6 Replies Latest reply on Oct 12, 2012 3:54 PM by Peacekeeper

    Managed to remove ZeroAccess.hg trojan

      I'm posting my recent experiences with a trojan which I eventually managed to remove (at least, that's my hope).

      I am using McAfee Internet Security 11.6. A few days ago I mindlessly ran a suspicious program downloaded from the Internet which contained a trojan.

      When I ran the program McAfee reported it as infected but evidently did NOT prevent the trojan from running and installing itself (disappointing).

      Since then the McAfee firewall started turning itself off every 10 minutes or so. I performed a full system scan with McAfee but the system was found clean.

      Even when explicitly scanning (right-click on the file name, Scan) the original infected executable McAfee said it was clean.

      I uploaded the executable to www.virustotal.com and here are the results:

      AntiVir          BDS/ZAccess.yrh.1
      Avast            Win32:ZAccess-JH
      BitDefender      Trojan.Agent.AWXR
      Comodo           TrojWare.Win32.Trojan.Agent.Gen
      DrWeb            Trojan.DownLoader6.62544
      ESET-NOD32       Win32/Sirefef.EV
      F-Secure         Trojan.Agent.AWXR
      Fortinet         W32/ZAccess.YRH!tr.bdr
      GData            Trojan.Agent.AWXR
      K7AntiVirus      Backdoor
      Kaspersky        Backdoor.Win32.ZAccess.yrh
      Kingsoft         Win32.Troj.Agent.cg.(kcloud)
      McAfee           ZeroAccess.hg
      Microsoft        Trojan:Win32/Sirefef.P
      Norman           W32/ZAccess.PDF
      nProtect         Trojan.Agent.AWXR
      Panda            Trj/CI.A
      Sophos           Mal/EncPk-ACO
      Symantec         WS.Reputation.1
      VIPRE            Trojan.Win32.Generic!BT
      ViRobot          Backdoor.Win32.A.ZAccess.165888.X

       

      I then downloaded and scanned my system (all files for each scan; it's taken ages!) with these programs (the latest versions available):

      McAfee Rootkit Remover

      McAfee Stinger

      Sophos Virus Removal Tool

      Kaspersky TDSSKiller

      Spybot Search & Destroy

      SpyHunter

      Malwarebytes Anti-Malware

       

      NONE of these programs found any infected file on my system, so this sucker of a trojan was hiding very well indeed!

      I also tried scanning after rebooting windows in Safe mode (with or without network) but nothing changed.

      As a last resort I physically took out the hard disk from my laptop and then used an external USB hard disk bay to access it from another computer and then scanned it using F-Prot security. This scan too didn't find anything; however I realised that several directories (including the directory where the original infected executable was) were not accessible from Explorer due to Windows' privacy controls, so this scan probably doesn't really count.

      Eventually I found threads on the McAfee forums reporting similar problems; in one of the messages there is a link to this guide http://malwaretips.com/Thread-How-to-completely-remove-ZeroAccess-Sirefef-rootkit-Removal-Guide "How to completely remove ZeroAccess/Sirefef rootkit". I followed the instructions to the letter and (I think!) I managed to get rid of the flipping trojan.

      Essentially I downloaded and executed EZ_SireFix.exe, ServicesRepair.exe and ComboFix.exe (following the instructions) and having done that the problem with the McAfee firewall turning off stopped.

      I downloaded and ran HitmanPro and the ESET Online Scanner, and neither of them found any problem on my system (for what it's worth).

      Over the following week I didn't notice any suspicious behaviours in my computer so I assume it is clean.

        • 1. Re: Managed to remove ZeroAccess.hg trojan
          exbrit

          That's interesting. When McAfee first detected the problem did it indicate action taken or that a reboot was required? I'm wondering if you had then rebooted into Safe Mode and run a scan if that would have cleaned it out. (Safe Mode scans are different - you can only right-click the taskbar icon and select 'Run a Scan', and the SecurityCenter won't open).

           

          The fact that none of those additional programs found anything would indicate that it had removed whatever it was, although now of course we can't be certain. But usually when it detects something it quarantines it immediately. Was or is there anything in the Quarantine folders?

          • 2. Re: Managed to remove ZeroAccess.hg trojan

            Unfortunately I don't remember exactly what McAfee said when it encountered the Trojan. For sure it didn't give me any option to reboot & delete, or I'd certainly have selected that. I seem to remember it said that the threat had been removed, or something to this effect.

            McAfee and all the other security programs failed to detect the Trojan even if the original infected executable (the one I sent to virustotal.com) was present in the system.

            • 3. Re: Managed to remove ZeroAccess.hg trojan
              exbrit

              Open SecurityCenter

              Click Navigation

              Scroll down to Quarantined and Trusted Items

              Click on those 'drawers' and see if anything is in there.

               

              It is rather curious I must admit.

              • 4. Re: Managed to remove ZeroAccess.hg trojan
                Hayton

                Thread moved into Top Threats

                • 5. Re: Managed to remove ZeroAccess.hg trojan

                  Hi, sorry for the late reply. I have checked in the quarantined items and I have 4 items relating to ZeroAccess and with the date/time I first came across the virus (1 October). The first (oldest) of these lines looks like this:

                   

                  @     ZeroAccess!cfg     01/10/2012     17:21

                  Clicking on the "+" sign I see a path to C:\$Recycle.Bin\(string of numbers)

                   

                  The second line looks like this:

                  N     ZeroAccess     01/10/2012     17:21

                  The path is the same as the previous line

                   

                  There are two more such lines, one labelled with @ and one with N, but pointing to a different file (folder?) in the recycle bin.

                   

                  What do you think this means?

                  • 6. Re: Managed to remove ZeroAccess.hg trojan
                    Peacekeeper

                    Time to clean the recycle bin maybe. Also Delete them from quarantine area.
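
The quarantine entries in reply 5 point under C:\$Recycle.Bin, and reply 6 suggests emptying the bin. Before doing that, a practitioner would normally want to see what is actually in there. The following PowerShell is an added example and is not part of the thread, the malwaretips guide, or any McAfee tool. It assumes Windows PowerShell 5.1 or later run from an elevated prompt (the per-user bin folders are hidden and ACL-protected), and it assumes the normal Explorer layout: one folder per user SID directly under $Recycle.Bin, each containing only a $I<id> metadata record and a matching $R<id> file or folder for every deleted item, plus a desktop.ini. The regular expression encoding that layout is an assumption of this example; an item that fails it is not proof of infection, only something to review.

```powershell
# Added example, not from the thread. Lists items under C:\$Recycle.Bin that do not
# match the records Explorer normally writes there, with hashes for the files.
# Assumes Windows PowerShell 5.1+ in an elevated session so the hidden SID
# folders are readable.
$Bin = 'C:\$Recycle.Bin'

# Assumed normal layout: $I<6 chars>[.ext] metadata, $R<6 chars>[.ext] payload
# (file or folder), and desktop.ini. Anything else directly under a SID folder
# is unexpected. Deleted folders keep their original contents inside the $R
# directory, so only the immediate children of each SID folder are checked.
$NormalName = '^(\$[IR][A-Z0-9]{6}(\..*)?|desktop\.ini)$'

$findings = foreach ($sidFolder in Get-ChildItem -LiteralPath $Bin -Force -Directory) {
    foreach ($item in Get-ChildItem -LiteralPath $sidFolder.FullName -Force) {
        if ($item.Name -notmatch $NormalName) {
            $hash = if ($item.PSIsContainer) {
                '(directory)'
            } else {
                (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            }
            [pscustomobject]@{
                OwnerSid   = $sidFolder.Name      # profile the bin folder belongs to
                Path       = $item.FullName
                Attributes = $item.Attributes     # Hidden/System on an executable is worth noting
                LastWrite  = $item.LastWriteTime  # compare with the date of the incident
                Length     = $item.Length
                SHA256     = $hash
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    "No unexpected entries directly under $Bin"
}
```

The SHA256 of any unexpected file can be compared with the hash of the sample already uploaded to virustotal.com, or uploaded itself, before the bin is emptied; emptying first destroys the only copy of what the scanners missed. If the per-user folders cannot be read even from an elevated prompt, that is consistent with the access problem the original post hit when scanning the disk from another machine, and taking ownership of the folder first is the usual fix.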