SFC Warning

Page 2 of 4

  1. Posts : 2,663
    Windows 8.1 Pro x64
    Thread Starter
       #11

    cottonball said:
    Thanks tom982!

    This stuff is spreading like wildfire. There is work being done on it, but not sure as to whether a solution is yet found.

    Like you mentioned, it symbolically links files associated with Windows Defender and/or MSE, and there are a couple of tools being used to detect and remove the junctions, but have not seen the final solution. Have you?
    Nope, it's above my pay grade I'm afraid


  2. Posts : 2,470
    Windows 7 Home Premium
       #12



    Your pay grade and mine = 0!!!

    Fortunately, some with higher paygrades solved the issue.


  3. Posts : 175
    Windows 7 Home Premium 64bit
       #13

    Thanks for telling. My laptop was hit by ZeroAccess. MSE failed to scan when hidden folder was scanned and scanning stopped as Not Responding. SFC reported Windows Resource Protection at 21% then 19%. Elevated to run as administrator still failed and used startup repair command prompt same result. No choice but to reformat and execute clean installation Windows 7 again.


  4. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #14

    So in a 'nutshell' C++ fails on MpEvMsg.dll > Client Security kernel-mode mini-filter, which gives/allows buffer overflows and exploitation... this would be a 'pointer' not a 'reference'.

    References cannot be null, whereas pointers can; every reference refers to some object, although it may or may not be valid
    Just trying to get the basic understanding of this too. It all goes back to inadequate security, not updating Windows (and other vulnerable programs, such as Java and Adobe) and taking chances with file sharing (P2P).


  5. Posts : 2,663
    Windows 8.1 Pro x64
    Thread Starter
       #15

    Jacee said:
    So in a 'nutshell' C++ fails on MpEvMsg.dll > Client Security kernel-mode mini-filter, which gives/allows buffer overflows and exploitation... this would be a 'pointer' not a 'reference'.

    References cannot be null, whereas pointers can; every reference refers to some object, although it may or may not be valid
    Just trying to get the basic understanding of this too. It all goes back to inadequate security, not updating Windows (and other vulnerable programs, such as Java and Adobe) and taking chances with file sharing (P2P).
    Thanks for the update, Jacee :)


    Whilst the security software plays a large part in this, quite a lot of the onus is on the user in the first place. As far as I know this variant doesn't come with any form of exploit and requires the user to elevate the program by accepting the UAC prompt - but they've disguised this by loading their dodgy dll under an installer for Adobe Flash Player so the UAC prompt says that Flash wants to elevate, not the ZeroAccess dropper.


    If a website ever says you have outdated software, be sure to check this yourself from the vendor's website and don't download the file they are offering!


  6. Posts : 7,683
    Windows 10 Pro
       #16

    I found this thread very interesting as I'm not as savvy when it comes to the inner workings of Windows. As someone mentioned, this is above my pay grade (for now). But it is a fascinating read, and something to learn about.

    That said, this caught my attention...

    tom982 said:
    If a website ever says you have outdated software, be sure to check this yourself from the vendor's website and don't download the file they are offering!
    I was doing a Google search for something and ran across a site that piqued my interest. Normally I watch what site I enter, but the article got the better of me. Anyway I clicked the link, and was greeted with a "Your Flash isn't working, click here to update". Well, me being the suspicious type, and knowing my Flash was working, I ignored it. A few hours later I'm looking at this thread and see the above quote.

    Thank god for my intuition, and knowing my system!

    So yes, keeping your programs, including Windows, updated can avoid such problems. I get in arguments about this all the time, but some have the attitude of "if it ain't broke, don't fix it".

    Anyway thanks for the info.


  7. Posts : 24,479
    Windows 7 Ultimate X64 SP1
       #17

    Sygnus, I have found lately there are a lot of sites which pop up a window saying My Flash Player is out of date. I always ignore them too.


  8. Posts : 7,683
    Windows 10 Pro
       #18

    Britton30 said:
    Sygnus, I have found lately there are a lot of sites which pop up a window saying My Flash Player is out of date. I always ignore them too.
    Some could be legit, but this is where knowing your PC and your (updating) habits comes into play. I'm pretty obsessive about keeping my stuff updated so when that one popped up it just made me think.

    Anyway I don't want to hijack the thread, I just wanted to add that little tidbit.

    Peace

  9.    #19

    Jacee said:
    So in a 'nutshell' C++ fails on MpEvMsg.dll > Client Security kernel-mode mini-filter, which gives/allows buffer overflows and exploitation... this would be a 'pointer' not a 'reference'.

    References cannot be null, whereas pointers can; every reference refers to some object, although it may or may not be valid
    Couldn't this BSOD potentially also occur from stack buffer overruns?

    STOP 0x000000F7: DRIVER_OVERRAN_STACK_BUFFER ~ BSOD Index


  10. Posts : 10,796
    Microsoft Windows 7 Home Premium 64-bits 7601 Multiprocessor Free Service Pack 1
       #20

    Is the faulty symlink always MpEvMsg.dll, or is this just an example?

    In case it's always MpEvMsg.dll:
    1. delete the symlink
    2. reinstall Microsoft Security Essentials
    Of course this doesn't remove ZeroAccess, but fixes the SFC problem(?) Or is this not the whole story?
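
An added example, not part of any post in this thread: a read-only check for the question raised in #20 and the junction-detection tools mentioned in #11. It lists every symbolic link or junction under a folder together with its target, so you can see whether MpEvMsg.dll is the only affected file. The default folder paths are assumed install locations for MSE and Windows Defender, not values from the thread, and `is_link_like` / `find_links` are hypothetical helper names.

```python
import os
import stat
import sys

# Windows marks symlinks and junctions with this attribute bit.
REPARSE = getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0x400)

# Assumed default install locations; not taken from the thread.
DEFAULT_DIRS = [
    r"C:\Program Files\Microsoft Security Client",
    r"C:\Program Files\Windows Defender",
]


def is_link_like(path):
    """True if path itself (not its target) is a symlink or reparse point."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return True
    # st_file_attributes exists only on Windows; junctions show up here.
    return bool(getattr(st, "st_file_attributes", 0) & REPARSE)


def find_links(root):
    """Return sorted (path, target) pairs for every link found under root."""
    hits = []
    # os.walk does not follow symlinks by default; junctions are pruned below.
    for dirpath, dirnames, filenames in os.walk(root):
        for name in list(dirnames) + filenames:
            full = os.path.join(dirpath, name)
            try:
                if not is_link_like(full):
                    continue
            except OSError:
                continue  # entry vanished or access was denied
            try:
                target = os.readlink(full)
            except OSError:
                target = "<unreadable target>"
            hits.append((full, target))
            if name in dirnames:
                dirnames.remove(name)  # never descend through a link
    return sorted(hits)


if __name__ == "__main__":
    for root in sys.argv[1:] or DEFAULT_DIRS:
        for path, target in find_links(root):
            print(f"{path} -> {target}")
```

Run it from an elevated prompt so protected folders are readable; it only reports and changes nothing on disk.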


 

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.
