Go Back   City-Data Forum > General Forums > Science and Technology > Computers
Old 11-01-2011, 01:24 AM
 
Location: Silicon Valley
3,683 posts, read 9,861,803 times
Reputation: 3016


My neighbor's PC is infected with ZeroAccess rootkit, probably a very recent variant. I'm guessing his visiting mother-in-law downloaded and installed something to infect the system. I had installed Microsoft Security Essentials for him back in June, and it should have been automatically updating itself, but it wasn't able to prevent the infection.

I initially tried Malwarebytes and ComboFix while running in safe mode, but those were unsuccessful in removing the infection. In fact, the rootkit was able to disable Malwarebytes shortly after it was installed, even while in safe mode, preventing it from being run a second time (I could always run it immediately after installation, but not a second time, so online updates were impossible; I had to do an offline manual update). If you are familiar with how deeply this rootkit infects multiple system files, this should not be a surprise.

After a little further research on this rootkit, I'm considering the following for the next step:

1) Webroot AntiZeroAccess Tool
2) Kaspersky Rescue Disk 10
3) Kaspersky TDSSKiller

Any suggestion on which of those three is the most likely to be successful? This is by far the nastiest infection I've ever seen, and proving to be surprisingly difficult to remove. It's so good at avoiding detection and preventing removal that I'm thinking anything that requires Windows to be running (meaning 1 and 3) might not be able to remove it. But I don't know if Kaspersky Rescue Disk 10 can remove the ZeroAccess rootkit.

I've read that when a system is infected with the ZeroAccess rootkit, System Restore cannot be used to roll back the system to its pre-infection state. I don't know if it's because the rootkit hooks into the drivers and detects the restore, or because the rootkit just prevents System Restore from working.

 
Old 11-01-2011, 05:35 AM
 
7,372 posts, read 14,679,772 times
Reputation: 7045
Don't know if this works, but I saw this:

Infected with rootkit.zero access in TCP/IP - Combo fix says so
 
Old 11-01-2011, 06:20 AM
 
Location: Concord, NC
1,241 posts, read 2,322,260 times
Reputation: 844
I used #3 recently to help out a user with rootkit.Win32.pmax.gen.
 
Old 11-01-2011, 05:29 PM
 
10,926 posts, read 21,997,495 times
Reputation: 10569
It's been a few weeks since I had that one in my shop. IIRC I ran Kaspersky TDSSKiller, rebooted, then ComboFix, then Malwarebytes. Also IIRC, after the cleanup you'll no longer have internet/network access due to the removed infected DLL, at which point you need a Windows installation CD (not a mfg recovery CD) and run "sfc /scannow" to replace all missing/altered system files. I may have also run the Kaspersky rescue disk but I can't recall; I find it works very well on a number of infections, you just have to fix the damage done by the infection afterwards.
 
Old 11-01-2011, 10:39 PM
 
Location: Silicon Valley
3,683 posts, read 9,861,803 times
Reputation: 3016
It turns out that ComboFix actually did clean everything off the system; it was just that so many things were broken that I thought the system was still infected. Windows Update, MS Security Essentials, and System Restore are all non-functional. I believe most of the damage is from ACLs being placed on files. I'm going to fix the ACLs (possibly using a tool called D7 that seems to have a lot of uses in cleaning up damage caused by malware) and, if I can get System Restore to work, consider restoring the system to a date before the problems started (and cross my fingers that the system really was clean on that date).
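The last two posts describe the usual aftermath of this cleanup: core services (Windows Update, Security Essentials, System Restore) left non-functional and Deny ACLs stamped onto system files. The script below is an added example, not code from the thread and not part of ComboFix, D7 or any other tool named here. It audits both symptoms from an elevated PowerShell prompt and, with a switch, strips the explicit Deny entries after saving each file's original security descriptor. The service names, the directories scanned and the `-RemoveDenyAces` switch are assumptions for a Windows 7-era machine.

```powershell
<#
  Added example (not from the thread or any tool it names).
  Audits post-cleanup damage of the kind described above:
    1. state of the services behind Windows Update, Microsoft Security
       Essentials and System Restore (service names are assumptions), and
    2. explicit (non-inherited) Deny ACEs on files under the system
       directories, the ACL change that breaks those components.
  With -RemoveDenyAces the original SDDL of each affected file is written
  to a backup file before the Deny entries are removed.
#>
[CmdletBinding()]
param(
    [string[]]$Paths = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64"),
    [switch]$RemoveDenyAces
)

# --- 1. Service check ----------------------------------------------------
# wuauserv/BITS: Windows Update; MsMpSvc: Security Essentials; VSS/swprv: System Restore
$serviceNames = 'wuauserv', 'BITS', 'MsMpSvc', 'VSS', 'swprv'
foreach ($name in $serviceNames) {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if ($svc -eq $null) {
        Write-Warning "Service $name is missing entirely"
        continue
    }
    # A core service left Disabled after cleanup is a sign of leftover damage.
    New-Object PSObject -Property @{
        Service   = $name
        State     = $svc.State
        StartMode = $svc.StartMode
    } | Select-Object Service, State, StartMode
}

# --- 2. Explicit Deny ACE scan ------------------------------------------
$backup = Join-Path $env:TEMP ('acl-backup-{0}.txt' -f (Get-Date -Format 'yyyyMMdd-HHmmss'))
$found = 0
foreach ($root in $Paths) {
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
      Where-Object { -not $_.PSIsContainer } |
      ForEach-Object {
        $file = $_.FullName
        $acl = Get-Acl -Path $file -ErrorAction SilentlyContinue
        if ($acl -eq $null) { return }   # unreadable; skip this file
        # Only explicit Deny entries: inherited ones come from the parent folder.
        $denies = @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited })
        if ($denies.Count -eq 0) { return }
        $found++
        foreach ($d in $denies) {
            New-Object PSObject -Property @{
                File     = $file
                Identity = $d.IdentityReference.Value
                Rights   = $d.FileSystemRights.ToString()
            } | Select-Object File, Identity, Rights
        }
        if ($RemoveDenyAces) {
            # Keep the original descriptor so the change can be reversed by hand.
            "$file`t$($acl.Sddl)" | Add-Content -Path $backup
            foreach ($d in $denies) { [void]$acl.RemoveAccessRule($d) }
            try   { Set-Acl -Path $file -AclObject $acl }
            catch { Write-Warning "Could not rewrite ACL on ${file}: $_" }
        }
    }
}
Write-Host "Files with explicit Deny ACEs: $found"
if ($RemoveDenyAces -and $found -gt 0) { Write-Host "Original SDDLs saved to $backup" }
```

Run it once without the switch to see what is reported, then with `-RemoveDenyAces` if the entries are clearly not legitimate. Removing the Deny entries only undoes the ACL damage; system files the infection replaced or altered still need the `sfc /scannow` step described in the earlier reply, and `Set-Acl` will fail (with a warning here) on files whose owner was changed, which then have to be taken over first.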