February 10, 2012 - ZeroAccess Rootkit - Spells Serious Trouble
 
This is a timeline journal of my dealing with the ZeroAccess Rootkit.  As I progress on my findings I will post new information.  The standard malware removal tools, while the PC was infected, were ineffective at removing the infection.  This included MalwareBytes, Kaspersky's TDSSKiller, Hitman Pro, Prevx, and Norton 360.  Only good old-fashioned detective work was effective.

February 11, 2012 Update

ZeroAccess rootkit removal successful.  No reinstallation of Windows needed!  Posted below are the screen prints of what I found and cleaned up.  Once I got rid of usr11g.dll and kbfiltr.dll (fake Oak Technology Sound Drivers) and the globalroot paths to svchost, HitmanPro started working (and identified the files I had isolated as bad), MalwareBytes ran and found more registry traces, and Norton 360 woke up from its slumber and decided to start working again.


NOTE: This may be a blended threat, as this customer was a flamboyant web surfer.  I also noted that Autoruns only worked when launched from the Hiren Boot CD; it would not load if autoruns.exe was installed to the hard drive.

[Screenshot: Autoruns exposure of the ZeroAccess rootkit]

Once I disabled the suspicious-looking services running active in memory, HitmanPro began working.  Note that I had to disable the services from Autoruns, which I launched from the Hiren BootCD (under its boot environment):

[Screenshot: Trojan Sirefef.BV]

More interesting findings:

[Screenshot: vaiomediaplatform rootkit]

Norton 360 woke up and gave this message.  The ZeroAccess rootkit cleaner from Norton took care of this.  As a precaution, you might want to boot off your Hiren BootCD and replace i8042prt.sys and netbt.sys with known-clean copies.

[Screenshot: Norton 360 Ntos]

It would be a good idea to turn off your PC every night and, each morning for the next week, do a full scan with Norton, Malwarebytes (don't forget to update the signature files each day), Kaspersky's TDSSKiller, and HitmanPro.  Keep this up for at least a week, so that if new areas of infestation are detected they can be cleaned up.


February 10, 2012

Here's the email I wrote to my customer, whose Windows XP Pro SP3 PC got the ZeroAccess Rootkit.

Joe:

I worked on it until midnight last night.  It has the ZeroAccess rootkit, which is one of the most advanced malware rootkits in existence.  The primary infection mechanism is unpatched Java, which you had; unpatched Adobe Reader exploits can also launch this.

Not only did Norton 360 fail to stop it (at least it identified it), but several ZeroAccess malware removal tools missed the mark and were unable to stop it.  Those which couldn't remove it were:

(Tests run February 9, 2012)
Norton's own ZeroAccess removal program
McAfee ZeroAccess removal program
Webroot's ZeroAccess/Max++ removal program
Kaspersky's TDSS Killer


The rootkit successfully suppressed (and eventually shut down) the Norton 360 you had on your PC.  We'll probably have to reinstall or repair Norton 360.  MalwareBytes and HitmanPro 3.6 would start but would not initialize.

The special "boot from cd" rescue kits - Kaspersky - failed

Portable Antivirus Solutions: Dr. Web Cure It - failed

The cloud-based Prevx, rated as one of the best preventative and proactive anti-malware products, failed to identify the infected device drivers (when run from a Hiren Boot CD with an active network connection).

Only one product successfully identified the two infected driver files, and that was after I manually searched and did my own quantitative comparisons and found the infected Redbook.sys.  That was AVG's Linux-based bootable Rescue CD.  Kaspersky's rescue CD should have found it, because like AVG it's also Linux-based and not affected by any of ZeroAccess's circumvention (which depends on a Windows operating system).

Another suggested solution, Combofix, would not launch; the rootkit evidently has anti-tampering in place to prevent tools like Combofix from doing their diagnosis and cleanup.

Sunbelt Software's Vipre Live Rescue disinfection program also identified the two infected files, when run under a Hiren Boot CD.

I'm not out of the woods yet; I have to bring your PC back up to see if all the services work in an orderly fashion, and if I can run Malwarebytes.  I ran out of time this morning and will be resuming this evening.  Malwarebytes has one of the better registry cleanups of collateral damage of all the anti-malware products.

If possible I'm trying to salvage what's on your hard drive without reloading windows.  At this point I'm hopeful.

I also removed Java's Runtime (JRE) files; I'm guessing you probably won't miss it.  This is not to be confused with JavaScript.  For all my customers I recommend removing Java because it is exploited on a regular basis.

The only reason to keep Java is if you have some proprietary web based program - say a program or game interface that's web based, and it requires Java.

You can go to Add/Remove Programs and look for: JAVA (TM) 6 (Update XX), where XX can be 1 through 30

or

JAVA (TM) 5 or earlier

You are mainly a candidate for infection if you use the PC.  If you have a server which nobody interacts with directly on the keyboard/mouse, then it is generally safe to leave Java installed; however, it wouldn't be a bad idea to remove it.


Note: This is not an endorsement or recommendation of any product, don't throw out your current antivirus or anti-malware solution because it fails tests here. A majority of antivirus/antimalware products failed to do their job on your PC, so as a whole the anti-virus/anti-malware industry is not doing so well right now.
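To make concrete the two things that actually worked in this write-up, the "quantitative comparison" of driver files that turned up the infected Redbook.sys, and the Autoruns review that exposed the globalroot svchost paths and the fake "Oak Technology" sound drivers, here is a small Python script I have added to this page. It is my own illustration, not code from the original journal entries or from any of the vendor tools named above. It assumes you run it from a boot environment (Hiren BootCD or a Linux rescue CD) against the mounted Windows drive rather than inside the infected OS, and that you have a baseline of hashes taken from a known-clean copy of the same driver files. Every hash, file byte string and Autoruns entry below is constructed for the example; the driver names (redbook.sys, i8042prt.sys, netbt.sys, kbfiltr.dll, svchost) are the ones mentioned in the post.

```python
"""Driver-integrity check and Autoruns triage for a ZeroAccess-style cleanup.

Added example, not part of the original post. All data here is constructed.
"""
import hashlib
import os
import tempfile

# Constructed "known-clean" driver images. In real use the baseline hashes come
# from hashing the same files on a clean copy of the OS at the same patch level
# (install media, the ServicePackFiles cache, or a trusted machine); the bytes
# here only stand in for that so the example runs offline.
CLEAN_DRIVER_IMAGES = {
    "redbook.sys": b"constructed clean redbook.sys image",
    "i8042prt.sys": b"constructed clean i8042prt.sys image",
    "netbt.sys": b"constructed clean netbt.sys image",
}
BASELINE_SHA256 = {name: hashlib.sha256(data).hexdigest()
                   for name, data in CLEAN_DRIVER_IMAGES.items()}


def sha256_file(path, chunk_size=1 << 16):
    """SHA-256 of a file, read in chunks so large images are not held in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def compare_drivers(driver_dir, baseline):
    """Compare every baseline driver against the copy found in driver_dir.

    Returns {filename: "ok" | "MODIFIED" | "MISSING"}. MODIFIED means the bytes
    on disk differ from the known-clean copy. Because this runs from a boot CD,
    the rootkit's in-OS hiding and scanner suppression do not get a say.
    """
    report = {}
    for name, good_hash in baseline.items():
        path = os.path.join(driver_dir, name)
        if not os.path.isfile(path):
            report[name] = "MISSING"
        elif sha256_file(path) == good_hash:
            report[name] = "ok"
        else:
            report[name] = "MODIFIED"
    return report


def suspicious_autoruns(entries):
    """Triage heuristics over Autoruns-style entries (dicts with entry, category,
    description, image_path). Returns [(entry_name, [reasons])] for entries that
    deserve a closer look; it is a review list, not a verdict."""
    hits = []
    for entry in entries:
        path = entry["image_path"].lower()
        reasons = []
        # Autoruns showed the rogue svchost via a \\?\globalroot device path;
        # legitimate autostart entries use ordinary drive-letter paths.
        if "globalroot" in path:
            reasons.append("image loaded via a \\\\?\\globalroot device path")
        # A kernel driver entry should point at a .sys image; the fake "sound
        # driver" entries in the post pointed at .dll files instead.
        if entry["category"] == "Drivers" and not path.endswith(".sys"):
            reasons.append("driver entry points at a non-.sys image")
        if reasons:
            hits.append((entry["entry"], reasons))
    return hits


# Constructed sample entries modelled on what the post reports.
SAMPLE_AUTORUNS = [
    {"entry": "netbt", "category": "Drivers", "description": "constructed benign entry",
     "image_path": r"C:\WINDOWS\system32\drivers\netbt.sys"},
    {"entry": "svchost", "category": "Services", "description": "constructed rogue service",
     "image_path": r"\\?\globalroot\systemroot\system32\svchost.exe"},
    {"entry": "kbfiltr", "category": "Drivers", "description": "Oak Technology Sound Driver",
     "image_path": r"C:\WINDOWS\system32\drivers\kbfiltr.dll"},
]


def build_sample_driver_dir():
    """Write a constructed drivers directory: two clean files and a tampered redbook.sys."""
    drivers = tempfile.mkdtemp(prefix="drivers_")
    for name, data in CLEAN_DRIVER_IMAGES.items():
        if name == "redbook.sys":
            data = data + b" + constructed rootkit patch"
        with open(os.path.join(drivers, name), "wb") as fh:
            fh.write(data)
    return drivers


if __name__ == "__main__":
    for name, status in compare_drivers(build_sample_driver_dir(), BASELINE_SHA256).items():
        print(f"{name:14} {status}")
    for entry_name, reasons in suspicious_autoruns(SAMPLE_AUTORUNS):
        print(f"REVIEW {entry_name}: {'; '.join(reasons)}")
```

Run as-is it reports redbook.sys as MODIFIED and lists the svchost and kbfiltr entries for review. Against a real drive you would point compare_drivers at the mounted system32\drivers folder and feed suspicious_autoruns the rows of an Autoruns CSV export; anything flagged is a candidate to disable from the boot environment and replace with a known-clean copy, which is exactly the order of operations that got HitmanPro and the other scanners working again in this case.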
