This post is split up into a few sections. It’s mostly my notes on dealing with rootkit ZeroAccess (a.k.a. Rootkit.ZeroAccess, W32/Sirefef or Max++).
Methods of Infection for Rootkit Zero Access (max++)
- Outdated Java (this seems to be the #1 way)
- .exe files with random porn-style names, made to look like videos. For example – filename.avi.exe
- Game cracks and serial number generators (which are actually rootkit ZeroAccess installers)
- Outdated Adobe Reader (acrobat)
- Windows updates not being installed
- Using only definition-based anti-virus
What it does once installed (indicators)
- Drops usermode malware into “$windir\assembly”
- Autorun key is set here: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems
- x64 modules are injected into services.exe
- Removing any of the x64 Max++ modules will result in a BSOD if the SubSystems registry key above still exists
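A read-only PowerShell triage script, added here and not part of the original post, that checks the three indicators above on a live machine: the SubSystems key, executables under %windir%\assembly, and modules loaded in services.exe. The ServerDll baseline list (basesrv, winsrv, sxssrv) is my assumption for a clean Windows 7-era box and should be compared against a known-good system; the script only reports, because deleting modules while the key is still set is exactly what triggers the BSOD noted above.

```powershell
# Added triage script (not from the original post). Read-only: it reports, never deletes.
# Assumption: a clean Windows 7 / 2008 R2 csrss line only references these ServerDll names.
$subKey          = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems'
$knownServerDlls = @('basesrv', 'winsrv', 'sxssrv')   # tune against a known-good machine

# 1. Dump the SubSystems values the post names as the autorun location.
$props = Get-ItemProperty -Path $subKey
foreach ($name in @('Windows', 'Required', 'Optional', 'Kmode')) {
    if ($props.PSObject.Properties[$name]) {
        Write-Host ("{0,-9}= {1}" -f $name, $props.$name)
    }
}

# Pull every ServerDll=<name> token out of the Windows subsystem line and flag unknown names.
$winLine    = [string]$props.Windows
$serverDlls = [regex]::Matches($winLine, 'ServerDll=([^:,\s]+)') | ForEach-Object { $_.Groups[1].Value }
foreach ($dll in $serverDlls) {
    if ($knownServerDlls -notcontains $dll.ToLower()) {
        Write-Warning "Unexpected ServerDll '$dll' in SubSystems\Windows - do not delete modules while this is set"
    }
}

# 2. Executables under %windir%\assembly, newest first. The GAC normally holds managed DLLs
#    in GAC_* / NativeImages_* folders; anything recent, hidden or in an odd folder needs review.
$asm = Join-Path $env:windir 'assembly'
Get-ChildItem -Path $asm -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.Extension -match '^\.(exe|dll|sys)$' } |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 25 FullName, Length, LastWriteTime, Attributes |
    Format-Table -AutoSize

# 3. Modules in services.exe whose on-disk path is outside %windir%\System32 (needs an elevated
#    shell). Pure in-memory injection will not show here, so an empty list is not proof of health.
$sys32 = Join-Path $env:windir 'System32'
try {
    (Get-Process -Name services).Modules |
        Where-Object { $_.FileName -and -not $_.FileName.StartsWith($sys32, [System.StringComparison]::OrdinalIgnoreCase) } |
        Select-Object ModuleName, FileName | Format-Table -AutoSize
} catch {
    Write-Warning "Could not enumerate services.exe modules: $_"
}
```

Run it from an elevated 64-bit PowerShell on the suspect machine before any cleanup tool, and keep the output so you can confirm the SubSystems line is back to baseline afterwards.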
How to remove rootkit zero access (what’s worked for me).
- Kaspersky Rescue Disk (make sure you update the databases). I scan the entire hard drive because rootkit ZeroAccess has popped up in unusual locations. For example, it’s now residing here: C:\WINDOWS\$NtUninstallKBxxxxx$ (the x’s are random numbers). KRD will delete the rootkit or disinfect it.
- Combofix. Sometimes it works. I’ve had to run it twice.
- Using specific rootkit ZeroAccess removal tools:
– VBA32 Removal Tool – http://anti-virus.by/en/download_arkit_beta.php
– Symantec’s FixZeroaccess – http://www.symantec.com/security_response/writeup.jsp?docid=2011-071314-0410-99
– Kaspersky’s TDSSKiller – http://support.kaspersky.com/downloads/utils/tdsskiller.exe
– Webroot ZeroAccess Removal – http://anywhere.webrootcloudav.com/antizeroaccess.exe
– Eset’s Sirefef Remover (a.k.a. ZeroAccess) – http://download.eset.com/special/encyclopaedia/ESETSirefefRemover.exe
I’ll update this post with more notes later.
update – 1.9.12
I’ve been dealing with rootkit ZeroAccess every day now. Rootkit ZeroAccess inserts itself into the TCP/IP stack and it’s extremely tough to get rid of. The TCP/IP stack is usually corrupted and needs to be repaired/reinstalled.
Here’s what’s working for me this week.
- Scan the entire hard drive via the Kaspersky Rescue Disk. Try to disinfect files, if disinfection isn’t possible then delete.
- Download Combofix from another computer onto a USB stick.
- Rename Combofix to some random name.
- Reboot the infected computer into Windows.
- Disable the Antivirus (for Combofix).
- Unplug the network adapter or shut off the wireless.
- Run Combofix.
- Run Combofix a second time.
- At this point the rootkit should be gone.
- Run a Malwarebytes scan to clear up any remnants.