WMI Issues after ZeroAccess removal

Thanks for the effort!

I've been working on it off and on, but still have not found a solution. I suspect registry permission errors; however, I have yet to successfully restore to default permissions. The D7 Repair Permission tool has been unsuccessful so far. It completes, but indicates failures numbering in the tens of thousands. Running subinacl from an elevated command prompt produces the same results (obviously, as I believe D7 uses subinacl as well). Is this normal behavior for subinacl? Maybe I should give secedit a try?

Note also: I have edited my original post to reflect the correct O/S. I mistakenly typed Vista; actually it's Win7. Apologies :o

Did you try running chkdsk and sfc? You could be seeing a failing drive in addition to the viruses. Also check system event logs for any disk I/O or similar errors.
 
Yeah, everything checks out fine. All my critical log events are WMI related.

Looks like I'm going to be doing an in-place repair install to fix this. :mad:
 
If I can just offer a note here. I have found that KillEmAll (it's also in D7 in the malware section) is better than Rkill and gives you a much better idea of what it kills. Kills more and also finds files in suspicious areas.

Pretty much the first thing I run is KillEmAll if I have desktop control and am chasing viruses.

Understand your point. I mentioned Rkill simply because the infection often prevents D7 itself from running. But if D7 will start, then "KillEmAll"!

/EndThreadHijack (sorry)
 
KillEmAllPlus launches under the system account, so it is able to end processes that are also started under the system account. To be honest it's almost a failed experiment. But it was just that, an experiment. Most malware launches as a user process anyway so standard KEA will work, and Plus takes longer to start up so malware has more of a chance to stop it. KillEmAll standard is the best to use in most situations.
 