
Totalaccess rootkit. What a terrible thing.

Aug 23, 2012 7:20AM PDT

My dad's machine is infected with this one and the usual advice (thanks Grif) has not done anything but remove all the other pests that were on the machine.

When I started it had the usual Babylon hijack and more. Cleanup used Grif's advice with Rkill then scans with MBAM and SAS and later HitMan Pro cloud scanner when the others didn't remove the Totalaccess infection.

All the other pests were safely removed but this one, Totalaccess, was a real nasty piece of work, which is a rootkit that puts in its own services.exe via a root exploit.

Yes, I tried the SFC scannow and a handful of Totalaccess removal kits (McAfee and Norton have them) but it would not budge in any Windows mode (safe, command line, repair console).

I had to leave that one installed for now given time ran out but did see to it that the firewall was working (seems to be in force.)

Sorry for the lack of detail but this title is being discussed and so far I'm reading folk are reloading the OS.
Bob

Totalaccess rootkit?
Aug 23, 2012 7:42AM PDT

Would that by any chance be ZeroAccess, Bob?

Unless it's something new, I've never heard of it. Sad

Does this look familiar?

Carol

In my research I did read that article.
Aug 23, 2012 9:13AM PDT

I even went so far as to boot Linux and check out the areas noted by that article. It appears to be a newer variant and if I was lucky, that would have given me enough information to clean it out manually.

But alas, it is ZeroAccess, but some other variant.

Yes I made a TYPO in the name in my top post. I am a little fatigued from the trip and was working from memory.

For now, we'll kill it by reinstalling since the page you gave didn't apply directly and the tools that were supposed to clean it do not.

-> There is a pretty fast way to detect this pest and that is with RKILL. After trying a few other removers I needed a way to see if it was still installed. RKILL turned out to be very handy.
Bob

PS. As I no longer have access to the machine (long story) this post is more of a warning that the pests are indeed getting better.

And Did You Try TDSSKiller?
Aug 23, 2012 11:49AM PDT

It seems to effectively remove certain types of these rootkits. Here's the link:

http://support.kaspersky.com/faq/?qid=208283363

Kaspersky seems to be updating it enough that it may be effective on this new variant.

Hope this helps.

Grif

The things we do for family...
Aug 23, 2012 2:57PM PDT

As if doing this sort of work elsewhere weren't enough, sometimes we are asked to do more... it can be a little draining at times.

Yes, TDSSKiller is needed as the rootkit will create a new hidden partition on the HDD that needs to be deleted to totally erase it (after all modules and files related to it are removed).

Wish you luck in getting this resolved.
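The two footprints mentioned in this thread, a replaced services.exe and an unexpected extra partition, can be looked for with built-in Windows tooling. The script below is an added example for readers, not something posted in the thread or shipped by any of the tools named here; it assumes PowerShell 4.0 or later (for Get-FileHash and Get-Partition) and an elevated prompt. As Bob notes above, a live rootkit can lie to checks run from inside the infected OS, so a result gathered from a Linux boot disk or a clean machine is more trustworthy than one gathered on the patient.

```powershell
# Added example (not from the thread): integrity checks for the ZeroAccess
# footprint described above. Assumes PowerShell 4.0+ and an elevated prompt.
$target = Join-Path $env:SystemRoot 'System32\services.exe'

# 1. Authenticode check.
#    Caveat: Windows system binaries are frequently catalog-signed rather than
#    embedded-signed, so a clean file can report NotSigned on older Windows.
#    Treat anything other than Valid as "investigate further", not as proof.
$sig = Get-AuthenticodeSignature -FilePath $target
'{0}: {1} signer={2}' -f $target, $sig.Status, $sig.SignerCertificate.Subject

# 2. SFC can verify a single protected file against the component store,
#    which is what "sfc /scannow" does for every protected file.
& sfc "/verifyfile=$target"

# 3. Record the SHA-256 hash so it can be compared with the same file taken
#    from known-good install media or an identical, uninfected build.
(Get-FileHash -Path $target -Algorithm SHA256).Hash

# 4. List every partition on every disk; compare against the layout you
#    expect (typically one system/boot partition plus the OS volume).
Get-Partition |
    Select-Object DiskNumber, PartitionNumber, DriveLetter, Type, Size |
    Format-Table -AutoSize
```

A hash mismatch against install media of the same Windows build and service pack, or a partition that nobody created, are the findings worth acting on; a lone NotSigned status is not, for the catalog-signing reason noted in the comments.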

Yes, I did try TDSSKiller.
Aug 24, 2012 2:28AM PDT

Thanks Grif,

I used the usual RKILL, MBAM, SAS to clean up but this one remained and as a rootkit, it's a real work of art.

Since the article noted above plus some rootkit specific tools didn't remove it, I was left with that one on the machine. They'll have to backup and start over at this point. Long story about no support where they are.
Bob

Yep, Had To Reinstall The OS Here A Few Times Also
Aug 24, 2012 4:07AM PDT

Sometimes, the malware had been on the machine too long, or there had been so much damage, that reinstalling everything from scratch was simply the "better part of valor".

Grif

Thanks for that.
Aug 24, 2012 4:27AM PDT

In this case, if I had the full retail OS DVD, I would have manually removed it. I could see most of the problem with Ubuntu and a registry editor but without the OS DVD I could never coax that install back to life. So I had to stop at that point.

But here's my thanks for your advice about RKILL, MBAM, SAS and more, as it wiped out all the pests after about 3 passes. And without crashing the OS.

I'm sure a new tool will arrive to deal with this variant but it wasn't out the days I looked for it. I was checking the usual bleeping computer site and was not happy that others appeared to be working on the infection without resolve.

I have no doubt a removal is possible but for now, it's firmly rooted into the OS without a removal tool for now. Again, no doubt that tool or procedure will show up but just like an arms race, both sides get ahead of each other.
Bob