10 Replies Latest reply on Sep 7, 2013 11:37 AM by Peter M

    Zeroaccess trojan and rdn/generic backdoor!s! trojan

      I have been lucky for 15 years not to have anything like this happen to my computer, so have not taken as many precautions as I now will. I do not have my computer doing backups, so do not have a restore point to go back to.

      I now have 2 Trojans that have made their way to my computer.

      1. ZeroAccess!982EABD5D105 regularly appears and changes many times to different versions (Zeroaccess.cf or ef, cfg etc...).
      2. genericbackdoor!s!.

      Using the McAfee site and community, I have tried many of the things suggested, all without success.

      • I tried many full scans, sometimes finding something but most of the time it did not. When it did find something, it quarantined it, which I have removed.
      • On reboot, the start-up scan would find between 2 and 6 Trojans alternating between the above.
      • I have tried removal instructions as per McAfee removal instructions and advice offered to others in this
      • I have tried Rootkill which comes up clean.
      • I have tried Stinger which comes up with between 1 and 7 events - all zero access variations.
      • I tried using my original disk from Dell and finding the cmd prompt. I tried bootrec/fixmbr (restore master boot record) which did nothing.
      • I have tried to open in safe mode, run McAfee (Total Protection 2013) and nothing has been found. The only issue created is real-time scanning keeps switching off. If I enable it, it undoes this about 5 seconds later.
      • I have tried rootkill in offline mode, and again no virus or Trojans are found.
      • I have tried stinger in offline mode. It offers the same result, up to 7 Zeroaccess events.

      As Rootkill does not show anything but Stinger does, I wondered if this really was a problem, but realised it was when, in Google, I tried to go to a webpage and the link diverted me, and then again to another webpage, I assume to do with bitcoin or whatever it is…

      Can anyone offer any suggestions? Please excuse my lack of computer knowledge.

        • 1. Re: Zeroaccess trojan and rdn/generic backdoor!s! trojan
          Peter M

          You may not have backups but is System Restore turned on? You may be able to access that, if not in regular mode, certainly in Safe Mode, to go back to before all this started.

          If successful, temporarily disable System Restore to get rid of the infection.

          If you can, try to run RootkitRemover, Stinger and perhaps also Malwarebytes Free - all listed in the last link in my signature below.

          If you use Malwarebytes, to keep it free of charge, do NOT accept the free trial.
          • 2. Re: Zeroaccess trojan and rdn/generic backdoor!s! trojan
            Hayton

            System Restore might not work. When I looked at this my first thought was, because different ZeroAccess variants are being detected, it's likely that there's something on the system that connects to a C&C server at system startup to download fresh malware. If there's a backdoor resident on the system (genericbackdoor!s) it ought to be detected unless it's very well hidden - and ZeroAccess is infamous for its success in staying hidden. There are learned discussions a-plenty about how it installs itself in such a way that it can detect when AV software is looking for it, and can deceive the scanners by using ultra-low-level system calls.

            As a first step to killing this it might be a good idea to attempt to block internet access at start-up (the option is in Security Center settings somewhere) and set the firewall settings to Stealth so the PC can't be found from outside. Of course that won't help if the PC is dialling out somewhere and effectively inviting a server to download more malware.

            This might be a case for specialist help from one of the other forums, but have another go at removing it using the available tools; read the information first about these two pieces of malware that McAfee and Microsoft provide (below).

            ZeroAccess!982EABD5D105

            http://home.mcafee.com/virusinfo/VirusProfile.aspx?key=742143

            The removal instructions note that you will need to repair the MBR.

            The applications attempted the following network connection(s):

            hxxp://85.17.226.180/*****

            85.17.226.***:8083

            Not very informative. Fortunately this is known to Microsoft as "TrojanDropper:Win32/Sirefef.B", and there's a much fuller account of it - with detailed removal instructions - at

            http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanDropper%3AWin32%2FSirefef.B

            If McAfee isn't fully removing the infection then follow carefully the instructions given on the above Microsoft page.

            TrojanDropper:Win32/Sirefef.B is a trojan that drops Win32/Sirefef - a multi-component family of malware that moderates your Internet experience by changing search results and generating pay-per-click advertising revenue for its controllers. The family consists of multiple parts that perform different functions, such as downloading updates and additional components, hiding existing components, or performing a payload.

            Caution: Win32/Sirefef is a dangerous threat that uses advanced stealth techniques in order to hinder its detection and removal.

            As a consequence of being infected with this threat, you may need to repair and reconfigure some Windows security features.

            Sirefef makes lasting changes to your computer's security settings that may need to be repaired. Sirefef stops and deletes a number of different security-related services on your computer. When using Microsoft security solutions to clean a Sirefef infection, these services will be restored to the Windows default installation settings.

            genericbackdoor!s

            http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=131850

            "Generic Backdoor.s" is a detection for this Trojan that receives commands from an attacker to access the infected machine and to download other malicious files. The Trojan also opens a backdoor in order to send and receive commands from the remote attacker. It may also post collected data to the remote attacker. Once it successfully executes it tries to delete the source file.

            Upon execution the Trojan tries to connect to the following URL through remote port 8080 in order to allow the remote attacker to issue commands to control the compromised machines and to download other payload ...

            Unfortunately this McAfee detection is so generic that it matches several different names used by each of the other AV vendors I checked. The all-encompassing nature of the description is evident from the McAfee virus profile linked to above, which spans at least two years and has been modified a number of times. Even I got confused trying to make sense of it.

            Take your pick from any of the following Microsoft definitions, which match the McAfee name -

            It's clear that you've been thoroughly infected. With luck all that your PC has been used for is click-fraud or BitCoin mining, but being taken over means that all your passwords - email, banking, websites, everything - must be regarded as known to the attackers, and all your activities on the PC may have been monitored. Most likely all they were interested in was the easy pickings, but you can't be sure of that.

            After this is over you'll need to change all your passwords, and you should run a series of scans with McAfee and a few other different vendors' products. Some people go so far as to wipe the disk completely and re-image. Whether that's overkill or not I wouldn't like to say.

            Message was edited by: Hayton on 18/08/13 03:38:28 IST
            • 3. Re: Zeroaccess trojan and rdn/generic backdoor!s! trojan

              Peter,

              Thanks for the quick response. I had System Restore on, but a few of the tips I was trying mentioned to turn it off.

              It now says when I try to restore that there is no point to restore to.

              I have tried the RootkitRemover (sorry, I called it Rootkill), unsuccessfully locating anything on 3 separate occasions.

              I have downloaded Malwarebytes to try. It has found 7 entries half way through. Will let you know how I go. Thanks for the tip about the trial.

              Anthony

              • 4. Re: Zeroaccess trojan and rdn/generic backdoor!s! trojan
                Peter M

                Malwarebytes can be updated and run all in Safe Mode with Networking too FYI...if needed.

                Also check what Hayton has said.

                Message was edited by: Ex_Brit on 18/08/13 8:21:07 EDT AM
                • 5. Re: Zeroaccess trojan and rdn/generic backdoor!s! trojan

                  Hello noidea,

                  You probably are getting reinfected by some malware that simply is not known to the McAfee scanners yet. I suggest you continue to try other scanners as they may pick up things McAfee missed.

                  Here are some specific tools to remove ZeroAccess and other common/targeted rootkits/malware.

                  The reason I recommend these other scanners is because they have a high rate of detection of new and unknown variants of viruses - they tend to pick up unknown malware that looks like known malware.

                  TDSSKiller - Kaspersky Rootkit Removal Tool (Just removes top rootkit threats)

                  ESET Sirefef / ZeroAccess Remover (Just removes Sirefef/ZeroAccess)

                  Microsoft Malicious Software Removal Tool (Removes top virus and root threats)

                  For a more comprehensive scan, you can try these more advanced scanners from the same companies listed above.

                  Kaspersky Virus Removal Tool - Scans and cleans most all threats detected by Kaspersky

                  ESET Online Scanner - Scans and cleans most all threats detected by ESET NOD32.

                  Microsoft Safety Scanner - Scans and cleans most all threats detected by Microsoft (Windows Defender/Security Essentials).

                  Finally, you can use these boot CD scanners to remove rootkits that can't be removed while Windows and the rootkit are active.

                  Kaspersky Boot CD

                  Microsoft Windows Defender Offline (Boot CD)

                  Message was edited by: secured2k on 8/19/13 11:27:48 AM EDT
                  • 6. Re: Zeroaccess trojan and rdn/generic backdoor!s! trojan

                    Hayton,

                    After trying Malwarebytes as suggested by Peter, I was able to remove all but 1: Zeroaccess!cfg.

                    All other instances of Zeroaccess and the backdoor!s! trojan have gone - or so it appears. I have run Stinger64 about 5 times since, all with only 1 messed file appearing. This file is named @ and is located at C:\Program Files (x86)\Google\Desktop\Install\{6b4f2846-fe5b-51ef-6803-4423d13fe7b4}\   \  \...

                    I looked into your option after Malwarebytes ran, looking only at the suggested solution for the Zeroaccess trojan. The removal instructions suggest downloading from a clean computer. Unfortunately, the only other computer I have access to is under an SOE due to needing a secure environment for my client files.

                    I am going to try to get this downloaded from another computer in a few days if I can hold out.

                    I have backed up all of my files in case I need to wipe the disk completely - as you say overkill, but getting close to this.
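A filesystem sweep for the artefact pattern reported in the post above (a file literally named "@" sitting under directory names made only of spaces), as an added example that is not part of the original thread and not code from any of the tools mentioned; the sample tree and the {placeholder-guid} directory are constructed here for demonstration, and the sweep only reports candidates for review, it deletes nothing.

```python
import os
import tempfile

# Added example, not from the thread or any vendor tool: flag whitespace-only directory
# names and files named "@" so a person can review them; nothing is modified on disk.

def is_whitespace_name(name):
    """True for a non-empty name consisting only of whitespace, e.g. " " or "  "."""
    return name != "" and name.strip() == ""

def find_zeroaccess_artifacts(root):
    """Walk root and return the sorted paths of whitespace-only directories and of
    files named '@' (or with whitespace-only names)."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if is_whitespace_name(d):
                hits.append(os.path.join(dirpath, d))
        for f in filenames:
            if f == "@" or is_whitespace_name(f):
                hits.append(os.path.join(dirpath, f))
    return sorted(hits)

def build_constructed_tree():
    """Create a constructed sample tree in a temp dir (not a real infected system).
    {placeholder-guid} stands in for the per-install GUID directory seen in the post."""
    root = tempfile.mkdtemp()
    install = os.path.join(root, "Program Files (x86)", "Google", "Desktop",
                           "Install", "{placeholder-guid}")
    # benign content that must not be flagged
    os.makedirs(os.path.join(install, "bin"))
    open(os.path.join(install, "bin", "GoogleDesktop.exe"), "w").close()
    # suspicious chain: two whitespace-only directories hiding a file named "@"
    hidden = os.path.join(install, " ", "  ")
    os.makedirs(hidden)
    open(os.path.join(hidden, "@"), "w").close()
    return root

if __name__ == "__main__":
    for path in find_zeroaccess_artifacts(build_constructed_tree()):
        print("suspicious:", repr(path))
```

Point find_zeroaccess_artifacts at a real drive root to sweep it; names are printed with repr() so the whitespace-only components stay visible.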

                    • 7. Re: Zeroaccess trojan and rdn/generic backdoor!s! trojan

                      After several attempts at all suggestions, I still could not shake that 1 last Trojan. As I was running Vista, I took the opportunity to wipe my computer and load Windows 7. I do thank you all for your suggestions and time.

                      • 8. Re: Zeroaccess trojan and rdn/generic backdoor!s! trojan
                        Peter M

                        Glad you sorted it out, albeit the hard way. Make sure you keep Win 7 up to date, SP1 etc., and IE10 rather than its default version, even if you don't use IE.

                        Good luck ;-)

                        • 9. Re: Zeroaccess trojan and rdn/generic backdoor!s! trojan

                          Noidea, I too tried many rootkit trojan/virus removers, including McAfee's, TDSSKiller, Malwarebytes Rootkit removal, Symantec, AVG; the list goes on and on. Spent many hours running these programs in safe mode and standard mode, clean boot, etc., etc. Zaccess screwed with McAfee anti-virus, my firewall, ability to get on the internet, and that list goes on. God knows what info that thing was sending off my PC.

                          The only two programs that appear to have completely rid the PC and registry of this nasty zaccess trojan were RogueKiller followed by ComboFix. I HIGHLY recommend you and others use these two programs to remove zero or zaccess trojan. You'll possibly save hours and hours of aggravation, not to mention you could be doing other things than sitting in front of your PC running anti-virus software and rebooting all day.

                          Mike