3823 Views 8 Replies Latest reply: Sep 7, 2013 11:36 AM by mvalentino
blshoe Newcomer 5 posts since
Aug 19, 2013

Aug 19, 2013 7:35 PM

ZeroAccess Trojan

PC is infected with ZeroAccess. Normal McAfee doesn't clean. Ran GetSup, Rootkit Remover and Stinger, all to no avail. What now, please?

  • Hayton Volunteer Moderator 4,597 posts since
    Sep 27, 2010
    1. Aug 19, 2013 8:29 PM (in response to blshoe)
    Re: ZeroAccess Trojan

    Moved to Security Awareness / Malware Discussion / Home User Assistance to be with the other ZeroAccess posts.

    ZeroAccess detected but not cleaned may mean the infection has installed itself so as to make it very difficult to remove. First thing to try is a System Restore to an earlier time, but that may not repair the damage entirely.

    There are threads here which may offer some ideas. Try this for starters -

    https://community.mcafee.com/message/300256#300256

    A lot depends on which version of ZeroAccess this is and what else came with it. ZeroAccess hides itself very well, and makes many modifications to the host system. Think of it as the PC equivalent of malaria.

    My first port of call, if the usual remedies don't work, would be Microsoft - I can't give a link to the actual page without knowing which variant you've been infected by.

    If you want to try TDSSKiller, Hitman Pro, ESET, Kaspersky, or even Malwarebytes feel free to do so.


    Volunteer Moderator  Leeds, UK
    No PM's please
  • Hayton Volunteer Moderator 4,597 posts since
    Sep 27, 2010
    3. Aug 20, 2013 9:05 PM (in response to blshoe)
    Re: ZeroAccess Trojan

    If the PC is running slow that could be other stuff that comes in with ZeroAccess trying to run. Or worse, actually doing something. I don't know what the OS is but "debilitating effects of age" sounds like XP or Vista rather than Win 7 or 8.

    If you run Process Explorer you can see what processes are active and whether they're signed or not by the vendor (and you can kill anything running if it's a malware process); if you have any suspicions about what runs when you start up, Autoruns is invaluable (it allows you to disable processes and programs you don't recognise) - although if you use it, it's better to leave things be and Google to see what they are before you disable anything. Both of those programs are from SysInternals (now part of Microsoft) and are trusted programs.


    Volunteer Moderator  Leeds, UK
    No PM's please
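A read-only way to get the two views Hayton describes above (what is set to run at startup, what is currently running, and whether the file behind each entry carries a valid vendor signature) from a PowerShell prompt. This is an added example written for this thread, not code from Hayton, McAfee or Sysinternals. It assumes Windows PowerShell 3.0 or later on Windows 7 or later, run elevated so that the image path of system processes can be read, and it looks only at the Run/RunOnce registry keys and the process list, so it covers far fewer autostart locations than Autoruns does. The helper names (`Get-ExePathFromCommand`, `Get-SignatureVerdict`) are this example's own.

```powershell
# Added example for this thread (not from Hayton, McAfee or Sysinternals).
# Read-only inventory: Run/RunOnce autostart entries and running processes,
# each with the Authenticode signature status of the executable behind it.
# Assumes Windows PowerShell 3.0+ on Windows 7 or later; run elevated so the
# image path of system processes can be read. Nothing is changed or killed.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Extract the executable path from a Run-key command line, e.g.
#   "C:\Program Files\Vendor\app.exe" /background   or   C:\Tools\tool.exe -x
function Get-ExePathFromCommand {
    param([string]$Command)
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 1) { return $c.Substring(1, $end - 1) }
    }
    # Unquoted form: everything up to the first ".exe"
    $m = [regex]::Match($c, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return $c
}

# Summarise the Authenticode signature of a file as a short verdict string.
# "Valid" only means the file is signed by a chain Windows trusts; a missing
# file or an unsigned binary in an autostart entry is what deserves a lookup.
function Get-SignatureVerdict {
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return 'FILE MISSING' }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    switch ($sig.Status) {
        'Valid'     { return "Valid: $($sig.SignerCertificate.Subject)" }
        'NotSigned' { return 'NOT SIGNED' }
        default     { return "$($sig.Status)" }
    }
}

# Properties that the registry provider adds to every key; they are not entries.
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

Write-Host '=== Autostart entries (Run / RunOnce registry keys) ==='
$autostart = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -in $providerProps) { continue }
        $exe = Get-ExePathFromCommand -Command ([string]$p.Value)
        [pscustomobject]@{
            Key       = $key
            Name      = $p.Name
            Command   = $p.Value
            Signature = Get-SignatureVerdict -Path $exe
        }
    }
}
$autostart | Format-Table Name, Signature, Command -AutoSize -Wrap

Write-Host '=== Running processes (one row per distinct image path) ==='
$processes = foreach ($proc in Get-Process) {
    # Reading Path fails for protected processes when not elevated; skip those.
    try { $path = $proc.Path } catch { continue }
    if (-not $path) { continue }
    [pscustomobject]@{
        PID       = $proc.Id
        Name      = $proc.ProcessName
        Path      = $path
        Signature = Get-SignatureVerdict -Path $path
    }
}
$processes | Sort-Object Path -Unique | Format-Table Name, PID, Signature, Path -AutoSize -Wrap
```

The script only reports, so it cannot disable a driver or an input device the way Autoruns can; the rows marked NOT SIGNED or FILE MISSING are the ones to look up before touching anything, which is the same "Google first" order of work Hayton recommends. A Valid signature is not proof of a clean file, only that the vendor named in the certificate signed it and Windows trusts that chain.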
  • Hayton Volunteer Moderator 4,597 posts since
    Sep 27, 2010
    5. Aug 22, 2013 7:23 PM (in response to blshoe)
    Re: ZeroAccess Trojan

    it seems I disabled both the mouse and the keyboard so I can no longer even log onto the PC

    Oh dear. I did make a point of saying ".. it's better to leave things be .. "

    You're not the only one who's ever done this. From the SysInternals forum, in the Autoruns sub-section

    (http://forum.sysinternals.com/autoruns_forum16.html)

    there is a recent post from someone saying

    have accidentally disabled my keyboard, touchpad, and other drivers with Autoruns

    Alas, no-one's bothered to answer. Possibly because there are warnings all over the place to the effect that

    + You may use Autoruns to view everything. No problem.

    + Do not change anything unless you know what the effect will be.

    We-e-ll, if you want to try an experiment, the first thing to do is to reboot and keep tapping the F8 key. If you are presented with the Recovery Console the keyboard at least isn't affected during startup. If it works there should be an entry that says something like Last Good Configuration - select that and it might restore the mouse and keyboard settings.

    Otherwise (if the keyboard really is kaput or Last Good doesn't restore things) there are ways to get things back to normal - but they involve changing entries in the registry, and may even involve removing the hard drive and adding it as a slave drive to another PC so you can use regedit to fix it. Complicated, but someone worked out how to do it and posted to their forums to share the repair fix.

    See these posts and articles from SysInternals (including the FAQ) -

    Introduction to AutoRuns :

    http://blogs.technet.com/b/askperf/archive/2009/02/10/who-s-that-hiding-in-my-windows.aspx

    FAQ : http://forum.sysinternals.com/faq-common-autoruns-issues_topic4719.html

    http://forum.sysinternals.com/what-to-uncheck-and-what-not_topic5226.html - read posts 2 and 4

    Fixing an AutoRuns disaster by repairing the registry, making the HD into a slave drive : NOTE, the steps outlined here were to fix his problem; yours is different. But it shows that the recovery can be done.

    http://tc2.atspace.com/0020-AutorunsMistake.htm

    Your best hope of getting authoritative advice on how to proceed might be to ask in the Autoruns section of the Sysinternals forum. But don't expect an instant response : I posted once and had to wait two weeks to get an answer.


    Volunteer Moderator  Leeds, UK
    No PM's please
  • Hayton Volunteer Moderator 4,597 posts since
    Sep 27, 2010
    7. Aug 22, 2013 8:22 PM (in response to blshoe)
    Re: ZeroAccess Trojan

    Autoruns is a powerful tool and is much used for serious investigative work, but they really should send an Instruction Manual along with the download. Actually there is a good manual, for all the SysInternals tools. I keep meaning to buy it.


    Volunteer Moderator  Leeds, UK
    No PM's please
  • mvalentino Newcomer 3 posts since
    Sep 7, 2013
    8. Sep 7, 2013 11:36 AM (in response to Hayton)
    Re: ZeroAccess Trojan

    I too tried many rootkit trojan/virus removers, including McAfee's, TDSSKiller, Malwarebytes Rootkit removal, Symantec, AVG, the list goes on and on. Spent many hours of running these programs in safe mode and standard mode, clean boot, etc., etc. Zaccess screwed with McAfee anti-virus, my firewall, ability to get on the internet, and that list goes on. God knows what info that thing was sending off my PC.

    The only two programs that appear to have completely rid the PC and registry of this nasty zaccess trojan were RogueKiller followed by ComboFix. I HIGHLY recommend you and others use these two programs to remove zero or zaccess trojan. You'll possibly save hours and hours of aggravation, not to mention you could be doing other things than sitting in front of your PC running anti-virus software and rebooting all day.

    Mike
