05-20-2012 06:49 PM
Just a Note,
Some variants of Zeroaccess can or will shut down Norton and other security products, or stop scans from occurring / won't start.
Quads
05-20-2012 07:18 PM
Quads wrote:Just a Note,
Some variants of Zeroaccess can or will shut down Norton and other security products, or stop scans from occurring / won't start.
Quads
Sure hope you can dig us out of this one - I'd be totally lost
05-20-2012 07:32 PM
Zeroaccess is not that hard you just have to track down which variant, and where the objects are, also is there anything else that came along with it.
It's harder if it's a combo infection, say Zeroaccess + Pihar + FakeAVs + other malware; you just have to figure out which to break first, as tools that scan looking for the rootkit / bootkit may not work or work properly, as the FakeAV or other malware over the top may be trying to block it.
Having these tools malfunction during their scans may cause a bigger hole to deal with.
Quads
05-20-2012 08:12 PM
Quads wrote:Zeroaccess is not that hard you just have to track down which variant, and where the objects are, also is there anything else that came along with it.
It's harder if it's a combo infection, say Zeroaccess + Pihar + FakeAVs + other malware; you just have to figure out which to break first, as tools that scan looking for the rootkit / bootkit may not work or work properly, as the FakeAV or other malware over the top may be trying to block it.
Having these tools malfunction during their scans may cause a bigger hole to deal with.
Quads
Thanks for the short lesson.
When I get in trouble I'll come calling. You have convinced me with your posts that I'd be way out of my knowledge zone trying to play with any of this stuff.
Thank you for being here and even more so thank you for all of your time and expertise helping all of us.
If there's anything I can do for you, ask, I'll try
06-10-2012 07:41 PM
The services.exe I directly sent SSR (Symantec) is now detected as Trojan.Patchep!sys, Dormant state at least, although now the Writeup is out of date haha.
Quads
06-11-2012 05:00 AM
Quads wrote:The services.exe I directly sent SSR (Symantec) is now detected as Trojan.Patchep!sys, Dormant state at least, although now the Writeup is out of date haha.
Quads
Quads,
Isn't that about normal? About the time you get it written/published it's out of date. Got to love the speed at which things change these days - not!!
The older I get and the harder I try, the behinder I get. Makes life interesting.
Again, thanks for all of your hard work and dedication to helping others.
06-11-2012 08:33 PM - edited 06-11-2012 08:36 PM
I will not use NPE on the new mods and variants from MaxSS, pihar, Zeroaccess as it can't handle it + the subsystems.
New variants are CLSIDs in 2 locations with desktop.ini and services.exe.
NPE with the ever-changing Zeroaccess sucks; it can't handle it and, with the other family mods, causes Windows to not boot afterwards or freeze, and NPE itself freezes / locks, let alone that you have to do a system restart first before even scanning.
I have had to get around NPE on my own system from the screw ups or lock ups.
No way will I ask a user to use it if a rootkit is suspected.
Do a proper job and log and target what is found, Malware removalists do.
Another zeroaccess services.exe MD5 I have https://www.virustotal.com/file/e647717985bf0a1c6b
Quads
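The post above names two on-disk indicators a defender can check for without running a removal tool: CLSID-named directories (two locations) holding a desktop.ini, and a services.exe whose MD5 can be looked up on VirusTotal. The script below is an added example, not Quads' code or a Symantec tool; it walks a set of scan roots, reports GUID-named directories and whether they carry a desktop.ini, hashes any services.exe it finds, and matches the hash against a caller-supplied known-bad set. The directory names, the file contents and the "known-bad" hash in demo() are constructed for the demonstration; on a real system the roots would be the user profile and Windows locations the analyst is investigating, and the hash list would come from the vendor write-up or VirusTotal, neither of which the script invents.

```python
import hashlib
import os
import re
import shutil
import tempfile
from pathlib import Path

# Directory names of the form {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}.
CLSID_DIR = re.compile(
    r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# Constructed sample bytes standing in for a payload; not a real binary.
SAMPLE_PAYLOAD = b"CONSTRUCTED SAMPLE - not a real services.exe\n"


def file_md5(path):
    """MD5 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_roots(roots, known_bad_md5):
    """Report CLSID-named directories (and whether they hold a desktop.ini)
    directly under each root, plus every services.exe under each root with
    its MD5 and whether that MD5 is in the supplied known-bad set."""
    findings = []
    for root in map(Path, roots):
        if not root.is_dir():
            continue
        for entry in sorted(root.iterdir()):
            if entry.is_dir() and CLSID_DIR.match(entry.name):
                findings.append({
                    "type": "clsid_dir",
                    "path": str(entry),
                    "desktop_ini": (entry / "desktop.ini").is_file(),
                })
        for dirpath, _, files in os.walk(root):
            for name in files:
                if name.lower() == "services.exe":
                    p = Path(dirpath) / name
                    md5 = file_md5(p)
                    findings.append({
                        "type": "services_exe",
                        "path": str(p),
                        "md5": md5,
                        "known_bad": md5 in known_bad_md5,
                    })
    return findings


def demo():
    """Build a constructed directory tree in a temp dir, scan it, clean up.
    The GUID, the two root names and the hash list are all made up here."""
    base = Path(tempfile.mkdtemp(prefix="clsid_scan_demo_"))
    try:
        guid = "{0badf00d-1111-2222-3333-444444444444}"  # constructed
        root_a = base / "AppData_Local"   # stand-in for the first location
        root_b = base / "Installer"       # stand-in for the second location
        (root_a / guid).mkdir(parents=True)
        (root_a / guid / "desktop.ini").write_bytes(b"[.ShellClassInfo]\n")
        (root_a / guid / "services.exe").write_bytes(SAMPLE_PAYLOAD)
        (root_b / guid).mkdir(parents=True)
        (root_b / guid / "desktop.ini").write_bytes(b"[.ShellClassInfo]\n")
        (root_a / "OrdinaryFolder").mkdir()  # should not be reported
        # Known-bad set seeded from the constructed sample so the match fires.
        known_bad = {hashlib.md5(SAMPLE_PAYLOAD).hexdigest()}
        return scan_roots([root_a, root_b, base / "missing"], known_bad)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for f in demo():
        print(f)
```

The scan only reads and hashes; it deletes nothing, which matches the post's point that you log and target what is found rather than let an automated tool guess. A services.exe reported outside the Windows system directory, or with a hash that matches the vendor's list, is the item to submit or look up, not something the script acts on.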
06-12-2012 05:15 AM
Quads,
Again, thank you for keeping us informed, but even more so for helping us out of the holes we dig for ourselves.
06-12-2012 06:18 PM
I gave Symantec over 2MB (compressed) of the CLSID variant Zeroaccess; they asked me. The payload has now started being detected as Trojan.Zeroaccess instead of Trojan.Gen.2.
Quads
06-14-2012 10:51 PM
hahaha, the log attached shows I give my system kittens with what I do to it.
Quads