Hello - I have a client who seems to have a "zero-access-rootkit" on their server. When I run the "rootkitremover" tool it responds that it has found the trojan, cleaned it, and requires a reboot. After doing so, I re-run the tool and receive the same message. This has happened several times and it will not clean. I have tried numerous scans (sorry, not all McAfee) including Malwarebytes (1st run found and removed 14 infections - reboot required); Kaspersky's TDSSKiller (nothing found); Stinger (nothing found). Any ideas would be greatly appreciated.
Thanks
Tim
[TimeStamp: 20121228102248]
Rootkit Remover v0.8.9.160 [Dec 4 2012 - 17:44:01]
McAfee Labs.
Windows build 5.2.3790 x86 Service Pack 2
Checking for updates ...
Now Scanning...
Malware Found --> ZeroAccess trojan detected!!!
--> Registry key: HKEY_CLASSES_ROOT\CLSID\{f3130cdb-aa52-4c3a-ab32-85ffc23af9c1}\InprocServer32 ( fixed )
--> Malicious file: c:\windows\system32\wbem\wbemess.dll ( will be deleted after restart )
--> Registry key: HKEY_CLASSES_ROOT\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32 ( fixed )
--> Malicious file: c:\windows\system32\wbem\fastprox.dll ( will be deleted after restart )
ZeroAccess trojan was cleaned successfully!
Scan Finished
PLEASE REBOOT IMMEDIATELY TO COMPLETE CLEANING.
Other recommendations:
1. Perform full scan with McAfee VirusScan product after reboot.
Press any key to exit.
Nothing is guaranteed unfortunately. Have you tried a) System Restore to before all this happened, b) running Malwarebytes in Safe Mode... if that fails then follow the HijackThis suggestion at the bottom of the last link in my signature below.
I moved this out of Live Support and put it in Malware Discussion > Corporate User Assistance (because you mentioned a server) otherwise they will steer you to their virus removal service which costs money.
P.S. Also try Stinger.
On second thoughts, I moved this to "Top Threats" as there are a number of other threads here about Zero Access.
Thanks much, Ex_Brit!
Hope it helps, good luck.
Just stumbled upon this thread and brought it to the notice of the developers.
This is a false positive and we're fixing it in the next version of the tool. No changes have been done to the operating system or other files on disk by RR due to this false positive.
Sorry for the delay, Vinoo. Just wanted to thank you for this reply!
We posted an updated Rootkit Remover build today v0.8.9.161 that fixes the Zero Access false positive.
Thanks for reporting!
AWESOME! Thanks, Vinoo!