Archive | rootkits

Rootkit Causes Windows Not To Boot – Freezes at Windows Load Screen

Hi Guys,  just an FYI here.  I’ve had 3 rootkits this week that prevent Windows 7 from loading.  Basically when you start the PC Windows starts to load and then freezes on Windows screen (black background, before the colored spinning balls).

This is easy to resolve.  Just download the latest Kaspersky Rescue Disk, burn the ISO or create the bootable USB stick.  Boot the PC from the Kaspersky Rescue Disk, update it (via a wired or wireless connection) and then scan the entire C drive as well as Disk Boot Sectors.  

After the scan is complete Kaspersky will allow you to disinfect, delete or quarantine any malware found.  Here is the order I always try to choose:

  1. Disinfect
  2. Quarantine
  3. Delete

Reboot the PC after the malware has been removed.  Follow up with a Malwarebytes scan.




Rootkit Zero Access Removal Notes

This post is split into a few sections.  It’s mostly my notes on dealing with rootkit zero access (a.k.a. rootkit.zeroaccess, w32/Sirefef or Max++)

Methods of Infection for Rootkit Zero Access (max++)

  • Outdated Java (this seems to be the #1 way)
  • .exe’s that have random porn type names.  They are made to look like videos.  For example – filename.avi.exe
  • game cracks and serial number generators (that are actually rootkit zeroaccess installers)
  • Outdated Adobe Reader (acrobat)
  • Windows updates not being installed
  • Using only definition based anti-virus

X64 Notes

  • drops usermode malware into "$windir\assembly"
  • autorun key is set here:  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems
  • x64 modules are injected into services.exe
  • removing any of the x64 max++ modules will result in a BSOD if the above registry key still exists
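As an added example (not from the original post), here is a PowerShell triage script for the two x64 persistence spots listed above: it parses the SubSystems `Windows` value for ServerDll entries outside an assumed default allowlist and lists modules loaded in services.exe that fail signature validation or live outside the Windows directory. The allowlist and the signature heuristic are my assumptions, not something the post states.

```powershell
# Added example, not from the original post. Run from an elevated 64-bit PowerShell
# prompt on the suspect machine. The allowlist is an assumption based on a default
# Windows 7 x64 SubSystems configuration; adjust it for other Windows versions.

$SubSystemsKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems'
$KnownServerDlls = @('basesrv', 'winsrv', 'sxssrv')   # assumed default set

function Test-SubSystemsWindowsValue {
    # The 'Windows' value is a space-separated token list; each ServerDll=<name>[:init],<n>
    # token names a DLL csrss loads at boot, so an unexpected name is worth a look.
    $raw = (Get-ItemProperty -Path $SubSystemsKey -Name 'Windows').Windows
    $findings = @()
    foreach ($token in ($raw -split '\s+')) {
        if ($token -match '^ServerDll=([^:,]+)') {
            $dll = $Matches[1].ToLower()
            if ($KnownServerDlls -notcontains $dll) {
                $findings += "Unexpected ServerDll token: $token"
            }
        }
    }
    # A reference to the assembly cache inside this value is not normal.
    if ($raw -match '(?i)\\assembly\\') {
        $findings += "Windows value references the assembly folder: $raw"
    }
    return $findings
}

function Test-ServicesExeModules {
    # Modules in services.exe with an invalid Authenticode signature or loaded from
    # outside %windir%. Catalog-signed system DLLs can report NotSigned on older
    # systems, so treat the output as a triage list, not a verdict.
    $proc = Get-Process -Name services -ErrorAction Stop
    $suspicious = @()
    foreach ($m in $proc.Modules) {
        $path     = $m.FileName
        $sig      = Get-AuthenticodeSignature -FilePath $path
        $inWindir = $path.ToLower().StartsWith($env:windir.ToLower())
        if ($sig.Status -ne 'Valid' -or -not $inWindir) {
            $suspicious += [pscustomobject]@{ Module = $path; Signature = $sig.Status }
        }
    }
    return $suspicious
}

Test-SubSystemsWindowsValue
Test-ServicesExeModules | Format-Table -AutoSize
```

Empty output from both functions means neither persistence spot shows anything unusual; any ServerDll name outside the allowlist should be checked against a clean machine of the same build before acting on it.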

How to remove rootkit zero access (what’s worked for me).

  1. Kaspersky Rescue Disk (make sure you update the databases).  I scan the entire hard drive because rootkit zero access has popped up in unusual locations.  For example it’s now residing here: C:\WINDOWS\$NtUninstallKBxxxxx$  (the x’s are random numbers).  KRD will delete the rootkit or disinfect it.
  2. Combofix.  Sometimes it works.  I’ve had to run it twice.
  3. Using Specific Rootkit Zero Access removal tools:
    - VBA32 Removal Tool - http://anti-virus.by/en/download_arkit_beta.php
    - Symantec’s FixZeroaccess - http://www.symantec.com/security_response/writeup.jsp?docid=2011-071314-0410-99
    - Kaspersky’s TDSSKiller - http://support.kaspersky.com/downloads/utils/tdsskiller.exe
    - Webroot ZeroAccess Removal - http://anywhere.webrootcloudav.com/antizeroaccess.exe
    - Eset’s Sirefef Removal (a.k.a. zeroaccess) - http://download.eset.com/special/encyclopaedia/ESETSirefefRemover.exe


I’ll update this post with more notes later.

update – 1.9.12

I’ve been dealing with rootkit zeroaccess every day now.  Rootkit Zeroaccess inserts itself into the TCP/IP stack and it’s extremely tough to get rid of.  The TCP/IP stack is usually corrupted and needs to be repaired/reinstalled.

Here’s what’s working for me this week.

  1. Scan the entire hard drive via the Kaspersky Rescue Disk.  Try to disinfect files, if disinfection isn’t possible then delete.
  2. Download Combofix from another computer onto a USB stick.  
  3. Rename Combofix to some random name.
  4. Reboot the infected computer into Windows.
  5. Disable the Antivirus (for Combofix).
  6. Unplug the network adapter or shut off the wireless.
  7. Run Combofix.
  8. Run Combofix a second time.
  9. At this point the rootkit should be gone.
  10. Run a Malwarebytes scan to clear up any remnants.