Technibble Forums > Technical Discussions > Security, Viruses and Trojans

#1
06-08-2012, 10:26 PM
ProfessorCPU
Join Date: Apr 2011
Posts: 112

0Access Rootkit?

Have any of you had luck in removing the 0Access virus from PCs without reformatting? This has got to be one of the most difficult viruses I have come across.

Just thought I'd ask what you guys have come across when dealing with this rootkit.

Thanks
__________________
Become a Techware Partner for FREE:
http://www.Techware.net

Your Automated Virtual Technician
PC Management Software
#2
06-08-2012, 10:36 PM
Mr.Mike
Join Date: Aug 2009
Location: California Central Coast
Posts: 1,131

My last experience was to reinstall Vista x86 and run GetDataBack on the clone of the original drive. Managed to rebuild most of the file system (mainly photos and docs), but many files and folders were trashed. The MBR and system files were the worst affected. It was a challenge to get the good stuff off, as Windows could not access the drive. Repair was out of the question and no restore points were available. Wasted a lot of time chasing ghosts. Tons of fun.
#3
06-09-2012, 04:05 AM
hacknscan
Join Date: Feb 2012
Posts: 39

Go to foolishit.com and, on the d7 page, click on "pics and vids", then at the bottom go to "malware vids". He gives you the tools and a video on removing it.
#4
06-09-2012, 01:34 PM
Tekguy
Join Date: May 2010
Location: USA
Posts: 341

The download link for Foolish IT's ZeroAccess removal tool didn't work for me. Here's a video from Britec that shows how to manually remove ZeroAccess.

http://www.youtube.com/watch?v=F7KlPBv0yp8
#5
06-09-2012, 01:49 PM
Martyn
Administrator
Join Date: Apr 2010
Location: Bedfordshire UK
Posts: 5,703

Here is Nick's removal process using D7

https://www.youtube.com/watch?featur...&v=Ge8QKr1yg_o
#6
06-09-2012, 04:27 PM
FoolishTech
Join Date: Aug 2010
Location: Manteo, NC (USA)
Posts: 2,757

Quote: Originally Posted by ProfessorCPU
Have any of you had luck in removing the 0Access virus from PCs without reformatting? This has got to be one of the most difficult viruses I have come across.

Just thought I'd ask what you guys have come across when dealing with this rootkit.

Thanks
The Youtube vid I did was for a pretty old ZeroAccess variant. It's changed a lot since then.

There's a variant not long ago out there that hooks system drivers that's very difficult to remove, but it doesn't work on 64bit OSes...

The latest variant that does infect 64bit OSes however is a "user mode" variant and no longer technically a 'rootkit', so it is surprisingly easy to remove IF you know where to look; I wrote a tool to do just that in a few minutes. Attached... of course this automatic detection/removal is also part of D7 v6.4 and again, it ONLY works for the latest and greatest user mode variant of ZeroAccess.
Attached file: KillZeroAccessUserModeVariant.zip (78.8 KB)
__________________
Author of d7 & d7II, and TONS of other FREE PC technician's tools. www.FoolishIT.com

Author of CryptoPrevent - Crypto/Malware prevention for any OS.

Latest free tool: dBug - Neutralize malware preventing you from running removal tools.

NEW d7II single technician pricing!

Last edited by FoolishTech; 06-09-2012 at 04:33 PM.
#7
06-09-2012, 05:56 PM
iisjman07
Join Date: Jul 2009
Location: South End Of The UK
Posts: 3,045
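An added, generic triage script for the "user mode" point made in the post above. It is not part of this thread, not FoolishTech's D7 or the attached KillZeroAccess tool, and not a detector for any specific ZeroAccess variant. The idea it illustrates: once persistence is in user mode rather than in hooked drivers, it has to live in ordinary autostart locations, so enumerating those locations and flagging binaries that are missing or not Authenticode-signed gives a short list of "where to look". The registry paths, WMI class and schtasks.exe switches are standard Windows; the heuristic, the Get-ImagePath helper and the output format are my own assumptions. It assumes an elevated PowerShell 2.0+ prompt on Windows.

```powershell
# Added example (not from the thread): list common user-mode autostart
# entries and flag binaries that are missing or lack a valid Authenticode
# signature. Generic triage only; NOT a ZeroAccess-specific detector.
# Assumes an elevated PowerShell 2.0 or later on Windows.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ImagePath([string]$cmd) {
    # Hypothetical helper: pull the executable path out of a command line
    # (quoted or unquoted, with or without arguments) and expand %VARS%.
    if ([string]::IsNullOrEmpty($cmd)) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($cmd.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($cmd, '^(.+?\.(exe|dll|sys|cmd|bat))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

$entries = @()

# 1. Run / RunOnce registry values.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
        $entries += New-Object PSObject -Property @{
            Source = $key; Name = $p.Name; Path = (Get-ImagePath $p.Value)
        }
    }
}

# 2. Services: Win32_Service.PathName is the service binary's command line.
foreach ($svc in Get-WmiObject Win32_Service) {
    $entries += New-Object PSObject -Property @{
        Source = 'Service'; Name = $svc.Name; Path = (Get-ImagePath $svc.PathName)
    }
}

# 3. Scheduled tasks via schtasks.exe, which works on XP/Vista/7 without
#    the ScheduledTasks module. Repeated CSV header rows are skipped.
$tasks = schtasks.exe /query /fo CSV /v 2>$null | ConvertFrom-Csv
foreach ($t in $tasks) {
    if ($t.'Task To Run' -and $t.'Task To Run' -ne 'Task To Run') {
        $entries += New-Object PSObject -Property @{
            Source = 'Task'; Name = $t.TaskName; Path = (Get-ImagePath $t.'Task To Run')
        }
    }
}

# Report entries whose binary is gone or is not validly signed.
foreach ($e in $entries) {
    if (-not $e.Path) { continue }
    if (-not (Test-Path -LiteralPath $e.Path)) {
        "{0,-8} {1,-30} MISSING  {2}" -f $e.Source, $e.Name, $e.Path
        continue
    }
    $sig = Get-AuthenticodeSignature -FilePath $e.Path
    if ($sig.Status -ne 'Valid') {
        "{0,-8} {1,-30} {2,-8} {3}" -f $e.Source, $e.Name, $sig.Status, $e.Path
    }
}
```

The output is a list of leads, not verdicts: on XP- and Vista-era machines many legitimate third-party binaries are unsigned, so each flagged path still needs to be checked by hand (publisher, location, timestamp) before anything is deleted, and nothing here touches the MBR or driver-level hooks that the earlier kernel-mode variants used.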

Quote: Originally Posted by Mr.Mike
My last experience was to reinstall Vista x86 and run GetDataBack on the clone of the original drive. Managed to rebuild most of the file system (mainly photos and docs), but many files and folders were trashed. The MBR and system files were the worst affected. It was a challenge to get the good stuff off, as Windows could not access the drive. Repair was out of the question and no restore points were available. Wasted a lot of time chasing ghosts. Tons of fun.
I'm confused, did it muck up your partitions or something? Even on an infected machine you're able to boot, or slave the drive and copy the user profile across, aren't you?
__________________
put that in your pipe and grep it
#8
06-10-2012, 12:13 AM
Mr.Mike
Join Date: Aug 2009
Location: California Central Coast
Posts: 1,131

Quote: Originally Posted by iisjman07
I'm confused, did it muck up your partitions or something? Even on an infected machine you're able to boot, or slave the drive and copy the user profile across, aren't you?
That is exactly what it did, trashed the recovery partition. Sorry I didn't mention that the first time. I did slave the drive but never could get my bench machine's windows to recognize/load the drive. It would assign a letter to the drive, but show no content and gave no access. This was a seriously "mucked up" drive.
Tags: format tutorial coming?

Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Technibble.com is based out of MELBOURNE, AUSTRALIA.