thatguywhowants
Former Member
Message 1 of 18

MCShield.exe detected as zero access rootkit, why?!

I'm conducting scans with RogueKiller on some infected machines here that all had McAfee Internet Security, and all of a sudden I see a red flag "ZeroAccess Activity Detected" File: "MCShield.exe".

Could anyone explain to me why exactly this software includes a rootkit?

I've removed the software completely, and sorry guys, replaced it HAPPILY with Norton.

17 Replies
exbrit
MVP
Message 2 of 18

Re: MCShield.exe detected as zero access rootkit, why?!

McAfee software contains an anti-rootkit component. Did it not occur to you that RogueKiller may be incorrectly diagnosing the files?

That would of course be a subject for their support forums.

thatguywhowants
Former Member
Message 3 of 18

Re: MCShield.exe detected as zero access rootkit, why?!

I'm unaware of where the correct area to post this would be; I found the whole posting thing more unclear than the intentions of the software...

I'm not certain if it was an incorrect diagnosis or not, but I did find out in some searches that multiple people are having the same problem as this one user had on their machine.

I installed free McAfee on a few other computers at the shop here and ran the same scans:

All 4 of the machines detected MCShield.exe as a rootkit in RogueKiller.

1 out of 4 detected ZeroAccess Rootkit Activity in a scan with RKill.

All 4 of the systems were brand new and had not previously been connected to the internet until the installation of the McAfee software...

Hayton
Reliable Contributor
Message 4 of 18

Re: MCShield.exe detected as zero access rootkit, why?!

Did you read what the developers of RogueKiller said about their program and false positives?

Also have you bothered to look on the RogueKiller forums and read the FAQ and Known Issues?

Known issues - RogueKiller - Adlice forum

3- ZeroAccess/Whatever found in Antivirus process

This is a false detection, due to database loaded in clear in the antivirus process. Please open a new thread on the forum and DUMP the process memory with Process Explorer to confirm and whitelist.

Tigzy, June 10 2014:

Processes? - RogueKiller - Adlice forum

It looks like McAfee exposes its database in clear in memory. So it's detected as ZeroAccess.

I'll try to find a way to avoid this detection. Thanks
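An added illustration (not RogueKiller or McAfee code, and not part of any post in this thread) of the false positive the known-issues entry describes: a scanner that matches byte patterns in process memory also matches an antivirus process that holds its detection database unencrypted. The pattern names, byte strings, buffers and the clustering heuristic are all constructed assumptions, not how either product works.

```python
# Constructed placeholder patterns; none of these are real malware signatures.
SIGNATURES = {
    "FamilyA": b"FAMILY-A-MARKER",
    "FamilyB": b"FAMILY-B-MARKER",
    "FamilyC": b"FAMILY-C-MARKER",
    "FamilyD": b"FAMILY-D-MARKER",
}


def find_hits(memory: bytes):
    """Return sorted (offset, family) pairs for every pattern occurrence."""
    hits = []
    for family, pattern in SIGNATURES.items():
        start = memory.find(pattern)
        while start != -1:
            hits.append((start, family))
            start = memory.find(pattern, start + 1)
    return sorted(hits)


def naive_verdict(memory: bytes):
    """Flag every family whose pattern appears anywhere in the buffer."""
    return sorted({family for _, family in find_hits(memory)})


def contextual_verdict(memory: bytes, window=256, min_families=3):
    """Hypothetical triage hint: a hit packed next to patterns of several other
    families looks like a signature table; an isolated hit stays suspicious."""
    hits = find_hits(memory)
    verdicts = {}
    for offset, family in hits:
        nearby = {f for o, f in hits if abs(o - offset) <= window}
        label = "signature-db" if len(nearby) >= min_families else "suspicious"
        if verdicts.get(family) != "suspicious":  # one isolated hit wins
            verdicts[family] = label
    return verdicts


# Constructed buffers: an AV process with its pattern table in cleartext,
# and a process that contains a single family's pattern on its own.
AV_MEMORY = b"\x00" * 64 + b"\x00".join(SIGNATURES.values()) + b"\x00" * 64
INFECTED_MEMORY = b"\x00" * 128 + SIGNATURES["FamilyA"] + b"\x00" * 128

if __name__ == "__main__":
    for name, buf in (("av", AV_MEMORY), ("infected", INFECTED_MEMORY)):
        print(name, naive_verdict(buf), contextual_verdict(buf))
```

The clustering result is only a hint for prioritising review; confirming a whitelist entry still requires dumping and inspecting the process memory, as the known-issues entry asks.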


thatguywhowants
Former Member
Message 5 of 18

Re: MCShield.exe detected as zero access rootkit, why?!

Appreciate the answers guys, I haven't looked at them since they were in French as far as I could tell. Thank you though, it was simple curiosity that led me to ask. I've never encountered that before today, it's always alarming when you see ZeroAccess.

exbrit
MVP
Message 6 of 18

Re: MCShield.exe detected as zero access rootkit, why?!

Alarming indeed and sorry you had trouble navigating these forums. They were recently "upgraded" and are bamboozling everyone, including us Moderators.

Maybe you should think again about using RogueKiller. I would have thought things like that would only be necessary if all else failed in a severely infected machine for instance.

We never recommend tools like that unless under the supervision of the forums that specialize in analysing HijackThis logs, like BleepingComputer, Malwarebytes etc.

thatguywhowants
Former Member
Message 7 of 18

Re: MCShield.exe detected as zero access rootkit, why?!

Ex_Brit

I am a member of BleepingComputer forums, going through their malware training at the moment. I am also a computer technician by trade, thank you though.

exbrit
MVP
Message 8 of 18

Re: MCShield.exe detected as zero access rootkit, why?!

Well all the best and good luck with the dark side (Norton).

😉

thatguywhowants
Former Member
Message 9 of 18

Re: MCShield.exe detected as zero access rootkit, why?!

The dark side..............  You actually like McAfee products..?  Like for real, this isn't just a huge joke like I've always thought?

OPERATION TOVAR comes to mind.....?

exbrit
MVP
Message 10 of 18

Re: MCShield.exe detected as zero access rootkit, why?!

I wouldn't volunteer here if I didn't.

Have had very few problems with McAfee.  Had many with other brands over the years.
