A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #14322  by Tigzy
 Wed Jun 27, 2012 1:57 pm
So I guess yes it's readable.
Sorry if it has been said already, but does this version only patch x86/x64 services.exe on Vista/7?
No XP?

I've inspected the ASLR wipe-off, and it seems only binaries on Vista+ have it enabled by default (DllCharacteristics in the optional header: http://msdn.microsoft.com/en-us/library ... s.85).aspx ). I'm trying to build general detection rules over it.
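A concrete form of the detection rule Tigzy describes, added here as an example and not code from the thread or from RogueKiller: parse the PE optional header, read the DllCharacteristics field, and flag a binary that should ship ASLR-enabled (a Vista+ system binary such as services.exe) but has IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE cleared. The flag values and header offsets are from the documented PE format; the function names and the in-memory test fixture built by build_min_pe are assumptions of this example.

```python
import struct

# Flags from IMAGE_OPTIONAL_HEADER.DllCharacteristics (winnt.h)
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # DEP opt-in
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
# DllCharacteristics sits at the same offset in PE32 and PE32+ optional headers,
# because PE32's extra BaseOfData field is balanced by PE32+'s 8-byte ImageBase.
DLLCHARACTERISTICS_OFFSET = 70


def read_dll_characteristics(data: bytes) -> int:
    """Return the DllCharacteristics field of a PE image held in memory."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4                                    # IMAGE_FILE_HEADER
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                        # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%X" % magic)
    if size_of_optional < DLLCHARACTERISTICS_OFFSET + 2 or len(data) < opt + size_of_optional:
        raise ValueError("truncated optional header")
    return struct.unpack_from("<H", data, opt + DLLCHARACTERISTICS_OFFSET)[0]


def aslr_check(data: bytes, expect_dynamic_base: bool = True) -> dict:
    """Rule: a binary expected to carry DYNAMIC_BASE (Vista+ system binaries)
    that has the flag cleared is reported as suspicious."""
    flags = read_dll_characteristics(data)
    dynamic_base = bool(flags & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    nx_compat = bool(flags & IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
    return {
        "dll_characteristics": flags,
        "dynamic_base": dynamic_base,
        "nx_compat": nx_compat,
        "suspicious": expect_dynamic_base and not dynamic_base,
    }


def build_min_pe(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Constructed fixture (not a real binary): the smallest header layout the parser needs."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)    # e_lfanew -> 0x40
    size_of_optional = 0xF0 if pe32plus else 0xE0
    file_header = struct.pack("<HHIIIHH",
                              0x8664 if pe32plus else 0x14C,  # Machine
                              0, 0, 0, 0,                     # sections, timestamp, symtab, nsyms
                              size_of_optional,
                              0x0002)                         # IMAGE_FILE_EXECUTABLE_IMAGE
    optional = bytearray(size_of_optional)
    struct.pack_into("<H", optional, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", optional, DLLCHARACTERISTICS_OFFSET, dll_characteristics)
    return dos + b"PE\0\0" + file_header + bytes(optional)


def scan_file(path: str, expect_dynamic_base: bool = True) -> dict:
    """Apply the rule to an on-disk file, e.g. C:\\Windows\\System32\\services.exe."""
    with open(path, "rb") as f:
        return aslr_check(f.read(), expect_dynamic_base)


if __name__ == "__main__":
    clean = build_min_pe(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
    patched = build_min_pe(IMAGE_DLLCHARACTERISTICS_NX_COMPAT, pe32plus=True)
    print("clean:   ", aslr_check(clean))
    print("patched: ", aslr_check(patched))
    # XP-era system binaries never carried DYNAMIC_BASE, so the rule must not
    # expect it there; pass expect_dynamic_base=False on those systems.
    print("xp-style:", aslr_check(patched, expect_dynamic_base=False))
```

The rule is only meaningful where the OS version tells you the flag should be present, which is why the XP case is handled by switching the expectation off rather than by a different parser. A cleared flag is a lead, not proof: combine it with a check that the file's Authenticode signature still validates, since any patch to services.exe breaks the signature regardless of which bytes were changed.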
 #14367  by thisisu
 Fri Jun 29, 2012 7:33 pm
Tigzy wrote:Sorry if it has been said already, but does this version only patch x86/x64 services.exe on Vista/7?
No XP?
I think the general consensus is that it's capable of patching XP services.exe but I have not seen anyone's malware logs that prove this.
These blog posts go into more detail on services.exe:

http://artemonsecurity.blogspot.com/201 ... ution.html
http://hitmanpro.wordpress.com/2012/06/ ... infection/

Also would like to thank you Tigzy and Erik as well for your hard work on developing tools that fight this infection (as well as many others). We have had success with both RogueKiller and HitmanPro in removing all components of ZeroAccess CLSID variant as well as restoring a clean services.exe.
 #14398  by Quads
 Sun Jul 01, 2012 11:59 pm
Found another file location that FRST does not show in the log:

c:\windows\system32\config\systemprofile\Local Settings\Application Data\{CLSID}
c:\windows\system32\config\systemprofile\Local Settings\Application Data\{CLSID}\@
c:\windows\system32\config\systemprofile\Local Settings\Application Data\{CLSID}\n

Quads
 #14400  by Quads
 Mon Jul 02, 2012 6:36 am
The system I am working on with that location also had ZA in the other known CLSID locations FRST found, but the system also had Bamital and other malware files to break.

Quads