ZeroAccess Malware Removal prompts new D7 features!

October 13, 2011 Posted by Nick d7x (PC Technician Software), Malware Info & Alerts, Tech (for IT Pros) No Comments

D7 v4.6.4 now includes special methods related to deleting the reparse point created by this malware on the Tweaks tab > NTFS Junctions. The new function is “Destroy Junction” which will be able to delete the junction point on top of the directory where the malware hides, allowing you to then delete that directory.

Haven’t seen this malware before?

I’m talking about what some call “zeroaccess” and it can be easily identified because you will have a visible running process hides in an alternate data stream; it will look like a string of random numbers, followed by a colon, and another string of numbers. E.g. 123587654:12987432.exe

OTHER SYMPTOMS:

It IS accompanied by legitimate yet infected system drivers – the driver it infects is random.
Any app that attempts to terminate/disinfect the malware (or scan it’s registry locations) will be terminated, including D7/KillEmAll L
It also removes default ACL entriescausing several issues:

o Anti-virus software fails when it doesn’t have permission to execute!

o It seems to do this also to any app that tries to terminate/disinfect or scan it’s registry locations.

o Plus, it must do it in other areas, because after removing this malware on some systems, you won’t be able to install/uninstall apps that use the Windows installer service –

§ Msiexec will fail with error 2203.

§ Microsoft Security Essentials installation will fail with the same underlying issue, but produce error code 0x80070643.

So here’s my removal procedure for now…

Fire up D7, click the D7 menu > IFEO Modifier.

Find and select this executable in the drop down list. (e.g. 123587654:12987432.exe)
Hit the CREATE button.
Now it won’t be able to execute itself and stop you from standard removal.

DO NOT DELETE THE MALWARE YET. SIMPLY REBOOT THE PC.

(When the PC reboots you’ll note the malicious EXE is no longer running.)

Use TDSSKiller and cure anything it finds.

Alternately, there are a few specific tools for this that may be useful to add to your flash drive:

I have not yet used them, but note that neither tool does step 7 below, so don’t skip that final step!
http://anywhere.webrootcloudav.com/antizeroaccess.exe

REBOOT AGAIN.

Now would be a good time to FIXMBR. Just in case a new variant also decides to start infecting the MBR… currently this step isn’t necessary however.

Open D7, goto Tweaks tab > NTFS Junctions. Scan the Windows directory.

When found, you should see one junction probably named $NtUninstallKB32069$
Highlight the directory, click Destroy Junction. When prompted, delete the directory underneath – unless you wish to visually inspect it. Now the malware is really gone.

Follow up with the usual scans as if it were a normal infection.

Don’t forget to delete the random numbers directory containing the ADS in %windir% (e.g. 123587654)

Run the Repair Permissions function on D7’s malware or repair tab.

This fixes all of the ACL problems caused by the malware, should fix the antivirus (confirm it), and also MSSE installation or any other Installer error 2203’s that would otherwise occur.

Hopefully this will get you all fixed up and malware free.

No Comments

About Nick

Founder and Developer - After over a dozen years "in the trenches" as a computer repair technician specializing in malware removal, I came to focus on a software development hobby. Initially I created tools to assist technicians like myself with the inefficient, repetitive, and mundane tasks PC techs face daily, in order to provide a far more efficient means of getting the job done. Later came an interest in using my development skills and tech experience for prevention of malware...

ZeroAccess Malware Removal prompts new D7 features!

About Nick

Leave a ReplyCancel reply

Latest News

Subscribe to Blog via Email

FixIT Computers

Marcin from Ireland

Richard Ketchel

Vai Walker

Dustin Davis