Topic: IF YOU need help for the Win32:sirefef-ZT virus or malware READ

mikaelrask (Avast Evangelist, Super Poster; Posts: 1556)
Re: IF YOU need help for the Win32:sirefef-ZT virus or malware READ
« Reply #15 on: October 14, 2012, 10:45:43 AM »
Here is a good post from the Spybot forum.

http://forums.spybot.info/showthread.php?t=66271

Even they say you should use a guide other than Spybot.
Windows 8.1, AMD A10-5700 64-bit,
12 GB RAM, 1 TB hard drive. Avast 18, MBAM

magna86 (Anti Malware Fighter, Avast Evangelist, Massive Poster; Posts: 4235; Ambulanta MyCity Forum - ASAP Member)
Re: IF YOU need help for the Win32:sirefef-ZT virus or malware READ
« Reply #16 on: October 14, 2012, 04:57:52 PM »
Usually I do not like to write in these kinds of topics, but this one I somehow could not bypass.  ;D

Quote
Maybe all the experts should go back and try it again.  They might learn something.
These words forced me to write a few words. Yes, I always want to learn something new, but when I carefully examined this topic...


@obwhon58
If I understand correctly, we are now just discussing ZeroAccess rootkits and the software currently able to remove them and disinfect ZA-related (patched) files?
Before we continue, you need to understand the difference between active malware and inactive malware (where re-infection is possible).  ;)

Quote
It took about 3 days to do so but the first thing you recommended running was Malwarebytes.
     ...
I just don't see why people think Malwarebytes is so fantastic...

Because Malwarebytes is, as you said, "so fantastic".
First, I'll write a few things about Malwarebytes.
MBAM uses a powerful low-level driver (something like an anti-rootkit driver) to locate hidden files, and uses some special search techniques and heuristics which enable it to detect a good part of the worldwide malware, including active rootkits. This gives it so much power that it allows MBAM to really kill and delete (exterminate) ~90% of active malware. When I say active malware, we must know that all malware uses various tricks to protect itself from being deleted.
MBAM uses its heuristics to detect malware files/entries. In simple translation, all files that are not in their place and could use some known methods of abuse will be checked by MBAM.

(You may read this topic if you will: link.
Also, please read the interview with Malwarebytes' founder, Marcin Kleczynski.)

After reading these two links, maybe you can understand why many of the worldwide helpers recommend the software named Malwarebytes Anti-Malware.  ;)

Quote
... and the Win32:sirefef-ZT virus and the Win32:sirefef-PL virus were gone never to return.
How do you know that for sure? As I understand it, you're using various scanners that search your system for known malware files and try to remove them.
How do you know that you have not just deleted some loading point of the malware? Maybe the configuration files are still there? Are the changes made to the system by the ZeroAccess rootkit still there?
ZA patches some legitimate Windows core files, which cannot be "cured" so easily. And as far as I know, the classic tools do not want to play with patched Windows files because they can easily cause the system to drop or stop.
So, how do you know that your services.exe is the legitimate one, or whether it is just waiting for the opportunity to try to activate the infection again?

There are so many things that need to be checked. I just want to say that without a proper diagnosis it is not possible to claim the system is a clean machine.
The only thing you can assume is that the malware is not active any more.

Quote
It's not only great at removing malware and spybots but it builds a restricted site list in your browser to keep your computer from going to or linking to the sites that all this crap comes from. 
I think they currently protect you from over 19000 web sites that distribute malware and spybots
Spybot makes changes to the hosts file that block access to certain sites, as far as I know. I think it does not do anything more than that, but in my opinion it is an outdated method of protection.

Quote
When you try this program and find it as useful as I do, please donate money to their cause.  They do it for free and it's on hell of a program.
...
but I think a lot of people overlook the value of Spybot S&D.
To be sure we all understand each other, and I do not want to be misunderstood ... I completely agree with you on this one. I have no doubt that Spybot is phenomenal software. I agree...  ;)
I'm just stating facts.

Quote
Malwarebytes also doesn't build the restricted site list for your browser so you're computer can't go to the sites that host the spybots and malware.
Are you sure?  :)
http://www.malwarebytes.org/products/malwarebytes_free/

Quote
But  in my book it's a virus not malware.

And what is malware? What all comes under the term "malware"? :)
http://en.wikipedia.org/wiki/Malware

--------------------------


To put a stop to the discussion, I've done a little test.  ;D
I downloaded and ran Spybot on my test machine, where I have active ZA loading points running for this rootkit and all the configuration files are there. The Windows core files were not patched by the ZA rootkit because I have not rebooted the machine.
Spybot did not find any of the ZA loading points in my case. When I have more time, maybe I will do a better (one more) test with more accuracy, but for now...
« Last Edit: October 14, 2012, 05:11:09 PM by magna86 »
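As an added example (not part of magna86's post, and not a tool from Avast, Malwarebytes or Spybot): one practical way to answer the "is my services.exe the legitimate one?" question from the post is to check the Authenticode signature of the core binaries and compare their hashes against the copies the servicing stack keeps in WinSxS. Any modification of the file, including the kind of patching the post attributes to ZeroAccess, invalidates the signature. The file list and the assumption of an elevated PowerShell 4+ prompt on Windows 8 or later (where Get-AuthenticodeSignature also resolves catalog signatures) are mine.

```powershell
# Added example, not from the forum thread. Assumes an elevated PowerShell 4+
# prompt on Windows 8 or later; the list of core files to check is my choice.

$coreFiles = @(
    "$env:SystemRoot\System32\services.exe",
    "$env:SystemRoot\System32\svchost.exe",
    "$env:SystemRoot\System32\lsass.exe",
    "$env:SystemRoot\System32\winlogon.exe"
)

# Signature status and SHA-256 of each core binary as it sits in System32.
$report = foreach ($path in $coreFiles) {
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    [pscustomobject]@{
        File   = $path
        Status = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
        Signer = $sig.SignerCertificate.Subject   # expect a Microsoft Windows subject
        SHA256 = $hash
        Size   = (Get-Item -Path $path).Length
    }
}

$report | Format-Table -AutoSize

# Anything other than "Valid" is a candidate patched file. Compare it with the
# copies of the same binary that WinSxS holds before calling the machine clean.
$suspect = $report | Where-Object { $_.Status -ne 'Valid' }
foreach ($s in $suspect) {
    $name = Split-Path -Path $s.File -Leaf
    Get-ChildItem -Path "$env:SystemRoot\WinSxS" -Recurse -Filter $name -ErrorAction SilentlyContinue |
        ForEach-Object {
            $h = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            $verdict = if ($h -eq $s.SHA256) { 'same as System32' } else { 'DIFFERS from System32' }
            '{0}  {1}  {2}' -f $_.FullName, $h, $verdict
        }
}
```

Two caveats that follow from the post's own active/inactive distinction: an active rootkit can hide or substitute what the file system shows you, so run this from a clean boot or an offline environment (WinPE) rather than on the suspect system while it is running, and `sfc /verifyonly` gives a second, independent check of the protected files. On Windows 7, Get-AuthenticodeSignature may report catalog-signed system files as NotSigned; Sysinternals sigcheck.exe handles catalog signatures there.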