Comments on: ZeroAccess Rootkit Guards Itself with a Tripwire http://blog.webroot.com/2011/07/08/zeroaccess-rootkit-guards-itself-with-a-tripwire/ WEBROOT - INSIGHTS INTO THREATS AND TRENDS FROM OUR INTERNET SECURITY EXPERTS Fri, 17 May 2013 20:44:03 +0000 hourly 1 http://wordpress.com/ By: charly http://blog.webroot.com/2011/07/08/zeroaccess-rootkit-guards-itself-with-a-tripwire/#comment-58917 Wed, 04 Jul 2012 17:06:52 +0000 http://blog.webroot.com/?p=4657#comment-58917 is there a way to decode the @-files to know which domains are in those?

]]> By: James http://blog.webroot.com/2011/07/08/zeroaccess-rootkit-guards-itself-with-a-tripwire/#comment-45631 Sun, 15 Apr 2012 13:16:14 +0000 http://blog.webroot.com/?p=4657#comment-45631 the removal tool that you have found the item but also became more agressive when I used it to remove and reboot the computer. I may need an update the removal program

]]> By: Windows rootkit developer battle proves there’s no honor among thieves | MyCE – My Consumer Electronics http://blog.webroot.com/2011/07/08/zeroaccess-rootkit-guards-itself-with-a-tripwire/#comment-16155 Thu, 11 Aug 2011 16:36:04 +0000 http://blog.webroot.com/?p=4657#comment-16155 [...] Blog has previously covered the pitfalls of ZeroAccess. One variant of the rootkit can effectively render anti-virus software useless via a “virtual tripwire.” While deleting TDL is a pleasant side effect, it’s [...]

]]> By: quartzie http://blog.webroot.com/2011/07/08/zeroaccess-rootkit-guards-itself-with-a-tripwire/#comment-16098 Wed, 10 Aug 2011 12:15:33 +0000 http://blog.webroot.com/?p=4657#comment-16098 Gerald, you can check whether your antivirus software is running – if it closes the moment you run a process scan, bingo.

(You can also check the permissions of the AV executable, they will be set to deny execution)

]]> By: Brooke http://blog.webroot.com/2011/07/08/zeroaccess-rootkit-guards-itself-with-a-tripwire/#comment-16069 Tue, 09 Aug 2011 23:26:55 +0000 http://blog.webroot.com/?p=4657#comment-16069 Gerald, from experience (I’m dealing with it now!), I can tell you that you’ll see the following symptoms if you’re infected: (a) every link you click in Google search results will take you to some stupid, junky ad site; and (b) you won’t be able to run any anti-virus software (MalwareBytes Anti-Malware, SuperAntiSpyware, Spybot Search & Destroy, Webroot, etc.).

Actually, my Webroot user interface is up and running, but I can’t run a manual scan and I can’t configure any settings — everything is greyed out. ARGH!!! A volunteer from the bleepingcomputer.com forum is helping me, but it has taken several days so far…

One of Marco Giuliani’s more recent posts mentions a ZeroAccess detection and removal kit; I need to look into that: “…you can download our ZeroAccess removal tool and check if your system is already infected by the ZeroAccess rootkit. Our free removal tool will be able to detect whether the system is infected and, if so, it’ll clean the system for you.” http://anywhere.webrootcloudav.com/antizeroaccess.exe

]]> By: Gerald D Cranford http://blog.webroot.com/2011/07/08/zeroaccess-rootkit-guards-itself-with-a-tripwire/#comment-14642 Sat, 09 Jul 2011 03:48:23 +0000 http://blog.webroot.com/?p=4657#comment-14642 how do I know if my computer is infected. Thanks you guys do a great job!

]]>