
ZeroAccess Infection


#1 tonybaloney33


  • Members
  • 32 posts
  • Local time:11:33 AM

Posted 31 March 2012 - 08:26 PM

Note: I am running Windows XP SP3

Yesterday, I started getting a warning message from Microsoft Security Essentials that my computer was at risk. I would click the “Clean Computer” button and it would go away. Then I started getting pop-ups telling me that my system was under attack (not sure of the exact phrasing). These would not go away, although I was still able to use my system and the internet.

I tried to run MalwareBytes under these conditions, which was unsuccessful. So I rebooted in Safe Mode, uninstalled MalwareBytes and ran mbam-clean, and then reinstalled MalwareBytes and ran a quick scan which found several things which I removed.

Then I rebooted in safe mode, ran Rkill, then updated MalwareBytes and ran a full scan, which found a few more things. Then I rebooted and then did another full scan which came back clean. The infection had hidden most of my files, so I used the unhide program to correct this.

I thought the issue was resolved, but I started getting redirects when clicking on Google search results, and I started getting the same warning message from Microsoft Security Essentials that my computer was at risk. Again, I would click the “Clean Computer” button and it would go away. A quick scan with MSE turned up nothing, but a full MSE scan turned up several things, mainly a Trojan Win32/Sirefef, which I understand is a ZeroAccess rootkit.

It removed these infections and the system seemed to be working fine, but when I would connect to the internet I started getting the MSE pop-ups again for the same ZeroAccess stuff. This would happen like clockwork every 15 minutes as long as I was connected to the internet. If I wasn’t connected to the internet then everything was seemingly fine.

MSE and Malwarebytes scans came back clean, except for when I was connected to the internet I would still get those MSE pop-ups, at which point I would clean my computer. The source of these infections was listed in MSE as Trojan:Win32/Sirefef.AC and Trojan:Win32/Sirefef.AH.

Again, these two infections would come back every 15 minutes as long as I was online. The source file was different each time, but was always located in the c:\windows\system32\ folder.

I tried Kaspersky TDSSKiller, but it didn’t find anything. Even though my computer seemed to be functioning normally aside from the frequent MSE warnings, I was getting frustrated at the thought of a lurking infection. So I decided to backup my files and run ComboFix.

ComboFix found the ZeroAccess rootkit and claimed to remove it. My system restarted just fine, but now I couldn’t connect to the internet, which seems to be pretty common after running ComboFix. After trying a variety of unsuccessful solutions to regain connectivity, I decided to run ComboFix again to make sure it had gotten the ZeroAccess. Apparently it hadn’t completely removed the infection the first time, as it found the ZeroAccess again.

When I rebooted I was still not able to get an internet connection despite trying a variety of solutions, so I ran ComboFix for a third time. It found the ZeroAccess infection again, but when I rebooted again I had the same connectivity issues, leading me to believe the ZeroAccess infection was still present.

As noted above, my only clue that the infection was present was the MSE warnings, which would come only when I was connected to the internet. Since ComboFix knocked out my internet connection I am no longer getting these warnings. Everything except the internet connection seems to be working fine, but I am concerned that the ZeroAccess infection is still present and will come back when I get the internet connection working again.

If it is helpful I can post logs of any of the above-mentioned scans. Any help you can provide is greatly appreciated!
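The pattern described in the post above (the same detection family returning every 15 minutes, each time under a fresh file name in the same system folder) is a classic sign of an active dropper or downloader that the scanner keeps missing, rather than a stale leftover. The following script, added here as an illustration and not part of the BleepingComputer thread, correlates timestamped antivirus detection lines to surface exactly that re-infection loop. The log format, the `find_reinfection_loops` function and the sample lines are all constructed for this example; the file names are placeholders, not real ZeroAccess indicators.

```python
"""Correlate repeated AV detections to spot a persistent re-infection loop.

Added example, not from the BleepingComputer thread. Assumes a simple
log format "YYYY-MM-DD HH:MM:SS <detection name> <path>"; the sample
lines below are constructed and the file names are placeholders.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. The detection names echo the ones reported in the
# thread (Sirefef.AC / Sirefef.AH); the paths and file names are invented.
SAMPLE_LOG = """\
2012-03-30 20:00:00 Trojan:Win32/Sirefef.AC C:\\Windows\\System32\\sample_a.dll
2012-03-30 20:15:00 Trojan:Win32/Sirefef.AH C:\\Windows\\System32\\sample_b.dll
2012-03-30 20:30:00 Trojan:Win32/Sirefef.AC C:\\Windows\\System32\\sample_c.dll
2012-03-30 20:45:00 Trojan:Win32/Sirefef.AH C:\\Windows\\System32\\sample_d.dll
2012-03-30 21:10:00 Adware:Win32/Example C:\\Users\\user\\Downloads\\sample_e.exe
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (.+)$")


def parse_log(text):
    """Return a list of (timestamp, detection_name, path) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3)))
    return events


def family(detection_name):
    """'Trojan:Win32/Sirefef.AC' -> 'Sirefef' (drop type prefix and variant)."""
    name = detection_name.split("/")[-1]
    return name.split(".")[0]


def find_reinfection_loops(events, min_hits=3, max_gap=timedelta(minutes=30)):
    """Report detection families that recur at least min_hits times with no
    gap longer than max_gap between consecutive hits. For each, summarise how
    many distinct file names were involved, where they lived, the variants
    seen and the median interval, so an analyst can tell a rotating dropper
    from a single file that was simply quarantined once."""
    by_family = defaultdict(list)
    for ts, name, path in events:
        by_family[family(name)].append((ts, name, path))

    findings = {}
    for fam, hits in by_family.items():
        if len(hits) < min_hits:
            continue
        hits.sort()
        gaps = [b[0] - a[0] for a, b in zip(hits, hits[1:])]
        if any(g > max_gap for g in gaps):
            continue  # sporadic detections, not a tight loop
        dirs = {p.rsplit("\\", 1)[0].lower() for _, _, p in hits}
        files = {p.rsplit("\\", 1)[1].lower() for _, _, p in hits}
        findings[fam] = {
            "count": len(hits),
            "distinct_files": len(files),
            "directories": sorted(dirs),
            "in_system_dir": any(d.endswith("\\system32") for d in dirs),
            "variants": sorted({n for _, n, _ in hits}),
            "median_gap_minutes": statistics.median(
                g.total_seconds() / 60 for g in gaps
            ),
        }
    return findings


if __name__ == "__main__":
    for fam, info in find_reinfection_loops(parse_log(SAMPLE_LOG)).items():
        print(f"{fam}: {info['count']} hits, {info['distinct_files']} distinct "
              f"files in {info['directories']}, every ~{info['median_gap_minutes']:.0f} min, "
              f"system dir: {info['in_system_dir']}, variants: {info['variants']}")
```

On the constructed sample the Sirefef family is reported with four hits, four distinct file names in the system folder and a 15-minute median interval, while the single adware hit is ignored. In practice a finding like that is the cue to stop re-running the same on-demand scanner and instead collect the full diagnostic logs a malware-removal helper asks for, since the component that keeps writing new files has not been found yet.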



#2 Broni


    The Coolest BC Computer

  • BC Advisor
  • 42,769 posts
  • Gender:Male
  • Location:Daly City, CA
  • Local time:08:33 AM

Posted 31 March 2012 - 08:52 PM

Please follow the instructions in ==>This Guide<== starting at Step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==. Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE


#3 tonybaloney33

  • Topic Starter

  • Members
  • 32 posts
  • Local time:11:33 AM

Posted 01 April 2012 - 10:59 AM

I have completed the steps in the Guide and posted a new topic in Malware Removal: http://www.bleepingcomputer.com/forums/topic448415.html
