OT- ZeroAccess rootkit trojan: Anyone with experience/advice on removing?

Submitted by NoVaWolverine on June 11th, 2012 at 3:39 PM

Mods, feel free to delete if you like ... but I recalled how knowledgeable many people were on this board during last year's MGoBlog malware mess, so I'm hoping to tap into MGoBlog's collective wisdom here...

So my home laptop has picked up the ZeroAccess rootkit trojan, which I've read is a nasty little bugger to remove. Feeling like an idiot, because I clicked on the trojan -- what pretended to be an Adobe Flash update -- even when part of my interior B.S. detector KNEW it was phony. Stupid is as stupid does... argh.

I need to get rid of this thing ASAP. Here's the rundown ... I'd appreciate any help/advice anyone can offer (my machine is a Gateway, running Vista and McAfee):

* Soon after making the fateful click on the trojan, I started getting numerous McAfee trojan removal popups (sometimes as often as every few seconds) saying something like "Trojan detected/removed, no further action required." Under "more," it listed ZeroAccess as the culprit.

* I ran a full McAfee scan, which detected & quarantined 2 items

* Then I downloaded and ran the McAfee rootkit remover -- it found nothing

* Then I downloaded Malwarebytes, ran the quick scan, which detected and removed two items, and then rebooted

* Alas, after reboot I still kept getting the same McAfee trojan popups. However, the rest of the machine seemed to be running normally -- I'm not getting redirected to any crazy websites, etc. But I'm keeping the laptop off for now as a precaution.

What should I do next? My computer skills are limited to the basics, although I can follow directions OK. I'm fairly certain I haven't eliminated this bugger, and want to make sure my computer's clean before getting back online and doing anything like paying bills, etc. 

* I dug up some very thorough Zeroaccess/Sirefef rootkit removal guides, like this one. (e.g., run a Kapersky rescue disk reboot, then run a bunch of malware scanners like Rkill, Malwarebytes, and Emsisoft Emergency Kit, and then follow a few more steps at the end to remove any residual damage from the rootkit -- check DNS settings, HOSTs file, and run the Tweaking.com Windows Repair tool.)

It looks tedious and time-consuming to this layman, but I'm willing to do it, if it means I'll have a clean machine at the end. But how confident can I be that I've removed the rootkit completely?

* Another option I've read about is doing a system restore, via the Command prompt. (i.e., rstrui.exe) But doesn't a rootkit have the ability to survive that?

* That leads me to wonder if the only way I can truly be sure I've got a clean computer is to wipe/reformat my hard drive and reinstall the factory settings from the Gateway recovery partition. (The partition allows me to reformat and reinstall factory settings/programs without original disks, right? I'm not even sure the laptop came with any disks, and if it did, hell if know where they are, since I bought the thing 4-5 years ago...)

How much of a pain will this be? If I back up non-execute/system files (personal files, docs, photos, music, etc that I want to keep) onto disks/external drives before I do the reformat/reinstall, could those still be infected w/the rootkit when I copy them back onto the (presumably) clean computer? Or does a rootkit just mess around with system/.exe type files?

Again, I appreciate any help anyone on the board can offer!

Comments

Moleskyn

June 11th, 2012 at 3:52 PM ^

To be honest, just treat yourself to a new laptop. In this day and age, any piece of technology over 5 years old is ancient. Plus, Vista was an awful OS. Windows 7 is so much faster, easier to use, etc. I'm sure this will draw some snarky responses from Mac or Linux users, but whatever. Depending on what you need out of a computer, you could easily find a decent one for well under $1,000.

NoVaWolverine

June 11th, 2012 at 4:02 PM ^

I'd prefer first to make a good effort at saving my current machine, before buying a new one w/$$ that I'd rather spend on other family priorities right now. That's just how I am when it comes to big-ticket items -- e.g., the family minivan has 65k miles on it and I plan on us driving that thing until the 150k mark at least before even thinking about getting a new one. 

But I'm preparing myself mentally for the prospect that you might be right.

Moleskyn

June 11th, 2012 at 4:36 PM ^

I hear you! My car is coming up on 190K, and I'm hoping to milk 200K out of it. As I said below, my laptop at home has Vista on it, but I don't use it often enough to warrant a replacement at this point. Plus, higher financial priorities right now. But having used work laptops with Windows 7 for the past couple of years, I greatly prefer 7 to Vista.

joeyb

June 11th, 2012 at 4:02 PM ^

Vista was not an awful OS. It had a very rocky launch due to lack of driver support and it had new features that some people didn't like, which could be turned off in 10 seconds. Windows 7 is basically Windows Vista with a new skin and a few new features. Nothing changed under the hood, which is why it had a much smoother launch and everyone loves it. Once it got off to a rocky start, all of the bad reviews came out and that frame of mind stuck around. I guarantee that Windows 8 is doomed because it offers so many new features that many won't like. They won't bother to look into how to turn those settings off and they will label it as a failure, just like they did with Vista.

Moleskyn

June 11th, 2012 at 4:34 PM ^

Eh, I disagree. I got a Dell with Windows Vista on it, and I really liked the OS compared to XP. But it wasn't the features that turned me off from it. It was the performance. It took longer to boot than XP. FWIW, I still have that laptop at home, and use it, but my work laptop has Windows 7 and I like this one a lot more than the one at home. Maybe my view of Vista is jaundiced since the time when I used it most heavily was not long after it came out. Vista was a necessary step for Microsoft to take, since they botched the version before that (can't remember the name, it was something native-Americanny if I remember correctly), but Vista was a bridge between XP and Windows 7. From what I've read, Microsoft is going to be rolling out new operating systems every few years now; a lot more frequently than the amount of time that went between XP and Vista, at least.

JHendo

June 11th, 2012 at 4:47 PM ^

Windows Vista with the latest service pack is essentially Windows 7.  Transversely, Windows 7 really should have just been a final service pack for Vista (even though thems is fighting words to some people).  That being said, the early versions of Vista were god awful and it is a terrible OS.

To put it in football terms, if a football team had lost it's first 10 games of the season, but somehow pulled off a couple shockers to win it's final 2 against decent teams, it doesn't stop the fact that they're a terrible 2-10 team at the end of the day.

joeyb

June 11th, 2012 at 5:38 PM ^

My point was that the early versions of Vista were god awful because they changed the framework for drivers and the hardware manufacturers didn't do anything about it until after launch. That was the single biggest issue with Vista. It literally made Vista unusable, but there wasn't anything that Microsoft could do about it, but all of the blame falls on them because what worked in XP no longer worked in Vista.

There were other bugs, but there were lots of bugs for Windows 7's launch too. It's just that those issues got exacerbated in the media because of the issues with the drivers. Then, you throw new features, like UAC, which were pretty much universally hated, into the mix and you get a perfect storm of events that places the entire OS into a bad light for it's lifespan, even though, the new features could be turned off, the bugs were fixed in a timely fashion just like every other launch, and the hardware manufacturers got their act together and fixed their drivers (for the most part) within a week of launch.

If you are going to compare it to a football season, I'd say it was much more like a team that had extremely high expectations, but lost it's first game inexplicably, then lost it's second game, basically condemning the whole season. That team then goes on a huge win streak, but even though it did everything right in the end, the first two losses, particularly the first one, will always hang over it's head, even if they win their conference and bowl game.

switch26

June 11th, 2012 at 8:45 PM ^

sorry to say, but you know nothing about computers..  Vista was TERRIBLE..  they even acknowleged how bad it was.

 

Win7 is beyond far and above vista..  If your computer can handle vista, you should be able to easily upgrade to Win7...  win7 had a rocky start?  huh?  

 

There isn't the same frame of mind with win7 as win vista at all..   Not sure who you talk to or who you hang around with, but Win7 has never had a problem on my rig, but i custom build PC's and Vista was nothing but a joke, and Win7 has run flawless.. You are wrong sorry

 

I agree win8 could be not for everyone, but who cares..  Vista sucked period..  Sorry to break your heart

 

this was in response to joeyb, but it didn't reply properly

 

 

 

In other news.. i have no clue how you people get so many viruses/malware.. Once i rebuilt my new rig, i didn't download stupid shit and i never have problems ever.. 

joeyb

June 11th, 2012 at 9:03 PM ^

I never said that Windows 7 had a rocky start. I said it had bugs like everything else. XP had them too. Every release of OS X and Linux has them too, but they get patched. Windows 7 is the Windows 6.1 kernel with a new user interface, i.e. Windows 7 is Windows Vista with a new skin. They changed nothing on the back end, which is why Windows 7 works flawlessly on all machines; the manufacturers had 3 years to get the drivers perfect with Vista.

I really don't care if you don't like Vista. That's your opinion and you have a right to it. It just bothers me when people try telling people that they have to "upgrade" from Vista to Windows 7 because of bad reviews stemming from issues that were fixed within the first month of release.

And before you twist my words again, I liked Vista since Beta and thought it was a huge step up from XP. I like Windows 7 even more than Vista due to the interface, but I'm familiar enough with what's underneath the skin that I know they are pretty much the same OS.

Hannibal.

June 12th, 2012 at 9:33 AM ^

Vista's problems weren't fixed.  From a gamer's standpoint, it was an absolute;y attrocious operating system.  An terrible piece of festering monkey shit.  Knowing that there might be some problems, I kept a dual boot system with XP on an old hard drive.  Even a couple of years after Vista was launched, all of the games that I tried in both XP and Vista ran either the same or significantly better in XP (Crysis, Gears of War, GTA IV, and The Witcher are some of the ones that I tried).

When I upgraded from Vista to 7, the improvement was immediate and noticable.  If it's just Vista with a new coat of paint, then that is one effective coat of paint. 

Hannibal.

June 11th, 2012 at 3:53 PM ^

I have this same problem right now, and I have already backed up everything in anticipation of wiping and re-installing the operating system.  i even have a dual boot system and when I ran a virus scan and Malaware after booting up on the other drive, it still couldn't get it clean.  When I researched the problem, I found some solution-like substances that involved some complicated-looking stuff that had the risk of screwing up your system. 

NoVaWolverine

June 11th, 2012 at 4:19 PM ^

I've only read a little about this approach, but it seems to be another challenge -- how do you make sure all the files you've backed up are clean before you put them on the newly wiped computer? I'd hate to go through the hassle of a wipe/reinstall if I'm just going to reinfect the machine when I reload all the files I've saved.

Purkinje

June 11th, 2012 at 4:27 PM ^

I work for the University as a computer consultant, and when we get an infected machine, we handle it like this: 1) backup user profiles to external source 2) wipe infected HDD with DBAN 3) reload the OS and bring back the profile backups. Better to be safe than sorry.

It's not too involved a process unless you have a zillion software packages you'led to reinstall.

M - Flightsci

June 11th, 2012 at 10:40 PM ^

You seriously just wipe the HDD's and don't attempt an in-place removal?  Wow... I worked for a college IT help desk and we would spend hours upon hours attempting to remove malware without resorting to nuking most of the data.  That certainly would have been a more efficient solution on our end, although in no way elegant.

bluebloggin

June 11th, 2012 at 10:53 PM ^

And this approach is more common than you'd believe. It's up to the user to diligently backup because it's a waste of time to try and remove viruses especially if they're root kits. Root kits drive into the cornerstone and it's better to backup and nuke it.

With viruses your run the risk of leaving hangerons so just blow it up and be more careful next time

jlcoleman71

June 11th, 2012 at 4:24 PM ^

and trojan/malware issues in the past year, the standard programs were no good......malwarebytes and others did nothing.

I did some digging around online at the time and came across a program called "ComboFix.exe"...........I've used it twice now and have found it to be my last defense against these types of problems........it's looks ghetto and runs out of the DOS window........it runs an initial scan, will detect the problems and then ask to reboot.........once it reboots, it goes through a number of steps and ultimately got rid of the issues I had..........I was skeptical at first, but it works great.

You can download it from the cnet.com website.......and it's free.

http://download.cnet.com/Combofix/3000-8022_4-75221073.html

htownwolverine

June 11th, 2012 at 5:22 PM ^

Combofix will remove pretty much anything. I use it all the time. Run it two/three times and you should be ok. Kapersky and others like it are desiged for end users who are stupid and click on bad looking things (just kidding).

I have run my machines for 10 years with no AV. I use spyobt and superantispyware in the background and have Combofix and Malware Antibytes for cleaning.

Also, check out Hirens boot Cd as this has most any tool you need. Including the ability to load a lite version of Linux via flash drive to access hard drives when the dreaded Blue Screen of Death appears.

 

Check out this link sounds like this virus is a real MF'er :

 

Bleepingcomputer

 

NoVaWolverine

June 12th, 2012 at 9:34 AM ^

I've read of people having success using Combofix to remove the ZeroAccess rootkit only to find that they can't get an internet connection, can't connect to their network printer, etc.  So if I choose that path I'll proceed with caution (and probably with the help of one of the forums mentioned elsewhere in this thread).

joeyb

June 11th, 2012 at 4:30 PM ^

So, here is my thought on viruses. 90% of the time, anti-virus should take care of viruses with no issue. 9% of the time, you might have to do a little bit more, but everything works out. That 1% of the time, though, even if you manage to remove it from your system, it leaves it's mark behind. I find that when a virus is difficult to remove, the damage has already been done and it's easier to just cut your losses and start clean. I go with this mentality from the start and I keep all of my data separate from the OS. Lately, it's been a lot easier because I can keep almost everything online.

I know nothing about this particular rootkit, but, generally, rootkits are so deep in the system, they essentially become or appear to be part of the system, which is why they are so hard to remove. If you wipe, there should be no trace of the rootkit left over.

Depending on your priorities, here is what I would do.

  1. Back everything up.
  2. Try some of the more dangerous procedures to remove the virus (I'd skip this but it is an option).
  3. Format your system and start fresh.
  4. Get rid of McAfee, do a bit of research, and pick the best AV for you. I use Microsoft Security Essentials. Avast and AVG are also free. I've heard good things about Panda Security, but I think that costs money.

As Moleskyn mentioned above, there is the option of buying a new computer as well. That is not necessary, though, if your laptop was running to your satisfaction before the virus. If a computer is built right when you buy it, it can last years before it needs to be replaced. I built a computer for $600 6 years ago, replaced the graphics card 2 years ago, and it's still kicking. I won't upgrade that computer until I start having issues running software, which hasn't happened yet. If, however, your computer was slow, even before the virus, I suggest that you purchase a new laptop as reformatting would be like doing a full detail on a car with 150k miles on it that you don't plan on keeping for too much longer.

If you decide to do #2 in the list above, I found plenty of resources with a google search that should walk you through the steps necessary to remove it. You could also probably post on one of those forums and have someone help you one-on-one with your specific scenario.

Moleskyn

June 12th, 2012 at 8:44 AM ^

So, question: I've never had a problem with a virus on my computer, so I've never really thought of these things, but regarding storing all of your data somewhere other than your hard-drive, do you mean you store all of your files (Word docs, Excel spreadsheets, etc.) elsewhere? You can't do that with program files, can you? For instance, I have a 320 GB external hard drive that I pretty much just use for pictures and videos and such, so that they don't bog down my computer, but could I place my executables for Word, Excel, Photoshop, etc. on there, too? Basically just use the computer as an interface for accessing everything on my external hard drive?

joeyb

June 12th, 2012 at 11:16 AM ^

The first thing that I do with a new laptop is I zero the hard drive to get rid of all manufacturer stuff. Then, I partition the hard drive and put the OS on a ~50GB partition and give the rest to the second partition which I use for data, e.g. pictures, videos, documents, spreadsheets, etc. I used to change My Documents to point to the D: drive (Data partition) in XP so that nothing was ever stored on the C: drive, but Vista and 7 require a much bigger process to get the same functionality. Now, I just use Google Docs and back up all of my pictures to Google, so the partition is generally just used for random stuff like downloads or programs that I'm working on.

Executables are kind of tricky. Basically, you can install to the data partition, but if they need access to the registry and you wipe your OS, then you just FUBARed your program. They do make versions of software, meant to go on thumb drives, that you can choose to install on your data partition or external hard drive. Those update on their own schedule, but would do what you are looking to do. Like I said, it's meant for flash drives, so you probably aren't going to see a lot of really big programs available to you. Also, they have to have access to the source code and they rebuild them with this specific purpose, so I doubt that you can find MS Office, but who knows? Usually, though, I find it's just better to install all of your programs again. A lot of programs don't update, so installing fresh will get you the latest version. If you purchased (or downloaded) a program that can't be upgraded, then just keep the installer on your data drive in folders. I used to do that for hard-to-find programs.

NoVaWolverine

June 12th, 2012 at 11:28 AM ^

Thanks for your thoughts, joeyb -- appreciate your insights.

One question: There seem to be a lot of negative opinions of McAfee on this board, and I'm genuinely curious why that's so, as I don't follow this world of antivirus programs closely. (I suppose that's about to change...) McAfee has always worked fine for us, and I certainly don't blame it for my current predicament, which is my fault. (Unless someone tells me that a better AV would've blocked those phony Adobe Flash update popups from even appearing.) I also work at a place where, to put it mildly, there is an extreme emphasis on IT security, and we have McAfee on the computers here.

Are McAfee/Symantec etc. just too big to be agile enough to keep up with the ever shifting threats from hackers? Or is there some other reason they aren't as good as others? 

 

joeyb

June 12th, 2012 at 11:46 AM ^

Personal experience for me. McAfee just used to slow my computer to a hault. It also did little to prevent the worst viruses and still didn't clean the computer very well when it managed to find viruses. I used to have to supplement McAfee with AdAware and Spybot way back in the day. It is also confirmed in a lot of tests between AV programs; it just doesn't protect or clean as well as other programs.

We use Symantec at my work too. I don't know if there is a major difference between their enterprise and home AV solutions, but our CSO doesn't use Symantec at home either. Maybe it's just because the free AV programs are as good as, if not better than, the ones you pay for.

For a while, I dropped anti-virus altogether. I went years without getting a virus just by being smart about what I was doing. I did manage to get a virus at one point, but I'm pretty sure it was from one of my room mates.

When Microsoft Security Essentials came out, I tried it out with the thought that MS knows their system better than anyone else and it should integrate really well. It runs so flawlessly that I forget that I have it installed. I install it on every computer that I fix for people. What kills me is when I go to my in-laws and they (I'm thinking it's my brother-in-law) installed AVG on top of MSE. In case you weren't aware, having two AV programs is bad. Essentially, AV programs act like a bigger, badder virus and watch over your stuff for you. When you have two competing, they get in each others' ways and you end up with lapses in coverage.

a non emu

June 11th, 2012 at 4:30 PM ^

The laptop is old enough. Get your data off and re-image. if you don't have your original windows product key, just put Ubuntu/Linux Mint on it. for day to day tasks like browsing you won't notice a difference. If anything it'll probably run a little faster.

Griff88

June 11th, 2012 at 5:14 PM ^

In this case, system restore will not work. Before you run any tool/cleaner, turn it off.

Download Tdsskiller from here

 http://support.kaspersky.com/downloads/utils/tdsskiller.zip

Follow the instructions here

http://support.kaspersky.com/faq/?qid=208280684

Good luck, I hope you get rid of this nasty bug. If you want to be completely sure, then backup everything you want to save. Either burn the saved items to disk, or back them up to an external hard drive. Once that's done, make sure you have unpluged your external from the laptop. It's easy to forget that it's still connected, and you can accidentally format the external as well. Once you have everything backed up, then you can reformat/reinstall windows. All you need is a Windows Operating System Disk. You don't need the original recovery disks that came with the laptop.

If you don't know how to reformat/reinstall Windows. You will want to delete all partitions on the laptop, and then do the reinstall. You can find many youtube tutorials on how to do it. It's not hard, just take your time.

Dantana

June 11th, 2012 at 4:41 PM ^

I have dealt with these things in the past and am currently in the middle of trying to clean my computer from Trojan Sirefef.

To me, wiping the hard drive is the absolute last chance fix. There are many good forums much like this one that have techs who will walk you through the process of cleaning the computer for free.

The one I use is called www.techsupportguy.com. Create a login, then go to the  virus/malware removal forum and post your symptoms/malware/etc and wait for someone to respond. To speed things up, download a program called hijackthis (link should be on techsupportguy site) and run it and post the results in your initial post. This is a quick system snapshot of what programs are running and they can see what doesnt belong.

A few years back my computer autoinstalled an update which completely screwed up my computer, blue screen of death and all. I called Dell and explained it was one of their updates which caused the problem. Their solution? Wipe out the entire hard drive. I said F that and got on to techsupportguy and explained my situation. They walked me through uninstalling that particular update and bingo...computer back to normal.

 

bronxblue

June 11th, 2012 at 4:45 PM ^

I ran into this problem with my netbook a couple of years ago, and ultimately all I did was clean the system and reinstall the OS.  If you have your files backed up, you should be good.  Might need to follow up with some of the vendors if you have license keys, but that's relatively trivial and shouldn't be an issue for those that rely on physical addresses/IDs for authenticating your system.

Rootkits are notoriously tough to get rid of, and at some point just starting over makes more sense than slamming your head against a wall.

Blue Durham

June 11th, 2012 at 4:50 PM ^

back.  I went to the web site AUMHA.net and looked/searched through a variety of threads.  A number of other people were having similar problems and they fixed it for them.  About AUHMA:

  • They are computer guys who do this free but expect donations.  If they fix your problem, then I am sure you will be willing to donate.
  • They solve a variety of problems for a lot of people.  Look through the relevent threads and see how they handle people and what they expect.
  • How it works:  Unlike MGoBlog, you are instructed to post on your own thread ONLY.  If you post on someone else's thread, they will likely not only not help you but ban you. 
  • These guys do not suffer fools at all.  Do exactly what they ask, everything they ask, and in the order that they ask.  You screw up once, they will berate you.  Screw up a second time and they likely will lock your thread and not deal with you.
  • Your problem will be solved, but it will probably take a couple of days of back and forth e-mails and you sending some logs for them to check.

You will get one-on-one help with an expert with no cost except you donation if and when you choose to make one.  However this dialog that you have will be visible to anyone on the net. 

Everyone is instructed not copy the protocol set forth in threads (no matter how pertinent the other person's situation is to yours) other than the one(s) you start.  If you do, and this does not solve you problem, and then you start a thread asking for help, they will likely lock you thread.

Hope that helps.

NoVaWolverine

June 11th, 2012 at 5:27 PM ^

I love MGoBlog.  Lots of options to consider... I'll let you know how it works out.

One question I asked above, still not clear on the answer -- when I do a backup of all the stuff I want to save in case I need to reformat or buy a new machine, how do I ensure that stuff isn't infected before loading it onto the clean/new computer?

Thanks again!

Griff88

June 11th, 2012 at 5:51 PM ^

everything on the external hard drive. As long as you are not backing up system files, dll's, unfamiliar exe's, or registry entries... you should be fine.

I would recommend getting rid of McAfee Antivirus. For free Antivirus use either Microsoft Security Essentials or AVAST. For paid Antivirus, ESET Nod32 is excellent.  There is also a free online scanner from Trend Micro, that is good as well.

http://housecall.trendmicro.com/

Simply put, just scan everything.

BlueMan80

June 11th, 2012 at 5:52 PM ^

I need to backup my computer.  Haven't done that in a while.  Once my kids got their own computers, things have been a lot "cleaner" with this system.

Sac Fly

June 11th, 2012 at 6:59 PM ^

Trojans are tricky to get rid of because they update themselves. You can scan and remove all you want, but if there is a connection to the internet it will not go away. To fix this problem you have to scan in safemode.

If you want to make sure it gets out you have to learn the hard way. Find out which files are executing, back everything up and get rid of them manually.

Ditch your anti-virus, the knowlegde of protection systems and intrusion prevention is better then any anti-virus you could ever buy.

orobs

June 11th, 2012 at 8:18 PM ^

this thread makes me happy i no longer use windows.  I splurged on a shiny new imac in 2006.  It still works like new.  I've never had a virus.   I think the last time I rebooted it was 5 months ago