
Trojan.Zeroaccess. Should I be worried? Please advise!



#1 Foldingchair


Posted 22 April 2016 - 01:25 PM

Hi wonderful professionals of Bleeping Computer,

 

An hour or two ago after I came back to my room from dinner to notice that Norton Security had resolved a security threat. This usually already worries me.

Apparently Norton solved a security threat that (for some reason) resided in the Malwarebytes Anti-Malware folder.

 

Infected File: "c:\program files (x86)\malwarebytes anti-malware\00004963.tmp" to be precise.

 

Out of paranoia and caution I've already run several scans:

 

- Malwarebytes Anti-Malware (Check for Rootkits enabled)

- Malwarebytes Anti-Rootkit Beta

- Norton Security Full Scan

- Norton Power Eraser

 

All of these scans came out clean with no issues found.

 

 

What bothers me is the fact that Norton picked up on the file at random, and what worries me even more is that it was found in the MBAM folder. How it got there and why is beyond me.

I haven't noticed any strange behavior in Windows 10, nor did I notice any odd processes running from what I can tell. Performance is normal and I haven't installed any dodgy software. Coincidentally I installed LibreOffice before dinner as I like it in Linux. I do Norton Live Updates almost hourly. I have no idea how and why this zeroaccess trojan suddenly appeared. I barely download anything and don't insert any foreign removable media.

 

Should I be worried about this? I know Norton Security says the threat has been resolved, but WHY was it there in the first place!? And what the hell was it doing in the MBAM folder? I'm starting to get worried now. :mellow:

 


"Peace and blessings be upon you all."



#2 garioch7


Posted 22 April 2016 - 02:50 PM

Folding Chair:
 
Good day.  My name is Phil and I will help you with your concerns.  May I address you by your first name since we will be working together?
 
I commend you for your diligence in keeping your computer safe. :thumbup2:
 
This is most likely what is known as a "false positive."  Anti-malware software is coded such that, to some anti-virus scanners, it represents a potential threat.  That MBAM folder probably contained definition updates, which would contain signatures, and I suspect that Norton reacted to a ZeroAccess signature known to it.  I would not be too concerned, but just to be sure, and to set your mind at ease, let's run an online ESET scan.  This is a very thorough anti-virus scanning tool.

 

When you are ready to run the ESET scan, please disable your Norton anti-virus active scanning module, as it could interfere with the ESET scan until ESET has finished.


ESET Online Scanner using Internet Explorer:

Note 1: These instructions are for Internet Explorer only! If you're using Chrome or Firefox, you will need to download and install the ESET Smart Installer tool before it can scan. See instructions here.
Note 2: You will need to disable your currently installed Anti-Virus, how to do so can be found here.

* Click this link to open ESET OnlineScan.
* Place a checkmark next to "Yes, I accept the Terms of Use", then click the green Start button.
* When prompted, allow the Add-On/ActiveX to install.
* In the new window that opens, tick the radio button next to Enable detection of potentially unwanted applications.
* Then click "Advanced settings", and make sure there is a checkmark next to only the following items (uncheck everything else):

  • Remove found threats
  • Scan archives
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology

* Then click the Start button and ESET will download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
* When the scan completes, click List Found Threats (only if anything is found).
* Then click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
* Click Back, then click Finish to exit ESET Online Scanner.

Don't forget to re-enable your antivirus when finished!


Please post any log produced by ESET.  What we are both hoping for is that ESET won't find anything, so there will be no log to post! :)

 

Have a great day.

 

Regards,

-Phil


Graduate of the Bleeping Computer Malware Removal Study Hall


#3 Foldingchair


Posted 22 April 2016 - 05:21 PM

Hi Phil. Sure, no problem! And thank you for the compliment. I did as you suggested and let ESET Online run its scan. It did detect threats, but I am fully aware of what said threats are. I'll add the log anyway. It also occurred to me that it's not unlikely that Norton Security has thrown a false positive about MBAM, seeing as I've got it set to the most aggressive settings possible, which normally yields no problems.

C:\Users\Marcy\AppData\Roaming\DVDVideoSoft\FreeYouTubeToMP3Converter.exe	a variant of Win32/OpenCandy.A potentially unsafe application	deleted
D:\Music Production Data\VST Plugins\Native Instruments\Native Instruments Kontakt 5\NIKONTAKT501.iso	a variant of Win32/TrojanDownloader.Agent.RJK trojan	deleted
E:\Software\Office Activator\Office 2010 Toolkit 2.2.1.exe	a variant of MSIL/HackKMS.G potentially unsafe application	cleaned by deleting

This is the log as produced by ESET Online.

 

I'm familiar with OpenCandy, normally Malwarebytes gets rid of it, but apparently it missed it this time. I know it's harmless, but it's still a PUP regardless.

Long ago I obtained Kontakt 5 not entirely legally. It has its own crack, which usually gets picked up by Norton as well but is considered safe. I used to use it for hobby purposes, but not anymore. It's one of those things I never removed.

The Office activator is self explanatory. It dates back to when I used Windows 7. I had a pirated version of Office 2010, also obtained long ago. Nowadays I just use LibreOffice. Again, it's one of those things I never bothered removing since my father occasionally needs it for his own office work, since he always seems to lose his.

 

I decided to let ESET remove all of the "threats" in question, and I cleaned up after it right away, seeing as it's pointless to keep these files around. This leaves me pretty convinced that the Zeroaccess trojan that Norton picked up was indeed a false positive, seeing as it sat in the MBAM folder and all other scans came out clean, including ESET. It would make absolutely ZERO sense for my system to have contracted a virus. For now I'll assume I have nothing to worry about. I'll check back before I go offline and first thing the next morning.

 

Thanks anyway! I did notice ESET leaves quarantined files in C:\Program Files (x86)\ESET\ESET Online Scanner\Quarantine. I assume these are safe to delete now?


Edited by Foldingchair, 23 April 2016 - 05:37 AM.

"Peace and blessings be upon you all."
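The ESET result lines posted above are tab-separated records of the form path, detection name, action taken. The following is an added example written for this page (it is not code from the thread, from ESET, or from BleepingComputer) that parses lines in that layout, pulls out the ESET family name, separates potentially unsafe/unwanted application detections from everything else, and lists which entries still deserve a look: anything not classed as PUA, or anything the scanner reported but did not actually remove. The three-field layout, the category keywords and the set of "removed" action strings are assumptions based on the lines in this post; the fourth sample line is constructed to exercise a detection that was not cleaned. The script only reads text; it does not run a scanner or touch any files.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample input. The first three lines mirror the result lines in
# the post above (tab-separated: path, detection, action); the fourth is a
# constructed line so that a detection that was NOT removed is also exercised.
SAMPLE_LOG = "\n".join([
    "C:\\Users\\Marcy\\AppData\\Roaming\\DVDVideoSoft\\FreeYouTubeToMP3Converter.exe\t"
    "a variant of Win32/OpenCandy.A potentially unsafe application\tdeleted",
    "D:\\Music Production Data\\VST Plugins\\Native Instruments\\Native Instruments Kontakt 5\\NIKONTAKT501.iso\t"
    "a variant of Win32/TrojanDownloader.Agent.RJK trojan\tdeleted",
    "E:\\Software\\Office Activator\\Office 2010 Toolkit 2.2.1.exe\t"
    "a variant of MSIL/HackKMS.G potentially unsafe application\tcleaned by deleting",
    # constructed line, not from the thread
    "C:\\Example\\leftover.tmp\tWin32/Example.Test trojan\terror while cleaning",
])

# ESET detection names look like Platform/Family.Variant (e.g. Win32/OpenCandy.A);
# this regex pulls that token out of the free-text detection field (assumption).
FAMILY_RE = re.compile(r"([A-Za-z0-9]+/[A-Za-z0-9._\-]+)")

# Actions we treat as "the file is gone from its original place" (assumed set).
REMOVED_ACTIONS = {"deleted", "cleaned by deleting", "cleaned", "quarantined"}


def classify(detection: str) -> str:
    """PUA/PUP-style detections are low priority; everything else is treated as malware."""
    d = detection.lower()
    if "potentially unsafe" in d or "potentially unwanted" in d:
        return "pua"
    return "malware"


def parse_eset_log(text: str) -> List[Dict[str, object]]:
    """Parse tab-separated ESET Online Scanner result lines into records."""
    records: List[Dict[str, object]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = [p.strip() for p in line.split("\t")]
        if len(parts) != 3:
            raise ValueError(f"expected 3 tab-separated fields, got {len(parts)}: {line!r}")
        path, detection, action = parts
        match = FAMILY_RE.search(detection)
        records.append({
            "path": path,
            "detection": detection,
            "family": match.group(1) if match else "",
            "category": classify(detection),
            "action": action,
            "removed": action in REMOVED_ACTIONS,
        })
    return records


def summarize(records: List[Dict[str, object]]) -> Dict[str, int]:
    """Count detections per category (pua vs malware)."""
    return dict(Counter(str(r["category"]) for r in records))


def needs_follow_up(records: List[Dict[str, object]]) -> List[str]:
    """Paths that still deserve attention: not classed as PUA, or reported but not removed."""
    return [str(r["path"]) for r in records
            if r["category"] != "pua" or not r["removed"]]


if __name__ == "__main__":
    recs = parse_eset_log(SAMPLE_LOG)
    for r in recs:
        print(f"{r['category']:8} {r['family']:36} {r['action']:20} {r['path']}")
    print("summary:", summarize(recs))
    print("follow up:", needs_follow_up(recs))
```

Running it on the sample lists two PUA entries and two "malware" entries, and flags the Kontakt ISO (a trojan downloader, even though ESET deleted it) and the constructed uncleaned line for follow-up. The point of the split is the one made in the thread: an OpenCandy bundle or a KMS activator being removed is expected cleanup, whereas a trojan detection inside an archive, or any detection the scanner could not clean, is worth confirming with a second scan rather than assuming the matter is closed.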


#4 garioch7


Posted 23 April 2016 - 11:39 AM

Foldingchair:

 

Thank you for your post.  Yes, it is safe to delete the ESET Quarantine files.

 

I am not going to give you a lecture, but I assume you do know that using software "cracks" is not an approved practice because it comes bundled with malware usually.  You are putting your computer at risk. It is also unethical.

 

Have a great day.

 

Regards,

-Phil


Graduate of the Bleeping Computer Malware Removal Study Hall


#5 Foldingchair


Posted 23 April 2016 - 01:17 PM

Oh yes, I know, which is exactly why I don't use them anymore. Everything in my Windows 10 is completely legitimate, which actually also feels a lot better. :)

Glad to know there's nothing wrong in terms of infection though. I'm going to assume it was a false positive, especially because it came out of nowhere. The only thing I downloaded or installed recently was LibreOffice, anyway. I haven't seen anything occur again ever since, nor do things seem out of order.

 

Thanks for the support and thinking along with me. It really puts my mind at ease.


"Peace and blessings be upon you all."


#6 garioch7


Posted 24 April 2016 - 06:37 AM

Foldingchair:

 

Thank you for your post.  I am glad to hear that all is well, and even happier to learn that your Windows 10 computer has only legitimate software installed.  You're right, it does feel better, and it is MUCH safer! :thumbup2:

 

You are most welcome for my assistance.  On behalf of the Bleeping Computer community, thank you for choosing us to help you with your computer issues.  Please stay safe out there in cyberspace.

 

Have a great day.

 

Regards,

-Phil


Graduate of the Bleeping Computer Malware Removal Study Hall




