ZeroAccess rootkit fun - not so much.

Discussion in 'Computing and Networks' started by SgtWookie, Oct 26, 2011.

  1. SgtWookie

    Thread Starter Expert

    Jul 17, 2007
    This one's REALLY quite annoying.

    A friend called me last week, saying they were having problems with their computer (again; I'd fixed it a couple of months ago when his registry exited stage left) and asked me if I could come over Saturday and have a look at it.

    McAfee's writeup: Labs Threat Advisory-ZeroAccess.pdf
    You really should read the above, as this ZeroAccess not only kills most antivirus tools, it buries them by revoking access privileges.

    I spent the better part of Saturday trying to get his system cleaned of this thing. Didn't know what it was at first; kept getting browser redirects when trying Google searches. I'd installed AVG Free 2012 previously, but it wasn't working. Unfortunately, his CD-ROM drive wasn't functional, so my toolkit of diagnostic CD's was worthless.

    The Windows Installer was not active, and I couldn't start the task. Turned out when I tried running msiexec.exe that "Access is denied" - the rootkit had removed all access privileges after killing the process. Apparently, Microsoft Update had tried to install a replacement for a "tripwire" (think of it as a file used as "bait"), and when msiexec.exe tried to update the tripwire file (in this case it was mrxsmb.sys, as in the .pdf file - but it can be many other files), it was killed. As soon as a process/program tries to access the tripwire files, the rootkit attaches an APC that causes the process/program to exit immediately - and revokes access.

    This really gets annoying as tool after tool gets killed and access removed. I couldn't even install a number of tools I normally would use since msiexec wasn't started. Tried using GMER, but didn't know about the "tripwire", so GMER got killed along with the other tools.

    It can't revoke privileges on flash drives/USB sticks nor CDs, so they are good things to have handy.

    I took the computer home with me so I could swap out the CD-ROM with a working one. Finally got rid of the rootkit using the latest ComboFix, and then it's been a time putting the machine back together.

    Of course you have to reset privileges back to defaults, but this rootkit ALSO got rid of (deleted) secedit.exe, along with revoking privs; had to expand a new one but call it secedi.exe until the privs were restored.
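    The post above describes two things a defender can check for directly: system executables that have had their access rights stripped, and ones (like secedit.exe) that are simply gone. The PowerShell script below is an added example, not code from the thread or from any of the tools it mentions. The file list is an assumption built from the names the post cites (msiexec.exe, secedit.exe, mrxsmb.sys), and the set of principals expected to hold ReadAndExecute is the normal layout of files under System32.

```powershell
# Added example: audit whether a handful of system files still exist and still
# grant ReadAndExecute to the identities that normally hold it under System32.
# A rootkit that "revokes access" (as in the post) shows up as ACCESS-STRIPPED
# or ACL-UNREADABLE; a deleted file (the poster's secedit.exe) shows up as MISSING.
# The watch list is an assumption taken from file names mentioned in the thread.
$Watch = @(
    "$env:SystemRoot\System32\msiexec.exe",
    "$env:SystemRoot\System32\secedit.exe",
    "$env:SystemRoot\System32\drivers\mrxsmb.sys"
)

# Identities that normally carry at least Allow ReadAndExecute on these files.
$Expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'BUILTIN\Users')

function Test-SystemFileAccess {
    param([string[]]$Paths, [string[]]$Principals)
    $rx = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) {
            [pscustomobject]@{ Path = $p; Status = 'MISSING'; Detail = 'file absent (deleted or hidden)' }
            continue
        }
        try {
            $acl = Get-Acl -LiteralPath $p -ErrorAction Stop
        } catch {
            # Reading the security descriptor itself needs READ_CONTROL; a stripped
            # DACL often makes even this fail, which is a finding in its own right.
            [pscustomobject]@{ Path = $p; Status = 'ACL-UNREADABLE'; Detail = $_.Exception.Message }
            continue
        }
        $missing = foreach ($id in $Principals) {
            $ok = $acl.Access | Where-Object {
                $_.IdentityReference.Value -eq $id -and
                $_.AccessControlType -eq 'Allow' -and
                (($_.FileSystemRights -band $rx) -eq $rx)   # FullControl also satisfies this
            }
            if (-not $ok) { $id }
        }
        if ($missing) {
            [pscustomobject]@{ Path = $p; Status = 'ACCESS-STRIPPED'; Detail = "no Allow ReadAndExecute for: $($missing -join ', ')" }
        } else {
            [pscustomobject]@{ Path = $p; Status = 'OK'; Detail = "owner $($acl.Owner)" }
        }
    }
}

Test-SystemFileAccess -Paths $Watch -Principals $Expected | Format-Table -AutoSize
```

Two caveats follow from the post itself. The tripwire mechanism it describes triggers on any process that touches the bait file, so on a live infected machine this script may be killed the moment it opens mrxsmb.sys; run it from a clean boot environment (the poster's point about CDs and USB sticks) if you want a trustworthy answer. And the script only reports; restoring the default descriptors is the separate step the poster did with secedit.exe, which is why that binary being deleted is worth detecting here.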
  2. praondevou

    AAC Fanatic!

    Jul 9, 2011
    It does not seem to be exactly the same thing, but I also had "google redirects" a few months ago. Really nothing helped until I found the tdsskiller.exe app from Kaspersky:

    It was one of the most annoying things I ever had on my machine.
    Last edited: Oct 27, 2011
  3. Georacer
    Nov 25, 2009
    It's been a VERY long time since I had a virus in my PC, to a point that I underestimate antivirus software. I guess it's like AIDS. Awareness and conscious use of your tool is everything.
  4. strantor

    AAC Fanatic!

    Oct 3, 2010
    Also like AIDS, it helps if you don't slum around on the wrong side of town. I used to get into all kinds of viruses back when I had a penchant for downloading bootleg software. Now I play with electronics and it's a lot harder to get AIDS that way.
  5. t06afre

    AAC Fanatic!

    May 11, 2009
  6. Wendy
    Mar 24, 2008
    I may be wrong, but I believe ComboFix was developed by the folks at If I'm right it is best to get it from the source.
  7. studiot

    AAC Fanatic!

    Nov 9, 2007
    Bleeping Computer is the parent site for ComboFix.

    It is indeed a good tool, so long as you have sufficient control of the PC to run it.

    Sometimes safemode is best for this.

    I have today the unenviable task of telling an owner that his PC has picked up the Ramnit virus, for which there is no known cure.

    The problem with this one is that it goes through your files adding a piece of code to each one, any of which can restart the virus. If you remove infected files and sufficient system files have been infected Windows becomes unworkable.

    So the only cure is a complete format and reinstallation.

    I found about four and a half thousand infected executable files in this installation.
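    A file infector of the kind described in this post, one that appends code to executable after executable, is a case where a hash baseline taken on a known-clean system pays for itself: the infection shows up as a wave of PE files whose hashes changed and whose sizes grew. The script below is an added example, not code from the thread or from any tool it names. The root directory, the baseline file location and the extension list are assumptions.

```powershell
# Added example: build a SHA-256 baseline of executable files on a known-clean
# machine, then later compare against it. Modified files are reported with how
# much they grew, since an appending infector typically makes every file larger.
# Root, baseline path and extension list are assumptions, not from the thread.
function Get-ExecutableHashes {
    param([string]$Root)
    Get-ChildItem -LiteralPath $Root -Recurse -File -Include *.exe, *.dll, *.sys -ErrorAction SilentlyContinue |
        ForEach-Object {
            $h = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            if ($h) { [pscustomobject]@{ Path = $_.FullName; Length = $_.Length; Hash = $h.Hash } }
        }
}

function Compare-ExecutableBaseline {
    param([string]$Root, [string]$BaselinePath)
    $old = @{}
    Import-Csv -LiteralPath $BaselinePath | ForEach-Object { $old[$_.Path] = $_ }
    foreach ($cur in Get-ExecutableHashes -Root $Root) {
        $prev = $old[$cur.Path]
        if (-not $prev) {
            [pscustomobject]@{ Path = $cur.Path; Change = 'NEW'; Growth = $null }
            continue
        }
        if ($prev.Hash -ne $cur.Hash) {
            # Positive Growth on many files at once is the pattern to look for.
            [pscustomobject]@{ Path = $cur.Path; Change = 'MODIFIED'; Growth = [int64]$cur.Length - [int64]$prev.Length }
        }
    }
}

# First run (on a clean machine) writes the baseline; later runs compare against it.
$root = "$env:SystemRoot\System32"           # assumed scan root
$base = "$env:ProgramData\exe-baseline.csv"  # assumed baseline location
if (-not (Test-Path -LiteralPath $base)) {
    Get-ExecutableHashes -Root $root | Export-Csv -LiteralPath $base -NoTypeInformation
    "Baseline written to $base"
} else {
    Compare-ExecutableBaseline -Root $root -BaselinePath $base |
        Sort-Object Change, Path | Format-Table -AutoSize
}
```

Legitimate updates also change hashes, so a handful of MODIFIED entries after Patch Tuesday is normal; thousands of them with uniform positive growth is the signature this post is describing. The comparison only makes sense against a baseline taken before infection, which is exactly why, on a machine like the one in the post, the conclusion is still format and reinstall.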
  8. ErnieM

    AAC Fanatic!

    Apr 24, 2011
    I've got the redirect virus 2 or 3 times from work, where I download nothing if it is not off a manufacturer's site (i.e., Microchip tools), and stay way away from any out-of-the-mainstream websites. I assume IT has an effective AV installed (I forget which one), but they still get in somehow.

    First time I found a link to using tdsskiller and several other apps to do the cleaning. It still works, though I update whenever I'm fixin' it again.