8 Replies Latest reply: Apr 11, 2013 7:48 AM by tschwab05

    free tools "rootkitremover"

    tschwab05

      Hello - I have a client who seems to have a "zero-access-rootkit" on their server.  When I run the "rootkitremover" tool it responds that it has found the trojan, cleaned it, and requires a reboot.  After doing so, I re-run the tool and receive the same message.  This has happened several times and it will not clean.  I have tried numerous scans (sorry, not all McAfee) including Malwarebytes (1st run found and removed 14 infections - reboot required); Kaspersky's TDSSKiller (nothing found); Stinger (nothing found).  Any ideas would be greatly appreciated.


      Thanks

      Tim


      ex

      .

      [TimeStamp: 20121228102248]

      Rootkit Remover v0.8.9.160 [Dec  4 2012 - 17:44:01]

      McAfee Labs.


      Windows build 5.2.3790 x86 Service Pack 2

      Checking for updates ...

      Now Scanning...


          Malware Found --> ZeroAccess trojan detected!!!

            --> Registry key: HKEY_CLASSES_ROOT\CLSID\{f3130cdb-aa52-4c3a-ab32-85ffc23af9c1}\InprocServer32 ( fixed )

            --> Malicious file: c:\windows\system32\wbem\wbemess.dll ( will be deleted after restart )

            --> Registry key: HKEY_CLASSES_ROOT\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32 ( fixed )

            --> Malicious file: c:\windows\system32\wbem\fastprox.dll ( will be deleted after restart )

            ZeroAccess trojan was cleaned successfully!


      Scan Finished

      PLEASE REBOOT IMMEDIATELY TO COMPLETE CLEANING.


      Other recommendations:

          1. Perform full scan with McAfee VirusScan product after reboot.


      Press any key to exit.
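Added example, not part of the original post and not McAfee code: a small Python script that turns the Rootkit Remover findings quoted above into structured records (the CLSID that was flagged, the DLL reported beside it, and what the tool says it did), so that after the reboot an analyst can re-read the same registry keys and hash the same files instead of re-running the tool and eyeballing the same text. The sample report embedded in the script is constructed from the lines in the post. Everything used is Python standard library (`re`, `winreg`, `hashlib`); the registry and file re-check only runs on Windows and only reports what is currently there, because the post does not say what the legitimate InprocServer32 values should be, so that comparison stays with the analyst.

```python
"""Parse McAfee Rootkit Remover findings and, on Windows, collect evidence
for the same registry keys and files after a reboot.

Added example for the thread above; SAMPLE_REPORT is constructed from the
tool output quoted in the post."""
import hashlib
import os
import re
import sys
from dataclasses import dataclass

# Constructed sample: the findings block from the report quoted in the post.
SAMPLE_REPORT = r"""
    Malware Found --> ZeroAccess trojan detected!!!
      --> Registry key: HKEY_CLASSES_ROOT\CLSID\{f3130cdb-aa52-4c3a-ab32-85ffc23af9c1}\InprocServer32 ( fixed )
      --> Malicious file: c:\windows\system32\wbem\wbemess.dll ( will be deleted after restart )
      --> Registry key: HKEY_CLASSES_ROOT\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32 ( fixed )
      --> Malicious file: c:\windows\system32\wbem\fastprox.dll ( will be deleted after restart )
      ZeroAccess trojan was cleaned successfully!
"""

# One finding line: "--> <kind>: <target> ( <status> )"
FINDING_RE = re.compile(r"^\s*--> (Registry key|Malicious file): (.+?) \( (.+?) \)\s*$")
# Pull the {GUID} out of an HKCR\CLSID\{GUID}\InprocServer32 key path
CLSID_RE = re.compile(r"\\CLSID\\(\{[0-9a-f-]{36}\})\\InprocServer32$", re.IGNORECASE)


@dataclass
class Finding:
    kind: str    # "registry" or "file"
    target: str  # key path or file path, exactly as the tool printed it
    status: str  # what the tool says it did, e.g. "fixed"


def parse_report(text):
    """Extract every '-->' finding line from a Rootkit Remover report."""
    findings = []
    for line in text.splitlines():
        m = FINDING_RE.match(line)
        if not m:
            continue
        kind = "registry" if m.group(1) == "Registry key" else "file"
        findings.append(Finding(kind, m.group(2), m.group(3)))
    return findings


def persistence_pairs(findings):
    """Pair each flagged InprocServer32 key with the file reported right after it.

    Returns (clsid, file_path) tuples, both lower-cased for stable comparison."""
    pairs = []
    pending = None
    for f in findings:
        if f.kind == "registry":
            pending = f
        elif f.kind == "file" and pending is not None:
            m = CLSID_RE.search(pending.target)
            clsid = m.group(1).lower() if m else None
            pairs.append((clsid, f.target.lower()))
            pending = None
    return pairs


def current_inprocserver32(clsid):
    """Windows only: read the (Default) value of HKCR\\CLSID\\<clsid>\\InprocServer32.

    Returns None when the key does not exist."""
    if sys.platform != "win32":
        raise RuntimeError("registry check only runs on Windows")
    import winreg  # standard library on Windows builds of Python
    key_path = "CLSID\\" + clsid + "\\InprocServer32"
    try:
        with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, key_path) as key:
            value, _ = winreg.QueryValueEx(key, "")
            return value
    except FileNotFoundError:
        return None


def sha256_of(path):
    """SHA-256 of a file, or None if it is not present (e.g. deleted at reboot)."""
    if not os.path.isfile(path):
        return None
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_evidence(pairs):
    """For each flagged pair, record what the registry and file system show now.

    The analyst compares this against the tool's findings; the script makes
    no claim about which InprocServer32 value is the legitimate one."""
    return [
        {"clsid": clsid,
         "inprocserver32_now": current_inprocserver32(clsid),
         "flagged_file": path,
         "flagged_file_sha256": sha256_of(path)}
        for clsid, path in pairs
    ]


if __name__ == "__main__":
    report = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    found = persistence_pairs(parse_report(report))
    for clsid, path in found:
        print(clsid, "->", path)
    if sys.platform == "win32":
        for row in collect_evidence(found):
            print(row)
```

Run it with the saved tool output as the first argument, or with no argument to parse the constructed sample. On a Windows host the second loop prints the InprocServer32 value each flagged CLSID currently holds and the hash of the flagged DLL if it still exists; if the same CLSID still names a file the tool keeps deleting, that is the record to hand to the vendor alongside the hash.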