Over the past four days I, on and off, had to look at my kids' computer. The basic symptoms were “every time I search for something in Google I get redirected to another site” and then it moved on to “the internet is not working…at all”. When I first looked at it I noticed a strange-looking executable named “2398764521:2143489.exe” or something like that in Process Explorer. The colon is a clear sign this is not a normal process. I then searched the Windows registry and under services found the EXE under a folder named “2728” – once again…strange. I attempted a few things first: removing the entries, rebooting, and seeing if the EXE would disappear. I searched all start-up areas in the system and registry and cleaned them out…nothing seemed to work. I then did the same process in Safe Mode, to no avail: the virus was still there after a standard launch.
I then searched and searched and finally found this article. The symptoms were identical; was this the ZeroAccess virus? I downloaded the tool, TDSSKiller, to see if it could remove the virus. I had to download it on another computer, as the kids' computer could not access the internet with any of the three installed browsers. I then copied the tool over to a USB stick and renamed it to a “.com” file as directed in the article.
The tool found three variations of ZeroAccess on the computer and cleaned them up. I was shocked at how easy the tool was to use, and it looks like everything is fine now. I just had to blog about this and share the experience.