Rootkit Zero Access Removal Notes

This post is split into a few sections.  It’s mostly my notes on dealing with rootkit zero access (a.k.a. – rootkit.zeroaccess, w32/Sirefef or Max++).

Methods of Infection for Rootkit Zero Access (max++)

  • Outdated Java (this seems to be the #1 way)
  • .exe’s that have random porn-type names.  They are made to look like videos.  For example – filename.avi.exe
  • Game cracks and serial number generators (that are actually rootkit zeroaccess installers)
  • Outdated Adobe Reader (acrobat)
  • Windows updates not being installed
  • Using only definition based anti-virus

X64 Notes

  • drops usermode malware into “$windir\assembly”
  • autorun key is set here:  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems
  • x64 modules are injected into services.exe
  • removing any of the x64 max++ modules will result in a BSOD if the above registry key still exists
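Because deleting the x64 modules with the SubSystems key still in place bluescreens the box, it is worth inspecting that key before removal. The following triage script is an added example and not part of the original notes: it parses the “Windows” value of the SubSystems key and flags any ServerDll module outside a known-good set. The known-good set (basesrv, winsrv, sxssrv) is an assumption based on default XP/Vista/7 values, and both sample values are constructed (the tampered one uses a made-up module name, not a real indicator).

```python
import re
import sys

# Known-good ServerDll modules for the "Windows" value of the SubSystems key
# (assumption: the defaults on XP, Vista and 7 are basesrv, winsrv and sxssrv).
KNOWN_SERVER_DLLS = {"basesrv", "winsrv", "sxssrv"}

# Key named in the notes above (under HKEY_LOCAL_MACHINE).
SUBSYSTEMS_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems"


def server_dlls(windows_value):
    """Return the module names listed as ServerDll=<module>[:<init>],<n>, in order."""
    return [m.lower() for m in re.findall(r"ServerDll=([^:,\s]+)", windows_value)]


def unexpected_server_dlls(windows_value):
    """Return the ServerDll modules that are not in the known-good set."""
    return [m for m in server_dlls(windows_value) if m not in KNOWN_SERVER_DLLS]


def read_windows_value():
    """Read the live value on a Windows host; return None elsewhere so the script runs offline."""
    if sys.platform != "win32":
        return None
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SUBSYSTEMS_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "Windows")
        return value


# Constructed samples: a clean Windows 7 style value, and the same value with one
# ServerDll swapped for a made-up module name to show what a tampered entry looks like.
CLEAN_SAMPLE = ("%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows "
                "SharedSection=1024,20480,768 Windows=On SubSystemType=Windows "
                "ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
                "ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16")
TAMPERED_SAMPLE = CLEAN_SAMPLE.replace(
    "ServerDll=sxssrv,4", "ServerDll=examplesrv:ConServerDllInitialization,2")

if __name__ == "__main__":
    checks = [("clean sample", CLEAN_SAMPLE), ("tampered sample", TAMPERED_SAMPLE),
              ("live SubSystems key", read_windows_value())]
    for label, value in checks:
        if value is None:
            continue  # not on Windows, nothing live to read
        bad = unexpected_server_dlls(value)
        print(f"{label}: {'OK' if not bad else 'UNEXPECTED ServerDll: ' + ', '.join(bad)}")
```

Any module reported here should be resolved against %SystemRoot%\system32 and checked before the x64 modules are removed; on a clean machine the script prints OK for the live key.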

How to remove rootkit zero access (what’s worked for me).

  1. Kaspersky Rescue Disk (make sure you update the databases).  I scan the entire hard drive because rootkit zero access has popped up in unusual locations.  For example, it’s now residing here: C:\WINDOWS\$NtUninstallKBxxxxx$  (the x’s are random numbers).  KRD will delete the rootkit or disinfect it.
  2. Combofix.  Sometimes it works.  I’ve had to run it twice.
  3. Using Specific Rootkit Zero Access removal tools:
    – VBA32 Removal Tool – http://anti-virus.by/en/download_arkit_beta.php
    – Symantec’s FixZeroaccess – http://www.symantec.com/security_response/writeup.jsp?docid=2011-071314-0410-99
    – Kaspersky’s TDSSKiller – http://support.kaspersky.com/downloads/utils/tdsskiller.exe
    – Webroot ZeroAccess Removal – http://anywhere.webrootcloudav.com/antizeroaccess.exe
    – Eset’s Sirefef Removal (a.k.a. – ZeroAccess) – http://download.eset.com/special/encyclopaedia/ESETSirefefRemover.exe

I’ll update this post with more notes later.

update – 1.9.12

I’ve been dealing with rootkit zeroaccess every day now.  Rootkit Zeroaccess inserts itself into the TCP/IP stack and it’s extremely tough to get rid of.  The TCP/IP stack is usually corrupted and needs to be repaired/reinstalled.

Here’s what’s working for me this week.

  1. Scan the entire hard drive via the Kaspersky Rescue Disk.  Try to disinfect files, if disinfection isn’t possible then delete.
  2. Download Combofix from another computer onto a USB stick.
  3. Rename Combofix to some random name.
  4. Reboot the infected computer into Windows.
  5. Disable the Antivirus (for Combofix).
  6. Unplug the network adapter or shut off the wireless.
  7. Run Combofix.
  8. Run Combofix a second time.
  9. At this point the rootkit should be gone.
  10. Run a Malwarebytes scan to clear up any remnants.
