Rootkit ZAccess.g

Hi Guys,

My friend's computer was acting weird, and we found that it's infected with the ZeroAccess rootkit "g" variant. TDSSKiller detected the infection, but for some reason it couldn't remove it. Other tools/scanning programs get terminated once they start the scan. Not able to run aswMBR.exe or other ZeroAccess removal tools; any idea how to remove it completely?
Task Manager reveals a process 123456465:132131354.exe running under the SYSTEM account. We found a service under HKLM\SYSTEM\CCS\services which points to the same exe file. Even though we deleted that service and the image file, it gets recreated on the next reboot cycle.

Cheers.

Hi, could I have a look at the system first, as I will need to know the driver name and the file name.

Download OTL to your Desktop

[*]Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
[*]Select All Users
[*]Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
C:\Windows\assembly\tmp\U*.* /s
CREATERESTOREPOINT

[*]Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
[*]When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Post both logs

Crude,

The ZeroAccess rootkit modifies the ACLs, and scanning tools/antivirus fail to get permissions to remove the infection. So here is the workaround that you can try:

For XP systems:

Run SubInACL. This will modify the registry permissions and Access Control Lists.

It can be downloaded from the following link: runsub.notlong.com

After running this tool, please do a restart.

Then download and run the Webroot AntiZeroAccess tool from the following link:

http://anywhere.webrootcloudav.com/antizeroaccess.exe

Follow the prompts and reboot the PC.

After that, please run TDSSKiller (http://support.kaspersky.com/downloads/utils/tdsskiller.exe) and reply with the scan log.

Thanks,
Good karma
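The thread above describes two indicators worth checking on a suspect machine: a service whose ImagePath points at an oddly named executable (the numeric name with a colon in it, which is NTFS alternate data stream syntax), and service registry keys whose ACLs have been altered so that tools cannot read or remove them. The following PowerShell script is an added example, not code from the thread or from any of the tools it mentions; it walks the services key and reports entries that match either indicator. It assumes Windows PowerShell 5.x run from an elevated prompt; the name `Get-SuspiciousServiceImage` is my own.

```powershell
# Added example: flag services whose image name or key ACL looks tampered with.
# Assumes an elevated Windows PowerShell 5.x session.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-SuspiciousServiceImage {
    foreach ($key in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
        # Services without an ImagePath (groups, some drivers) are skipped.
        try {
            $imagePath = (Get-ItemProperty -Path $key.PSPath -Name ImagePath -ErrorAction Stop).ImagePath
        } catch { continue }
        if (-not $imagePath) { continue }

        # Reduce "C:\path\x.exe -k args" or "\"C:\path with spaces\x.exe\" args" to the executable.
        if ($imagePath -match '^"([^"]+)"') {
            $exe = $Matches[1]
        } else {
            $exe = ($imagePath -split '\s+(?=[-/])')[0].Trim()
        }
        $exe  = [Environment]::ExpandEnvironmentVariables($exe)
        $name = $exe.Substring($exe.LastIndexOf('\') + 1)   # plain string op, path need not exist
        $findings = @()

        # A colon inside the file name (past the drive letter) is NTFS alternate data stream syntax.
        if ($name -match ':') { $findings += 'colon (ADS) in image file name' }
        # Image names made only of digits/colons, like the 123456465:132131354.exe seen above.
        if ($name -match '^[\d:]+\.exe$') { $findings += 'purely numeric image file name' }

        # Deny ACEs on the service key, or a key whose ACL cannot be read at all, are both unusual.
        try {
            $acl  = Get-Acl -Path $key.PSPath -ErrorAction Stop
            $deny = $acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' }
            if ($deny) { $findings += 'Deny ACE present on service key' }
        } catch {
            $findings += 'service key ACL not readable'
        }

        if ($findings.Count -gt 0) {
            [PSCustomObject]@{
                Service   = $key.PSChildName
                ImagePath = $imagePath
                Findings  = ($findings -join '; ')
            }
        }
    }
}

Get-SuspiciousServiceImage | Format-Table -AutoSize
```

Hits only tell you where to look next; confirm a flagged entry against the OTL or TDSSKiller log before acting on it, since a legitimate driver can also carry a restrictive ACL.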

Thanks iyogisoultions for the reply. It worked for me. I was able to kill the process and TDSSKiller removed it for me. But after the removal, I tried to repair the Windows network stack and ended up with no internet. Winsock2 got damaged; I had to reinstall Winsock to get the internet back.

cheers.