Rootkit Zero Access Removal Notes

This post is split into a few sections.  It’s mostly my notes on dealing with Rootkit ZeroAccess (a.k.a. Rootkit.ZeroAccess, W32/Sirefef or Max++).

Methods of Infection for Rootkit ZeroAccess (Max++)

  • Outdated Java (this seems to be the #1 vector)
  • Executables with random porn-style names, made to look like video files by using a double extension.  For example – filename.avi.exe
  • Game cracks and serial-number generators (that are actually ZeroAccess installers)
  • Outdated Adobe Reader (Acrobat)
  • Windows updates not being installed
  • Relying only on definition-based anti-virus

X64 Notes

  • Drops its user-mode components into %windir%\assembly
  • Its autorun point is the value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems, which it modifies so that its module is loaded at boot
  • The x64 modules are injected into services.exe
  • Removing any of the x64 Max++ modules while that registry modification is still in place results in a BSOD on the next boot, so restore the key before deleting the files
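
A check for the autorun point above, added here as an example and not part of the original notes: it reads the SubSystems value, lists every ServerDll module that csrss is told to load, and flags any that are not on the stock list. The stock module names (basesrv, winsrv, sxssrv) are an assumption for Windows 7 x64; compare against a clean machine of the same build, and supply that machine’s value via -Baseline to restore it before deleting any module files. Run it from an elevated PowerShell.

```powershell
# Added example: inspect (and optionally restore) the SubSystems value that the x64
# Max++/ZeroAccess variant modifies so csrss loads its module at boot.
# Assumption: on Windows 7 x64 the only ServerDll modules in a clean value are
# basesrv, winsrv and sxssrv. Verify against a known-clean machine of the same build.
param(
    # Full "Windows" value copied from a clean machine of the same OS build (optional).
    [string]$Baseline
)

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems'
$name = 'Windows'
$knownServerDlls = @('basesrv', 'winsrv', 'sxssrv')

function Get-SubSystemsValue {
    (Get-ItemProperty -Path $key -Name $name).$name
}

function Find-UnexpectedServerDll {
    param([string]$Value)
    # The value is whitespace-separated; loader entries look like
    # ServerDll=winsrv:ConServerDllInitialization,2   (module[:entrypoint],index)
    $hits = @()
    foreach ($token in ($Value -split '\s+')) {
        if ($token -match '^ServerDll=([^:,]+)') {
            $module = $Matches[1].ToLower()
            if ($knownServerDlls -notcontains $module) {
                $hits += [pscustomobject]@{ Module = $module; Token = $token }
            }
        }
    }
    return $hits
}

$current = Get-SubSystemsValue
Write-Host "Current value:`n$current`n"

$unexpected = Find-UnexpectedServerDll -Value $current
if (-not $unexpected) {
    Write-Host 'No unexpected ServerDll entries.'
    return
}

Write-Warning 'Unexpected ServerDll entries (csrss will try to load these at boot):'
$unexpected | Format-Table -AutoSize

if ($Baseline) {
    # Restore the value BEFORE deleting the module it points at; otherwise csrss
    # fails to load its server DLL on the next boot and the machine BSODs.
    Set-ItemProperty -Path $key -Name $name -Value $Baseline -Type ExpandString
    Write-Host 'Value restored from baseline. Reboot, then remove the module files.'
} else {
    Write-Host 'Re-run with -Baseline "<value from a clean machine>" to restore it.'
}
```

The script only reports by default; the write-back is gated on a baseline you copied from a clean machine, because the correct value differs between Windows versions and guessing it is what produces the boot failure described above.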

How to remove Rootkit ZeroAccess (what’s worked for me)

  1. Kaspersky Rescue Disk (make sure you update the databases first).  I scan the entire hard drive because ZeroAccess has turned up in unusual locations.  For example, it has recently been residing in C:\WINDOWS\$NtUninstallKBxxxxx$ (the x’s are random numbers).  KRD will delete or disinfect the rootkit.
  2. Combofix.  Sometimes it works; I’ve had to run it twice.
  3. Using specific ZeroAccess removal tools:
    – VBA32 Removal Tool – http://anti-virus.by/en/download_arkit_beta.php
    – Symantec’s FixZeroAccess – http://www.symantec.com/security_response/writeup.jsp?docid=2011-071314-0410-99
    – Kaspersky’s TDSSKiller – http://support.kaspersky.com/downloads/utils/tdsskiller.exe
    – Webroot ZeroAccess Removal – http://anywhere.webrootcloudav.com/antizeroaccess.exe
    – ESET’s Sirefef Remover (Sirefef is another name for ZeroAccess) – http://download.eset.com/special/encyclopaedia/ESETSirefefRemover.exe


I’ll update this post with more notes later.

update – 1.9.12

I’ve been dealing with Rootkit ZeroAccess every day now.  It inserts itself into the TCP/IP stack and is extremely tough to get rid of.  The TCP/IP stack is usually left corrupted and needs to be repaired or reinstalled after the cleanup.

Here’s what’s working for me this week.

  1. Scan the entire hard drive with the Kaspersky Rescue Disk.  Try to disinfect files; if disinfection isn’t possible, delete them.
  2. Download Combofix from another computer onto a USB stick.
  3. Rename Combofix to some random name.
  4. Reboot the infected computer into Windows.
  5. Disable the installed antivirus (Combofix requires this).
  6. Unplug the network adapter or shut off the wireless.
  7. Run Combofix.
  8. Run Combofix a second time.
  9. At this point the rootkit should be gone.
  10. Run a Malwarebytes scan to clear up any remnants.
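
The post-cleanup network repair referred to in the update above, as an added example and not the author’s own procedure: it checks that the services the TCP/IP stack and host firewall depend on still exist and are running, resets the Winsock catalog and the IPv4/IPv6 stack with netsh, and runs sfc. The service list is an assumption about what a clean Windows 7 install has; a service that is missing entirely has to be reinstalled from a clean machine’s registry export or the OS media. Run it from an elevated PowerShell after the Combofix passes, then reboot.

```powershell
# Added example: verify and repair the TCP/IP stack after ZeroAccess removal.
# Assumption: these service names exist on a clean Windows 7 install; adjust for
# other builds. Run elevated; the netsh resets take effect after a reboot.
$requiredServices = @(
    'Dhcp',      # DHCP Client
    'Dnscache',  # DNS Client
    'nsi',       # Network Store Interface Service
    'lmhosts',   # TCP/IP NetBIOS Helper
    'BFE',       # Base Filtering Engine (IPsec / firewall)
    'MpsSvc'     # Windows Firewall
)

function Test-NetworkServices {
    # Returns which required services are absent (deleted from the registry) or not running.
    $missing = @()
    $stopped = @()
    foreach ($svc in $requiredServices) {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        if (-not $s) { $missing += $svc; continue }
        if ($s.Status -ne 'Running') { $stopped += $svc }
    }
    [pscustomobject]@{ Missing = $missing; Stopped = $stopped }
}

function Repair-TcpIpStack {
    # Rebuild the Winsock catalog (removes any third-party LSPs) and reset IPv4/IPv6.
    netsh winsock reset
    netsh int ip reset "$env:TEMP\ip-reset.log"
    netsh int ipv6 reset "$env:TEMP\ipv6-reset.log"
    # Put the host firewall back to defaults in case it was switched off.
    netsh advfirewall reset
    # Replace protected system files the cleanup tools deleted or left damaged.
    sfc /scannow
}

$state = Test-NetworkServices
if ($state.Missing) {
    Write-Warning ('Services missing from the registry, reinstall needed: ' + ($state.Missing -join ', '))
}
foreach ($svc in $state.Stopped) {
    Set-Service -Name $svc -StartupType Automatic
    Start-Service -Name $svc
}
Repair-TcpIpStack
Write-Host 'Reboot, then confirm with: ipconfig /all ; nslookup www.example.com ; Test-Connection www.example.com'
```

If Test-NetworkServices reports a service as missing, the netsh resets will not bring it back; that is the case where the stack has to be reinstalled rather than repaired.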


37 Responses to Rootkit Zero Access Removal Notes

  1. MHazell December 28, 2011 at 5:14 pm #

    According to Java, they say that they have 7.0 out now, but when I went to upgrade my XP machine, it updated to 6.30 (from 6.29), but that was how far it wanted to go. It would not update to 7.0. Is this a sign that Oracle has stopped supporting XP, or does it mean that they are still working on the release of Java 7?

  2. Ben December 29, 2011 at 3:45 am #

    From what I can tell, 7.0 is still not in “mainstream”; it’s still being “tested” even if Update 2 has been posted, because even going to java.com it’s still suggesting 6.30 instead of 7.

    • MHazell December 31, 2011 at 4:00 am #

      Thanks for that info.

  3. thomas December 30, 2011 at 12:49 am #

    thanks for the post Matt!

  4. Jonathan December 30, 2011 at 2:44 am #

    Java 7 has to be downloaded from http://www.oracle.com; here is a direct link: http://www.oracle.com/technetwork/java/javase/downloads/index-jsp-138363.html#javasejdk

    There is a help page on http://www.java.com explaining why it’s not there and that you can get it from http://www.oracle.com. Here is a direct link to the help page: https://www.java.com/en/download/faq/java7.xml

    • MHazell December 31, 2011 at 4:02 am #

      I think I’ll wait until it goes mainstream. Besides, I have Microsoft Security Essentials along with MBAM Free.

  5. 1234shre December 30, 2011 at 5:47 am #

    Matt, the ZeroAccess infection also hides in System Restore. A week ago I cleaned this infection on my uncle’s PC using TDSSKiller; redbook.sys was infected. I even saw it hiding in System Restore. You should add a point to this guide:
    clear System Restore.

    It’s very important to do that, though, I tell you. Thanks for your vids!

    • mrizos February 23, 2012 at 2:23 pm #

      Thanks, I’ll add that to the notes.

  6. Adam December 30, 2011 at 5:57 pm #

    If you have to run all of those tools to make sure you got it all, what’s to say you didn’t get it all even with all of those tools. At which point do you just go the safer route and reinstall windows with that type of rootkit infection?

  7. Eric5176 January 1, 2012 at 4:56 pm #

    After I clean up home customers’ PCs from malware infections, removing Java is a post-cleanup step. Not everyone can do without Java, but a majority of them don’t do anything that requires it.

    • estechguy January 6, 2012 at 3:35 am #

      I think it is us geeks that do use it.

  8. Adele January 5, 2012 at 12:04 pm #

    I just experienced Rootkit.ZeroAccess the other day. After several unsuccessful attempts I concluded that I couldn’t put any more time into trying to clean it and opted to just reinstall the OS. That’s it.

  9. Mcarthy Jamie January 5, 2012 at 4:52 pm #

    Great info!! I just used McAfee’s RootkitRemover to get rid of ZeroAccess from my PC. It’s simple and efficient….

  10. Dave January 5, 2012 at 8:00 pm #

    The problem I had was after you remove ZeroAccess it left me with a NetBIOS over TCP/IP problem that I could not fix. I saw the post below about clearing the System Restore and wished I had done that; it may have restored the connection.

  11. Anonymous January 9, 2012 at 6:35 pm #

    Updated this post with my latest removal technique.

    • Bubba January 12, 2012 at 2:37 am #

      Matt, when will you do part 2 of your NIS 2012?

      • malwarekilla January 12, 2012 at 2:33 pm #

        Depends on when these calls slow down. Either tonight or Saturday. It’s going to be short. Just covering insight.

  12. ZOU January 9, 2012 at 10:33 pm #

    Can TCP/IP be fixed utilizing fix.exe, or does it have to be re-installed manually via the command prompt?

  13. ZOU January 10, 2012 at 6:19 am #

    I have another question. What are your options if you damage critical OS files during removal of this type of malware?

    • Anonymous January 10, 2012 at 3:34 pm #

      I have copies of each OS. I can replace corrupt/deleted OS files by mounting the client’s drive in a USB enclosure (dropping the files in the correct dirs).

  14. john January 12, 2012 at 3:43 pm #

    Suit filed against Symantec, claiming it sells Scareware http://www.thewindowsclub.com/suit-filed-symantec-claiming-sells-scareware

  15. john January 12, 2012 at 4:33 pm #

    Indian military computers hacked, Symantec source code leaked http://www.techspot.com/news/46990-indian-military-computers-hacked-symantec-source-code-leaked.html

  16. ZOU January 18, 2012 at 2:58 am #

    Man, that rootkit is turning out to be a real pain in the pants huh?

  17. WBY January 21, 2012 at 3:31 pm #

    Very good info, very close to what I’ve previously been doing, but something changed this week which dropped my success level from 90% to 20%. Obviously the zeroaccess people have updated something and I hope you will be posting a new update. I’ll be checking every day for it. Thanks!

  18. Cathie January 22, 2012 at 2:38 pm #

    This is great. We’ve been doing something similar but sometimes can’t get Combofix to run.

    • WBY January 22, 2012 at 3:34 pm #

      Recently Microsoft created and updated a new version of “Offline Defender” which looks like Microsoft Security Essentials. You can download both the 32-bit and 64-bit versions from their website. When you click on the file it will ask you if you want to burn it to a CD, USB, etc., making them bootable devices. I have had some success with this on PCs which will not connect to the Internet. Boot to the CD, and run UPDATE. In many cases it will actually connect, update itself, then you can run a quick or full scan. I usually start with the quick scan because the full scan can run several hours. If it detects anything during the scan a small yellow triangle will appear and let you know that it has found infections, and to wait until the scan is complete to view the details and remove them. Dr.Web has a similar file you can download to create a bootable CD with, but I haven’t tried that one yet to see if it will connect to the internet in cases where safe mode w/networking won’t. Hope that helps.

      • Cathie January 22, 2012 at 8:55 pm #

        I did try Dr. Web CureIt with a bootable CD once, but it didn’t work well. I think it hung. I had better luck doing it with a UBCD disk that had Dr. Web CureIt on it. I used that for curing the Virut virus a couple of years back. It “cured” instead of deleted infected system files.

        I’m trying a Kaspersky boot disk right now, but it hasn’t caught anything yet. Thanks so much for your response.

        • WBY February 6, 2012 at 1:03 pm #

          Did you ever get it fixed? We received a flood of infected PCs and the fastest turnaround was format/re-install. With 17 computers on the bench it was becoming too time consuming to spend hours and hours on each machine. Surprisingly, the calls stopped coming in about a week later, and we didn’t run into it again until late last week.

  19. 12345shre January 23, 2012 at 10:27 am #

    http://forum.avadas.de/threads/2994-avast

    Avast 7 release roadmap

    If you use Chrome you can translate the language to English using the plugin; on visiting the site you would automatically be prompted to translate it into English.

  20. albert February 18, 2012 at 11:27 pm #

    It worked for us. Thanks a lot !!!

    • mrizos February 23, 2012 at 2:24 pm #

      Sure, my pleasure!

  21. Kosch February 23, 2012 at 4:49 am #

    It does help! Thank you a lot! I was infected for nearly 4 weeks; when I discovered ZeroAccess 10 days ago, I was not able to reinstall the system because of study projects and deadlines. After a lot of try-outs in different ways, your guide gives me the chance to finish my projects and reinstall with time and planning!

    A big fat +1 for ya, dude!

    • mrizos February 23, 2012 at 2:24 pm #

      Thanks so much Kosch!

  22. Fadingaqueous April 20, 2012 at 3:51 pm #

    Have you tried anything that ESET had to offer? I’m going to try it, but concerned even though MANY sites have told me that it is safe and efficient. Any opinions?
