
Google redirect - Removing ZeroAccess manually and without any tools (except to scan)

Due to popular demand, and to comply with the official policy on not using tools such as Hitman Pro and TDSSKiller, I am releasing the guide for manual removal of the Sirefef Trojan. Please note that this has been tested by me only on 32-bit systems and not on 64-bit systems.
The registry entries created by a ZeroAccess infection are given below. ZeroAccess configures a service as an autostart (the highlighted service entries in the Regshot listing below), which can be used to target it like a regular virus instead of the kernel-mode rootkit it is. The next step is determining the infected driver and finding a replacement. This can be done with a scanning tool such as GMER or TDSSKiller (please do not use these tools to remove the virus, as that is against policy). Once the infected driver is identified, we can replace it with a clean copy from either another location within the PC or elsewhere.
1: Delete the service from the list at HKLM\SYSTEM\ControlSet001\Services\
2: Delete the process file located in %systemroot% (it is usually numbered, and the process can be viewed easily).
3: Delete the file and its autostart entry from HKU\SID\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Where SID can be \S-1-5-21-2025429265-839522115-682003330-1003 or similar.
Delete the file listed in the autostart given above: it is usually in the %appdata% folder and will need to be deleted forcefully.
Restart the computer and perform a full scan; you should be clean of ZeroAccess.
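Before deleting anything, it helps to list the persistence points the steps above refer to so you know exactly which service, which numbered file and which Shell value you are about to remove. The following PowerShell is an added, read-only inventory script, not code from the original post: it reports service entries whose ImagePath has a ':' inside the file name (the alternate-data-stream form seen in the Regshot diff below, e.g. \systemroot\58222860:4086728700.exe), and any Winlogon\Shell value in HKLM or in a loaded user hive that is not the default explorer.exe. It assumes an elevated PowerShell 3.0 or later session on a 32-bit host; the function name Get-ZeroAccessIndicators is my own. Nothing is deleted; it only prints what it finds.

```powershell
# Added example, not part of the original post. Read-only inventory of the
# ZeroAccess/Sirefef persistence points described in the steps above.
# Assumes an elevated PowerShell 3.0+ session (32-bit Windows as in the post).

function Get-ZeroAccessIndicators {
    $findings = New-Object System.Collections.Generic.List[object]

    # (a) Service entries whose ImagePath names an NTFS alternate data stream:
    #     a ':' after the last backslash, e.g. \systemroot\58222860:4086728700.exe
    foreach ($root in 'HKLM:\SYSTEM\ControlSet001\Services',
                      'HKLM:\SYSTEM\CurrentControlSet\Services') {
        if (-not (Test-Path $root)) { continue }
        foreach ($svc in Get-ChildItem $root -ErrorAction SilentlyContinue) {
            $p    = Get-ItemProperty $svc.PSPath -ErrorAction SilentlyContinue
            $img  = ([string]$p.ImagePath).Trim('"')
            $leaf = $img -replace '^.*\\', ''       # file name after the last backslash
            if ($leaf -match ':') {
                $findings.Add([pscustomobject]@{
                    Kind  = 'Service'
                    Where = ($svc.PSPath -replace '^.*::', '')
                    Value = $img
                    # Type 1 = SERVICE_KERNEL_DRIVER, Start 3 = demand start (values in the Regshot diff)
                    Note  = "Type=$($p.Type) Start=$($p.Start)"
                })
            }
        }
    }

    # (b) Winlogon\Shell overrides: HKLM plus every loaded user hive under HKEY_USERS
    if (-not (Get-PSDrive HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    $winlogon = 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $keys = @("HKLM:\$winlogon") +
            @(Get-ChildItem HKU:\ -ErrorAction SilentlyContinue |
              ForEach-Object { "$($_.PSPath)\$winlogon" })
    foreach ($k in $keys) {
        $shell = (Get-ItemProperty $k -Name Shell -ErrorAction SilentlyContinue).Shell
        if ($shell -and $shell -ne 'explorer.exe') {
            $path = ([string]$shell).Trim('"')
            if (Test-Path -LiteralPath $path) { $state = 'file present' } else { $state = 'file missing' }
            $findings.Add([pscustomobject]@{
                Kind  = 'WinlogonShell'
                Where = ($k -replace '^.*::', '')
                Value = $shell
                Note  = $state
            })
        }
    }
    return $findings
}

# Print the inventory; an empty table means none of the listed indicators were found.
Get-ZeroAccessIndicators | Format-Table -AutoSize -Wrap
```

On the machine from the Regshot diff this would list the c697803 service twice (ControlSet001 and CurrentControlSet) and the per-user Shell value pointing at the X file under Local Settings\Application Data\0c697803. Keep the printed output with your notes; it is the list of items steps 1 to 3 remove and is what a later full scan should confirm is gone.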
Regshot 1.8.2
Comments:
Datetime:2011/10/30 17:57:17 , 2011/10/30 17:59:49
Computer:TAU-863929E6041 , TAU-863929E6041
Username:test , test
---------------------------------Keys added:5----------------------------------
HKLM\SYSTEM\ControlSet001\Services\c697803
HKLM\SYSTEM\CurrentControlSet\Services\c697803
HKU\S-1-5-21-2025429265-839522115-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\1\0\1\2
HKU\S-1-5-21-2025429265-839522115-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\37
HKU\S-1-5-21-2025429265-839522115-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\37\Shell
----------------------------------Values added:14----------------------------------
HKLM\SYSTEM\ControlSet001\Services\c697803\Type: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\c697803\Start: 0x00000003
HKLM\SYSTEM\ControlSet001\Services\c697803\ImagePath: "\systemroot\58222860:4086728700.exe"
HKLM\SYSTEM\CurrentControlSet\Services\c697803\Type: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\c697803\Start: 0x00000003
HKLM\SYSTEM\CurrentControlSet\Services\c697803\ImagePath: "\systemroot\58222860:4086728700.exe"
HKU\S-1-5-21-2025429265-839522115-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\1\0\1\2: 4E 00 31 00 00 00 00 00 5E 3F A2 56 13 00 52 65 63 65 6E 74 00 00 38 00 03 00 04 00 EF BE 5E 3F 0B 52 5E 3F 39 87 14 00 22 00 52 00 65 00 63 00 65 00 6E 00 74 00 00 00 40 73 68 65 6C 6C 33 32 2E 64 6C 6C 2C 2D 31 32 36 39 31 00 16 00 00 00
HKU\S-1-5-21-2025429265-839522115-682003330-1003\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "C:\Documents and Settings\test\Local Settings\Application Data\0c697803\X"
