44054 Views 33 Replies Latest reply: Jan 3, 2013 7:18 AM by cabmaster. Branched to a new discussion.
darkjhon Newcomer 2 posts since Jun 22, 2012

Jun 22, 2012 1:50 PM

Zeroaccess Rootkit virus, unremovable

I've just recently had a virus attach itself to two desktop.ini files, located in c:\windows\assembly\gac_32\desktop.ini and c:\windows\assembly\gac_64\desktop.ini. I've tried various methods to resolve this problem: downloading a program called Malwarebytes and scanning; other forums on this website recommend downloading a certain rootkit killer to solve the problem; booting into safe mode and scanning (however, when I scan in safe mode it doesn't detect the virus); I've even tried to uninstall McAfee and reinstall, but to no avail. Unfortunately, nothing I tried worked and at the moment I'm downloading Kaspersky because I've read that it can detect and delete the virus. However, I'm expecting this won't work either, so I'm at a loss and am considering reformatting and reinstalling Windows. Of course I do not want to do this, so I am looking for other alternatives. I'm using Windows 7 and McAfee Total Protection. Thanks.

  • Hayton Volunteer Moderator 4,600 posts since Sep 27, 2010
    1. Jun 22, 2012 7:11 PM (in response to darkjhon)
    Re: Zeroaccess Rootkit virus, unremovable

    Moved to Security Awareness, Home User Assistance.


    Volunteer Moderator  Leeds, UK
    No PM's please
  • sol Apprentice 127 posts since Feb 22, 2012
    2. Jun 25, 2012 2:51 PM (in response to darkjhon)
    Re: Zeroaccess Rootkit virus, unremovable

    I have been dealing with numerous ZeroAccess rootkits lately on our work PCs. Most often this is accompanied by several other viruses.

    What I have done to fix these...

    Cleaned all cache folders... ALL TEMP folders, Internet temp folder, and cookies. You can do this manually or use CCleaner. Within CCleaner, only check the cache files to be cleaned.

    Free download:

    http://www.piriform.com/ccleaner (Home user edition)

    http://www.piriform.com/business (standalone and networked versions)

    Original link removed and replaced by link to Piriform (vendor site) - Hayton

    I ran a full McAfee scan with up to date DAT

    I ran the latest version of Stinger

    I ran the latest MalwareBytes

    Look for any suspicious "randomfilename.exe" files under the All Users/ application data (XP) or AppData/Local or AppData/ Roaming and remove them. I recommend doing a search on all suspicious filenames to make sure it is not a needed file for the system.

    This has taken care of our systems so far.

    Addition: After just cleaning one of these systems, what I remember with most of the ones I have cleaned is this...

    Under the documents and settings\user\local settings\application data path you might see a folder like this

    {ca293b11-cbe5-0879-da36-3348859344848ad66} (varies in name). You will also find this same folder under the Windows/installer folder along with many others. There is a difference though: the infected/fake one has a much smaller font size and is very distinguishable among the others. I remove both of these folders and that seems to aid greatly in the cleaning process.

    I find this to be true with a combination of ZeroAccess and PWS-Zbot.gen.xs viruses. You will also find 1 - 3 strange .exe files under the users/application data folder.

    Message was edited by: sol on 6/25/12 9:59:29 AM CDT

    Message was edited by: Hayton - Link to CCleaner removed and replaced by link to Piriform (CCleaner vendor site) on 25/06/12 20:51:31 IST
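    The post above names three kinds of artefact to look for by hand: GUID-named folders under the user's local application data with a twin under Windows\Installer, loose .exe files sitting directly in AppData, and (from the opening post) the desktop.ini files in the GAC_32 and GAC_64 folders. The script below is an added example for checking all three in one pass; it is not sol's tooling or a McAfee tool. It is deliberately read-only: it lists each hit with size, timestamps, Authenticode status and SHA-256 so that each one can be looked up before anything is removed. The Vista/7 paths (`$env:LOCALAPPDATA`, `$env:APPDATA`), the GUID-folder regex and the choice to hash with .NET rather than `Get-FileHash` (so it also runs on PowerShell 2.0) are my assumptions.

```powershell
# Added triage script, not from the thread. Read-only: it reports the indicators
# sol describes and deletes nothing, so each hit can be checked before acting.
# Assumes Windows Vista/7 paths (AppData\Local, AppData\Roaming) and an elevated
# PowerShell 2.0+ session so C:\Windows\Installer and the GAC folders are readable.

# Folder names of the form {ca293b11-cbe5-...}: braces around hex digits and hyphens.
$GuidFolderPattern = '^\{[0-9a-f\-]+\}$'

function Get-FileSha256 {
    param([string]$Path)
    # .NET hashing so the script also works on PowerShell 2.0 (Get-FileHash needs 4.0).
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }
}

function Get-SuspectGuidFolders {
    # GUID-named folders directly under the user's local AppData, plus whether a
    # folder of the same name also exists under Windows\Installer (sol's "twin").
    param(
        [string]$UserLocal    = $env:LOCALAPPDATA,
        [string]$InstallerDir = (Join-Path $env:windir 'Installer')
    )
    Get-ChildItem -LiteralPath $UserLocal -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and $_.Name -match $GuidFolderPattern } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Folder          = $_.FullName
                Created         = $_.CreationTime
                TwinInInstaller = Test-Path -LiteralPath (Join-Path $InstallerDir $_.Name)
            }
        }
}

function Get-SuspectAppDataExe {
    # Loose .exe files sitting directly in AppData\Local or AppData\Roaming
    # (installed programs normally live in their own subfolders there).
    param([string[]]$Roots = @($env:LOCALAPPDATA, $env:APPDATA))
    foreach ($root in $Roots) {
        Get-ChildItem -LiteralPath $root -Filter '*.exe' -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    File      = $_.FullName
                    SizeBytes = $_.Length
                    Created   = $_.CreationTime
                    # Embedded Authenticode status: unsigned is a prompt to look, not proof.
                    Signature = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
                    SHA256    = Get-FileSha256 -Path $_.FullName
                }
            }
    }
}

function Get-GacDesktopIni {
    # The two desktop.ini files the original poster names. A plain desktop.ini is a
    # small text file, so size and attributes are reported for the analyst to judge.
    $relative = @('assembly\GAC_32\desktop.ini', 'assembly\GAC_64\desktop.ini')
    foreach ($rel in $relative) {
        $path = Join-Path $env:windir $rel
        if (Test-Path -LiteralPath $path) {
            $f = Get-Item -LiteralPath $path -Force
            New-Object PSObject -Property @{
                File       = $path
                Present    = $true
                SizeBytes  = $f.Length
                Attributes = $f.Attributes.ToString()
                Modified   = $f.LastWriteTime
            }
        } else {
            New-Object PSObject -Property @{
                File       = $path
                Present    = $false
                SizeBytes  = $null
                Attributes = ''
                Modified   = $null
            }
        }
    }
}

"== GUID-named folders in $env:LOCALAPPDATA =="
Get-SuspectGuidFolders | Format-Table Folder, Created, TwinInInstaller -AutoSize
"== Loose .exe files in AppData =="
Get-SuspectAppDataExe | Format-Table File, SizeBytes, Created, Signature, SHA256 -AutoSize
"== desktop.ini in the GAC folders =="
Get-GacDesktopIni | Format-Table File, Present, SizeBytes, Attributes, Modified -AutoSize
```

    Run it from an elevated PowerShell as the affected user, and run it again after the cleanup tools have finished: an entry that reappears after a reboot (as bigpapasmurf reports further down for the GAC desktop.ini) is the signal that the rootkit is still active, which is more useful than any single scan result.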
  • Hayton Volunteer Moderator 4,600 posts since Sep 27, 2010
    3. Jun 25, 2012 2:53 PM (in response to darkjhon)
    Re: Zeroaccess Rootkit virus, unremovable

    ZeroAccess is a difficult piece of malware to remove. Once installed, it may need attacking with a number of specialist removal tools. Even reformatting a disk might not succeed in getting rid of it, or so I've been informed.

    sol's advice (above) is useful but will not completely remove the infection.

    Malwarebytes is unlikely to remove this rootkit; Kaspersky's TDSSKiller might do it. However, there are several versions of ZeroAccess now at large, and some of them may have refinements to counter or evade the earlier removal methods.

    See the advice I gave in another thread -

    https://community.mcafee.com/message/244848#244848

    Message was edited by: Hayton on 25/06/12 20:53:23 IST

    Volunteer Moderator  Leeds, UK
    No PM's please
  • djfil Newcomer 11 posts since Mar 5, 2012
    5. Jun 30, 2012 6:34 PM (in response to darkjhon)
    Re: Zeroaccess Rootkit virus, unremovable

    For me and my customers, Hitman Pro has been doing the best job with removal of this infection. But I do see McAfee starting to get more updates out there for complete removal of the infection.

  • Hayton Volunteer Moderator 4,600 posts since Sep 27, 2010
    6. Jul 3, 2012 9:24 PM (in response to djfil)
    Re: Zeroaccess Rootkit virus, unremovable

    Whether ZeroAccess can be completely removed depends on which variant you've been infected with. Microsoft (which knows this as Win32/Sirefef) has this to say:

    "Particular variants of Win32/Sirefef may also make lasting changes to your computer that will NOT be restored - some system files may be irrevocably corrupted and essential security services may be disabled.

    Due to the severe consequences associated with this threat, you may need to reinstall your Windows operating system and other computer programs, and restore your files and data from backup if your computer is infected with any of the following Sirefef variants:

    - Trojan:Win32/Sirefef.AA

    - Trojan:Win32/Sirefef.AC

    - Trojan:Win32/Sirefef.AH"

    Trying to match an infection name that uses Microsoft's naming system (reasonably straightforward) to one of McAfee's classifications (sometimes wilfully obscure) gives me a headache. I have no idea which of the 660+ ZeroAccess variants known to McAfee those three might be. I do know that there is a new batch of variants that are even more difficult than the earlier ones to detect and remove. Microsoft's warning should be borne in mind if you get a McAfee alert about ZeroAccess.

    I'm working through reports from other AV vendors about these new variants, looking for the significant differences. The new ones seem to inject code into 'services.exe', and attempts at removal lead to a subsequent error message I've noted in other posts about 'the service could not be found'. Kill the rootkit and you cripple the system: that's an effective defence against AV.

    I'll have to see how well Hitman Pro is said to cope with these variants. I doubt it'll be perfect; none of the AV solutions are.


    Volunteer Moderator  Leeds, UK
    No PM's please
  • Hayton Volunteer Moderator 4,600 posts since Sep 27, 2010
    7. Jul 4, 2012 8:33 AM (in response to Hayton)
    Re: Zeroaccess Rootkit virus, unremovable

    Regarding my scepticism about Hitman Pro, I have to say that it seems to deal with ZeroAccess pretty efficiently. There's a blog about this on their site at

    http://hitmanpro.wordpress.com/2012/06/25/zeroaccess-from-rootkit-to-nasty-infection/

    The blog highlights some of the recent modifications to the code which were intended to make ZeroAccess harder to detect, and notes that the particular variant being examined makes changes to services.exe, which might explain some of the problems encountered by McAfee users recently after running Stinger.


    Volunteer Moderator  Leeds, UK
    No PM's please
  • intenz Newcomer 13 posts since Oct 19, 2009
    8. Jul 12, 2012 5:44 AM (in response to darkjhon)
    Re: Zeroaccess Rootkit virus, unremovable

    Hitman Pro seems to be able to detect and replace the file. It will only replace the file in case you have a licensed version. In case you don't have a Hitman Pro license you can use the following to replace the services.exe file with a fresh copy.

    "sfc /verifyfile=c:\windows\system32\services.exe"

    or

    "sfc /scannow" to do a full scan of your system to check if any Windows Protected Executables have been changed.

    Do check the logs to see what was detected and replaced and to make sure the replacement of the file was successful.

    Regards,

    Jorge M Moreira Vilhena
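    The post above gives the sfc commands but not how to read their result, which is what the "check the logs" step turns on. The script below is an added example, not intenz's or Hitman Pro's code: it records the hash and signature status of services.exe, runs sfc from PowerShell, pulls the `[SR]` entries that System File Checker writes to `%windir%\Logs\CBS\CBS.log`, and records the file identity again so a replaced file shows up as a changed hash. Two points a practitioner should know: sfc's `/verifyfile` switch only checks a file, while `/scanfile` checks and repairs it, so the script offers a `-Repair` switch that uses the latter; and older PowerShell versions (such as the one shipped with Windows 7) report catalog-signed system files like services.exe as `NotSigned`, so that status alone is not evidence of tampering. The function names, the `-Repair` switch and the NUL-stripping of sfc's UTF-16 console output are my assumptions.

```powershell
# Added example, not from the thread. Runs the sfc command the post gives and
# reads the [SR] lines sfc writes to CBS.log so the verify/repair result can be
# checked. Must run in an elevated 64-bit PowerShell; assumes Windows 7 with
# sfc.exe and CBS.log in their default locations.

$CbsLog = Join-Path $env:windir 'Logs\CBS\CBS.log'

function Get-FileIdentity {
    # Hash, size, timestamp and Authenticode status of the file, to compare before
    # and after sfc runs. Caveat: PowerShell before 5.1 reports catalog-signed
    # Windows binaries (services.exe among them) as NotSigned.
    param([string]$Path = (Join-Path $env:windir 'System32\services.exe'))
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { $hash = ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }
    $item = Get-Item -LiteralPath $Path -Force
    New-Object PSObject -Property @{
        File      = $Path
        SizeBytes = $item.Length
        Modified  = $item.LastWriteTime
        SHA256    = $hash
        Signature = (Get-AuthenticodeSignature -FilePath $Path).Status
    }
}

function Invoke-SfcCheck {
    param(
        [string]$File = (Join-Path $env:windir 'System32\services.exe'),
        [switch]$Repair,    # /scanfile (check and repair) instead of /verifyfile (check only)
        [switch]$FullScan   # /scannow over every protected file
    )
    $sfc = Join-Path $env:windir 'System32\sfc.exe'
    if ($FullScan)    { $cmd = '/scannow' }
    elseif ($Repair)  { $cmd = "/scanfile=$File" }
    else              { $cmd = "/verifyfile=$File" }
    $raw  = & $sfc $cmd 2>&1
    $code = $LASTEXITCODE
    # sfc prints UTF-16; older PowerShell versions capture it with interleaved NUL
    # characters ("V e r i f i c a t i o n"), so strip them before returning.
    $text = ($raw | ForEach-Object { "$_" -replace "`0", '' }) -join "`n"

    # [SR] tags the System File Checker entries in CBS.log. For one file keep only
    # the lines naming it; for a full scan keep them all.
    $leaf = Split-Path -Path $File -Leaf
    $srLines = @(Select-String -Path $CbsLog -Pattern '\[SR\]' -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Line } |
        Where-Object { $FullScan -or $_ -match [regex]::Escape($leaf) })

    New-Object PSObject -Property @{
        Command    = "sfc $cmd"
        ExitCode   = $code
        Output     = $text
        LogLines   = $srLines
        # "Cannot repair" in an [SR] line means sfc found a bad file it could not replace.
        Unrepaired = @($srLines | Where-Object { $_ -match 'Cannot repair' })
    }
}

'Before:'; Get-FileIdentity | Format-List File, SizeBytes, Modified, SHA256, Signature
$result = Invoke-SfcCheck -Repair
$result.Output
'CBS.log [SR] entries mentioning services.exe:'; $result.LogLines
if ($result.Unrepaired.Count -gt 0) { 'sfc reported a file it could not repair; read CBS.log in full.' }
'After:'; Get-FileIdentity | Format-List File, SizeBytes, Modified, SHA256, Signature
```

    Use the 64-bit PowerShell (not the x86 one) on a 64-bit system, because file-system redirection sends a 32-bit process to SysWOW64 and sfc will not run there. If the `Before` and `After` hashes are identical and no `Cannot repair` line appears, sfc either found nothing wrong or did not touch the file; if the rootkit is still injected into the running services.exe (as the earlier posts describe), the on-disk file can be verified clean while the process is not, which is why this check complements rather than replaces a rootkit scanner run from outside the infected system.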

  • bigpapasmurf Newcomer 6 posts since Jul 22, 2012
    9. Jul 22, 2012 12:44 PM (in response to intenz)
    Re: Zeroaccess Rootkit virus, unremovable

    How would I run that? My computer was first affected by Live Security Platinum; now 2 ZeroAccess trojans refuse to leave. One is in system32\services.exe and Hitman Pro says that WFP protects it. All attempts to replace it have failed. The other is within assembly\GAC_32\desktop.ini and Hitman Pro keeps saying that it will be deleted when I reboot the desktop, but every time I tried, nothing happens and it pops right back up again on Hitman Pro's scan. Help?
