
Google redirect: quick and dirty guide to ZeroAccess removal.

 
How to determine if the infection is by the ZeroAccess/Sirefef rootkit.
1: The ACLs of the most regularly used malware scanners are continuously reset, which keeps those scanners from running.
[screenshot]
2: The presence on the infected computer of a process (shown in the screenshot) that runs off an autostart service installed by the malware.
[screenshot]
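As an added defender-side check (not part of the original post), this PowerShell script looks for the two indicators above on a suspect machine: explicit Deny entries in the ACLs of common scanner install folders, and auto-start services whose binary lives outside the Windows and Program Files trees. The scanner paths are assumed examples; adjust them to the tools actually installed, and run it from an elevated prompt on PowerShell 3.0 or later.

```powershell
# Added triage script, not from the original post. Assumptions: the scanner
# folders below are examples only; edit them to match the installed tools.

$scannerPaths = @(
    "$env:ProgramFiles\Malwarebytes Anti-Malware",
    "$env:ProgramFiles\ESET",
    "$env:ProgramFiles\McAfee",
    "${env:ProgramFiles(x86)}\Malwarebytes Anti-Malware"
)

# Indicator 1: Deny ACEs on scanner install folders. A healthy install
# normally carries no explicit Deny entries at all, so any hit is worth a look.
function Get-DenyAces {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $acl = Get-Acl -LiteralPath $p
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Deny') {
                [pscustomobject]@{
                    Path     = $p
                    Identity = $ace.IdentityReference.Value
                    Rights   = $ace.FileSystemRights
                }
            }
        }
    }
}

# Indicator 2: auto-start services whose image path is outside the usual
# system and program directories. This is a review list, not a verdict.
function Get-SuspectAutoStartServices {
    $trusted = @("$env:SystemRoot", "$env:ProgramFiles", "${env:ProgramFiles(x86)}") |
        Where-Object { $_ }   # drop empty entries (e.g. no x86 dir on 32-bit)
    Get-CimInstance Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' -and $_.PathName } |
        Where-Object {
            $path = $_.PathName.Trim('"')
            -not ($trusted | Where-Object { $path.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })
        } |
        Select-Object Name, State, PathName
}

"=== Deny ACEs on scanner folders ==="
Get-DenyAces -Paths $scannerPaths | Format-Table -AutoSize
"=== Auto-start services outside the system and program folders ==="
Get-SuspectAutoStartServices | Format-Table -AutoSize
```

Compare the service list against a known-clean machine of the same build; legitimate third-party agents installed elsewhere will also appear and need to be ruled out by hand.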
- Once the computer is known to be infected by ZeroAccess, assume that it has been compromised and that further infections are present, as the Trojan opens a backdoor on the infected machine. The most common fake AVs found so far on computers infected with ZeroAccess are Open Cloud, Guard Online/AV Guard, Wolfram, etc.
Here are the activation codes for most of the associated fake AVs; entering one can make disinfection less distracting.
Codes for AV Guard Online, Guard Online and Cloud Protection (new); try any of these:
9992665263
1148762586
1171249582
1186796371
1196121858
1225242171
1354156739
1579859198
1789847197
1835437232
1837663686
1961232582
Open Cloud Antivirus code:
DB038748-B4659586-4A1071AF-32E768CD-36005B1B-F4520642-3000BF2A-04FC910B
- The presence of a fake AV can complicate removal, as none of the approved removal tools except ComboFix can defy the rootkit's ACL modifications, which keep the infection protected from any regular scanner.
- Removal of ZeroAccess therefore has to be quick and dirty, and of necessity involves a broad spectrum of scanners.
The ideal method of remediation is as follows.
*Unless specified otherwise, run all of these tools simultaneously.*
Start the computer in Safe Mode with Networking and remove the fake AV autostarts manually and, if possible, the infected files as well. We need to do this so that we can concentrate completely on removing the main infection. Then RESTART THE COMPUTER IN NORMAL MODE; this is **very important**.
FYI
Using GMER to determine the infected files is possible, but it requires a practiced hand and can often lead to erroneous conclusions. It is still useful for identifying the driver that ZeroAccess infects; however, unless the options circled in red in the screenshot are unchecked, the malware soon shuts GMER down and disables it.
[screenshot]
As of now the only tool that can still defend itself against the sort of techniques ZeroAccess employs is TDSSKiller. However, do not use TDSSKiller to try to cure the infected driver. Use it to target the service that runs as the numbered process, and to identify the infected driver.
[screenshot]
Hitman Pro can resist the ACL modification only once and does not survive a reboot, so it has to be run simultaneously with the other tools. Running Hitman Pro gives us the chance to identify and remove autostarts and other infections that might prove dangerous; it also offers to replace the infected driver. Use this option, but make sure it is not set to delete the infected file.
[screenshot]
The infected driver now needs to be replaced. For this we can use the standalone removal utilities that McAfee and ESET have made for the ZeroAccess rootkit only. Manually replacing the driver is possible but not advised, as it may result in loss of functionality. Both utilities are excellent; however, the ESET utility has been observed to have a better detection and disinfection rate. Download links for both are at the end.
[screenshot]
[screenshot]
McAfee Sirefef removal tool: http://vil.nai.com/images/562354_2.zip
ESET Sirefef removal tool: http://download.eset.com/special/encyclopaedia/ESETSirefefRemover.exe
Tausif

Comments

  1. Using the Recovery Console to rewrite the MBR might help as well, especially if you have a TDSS variant as well.

