16 Replies. Latest reply on Jul 29, 2013 11:29 AM by sol. Branched from an earlier discussion.

    ZeroAccess - re-image or not?


      I have McAfee Security Center and all its features. Win 7 Home Premium. Version 6.1.7601 Service Pack 1 Build 7601. I may be missing something or it may be too obvious. I am really exhausted from fighting this rootkit.0access and it took me a while to determine I have it. Have backdoor.agent.trj too. Can I use an old system repair disk and recover from an image? It's over three months old but at least all my Apps are there. I could easily live with that but I have heard nobody even mention it. I know system restore is corrupt but how about an image? Thanks for any reply.


      Message was edited by: graham856 on 7/15/13 12:37:38 AM CDT
        • 1. Re: ZeroAccess - re-image or not?

          Formatting the disk then re-building from an image backup wouldn't by itself be enough if the MBR has been corrupted.


          Before you attempt that, have you tried running Stinger and Rootkit Remover and/or TDSSKiller?

          • 2. Re: ZeroAccess - re-image or not?

            Have you tried doing a system restore back to before the virus? One thing I have learned with ZeroAccess is that under the $Recycle.Bin folder there is usually a yellow folder that cannot be removed. Sometimes a reboot will allow you to remove it and other times you may need to remove it via DOS command.


            Make sure you clean all TEMP\cache folders including the ones under the C:\Windows directory. You may also try using Malwarebytes free version. We never had a ZeroAccess we could not clean.


            We have not had ZeroAccess for several months now but we used to have a problem with them in our large organization.
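Added example, not from any post in this thread: a PowerShell script that does the two things the reply above describes, looking under C:\$Recycle.Bin for entries that do not match what Windows itself writes there (per-SID folders holding $I/$R file pairs and desktop.ini), removing them after taking ownership, and then emptying the TEMP and cache folders. The folder list, the regex for legitimate names and the report-only default are my assumptions; it is written to run on the Windows PowerShell 2.0 that ships with Windows 7, from an elevated prompt.

```powershell
# Added example, not from any post in this thread: report (and with -Remove, delete) entries
# under C:\$Recycle.Bin that do not look like what Windows itself writes there, then empty
# the TEMP/cache folders. Run from an elevated PowerShell prompt. The path list, the
# name pattern and the report-only default are my assumptions.
param(
    [string]$RecycleBin = 'C:\$Recycle.Bin',
    [switch]$Remove      # without -Remove nothing is deleted, only reported
)

# What Windows normally keeps per SID: $I<id>/$R<id> pairs (index + payload) and desktop.ini.
$legitName = '(?i)^\$[IR][A-Z0-9]{6}(\..*)?$|^desktop\.ini$'

$suspect = @()
foreach ($sidDir in (Get-ChildItem -LiteralPath $RecycleBin -Force -ErrorAction SilentlyContinue |
                     Where-Object { $_.PSIsContainer })) {
    # Per-user folders are named after the SID (S-1-5-...); anything else at this level is odd.
    if ($sidDir.Name -notmatch '^S-1-5-') { $suspect += $sidDir; continue }
    $suspect += Get-ChildItem -LiteralPath $sidDir.FullName -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -or $_.Name -notmatch $legitName }
}

foreach ($item in $suspect) {
    $owner = '<acl unreadable>'
    try { $owner = (Get-Acl -LiteralPath $item.FullName).Owner } catch { }
    '{0}  owner={1}  created={2}' -f $item.FullName, $owner, $item.CreationTime
    if ($Remove) {
        # A deny ACL is the usual reason the folder "cannot be removed": take ownership,
        # give Administrators full control, then delete.
        $takeownArgs = @('/F', $item.FullName, '/D', 'Y')
        if ($item.PSIsContainer) { $takeownArgs += '/R' }
        & takeown.exe @takeownArgs | Out-Null
        & icacls.exe $item.FullName /grant 'Administrators:F' /T /C | Out-Null
        Remove-Item -LiteralPath $item.FullName -Recurse -Force
    }
}

# Clear the usual TEMP and cache folders; -WhatIf makes this a dry run unless -Remove was given.
$tempDirs = @($env:TEMP, "$env:windir\Temp", "$env:LOCALAPPDATA\Microsoft\Windows\Temporary Internet Files")
foreach ($d in $tempDirs) {
    if (Test-Path -LiteralPath $d) {
        Get-ChildItem -LiteralPath $d -Force -ErrorAction SilentlyContinue |
            Remove-Item -Recurse -Force -ErrorAction SilentlyContinue -WhatIf:(-not $Remove)
    }
}
```

Run it once without -Remove and read the report: every entry printed is either a per-SID folder with an unexpected name, a subfolder inside one (Windows never creates subfolders there), or a file that is not a $I/$R pair or desktop.ini. Only after that run it with -Remove. The takeown/icacls step is what makes the "cannot be removed" folder deletable from a normal session; if it still fails, the file is held open by a running driver or process and a reboot (or the offline removal the reply mentions) is needed.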

            • 3. Re: ZeroAccess - re-image or not?

              I did use Stinger, TDSSKiller and Malwarebytes. And it claims to have removed it. But when I do a scan again a day or two later, I will have several bad things detected. I have not tried "rootkit remover" and I have no idea how I missed that one. Thanks! So I know system restore is "no way out" of this mess. But before I use my system repair disk and the image backup, how can I know that my MBR is not corrupt? Also, I suppose I need to check the image backup. Is it possible to check those? Thanks so much. Without McAfee and these discussions, I would have set myself on fire by now.

              • 4. Re: ZeroAccess - re-image or not?

                Hmm. There's a difference between a corrupted MBR and one which has been modified by malware. If you get a BSOD at startup that's probably a bad sign. If not, you may be okay. Still, if you've got Windows 7 the following article might be useful.


                http://www.sevenforums.com/tutorials/20864-mbr-restore-windows-7-master-boot-record.html
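Added example, not from any post in this thread or from the linked article: a way to answer the "how can I know my MBR is not corrupt?" question directly rather than by waiting for a BSOD. The script reads the first sector of the disk, checks the 0x55AA boot signature, parses the four partition-table entries and prints a SHA-256 of the 440 bytes of boot code so it can be compared with the same hash taken from a known-clean Windows 7 machine (or from the restored image once it boots). The disk number is an assumption; it needs an elevated prompt.

```powershell
# Added example, not from the thread: dump and sanity-check the MBR of a physical disk.
# Run from an elevated PowerShell prompt. The disk number is an assumption.
param([int]$DiskNumber = 0)

$path = "\\.\PhysicalDrive$DiskNumber"
# Raw device access through the .NET FileStream; ReadWrite share is required because
# the volume manager keeps the disk open.
$fs = New-Object System.IO.FileStream($path, [System.IO.FileMode]::Open,
        [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
try {
    $mbr  = New-Object byte[] 512
    $read = $fs.Read($mbr, 0, 512)
} finally { $fs.Close() }
if ($read -ne 512) { throw "short read from $path" }

# Boot signature 0x55AA at offset 510: if this is missing the sector is genuinely corrupt.
$sigOk = ($mbr[510] -eq 0x55 -and $mbr[511] -eq 0xAA)

# Bytes 0..439 are boot code (440..445 hold the disk signature and two reserved bytes).
# Hash only the code so the value is comparable between machines.
$sha      = [System.Security.Cryptography.SHA256]::Create()
$bootHash = [BitConverter]::ToString($sha.ComputeHash($mbr, 0, 440)).Replace('-', '')

# Four 16-byte partition entries start at offset 446.
$parts = for ($i = 0; $i -lt 4; $i++) {
    $o = 446 + 16 * $i
    New-Object PSObject -Property @{
        Index    = $i
        Bootable = ($mbr[$o] -eq 0x80)
        Type     = ('0x{0:X2}' -f $mbr[$o + 4])
        StartLBA = [BitConverter]::ToUInt32($mbr, $o + 8)
        Sectors  = [BitConverter]::ToUInt32($mbr, $o + 12)
    }
}

"Signature OK     : $sigOk"
"Boot code SHA-256: $bootHash"
$parts | Where-Object { $_.Type -ne '0x00' } |
    Format-Table Index, Bootable, Type, StartLBA, Sectors -AutoSize
```

What to look for: the signature must be present, exactly one entry should be flagged bootable and it should point at the small System Reserved partition (type 0x07) that Windows 7 setup creates, and a type of 0xEE means the disk is GPT and this table is only a protective stub. A hash that differs from a clean Windows 7 installation's is not proof of infection on its own, because OEM tools and other boot managers write their own code, but it is exactly the case where rewriting the sector with the standard code (the `bootrec /fixmbr` step in the linked tutorial, run from the System Repair Disc) is the right answer, and re-running the script afterwards confirms the code and table are what you expect.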

                • 5. Re: ZeroAccess - re-image or not?

                  Thanks so much for the help. This thread, many other threads in this community and the article you pointed to worked! I was able to restore the MBR and then recover to what was a clean image backup that I had taken a few months ago. The PC is healthy again. In the future, I have scheduled nightly full scans and historical image backups on multiple external drives. I cannot thank you and the McAfee community enough. Whoa. What an education I have gotten in the past couple of weeks. Bottom line: Trust nothing and backup everything.

                  • 6. Re: ZeroAccess - re-image or not?

                    Sounds like everything's back to normal. That's good.


                    Now you can rest easy (or at least easier) there's a short-ish explanation here of ZeroAccess by a.n.other company - what it does, what it's for (click fraud and hijacking a PC to send spam, mostly). Only 10 pages, but quite instructive. There's a link to a full in-depth analysis if you want to get technical, but this tells you most of what you need to know.

                    • 7. Re: ZeroAccess - re-image or not?

                      OMG! As if I were not worried enough. Now that I have read that explanation, I am absolutely TERRIFIED. That is not a joke. For years, I have been unconcerned with malware since I have full McAfee installed and I follow the age old precautions. My livelihood (job) depends on this PC. It has several expensive software packages installed on it. When it is not functioning properly, I cannot do my job. Like a plumber without his tools, I cannot make my living. After all the pain I went through, I came to the conclusion that there was no real protection against malware except the panacea of image backups. That article has convinced me otherwise. What can I possibly do? I am unsure now that the image I restored to is clean. My network connection drops at exactly a certain time daily. Normally when I would be at lunch. Most of those connections come right back. Only one App is not restored. Who knows how long that was going on. It is nothing but a small hiccup but now that I am hyper aware, this could be ... anything. Most likely some spyware which is NOT detected by my full scans with McAfee and MalwareBytes. Other forums claim that McAfee will disallow (or not work well) with other spyware removal tools.


                      Okay. Sorry I babbled on.

                      • 8. Re: ZeroAccess - re-image or not?

                        I apologize for the long winded post. Guess I should go see a shrink to address my new fears.


                        So, first thanks so much for pointing me to that explanation.

                        (2) Are there other tools to detect and remove spyware or whatever might be causing my daily exact time network drops?

                        (3) What can I do to "lock down" this machine just to do my job? No measure is unreasonable. I would even buy another PC just for the internet. I'm not rich but I cannot afford to keep wasting time on these malware issues. It takes too much time and personally, I HATE ALL THIS JUNK. Geez, I look at task manager and there is so much running just after a reboot that it's overwhelming. And the task manager descriptions are generic at best. AAAhhhh
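Added example, not from any post in this thread: something concrete to do about a network drop that happens "at exactly a certain time daily" and about a Task Manager full of generic names. Anything that fires at a fixed wall-clock time on Windows is almost always a scheduled task, so the script lists every task whose next run falls within a window around that time, then walks the Run/RunOnce keys and auto-start services and prints where each executable lives and whether its Authenticode signature checks out. The time window and the "inside the Windows directory" heuristic are my assumptions. It uses schtasks.exe rather than the newer Get-ScheduledTask cmdlet so it runs on Windows 7; run it elevated so services and the HKLM keys are readable.

```powershell
# Added example, not from the thread: find what fires around a given time of day and
# list autostart entries with signature status. Windows 7 / PowerShell 2.0 compatible.
# The time window and the trusted-path heuristic are assumptions.
param([string]$Around = '12:00', [int]$WindowMinutes = 10)

$target = [DateTime]::ParseExact($Around, 'HH:mm', $null)

# schtasks /v emits one CSV row per task and trigger, repeating the header per task
# folder; ConvertFrom-Csv turns the rows into objects and the filter drops the repeats.
$tasks = schtasks.exe /query /fo CSV /v | ConvertFrom-Csv |
    Where-Object { $_.TaskName -ne 'TaskName' }

foreach ($t in $tasks) {
    $nrt = $null
    if ([DateTime]::TryParse($t.'Next Run Time', [ref]$nrt)) {
        $delta = [Math]::Abs(($nrt.TimeOfDay - $target.TimeOfDay).TotalMinutes)
        if ($delta -le $WindowMinutes) {
            '[task] {0}  next={1}  runs: {2}  as {3}' -f $t.TaskName, $nrt, $t.'Task To Run', $t.'Run As User'
        }
    }
}

function Get-ExePath([string]$cmd) {
    # Strip quotes and arguments from a command line; returns the executable path.
    if ($cmd -match '^"([^"]+)"') { return $matches[1] }
    return ($cmd -split ' ')[0]
}
function Get-SigStatus([string]$exe) {
    if (-not (Test-Path -LiteralPath $exe)) { return 'missing' }
    return (Get-AuthenticodeSignature -FilePath $exe).Status.ToString()
}

# Run/RunOnce keys: everything here starts at logon regardless of what Task Manager calls it.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }     # PowerShell's own PSPath/PSDrive... metadata
        $exe = Get-ExePath ([string]$p.Value)
        '[run]  {0} -> {1}  sig={2}' -f $p.Name, $exe, (Get-SigStatus $exe)
    }
}

# Auto-start services: print the ones that are unsigned or live outside %windir%.
Get-WmiObject Win32_Service | Where-Object { $_.StartMode -eq 'Auto' } | ForEach-Object {
    $exe = Get-ExePath ($_.PathName -replace '^\s+', '')
    $sig = Get-SigStatus $exe
    if ($sig -ne 'Valid' -or $exe -notlike "$env:windir\*") {
        '[svc]  {0} -> {1}  sig={2}' -f $_.Name, $exe, $sig
    }
}
```

Read the output in that order: a `[task]` line whose next run is at lunchtime and whose "runs" column is an executable under a user profile or a temp folder is the first thing to open; `[run]` and `[svc]` lines with `sig=NotSigned` or `sig=missing`, or a path under AppData, ProgramData or a recycle bin, are the next. Legitimate third-party software (McAfee included) will show up as signed but outside %windir%, which is expected. Two limits worth knowing: a service whose unquoted path contains spaces is truncated at the first space by Get-ExePath, and a valid signature only says who built the file, not that it belongs on a machine used for one job.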

                        • 9. Re: ZeroAccess - re-image or not?

                          Hi Graham,


                          I have recently been through a malware attack and the inconvenience of rebuilding my system disk from scratch.


                          This is laborious, time consuming and tedious.


                          I decided that the only sure and guaranteed way to safeguard your system is to image copy your system (C) disk to a similar sized disk.


                          Then swap the current C disk for the newly created disk. Boot the new disk and continue running with this copy, keeping your old disk as a bootable backup.


                          If you have 3 disks, as I now have, you can rotate these 3 disks, performing an image backup every two or three months.

                          This gives you double safety, so even if a disk copy failed and somehow corrupted the source disk, you would still have a not too old, bootable system disk.


                          Unfortunately this solution is really only practicable for technical users using desktop or tower type systems, with standard 3.5 inch disks, and not for laptops.

                          You could create an image copy of a laptop C drive, but you could not be really sure of it until you had restored it back onto the Laptop drive.


                          Windows does not make it easy to copy a system disk, but various partition manager programs can achieve this.


                          I use Easeus Partition Manager v 3.0 free s/w. This works a treat by shutting Windows down, rebooting and then performing the system image copy.

                          This particular version is not easily available on the internet, but v3.5 and newer versions are available to download for free.


                          Alternatively, other programs like Partition Magic, I believe, can also copy a system disk, but you will probably have to pay for this s/w, renewable 2-year licence.

                          You could also use Parted Magic. This is a Linux based bootable CD that can also perform a bootable image copy, but it is not as user friendly.


                          Lastly, can I advise everyone to keep only Windows and Program files on the C drive. Add a second physical D drive for your data and e-mail folders, or they will be lost when Windows has to be reinstalled following a system failure.


                          If you only have one disk (eg a laptop) and you are rebuilding, or setting up a new system, then create a second partition to hold your personal data and files.




                          Message was edited by: unimpressed on 7/25/13 6:45:32 PM CD


                          Message was edited by: unimpressed on 7/25/13 7:26:37 PM CDT
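Added example, not from any post in this thread: the rotation the two replies above describe (a copy every couple of months on alternating disks, historical images on multiple external drives), done with the Windows 7 image backup tool that is already on the machine rather than the disk-cloning software the poster uses. wbadmin writes a full system image (the volumes needed to boot, which on a Windows 7 install means System Reserved and C:) to whichever of the labelled external drives is plugged in, and then lists the versions stored on that drive so a stale set stands out. The volume labels are my assumptions, and it assumes wbadmin's `start backup` is available on the edition in use; run it from an elevated prompt.

```powershell
# Added example, not from the thread: rotate Windows 7 system images across labelled
# external drives and list what each drive holds. Labels are assumptions; run elevated.
param([string[]]$BackupLabels = @('IMG-A', 'IMG-B', 'IMG-C'))

# Attached fixed volumes (DriveType 3) whose label is on the rotation list.
$targets = Get-WmiObject Win32_LogicalDisk |
    Where-Object { $_.DriveType -eq 3 -and $BackupLabels -contains $_.VolumeName }

if (-not $targets) {
    throw "none of the rotation drives ($($BackupLabels -join ', ')) is attached"
}

foreach ($vol in $targets) {
    $drive = $vol.DeviceID          # e.g. "E:"
    "Backing up to $drive ($($vol.VolumeName)), $([int]($vol.FreeSpace / 1GB)) GB free"
    # -allCritical adds every volume Windows needs to boot; -quiet suppresses the prompt.
    & wbadmin.exe start backup -backupTarget:$drive -include:C: -allCritical -quiet
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "wbadmin returned $LASTEXITCODE for $drive; this copy is not usable"
        continue
    }
    # Each drive keeps its own history; the oldest version visible here is the
    # "not too old, bootable" fallback the reply above is after.
    & wbadmin.exe get versions -backupTarget:$drive
}
```

The point of labelling the drives rather than hard-coding letters is that Windows hands a freshly plugged external disk whatever letter is free, so a script keyed on E: quietly backs up to the wrong disk. The caveat the reply makes about laptop images still applies: the image is only known good once it has been restored from the System Repair Disc and booted, so do that once per drive before trusting the rotation, and keep data on a separate partition so a restore of C: does not roll your documents back too.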