
Malware/rootkit


I'm not sure if it belongs in this forum group or another, so I apologize if it is in the wrong spot. I have encountered about a dozen times in the last week a particular virus/rootkit that I have been unsuccessful in removing with a wide variety of methods and tools. Any removal utility will almost instantly be terminated, permissions and ability to access the program are broken. Some utilities can run but don't find it. The only thing I have to show is a screenshot of the running process that is always there when the rootkit is present. It is not able to be terminated from task manager, or command line, not that I've been able to determine at least. I'm hoping the screenshot will be recognized by someone who may have information on how it can be removed, if at all.

Thanks!

Aaron

post-95759-0-76035200-1317321664.jpg


Greetings :)

Based on your description, it sounds like you're dealing with ZAccess, also known as ZeroAccess or 0Access, a very nasty rootkit that blocks its files/processes from being accessed by closing the applications that try to do so and then stripping their permissions to prevent them from running again until permissions have been restored and the infection removed.

There are a few variants of this infection, each behaving a bit differently, so unfortunately the same method does not always apply to every variant but you can take a look in some of the topics in this forum to see how our expert helpers have been dealing with it (a lot of users have been hit by this lately, so finding threads about it won't be difficult at all).

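The reply above describes the symptom as the rootkit closing a removal tool and then stripping the permissions on its executable so it cannot be started again. The following PowerShell, added here as an example and not part of the thread or any Malwarebytes tooling, audits an executable's ACL for that symptom (missing read/execute for the local Users group, explicit Deny entries, a changed owner, inheritance switched off) and resets it to the inherited defaults. The install path and the `BUILTIN\Users` principal are assumptions; adjust them for the machine in question. Run it from an elevated prompt.

```powershell
# Added example (not from the original thread). Audits and restores the
# NTFS permissions of an executable whose ACL has been stripped.
# $Path and $Principal defaults are assumptions for illustration.

function Test-ExecutePermission {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $Principal = 'BUILTIN\Users'
    )
    $acl    = Get-Acl -LiteralPath $Path
    $needed = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute

    # An Allow entry for the principal that carries at least ReadAndExecute.
    $allow = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Principal -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $needed) -eq $needed)
    }
    # Any explicit Deny entry blocks access regardless of Allow entries.
    $deny = $acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' }

    [pscustomobject]@{
        Path           = $Path
        Owner          = $acl.Owner
        InheritanceOff = $acl.AreAccessRulesProtected
        HasReadExecute = [bool]$allow
        DenyEntries    = @($deny | ForEach-Object {
                             "$($_.IdentityReference): $($_.FileSystemRights)" })
    }
}

function Restore-DefaultPermission {
    param([Parameter(Mandatory)] [string] $Path)
    # Take ownership first: Set-Acl/icacls fail if the owner was changed
    # to a SID the current account cannot act on.
    & takeown.exe /F $Path | Out-Null
    # /reset replaces the explicit ACL (including Deny entries) with the
    # permissions inherited from the parent directory.
    & icacls.exe $Path /reset | Out-Null
    Test-ExecutePermission -Path $Path
}

# Usage. The path is an assumed install location.
$target = 'C:\Program Files\Malwarebytes Anti-Malware\mbam.exe'
$before = Test-ExecutePermission -Path $target
$before | Format-List
if (-not $before.HasReadExecute -or $before.DenyEntries.Count -gt 0 -or $before.InheritanceOff) {
    Restore-DefaultPermission -Path $target | Format-List
}
```

The check only tells you whether the executable's ACL is in the broken state; it does not detect the rootkit. As the reply notes, while the infection is still active the permissions may be stripped again the moment the restored tool is launched, so the reset is useful for getting a tool to start, not as a removal step on its own. The ReadAndExecute mask test assumes explicit rights as shown by Get-Acl; entries expressed as generic rights values (large integers) will not match and should be inspected manually.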

Combofix worked for me but I had to uninstall and reinstall MWB to get it to work again.


  • Root Admin

Combofix is a good utility but it should not be used without supervision. There has been more than one occasion on which it has completely wiped out all data on a computer. Without being in the know about the status of the tool, you could make things much worse than they are.


Combofix is a good utility but it should not be used without supervision.

Agreed. I have used it a few times over the years with great results but I do have full backup.

Why is it that Mbam can't successfully quarantine the "rootkit:zeroaccess"? The Mbam quarantine window started to load but then was gone, and Mbam would not load.

Is there a way to protect "user access" from this type of malware? If I set Mbam to a high priority, would this help?

Also do we know why combofix would wipe data? If all the files are infected?

