Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Clarification on rkill process termination/possible infection

  • Please log in to reply
No replies to this topic

#1 DB1990


  • Members
  • 1 posts
  • Gender:Male
  • Local time:08:55 AM

Posted 12 August 2013 - 05:42 PM

Hello, a few days ago Norton Internet Security began notifying me of three trojans attempting to access my computer, which were trojan gen 2, trojan zeroaccess b and trojan zeroaccess c.

Whilst it reported it was able to block, quarantine and remove these threats, they would continually attempt to access my laptop every few minutes when connected to the internet. Aside from this, I was often redirected to spam or ads when browsing. Windows Update and Windows Security Centre were disabled and I was unable to fix them, and the trojan would not let me download any security software or indeed anything(deleting it as a virus immediately), so I had to put them on via USB.

I ran Norton Power Eraser,which removed 2 threats, after which the intrusion attempts and redirects ceased and have not returned since. Tdss killer came back clean, as did SUPERantispyware and Malwarebytes . Microsoft Malicious Software Removal Tool removed a total of 4 threats, which enabled me to download Windows updates again, and the only symptom I had left was being unable to download anything. If it is of any significance whatsoever, all infected files and programs higlighted in scans were located in a Google folder or named Google.

I ran rkill, the log of which showed that zeroaccess was still active. At this point I gave in and did a full factory reset,as the files on my computer were not important to me, and I wasn’t keen on messing around with combofix.


All ‘symptoms’ are gone and all scans have came back clean.

rkill is no longer reporting zeroaccess activity, however it does terminate one process every timewhich is -


Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * C:\Windows\SysWOW64\ezSharedSvcHost.exe (PID: 1476) [WD-HEUR]

1 proccess terminated!


Is this legit, or evidence of an unresolved threat? 64 bit, Windows 7.

I thank you in advance for any assistance.



BC AdBot (Login to Remove)


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users