Hey guys, I hardly ever post but I thought this may help others with this particular problem. The ESET Sirefef removal tool does find and fix these symbolic links. You may have to run it with the /r switch to get it to repair the files if the main zaccess infection has already been removed.
@Kaktussoft
Never thought of ZeroAccess as a story, but, your comment made me laugh. It is a story, and a long one!!
From what I have read...
The new ZeroAccess Rootkit variant can get in the system, make a mess of some services, and then go after the Microsoft Security Client and Windows Defender to set symbolic links.
If I understand correctly, looking into these gives a clue:
C:\Program Files\Microsoft Security Client\MpEvMsg.dll
C:\Program Files\Windows Defender\MpSvc.dll
Unfortunately, the above is "not the whole story"...
...the story continues, and using WD as an example, you need to find and remove the symbolic links on the files of Windows Defender. Then, turn the page of the storybook, for the previous is not enough. The files' altered permissions need to be reset!
There are now some tools that will take care of the problem, either entirely, or to some extent.
We can be sure tool developers are working incessantly to give this new ZeroAccess story, like many times before, a good ending.
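A read-only check for the two files named in the post above, added here as an example and not something from this thread: it reports whether each file has become a reparse point (symbolic link), where it points, and the current owner and ACEs so they can be compared against a clean machine before a cleaner is run. It assumes PowerShell 5.1 or later (for the Target property on Get-Item results) and the two paths quoted in the post; run it from an elevated prompt.

```powershell
# Added example: inspect the Defender / MSE files the thread says ZeroAccess
# turns into symbolic links with altered permissions. Changes nothing.
$paths = @(
    'C:\Program Files\Microsoft Security Client\MpEvMsg.dll',   # path from the post
    'C:\Program Files\Windows Defender\MpSvc.dll'                # path from the post
)

foreach ($p in $paths) {
    if (-not (Test-Path -LiteralPath $p)) {
        Write-Output "MISSING   $p"
        continue
    }
    $item = Get-Item -LiteralPath $p -Force

    # A file replaced by a symbolic link carries the ReparsePoint attribute.
    if ($item.Attributes.HasFlag([IO.FileAttributes]::ReparsePoint)) {
        # Target is populated for links on PowerShell 5.1+ (assumption noted in lead-in)
        Write-Output "SYMLINK   $p -> $($item.Target) [$($item.LinkType)]"
    } else {
        Write-Output "REGULAR   $p ($($item.Length) bytes)"
    }

    # List owner and explicit ACEs; the post says the permissions on these
    # files are altered, so compare this output with a known-clean system.
    $acl = Get-Acl -LiteralPath $p
    Write-Output "  Owner: $($acl.Owner)"
    foreach ($ace in $acl.Access) {
        Write-Output ("  {0,-6} {1,-40} {2}" -f $ace.AccessControlType,
                                              $ace.IdentityReference,
                                              $ace.FileSystemRights)
    }
    if ($acl.AreAccessRulesProtected) {
        Write-Output "  NOTE: inheritance is disabled on this ACL"
    }
}
```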
Hi tiberriver256,
Thank you so much for taking the time to sign up here to let me know about this tool! I really appreciate your efforts :) I have passed this information on, including the logs of it purging ZeroAccess from my VM, to the security community and this should really aid us in the fight.
Thanks again,
Tom
Britton30,
> Is the Sirefef removal tool a command line tool?
The answer is No and Yes!! Not trying to confuse you!!
The ESETSirefefCleaner tool is run like any other tool, double-click, and follow a certain routine, etc.
However, once done, if the system still has problems, you go to an elevated command prompt, and run the tool in manual repair mode: /r
Have not used this tool, and do not know whether it addresses MSE, or whether it resets the permissions of all the files affected in WD and MSE.
Tom might give it a whirl in his VM...
If you keep it kind of basic, it's not difficult, once you get the hang of it. Bet you could do it if you wanted to.
If it goes beyond some basics, it is not for me either.
Messing with rootkits is kind of a post and pray deal. There are no guarantees.
I thought ZeroAccess wasn't a rootkit any more? I suppose it depends how you define a rootkit, but I don't think user mode 'rootkits' are real rootkits. It switched to user mode in the last variant and I'm pretty sure this is the same because I can't see a driver anywhere.
Major shift in strategy for ZeroAccess rootkit malware, as it shifts to user-mode | Naked Security
Hey guys, I created an account on here just to post to this thread. I was having this same problem, SFC would not complete due to these Windows Defender/MSE files having an issue. I ran the Eset Sirefef remover tool with the /r option and it was able to fix the issue with these files. SFC now completes (It actually didn't even need to complete to fix my overall issue, once these files were repaired, my main issue was resolved).
Just wanted to say thanks, I've been working this for hours.