Removal of the Cloud Security family of FakeAV + ZeroAccess rootkit

Removing this family when ZeroAccess is also infecting the system is an extra challenge, because ZeroAccess protects itself by blocking security programs (its tripwire) no matter what the file name is.

This FakeAV family includes OpenCloud Antivirus, OpenCloud Security, Security Guard 2012, AV Guard Online, Guard Online and Online Protection. Online Protection has extra files to deal with.

ZeroAccess blocks security software no matter what you rename the file to. That includes HijackThis, Malwarebytes, NPE and so on.

I actually infect my PC with AV Guard Online and ZeroAccess like a standard user, so I know what happens and what gets blocked, and I work my way around it.

I did this in Normal Mode (not Safe Mode). During the step-by-step removal in Normal Mode you will find the FakeAV keeps popping up with warnings and trying to get you to buy it. This gets annoying during the process, but keep closing the window or clicking "No Thanks", "Continue unprotected", etc.

Step 1.

Change the view settings to show hidden files and folders, system files and extensions of known file types. Instructions for XP, Vista and Windows 7:

XP

  1. Double-click on the My Computer icon.
  2. Select the Tools menu and click Folder Options.
  3. After the new window appears select the View tab.
  4. Put a checkmark in the checkbox labeled Display the contents of system folders.
  5. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
  6. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
  7. Remove the checkmark from the checkbox labeled Hide protected operating system files.
  8. Press the Apply button and then the OK button, and close My Computer.
  9. Now your computer is configured to show all hidden files.

Vista

  1. Close all programs so that you are at your desktop.
  2. Click on the Start button. This is the small round button with the Windows flag in the lower left corner.
  3. Click on the Control Panel menu option.
  4. When the Control Panel opens you can be in either Classic View or Control Panel Home view:

     If you are in Classic View:
       1. Double-click on the Folder Options icon.
       2. Click on the View tab.
       3. Go to step 5.

     If you are in Control Panel Home view:
       1. Click on the Appearance and Personalization link.
       2. Click on Show Hidden Files or Folders.
       3. Go to step 5.

  5. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
  6. Remove the checkmark from the checkbox labeled Hide extensions for known file types.
  7. Remove the checkmark from the checkbox labeled Hide protected operating system files.
  8. Press the Apply button and then the OK button.
  9. Now Windows Vista is configured to show all hidden files.

Windows 7

Close all programs so that you are at your desktop.

  1. Click on the Start button. This is the small round button with the Windows flag in the lower left corner.
  2. Click on the Control Panel menu option.
  3. When the Control Panel opens click on the Appearance and Personalization link.
  4. Under the Folder Options category, click on Show Hidden Files or Folders.
  5. Under the Hidden files and folders section select the radio button labeled Show hidden files, folders, or drives.
  6. Remove the checkmark from the checkbox labeled Hide extensions for known file types.
  7. Remove the checkmark from the checkbox labeled Hide protected operating system files (Recommended).
  8. Press the Apply button and then the OK button.
  9. Now Windows 7 is configured to show all hidden files.

Step 2.

a) Go into the Windows\system32 folder and find the file named taskmgr.exe.

b) Right-click taskmgr.exe and select Copy from the menu.

c) Then, on your desktop, right-click and select Paste. You should now have a copy of taskmgr.exe on the desktop.

d) Right-click the desktop copy of taskmgr.exe, select Rename from the menu, and rename the file from taskmgr.exe to iexplore.exe.

[Screenshot: renamed_taskmgr.jpg]

What does this do?

1. taskmgr.exe is not a security program, so if the PC also has ZeroAccess it does not get blocked by the tripwire; ZeroAccess allows it through.

2. Renaming the desktop copy of taskmgr.exe to iexplore.exe means the FakeAV family in question also allows it through and doesn't block it either.

Remember, I did this in Normal Mode. Here is a screenshot after running the desktop copy of the renamed Task Manager:

[Screenshot: zeroaccess and AVGuard family.jpg]

Three entries of note for me in the screenshot above:

iexplore.exe: this is the running, renamed Task Manager.

jccc52iib......: this is the FakeAV running under a random file name (the FakeAV Online Protection may have more than one listed).

169439....:4103.....: this is my copy of ZeroAccess showing in the list; there is nothing that can be done about this one at this point.

If you are unsure of what you are looking at in the list, write down all of the files and ask someone on whatever forum you are on; it's better to be safe than sorry.

e) End/kill the process(es) that belong to the FakeAV in question (in my case "jccc52iibDpnGaH.exe"). After doing so you will notice the FakeAV has shut down/closed, including the systray icon by the clock in the lower right-hand corner; you may have to run the mouse cursor over the icon to watch it disappear.

 

DO NOT RESTART THE COMPUTER!!!

Step 3.

Now that the FakeAV process(es) have been stopped, other .exe files can run.

a) Run msconfig.

XP

Go to Start, then Run from the menu, type msconfig and press OK.

Windows 7 / Vista

In the Search box type msconfig and press ENTER.

Click on the Startup tab.

Here is a screenshot of my Startup tab:

[Screenshot: FAKEAV_Msconfig.jpg]

I have highlighted above the entry that is for the FakeAV. Once again, if you are unsure of what you are looking at in the list, write down all of the files and ask someone on whatever forum you are on; it's better to be safe than sorry.

b) Uncheck/untick the entry (or entries) that are present on your system.

c) Press Apply, then press OK.

d) When given the option to Restart or Exit without Restarting, select Exit without Restarting.

 

DO NOT RESTART THE COMPUTER!!!

Step 4.

Download the ZeroAccess removal tools. You may have to turn off Auto-Protect for, say, 1 hour before running the tools.

AntiZeroAccess (updated): http://blog.webroot.com/tag/antizeroaccess/ (download link on the right-hand side: Download the ZeroAccess/Max++ rootkit remover)

ZeroAccessRemovalTool: http://www.malwarecity.com/community/index.php?app=downloads&showfile=34

The ZeroAccessRemovalTool will do a system scan for ZeroAccess, and both tools will disinfect.

My log:


Execution time: 10/10/2011- 16:03
Host operation System: Windows Xp X86 version 5.1.2600 Service Pack 3
16:03:48 - CheckSystem - Begin to check system...
16:03:48 - OpenRootDrive - Opening system root volume and physical drive....
16:03:48 - C Root Drive: Disk number: 0  Start sector: 0x0000003F   Partition Size: 0x12A18A82 sectors.
16:03:48 - PrevX Main driver extracted in "C:\WINDOWS\system32\drivers\ZeroAccess.sys".
16:03:48 - InstallAndStartDriver - Main driver was installed and now is running.
16:03:48 - CheckSystem - Warning! Disk class driver is INFECTED.
16:03:50 - CheckFile - Internal consistence error: Sector buffer is not of a PE file!
16:03:50 - CheckFile - Warning! File "serial.sys" is Infected by ZeroAccess Rootkit.
16:03:53 - DoSecondPhaseCheck - Found and destroyed ZeroAccess self defense Service Key: "b71190a".
16:04:00 - DoRepair - Begin to perform system repair....
16:04:00 - DoRepair - System Disk class driver was repaired.
16:04:00 - DoRepair - Infected "serial.sys" file was renamed.
16:04:00 - DoRepair - Infected "serial.sys" file was successfully cleaned!
16:04:00 - DoRepair - "desktop.ini" ZeroAccess file NOT found.
16:04:00 - StopAndRemoveDriver - AntiZeroAccess Driver is stopped and removed.
16:04:00 - StopAndRemoveDriver - File "ZeroAccess.sys" was deleted!
16:04:00 - Execution Ended!


Now RESTART your computer.
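As an added example (not from the original post, and not part of either removal tool), here is a small Python parser for the AntiZeroAccess log format shown above. It pulls out what the tool reported as infected, what it repaired, the self-defense service key it destroyed, and whether the run finished, so an infected entry with no matching repair line stands out before you restart. The line format and the sample lines are taken from the log above; the function names are my own.

```python
import re

# Sample input: a subset of the AntiZeroAccess log lines quoted above.
SAMPLE_LOG = """\
16:03:48 - CheckSystem - Begin to check system...
16:03:48 - CheckSystem - Warning! Disk class driver is INFECTED.
16:03:50 - CheckFile - Warning! File "serial.sys" is Infected by ZeroAccess Rootkit.
16:03:53 - DoSecondPhaseCheck - Found and destroyed ZeroAccess self defense Service Key: "b71190a".
16:04:00 - DoRepair - System Disk class driver was repaired.
16:04:00 - DoRepair - Infected "serial.sys" file was renamed.
16:04:00 - DoRepair - Infected "serial.sys" file was successfully cleaned!
16:04:00 - DoRepair - "desktop.ini" ZeroAccess file NOT found.
16:04:00 - Execution Ended!
"""

# "HH:MM:SS - Component - message"; some lines (e.g. "Execution Ended!") carry no component.
LINE_RE = re.compile(r'^(\d{2}:\d{2}:\d{2}) - (?:(\w+) - )?(.*)$')

def parse_log(text):
    """Return (time, component, message) for every line in the tool's format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m.group(1), m.group(2) or "", m.group(3)))
    return events

def _item(msg):
    """Name the object a line refers to: the quoted file name, or the disk class driver."""
    q = re.search(r'"([^"]+)"', msg)
    if q:
        return q.group(1)
    return "Disk class driver" if "Disk class driver" in msg else msg.rstrip(".!")

def summarize(text):
    """Collect what the tool found infected, what it repaired, and whether it finished."""
    f = {"infected": [], "repaired": [], "service_keys": [], "completed": False}
    for _, comp, msg in parse_log(text):
        if msg.startswith("Warning!"):
            f["infected"].append(_item(msg))
        elif comp == "DoSecondPhaseCheck" and "Service Key" in msg:
            f["service_keys"].append(_item(msg))
        elif comp == "DoRepair" and ("repaired" in msg or "cleaned" in msg):
            f["repaired"].append(_item(msg))  # "renamed" alone is not a finished repair
        elif msg.startswith("Execution Ended"):
            f["completed"] = True
    return f

def unresolved(findings):
    """Infected items with no matching repair line: rescan rather than reboot."""
    return [i for i in findings["infected"] if i not in findings["repaired"]]
```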

 

Step 5.

Now that ZeroAccess is gone and the FakeAV is disabled, you can run programs like Malwarebytes, SUPERAntiSpyware Free and any others. Once they are installed and their definitions are updated, run a Full Scan to remove the dormant leftover objects.

Quads