8 posts since Oct 1, 2011
    36. Oct 5, 2011 1:08 AM (in response to dmeier)
    Re: Help... Artemis!56C9EF26F88B - ZeroAccess

    So... after trying the manual multi-step clean-up, I'm now adding DNSChanger!fa to the list of trojans being found. I've downloaded tools, gone through manual sweeps, and it's worse????

  • dmeier, McAfee SME, 100 posts since Nov 3, 2009
    38. Oct 5, 2011 7:42 AM (in response to lozah)
    Re: Help... Artemis!56C9EF26F88B - ZeroAccess

    @lozah - We have a copy of that file, and I'll make sure it gets classified today. It will take a couple of days to reflect in the full DATs. In the meantime, the Artemis detections will prevent it from doing any damage. The problem is what is dropping that file; that's what is still infected. You might need to boot from a boot CD and run a full scan. Let me know if you need help with that.

    @jdl - The Artemis detection you were first getting has simply been renamed (classified) to DNSChanger!fa, so you're as bad off as you were, no worse.

    @Beagle123 - I had linked to the site where it was linked. That's no help, so here's the proper direct link to RootkitRemover: http://vil.nai.com/images/562354_2.zip

    @rags - Please PM me, I'd like to speak to someone such as yourself.

    @Carolyn Hannibal - Please PM me.

  • havasulover75, Newcomer, 5 posts since Oct 2, 2011
    39. Oct 5, 2011 12:46 PM (in response to dmeier)
    Re: Help... Artemis!56C9EF26F88B - ZeroAccess

    Amazing how I can't even get help from McAfee online!!! I tried to get a boot disc and I couldn't even get that from them. They escalated my call and said I would get a call from them tomorrow! I would just like to have my computer back to normal. If you see my previous posts you will see what I have encountered with this Open Cloud Security virus. I have tried the RootkitRemover but I need 64-bit. I have also tried GMER but it would not allow me to check the top boxes (see previous post). I feel as if I should change to another company for virus protection. I am extremely frustrated by this. I just spent over an hour in a chat box, then went back online with the infected computer, all for them to tell me that they can't help.... now 2 hours later.... no help.... no boot disc! Who's helping at McAfee????!!!!
