Bot Obliterator
Quads
Posts: 13,254
Registered: 07-21-2008

Zeroaccess and Norton / Symantec

Just a Note,

 

Some variants of Zeroaccess can or will shut down Norton and other security products, or stop scans from occurring or from starting.

 

Quads

dickevans
Posts: 9,256
Registered: 04-08-2008

Re: Zeroaccess and Norton / Symantec


Quads wrote:

Just a Note,

 

Some variants of Zeroaccess can or will shut down Norton and other security products, or stop scans from occurring or from starting.

 

Quads


Sure hope you can dig us out of this one - I'd be totally lost

Dick
Win7x64 SP1 current NIS V20
Bot Obliterator
Quads
Posts: 13,254
Registered: 07-21-2008

Re: Zeroaccess and Norton / Symantec

Zeroaccess is not that hard; you just have to track down which variant it is and where the objects are, and also whether anything else came along with it.

It's harder if it's a combo infection, say Zeroaccess + Pihar + FakeAVs + other malware; you just have to figure out which to break first, as the tools that scan looking for the rootkit / bootkit may not work, or not work properly, because the FakeAV or other malware on top may be trying to block them.

Having these tools malfunction during their scans may cause a bigger hole to deal with.

 

Quads

dickevans
Posts: 9,256
Registered: 04-08-2008

Re: Zeroaccess and Norton / Symantec


Quads wrote:

Zeroaccess is not that hard; you just have to track down which variant it is and where the objects are, and also whether anything else came along with it.

It's harder if it's a combo infection, say Zeroaccess + Pihar + FakeAVs + other malware; you just have to figure out which to break first, as the tools that scan looking for the rootkit / bootkit may not work, or not work properly, because the FakeAV or other malware on top may be trying to block them.

Having these tools malfunction during their scans may cause a bigger hole to deal with.

 

Quads


Thanks for the short lesson.

When I get in trouble I'll come calling. You have convinced me with your posts that I'd be way out of my knowledge zone trying to play with any of this stuff.

Thank you for being here and even more so thank you for all of your time and expertise helping all of us.

If there's anything I can do for you, ask; I'll try.

Dick
Win7x64 SP1 current NIS V20
Bot Obliterator
Quads
Posts: 13,254
Registered: 07-21-2008

Re: Zeroaccess and Norton / Symantec

The services.exe I sent directly to SSR (Symantec) is now detected as Trojan.Patchep!sys, in a Dormant state at least, although the writeup is now out of date, haha.

 

Quads

 


dickevans
Posts: 9,256
Registered: 04-08-2008

Re: Zeroaccess and Norton / Symantec


Quads wrote:

The services.exe I sent directly to SSR (Symantec) is now detected as Trojan.Patchep!sys, in a Dormant state at least, although the writeup is now out of date, haha.

 

Quads

 


Quads,

Isn't that about normal? About the time you get it written/published it's out of date. Got to love the speed at which things change these days - not!

The older I get and the harder I try, the behinder I get. Makes life interesting.

Again, thanks for all of your hard work and dedication to helping others.

Dick
Win7x64 SP1 current NIS V20
Bot Obliterator
Quads
Posts: 13,254
Registered: 07-21-2008

Re: Zeroaccess and Norton / Symantec


I will not use NPE on the new mods and variants from MaxSS, Pihar and Zeroaccess, as it can't handle them plus the subsystems.

 

New variants use CLSIDs in 2 locations, with desktop.ini and services.exe.

 

NPE with the ever-changing Zeroaccess sucks: it can't handle it, and with the other family mods it causes Windows to not boot afterwards or to freeze, and NPE itself freezes / locks up, let alone that you have to do a system restart first before even scanning.

 

I have had to get around NPE on my own system after the screw-ups or lock-ups.

 

No way will I ask a user to use it if a rootkit is suspected.

 

Do a proper job: log and target what is found, as malware removalists do.

 

Another Zeroaccess services.exe MD5 I have: https://www.virustotal.com/file/e647717985bf0a1c6b3e2464d4f95d2efe3b77801c43246bde45eae908b940b8/ana...

 

 

Quads
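The two indicators Quads gives above (CLSID-named folders carrying a desktop.ini, and a rogue services.exe) as an added hunting script. This is example code written for this page, not Quads's tool, NPE, or anything from Symantec. It assumes a constructed directory tree built in a temp folder (a real hunt would walk the Windows and user-profile roots instead), a made-up CLSID and file contents, and uses the one SHA-256 that appears in the VirusTotal link in the post as the known-bad hash; everything else is constructed sample data.

```python
"""Hunt for Zeroaccess-style CLSID folders and hash every services.exe.

Added example for this thread, not code from the original post.
Assumptions: the sample tree is constructed in a temp dir; the CLSID
below is made up; the only known-bad hash is the SHA-256 from the
VirusTotal URL in the post.
"""
import hashlib
import os
import re
import tempfile

# SHA-256 taken from the VirusTotal link in the post (Zeroaccess services.exe).
KNOWN_BAD_SHA256 = {
    "e647717985bf0a1c6b3e2464d4f95d2efe3b77801c43246bde45eae908b940b8",
}

# Folder names of the form {8-4-4-4-12 hex}, i.e. a CLSID/GUID.
CLSID_DIR = re.compile(
    r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I
)


def sha256_of(path):
    """Stream the file so large binaries do not get read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_clsid_dirs(root):
    """Return CLSID-named folders under root that contain a desktop.ini."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        name = os.path.basename(dirpath)
        lowered = {n.lower() for n in filenames}
        if CLSID_DIR.match(name) and "desktop.ini" in lowered:
            hits.append(dirpath)
    return sorted(hits)


def check_services_exe(root):
    """Hash every services.exe under root.

    The genuine one lives in System32; any copy elsewhere is flagged as a
    suspicious location, and any hash in KNOWN_BAD_SHA256 as known bad.
    The hash is reported either way so it can be looked up on VirusTotal.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for n in filenames:
            if n.lower() != "services.exe":
                continue
            path = os.path.join(dirpath, n)
            digest = sha256_of(path)
            in_system32 = os.path.basename(dirpath).lower() == "system32"
            findings.append({
                "path": path,
                "sha256": digest,
                "known_bad": digest in KNOWN_BAD_SHA256,
                "suspicious_location": not in_system32,
            })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree():
    """Constructed sample tree; not a real infection, just the layout to hunt."""
    root = tempfile.mkdtemp(prefix="za_hunt_")
    clsid = "{11111111-2222-3333-4444-555555555555}"  # hypothetical CLSID
    bad_dir = os.path.join(root, "Windows", "Installer", clsid)
    sys32 = os.path.join(root, "Windows", "System32")
    desktop = os.path.join(root, "Users", "dick", "Desktop")  # benign desktop.ini
    for d in (bad_dir, sys32, desktop):
        os.makedirs(d)
    with open(os.path.join(bad_dir, "desktop.ini"), "w") as f:
        f.write("[.ShellClassInfo]\n")
    with open(os.path.join(desktop, "desktop.ini"), "w") as f:
        f.write("[.ShellClassInfo]\n")
    with open(os.path.join(sys32, "services.exe"), "wb") as f:
        f.write(b"MZ constructed stand-in for the real services.exe\n")
    with open(os.path.join(bad_dir, "services.exe"), "wb") as f:
        f.write(b"MZ constructed stand-in for a dropped services.exe\n")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for d in find_clsid_dirs(root):
        print("CLSID folder with desktop.ini:", d)
    for f in check_services_exe(root):
        print(f["path"], f["sha256"], "known_bad=%s" % f["known_bad"],
              "suspicious_location=%s" % f["suspicious_location"])
```

The folder match is the useful half: a GUID-named directory with a desktop.ini is easy to spot by name alone, whereas the hash check only ever confirms a sample already known to VirusTotal, so an unknown hash in a suspicious location is still worth submitting rather than dismissing.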

dickevans
Posts: 9,256
Registered: 04-08-2008

Re: Zeroaccess and Norton / Symantec

Quads,

Again, thank you for keeping us informed but even moreso for helping us out of the holes we dig for ourselves.

Dick
Win7x64 SP1 current NIS V20
Bot Obliterator
Quads
Posts: 13,254
Registered: 07-21-2008

Re: Zeroaccess and Norton / Symantec

I gave Symantec over 2 MB (compressed) of the CLSID variant of Zeroaccess; they asked me. The payload has now started being detected as Trojan.Zeroaccess instead of Trojan.Gen.2.

 

Quads

Bot Obliterator
Quads
Posts: 13,254
Registered: 07-21-2008

Re: Zeroaccess and Norton / Symantec

Hahaha, the log attached shows I give my system kittens with what I do to it.

 

Quads