8 Replies Latest reply on Apr 11, 2013 7:48 AM by tschwab05

    free tools "rootkitremover"

      Hello - I have a client who seems to have a "zero-access-rootkit" on their server.  When I run the "rootkitremover" tool it responds that it has found the trojan, cleaned it, and requires a reboot.  After doing so, I re-run the tool and receive the same message.  This has happened several times and it will not clean.  I have tried numerous scans (sorry, not all McAfee) including Malwarebytes (1st run found and removed 14 infections - reboot required); Kaspersky's TDSSKiller (nothing found); Stinger (nothing found).  Any ideas would be greatly appreciated.







      [TimeStamp: 20121228102248]

      Rootkit Remover v0.8.9.160 [Dec  4 2012 - 17:44:01]

      McAfee Labs.


      Windows build 5.2.3790 x86 Service Pack 2

      Checking for updates ...

      Now Scanning...


          Malware Found --> ZeroAccess trojan detected!!!

            --> Registry key: HKEY_CLASSES_ROOT\CLSID\{f3130cdb-aa52-4c3a-ab32-85ffc23af9c1}\InprocServer32 ( fixed )

            --> Malicious file: c:\windows\system32\wbem\wbemess.dll ( will be deleted after restart )

            --> Registry key: HKEY_CLASSES_ROOT\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32 ( fixed )

            --> Malicious file: c:\windows\system32\wbem\fastprox.dll ( will be deleted after restart )

            ZeroAccess trojan was cleaned successfully!


      Scan Finished



      Other recommendations:

          1. Perform full scan with McAfee VirusScan product after reboot.


      Press any key to exit.
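The repeat detection described in the post can be confirmed by diffing saved logs from successive runs. The following is an added example, not part of the original post and not McAfee's code: it parses the log format shown above and lists items that the tool reported as handled in one run but detected again in a later run. The function names, the second run's timestamp and the `c:\constructed\...` path are assumptions made up for the illustration.

```python
import re
from collections import defaultdict

STAMP = re.compile(r"\[TimeStamp:\s*(\d{14})\]")
ITEM = re.compile(r"-->\s*(Registry key|Malicious file):\s*(.+?)\s*\(\s*([^()]+?)\s*\)\s*$")

def parse_runs(text):
    """Split concatenated logs into runs: [(timestamp, {(kind, target): action})]."""
    runs = []
    for line in text.splitlines():
        stamp = STAMP.search(line)
        if stamp:
            runs.append((stamp.group(1), {}))
            continue
        item = ITEM.search(line)
        if item and runs:
            kind, target, action = item.groups()
            runs[-1][1][(kind, target.lower())] = action  # Windows names are case-insensitive
    return runs

def recurring(runs):
    """Map each item seen in more than one run to [(timestamp, reported action), ...]."""
    seen = defaultdict(list)
    for stamp, items in sorted(runs, key=lambda r: r[0]):
        for key, action in items.items():
            seen[key].append((stamp, action))
    return {k: v for k, v in seen.items() if len(v) > 1}

# Constructed sample: run 1 is the log from the post plus one made-up item;
# run 2 (timestamp and contents) is constructed to mirror "same message after reboot".
SAMPLE = r"""
[TimeStamp: 20121228102248]
    Malware Found --> ZeroAccess trojan detected!!!
      --> Registry key: HKEY_CLASSES_ROOT\CLSID\{f3130cdb-aa52-4c3a-ab32-85ffc23af9c1}\InprocServer32 ( fixed )
      --> Malicious file: c:\windows\system32\wbem\wbemess.dll ( will be deleted after restart )
      --> Registry key: HKEY_CLASSES_ROOT\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32 ( fixed )
      --> Malicious file: c:\windows\system32\wbem\fastprox.dll ( will be deleted after restart )
      --> Malicious file: c:\constructed\only-in-run-1.dll ( will be deleted after restart )
[TimeStamp: 20121228110000]
    Malware Found --> ZeroAccess trojan detected!!!
      --> Registry key: HKEY_CLASSES_ROOT\CLSID\{f3130cdb-aa52-4c3a-ab32-85ffc23af9c1}\InprocServer32 ( fixed )
      --> Malicious file: c:\windows\system32\wbem\wbemess.dll ( will be deleted after restart )
      --> Registry key: HKEY_CLASSES_ROOT\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32 ( fixed )
      --> Malicious file: c:\windows\system32\wbem\fastprox.dll ( will be deleted after restart )
"""

if __name__ == "__main__":
    for (kind, target), hits in recurring(parse_runs(SAMPLE)).items():
        print(kind, target, hits)
```

An item that appears in every run with the same "fixed" or "will be deleted after restart" status is being put back between scans, which is a different problem from a scanner that misses it.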