OT- ZeroAccess rootkit trojan: Anyone with experience/advice on removing?
Mods, feel free to delete if you like ... but I recalled how knowledgeable many people were on this board during last year's MGoBlog malware mess, so I'm hoping to tap into MGoBlog's collective wisdom here...
So my home laptop has picked up the ZeroAccess rootkit trojan, which I've read is a nasty little bugger to remove. Feeling like an idiot, because I clicked on the trojan -- what pretended to be an Adobe Flash update -- even when part of my interior B.S. detector KNEW it was phony. Stupid is as stupid does... argh.
I need to get rid of this thing ASAP. Here's the rundown ... I'd appreciate any help/advice anyone can offer (my machine is a Gateway, running Vista and McAfee):
* Soon after making the fateful click on the trojan, I started getting numerous McAfee trojan removal popups (sometimes as often as every few seconds) saying something like "Trojan detected/removed, no further action required." Under "more," it listed ZeroAccess as the culprit.
* I ran a full McAfee scan, which detected & quarantined 2 items
* Then I downloaded and ran the McAfee rootkit remover -- it found nothing
* Then I downloaded Malwarebytes, ran the quick scan, which detected and removed two items, and then rebooted
* Alas, after reboot I still kept getting the same McAfee trojan popups. However, the rest of the machine seemed to be running normally -- I'm not getting redirected to any crazy websites, etc. But I'm keeping the laptop off for now as a precaution.
What should I do next? My computer skills are limited to the basics, although I can follow directions OK. I'm fairly certain I haven't eliminated this bugger, and want to make sure my computer's clean before getting back online and doing anything like paying bills, etc.
* I dug up some very thorough Zeroaccess/Sirefef rootkit removal guides, like this one. (e.g., run a Kapersky rescue disk reboot, then run a bunch of malware scanners like Rkill, Malwarebytes, and Emsisoft Emergency Kit, and then follow a few more steps at the end to remove any residual damage from the rootkit -- check DNS settings, HOSTs file, and run the Tweaking.com Windows Repair tool.)
It looks tedious and time-consuming to this layman, but I'm willing to do it, if it means I'll have a clean machine at the end. But how confident can I be that I've removed the rootkit completely?
* Another option I've read about is doing a system restore, via the Command prompt. (i.e., rstrui.exe) But doesn't a rootkit have the ability to survive that?
* That leads me to wonder if the only way I can truly be sure I've got a clean computer is to wipe/reformat my hard drive and reinstall the factory settings from the Gateway recovery partition. (The partition allows me to reformat and reinstall factory settings/programs without original disks, right? I'm not even sure the laptop came with any disks, and if it did, hell if know where they are, since I bought the thing 4-5 years ago...)
How much of a pain will this be? If I back up non-execute/system files (personal files, docs, photos, music, etc that I want to keep) onto disks/external drives before I do the reformat/reinstall, could those still be infected w/the rootkit when I copy them back onto the (presumably) clean computer? Or does a rootkit just mess around with system/.exe type files?
Again, I appreciate any help anyone on the board can offer!
I'd second the malwarebytes/combofix route. While "ghetto" in appearance as someone mentioned, combofix is an extremely effective tool. MB run in safe mode w/ networking (for definition update) can be useful if you follow it up with normal mode scans. I've found it usually works best to tackle these problems with a nice arsenal of tools at your disposal. Most of the aformentioned programs will work well for you. The only resource limiting you is time, and how much you're willing to dedicate to the task.
I'll also third/fourth/fifth the notion of getting rid of McAfee and using Microsoft Security Essentials. It's lightweight and unobtrusive, sort the far end of the pendulum swing from MS's User Account Control
That's the real issue for me, I think -- how much time do I want to devote to this, and what's the best use of my resources (time & money) to resolve the problem? I can see using one of these tech support forums to attempt a thorough clean-up, but that can take a while. Wiping/reformatting and starting fresh would give me more piece of mind knowing the rootkit is truly gone, but even that sounds a little daunting. A new laptop would be the quick and easy way, but I'm not sure I want to spend the money right now.
First World Problems, right? :-)
I used to fix mine, but I don't really remember how to, there are message boards that can help you step by step, I used forospyware.com but is in spanish.
There are tools like antimalwarebytes wich help a lot and some other that gives you the root directory, I remember one called bazooka, but it was when I had a pentium 4 computer with Windows xp so maybe that's too old now, you had to write down the directions and restart the computer in safe mode, then erase those files and directories, some needed additional software like killbox to be able to delate the files. Some other software like edowe (I think it was called that) was usefull to scan the computer and get the logs, people in those message boards read the logs and tell you what to erase or so, but after half a day I was able to remove red sheriff, a really nasty spyware very hard to remove as far as I know, perhaps backing up everything and reinstalling windows would be easier.
Download a USB Virus scanner such as Kaspersky to a USB drive, off another computer. Then boot up in safe mode, run the scanner, and hope that the virus is removed.
Talk about nuking above, but that's a last resort option in my opinion.
Also, this laptop is an utter piece of junk, the fan is actually blaring right now and making some irritating noise. I heard the ultrabooks are pretty nice, but they're pretty expensive compared to the other laptops I'm looking at in Newegg. It's about the same age as the OP's laptop, so I could use a new laptop that actually runs videos and surfs the internet without freezing!