ZeroAccess Virus


My Vista 64-bit PC was infected with the ZeroAccess virus.

I feel fairly confident that I have successfully cleaned all remaining remnants of the virus; however, I have one outstanding issue that I have been unable to resolve.

(I have Tomato version 1.27 installed on a Linksys WRT54G.)

The infected PC (192.168.1.50) seems to block all incoming ping requests.

I have tried pinging from several different computers, all on the same subnet.

The WRT54G router (192.168.1.1) with Tomato has a ping tool that allows you to ping from the router to any

I am able to use the router ping tool to ping other devices connected to the router.

I am able to use the router ping tool to ping www.google.com.

The infected PC can successfully ping the router, and it can successfully ping other devices on the network.

I can see other networked devices just fine from the affected PC.

I can successfully ping other devices from the affected PC.

The only thing I cannot do is ping the affected PC.

This PC was used as a host for my Plex server, and so now, since the PC seems to be hidden, that service can no longer connect to it.

I have turned off Windows Firewall.

I don't have any other firewall installed on the machine.

Any ideas on how to correct the ping, short of re-installing the entire OS?



  • Root Admin

Just so you're aware, this is the typical response for the ZeroAccess rootkit. We'll need to get some logs back from you in order to see what's going on.

One or more of the identified infections is related to a nasty rootkit component which is difficult to remove. Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypass security mechanisms and steal sensitive information, which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums, from a CLEAN COMPUTER. You should consider them to be compromised. You should change each password by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised, please read How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, delete the partition, reformat and reinstall the operating system.

Please read:

Should you decide not to follow this advice, we will do our best to help clean the computer of any infections, but we cannot guarantee it to be trustworthy or that the removal will be successful. If you wish to proceed, disinfection will require more time and more advanced tools.

Please let us know how you would like to proceed.

Message borrowed from quietman7 with minor wording and link changes

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Reading the material you supplied has convinced me that it is not worth trying to clean the PC.

I do not want to be in a position to worry about whether or not financial transactions are at risk. It is not worth it.

That being said, I do have one more follow-up question.

The machine is a Dell machine. It has a partition on it that allows for a system restore. The warning when accessing it says something along the lines that the PC will be wiped and restored to factory condition.

I'm reading that to mean it would be like re-imaging the drive.

My question is, would that be a secure route to take, or do you think that the partition that contains the system restore info would have been compromised as well?


  • Root Admin

You should be able to use the Dell Factory Restore without any issues. I've not seen or heard of any infections that have affected the OEM factory recovery partitions, though I've sometimes seen the tools used to bring it up damaged.

I would recommend the factory restore choice, as otherwise you probably don't have a Windows installation disk and all the drivers on hand to do it.


Dell factory restore worked fine. Thank you for the advice.

I was able to ping from the router to the PC after the factory restore. It'll be more work, but I think I will end up spending less time restoring my apps and data than I've already spent troubleshooting.

I help a lot of friends clean up their PCs, and this was the first time I ever found damage I wasn't able to repair.

Thanks again!


  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
