07-27-2012 09:47 PM
JohnM
Trouble is users are using the 2 tools; mainly NPE looks like the problem, and with the new usermode variant of zeroaccess and services.exe one user had a BSOD on the restart twice (didn't learn the first time).
Others with the zeroaccess can have the combo, or have had the combo of zeroaccess and what looks like Boot.Pihar (or maxSS). Norton can detect it as Boot.Pihar or Boot.Tidserv.
Problem: using NPE on what is not the old TDL4 (Tidserv) causes a non-booting Windows, as it is incorrectly dealt with as TDL4.
I have to use FRST to complete the remove / repair after NPE for the user to be able to have Windows correctly start up in Normal Mode, or both Normal and Safe Mode.
I have not tested any new zeroaccess droppers over the last few days as I am trying to keep up on the forum with the threads; feels like I am trying to climb Everest with all 4 legs.
Quads
07-28-2012 09:22 AM - edited 07-28-2012 09:33 AM
Hello to all,
After reading carefully the text posted by JohnM, one thing is clear to me.
ZeroAccess malware writers are BY FAR better than Symantec's or other AV developers.
Maybe Symantec should consider hiring some of them to give a solution to this problem; otherwise I'm pretty sure that even after 2 or 3 years of investigations and NIS 2013, 14 or 15 the results will be the same.
If you are at the wrong place at the wrong time, ZeroAccess and its variants will gain control over your pc.
Conclusion: Everyone please back up your data, if possible format your pc every day to be at 100% sure and say a lot of prayers!!
I know this may sound negative but according to JohnM's post we are not ready to see results soon, only investigations and investigations....
Also, I have one question: If you are hit by this malware, would a format be considered as a 100% removal solution (by installing Windows with an installation disc or from a hidden partition), or as long as the format is performed some remnants of ZeroAccess will say "hello" after the format is finished?
Thanks for any advice.
Kindest regards,
07-28-2012 09:38 AM
Hi,
Just a couple of comments. If the malware and virus developers wanted honest jobs I'm sure they would apply.
Reinstalling from the installation disk is not 100%. Some things have been known to slip past and remain to bite again.
Stay well and surf safe.
07-28-2012 09:46 AM
Dickevans,
Thank you for your comments.
If reinstalling from the installation disc is not a 100% solution as you mentioned, what are the options left?
Throw the pc or deal with a removalist like Quads?
Any alternatives? If there are some, could you please explain in detail? (other than Norton removal tools).
Many thanks.
Best,
07-28-2012 10:13 AM
dickevans wrote: Hi,
Just a couple of comments. If the malware and virus developers wanted honest jobs I'm sure they would apply.
Reinstalling from the installation disk is not 100%. Some things have been known to slip past and remain to bite again.
Stay well and surf safe.
What malware can survive a reinstall from a system image? What about the malware giving people on the forum so much trouble now?
07-28-2012 10:19 AM
Sandbox your browser: www.sandboxie.com
07-28-2012 10:34 AM - edited 07-28-2012 10:37 AM
Apostolos wrote: After reading carefully the text posted by JohnM, one thing is clear to me.
ZeroAccess malware writers are BY FAR better than Symantec's or other AV developers.
Hi Apostolos,
The malware writers are not better. But malware writers always have an advantage, because AV products cannot provide an ironclad defense against a threat that they haven't yet seen. So the bad guys will tweak Zeroaccess to create a new, slightly altered sample, and test it against security products to make sure that it is not detectable prior to releasing it. Once it is released, AV vendors will quickly find it and create detection signatures that will protect users against it. Although modern techniques allow signatures to be put in place rapidly, in the interim the malware has the advantage. Thousands of new malware variants are released every day. This is why you will continually read here that no AV product can detect 100% of the threats in the wild. They all protect against the known threats, but with thousands of new threats to contend with daily, there are always some that have not yet been seen, and those are the ones that are able to evade detection.
07-28-2012 09:09 PM
Sorry, have to admit I had a chuckle at this in a new zeroaccess (services.exe) patch thread:
I just got off the chat with a Norton tech who was not able to help me with this issue. Then I saw that it is fixable.
Would someone please walk me through the process?
Thanks
Quads
07-29-2012 09:37 AM
car825 wrote:
dickevans wrote: Hi,
Just a couple of comments. If the malware and virus developers wanted honest jobs I'm sure they would apply.
Reinstalling from the installation disk is not 100%. Some things have been known to slip past and remain to bite again.
Stay well and surf safe.
What malware can survive a reinstall from a system image? What about the malware giving people on the forum so much trouble now?
Does anyone know the answer to this? My system is clean, but I like knowing I can fix things with a full image copy restore. How confident should I be, in percentage terms, that this is true?
07-29-2012 12:47 PM - edited 07-29-2012 12:51 PM
car825 wrote:
Does anyone know the answer to this? My system is clean, but I like knowing I can fix things with a full image copy restore. How confident should I be, in percentage terms, that this is true?
A full image copy restore should solve all of your problems except in the very very rare instance where malware has infected the system BIOS, in which case the BIOS chip would almost certainly need to be replaced.
I would be 99.9999 confident. I hope I don't give anyone any ideas!
