Suspect False Negative - Boot Scan Not Finding ZeroAccess Rootkit Virus.

When trying to sign up for a new forum, I was denied access due to my IP being Blacklisted. I went to the site that was blacklisting my IP and this is what they had to say (my IP removed from quote):

"IP Address xxx.xxx.xxx.xxx is listed in the CBL. It shows signs of being infected with a spam sending trojan, malicious link or some other form of botnet.

It was last detected at 2017-03-09 23:00 GMT (+/- 30 minutes), approximately 9 days, 20 hours, 29 minutes ago.

This IP address is infected with, or is NATting for a machine infected with the ZeroAccess botnet, also known as Sirefef. More information can be found from Wikipedia. It is most often used for bitcoin mining or click fraud, but as it contains a downloader portion, it can do anything.

If this IP address is a NAT gateway, it should be possible to find which computer on your internal network is infected by implementing a filter on your firewall to detect and log attempts to send UDP packets to the Internet with a destination port number of 16470.

How to find ZeroAccess on your network has more information on how to find ZeroAccess infections. That page talks about using Fortigate and Snort/Ossim. You should be able to do the same things with just about any other firewall router."

I ensured I had all the newest definitions, including the extras provided for boot-time scans, and avast boot time scan found nothing. I would think Avast techs would be interested that their boot-time scan is not finding a years-old Rootkit Virus. I am using the free antivirus. Doesn’t seem to be anywhere to report false negatives…

Anyone else have experience with the zeroaccess rootkit virus?

TIA,
MissMercury

Start a new topic in V&W: https://forum.avast.com/index.php?action=post;board=4