I have a virus on my system and figured I’d check in here to see if anyone here knows a way to clean the thing off or at least neutralize it so that it’s not sending all of my personal information out to the assholes who wrote the thing. The virus is called Backdoor.Win32.ZAcess.aug and it’s located, according to Kaspersky 2011 AV in C:\Windows\assembly\GAC_32\Desktop.ini. It blew right through Kaspersky like it wasn’t even there, and while Kaspersky knows I have an infection there is apparently nothing it can do about it. I’ve been in contact with their tech support but they haven’t exactly been rapid in their help…and everything they have had me try (most of it generic BS I’d already tried) has failed miserably.
I’m fairly sure I’m going to have to blow the OS away and reload from scratch, but that’s such a pain in the ass that I thought I’d see if anyone here has any ideas of something else I can try. I’ve googled the virus, and there does seem to be some stuff online about puttering with the registry, but what I’d really like is some sort of cleaner tool that will get rid of or at least neutralize the virus for now. Anyone know anything about this? Preferably someone who has actually had to deal with it and figured out a way, short of the nuclear option, to get rid of the damn thing.
ETA: This system is running Windows 7, if that helps.
You need to stop it from loading into memory. Go offline, boot up in Safe Mode, and use the tools in this thread (download them first, before going offline):
If you can, I’d suggest just pulling the drive and putting it in another system that’s in good working order to do the clean up work. Other than that I guess you could try the Trinity rescue disc, since that has multiple antivirus scanners.
Thanks for the suggestions. I’ve tried all of them except putting in another drive and booting a different OS and they didn’t work. I’ve also used several Kas cleaners but they didn’t work either.
I’ll give the secondary hard drive/OS method a shot though and see if that works. Would be nice to save the system if I can.
If you’ve identified all the virus’ files, you can use the Windows permissions system to prevent them from loading at startup.
What you do is locate each virus file in Windows Explorer, right-click and choose Properties, choose the Security tab, click “All Users” in the list of Group or User Names, click Edit… then click the Deny checkbox next to Full Control.
To delete the file, you need to cut the power to your computer (sorry, but if you restart the traditional way you’re giving the virus an opportunity to rename its own files or make more copies of itself; cutting the power is the only way to “catch it by surprise”), and reboot.
Once rebooted, the virus should have been prevented from loading into memory, since the system doesn’t have permissions to access the file. The only problem is, you also don’t have permissions to throw the file away… so you need to go back to the file, remove the Deny checkbox, then you can toss the file in the Recycle Bin and empty it.
I’ve had a lot of success with this method before. For some reason, a lot of anti-virus guides never think of using the Windows file permission system to prevent viruses from loading; it’s a lot easier than creating custom boot disks or mounting the drive in another system. The only catch is you need to know all the filenames used by the virus.
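The two-phase procedure in the post above (deny all access before the forced power-off, then lift the deny and delete after the reboot), scripted with icacls.exe as an added example that is not from the thread. It assumes an elevated PowerShell on Windows 7, uses the well-known group Everyone in place of the GUI's "All Users" entry, and the paths, the function names and the placeholder list $SuspectFiles are all constructed for illustration.

```powershell
# Added example, not part of the thread. Run from an elevated PowerShell.
# $SuspectFiles is a constructed placeholder list; replace it with the exact
# file paths your AV product reported.
$SuspectFiles = @(
    'C:\PLACEHOLDER\suspect.exe',
    'C:\PLACEHOLDER\suspect.dll'
)

function Block-SuspectFile {
    # Phase 1 (before cutting the power): deny Everyone all access so the
    # file cannot be opened, and therefore cannot be loaded, on the next boot.
    param([string[]]$Files)
    foreach ($f in $Files) {
        if (-not (Test-Path -LiteralPath $f)) { Write-Warning "Not found: $f"; continue }
        # Clear read-only/hidden/system attributes so the ACL edit is not refused.
        attrib -r -h -s $f
        icacls $f /deny 'Everyone:(F)' | Out-Null
        # Print the resulting ACL so the DENY entry can be confirmed by eye.
        icacls $f
    }
}

function Remove-SuspectFile {
    # Phase 2 (after the reboot, once the file is no longer in memory): remove
    # the Deny entry first, because it also blocks your own delete, then delete.
    param([string[]]$Files)
    foreach ($f in $Files) {
        if (-not (Test-Path -LiteralPath $f)) { continue }
        icacls $f /remove:d Everyone | Out-Null
        Remove-Item -LiteralPath $f -Force -ErrorAction Stop
        Write-Host "Removed $f"
    }
}

# Usage: Block-SuspectFile $SuspectFiles; cut the power and reboot;
# then Remove-SuspectFile $SuspectFiles.
```

After the reboot, run `icacls` on each path again before deleting: if the DENY entry is gone, a component that was still running with administrator rights reset it before the power cut, and the file was not actually kept out of memory.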
It’s about the best way to do it, to be blunt. Actually, the couple of times I did that with computers owned by my family it all went pretty straightforward. (I have Windows Vista/7 with Avast and it was fairly easy to do since the OS automatically identified the drive.) Oh, one thing: make sure you check the BIOS and boot from your regular drive, not the drive you’re trying to clean up.
Oh, one other thing. If you don’t want to actually remove the drive you can sort of simulate it. If you put in a Linux live disk like Ubuntu, you can boot up first. Then make the hard drive available on your network with Samba. Once the drive is available on the network you can then take another machine that has a good antivirus and is in good working order to clean the drive over the network. (To be blunt, I haven’t really had much success with anti-virus programs running in Linux from a live disk, but this way the anti-virus is actually running on the remote Windows machine. Obviously though, pulling the drive and hooking it up directly is faster.)
I still haven’t had the time to do anything with the system. I got a reply from Kaspersky AV tech support earlier this weekend that they have upgraded my ticket to their next tier support, but I haven’t seen any movement on actually getting a solution. I’ve been working, though, so haven’t had time to take the system apart. I can say that the c:\windows\assembly\gac_32\desktop.ini file doesn’t seem to exist, despite the fact that Kaspersky insists that this is what is infected. I did some cursory looking for the file on Saturday but was unable to locate the thing.
I’m hoping to have some time to give some of the suggestions in this thread a try either Wednesday (work permitting…I’m HOPING it will be a really slow day, and I don’t have anything on my schedule atm) or over the long weekend (again, work permitting). I actually have not only a Linux boot disk at work but also an AV scrubber tool that will scrub a Windows partition (we use it for our MS servers when they get an infection that can’t be removed using our AV software). I’ll post anything that Kaspersky AV tells me via email, in case anyone is interested in options, or anyone does a search on this virus on the board and wants to know how to get rid of it, short of the nuclear option.
Thanks again for all the suggestions. If anyone has any other suggestions, please feel free to post them. Hopefully one of them will work for me or for other posters that might be in the same fix.
Go to Computer Hope and use their forums as a resource; they will have somebody guide you through a step by step process that should work fairly efficiently and with some fairly fast responses.
So far they haven’t recommended anything. They have just asked me to produce various reports for them using different tools (well, the first tier guys basically explained to me that I had to use the cleaning tools that come with the software, and were a bit miffed that I had already done everything they wanted to suggest).
You can try Download Free Tools | Trend Micro. You can remove the virus from the registry or furnish the results to a forum that can help you with the removal.
Figured I’d update the thread with the resolution and what worked and what didn’t. I didn’t end up having time to blow the OS away and reload from scratch due to work and RL constraints, but I did try a number of things. First off I tried several of the suggestions in this thread and used a version of Trinity that we had at work (and what was linked to in this thread). Basically none of it worked. Trinity actually broke my system somewhat, as for a while I was unable to boot the OS properly. I managed to repair it, but Kas was still spamming me that the virus was on my system.
The tech support guys at Kas ended up sending me a program called CleanUp.exe and a text file called Cleanup_Script.txt and another program called ComboFix.exe that they wanted me to run in sequence. Basically I was to run CleanUp.exe and the text file that presumably has the script in it from the desktop and then send them the results (in a log file also put in a folder on the desktop). As far as I could tell this did nothing. On reboot I was to shut down Kaspersky and reboot into safe mode with networking and run the ComboFix.exe program. I did this and it took about 45 minutes with multiple reboots, but at the end I seem to have come out with a clean system. Kas is no longer saying I’m infected (I’m actually running a full up scan right now while I type this on the iPad), and everything seems to be running clean (my firewall software, for instance, was shut down and I couldn’t even access it or even Windows Firewall, but both seem to be functioning as they should again now).
Sorry about the late appearance, ZeroAccess rootkits have made for a busy day here in the tech world.
We have had mixed results from ComboFix today; on several occasions ComboFix shut down/crapped out mid-stream. The nice thing is it did manage to shut down the virused task so we could slam in a copy of Malwarebytes and run it, which can kill it, as long as the task that kills Malwarebytes can be shut down.
Well, it was a happy ending here. The scan ran clean and everything seems to be working fine now. I got a copy of Acronis from work and am in the process of getting a system image I can roll back to if this happens again.
(just FYI, I had tried malwarebytes and superantispyware as well as a few others when I was trying to get this fixed…none of them worked either)
Many of these viruses will block the tasks associated with the installers for common AV apps. Renaming the installer, and sometimes the executable for the AV app, often allows it to slip through.
Well, spoke too soon. Either the virus was still there or I got another virus just playing Skyrim and surfing the Straight Dope. This time I don’t have any idea what it is, though. The only symptom I can say is that I can’t execute any programs on the system. Trying to execute anything comes back with an error to the effect that the executable associated with the icon I’m trying to run does not exist, and do I wish to remove it. This goes for literally everything…including Kaspersky. And control panel…I can’t execute any programs in there. And it seems to do the same thing when I go into safe mode. I can’t even run MSCONFIG this time, though I haven’t tried putting it on a flash drive or running it off the other OS partition.
Things I’ve tried so far are booting into safe mode (as indicated above I still can’t run anything), booting a secondary drive and running AV from there (all of the AV programs I ran came back negative…they detect no virus at all), and Trinity (the 2 virus defs I ran last night came back clean…no virus). Any suggestions? I actually have less to work with this time and there seems to be a lot less I can do here.
We picked up a TDSS variant last summer - well, my daughter did. We’re still not sure where it came from, but all the AVG alerts that kept saying “virus found!” flagged files under her user, and none under anyone else’s. AVG would clean 'em up, but the next day there would be more.
I downloaded Malwarebytes and it didn’t detect anything. I wound up getting help from one of their forums (similar to the help you can get from the Hijackthis forums). Combofix was involved, as well as some other steps to really clean out a lot of old files etc.
If you haven’t gone to one of those forums, I’d suggest you do so pronto. I probably spent 10 or more hours, spread out over a few days, but the computer has been behaving correctly since then.
In our case, what saved us from some really nasty stuff was that my daughter’s user didn’t have admin rights. So nobody else’s files were affected. There was one time where she got a popup saying “this program needs admin rights, please enter admin password”. She told me about this - didn’t attempt to grant permission, fortunately (not that she has the admin password as far as I know…).
At this point I’m probably just going to blow the system away (as I should have done in the first place) this weekend. I should have the time since I don’t have any travel plans until after the first of the year…and we are supposed to get the snow-pocalypse this weekend, so I’ll probably be stuck at home anyway. Really I just want to save my game files, loaded games and, most crucially, my porn collection. Other than that the rest of the stuff, including all that nasty work stuff, can fry for all I care.
(Going to some of the other forums is good advice, though in this case I’m not even sure what to tell them…basically every program seems to be disabled on bootup, and nothing works at all, even in Safe Mode. The system seems totally locked. I might try to run ComboFix, just for S&Gs before I take the plunge and blow the system away, assuming I can even run it from a flash drive.)