Due to popular demand to comply with official policy on the non usage of tools such as hitman pro and tdss killer, I am releasing the guide for manual removal of the sirefef Trojan. Please note that this has been tested by me only on 32 bit systems and not on 64 bit systems.
The entries created by a zeroaccess infection are given below .The zeroccess configures a service as an autostart (Highlighted)which can be used to target it like a regular virus, instead of the kernel mode rootkit it is. The next step is determining the infected driver and finding a replacement. This can be sone by using a scanning tool such as GMER and TDSSKILLER (Please do not use these tools to remove the virus as it is against policy). Once the infected driver is determined we can replace it using a clean copy from either another location within the PC or elsewhere.
1: Delete the service from the list at HKLM\SYSTEM\ControlSet001\Services\
2: Delete the process file located at the %systemroot%( its usually numbered and the process can be viewed easily.)
3: Delete the file and it autstart from HKU\SID\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Where SID can be \S-1-5-21-2025429265-839522115-682003330-1003 or similar.
Delete the file listed in the autostart given above : its usually in the %appdata% folder and will need to be deleted forcefully.
Restart the computer and perform a full scan, you should be clean of zeroacces
Regshot 1.8.2
Comments:
Datetime:2011/10/30 17:57:17 , 2011/10/30 17:59:49
Computer:TAU-863929E6041 , TAU-863929E6041
Username:test , test
---------------------------------Keys added:5----------------------------------
HKLM\SYSTEM\ControlSet001\Services\c697803
HKLM\SYSTEM\CurrentControlSet\Services\c697803
HKU\S-1-5-21-2025429265-839522115-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\1\0\1\2
HKU\S-1-5-21-2025429265-839522115-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\37
HKU\S-1-5-21-2025429265-839522115-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\37\Shell
----------------------------------Values added:14----------------------------------
HKLM\SYSTEM\ControlSet001\Services\c697803\Type: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\c697803\Start: 0x00000003
HKLM\SYSTEM\ControlSet001\Services\c697803\ImagePath: "\systemroot\58222860:4086728700.exe"
HKLM\SYSTEM\CurrentControlSet\Services\c697803\Type: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\c697803\Start: 0x00000003
HKLM\SYSTEM\CurrentControlSet\Services\c697803\ImagePath: "\systemroot\58222860:4086728700.exe"
HKU\S-1-5-21-2025429265-839522115-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\1\0\1\2: 4E 00 31 00 00 00 00 00 5E 3F A2 56 13 00 52 65 63 65 6E 74 00 00 38 00 03 00 04 00 EF BE 5E 3F 0B 52 5E 3F 39 87 14 00 22 00 52 00 65 00 63 00 65 00 6E 00 74 00 00 00 40 73 68 65 6C 6C 33 32 2E 64 6C 6C 2C 2D 31 32 36 39 31 00 16 00 00 00
HKU\S-1-5-21-2025429265-839522115-682003330-1003\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "C:\Documents and Settings\test\Local Settings\Application Data\0c697803\X"
The entries created by a zeroaccess infection are given below .The zeroccess configures a service as an autostart (Highlighted)which can be used to target it like a regular virus, instead of the kernel mode rootkit it is. The next step is determining the infected driver and finding a replacement. This can be sone by using a scanning tool such as GMER and TDSSKILLER (Please do not use these tools to remove the virus as it is against policy). Once the infected driver is determined we can replace it using a clean copy from either another location within the PC or elsewhere.
1: Delete the service from the list at HKLM\SYSTEM\ControlSet001\Services\
2: Delete the process file located at the %systemroot%( its usually numbered and the process can be viewed easily.)
3: Delete the file and it autstart from HKU\SID\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Where SID can be \S-1-5-21-2025429265-839522115-682003330-1003 or similar.
Delete the file listed in the autostart given above : its usually in the %appdata% folder and will need to be deleted forcefully.
Restart the computer and perform a full scan, you should be clean of zeroacces
Regshot 1.8.2
Comments:
Datetime:2011/10/30 17:57:17 , 2011/10/30 17:59:49
Computer:TAU-863929E6041 , TAU-863929E6041
Username:test , test
---------------------------------Keys added:5----------------------------------
HKLM\SYSTEM\ControlSet001\Services\c697803
HKLM\SYSTEM\CurrentControlSet\Services\c697803
HKU\S-1-5-21-2025429265-839522115-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\1\0\1\2
HKU\S-1-5-21-2025429265-839522115-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\37
HKU\S-1-5-21-2025429265-839522115-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\37\Shell
----------------------------------Values added:14----------------------------------
HKLM\SYSTEM\ControlSet001\Services\c697803\Type: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\c697803\Start: 0x00000003
HKLM\SYSTEM\ControlSet001\Services\c697803\ImagePath: "\systemroot\58222860:4086728700.exe"
HKLM\SYSTEM\CurrentControlSet\Services\c697803\Type: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\c697803\Start: 0x00000003
HKLM\SYSTEM\CurrentControlSet\Services\c697803\ImagePath: "\systemroot\58222860:4086728700.exe"
HKU\S-1-5-21-2025429265-839522115-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\1\0\1\2: 4E 00 31 00 00 00 00 00 5E 3F A2 56 13 00 52 65 63 65 6E 74 00 00 38 00 03 00 04 00 EF BE 5E 3F 0B 52 5E 3F 39 87 14 00 22 00 52 00 65 00 63 00 65 00 6E 00 74 00 00 00 40 73 68 65 6C 6C 33 32 2E 64 6C 6C 2C 2D 31 32 36 39 31 00 16 00 00 00
HKU\S-1-5-21-2025429265-839522115-682003330-1003\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "C:\Documents and Settings\test\Local Settings\Application Data\0c697803\X"
No comments:
Post a Comment