Posted 31 March 2012 - 08:26 PM
Note: I am running Windows XP SP3
Yesterday, I started getting a warning message from Microsoft Security Essentials that my computer was at risk. I would click the “Clean Computer” button and it would go away. Then I started getting pop-ups telling me that my system was under attack (not sure of the exact phrasing). These would not go away, although I was still able to use my system and the internet.
I tried to run MalwareBytes under these conditions, which was unsuccessful. So I rebooted in Safe Mode, uninstalled MalwareBytes and ran mbam-clean, and then reinstalled MalwareBytes and ran a quick scan which found several things which I removed.
Then I rebooted in safe mode, ran Rkill, then updated MalwareBytes and ran a full scan, which found a few more things. Then I rebooted and then did another full scan which came back clean. The infection had hidden most of my files, so I used the unhide program to correct this.
I thought the issue was resolved, but I started getting redirects when clicking on Google search results, and I started getting the same warning message from Microsoft Security Essentials that my computer was at risk. Again, I would click the “Clean Computer” button and it would go away. A quick scan with MSE turned up nothing, but a full MSE scan turned up several things, mainly a Trojan Win32/Sirefef, which I understand is a ZeroAccess rootkit.
It removed these infections and the system seemed to be working fine, but when I would connect to the internet I started getting the MSE pop-ups again for the same ZeroAccess stuff. This would happen like clockwork every 15 minutes as long as I was connected to the internet. If I wasn’t connected to the internet then everything was seemingly fine.
MSE and Malwarebytes scans came back clean, except that when I was connected to the internet I would still get those MSE pop-ups, at which point I would clean my computer. The source of these infections was listed in MSE as Trojan:Win32/Sirefef.AC and Trojan:Win32/Sirefef.AH.
Again, these two infections would come back every 15 minutes as long as I was online. The source file was different each time, but was always located in the c:\windows\system32\ folder.
I tried Kaspersky TDSSKiller, but it didn’t find anything. Even though my computer seemed to be functioning normally aside from the frequent MSE warnings, I was getting frustrated at the thought of a lurking infection. So I decided to backup my files and run ComboFix.
ComboFix found the ZeroAccess rootkit and claimed to remove it. My system restarted just fine, but now I couldn’t connect to the internet, which seems to be pretty common after running ComboFix. After trying a variety of unsuccessful solutions to regain connectivity, I decided to run ComboFix again to make sure it had gotten the ZeroAccess. Apparently it hadn’t completely removed the infection the first time, as it found the ZeroAccess again.
When I rebooted I was still not able to get an internet connection despite trying a variety of solutions, so I ran ComboFix for a third time. It found the ZeroAccess infection again, but when I rebooted again I had the same connectivity issues, leading me to believe the ZeroAccess infection was still present.
As noted above, my only clue that the infection was present was the MSE warnings, which would come only when I was connected to the internet. Since ComboFix knocked out my internet connection I am no longer getting these warnings. Everything except the internet connection seems to be working fine, but I am concerned that the ZeroAccess infection is still present and will come back when I get the internet connection working again.
If it is helpful I can post logs of any of the above-mentioned scans. Any help you can provide is greatly appreciated!