
ZeroAccess - still infected?


#1 fizzlepop

  • Members
  • 3 posts

Posted 15 December 2011 - 03:48 PM

The other day while browsing for some obscure object I landed on a website and immediately got a message from McAfee saying it had detected/deleted "ZeroAccess.b". Simultaneously, I got a dialog box saying Adobe needed to update. Since this was suspicious, I tried to kill the dialog using task manager; when it wouldn't die, I ended up shutting off power to the PC rather than click on anything in that dialog box.

Upon restarting, I found this bogus antivirus program popping up and McAfee Firewall wouldn't stay on. I then logged into another account on the PC and ran MalwareBytes which came up with a half dozen or so malware apps which it killed successfully. I then restored my PC to a previous good point and McAfee Firewall stayed on. I *appeared* to be okay.

Anyway, after researching this nasty ZeroAccess rootkit and seeing how tough it is, I'm afraid I still might be infected. So...
1. Win 7 update process worked fine (updated Malicious Software Tool, et al).
2. McAfee Firewall turns on and stays on. Windows Firewall says it's being managed by McAfee.
3. MalwareBytes runs and detects nothing.
4. Microsoft Malicious Software tool runs and finds nothing.
5. Kaspersky's TDSSKiller runs and detects nothing.

I've found on the web that ZeroAccess will kill/prevent most/all antivirus & detection programs so the fact that I can run any of the above makes me feel a little better. But did McAfee really get rid of it (which would surprise the heck out of me) or did it just hide itself and is now semi-dormant?

Here's the thing:
1. When I start my browser I find the initial loading of a webpage takes a little long - not excessive, just a little bit.
2. When I shutdown, Windows 7 sometimes, not always, tells me that some process is still running and gives me the option to either kill it or let it finish.
3. When I booted into Safe Mode, I got the warning from McAfee that the firewall was off and wouldn't turn on - oddly, when I boot regular it is on and stays on.
4. Windows Defender won't start - in fact I don't even see it in the list of services.

Now all this could be just me being paranoid - my computer seems to be working okay and all my protection programs still seem to work. Some of these things could be normal, e.g. I've read online that McAfee blocks Windows Defender, but I have a different Win 7 PC that is running both without problem.

Is there anything else I can do, short of formatting my disk, to ensure my computer is clean?

#2 Broni

    The Coolest BC Computer

  • BC Advisor
  • 42,662 posts
  • Location:Daly City, CA

Posted 15 December 2011 - 03:51 PM

Please follow the instructions in ==>This Guide<== starting at Step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==. Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.



#3 fizzlepop

  • Topic Starter
  • Members
  • 3 posts

Posted 05 January 2012 - 12:19 PM

I just wanted to update my status...

After looking over the instructions I decided to just go ahead, bite the bullet, and reformat my drive. My computer comes with a Factory Restore partition which you can use to restore the computer to its default factory settings. Looking at all the steps and with the strong suspicion that my computer was still infected, I figured that I could spend several days downloading and running programs, posting logs, et al OR just dump everything on the drive and start fresh. Note - I am not knocking the wonderful service provided here, I'm just saying that reformatting seemed to be the most expedient alternative.

While the backup, format, and restore to factory image as well as loading the few programs that I really wanted to keep was relatively quick, going through two years of Windows Updates took FOREVER! But I'm happy with the end result. I now have a clean machine that doesn't act funny, Windows Defender works (it gave an error when trying to run it and didn't appear in the list of services), Windows Updates actually updates, and I feel like I can finally trust my machine.

Couple of things I learned:
1. If Windows Defender gives you an error when you try to run it and it doesn't appear on your list of services, something killed it and it wasn't your anti-virus program. I've seen several posts indicating that popular AV programs disable Defender. While this might be true, I can tell you unequivocally that I have two WIN 7 machines with both antivirus software AND Defender running.
2. Backing up - while most programs back up files to My Documents, there are a few that go a level up, so to be safe, back up the entire Users directory.
3. If you want to save your browser favorites, IE in particular has an Import & Export feature which works.
4. If you're using Windows Live Mail, you can back up all your received/sent/composed emails.
5. Go out and get yourself an external hard drive - they're cheap and easy to use and worth the $100 or so you'll spend. Plus it's a good practice that we should all fall into regardless of whether our computers get infected.

It's really not that difficult. Most PC manufacturers include the Factory partition these days, although they should (but don't) still ship the CDs which you can boot off of. Anyway, that's my $.02. Hope this helps someone.
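The thread's strongest indicator was Windows Defender vanishing from the service list. The check below is an added example, not something posted in this thread; it assumes the standard Windows 7 service names (WinDefend, MpsSvc, wscsvc, wuauserv) and is meant to be run from an elevated PowerShell prompt on the machine in question. It separates three cases the posters were arguing about: a service that is simply stopped, one that a product has disabled (Start = 4), and one whose service key is gone entirely, which is not something an AV suite does.

```powershell
# Added example (not from the thread): report the state of core Windows 7
# security services and distinguish "stopped", "disabled" and "removed".
$services = @{
    'WinDefend' = 'Windows Defender'
    'MpsSvc'    = 'Windows Firewall'
    'wscsvc'    = 'Security Center'
    'wuauserv'  = 'Windows Update'
}

foreach ($name in $services.Keys) {
    $svc    = Get-Service -Name $name -ErrorAction SilentlyContinue
    $regKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"

    if (Test-Path $regKey) {
        # Start type: 2 = Automatic, 3 = Manual, 4 = Disabled
        $start = (Get-ItemProperty -Path $regKey).Start
        if ($svc) {
            $state = "$($svc.Status)"
            if ($start -eq 4) { $state += ' (Start type = Disabled)' }
        } else {
            # Key exists but the Service Control Manager does not list it:
            # worth a closer look, since a healthy install shows both.
            $state = 'registered in registry but not listed by SCM'
        }
    } elseif ($svc) {
        $state = "$($svc.Status) (no registry key?)"
    } else {
        # Neither the SCM nor the registry knows the service: it was removed,
        # which matches the symptom described in this thread.
        $state = 'MISSING - service key removed'
    }

    '{0,-18} {1,-10} {2}' -f $services[$name], $name, $state
}
```

A line reading MISSING for WinDefend or MpsSvc while the others look normal is the pattern to treat as evidence of tampering rather than an AV-suite configuration choice.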
