33 Replies. Latest reply: Jan 3, 2013 7:18 AM by cabmaster

    Zeroaccess Rootkit virus, unremovable

    darkjhon

      I've just recently had a virus attach itself to two desktop.ini files, located in c:\windows\assembly\gac_32\desktop.ini and c:\windows\assembly\gac_64\desktop.ini.  I've tried various methods to resolve this problem: downloading a program called Malwarebytes and scanning; other forums on this website recommend downloading a certain rootkit killer to solve the problem; booting into safe mode and scanning (however, when I scan in safe mode it doesn't detect the virus); I've even tried to uninstall McAfee and reinstall, but to no avail.  Unfortunately, nothing I tried worked, and at the moment I'm downloading Kaspersky because I've read that it can detect and delete the virus.  However, I'm expecting this won't work either, so I'm at a loss and am considering reformatting and reinstalling Windows.  Of course I do not want to do this, so I am looking for other alternatives.  I'm using Windows 7 and McAfee Total Protection.  Thanks.

        • 1. Re: Zeroaccess Rootkit virus, unremovable
          Hayton

          Moved to Security Awareness, Home User Assistance.

          • 2. Re: Zeroaccess Rootkit virus, unremovable
            sol

            I have been dealing with numerous ZeroAccess rootkits lately on our work PCs. Most often this is accompanied by several other viruses.

            What I have done to fix these...

            cleaned all cache folders... ALL TEMP folders, Internet temp folder, and cookies. You can do this manually or use CCleaner. Within CCleaner, only check the cache files to be cleaned.

            Free download :

            http://www.piriform.com/ccleaner (Home user edition)

            http://www.piriform.com/business  (standalone and networked versions)

            Original link removed and replaced by link to Piriform (vendor site) - Hayton

            I ran a full McAfee scan with up to date DAT

            I ran the latest version of Stinger

            I ran the latest MalwareBytes

            Look for any suspicious "randomfilename.exe" files under the All Users/ application data (XP) or AppData/Local or AppData/ Roaming and remove them. I recommend doing a search on all suspicious filenames to make sure it is not a needed file for the system.

            This has taken care of our systems so far.

            Addition:  After just cleaning one of these systems, what I remember with most of the ones I have cleaned is this...

            Under the documents and settings\user\local settings\application data path you might see a folder like this: {ca293b11-cbe5-0879-da36-3348859344848ad66} (varies in name). You will also find this same folder under the Windows/installer folder along with many others. There is a difference though: the infected/fake one has a much smaller font size and is very distinguishable among the others. I remove both of these folders and that seems to aid greatly in the cleaning process.

            I find this to be true with a combination of ZeroAccess and PWS-Zbot.gen.xs viruses. You will also find 1 - 3 strange .exe files under the users/application data folder.

            Message was edited by: sol on 6/25/12 9:59:29 AM CDT

            Message was edited by: Hayton - Link to CCleaner removed and replaced by link to Piriform (CCleaner vendor site) on 25/06/12 20:51:31 IST
            • 3. Re: Zeroaccess Rootkit virus, unremovable
              Hayton

              ZeroAccess is a difficult piece of malware to remove. Once installed, it may need attacking with a number of specialist removal tools. Even reformatting a disk might not succeed in getting rid of it, or so I've been informed.

              sol's advice (above) is useful but will not completely remove the infection.

              Malwarebytes is unlikely to remove this rootkit; Kaspersky's TDSSKiller might do it. However, there are several versions of ZeroAccess now at large, and some of them may have refinements to counter or evade the earlier removal methods.

              See the advice I gave in another thread -

              https://community.mcafee.com/message/244848#244848

              Message was edited by: Hayton on 25/06/12 20:53:23 IST
              • 4. Re: Zeroaccess Rootkit virus, unremovable
                darkjhon

                Thanks for the information.  But I just decided to reinstall Windows.  The first thing I did was install McAfee and perform a full scan, and fortunately there were no viruses present.  Therefore, I'm hopeful that the rootkit was permanently deleted and I will not have this problem again.  However, I've also heard that the rootkit may not be deleted after a format and reinstall, but if it wasn't, I'm assuming that McAfee would have detected it.  Correct me if I'm wrong, please!  Thanks again!

                • 5. Re: Zeroaccess Rootkit virus, unremovable
                  djfil

                  For me and my customers Hitman Pro has been doing the best job with removal of this infection.  But I do see McAfee starting to get more updates out there for complete removal of the infection.

                  • 6. Re: Zeroaccess Rootkit virus, unremovable
                    Hayton

                    Whether ZeroAccess can be completely removed depends on which variant you've been infected with. Microsoft (which knows this as Win32/Sirefef) has this to say:

                    "Particular variants of Win32/Sirefef may also make lasting changes to your computer that will NOT be restored - some system files may be irrevocably corrupted and essential security services may be disabled.

                    Due to the severe consequences associated with this threat, you may need to reinstall your Windows operating system and other computer programs, and restore your files and data from backup if your computer is infected with any of the following Sirefef variants:

                    - Trojan:Win32/Sirefef.AA

                    - Trojan:Win32/Sirefef.AC

                    - Trojan:Win32/Sirefef.AH"

                    Trying to match an infection name that uses Microsoft's naming system (reasonably straightforward) to one of McAfee's classifications (sometimes wilfully obscure) gives me a headache. I have no idea which of the 660+ ZeroAccess variants known to McAfee those three might be. I do know that there is a new batch of variants that are even more difficult than the earlier ones to detect and remove. Microsoft's warning should be borne in mind if you get a McAfee alert about ZeroAccess.

                    I'm working through reports from other AV vendors about these new variants, looking for the significant differences. The new ones seem to inject code into 'services.exe', and attempts at removal lead to a subsequent error message I've noted in other posts about 'the service could not be found'. Kill the rootkit and you cripple the system: that's an effective defence against AV.

                    I'll have to see how well Hitman Pro is said to cope with these variants. I doubt it'll be perfect, none of the AV solutions are.

                    • 7. Re: Zeroaccess Rootkit virus, unremovable
                      Hayton

                      Regarding my scepticism about Hitman Pro, I have to say that it seems to deal with ZeroAccess pretty efficiently. There's a blog about this on their site at

                      http://hitmanpro.wordpress.com/2012/06/25/zeroaccess-from-rootkit-to-nasty-infection/

                      The blog highlights some of the recent modifications to the code which were intended to make ZeroAccess harder to detect, and notes that the particular variant being examined makes changes to services.exe, which might explain some of the problems encountered by McAfee users recently after running Stinger.

                      • 8. Re: Zeroaccess Rootkit virus, unremovable
                        intenz

                        Hitman Pro seems to be able to detect and replace the file. It will only replace the file in case you have a licensed version. In case you don't have a Hitman Pro license you can use the following to replace the services.exe file with a fresh copy.

                        "sfc /verifyfile=c:\windows\system32\services.exe"

                        or

                        "sfc /scannow" to do a full scan of your system to check if any Windows Protected Executables have been changed.

                        Do check the logs to see what was detected and replaced and to make sure the replacement of the file was successful.

                        Regards,

                        Jorge M Moreira Vilhena
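                        The checks from the post above combined into one script, as an added example (not Jorge's code or anything McAfee ships): it runs sfc /verifyfile on services.exe, pulls the [SR] result lines that SFC writes to %windir%\Logs\CBS\CBS.log, and lists the GAC_32/GAC_64 desktop.ini files named in the first post so they can be examined. It assumes Windows at the default %windir% and an elevated 64-bit PowerShell session.

```powershell
# Added example, not from the thread. Run from an elevated (Administrator) PowerShell prompt;
# on 64-bit Windows use the 64-bit PowerShell so sfc.exe is not redirected to SysWOW64.
# Assumes Windows lives at $env:windir (normally C:\Windows), as the thread's paths do.
$Target  = "$env:windir\System32\services.exe"
$CbsLog  = "$env:windir\Logs\CBS\CBS.log"          # SFC records its results here, tagged [SR]
$GacInis = @("$env:windir\assembly\GAC_32\desktop.ini",
             "$env:windir\assembly\GAC_64\desktop.ini")

function Test-ProtectedFile {
    param([string]$Path, [string]$LogPath)
    # Remember how long CBS.log already is so only this run's [SR] lines get reported.
    $before = 0
    if (Test-Path $LogPath) { $before = @(Get-Content $LogPath).Count }

    # sfc compares the file with the protected copy in the component store and repairs it if it differs.
    & "$env:windir\System32\sfc.exe" "/verifyfile=$Path" | Out-Null
    $exit = $LASTEXITCODE

    $srLines = @()
    if (Test-Path $LogPath) {
        $all = @(Get-Content $LogPath)
        if ($all.Count -gt $before) {
            $srLines = @($all[$before..($all.Count - 1)] | Where-Object { $_ -match '\[SR\]' })
        }
    }
    New-Object PSObject -Property @{
        Path        = $Path
        SfcExitCode = $exit      # 0 when sfc reports no violation; rely on SrLines for the detail
        SrLines     = $srLines   # e.g. "Verify complete" or "Cannot repair member file ..."
    }
}

function Get-GacDesktopIni {
    param([string[]]$Paths)
    # The first post reports the payload stored as desktop.ini in these two folders.
    # -Force is needed because such files are commonly marked hidden/system.
    foreach ($p in $Paths) {
        if (Test-Path $p) {
            $f = Get-Item $p -Force
            New-Object PSObject -Property @{
                Path = $p; Bytes = $f.Length; Attributes = $f.Attributes; LastWrite = $f.LastWriteTime
            }
        }
    }
}

Test-ProtectedFile -Path $Target -LogPath $CbsLog | Format-List
Get-GacDesktopIni -Paths $GacInis | Format-Table -AutoSize
```

If SfcExitCode is non-zero or SrLines mentions a file it could not repair, follow up with the full "sfc /scannow" run described above and read the new [SR] lines in CBS.log.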

                        • 9. Re: Zeroaccess Rootkit virus, unremovable
                          bigpapasmurf

                          How would I run that? My computer was first affected by Live Security Platinum, and now 2 ZeroAccess trojans refuse to leave. One is in system32\services.exe and Hitman Pro says that WFP protects it. All attempts to replace it have failed. The other is within assembly\GAC_32\desktop.ini and Hitman Pro keeps saying that it will be deleted when I reboot the desktop, but every time I tried, nothing happens and it pops right back up again on Hitman Pro's scan. Help?
