0Access Rootkit?

[ProfessorCPU]

Have any of you had luck in removing the 0Access virus from PCs without reformatting? This has got to be one of the most difficult viruses I have come accross.

Just thought I'd ask what you guys have come accross when dealing with this rootkit.

Thanks

[Mr.Mike]

My last experience was to reinstall Vista x86 and run getdataback on the clone of the original drive. Managed to rebuild most of the file system (mainly photos, & docs) but many files and folders were trashed. The MBR and system files was the worst affected. It was a challenge to get the good stuff off as windows could not access the drive. Repair was out of the question and no restore points were available. Wasted a lot of time chasing ghosts. Tons of fun.

[hacknscan]

go to foolishit.com and on the d7 page click on pics and vids then at the bottom go to malware vids. He gives you the tools and a video on removing it

[Tekguy]

The download link for Foolish IT's ZeroAccess removal tool didn't work for me. Here's a video from Britec that shows how to manually remove ZeroAccess.

http://www.youtube.com/watch?v=F7KlPBv0yp8

[Martyn]

Here is Nick's removal process using D7

https://www.youtube.com/watch?featur...&v=Ge8QKr1yg_o

[FoolishTech]

Quote:

Originally Posted by ProfessorCPU

Have any of you had luck in removing the 0Access virus from PCs without reformatting? This has got to be one of the most difficult viruses I have come accross.

Just thought I'd ask what you guys have come accross when dealing with this rootkit.

Thanks

The Youtube vid I did was for a pretty old ZeroAccess variant. It's changed a lot since then.

There's a variant not long ago out there that hooks system drivers that's very difficult to remove, but it doesn't work on 64bit OSes...

The latest variant that does infect 64bit OSes however is a "user mode" variant and no longer technically a 'rootkit', so it is surprisingly easy to remove IF you know where to look; I wrote a tool to do just that in a few minutes. Attached... of course this automatic detection/removal is also part of D7 v6.4 and again, it ONLY works for the latest and greatest user mode variant of ZeroAccess.

[iisjman07]

Quote:

Originally Posted by Mr.Mike

My last experience was to reinstall Vista x86 and run getdataback on the clone of the original drive. Managed to rebuild most of the file system (mainly photos, & docs) but many files and folders were trashed. The MBR and system files was the worst affected. It was a challenge to get the good stuff off as windows could not access the drive. Repair was out of the question and no restore points were available. Wasted a lot of time chasing ghosts. Tons of fun.

I'm confused, did it muck up your partitions or something? Even on an infected machine you're able to boot, or slave the drive and copy the user profile across, aren't you?

[Mr.Mike]

Quote:

Originally Posted by iisjman07

I'm confused, did it muck up your partitions or something? Even on an infected machine you're able to boot, or slave the drive and copy the user profile across, aren't you?

That is exactly what it did, trashed the recovery partition. Sorry I didn't mention that the first time. I did slave the drive but never could get my bench machine's windows to recognize/load the drive. It would assign a letter to the drive, but show no content and gave no access. This was a seriously "mucked up" drive.