In fact, it practically removed every trace of ZeroAccess minus 2-3 dormant files. What really impressed me was that it was able to delete the heart of ZeroAccess, the $NtUninstallKBXXXXX$ folder.
I am posting my results from the scans and information I was able to gather.
I used a dropper from early March that plants fake system32 .DLLs whose version information carries the Company Name "Iomega".
More details about this specific variant are in a previous post of mine.
__________________________________________________________________________________
After injection, I verify that I will be redirected to abnow after searching for anything in Google.
In this example, I wanted to try to get to the MajorGeeks website via Google.
I am being redirected to abnow.
Next, I look for the bad service and its netsvcs data value using Autoruns.
Results are in the screenshot on the right:
Excerpt from yorkyt.exe.log
2012-03-15 17:16:39: Bad Service: system32\csctl50.dll
2012-03-15 17:16:39: Found Service: Packet
2012-03-15 17:16:39: Display Name: AFGMp50
2012-03-15 17:16:39: Description: New service would allow parents to control their children's online activity.
2012-03-15 17:16:39: ServiceDLL: %systemroot%\system32\csctl50.dll
2012-03-15 17:16:39: MD5: B89CFBE8CB247B57D8C10ADAA66B462B (VT)
__________________________________________________________________________________
Start disinfection using yorkyt.exe
Yes, reboot
The tool does not actually delete the service. Instead, it "breaks" the service by changing its ServiceDll value to a .DLL that does not exist.
This prevents the service from running or starting again.
For example, the tool changed the ServiceDll value of the Packet service from csctl50.dll to csctl50.dll.bad. See below:
After the 2nd reboot
Finished! Now let's verify.
No longer getting redirected :-)
__________________________________________________________________________________
MBAM |
Files Detected: 3
C:\WINDOWS\system32\csctl50.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\temp\{E9C1E1AC-C9B2-4c85-94DE-9C1518918D02}.tlb (Rootkit.Zeroaccess) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\temp\{E9C1E1AC-C9B2-4c85-94DE-9C1518918D02}.tlb (Rootkit.Zeroaccess) -> Quarantined and deleted successfully.
__________________________________________________________________________________
MGtools |
"C:\Documents and Settings\thisisu\Local Settings\Application Data\"
02E7ABF0 Mar 15 2012 "02e7abf0" -> Empty folder
__________________________________________________________________________________
OTL |
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\csctl50.dll.bad -- (Packet)
NetSvcs: Packet - %systemroot%\system32\csctl50.dll.bad File not found
It does not hurt to leave these broken entries, but I would recommend actually deleting both the non-functioning service and its NetSvcs data value.
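To make the two checks above repeatable (the Autoruns hunt for a ServiceDll-hosted service in the netsvcs group, and the OTL-style spotting of an entry whose DLL no longer exists), here is an added PowerShell example. It is not part of the original post and not code from Panda's yorkyt.exe; it assumes an elevated PowerShell prompt on the affected Windows host, and the -Remove switch is an assumption added here for the cleanup the post recommends.

```powershell
# Added example (not from the original post or from yorkyt.exe).
# Enumerate every service in the netsvcs group, resolve its ServiceDll,
# report the same fields the yorkyt.exe log shows (display name, description,
# DLL path, MD5) and flag entries whose DLL is missing, e.g. csctl50.dll.bad.
# Run from an elevated PowerShell prompt. -Remove is an assumed switch that
# deletes an orphaned service and its netsvcs entry, as the post recommends.
param([switch]$Remove)

$svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$netsvcs    = (Get-ItemProperty -Path $svchostKey -Name 'netsvcs').netsvcs
$remaining  = @($netsvcs)   # copy we trim when -Remove deletes an entry

foreach ($name in $netsvcs) {
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    if (-not (Test-Path $svcKey)) { continue }   # group member without a service key

    $svc    = Get-ItemProperty -Path $svcKey
    $params = Get-ItemProperty -Path "$svcKey\Parameters" -ErrorAction SilentlyContinue
    $dll    = $params.ServiceDll
    if (-not $dll) { continue }                   # not a ServiceDll-hosted service

    # ServiceDll is REG_EXPAND_SZ: expand %SystemRoot% before testing the path
    $path   = [Environment]::ExpandEnvironmentVariables($dll)
    $exists = Test-Path -LiteralPath $path

    $record = [ordered]@{
        Service     = $name
        DisplayName = $svc.DisplayName
        Description = $svc.Description
        ServiceDll  = $path
        Exists      = $exists
        MD5         = $null
        Signature   = $null   # 'NotSigned' on a system32 DLL deserves a closer look
    }
    if ($exists) {
        $record.MD5       = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash
        $record.Signature = (Get-AuthenticodeSignature -LiteralPath $path).Status
    }
    [pscustomobject]$record

    # Orphaned entry: the service key survives but its DLL does not (the .bad rename)
    if (-not $exists -and $Remove) {
        Write-Host "Removing orphaned service '$name' and its netsvcs entry"
        Stop-Service -Name $name -ErrorAction SilentlyContinue
        sc.exe delete $name | Out-Null
        $remaining = @($remaining | Where-Object { $_ -ne $name })
        Set-ItemProperty -Path $svchostKey -Name 'netsvcs' -Value $remaining -Type MultiString
    }
}
```

Run it once without -Remove to review the table; a netsvcs member whose DLL sits in system32 with an unfamiliar display name and description, as the Packet/AFGMp50 entry above, is the pattern to compare against the Autoruns view, and an entry with Exists = False is the leftover that -Remove clears.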
__________________________________________________________________________________
Misc notes:
The entire contents of the $NtUninstallKBXXXXX$ folder were removed by Panda Security's yorkyt.exe. Impressive!
I have seen Fix ZeroAccess from Symantec removing the oak or iomega dll files (latest variant) on many computers. The latest TDSSKiller version has started detecting the service as Backdoor.Multi.ZAccess.gen.
I have not tested this tool. Deleting hidden partitions indeed looks impressive. Thanks for the update.