8 Replies Latest reply: Sep 7, 2013 11:36 AM by mvalentino

    ZeroAccess Trojan

    blshoe

      PC is infected with ZeroAccess. Normal McAfee doesn't clean. Ran GetSusp, Rootkit Remover and Stinger, all to no avail. What now, please?

        • 1. Re: ZeroAccess Trojan
          Hayton

          Moved to Security Awareness / Malware Discussion / Home User Assistance to be with the other ZeroAccess posts.

           

          ZeroAccess detected but not cleaned may mean the infection has installed itself so as to make it very difficult to remove. First thing to try is a System Restore to an earlier time, but that may not repair the damage entirely.

           

          There are threads here which may offer some ideas. Try this for starters -

          https://community.mcafee.com/message/300256#300256

           

          A lot depends on which version of ZeroAccess this is and what else came with it. ZeroAccess hides itself very well, and makes many modifications to the host system. Think of it as the PC equivalent of malaria.

           

          My first port of call, if the usual remedies don't work, would be Microsoft - I can't give a link to the actual page without knowing which variant you've been infected by.

           

          If you want to try TDSSKiller, Hitman Pro, ESET, Kaspersky, or even Malwarebytes feel free to do so.

          • 2. Re: ZeroAccess Trojan
            blshoe

            Hayden,

             

            Thanks for the advice. Malwarebytes seems to have eliminated ZeroAccess (Malaria), but my PC sure is slow, but this is probably caused by the debilitating effects of age as well as a lot of screening programs to keep the bugs at bay. Again, thanks.

            • 3. Re: ZeroAccess Trojan
              Hayton

              If the PC is running slow that could be other stuff that comes in with ZeroAccess trying to run. Or worse, actually doing something. I don't know what the OS is but "debilitating effects of age" sounds like XP or Vista rather than Win 7 or 8.

               

              If you run Process Explorer you can see what processes are active and whether they're signed or not by the vendor (and you can kill anything running if it's a malware process); if you have any suspicions about what runs when you start up, Autoruns is invaluable (it allows you to disable processes and programs you don't recognise) -  although if you use it, it's better to leave things be and Google to see what they are before you disable anything. Both of those programs are from SysInternals (now part of Microsoft) and are trusted programs.
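As an added illustration of the kind of look-but-don't-touch check Hayton describes (not code from this thread or from Sysinternals), this PowerShell script lists running processes and services whose binaries do not carry a valid Authenticode signature, plus the classic Run/RunOnce autostart entries. It only reads; nothing is disabled or killed, so the output can be researched first, as advised above.

```powershell
# Added example, not part of the original thread: a read-only triage pass in the
# spirit of Process Explorer's "Verified Signer" column and Autoruns' startup list.
# Run from an elevated Windows PowerShell prompt. It changes nothing on the system.

# 1. Running processes whose executable lacks a valid Authenticode signature.
#    Processes whose path cannot be read (protected/system processes) are skipped.
$unsignedProcs = Get-Process | Where-Object { $_.Path } | Sort-Object Path -Unique |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.Path
        [pscustomobject]@{
            Name   = $_.ProcessName
            Path   = $_.Path
            Status = $sig.Status     # 'Valid' means signed and chain verified
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    } | Where-Object { $_.Status -ne 'Valid' }
"=== Processes without a valid signature ==="
$unsignedProcs | Format-Table -AutoSize

# 2. Run / RunOnce autostart entries (a small subset of what Autoruns enumerates).
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
"=== Run/RunOnce entries ==="
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the PSPath/PSParentPath/... properties PowerShell adds to the object
        if ($p.Name -notmatch '^PS') {
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

# 3. Services whose binary lacks a valid signature (Get-WmiObject works on PS 2.0+).
"=== Services without a valid signature ==="
Get-WmiObject Win32_Service | ForEach-Object {
    # PathName may be quoted and carry arguments; keep only the executable part
    $exe = $_.PathName -replace '^"([^"]+)".*$', '$1' -replace '^(\S+\.exe).*$', '$1'
    if ($exe -and (Test-Path $exe)) {
        $sig = Get-AuthenticodeSignature -FilePath $exe
        if ($sig.Status -ne 'Valid') {
            [pscustomobject]@{ Service = $_.Name; Binary = $exe; Status = $sig.Status }
        }
    }
} | Format-Table -AutoSize
```

An entry that shows up here is a candidate for research, not proof of malware: plenty of legitimate older software ships unsigned, which is exactly why the thread recommends looking things up before disabling anything.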

              • 4. Re: ZeroAccess Trojan
                blshoe

                Hayden,

                 

                Thanks again for the advice. On another PC (my wife's!) that was running slow I ran Autoruns and got obviously overzealous in disabling things which looked benign enough. Problem is, it seems I disabled both the mouse and the keyboard, so I can no longer even log onto the PC to reactivate those items I disabled. Any advice, as I'm stuck and in the dog house for messing up my wife's PC?

                • 5. Re: ZeroAccess Trojan
                  Hayton

                  it seems I disabled both the mouse and the keyboard so I can no longer even log onto the PC

                   

                  Oh dear. I did make a point of saying ".. it's better to leave things be .. "

                   

                  You're not the only one who's ever done this. From the SysInternals forum, in the Autoruns sub-section

                  (http://forum.sysinternals.com/autoruns_forum16.html)

                  there is a recent post from someone saying

                  have accidentally disabled my keyboard, touchpad, and other drivers with Autoruns

                   

                  Alas, no-one's bothered to answer. Possibly because there are warnings all over the place to the effect that

                   

                  + You may use Autoruns to view everything. No problem.

                  + Do not change anything unless you know what the effect will be.

                   

                   

                  We-e-ll, if you want to try an experiment, the first thing to do is to reboot and keep tapping the F8 key. If you are presented with the Recovery Console the keyboard at least isn't affected during startup. If it works there should be an entry that says something like Last Good Configuration - select that and it might restore the mouse and keyboard settings.

                   

                  Otherwise (if the keyboard really is kaput or Last Good doesn't restore things), there are ways to get things back to normal - but they involve changing entries in the registry, and may even involve removing the hard drive and adding it as a slave drive to another PC so you can use regedit to fix it. Complicated, but someone worked out how to do it and posted to their forums to share the repair fix.

                   

                   

                  See these posts and articles from SysInternals (including the FAQ) -

                   

                  Introduction to AutoRuns :

                  http://blogs.technet.com/b/askperf/archive/2009/02/10/who-s-that-hiding-in-my-windows.aspx

                   

                  FAQ : http://forum.sysinternals.com/faq-common-autoruns-issues_topic4719.html

                   

                  http://forum.sysinternals.com/what-to-uncheck-and-what-not_topic5226.html  - read posts 2 and 4

                   

                  Fixing an AutoRuns disaster by repairing the registry, making the HD into a slave drive : NOTE, the steps outlined here were to fix his problem; yours is different. But it shows that the recovery can be done.

                  http://tc2.atspace.com/0020-AutorunsMistake.htm

                   

                   

                  Your best hope of getting authoritative advice on how to proceed might be to ask in the Autoruns section of the Sysinternals forum. But don't expect an instant response: I posted once and had to wait two weeks to get an answer.

                  • 6. Re: ZeroAccess Trojan
                    blshoe

                    Hayden,

                     

                    You did warn me, but I unfortunately am too impulsive and do things without knowing what the consequences might be (curiosity) and it gets me in trouble in all kinds of ways.  But,  your proposed experiment with F8 worked and I'm back in action.  I'm going to take another run at Autoruns but will try to be a bit more careful this time.  Thanks for bailing me out yet again.

                    • 7. Re: ZeroAccess Trojan
                      Hayton

                      Autoruns is a powerful tool and is much used for serious investigative work, but they really should send an Instruction Manual along with the download. Actually there is a good manual, for all the SysInternals tools. I keep meaning to buy it.

                      • 8. Re: ZeroAccess Trojan
                        mvalentino

                        I too tried many rootkit trojan/virus removers, including McAfee's, TDSSKiller, Malwarebytes Rootkit removal, Symantec, AVG, the list goes on and on. Spent many hours running these programs in safe mode and standard mode, clean boot, etc., etc. Zaccess screwed with McAfee anti-virus, my firewall, ability to get on the internet, and that list goes on. God knows what info that thing was sending off my PC.

                         

                        The only two programs that appear to have completely rid the PC and registry of this nasty zaccess trojan were RogueKiller followed by ComboFix.  I HIGHLY recommend you and others use these two programs to remove zero or zaccess trojan.  You'll possibly save hours and hours of aggravation, not to mention you could be doing other things than sitting in front of your PC running anti-virus software and rebooting all day.

                         

                        Mike