Mods, feel free to delete if you like ... but I recalled how knowledgeable many people were on this board during last year's MGoBlog malware mess, so I'm hoping to tap into MGoBlog's collective wisdom here...
So my home laptop has picked up the ZeroAccess rootkit trojan, which I've read is a nasty little bugger to remove. Feeling like an idiot, because I clicked on the trojan -- what pretended to be an Adobe Flash update -- even when part of my interior B.S. detector KNEW it was phony. Stupid is as stupid does... argh.
I need to get rid of this thing ASAP. Here's the rundown ... I'd appreciate any help/advice anyone can offer (my machine is a Gateway, running Vista and McAfee):
* Soon after making the fateful click on the trojan, I started getting numerous McAfee trojan removal popups (sometimes as often as every few seconds) saying something like "Trojan detected/removed, no further action required." Under "more," it listed ZeroAccess as the culprit.
* I ran a full McAfee scan, which detected & quarantined 2 items
* Then I downloaded and ran the McAfee rootkit remover -- it found nothing
* Then I downloaded Malwarebytes, ran the quick scan, which detected and removed two items, and then rebooted
* Alas, after reboot I still kept getting the same McAfee trojan popups. However, the rest of the machine seemed to be running normally -- I'm not getting redirected to any crazy websites, etc. But I'm keeping the laptop off for now as a precaution.
What should I do next? My computer skills are limited to the basics, although I can follow directions OK. I'm fairly certain I haven't eliminated this bugger, and want to make sure my computer's clean before getting back online and doing anything like paying bills, etc.
* I dug up some very thorough ZeroAccess/Sirefef rootkit removal guides, like this one. (e.g., run a Kaspersky rescue disk reboot, then run a bunch of malware scanners like Rkill, Malwarebytes, and Emsisoft Emergency Kit, and then follow a few more steps at the end to remove any residual damage from the rootkit -- check DNS settings, HOSTS file, and run the Tweaking.com Windows Repair tool.)
It looks tedious and time-consuming to this layman, but I'm willing to do it, if it means I'll have a clean machine at the end. But how confident can I be that I've removed the rootkit completely?
* Another option I've read about is doing a system restore, via the Command prompt. (i.e., rstrui.exe) But doesn't a rootkit have the ability to survive that?
* That leads me to wonder if the only way I can truly be sure I've got a clean computer is to wipe/reformat my hard drive and reinstall the factory settings from the Gateway recovery partition. (The partition allows me to reformat and reinstall factory settings/programs without original disks, right? I'm not even sure the laptop came with any disks, and if it did, hell if I know where they are, since I bought the thing 4-5 years ago...)
How much of a pain will this be? If I back up non-execute/system files (personal files, docs, photos, music, etc that I want to keep) onto disks/external drives before I do the reformat/reinstall, could those still be infected w/the rootkit when I copy them back onto the (presumably) clean computer? Or does a rootkit just mess around with system/.exe type files?
Again, I appreciate any help anyone on the board can offer!
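On the last question (whether backed-up personal files can carry something back onto a freshly reinstalled machine), here is an added example, not from the original post: a small Python audit you can run over a backup folder before restoring it. It flags files by an assumed list of Windows-executable extensions and, more usefully, files whose content starts with the "MZ" header that every Windows EXE/DLL/SYS begins with, even when they have been renamed to look like a photo or document. The sample backup it builds is constructed for the demo.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Extensions Windows will run directly or that carry script content.
# This list is an assumption for the example, not an exhaustive one.
RISKY_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".com", ".pif", ".msi",
                    ".bat", ".cmd", ".vbs", ".js", ".jse", ".wsf", ".hta", ".lnk"}
PE_MAGIC = b"MZ"  # first two bytes of every Windows PE executable


def classify_file(path: Path) -> Optional[str]:
    """Return a reason the file should not be restored blindly, or None if it looks inert."""
    ext = path.suffix.lower()
    if ext in RISKY_EXTENSIONS:
        return f"executable/script extension {ext}"
    try:
        with open(path, "rb") as f:
            head = f.read(len(PE_MAGIC))
    except OSError as exc:
        return f"unreadable ({exc.strerror})"
    # A 'photo' or 'document' that begins with MZ is an executable in disguise.
    if head == PE_MAGIC:
        return "PE header (MZ) under a non-executable extension"
    return None


def audit_backup(root: Path) -> Dict[str, str]:
    """Walk the backup tree; map each flagged file (posix-style relative path) to the reason."""
    flagged: Dict[str, str] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            reason = classify_file(p)
            if reason:
                flagged[p.relative_to(root).as_posix()] = reason
    return flagged


def build_sample_backup() -> Path:
    """Constructed sample: a real-looking JPEG, a text note, a renamed dropper, and a script."""
    root = Path(tempfile.mkdtemp(prefix="backup_"))
    (root / "photos").mkdir()
    (root / "docs").mkdir()
    (root / "photos" / "vacation.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 16)
    (root / "docs" / "taxes.txt").write_text("2012 return notes\n")
    (root / "photos" / "flash_update.jpg").write_bytes(b"MZ\x90\x00" + b"\x00" * 16)  # renamed EXE
    (root / "docs" / "setup.vbs").write_text('WScript.Echo "hi"\n')
    return root


if __name__ == "__main__":
    for rel, why in sorted(audit_backup(build_sample_backup()).items()):
        print(f"{rel}: {why}")
```

This only catches executable content; a booby-trapped document or media file would pass, so still scan the restored files with an up-to-date scanner on the clean machine before opening them.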