Zero Access Rootkit and Trojan.Sirefef

Posted 4/8/2012 3:30 AM
#93694

Robert Mateescu Advanced member

Date Joined Nov 2016
Total Posts: 427
Hi there,


As Easter is coming, so are new versions of different malware. One of the most annoying is Zero Access Rootkit (you can read all about it here).

How it manifests:
- You can locate a PING.exe CPU-draining process in your Task Manager; closing it will cause your Firewall to report port scans from multiple random IPs and the internet connection is lost; the "port scans" can be a "standalone" symptom too.
- Browser redirects.
- Windows Firewall Service and Base Filtering Engine are not shown in the services list.
- When trying to start Windows Firewall or Windows Defender you get a 0x80070424 error.
- Your AV detects parts of the Zero Access Rootkit but is unable to remove/completely remove it.


Removal guide:

- NO restarts between steps, NO reg cleaners!
- boot in Safe Mode with Networking.
- Download all tools and run them in this exact order.
- ATF Cleaner (to delete any malware from temp files, also decrease the time needed for other scans).
- MBAM and run a full C:\ drive scan.
- TDSSKiller (as 0 Access and TDL Alureon are similar)
- [url=http://download.bleepingcomputer.com/sUBs/ComboFix.exe]Combofix[/url] (reboot now).
Note: Other 0 Access removal tools are attached to this email, but they are all x86 only and not very effective (at least for the cases I have encountered).


[green]After removal[/green], it is possible that you'll lose your internet connectivity whilst in Normal mode.

- for the "The RPC Server is unavailable" error, check this post.

- for the "Limited or No Connectivity" status run the netsh winsock reset and netsh int ip reset c:\resetlog.txt commands, and the above if the error persists.

Note: you can use the "winsockfix" tool from the "Zero Access.zip" goodies bag.


In order to have a working Firewall, you need to enable the Base Filtering Engine as shown in this guide.

If the services refuse to start after reboot, check for dependency causes. If a Step 5 error message is shown, try this Microsoft Fixit tool.

Finally, uninstall and reinstall your Antivirus application.

Best wishes and a hearty Happy Easter!
Robert Mateescu
Senior Support Technician EN
[url]support@bullguard.com[/url]
www.bullguard.com

Download the Free Trial version of BullGuard Internet Security

You have a BullGuard related problem? Contact our Support team directly via Live Chat for immediate assistance: http://www.bullguard.com/support.aspx!
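A triage script for the symptoms listed in the post above (missing BFE/Windows Firewall services, the 0x80070424 "service does not exist" error, and a stray PING.exe process). This is an added example, not part of the original post or a BullGuard tool; the service names BFE, MpsSvc and WinDefend are the standard Windows ones, and the output format is my own.

```powershell
# Added example: check a Windows machine for the ZeroAccess symptoms described above.
# Run from an elevated PowerShell prompt; it only reads state and changes nothing.
$report = [ordered]@{}

# Symptom: Base Filtering Engine (BFE) and Windows Firewall (MpsSvc) are gone from the
# service list. Get-Service returns nothing for a service whose key was deleted.
foreach ($svc in 'BFE', 'MpsSvc', 'WinDefend') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($null -eq $s) {
        $report[$svc] = 'MISSING from service list (matches ZeroAccess symptom)'
    } else {
        # Start value: 2 = automatic, 3 = manual, 4 = disabled (registry, works on old and new PS).
        $start = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$svc" `
                  -Name Start -ErrorAction SilentlyContinue).Start
        $report[$svc] = "present, status $($s.Status), start value $start"
    }
}

# Symptom: error 0x80070424 (ERROR_SERVICE_DOES_NOT_EXIST) when starting the firewall
# or Defender. Confirm by looking at the service registry keys directly.
foreach ($key in 'BFE', 'MpsSvc', 'WinDefend') {
    $exists = Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\$key"
    $report["registry $key"] = if ($exists) { 'key present' } else { 'key MISSING (expect 0x80070424)' }
}

# Symptom: a CPU-draining PING.exe process. ping.exe is normally short-lived, so a
# long-running instance with a lot of CPU time is worth looking at (note the path).
$ping = Get-Process -Name ping -ErrorAction SilentlyContinue
if ($ping) {
    foreach ($p in $ping) {
        $path = if ($p.Path) { $p.Path } else { '(path unavailable)' }
        $report["ping.exe PID $($p.Id)"] = "running, CPU seconds $($p.CPU), started $($p.StartTime), path $path"
    }
} else {
    $report['ping.exe'] = 'not running'
}

# Print the findings as a simple two-column table.
$report.GetEnumerator() | ForEach-Object { '{0,-20} {1}' -f $_.Key, $_.Value }
```

A "MISSING" line for BFE or MpsSvc together with a missing registry key is the state the post describes, in which case the removal steps and the BFE re-enable guide above apply; a present but stopped service is an ordinary dependency problem instead.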
Posted 4/13/2012 11:24 PM
#93703

nsm0220 Member

Date Joined Nov 2016
Total Posts: 9
btw, HitmanPro and Dr.Web CureIt! can kill the Zero Access Rootkit