Rootkit Zero Access Removal Notes

This post is split into a few sections. It's mostly my notes on dealing with Rootkit.ZeroAccess (a.k.a. W32/Sirefef or Max++).

Methods of Infection for Rootkit ZeroAccess (Max++)

  • Outdated Java (this seems to be the #1 way)
  • .exe's with random porn-type names, made to look like videos, for example filename.avi.exe
  • Game cracks and serial number generators (that are actually ZeroAccess installers)
  • Outdated Adobe Reader (Acrobat)
  • Windows updates not being installed
  • Relying only on definition (signature) based anti-virus

X64 Notes
  • drops usermode malware into %windir%\assembly (the .NET Global Assembly Cache folders)
  • autorun key is set here: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems (the Windows value, which lists the ServerDlls that csrss.exe loads at boot)
  • x64 modules are injected into services.exe
  • removing any of the x64 Max++ modules while the above registry value still references them will result in a BSOD at the next boot, because csrss.exe cannot load the listed ServerDll. Fix the registry value first, then delete the modules.
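As an added triage check for the SubSystems persistence point above (example code written for this page, not the author's procedure and not any vendor's removal tool): it parses the `Windows` value of the SubSystems key, as dumped by `reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems" /v Windows`, or read from a hive loaded from a drive in a USB enclosure, and flags any `ServerDll=` entry that is not one of the stock csrss server DLLs. The allowlist of stock DLL names is an assumption (basesrv and winsrv on XP, plus sxssrv on Vista/7), the sample values are constructed, and `badsrv` is a placeholder module name, not a real ZeroAccess file name.

```python
import re
import sys

# Stock csrss.exe server DLLs. Assumption: basesrv and winsrv on XP, plus sxssrv on Vista/7.
KNOWN_GOOD_SERVER_DLLS = frozenset({"basesrv", "winsrv", "sxssrv"})

# Each token looks like  ServerDll=<module>[:<entrypoint>],<index>
SERVER_DLL_RE = re.compile(r"ServerDll=([^,\s]+),(\d+)")


def parse_server_dlls(windows_value):
    """Return [(module, entrypoint, index), ...] for every ServerDll= token."""
    entries = []
    for spec, index in SERVER_DLL_RE.findall(windows_value):
        module, _, entrypoint = spec.partition(":")
        entries.append((module, entrypoint, int(index)))
    return entries


def suspicious_server_dlls(windows_value, allow=KNOWN_GOOD_SERVER_DLLS):
    """Entries whose module is given as a path, or is not a stock server DLL."""
    flagged = []
    for module, entrypoint, index in parse_server_dlls(windows_value):
        name = module.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name.endswith(".dll"):
            name = name[:-4]
        # Stock entries are bare module names resolved from system32; anything
        # with a path component, or a name outside the allowlist, is worth a look.
        if "\\" in module or "/" in module or name not in allow:
            flagged.append((module, entrypoint, index))
    return flagged


def windows_value_from_reg_query(text):
    """Extract the REG_EXPAND_SZ data from `reg query ... /v Windows` output."""
    for line in text.splitlines():
        m = re.match(r"\s*Windows\s+REG_EXPAND_SZ\s+(.*)$", line)
        if m:
            return m.group(1).strip()
    raise ValueError("no 'Windows' value found in reg query output")


# Constructed sample: the stock value on a clean XP box.
CLEAN_XP_VALUE = (
    r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
    r"SharedSection=1024,3072,512 Windows=On SubSystemType=Windows "
    r"ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
    r"ServerDll=winsrv:ConServerDllInitialization,2 "
    r"ProfileControl=Off MaxRequestThreads=16"
)

# Constructed sample of a tampered value: the console ServerDll has been swapped
# for another module. 'badsrv' is a placeholder, not a real ZeroAccess file name.
TAMPERED_VALUE = CLEAN_XP_VALUE.replace(
    "ServerDll=winsrv:ConServerDllInitialization,2",
    "ServerDll=badsrv:ConServerDllInitialization,2",
)

# Constructed `reg query` output wrapping the clean value.
SAMPLE_REG_QUERY = (
    "\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\SubSystems\n"
    "    Windows    REG_EXPAND_SZ    " + CLEAN_XP_VALUE + "\n"
)


def triage(reg_query_text):
    """Return one human-readable finding per non-stock ServerDll in a reg query dump."""
    value = windows_value_from_reg_query(reg_query_text)
    findings = []
    for module, entrypoint, index in suspicious_server_dlls(value):
        spec = module + (":" + entrypoint if entrypoint else "")
        findings.append(f"ServerDll={spec},{index} is not a stock csrss server DLL")
    return findings


if __name__ == "__main__":
    # Pipe in the output of:
    #   reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems" /v Windows
    # or run with no input to see the constructed tampered sample.
    if sys.stdin.isatty():
        text = SAMPLE_REG_QUERY.replace(CLEAN_XP_VALUE, TAMPERED_VALUE)
    else:
        text = sys.stdin.read()
    for finding in triage(text) or ["SubSystems\\Windows looks stock"]:
        print(finding)
```

If the check flags an entry, restore the value to the stock ServerDll list for that Windows version before deleting the module it points at; deleting the module first is exactly the ordering that produces the BSOD noted above.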

How to remove Rootkit ZeroAccess (what's worked for me).

  1. Kaspersky Rescue Disk (make sure you update the databases). I scan the entire hard drive because ZeroAccess has popped up in unusual locations. For example, it's now residing here: C:\WINDOWS\$NtUninstallKBxxxxx$ (the x's are random numbers). KRD will delete the rootkit or disinfect it.
  2. Combofix. Sometimes it works. I've had to run it twice.
  3. Using specific ZeroAccess removal tools:
    - VBA32 Removal Tool - http://anti-virus.by/en/download_arkit_beta.php
    - Symantec's FixZeroaccess - http://www.symantec.com/security_response/writeup.jsp?docid=2011-071314-0410-99
    - Kaspersky's TDSSKiller - http://support.kaspersky.com/downloads/utils/tdsskiller.exe
    - Webroot ZeroAccess Removal - http://anywhere.webrootcloudav.com/antizeroaccess.exe
    - ESET's Sirefef Remover (a.k.a. ZeroAccess) - http://download.eset.com/special/encyclopaedia/ESETSirefefRemover.exe


I’ll update this post with more notes later.

update – 1.9.12

I've been dealing with ZeroAccess every day now. ZeroAccess inserts itself into the TCP/IP stack and it's extremely tough to get rid of. After removal the TCP/IP stack is usually left corrupted and needs to be repaired or reinstalled (on XP the standard repair is `netsh int ip reset resetlog.txt` followed by `netsh winsock reset` and a reboot; if that doesn't restore connectivity, the stack has to be reinstalled).

Here’s what’s working for me this week.

  1. Scan the entire hard drive via the Kaspersky Rescue Disk. Try to disinfect files; if disinfection isn't possible then delete.
  2. Download Combofix from another computer onto a USB stick.
  3. Rename Combofix to some random name (so the rootkit can't block it by file name).
  4. Reboot the infected computer into Windows.
  5. Disable the antivirus (Combofix requires it to be off).
  6. Unplug the network adapter or shut off the wireless.
  7. Run Combofix.
  8. Run Combofix a second time.
  9. At this point the rootkit should be gone.
  10. Run a Malwarebytes scan to clear up any remnants.


  • http://techmansworld.blogspot.com/ MHazell

    According to Java, they say that they have 7.0 out now, but when I went to upgrade my XP machine, it updated to 6.30 (from 6.29), and that was as far as it wanted to go. It would not update to 7.0. Is this a sign that Oracle has stopped supporting XP, or does it mean that they are still working on the release of Java 7?

  • Ben

    From what I can tell, 7.0 is still not "mainstream"; it's still being "tested" even though Update 2 has been posted, because even java.com is still suggesting 6.30 instead of 7.

    • http://techmansworld.blogspot.com/ MHazell

      Thanks for that info.

  • thomas

    thanks for the post Matt!

  • Jonathan

    Java 7 has to be downloaded from http://www.oracle.com. Here is a direct link: http://www.oracle.com/technetwork/java/javase/downloads/index-jsp-138363.html#javasejdk

    There is a help page on http://www.java.com explaining why it's not there and that you can get it from http://www.oracle.com. Here is a direct link to the help page: https://www.java.com/en/download/faq/java7.xml

    • http://techmansworld.blogspot.com/ MHazell

      I think I’ll wait until it goes mainstream. Besides, I have Microsoft Security Essentials along with MBAM Free.

  • 1234shre

    Matt, the ZeroAccess infection also hides in System Restore. A week ago I cleaned this infection on my uncle's PC using TDSSKiller. redbook.sys was infected, and I even saw it hiding in System Restore. You should add a point to this guide:
    clear System Restore.

    It's very important to do that, I tell you. Thanks for your vids!

    • mrizos

      Thanks, I'll add that to the notes.

  • Adam

    If you have to run all of those tools to make sure you got it all, what's to say you got it all even with all of those tools? At which point do you just go the safer route and reinstall Windows with that type of rootkit infection?

  • Eric5176

    After I clean up home customers' PCs from malware infections, removing Java is a post-cleanup step. Not everyone can do without Java, but the majority of them don't do anything that requires it.

    • estechguy

      I think it is us geeks that do use it.

  • http://www.mspy.com/ Adele

    I just experienced Rootkit.ZeroAccess the other day. After several unsuccessful attempts I concluded that I couldn't put any more time into trying to clean it and opted to just reinstall the OS. That's it.

  • Mcarthy Jamie

    Great info!! I just used McAfee's RootkitRemover to get rid of ZeroAccess from my PC. It's simple and efficient.

  • Dave

    The problem I had was that after removing ZeroAccess it left me with a NetBIOS over TCP/IP problem that I could not fix. I saw the post below about clearing System Restore and wished I had done that; it may have restored the connection.

  • Anonymous

    updated this post to my latest removal technique

    • Bubba

      Matt, when will you do part 2 of your NIS 2012?

      • http://remove-malware.com malwarekilla

        Depends on when these calls slow down. Either tonight or Saturday. It’s going to be short. Just covering insight.

  • ZOU

    Can TCP/IP be fixed using fix.exe, or does it have to be reinstalled manually via the command prompt?

  • ZOU

    I have another question. What are your options if you damage critical OS files during removal of this type of malware?

    • Anonymous

      I have copies of each OS. I can replace corrupt/deleted OS files by mounting the client's drive in a USB enclosure (dropping the files into the correct dirs).

  • john

    Suit filed against Symantec, claiming it sells Scareware http://www.thewindowsclub.com/suit-filed-symantec-claiming-sells-scareware

  • ZOU

    Man, that rootkit is turning out to be a real pain in the pants huh?

  • WBY

    Very good info, very close to what I've previously been doing, but something changed this week which dropped my success level from 90% to 20%. Obviously the ZeroAccess people have updated something, and I hope you will be posting a new update. I'll be checking every day for it. Thanks!

  • http://ducktoes.com Cathie

    This is great. We’ve been doing something similar but sometimes can’t get Combofix to run.

    • WBY

      Recently Microsoft created and updated a new version of "Offline Defender" which looks like Microsoft Security Essentials. You can download both the 32-bit and 64-bit versions from their website. When you click on the file it will ask you if you want to burn it to a CD, USB, etc., making them bootable devices. I have had some success with this on PCs which will not connect to the Internet. Boot to the CD and run UPDATE. In many cases it will actually connect and update itself, then you can run a quick or full scan. I usually start with the quick scan because the full scan can run several hours. If it detects anything during the scan a small yellow triangle will appear and let you know that it has found infections, and to wait until the scan is complete to view the details and remove them. Dr.Web has a similar file you can download to create a bootable CD with, but I haven't tried that one yet to see if it will connect to the Internet in cases where safe mode w/networking won't. Hope that helps.

      • Cathie

        I did try Dr.Web CureIt with a bootable CD once, but it didn't work well. I think it hung. I had better luck doing it with a UBCD disk that had Dr.Web CureIt on it. I used that for curing the Virut virus a couple of years back. It "cured" instead of deleting infected system files.

        I'm trying a Kaspersky boot disk right now, but it hasn't caught anything yet. Thanks so much for your response.

        • http://www.cbdaze.blogspot.com/ WBY

          Did you ever get it fixed? We received a flood of infected PCs and the fastest turnaround was format/reinstall. With 17 computers on the bench it was becoming too time consuming to spend hours and hours on each machine. Surprisingly, the calls stopped coming in about a week later, and we didn't run into it again until late last week.

  • 12345shre

    http://forum.avadas.de/threads/2994-avast

    Avast 7 release roadmap

    If you use Chrome you can translate the page to English using the plugin; on visiting the site you would automatically be prompted to translate it to English.

  • albert

    It worked for us. Thanks a lot !!!

    • mrizos

      Sure, my pleasure!

  • Kosch

    It does help! Thank you a lot! I was infected for nearly 4 weeks; when I discovered ZeroAccess, 10 days ago, I was not able to reinstall the system because of study projects and deadlines. After a lot of try-outs in different ways, your guide gives me the chance to finish my projects and reinstall with time and planning!

    A big fat +1 for ya, dude!

    • mrizos

      Thanks so much Kosch!

  • Fadingaqueous

    Have you tried anything that ESET had to offer? I'm going to try it, but I'm concerned even though MANY sites have told me that it is safe and efficient. Any opinions?
