
ZEROACCESS Rootkit


3 replies to this topic

#1 JJDetroit

JJDetroit

    New Member

  • Members
  • 11 posts

Posted 18 July 2013 - 02:52 PM

A friend of mine has MBAM Pro installed on a Win7 desktop. A couple weeks ago he got a piece of ransomware that I was able to remove only by starting the PC in Safe Mode and running a Full Scan with MBAM. Tuesday he got ZEROACCESS, which once again I could only remove by running MBAM in Safe Mode. I see from reading forum messages that this rootkit has been known for some time. Shouldn't MBAM Pro be able to stop this? Does this mean MBAM is not configured properly?



#2 AdvancedSetup

AdvancedSetup

    Staff

  • Root Admin
  • 41,248 posts
  • Gender:Male
  • Location:US

Posted 18 July 2013 - 02:59 PM

The issue is that there are hundreds of new "droppers" and methods used to install malware. The best thing to do is have an Expert assist you with clean up and then putting things in place to prevent further infections.

I would suggest following the advice from the topic here Available Assistance for Possibly Infected Computers and having one of the Experts assist you with looking into your issue.


Thanks


Ron Lewis
Forum Community Manager



#3 Firefox

Firefox

    Forum Deity

  • Trusted Advisors
  • 10,049 posts
  • Gender:Male
  • Location:USA

Posted 18 July 2013 - 03:03 PM

Hello and welcome

Just to say that malware changes very quickly, and it could be possible that at the time he got infected, Malwarebytes may not have known about that particular variant of malware. That being said....

It could be possible that your Malwarebytes may have been out of date, or protection disabled. It could also be that Malwarebytes notified him of the block and the user just ignored it, or it could also be a configuration issue; we would need logs for that. One other thing that it could be is that the computer could have still been infected from the prior infection, and that allowed the computer to get compromised once again.

If the computer was/is infected with Rootkit.ZeroAccess, a BackDoor Trojan, see the warning below.

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063

We can attempt to clean this machine but we cannot guarantee that it will be 100% secure afterwards nor that we can repair whatever damage may have already been done.

If you decide to clean it,

I would suggest you have an expert help you with this computer to make sure it is completely clean before proceeding with anything else.

Being that the computer is probably still infected, feel free to follow the instructions below to receive free, one-on-one expert assistance in checking your system and clearing out any infections and correcting any damage done by the malware.

Please see the following pinned topic which has information on how to get help with this: Available Assistance for Possibly Infected Computers

Thank you



Dell Precision T7500, Win7 Ultimate 64bit fully updated, McAfee Corp Edition v8.8,
Watchguard Firewall, Intel Xeon E5606CPU, Dual Quad Core Processors, 16GB Ram,
E5606 @ 2.13GHz, Nvidia Quadro NVS420, Raid-1 Dual 1TB Sata 10000 rpm Hard Drives
Dual DVD Burners, IE10, Opera, MBAM, MBSB, MBAE


#4 David H. Lipman

David H. Lipman

    Forum Deity

  • Experts
  • 4,256 posts
  • Gender:Male
  • Location:Jersey Shore USA
  • Interests:Malware Research, dSLR Photography, Numismatics & Surf Fishing

Posted 18 July 2013 - 04:11 PM

JJDetroit:

You should have a talk with your friend and find out if he is performing risky activity, as all the software in the world won't protect one if they don't practice Safe Hex.

BTW: You didn't mention what anti-virus application is used in conjunction with MBAM. MBAM is an adjunct to a fully installed anti-virus application and not a replacement.


David H. Lipman
DLipman@Verizon.Net
