cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
tschwab05
Level 7
Report Inappropriate Content
Message 1 of 9
‎01-17-2013 05:31 AM

free tools "rootkitremover"

Jump to solution

Hello - I have a client who seems to have a "zero-access-rootkit" on their server.  When I run the "rootkitremover" tool it responds that it has found the trojan, cleaned it, and requires a reboot.  After doing so, I re-run the tool and receive the same message.  This has happened several times and it will not clean.  I have tried numerous scans (sorry, not all McAfee) including Malwarebytes (1st run found and removed 14 infections - reboot required); Kaspersky's TDSSKiller (nothing found); Stinger (nothing found).  Any ideas would be greatly appreciated.

Thanks

Tim

ex

.

[TimeStamp: 20121228102248]

Rootkit Remover v0.8.9.160 [Dec  4 2012 - 17:44:01]

McAfee Labs.

Windows build 5.2.3790 x86 Service Pack 2

Checking for updates ...

Now Scanning...

    Malware Found --> ZeroAccess trojan detected!!!

      --> Registry key: HKEY_CLASSES_ROOT\CLSID\{f3130cdb-aa52-4c3a-ab32-85ffc23af9c1}\InprocServer32 ( fixed )

      --> Malicious file: c:\windows\system32\wbem\wbemess.dll ( will be deleted after restart )

      --> Registry key: HKEY_CLASSES_ROOT\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32 ( fixed )

      --> Malicious file: c:\windows\system32\wbem\fastprox.dll ( will be deleted after restart )

      ZeroAccess trojan was cleaned successfully!

Scan Finished

PLEASE REBOOT IMMEDIATELY TO COMPLETE CLEANING.

Other recommendations:

    1. Perform full scan with McAfee VirusScan product after reboot.

Press any key to exit.

0 Kudos
Reply
1 Solution

Accepted Solutions
vinoo
Level 13
Report Inappropriate Content
Message 8 of 9
‎04-10-2013 09:42 PM

Re: free tools "rootkitremover"

Jump to solution

We posted an updated Rootkit Remover build today v0.8.9.161 that fixes the Zero Access false positive.

Thanks for reporting!

View solution in original post

0 Kudos
Reply
8 Replies
exbrit
MVP
Report Inappropriate Content
Message 2 of 9
‎01-17-2013 06:16 AM

Re: free tools "rootkitremover"

Jump to solution

Nothing is guaranteed unfortunately.  Have you tried a) System Restore to before all this happened, b) try running MalwareBytes in Safe Mode...if that fails then follow the Hijackthis suggestion at the bottom of the last link in my signature below.

I moved this out of Live Support and put it in Malware Discussion > Corporate User Assistance (because you mentioned a server) otherwise they will steer you to their virus removal service which costs money.

P.S. Also try Stinger.

.


Message was edited by: Ex_Brit on 17/01/13 9:22:46 EST AM
0 Kudos
Reply
exbrit
MVP
Report Inappropriate Content
Message 3 of 9
‎01-17-2013 06:21 AM

Re: free tools "rootkitremover"

Jump to solution

On second thoughts, I moved this to "Top Threats" as there are a number of other threads here about Zero Access.

0 Kudos
Reply
tschwab05
Level 7
Report Inappropriate Content
Message 4 of 9
‎01-17-2013 06:56 AM

Re: free tools "rootkitremover"

Jump to solution

Thanks, much Ex_Brit!

0 Kudos
Reply
exbrit
MVP
Report Inappropriate Content
Message 5 of 9
‎01-17-2013 07:30 AM

Re: free tools "rootkitremover"

Jump to solution

Hope it helps, good luck.

0 Kudos
Reply
vinoo
Level 13
Report Inappropriate Content
Message 6 of 9
‎02-01-2013 05:30 PM

Re: free tools "rootkitremover"

Jump to solution

Just stumbled upon this thread and brought it to the notice of the developers.

This is a false positive and we’re fixing it in the next version of the tool. No changes have been done to the operating system or other files on disk by RR due to this false.

0 Kudos
Reply
tschwab05
Level 7
Report Inappropriate Content
Message 7 of 9
‎02-14-2013 04:55 AM

Re: free tools "rootkitremover"

Jump to solution

Sorry for the delay, Vinoo.  Just wanted to thank  you for this reply!

0 Kudos
Reply
vinoo
Level 13
Report Inappropriate Content
Message 8 of 9
‎04-10-2013 09:42 PM

Re: free tools "rootkitremover"

Jump to solution

We posted an updated Rootkit Remover build today v0.8.9.161 that fixes the Zero Access false positive.

Thanks for reporting!

View solution in original post

0 Kudos
Reply
tschwab05
Level 7
Report Inappropriate Content
Message 9 of 9
‎04-11-2013 05:48 AM

Re: free tools "rootkitremover"

Jump to solution

AWESOME!  Thanks, Vinoo!

0 Kudos
Reply

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community


Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA

Consumer Support   |   Enterprise Support   |   McAfee.com

Legal   |   Privacy   |   Copyright © 2020 McAfee, LLC