free tools "rootkitremover"


Hello - I have a client who seems to have a "zero-access-rootkit" on their server.  When I run the "rootkitremover" tool it responds that it has found the trojan, cleaned it, and requires a reboot.  After doing so, I re-run the tool and receive the same message.  This has happened several times and it will not clean.  I have tried numerous scans (sorry, not all McAfee) including Malwarebytes (1st run found and removed 14 infections - reboot required); Kaspersky's TDSSKiller (nothing found); Stinger (nothing found).  Any ideas would be greatly appreciated.

Thanks

Tim

ex

.

[TimeStamp: 20121228102248]

Rootkit Remover v0.8.9.160 [Dec  4 2012 - 17:44:01]

McAfee Labs.

Windows build 5.2.3790 x86 Service Pack 2

Checking for updates ...

Now Scanning...

    Malware Found --> ZeroAccess trojan detected!!!

      --> Registry key: HKEY_CLASSES_ROOT\CLSID\{f3130cdb-aa52-4c3a-ab32-85ffc23af9c1}\InprocServer32 ( fixed )

      --> Malicious file: c:\windows\system32\wbem\wbemess.dll ( will be deleted after restart )

      --> Registry key: HKEY_CLASSES_ROOT\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32 ( fixed )

      --> Malicious file: c:\windows\system32\wbem\fastprox.dll ( will be deleted after restart )

      ZeroAccess trojan was cleaned successfully!

Scan Finished

PLEASE REBOOT IMMEDIATELY TO COMPLETE CLEANING.

Other recommendations:

    1. Perform full scan with McAfee VirusScan product after reboot.

Press any key to exit.

8 Replies
Reliable Contributor exbrit
Message 2 of 9

Re: free tools "rootkitremover"


Nothing is guaranteed, unfortunately.  Have you tried a) System Restore to before all this happened, or b) running MalwareBytes in Safe Mode? If that fails, then follow the Hijackthis suggestion at the bottom of the last link in my signature below.

I moved this out of Live Support and put it in Malware Discussion > Corporate User Assistance (because you mentioned a server) otherwise they will steer you to their virus removal service which costs money.

P.S. Also try Stinger.

.


Message was edited by: Ex_Brit on 17/01/13 9:22:46 EST AM
Reliable Contributor exbrit
Message 3 of 9

Re: free tools "rootkitremover"


On second thoughts, I moved this to "Top Threats" as there are a number of other threads here about Zero Access.

Re: free tools "rootkitremover"


Thanks much, Ex_Brit!

Reliable Contributor exbrit
Message 5 of 9

Re: free tools "rootkitremover"


Hope it helps, good luck.

vinoo
Level 13
Message 6 of 9

Re: free tools "rootkitremover"


Just stumbled upon this thread and brought it to the notice of the developers.

This is a false positive and we’re fixing it in the next version of the tool. No changes have been done to the operating system or other files on disk by RR due to this false.

Re: free tools "rootkitremover"


Sorry for the delay, Vinoo.  Just wanted to thank you for this reply!

vinoo
Level 13
Message 8 of 9

Re: free tools "rootkitremover"


We posted an updated Rootkit Remover build today v0.8.9.161 that fixes the Zero Access false positive.

Thanks for reporting!

Re: free tools "rootkitremover"


AWESOME!  Thanks, Vinoo!
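
A way to confirm the "cleaned, reboot, found again" loop from the logs themselves, as an added example that is not part of the original thread or McAfee's code: it parses two Rootkit Remover logs in the format shown in the first post and lists the items reported both before and after the reboot. The second log and its timestamp are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample input: RUN_1 repeats lines from the log in the first post;
# RUN_2 is a constructed post-reboot log with a made-up timestamp.
RUN_1 = r"""[TimeStamp: 20121228102248]
Rootkit Remover v0.8.9.160 [Dec  4 2012 - 17:44:01]
    Malware Found --> ZeroAccess trojan detected!!!
      --> Registry key: HKEY_CLASSES_ROOT\CLSID\{f3130cdb-aa52-4c3a-ab32-85ffc23af9c1}\InprocServer32 ( fixed )
      --> Malicious file: c:\windows\system32\wbem\wbemess.dll ( will be deleted after restart )
      --> Registry key: HKEY_CLASSES_ROOT\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32 ( fixed )
      --> Malicious file: c:\windows\system32\wbem\fastprox.dll ( will be deleted after restart )
      ZeroAccess trojan was cleaned successfully!
"""
RUN_2 = RUN_1.replace("20121228102248", "20121228110000")  # constructed timestamp

# "--> <kind>: <target> ( <status> )"; the "Malware Found --> ..." line does not match.
FINDING = re.compile(
    r"^\s*-->\s*(Registry key|Malicious file):\s*(.+?)\s*\(\s*(.+?)\s*\)\s*$", re.M)
BUILD = re.compile(r"^Rootkit Remover (v[\d.]+)", re.M)


def parse_log(text):
    """Return (build, {(kind, lowercased target): status}) for one scan log."""
    m = BUILD.search(text)
    findings = {(kind, target.lower()): status
                for kind, target, status in FINDING.findall(text)}
    return (m.group(1) if m else None), findings


def recurring(before, after):
    """Items the first run claimed to handle that the post-reboot run reports again."""
    build_a, first = parse_log(before)
    build_b, second = parse_log(after)
    repeats = sorted(key for key in first if key in second)
    return {"same_build": build_a == build_b, "repeats": repeats}


if __name__ == "__main__":
    result = recurring(RUN_1, RUN_2)
    print("same tool build:", result["same_build"])
    for kind, target in result["repeats"]:
        print("reported again after reboot:", kind, target)
```

Repeats with `same_build` true mean the same build keeps reporting the same items after each reboot, which is the pattern this thread traced to a false positive fixed in v0.8.9.161.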
