Tuesday, October 11, 2011

ZeroAccess trojan rootkit virus removal

ZeroAccess rootkit shows up in Task Manager as a process whose name is a series of numbers with a colon in the middle, e.g. 1784223:3221239.exe, and which cannot be killed.

ESET have a tool that detects and kills the process - requires a reboot.
Kaspersky have the TDSSKiller tool that detects the infection as Sirefef trojan.
MBAM and MSSE are halted when they attempt to run a scan.
The trojan/rootkit is active whenever networking is active.
It continues to re-infect via driver files.

To clean the infection use a boot disk such as Parted Magic that contains ClamAV - update the ClamAV pattern files, then run a command such as:
 clamscan -r -i /media/sda1/
(-r = recursive, -i = show infected files only; the path is wherever the boot disk has mounted the Windows partition)
Delete or overwrite the files as required.
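The helpers below are an added example, not part of the original post and not the ESET, Kaspersky or ClamAV tools' own code. They tie the two parts of the post together: a check for the numeric "NNN:NNN.exe" process name described at the top, and a wrapper around the offline clamscan step that quarantines detections with --move (so a misidentified driver file can be restored) instead of deleting them outright, plus a parser for clamscan's FOUND lines. The mount point, quarantine directory, file names and signature names are assumptions or constructed sample data; the real scan only runs when RUN_SCAN=1 is set on a boot disk that has clamscan and freshclam.

```shell
#!/bin/sh
# Added example (not from the original post). Helpers for the ZeroAccess
# clean-up described above: spot the numeric "NNN:NNN.exe" process name,
# build a clamscan command that quarantines rather than deletes, and parse
# clamscan's FOUND lines.
# Assumed placeholders: the Windows partition is mounted read-write at
# $SCAN_TARGET (default /media/sda1) and quarantined files go to $SCAN_QUARANTINE.

SCAN_TARGET="${SCAN_TARGET:-/media/sda1}"
SCAN_QUARANTINE="${SCAN_QUARANTINE:-/root/quarantine}"

# Return 0 if a process name matches the pattern the post describes
# (digits, a colon, digits, then .exe), e.g. 1784223:3221239.exe.
is_zeroaccess_style_name() {
    printf '%s\n' "$1" | grep -Eqi '^[0-9]+:[0-9]+\.exe$'
}

# Filter a process listing (process name in the first column, one per line)
# read from stdin and print only the names that match the pattern.
flag_suspicious_processes() {
    awk '{ print $1 }' | grep -Ei '^[0-9]+:[0-9]+\.exe$' || true
}

# Print the clamscan command line for the offline scan. --move quarantines
# detections instead of deleting them, so a false positive on a driver file
# can be put back; --log keeps a record of what was found.
build_scan_command() {
    printf 'clamscan -r -i --move=%s --log=%s/clamscan.log %s/\n' \
        "$SCAN_QUARANTINE" "$SCAN_QUARANTINE" "$SCAN_TARGET"
}

# Parse clamscan output on stdin; emit "path<TAB>signature" for each FOUND line.
parse_found_lines() {
    awk '/ FOUND$/ {
        sub(/ FOUND$/, "")
        i = index($0, ": ")
        print substr($0, 1, i - 1) "\t" substr($0, i + 2)
    }'
}

# Constructed sample clamscan output (file names and signature names are
# made up for this example; ClamAV's real signature names differ).
SAMPLE_SCAN_OUTPUT='/media/sda1/Windows/System32/drivers/sample.sys: Win.Trojan.Example-1 FOUND
/media/sda1/Windows/System32/sample2.dll: Win.Trojan.Example-2 FOUND

----------- SCAN SUMMARY -----------
Infected files: 2'

# Number of FOUND lines in the constructed sample output.
count_found() {
    printf '%s\n' "$SAMPLE_SCAN_OUTPUT" | parse_found_lines | wc -l | tr -d ' '
}

# Only run the real scan when explicitly asked for, after updating patterns
# with freshclam as the post says.
if [ "${RUN_SCAN:-0}" = "1" ]; then
    mkdir -p "$SCAN_QUARANTINE"
    freshclam
    eval "$(build_scan_command)"
fi
```

Run it as RUN_SCAN=1 sh zeroaccess-scan.sh from the boot disk's shell; afterwards $SCAN_QUARANTINE/clamscan.log lists what was moved, and parse_found_lines turns that log into a path/signature table for the clean-up notes.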
