Discovered: May 29, 2014
Type: Removal Information
This tool is designed to remove the infection of the Gameover variant of Trojan.Zbot
which drops and installs the Necurs rootkit as a kernel driver to protect the malware files on disk and in memory.
How to download and run the tool
- You must have administrative rights to run this tool on Windows XP, Windows Vista, or Windows 7.
- There are two versions of this tool, one designed to run on 32-bit computers and one designed to run on 64-bit computers. To find out if your computer is running a 32-bit or 64-bit version of Windows, please read the following Microsoft Knowledge Base article: How to determine whether a computer is running a 32-bit version or 64-bit version of the Windows operating system
Note for network administrators: If you are running MS Exchange 2000 Server, we recommend that you exclude the M drive from the scan by running the tool from a command line, with the Exclude switch. For more information, read the Microsoft Knowledge Base article: Issues caused by a back up or a scan of the Exchange 2000 M drive
Follow these steps to download and run the tool:
- Download FixNecurs64bit.exe for 64-bit computers and FixNecurs32bit.exe for 32-bit computers.
- Save the file to a convenient location, such as your Windows desktop.
- If you are sure that you are downloading this tool from the Security Response website, you can skip this step. If you are not sure, or are a network administrator and need to authenticate the files before deployment, follow the steps in the Digital Signature section before proceeding with step 4.
- Close all the running programs.
- If you are running Windows XP, turn off System Restore. For instructions on how to turn off System Restore, read your Windows documentation.
- Double-click the FixNecurs64bit.exe or the FixNecurs32bit.exe file to start the removal tool.
- Click I Accept to accept the EULA, then click Start to begin the process and allow the tool to run.
- Restart the computer when prompted by the removal tool. Multiple restarts may be required.
- When the tool has finished running, you will see a message prompting you to check the logfile for results. You will also be prompted to run Norton Power Eraser for additional cleanup.
- Click Yes to run Norton Power Eraser.
The removal tool writes a summary of its operation to a logfile named FixTool.log with results similar to the following:
- List of detected processes
- List of detected files
- List of terminated processes
- List of removed files
- List of removed registry keys
- List of removed registry values
- List of removed registry values on reboot
If the system is clean, no restart is required and the logfile will be blank.
What the removal tool does
The removal tool carries out the following actions:
- Terminates the associated processes
- Removes the associated files
- Removes registry keys/values added by the threat
The following switches are designed for use by network administrators:
- /HELP, /H, /?
Displays the help message
- /SILENT, /S
Enables silent mode
If silent mode is enabled, no reboot will occur
- /LOG=[PATH NAME]
Creates a logfile where [PATH NAME] is the location in which to store the removal tool's output. By default, this switch creates the logfile in the same folder from which the removal tool was executed.
Scans the mapped network drives. (We do not recommend using this switch.*)
*Important: Using the /MAPPED switch does not ensure the complete removal of the virus on the remote computer, because:
- The scanning of mapped drives scans only the mapped folders. This may not include all of the folders on the remote computer, which can lead to missed detections.
- If a viral file is detected on the mapped drive, the repair may fail if a program on the remote computer uses that file.
- On Windows Vista and Windows 7, scanning mapped drives may fail if the user account running the removal tool is not the administrator account, even if it is a member of the Administrator group. In these cases the mapped drive will appear as disconnected after scanning with the removal tool. Please see the following Microsoft Knowledge Base article for more information: Programs may be unable to access some network locations after you turn on User Account Control in Windows Vista or newer operating systems
Therefore, you should run the removal tool on every computer.
For security purposes, the removal tool is digitally signed. Symantec recommends that you use only copies of the removal tool that have been directly downloaded from the Symantec Security Response website. If you are not sure, or are a network administrator and need to authenticate files before deployment, you should check the authenticity of the digital signature. Follow these steps:
- Go to http://www.wmsoftware.com/free.htm.
- Download and save the Chktrust.exe file to the same folder in which you saved the removal tool.
Note: Most of the following steps are done at a command prompt. If you downloaded the removal tool to the Windows desktop, it will be easier if you first move the tool to the root of the C drive. Then save the Chktrust.exe file to the root of the C drive as well. (Step 3 assumes that both the removal tool and Chktrust.exe are in the root of the C drive.)
- Click Start > Run.
- Type the following: cmd
- Click OK.
- In the command window, type the following, pressing Enter after typing each line:
chktrust -i FixTool.exe
- You should see one of the following messages, depending on your operating system:
Windows XP SP2: The Trust Validation Utility window will appear. Under Publisher, click the Symantec Corporation link. The Digital Signature Details appear.
Verify the contents of the following fields to ensure that the tool is authentic:
Name: Symantec Corporation
Signing Time: 08/30/2014 10:22:13
All other operating systems: You should see the following message: Do you want to install and run "FixTool.exe" signed on Saturday, August 30, 2014 10:22:13 and distributed by Symantec Corporation?
Notes: The date and time in the digital signature above are based on Pacific Time. They will be adjusted for your computer's time zone and regional options settings. If you are using Daylight Saving time, the displayed time will be exactly one hour earlier.
If this dialog box does not appear, it may be because the removal tool is not from Symantec: Unless you are sure that the removal tool is legitimate and that you downloaded it from the legitimate Symantec website, you should not run it.
- Click Yes or Run to close the dialog box.
- Type exit, and then press Enter. (This will close the MS-DOS session.)