23 Replies Latest reply on Sep 30, 2013 1:22 AM by pls

    ZeroAccess-FAT!D1A909DB8D6F rootkit trojan - help needed

    pls

      Operating system:

      -----------------

      MS Windows XP Professional

      Version 2002

      Service Pack 3

      all Microsoft/Windows updates were up-to-date at the time of this incident.

       

      Product Info:

      -------------

      McAfee SecurityCenter

      Version: 11.6

      Build: 11.6.511

      AffId: 910

      Language: en-us

      Last update: 5/15/2013

       

      McAfee Virus Scan

      Version: 15.6

      Build: 15.6.245

      Last Update: 9/5/2013

      DAT version: 7189

      DAT creation date: 9/5/2013

      Boot DAT Version: 7186.0000

      Boot DAT Creation Date: 9/2/2013

      Engine Version: 5500.1093

       

      Malware Info:

      -------------

      Detected: ZeroAccess-FAT!D1A909DB8D6F (Trojan)

      Quarantined From: C:\WINDOWS\assembly\GAC\Desktop.ini

       

      SecurityCenter says that Windows Firewall is disabled.  Attempts to enable it fail.

       

      Full McAfee virus scan detects nothing.  But McAfee pops up a window saying:

       

      McAfee

      Trojan Detected

      McAfee detected an infected file on your PC. Restart your PC so we can fix it.

      About This Trojan

      Detected: ZeroAccess-FAT!D1A909DB8D6F (Trojan)

      Quarantined from: C:\WINDOWS\assembly\GAC\Desktop.ini

      We cannot remove a Trojan while the infected file is in use. Restarting your PC frees up

      the infected file allowing McAfee to fix the issue. [Restart now] [Restart later]

       

      Restarting fails to fix it.  Full Scan detects no issues, but the popup window I've just described reappears.

       

      I have downloaded and run rootkitremover (v. 0.8.9.161).  It runs but detects nothing.  I still cannot enable firewall, and the "Trojan Detected" window reappears.

       

      I unplugged the computer from the network quickly when this all started, and am using a second, networked, computer to try to fix this, using a USB drive to transfer downloaded files.

       

      This version of McAfee was provided by my ISP (Time Warner) and has been kept up-to-date.  But now I see that TW apparently provides a newer version, McAfee 2013.  (Why my regular updates never acquired the current version, I don't know. TW doesn't have the greatest customer support!)  If I can install this latest version of McAfee AntiVirus, will it fix this variant of the ZeroAccess trojan?  A web search produces no info at all about ZeroAccess-FAT!...etc. although other variants are mentioned.

       

      I've just read "Required Reading - Home User Assistance Malware Troubleshooting" at https://community.mcafee.com/docs/DOC-1294 .  Since my SecurityCenter is RED (Windows Firewall is OFF), I did not proceed to Step 2 of that document.

       

      Thanks for reading this.  I'd really appreciate help to remove this nasty rootkit and get my computer back!

       

      - Pat

        • 1. Re: ZeroAccess-FAT!D1A909DB8D6F rootkit trojan - help needed
          Peter M

          There are so many variants of ZeroAccess it's not surprising that some are difficult to remove.   McAfee does detect a large number but nothing is perfect.

           

          Try running Stinger and Malwarebytes Free; see the last link in my signature below for hints and a link to them.   To keep Malwarebytes free of charge do NOT accept the free trial offer.

           

          If that doesn't help then I suggest running either Hijackthis or DDS as suggested lower down that last link and posting their log as suggested on a specialist forum for expert advice.

           

          By the way your Windows Firewall will show as off  as the McAfee one is on.

          • 2. Re: ZeroAccess-FAT!D1A909DB8D6F rootkit trojan - help needed
            Hayton

            This is a new variant of ZeroAccess, hence the string of characters in the suffix. It needs to be analysed properly before it can be countered. I don't know whether the Labs have had access to an infected system yet to do the analysis.

             

            Nevertheless, infecting desktop.ini in that location is what most ZeroAccess variants do. Stinger might have been updated by now to deal with it, so that's worth a try.

             

            See these threads where earlier variants were involved

            https://community.mcafee.com/message/252951#252951

            https://community.mcafee.com/message/244593#244593

             

            Windows system files may need replacing with their original versions (via 'sfc /scannow') and the integrity of the MBR should be checked. The posts in those threads should cover those points.

             

            Bear in mind what Microsoft say about ZeroAccess (or Sirefef, the MS name for it)

            "Particular variants of Win32/Sirefef may also make lasting changes to your computer that will NOT be restored - some system files may be irrevocably corrupted and essential security services may be disabled.

             

            Due to the severe consequences associated with this threat, you may need to reinstall your Windows operating system and other computer programs, and restore your files and data from backup if your computer is infected with any of the following Sirefef variants:

            - Trojan:Win32/Sirefef.AA

            - Trojan:Win32/Sirefef.AC

            - Trojan:Win32/Sirefef.AH"

            • 3. Re: ZeroAccess-FAT!D1A909DB8D6F rootkit trojan - help needed
              pls

              Thank you so much, Hayton and Ex-Brit, for your responses!

              Having learned that ZeroAccess is also known as Sirefef, I dug around the Microsoft support site last night and found their Safety Scanner:

              http://www.microsoft.com/security/scanner/en-us/default.aspx

               

              Ran Safety Scanner this morning as directed, and it worked!!!  It detected and fixed Sirefef variants .AB and .CA

              I then ran McAfee's updater, then Windows updates.  These seemed to go well.  On restart, the computer seemed to get stuck on FlashPlayerUpdateService -- it wouldn't finish starting up but I couldn't shut it down nicely either, so pressed the RESET button, which got it to come back up normally.  Now everything seems to be running right.  {BIG SIGH OF RELIEF}

               

              Based (only) on this experience, I can recommend MS Safety Scanner for this particular trojan.

               

              By the way, I believe the trojan was acquired by clicking a link within an email message that appeared to be a LinkedIn.com invitation.  I KNOW better than to do stuff like that!!  I NEVER click on stuff like that!  Until... I did...  Hmm, guess I hadn't had enough coffee that morning and wasn't thinking straight.

               

              Hope this helps the next victim.

              • 4. Re: ZeroAccess-FAT!D1A909DB8D6F rootkit trojan - help needed
                Peter M

                There are a lot of pseudo LinkedIn invitation emails caught by my spam service so avoid such things at all costs.   Even genuine LinkedIn messages apparently have been suspects in spreading infection.  Needless to say I ditched LinkedIn altogether because it obviously isn't secure at all.

                • 5. Re: ZeroAccess-FAT!D1A909DB8D6F rootkit trojan - help needed
                  pls

                  Update:

                  Three days after successful removal, the following set of malware was detected by McAfee AntiVirus and successfully QUARANTINED and removed with no effort required from me.

                   

                  ZeroAccess-FCF!00B49E4F691A

                  ZeroAccess-FAT!D1A909DB8D6F

                  ZeroAccess.a!cfg

                  Exploit-CVE2013-2465

                  Exploit-FLK!CVE2013-2465

                   

                  Way to go, McAfee !!!   Your diligence in swatting down the nasties is appreciated!

                   

                  (BTW, this time it wasn't me on the computer when the infection arrived, so I don't know the cause of it.)
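The detection names in the first post and in this update follow the McAfee pattern of family, variant and a suffix after "!" (Hayton points out that the suffix is what marks a new variant), and the first post's quarantine path is the Desktop.ini under the GAC directory that Hayton describes as typical for ZeroAccess. The script below is an added example, not McAfee's tooling or anything posted in this thread: it parses "Detected:" / "Quarantined from:" lines of the shape quoted above, splits each name into family/variant/suffix, normalises any embedded CVE reference, and flags the GAC Desktop.ini indicator. The log text is constructed for the example; only the ZeroAccess names, the CVE and the GAC path come from the thread, and the other file paths are made up.

```python
"""Triage helper for McAfee-style detection records (added example, not McAfee code)."""
import re
from collections import Counter

# Constructed sample in the shape of the "Detected:" / "Quarantined from:" lines
# quoted in the thread. The GAC Desktop.ini path is the one from the thread;
# the C:\TEMP paths are made up for this example.
SAMPLE_LOG = r"""
Detected: ZeroAccess-FAT!D1A909DB8D6F (Trojan)
Quarantined from: C:\WINDOWS\assembly\GAC\Desktop.ini
Detected: ZeroAccess-FCF!00B49E4F691A (Trojan)
Quarantined from: C:\TEMP\sample1.tmp
Detected: ZeroAccess.a!cfg (Trojan)
Quarantined from: C:\TEMP\sample1.cfg
Detected: Exploit-CVE2013-2465 (Exploit)
Quarantined from: C:\TEMP\sample2.jar
Detected: Exploit-FLK!CVE2013-2465 (Exploit)
Quarantined from: C:\TEMP\sample3.jar
"""

# Detection name: family, optional variant after '-' or '.', optional suffix after '!'
NAME_RE = re.compile(r"^([A-Za-z0-9]+)(?:[-.]([A-Za-z0-9-]+))?(?:!([A-Za-z0-9-]+))?$")
# CVE references appear with or without hyphens (e.g. CVE2013-2465); normalise both
CVE_RE = re.compile(r"CVE-?(\d{4})-?(\d{4,})")
DETECTED_RE = re.compile(r"^Detected:\s*(\S+)(?:\s*\((\w+)\))?", re.I)
QUARANTINED_RE = re.compile(r"^Quarantined from:\s*(.+?)\s*$", re.I)


def parse_detection_name(name):
    """Split a McAfee-style detection name into its parts and extract any CVE."""
    m = NAME_RE.match(name)
    family, variant, suffix = m.groups() if m else (None, None, None)
    cve = CVE_RE.search(name)
    return {
        "name": name,
        "family": family,
        "variant": variant,
        "suffix": suffix,
        "cve": f"CVE-{cve.group(1)}-{cve.group(2)}" if cve else None,
    }


def is_gac_desktop_ini(path):
    """True for the %WINDIR%\\assembly\\GAC\\Desktop.ini location named in the thread."""
    return path.replace("/", "\\").lower().endswith(r"\assembly\gac\desktop.ini")


def parse_log(text):
    """Pair each 'Detected:' line with the 'Quarantined from:' line that follows it."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        d = DETECTED_RE.match(line)
        if d:
            rec = parse_detection_name(d.group(1))
            rec["category"] = d.group(2)
            rec["path"] = None
            records.append(rec)
            continue
        q = QUARANTINED_RE.match(line)
        if q and records and records[-1]["path"] is None:
            records[-1]["path"] = q.group(1)
    return records


def summarize(records):
    """Count families, collect CVEs and report whether the GAC indicator was seen."""
    return {
        "families": Counter(r["family"] for r in records),
        "cves": {r["cve"] for r in records if r["cve"]},
        "zeroaccess_variants": sorted(
            {r["variant"] for r in records if r["family"] == "ZeroAccess" and r["variant"]}
        ),
        "gac_desktop_ini": any(r["path"] and is_gac_desktop_ini(r["path"]) for r in records),
    }


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print(f"{r['family']:<10} variant={str(r['variant']):<14} cve={r['cve']} path={r['path']}")
    s = summarize(recs)
    print("families:", dict(s["families"]))
    print("ZeroAccess variants:", s["zeroaccess_variants"])
    print("GAC Desktop.ini indicator seen:", s["gac_desktop_ini"])
```

A repeat detection of the same family a few days later, as in this update, shows up here as the family counter growing across runs; the GAC Desktop.ini flag is the single item most worth checking first, since that location is where this thread's original detection came from.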

                  • 6. Re: ZeroAccess-FAT!D1A909DB8D6F rootkit trojan - help needed
                    Peter M

                    ZeroAccess has new variants appearing constantly so the software will catch more as time goes along, but I would be concerned as to where those are coming from in the first place !?!

                    • 7. Re: ZeroAccess-FAT!D1A909DB8D6F rootkit trojan - help needed
                      pls

                      Yep, I'm concerned too.  Since security issues are rare on our computer (we're smart, careful, and keep everything updated), my first thought with this latest batch was that the original ZeroAccess infection just hadn't been completely eliminated.  When I saw that McAfee had detected & quarantined these things, I scanned with a fresh copy of MS Safety Scanner and then a full McAfee AV scan, and both came back clean.  No sign of problems since then.

                       

                      The new stuff was detected while Firefox was connected to youtube, watching videos demonstrating coffeemaker accessories (not an especially high-risk search topic).

                       

                      As I'm typing this, Firefox has popped up its "software updates available" window "strongly recommending" the installation of 17 security hole fixes.  Eleven of those vulnerabilities permit compromise of a machine via normal browsing activity.    *sigh*...   I hates bad guys.  Hates 'em, hates 'em, I do.

                      • 8. Re: ZeroAccess-FAT!D1A909DB8D6F rootkit trojan - help needed
                        Peter M

                        I hear you.  My Firefox updated just now and I am now in the process of trying to update iOS on my iPad.

                        • 9. Re: ZeroAccess-FAT!D1A909DB8D6F rootkit trojan - help needed
                          bwnatural

                          Thank you pls!!!

                           

                          I had a ZeroAccess trojan virus that was quarantined by McAfee. I couldn't use my PC because I couldn't get rid of the McAfee alert message.

                           

                          I followed your advice and ran MS Safety Scanner and my PC is back to normal again.

                          It saved me support fees and lots of time!

                           

                          Best regards to you!
