11 Replies. Latest reply on Oct 15, 2012 9:08 PM by Hayton

    ZeroAccess Trojans! Help! desktop.ini

    willowdzn

      I've got 5 ZeroAccess trojans on my computer and I can't remove them! They're all located at: C:\Windows\Assembly\GAC_32\Desktop.ini

      So far I have run:

      - 6x Full scan - McAfee Security Center (detected them, couldn't remove)
      - 3x Scan - FixZeroAccess - Symantec (didn't detect anything)
      - 3x Scan - Rootkit Remover - McAfee (didn't detect anything)
      - 1x Full scan - MalwareBytes (in progress)
      - 1x Full scan - Stinger (4 detected, 1 removed)
      - 1x Full scan - HitmanPro (in progress [21%]; 81 tracking cookies found, 2 malware files in C:\Users\Brad\AppData\Local\Temp)

      I don't think that Malware/HitmanPro will find/remove all of the trojans, so I need help. What do any of you suggest?

        • 1. Re: ZeroAccess Trojans! Help! desktop.ini
          Peacekeeper

          So are these all different variants? HitmanPro should pick the last one up.

          If it does not, I would rerun Stinger after a new download and see if the daily update fixed the last one. Also maybe ask on a HijackThis forum such as the one mentioned here:

          McAfee Communities: Anti-Spyware, Malware & Hijacker Tools

          Also read this thread:

          https://community.mcafee.com/message/244908#244908

          Message was edited by: Peacekeeper on 29/09/12 7:01:34 PM
          • 2. Re: ZeroAccess Trojans! Help! desktop.ini

            I'm in a similar situation.

            Unable to restore my computer to a previous date, even in Safe Mode.

            ZeroAccess Rootkit finds nothing.

            Stinger (most recent version available, build date 9/28/12) finds nothing.

            McAfee Security Center pops up a very similar message twice about 5 minutes after booting up; same location in message.

            Willowdzn, let me know if you have resolved this.

            • 3. Re: ZeroAccess Trojans! Help! desktop.ini
              Hayton

              ZeroAccess isn't easy to get to grips with, partly because it keeps morphing. It's also taken to hiding files inside C:\Recycler as hidden system files. I'm studying a load of reports from Sophos, McAfee, Trend Micro and ESET and trying to summarise what the latest variants are doing. In another thread sol, who's had to tackle this one, came up with some good recommendations but they're not enough. To complicate matters the ZeroAccess code has recently had a major upgrade which changes the way it operates.

              Stinger is supposed to handle the latest versions of ZeroAccess but perhaps you've got yet another modified version.

              The only consolation I can offer is that at the moment the botnet operators (ZeroAccess enrols you in a mega-botnet) are just using their slave machines for a bit of click-fraud and Bitcoin mining. If they had a mind to pillage data from machines they'd be sitting on terabytes of the stuff. And if they wanted to bring down a major government's internet-facing servers with a DDoS attack they could do it easily. But, so far, they're content simply to rake in a nice steady income from the botnet.

              When I've got the details of what files you have to get rid of and what else needs to be done I'll post something either in the documents section or as a blog, probably in Top Threats (where I think all the ZeroAccess posts should now go). There's a McAfee document HERE which I managed to persuade them to update back in July but which already may be somewhat out of date.

              Message was edited by: Hayton on 30/09/12 06:11:36 IST
              • 4. Re: ZeroAccess Trojans! Help! desktop.ini

                Last night I ran a full scan with Malwarebytes Anti-Malware; log is below:

                Malwarebytes Anti-Malware 1.65.0.1400
                www.malwarebytes.org

                Database version: v2012.09.07.13

                Windows XP Service Pack 3 x86 NTFS
                Internet Explorer 8.0.6001.18702
                Audrey :: AUDREYOFFICE [administrator]

                9/30/2012 12:42:41 AM
                mbam-log-2012-09-30 (00-42-41).txt

                Scan type: Full scan (C:\|)
                Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
                Scan options disabled: P2P
                Objects scanned: 322577
                Time elapsed: 34 minute(s), 24 second(s)

                Memory Processes Detected: 0
                (No malicious items detected)

                Memory Modules Detected: 0
                (No malicious items detected)

                Registry Keys Detected: 0
                (No malicious items detected)

                Registry Values Detected: 0
                (No malicious items detected)

                Registry Data Items Detected: 3
                HKCR\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\InProcServer32| (Trojan.0Access) -> Bad: (C:\RECYCLER\S-1-5-21-1292428093-1757981266-725345543-1003\$9723779f978d8a25afee7c54eaf8737a\n.) Good: (fastprox.dll) -> Quarantined and repaired successfully.
                HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
                HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

                Folders Detected: 0
                (No malicious items detected)

                Files Detected: 3
                C:\Documents and Settings\Audrey\My Documents\Downloads\expertpdf7_d165419.exe (PUP.BundleOffers.IIQ) -> No action taken.
                C:\Documents and Settings\Audrey\My Documents\Downloads\openfreely.exe (PUP.BundleOffers.IIQ) -> No action taken.
                C:\RECYCLER\S-1-5-21-1292428093-1757981266-725345543-1003\$9723779f978d8a25afee7c54eaf8737a\n (Trojan.0Access) -> Delete on reboot.

                (end)

                McAfee Security Center no longer detects any malicious items; however, my computer is still infected. Telltale signs right now are that desktop icons realign themselves to the left side of the screen on reboot. Also, Google links randomly go to a sales-oriented website on the first click. Detailed example:

                1. Entered "malwarebytes quarantined files" in Google search engine.
                2. Google search page, first item: "restart after quarantined files deleted - Malwarebytes Forum"
                3. Clicked hyperlink above; taken to https://fix-kit.com/Malwarebytes/repair/7s-malwarebytes/?als=00014
                4. Clicked browser (Firefox) back button.
                5. Clicked on hyperlink again and taken to correct website https://forums.malwarebytes.org/index.php?showtopics=114163

                I don't know how else my computer is being affected, but I distrust things right now. Given the age of my computer, it does not make sense to reinstall the OS (plus I no longer have the office suite software disks), so I've got my hands tied right now.

                Message was edited by: audrey_m on 9/30/12 12:14:41 PM CDT
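The Malwarebytes log above records two things a defender should pull out of such logs: a COM hijack (the InProcServer32 value of a system CLSID redirected from fastprox.dll into a hidden C:\RECYCLER folder, the hiding place Hayton describes) and the Security Center notification values flipped to 1. The following Python triage script is an added example, not code from anyone in this thread or from Malwarebytes; it parses "Registry Data Items" lines in the format shown and flags both indicators, using sample lines constructed from the posted log.

```python
import re

# Sample lines constructed for this example, modelled on the Malwarebytes
# "Registry Data Items" section posted above (same CLSID and RECYCLER path).
SAMPLE_LOG = r"""
Registry Data Items Detected: 3
HKCR\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\InProcServer32| (Trojan.0Access) -> Bad: (C:\RECYCLER\S-1-5-21-1292428093-1757981266-725345543-1003\$9723779f978d8a25afee7c54eaf8737a\n.) Good: (fastprox.dll) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
"""

# One MBAM registry-data line: key|value (Detection) -> Bad: (x) Good: (y) -> action
ITEM_RE = re.compile(
    r"^(?P<key>[^|]+)\|(?P<value>\S*) \((?P<detection>[^)]+)\) -> "
    r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> (?P<action>.+)$"
)
# A file under C:\RECYCLER\<user SID>\$<32 hex chars>\ : where this variant hides its payload
RECYCLER_RE = re.compile(r"^[A-Za-z]:\\RECYCLER\\S-1-5-21-[\d-]+\\\$[0-9a-fA-F]{32}\\")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

def parse_registry_items(log_text):
    """Return one dict per parsable 'Registry Data Items' line."""
    return [m.groupdict() for line in log_text.splitlines()
            if (m := ITEM_RE.match(line.strip()))]

def find_com_hijacks(items):
    """InProcServer32 values redirected into RECYCLER: a COM hijack of a system CLSID."""
    hits = []
    for it in items:
        if it["key"].upper().endswith("\\INPROCSERVER32") and RECYCLER_RE.match(it["bad"]):
            clsid = CLSID_RE.search(it["key"])
            hits.append({"clsid": clsid.group(0) if clsid else None,
                         "payload": it["bad"], "legit_dll": it["good"]})
    return hits

def find_notification_tampering(items):
    """Security Center *DisableNotify values set to 1, i.e. AV/firewall alerts silenced."""
    return sorted(it["value"] for it in items
                  if it["key"].upper().endswith("\\SECURITY CENTER")
                  and it["value"].endswith("DisableNotify") and it["bad"] == "1")

if __name__ == "__main__":
    parsed = parse_registry_items(SAMPLE_LOG)
    for h in find_com_hijacks(parsed):
        print(f"COM hijack: {h['clsid']} -> {h['payload']} (should be {h['legit_dll']})")
    print("Silenced notifications:", find_notification_tampering(parsed))
```

Feed it a full mbam-log file and any InProcServer32 value pointing into a RECYCLER SID folder should be treated as an active persistence point to verify after the reboot Malwarebytes asked for.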
                • 5. Re: ZeroAccess Trojans! Help! desktop.ini
                  Peacekeeper

                  Rerun Malwarebytes after the reboot; it may remove more, since it required a reboot. Seems you have the new version with Recycler files present, as Hayton mentioned.

                  I would retry Stinger and HitmanPro in a day or so.

                  • 6. Re: ZeroAccess Trojans! Help! desktop.ini

                    Update:

                    I reran Malware and it did pick up a few more files, but I still had problems with a browser hijacker in both Firefox and IE.

                    Stinger detected nothing. The event log reads "Process **\STINGER.EXE pid (5180) contained unsigned or corrupted code and was blocked from performing a privileged operation with a McAfee driver."

                    Ran SpyHunter. Trojan.Dallarrevenue detected, along with many other malware files, all in IE cookies. Completely cleared browser caches of cookies & temporary internet files. System appears to be working properly now.

                    Thought that cookies had been previously deleted, but did it another way.

                    • 7. Re: ZeroAccess Trojans! Help! desktop.ini
                      Hayton

                      The Event log entry can be ignored for now. The "unsigned code" thing is in the process of being corrected but after the disaster of the last Big-Bang approach it's being done piecemeal.

                      The presence of malware in cookies is interesting; it may be a novel approach (or I may have overlooked it in previous infections). I'll bear that in mind for the future.

                      When you have a persistent piece of malware like ZeroAccess you often need several attempts with different programs to get rid of all the traces. Your system may be clean now - but at least it's working properly, as you say.

                      Next time you run Malwarebytes turn on P2P checking - it's turned off according to the output. I think 'Off' is the default but you might miss something if it's not enabled.

                      • 8. Re: ZeroAccess Trojans! Help! desktop.ini

                        Try using Rootkit Remover from McAfee. It will remove the ZeroAccess rootkit from your machine. Make sure you run it in Safe Mode.

                        Link: http://www.mcafee.com/us/downloads/free-tools/rootkitremover.aspx

                        Let me know if you have already tried this tool.

                        • 9. Re: ZeroAccess Trojans! Help! desktop.ini
                          Hayton

                          Duplicate post removed and thread moved into Top Threats
