Note that one of the traits of this variation is that whenever I try to run a .exe program, a dialog box appears asking which program I would like to open the .exe program with. (It treats these programs like files.) I am able to fix this much of the problem by copying a clean EXE.reg from a DVD to the desktop and merging it.
Merged the EXE.reg file. Ran a Full Scan with Norton AntiVirus. It found a misleading application and several viruses, including FakeAVCloud, Trojan.Gen.2 (I think) and Trojan.Backdoor. Those were removed, but Trojan.ZeroAccess.B could not be removed. Set up an internet connection to get advice. Downloaded Norton Power Eraser to the computer and ran it. I clicked Accept, Scan, and Include Rootkit Scan, in that order, the last of which requires a restart. However, upon reboot Windows failed to start up and had to go to Startup Repair. Startup Repair used System Restore to fix the machine, but once it finished rebooting, the virus was restored. Internet connection settings were lost and EXE.reg was not on the desktop.
Was able to run some of the .exe programs, but not all of them, for some odd reason. Fake AV software "Win 7 Security 2012" is appearing with pop-ups. Notifications of ping.exe using up a lot of CPU resources appeared twice during this next attempt. Was able to open Norton AntiVirus, but it had to be updated. Set up an internet connection again and updated Norton. Ran a Full Scan again. The malware found is mostly the same. Trojan.ZeroAccess.B still persists. Ran NPE again (which was still among the downloaded files, odd considering other downloads were missing). Again clicked Accept, Scan, and Include Rootkit Scan. This time the restart was successful. NPE found three malicious files, including consrv.dll. (I would look in the log to get their exact filenames, but the damn thing writes them as .xml files and the data is hard to read.) The computer restarted again, but went back to the Startup Repair screen. This time it had to go through the same repair process twice. Upon successful restart, the Internet connection settings are saved, and the fake AntiVirus and ping.exe notifications are gone. However, all .exe files bring up the "Open With" dialog box again. Merged the EXE.reg file again. Opened and updated Norton. Ran a Full Scan. Mostly the same viruses again, including Trojan.ZeroAccess.B. Shut down for now.
Used another computer to search for possible solutions. Came across this: http://www.precisesecurity.com/trojan/trojan-zeroaccess-b
Booted up the laptop, had to go through the same Startup Repair process once again. Merged EXE.reg again. Following the instructions, opened and updated Norton. This time I shut down without scanning, then booted into Safe Mode with Networking. Everything started fine. Opened up Norton and ran a full scan. Mostly the same risks again, though this time three Heuristic Viruses were also found, two of which were partially infected .cab files, a Data1 and one other (can't recall the name). Deleted both of the infected files, leaving only ZeroAccess.B. Opened NPE again, clicked Accept, Scan, and this time Exclude Rootkit Scan. Nothing was found after the scan, however. Tried again with Include Rootkit Scan, thinking Safe Mode might make it work. The laptop restarted, only to once again enter Startup Repair, forcing me to use System Restore's data to reset it again. Shut down after a successful boot.
Sought help at the same information source. (That's me in the comments, right there.) Taking the advice, repeated the same steps as in attempt 3 until opening NPE, at which point I waited for it to update, but it never happened. Clicked Accept, Scan, Exclude Rootkit Scan. Nothing was found. Downloaded TDSSKiller onto the laptop. Ran and scanned twice, once as is and once with all parameters checked. Both times nothing was found. Laptop is currently sleeping.
As you can see, this rootkit is extremely resilient. I am here because I need expert help eliminating this bug. Any help is deeply appreciated.
Edited by LavosKiller, 13 January 2012 - 01:53 PM.
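Editor's added example, not part of the original post or of any tool named in it: a read-only PowerShell triage script for the two symptoms the poster describes, the .exe "Open With" breakage (which is what merging EXE.reg repairs) and the consrv.dll detection. It compares the .exe file-association keys and the Win32 subsystem server-DLL list against the Windows 7 defaults and reports anything else, changing nothing. The expected strings are the stock Windows 7 values; the claim that a clean machine has no consrv.dll in System32 is the editor's, not the page's. Run it from an elevated prompt, preferably in Safe Mode: a kernel-mode rootkit that is still running can hide registry values and files from checks made on the live system, so a clean result here is not proof of a clean machine.

```powershell
# Added read-only triage script (editor's example, not from the original thread).
# Checks the registry locations behind the .exe "Open With" symptom and the consrv.dll
# finding. Expected values are the Windows 7 defaults. Reports only; modifies nothing.

$findings = @()

# 1. Machine-wide .exe association: default ProgID is "exefile".
$exeKey = 'HKLM:\SOFTWARE\Classes\.exe'
$progId = (Get-ItemProperty -Path $exeKey -ErrorAction SilentlyContinue).'(default)'
if ($progId -ne 'exefile') {
    $findings += "HKLM\SOFTWARE\Classes\.exe default is '$progId' (expected 'exefile')"
}

# 2. Per-user override takes precedence over the machine-wide key, so check it too.
#    A clean profile normally has no UserChoice subkey for .exe at all.
$userExe = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\UserChoice'
if (Test-Path $userExe) {
    $choice = (Get-ItemProperty -Path $userExe).ProgId
    $findings += "Per-user .exe UserChoice present, ProgId '$choice' (normally absent)"
}

# 3. The command Explorer runs for an exefile: the default is "%1" %* (run the file as-is).
#    Anything else means every .exe launch is routed through some other program first.
$cmdKey = 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command'
$cmd = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
if ($cmd -ne '"%1" %*') {
    $findings += "exefile\shell\open\command is '$cmd' (expected '`"%1`" %*')"
}

# 4. Win32 subsystem server DLLs loaded by csrss.exe. The clean Windows 7 value names
#    winsrv for both UserServerDllInitialization and ConServerDllInitialization; a
#    "ServerDll=consrv:..." entry means consrv.dll is loaded at boot in its place.
$subKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems'
$windows = (Get-ItemProperty -Path $subKey -ErrorAction SilentlyContinue).Windows
if ($windows -match 'ServerDll=consrv') {
    $findings += "SubSystems\Windows references consrv: $windows"
}

# 5. The DLL itself. Editor's assumption: a stock Windows 7 System32 has no consrv.dll.
$consrv = Join-Path $env:SystemRoot 'System32\consrv.dll'
if (Test-Path $consrv) {
    $item = Get-Item $consrv -Force
    $findings += "$consrv exists ($($item.Length) bytes, written $($item.LastWriteTime))"
}

if ($findings.Count -eq 0) {
    'No anomalies found in the checked locations (remember a live rootkit can hide them).'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

If the script reports a consrv entry in the SubSystems value, that is the piece the Startup Repair / System Restore cycle described above keeps putting back, since the restore point was taken while the machine was already infected; cleaning it requires editing that value and removing the DLL from an environment where the rootkit is not running (offline or Safe Mode), then rebooting, rather than relying on a restore point.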