This one's REALLY quite annoying.
A friend called me last week, saying they were having problems with their computer (again; I'd fixed it a couple of months ago when his registry exited stage left) and asked me if I could come over Saturday and have a look at it.
McAfee's writeup:
https://kc.mcafee.com/resources/sit...US/McAfee Labs Threat Advisory-ZeroAccess.pdf
You really should read the above, as this ZeroAccess not only kills most antivirus tools, it buries them by revoking access privileges.
I spent the better part of Saturday trying to get his system cleaned of this thing. Didn't know what it was at first; kept getting browser redirects when trying Google searches. I'd installed AVG Free 2012 previously, but it wasn't working. Unfortunately, his CD-ROM drive wasn't functional, so my toolkit of diagnostic CDs was worthless.
The Windows Installer was not active, and I couldn't start it. Turned out that when I tried running msiexec.exe I got "Access is denied" - the rootkit had removed all access privileges after killing the process. Apparently, Microsoft Update had tried to install a replacement for a "tripwire" (think of it as a file used as "bait"), and msiexec.exe tried to update the tripwire file (in this case it was mrxsmb.sys, as in the .pdf file - but it can be many other files). As soon as a process/program tries to access the tripwire files, the rootkit attaches an APC that causes the process/program to exit immediately - and revokes access.
This really gets annoying as tool after tool gets killed and access removed. I couldn't even install a number of tools I normally would use since msiexec wasn't started. Tried using GMER, but didn't know about the "tripwire", so GMER got killed along with the other tools.
It can't revoke privileges on flash drives/USB sticks nor CDs, so they are good things to have handy.
I took the computer home with me so I could swap out the CD-ROM with a working one. Finally got rid of the rootkit using the latest ComboFix; and then it's been a time putting the machine back together.
Of course you have to reset privileges back to defaults, but this rootkit ALSO got rid of (deleted) secedit.exe, along with revoking privs; had to expand a new one but call it secedi.exe until the privs were restored.
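As an added example (not from the original post or from any vendor tool), the cleanup step the post describes, in PowerShell: audit the DACLs on the files the rootkit is known to strip, reset them, and run the default-security-template reset via secedit, falling back to a renamed copy expanded from install media when secedit.exe itself has been deleted. The file list, the offline-volume handling, the template path and the source path for the compressed secedit copy are assumptions; only msiexec.exe, mrxsmb.sys and secedit.exe are named in the post. Because any process that touches a tripwire file on the live infected system gets the APC and dies, run this from clean boot media (WinPE/USB against the offline volume) or only after the rootkit has been removed.

```powershell
# Added example, not the post's own script. Run as Administrator.
# -SystemRoot may point at an offline volume (e.g. D:\Windows) when booted from
# other media; -SeceditSource is the compressed secedit copy on install media
# (assumption: location depends on the Windows version and media).
param(
    [string]$SystemRoot    = $env:SystemRoot,
    [string]$SeceditSource = ""
)

# Files the post reports ZeroAccess stripping ACLs from or deleting (illustrative list).
$targets = @(
    "$SystemRoot\System32\msiexec.exe",
    "$SystemRoot\System32\drivers\mrxsmb.sys",
    "$SystemRoot\System32\secedit.exe"
)

function Test-StrippedDacl {
    # Returns $true when the file carries no Allow entries at all (or its DACL
    # cannot even be read), which is what "all access privileges removed" looks like.
    param([string]$Path)
    try {
        $acl = Get-Acl -LiteralPath $Path
    } catch {
        return $true
    }
    $allow = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' })
    return ($allow.Count -eq 0)
}

function Repair-FileAcl {
    # Take ownership so WRITE_DAC is available regardless of the DACL, then reset
    # the DACL to what the parent directory grants by inheritance.
    param([string]$Path)
    takeown /f $Path /a | Out-Null          # ownership to the Administrators group
    icacls $Path /reset | Out-Null          # replace DACL with inherited default
    icacls $Path /inheritance:e | Out-Null  # make sure inheritance is enabled
}

foreach ($path in $targets) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "$path is missing (the post reports secedit.exe being deleted outright)"
        continue
    }
    if (Test-StrippedDacl -Path $path) {
        Write-Host "$path : no Allow entries - resetting ACL"
        Repair-FileAcl -Path $path
        icacls $path                         # show the repaired DACL for the record
    } else {
        Write-Host "$path : DACL readable with Allow entries present, leaving as is"
    }
}

# Machine-wide reset of the default file/registry/service security settings.
# If secedit.exe was deleted, expand a copy under a different name (the post used
# secedi.exe) so a still-active tripwire on the original name is not triggered.
$secedit = "$SystemRoot\System32\secedit.exe"
if (-not (Test-Path -LiteralPath $secedit)) {
    if ($SeceditSource -eq "") {
        throw "secedit.exe is missing; pass -SeceditSource <path to SECEDIT.EX_ on install media>"
    }
    $secedit = "$SystemRoot\System32\secedi.exe"
    expand $SeceditSource $secedit | Out-Null
}
$template = "$SystemRoot\inf\defltbase.inf"   # default security template shipped with Windows
$db       = Join-Path $env:TEMP "defltbase.sdb"
& $secedit /configure /cfg $template /db $db /verbose
Write-Host "secedit log: $SystemRoot\security\logs\scesrv.log"
```

Running this against the live infected machine defeats the purpose: the moment Get-Acl opens mrxsmb.sys the rootkit's APC kills the PowerShell host, exactly as it killed GMER and msiexec in the post. After the reset, re-run the loop; every target should report Allow entries, and the secedit log lists any object it could not reconfigure.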