
ZEROACCESS Rootkit


A friend of mine has MBAM Pro installed on a Win7 desktop. A couple weeks ago he got a piece of ransomware that I was able to remove only by starting the PC in Safe Mode and running a Full Scan with MBAM. Tuesday he got ZEROACCESS, which once again I could only remove by running MBAM in Safe Mode. I see from reading forum messages that this rootkit has been known for some time. Shouldn't MBAM Pro be able to stop this? Does this mean MBAM is not configured properly?


  • Root Admin

The issue is that there are hundreds of new "droppers" and methods used to install malware. The best thing to do is have an Expert assist you with clean up and then putting things in place to prevent further infections.
I would suggest following the advice from the topic here Available Assistance for Possibly Infected Computers and having one of the Experts assist you with looking into your issue.


Thanks


Hello and welcome

Just to say that malware changes very quickly, and it could be possible that at the time he got infected, Malwarebytes may not have known about the particular variant or malware. That being said...

It could be possible that your Malwarebytes may have been out of date, or protection disabled. It could also be that Malwarebytes notified him of the block and the user just ignored it or it could also be a configuration issue, we would need logs for that. One other thing that it could be is that the computer could have still been infected from the prior infection and that allowed the computer to get compromised once again.

If the computer was/is infected with Rootkit.ZeroAccess, a BackDoor Trojan, see the warning below.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

We can attempt to clean this machine but we cannot guarantee that it will be 100% secure afterwards nor that we can repair whatever damage may have already been done.

If you decide to clean it,

I would suggest you have an expert help you with this computer to make sure it is completely clean before proceeding with anything else.

Being that the computer is probably still infected, feel free to follow the instructions below to receive free, one-on-one expert assistance in checking your system and clearing out any infections and correcting any damage done by the malware.

Please see the following pinned topic which has information on how to get help with this: Available Assistance for Possibly Infected Computers

Thank you


JJDetroit:

You should have a talk with your friend and find out if he is performing risky activity, as all the software in the world won't protect one if they don't practice Safe Hex.

BTW: You didn't mention what antivirus application is used in conjunction with MBAM. MBAM is an adjunct to a fully installed antivirus application and not a replacement.
