SFC Warning

Page 3 of 4

  1. Posts : 2,663
    Windows 8.1 Pro x64
    Thread Starter
       #21

    Kaktussoft said:
    Is the faulty symlink always MpEvMsg.dll, or is this just an example?

    In case it's always MpEvMsg.dll:
    1. delete the symlink
    2. reinstall microsoft security essentials
    Of course this doesn't remove ZeroAccess, but fixes the SFC problem(?) Or is this not the whole story
    It's always on MpEvMsg.dll but there are many other files. I can't go into any details on the security side of things I'm afraid as I haven't finished my training yet, I just wanted to give you guys a heads up if you see SFC failing with this error :)


  2. Posts : 1
    Windows Vista 32 bit
       #22

    ESET Removal Tool


    Hey guys, I hardly ever post but I thought this may help others with this particular problem. The ESET Sirefef removal tool does find and fix these symbolic links. You may have to run it with the /r switch to get it to repair the files if the main zaccess infection has already been removed.


  3. Posts : 2,470
    Windows 7 Home Premium
       #23

    @Kaktussoft

    Never thought of ZeroAccess as a story, but, your comment made me laugh. It is a story, and a long one!!


    From what I have read...

    The new ZeroAccess Rootkit variant can get in the system, make a mess of some services, and then go after the Microsoft Security Client and Windows Defender to set symbolic links.

    If I understand correctly, looking into these gives a clue:
    C:\Program Files\Microsoft Security Client\MpEvMsg.dll
    C:\Program Files\Windows Defender\MpSvc.dll

    Unfortunately, the above is "not the whole story"...

    ...the story continues, and using WD as an example, one needs to find and remove the symbolic links on the files of Windows Defender. Then, turn the page of the storybook, for the previous is not enough. The files' altered permissions need to be reset!



    There are now some tools that will take care of the problem, either entirely, or to some extent.

    We can be sure tool developers are working incessantly to give this new ZeroAccess story, like many times before, a good ending.
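A defender-side check for the symptom described in this post, added here as an example and not code from the thread or from any vendor tool: it takes the two paths quoted above (assumed unchanged on the affected machine), reports whether each has become a reparse point and where it points, and lists the owner and any explicitly set permissions so they can be compared with a clean install before resetting them. Assumes PowerShell 5.1 or later run from an elevated prompt.

```powershell
# Added example (not from the thread): report whether the Windows Defender /
# Microsoft Security Essentials files named above have been replaced by
# symbolic links (reparse points) and what their permissions currently are.
$watched = @(
    'C:\Program Files\Microsoft Security Client\MpEvMsg.dll',
    'C:\Program Files\Windows Defender\MpSvc.dll'
)

function Test-TamperedFile {
    param([string]$Path)
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if (-not $item) {
        return [pscustomobject]@{ Path = $Path; Exists = $false }
    }
    # A legitimate MSE/WD DLL is a plain file; a reparse point here is suspicious.
    $isLink = ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0
    # LinkType/Target are exposed on FileSystemInfo in PowerShell 5.1+.
    $target = if ($isLink) { $item.Target } else { $null }

    # Owner and explicit (non-inherited) ACEs show what was changed on the file;
    # compare against a clean system before resetting permissions.
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    $explicit = @($acl.Access | Where-Object { -not $_.IsInherited } | ForEach-Object {
        '{0}:{1}:{2}' -f $_.AccessControlType, $_.IdentityReference.Value, $_.FileSystemRights
    })

    [pscustomobject]@{
        Path           = $Path
        Exists         = $true
        IsReparsePoint = $isLink
        LinkType       = $item.LinkType
        Target         = ($target -join ';')
        Owner          = $acl.Owner
        ExplicitAces   = ($explicit -join ';')
    }
}

$watched | ForEach-Object { Test-TamperedFile $_ } | Format-List
```

A result with IsReparsePoint set to True on either file matches the failure mode the thread describes, and SFC will not repair it until the link is removed and the real file restored.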


  4. Posts : 2,663
    Windows 8.1 Pro x64
    Thread Starter
       #24

    tiberriver256 said:
    Hey guys, I hardly ever post but I thought this may help others with this particular problem. The ESET Sirefef removal tool does find and fix these symbolic links. You may have to run it with the /r switch to get it to repair the files if the main zaccess infection has already been removed.
    Hi tiberriver256,

    Thank you so much for taking the time to sign up here to let me know about this tool! I really appreciate your efforts :) I have passed this information on, including the logs of it purging ZeroAccess from my VM, to the security community and this should really aid us in the fight.

    Thanks again,

    Tom


  5. Posts : 24,479
    Windows 7 Ultimate X64 SP1
       #25

    tom982 said:
    tiberriver256 said:
    Hey guys, I hardly ever post but I thought this may help others with this particular problem. The ESET Sirefef removal tool does find and fix these symbolic links. You may have to run it with the /r switch to get it to repair the files if the main zaccess infection has already been removed.
    Hi tiberriver256,

    Thank you so much for taking the time to sign up here to let me know about this tool! I really appreciate your efforts :) I have passed this information on, including the logs of it purging ZeroAccess from my VM, to the security community and this should really aid us in the fight.

    Thanks again,

    Tom
    how does this work? Is the Sirefef removal tool a command line tool?


  6. Posts : 2,470
    Windows 7 Home Premium
       #26

    Britton30,

    Is the Sirefef removal tool a command line tool?
    The answer is No and Yes!! Not trying to confuse you!!

    The ESETSirefefCleaner tool is run like any other tool, double-click, and follow a certain routine, etc.

    However, once done, if the system still has problems, you go to an elevated command prompt, and run the tool in manual repair mode: /r

    Have not used this tool, and do not know whether it addresses MSE, or whether it resets the permissions of all the files affected in WD and MSE.

    Tom might give it a whirl in his VM...


  7. Posts : 24,479
    Windows 7 Ultimate X64 SP1
       #27

    Thanks, I'm totally unfamiliar with running stuff from command line.


  8. Posts : 2,470
    Windows 7 Home Premium
       #28

    If you keep it kind of basic, it's not difficult, once you get the hang of it. Bet you could do it if you wanted to.

    If it goes beyond some basics, it is not for me either.

    Messing with rootkits is kind of a post and pray deal. There are no guarantees.


  9. Posts : 2,663
    Windows 8.1 Pro x64
    Thread Starter
       #29

    cottonball said:
    If you keep it kind of basic, it's not difficult, once you get the hang of it. Bet you could do it if you wanted to.

    If it goes beyond some basics, it is not for me either.

    Messing with rootkits is kind of a post and pray deal. There are no guarantees.
    I thought ZeroAccess wasn't a rootkit any more? I suppose it depends how you define a rootkit, but I don't think user mode 'rootkits' are real rootkits. It switched to usermode in the last variant and I'm pretty sure this is the same because I can't see a driver anywhere.


    Major shift in strategy for ZeroAccess rootkit malware, as it shifts to user-mode | Naked Security


  10. Posts : 2
    Windows 7 Pro 32
       #30

    Hey guys, I created an account on here just to post to this thread. I was having this same problem, SFC would not complete due to these Windows Defender/MSE files having an issue. I ran the Eset Sirefef remover tool with the /r option and it was able to fix the issue with these files. SFC now completes (It actually didn't even need to complete to fix my overall issue, once these files were repaired, my main issue was resolved).

    Just wanted to say thanks, I've been working this for hours.

