[rkhunter]

Guys, congrats for Sophos, it found ZeroAccess without rootkit http://nakedsecurity.sophos.com/2012/06 ... -usermode/
:o

[thisisu]

Guys, congrats for Sophos, it found ZeroAccess without rootkit http://nakedsecurity.sophos.com/2012/06 ... -usermode/
:o

It's a nice article. Sophos is one of the blogs I enjoy reading the most. Very clear and concise.

[thisisu]

Adding another topic of interest: http://forums.malwarebytes.org/index.ph ... 10440&st=0
Note: Prioritize the CLSID folders.

I tried OTL in my topic, failed miserably. Trying FRST next and seems like Blitzblank is a nice tool, compatible with x64 too!

[Quads]

Working on one where it looks like the system has both the ZeroAccess KB folder variant and the CLSID + services.exe variant, and that is just for starters I think.

OTL log attached hahahaha

Quads

[thisisu]

That is impressive :lol:

__

MD5: 854b6ff9e88283e9cda3a92e061e54e9
https://www.virustotal.com/file/87a49a4 ... /analysis/
Prevented ComboFix from initiating scan for me.
Removing two CLSID folders allows it to scan. ;)

[thisisu]

Short video created by me: http://youtu.be/B0sY_1ZXxTU
Sample used in video attached here
MD5: f3e90a3eeafaeb748f86f3a467add76c
https://www.virustotal.com/file/f1d4392 ... /analysis/

[malwarian]

Hi guys,

My job is malware removal.Any idea on removing C:\windows\assembly\gac_32\desktop.ini,C:\windows\assembly\gac_64\desktop.ini.

It gets hooked into every process,it returns back even after combofix deletes it,we are not allowed to use blitzbank ,OTL.Also no chance of using farbar recovery scan tool ( remote support )

thanks

[rkhunter]

Hi guys,

My job is malware removal.Any idea on removing C:\windows\assembly\gac_32\desktop.ini,C:\windows\assembly\gac_64\desktop.ini.

It gets hooked into every process,it returns back even after combofix deletes it,we are not allowed to use blitzbank ,OTL.Also no chance of using farbar recovery scan tool ( remote support )

thanks

May be you safe remove CLSID key before? After reboot it would easy for delete files...

[erikloman]

Hi guys,

My job is malware removal.Any idea on removing C:\windows\assembly\gac_32\desktop.ini,C:\windows\assembly\gac_64\desktop.ini.

It gets hooked into every process,it returns back even after combofix deletes it,we are not allowed to use blitzbank ,OTL.Also no chance of using farbar recovery scan tool ( remote support )

thanks

You can use HitmanPro to remove this variant.

HitmanPro 3.6 Build 158
ZA_CLSID.png (45.61 KiB) Viewed 447 times

Current build 156 removes the CLSID variant. We've released a Beta build that performs both the Removal and Repair in one single pass:
http://dl.surfright.nl/HitmanPro36beta_x64.exe

[malwarian]

May be you safe remove CLSID key before? After reboot it would easy for delete files...

I'm not sure which key you're referring to? Doesnt malwarebytes remove the infected CLSID keys? Do you mean keys that points to wbemess.dll and shdocvw.dll ? yes i did that but desktop.ini returns back.

You can use HitmanPro to remove this variant.

Are you sure if this can remove more efficiently when combofix has failed?
Let me see if hitman pro can remove this.

Thanks