The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.
Course Of The Month
7 days, 6 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
Zero Access infection
Posted on 2013-01-05
This workstation is running Win 7 Pro sp1. Automatic Update wasdisabled so I checked services.msc and discovered the services were missing. I have installed latest versions of rkill, rogue killer, tdsskiller, and malwarebytes. Rogue killer and rkill both report zero access root kit. tdsskiller found no infection. while booted to normal desktop using administrator user account I ran rkill and then ran Malware bytes which stopped responding in the middle of the scan. log files are attached. I have not deleted any files or registry entries yet.
RKreport-1--S-01052013-02d1015.txt
Rkill.txt
RKreport-1--S-01052013-02d1015.txt
Rkill.txt
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
-
5
4
2
11 Comments
Active today
Root kit viruses are very difficult to remove completely (or even remove at all). You have sufficient problem here to warrant backing up, formatting and then doing a fresh install of Windows. Then get a good, paid, commercial antivirus.
..... Thinkpads_User
..... Thinkpads_User
@ Thinkpads_user
I do understand your point but this is a business workstation. reconfiguration would require + 4 hours after OS install due to multiple 3rd party softwre. User had allowed AV to lapse. Found related post here; http://www.bleepingcomputer.com/forums/topic449600.html but
atapplies and what doesn't. Would like to attempt repair. please advise
I do understand your point but this is a business workstation. reconfiguration would require + 4 hours after OS install due to multiple 3rd party softwre. User had allowed AV to lapse. Found related post here; http://www.bleepingcomputer.com/forums/topic449600.html but
atapplies and what doesn't. Would like to attempt repair. please advise
Active today
Most of the stuff in that article applies. You need to work through each section.
As you can tell from the length of the article and the responses, getting rid of a rootkit can take more time than re-installing Windows.
If you do decide to re-install, do not forget to delete all the partitions on the disk and start again. Otherwise the rootkit will just come back.
Please explain to the user that the damage could take longer to fix than re-installing.
Good luck. ... Thinkpads_User
As you can tell from the length of the article and the responses, getting rid of a rootkit can take more time than re-installing Windows.
If you do decide to re-install, do not forget to delete all the partitions on the disk and start again. Otherwise the rootkit will just come back.
Please explain to the user that the damage could take longer to fix than re-installing.
Good luck. ... Thinkpads_User
@ Thinkpads_User
I've seen a lot of your posts. Usually spot on. Thanks for the advice. I'll get back to you.
I've seen a lot of your posts. Usually spot on. Thanks for the advice. I'll get back to you.
Active 2 days ago
Just a tip: Eset has a remover for zeroaccess / sirefef - see here: http://kb.eset.com/esetkb/index?page=content&id=SOLN2895
Maybe worth a try...
Maybe worth a try...
@ Thinkpads_User and gerwinjansen
I followed the steps in the Bleeping Computer tutorial but Malwarebytes and Combofix (step 4) both stopped responding while running. Next I ran the Eset removal tool mentioned above. After this MS Updates started working but still couldn't run MWB. I noticed that MWB was hanging on a file in the Temporary Internet Files folder so I tried removing using IE which appeared to work but didn't fix the problem. I also tried CCleaner but it ran overnight without finishing. Next I started manually removing files in Temporary Internet Files folder from a command prompt. Then MWB ran to completion without finding anything but 15 risks showed up in Vipre AV (which was installed after lapse of coverage). I realize I can't be sure the system is clean but I think I may have gotten it. I intend to run Eset online scanner as well as running rkill and Rogue Killer again just to see if they come back clean. Do either of you want to see any log files? HJT etc.?
I followed the steps in the Bleeping Computer tutorial but Malwarebytes and Combofix (step 4) both stopped responding while running. Next I ran the Eset removal tool mentioned above. After this MS Updates started working but still couldn't run MWB. I noticed that MWB was hanging on a file in the Temporary Internet Files folder so I tried removing using IE which appeared to work but didn't fix the problem. I also tried CCleaner but it ran overnight without finishing. Next I started manually removing files in Temporary Internet Files folder from a command prompt. Then MWB ran to completion without finding anything but 15 risks showed up in Vipre AV (which was installed after lapse of coverage). I realize I can't be sure the system is clean but I think I may have gotten it. I intend to run Eset online scanner as well as running rkill and Rogue Killer again just to see if they come back clean. Do either of you want to see any log files? HJT etc.?
Active today
You can never be sure with rootkits because they come back again. If you think the system is working, run it for a while to see if it is stable.
.... Thinkpads_User
.... Thinkpads_User
Active 2 days ago
Might be an idea to run a virus scanner from a bootable cd. Avg has one, as do Comodo, bitdefender and Avira.
I neglected to mention earlier that I was also reluctant to do a fresh install because the computer has a recovery partition but no Disks. Not insurmountable but it can be difficult to find drivers sometimes.
The Eset online scan found and fixed one more problem, rkill and Rogue Killer both found no issues. Vipre full scan also found nothing. I'll run a CD based scan as suggested above but I think I may have it cleaned up. Thanks for the suggestions.
The Eset online scan found and fixed one more problem, rkill and Rogue Killer both found no issues. Vipre full scan also found nothing. I'll run a CD based scan as suggested above but I think I may have it cleaned up. Thanks for the suggestions.
Featured Post
![[Webinar] Learn How Hackers Steal Your Credentials](https://filedb.experts-exchange.com/files/public/2017/5/21/e0b7778f-e79e-4b5d-9ec6-5496e40be42e.png)
Do You Know How Hackers Steal Your Credentials? Join us and Skyport Systems to learn how hackers steal your credentials and why Active Directory must be secure to stop them. Thursday, July 13, 2017 10:00 A.M. PDT
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
The purpose of this Article is to provide information for a newly released variant of malware – with the assumption that many EE Members will have need of the information.
According to “Computerworld”, well over one million web sites have been co…
There are many reasons malware will stay around and continue to grow as a business. The biggest reason is the expanding customer base. More than 40% of people who are infected with ransomware, pay the ransom. That makes ransomware a multi-million…
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
- Anti-Virus Apps
- Ransomware
- The Email Laundry
- Email Servers
- Cybersecurity
- Microsoft Access, *malware
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email
Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
Suggested Courses
Course of the Month7 days, 6 hours left to enroll
726 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.