Removing the ZeroAccess rootkit virus

Over the past four days I, on and off, had to look at my kids' computer. The basic symptoms were “every time I search for something in Google I get redirected to another site” and then it moved on to “the internet is not working…at all”. When I first looked at it I noticed a strange-looking executable named “2398764521:2143489.exe” or something like that in the process explorer. The colon is a clear sign this is not a normal process. I then searched the Windows registry and under services found the EXE under a folder named “2728” – once again…strange. I attempted a few things first: removing the entries, rebooting, and seeing if the EXE would disappear. I searched all startup areas in the system and registry and cleaned them out…nothing seemed to work. I then did the same process in Safe Mode – to no avail; the virus was still there after a standard launch.

I then searched and searched and finally found this article. The symptoms were identical; was this the ZeroAccess virus? I downloaded the tool, TDSSKiller, to see if it could remove the virus. I had to download it on another computer as the kids' computer could not access the internet with any of the three installed browsers. I then copied the tool over to a USB stick and renamed it to a “.com” file as directed in the article.

The tool found three variations of ZeroAccess on the computer and cleaned them up. I was shocked how easy the tool was to use and it looks like everything is fine now. I just had to blog about this and share the experience.


2 thoughts on “Removing the ZeroAccess rootkit virus”

  1. I too have found four rootkit problems on this PC. I used to have a slave hard drive in the PC which suddenly stopped working, and every time on boot up I had to press the F1 key to boot into Windows. It told me in the boot up that the PC had a slave hard drive failure. I think that the rootkit virus has damaged the hard drive, is this correct?
    Do let me know ASAP.
