I work for a security company and was working on one of our customers' computers when I stumbled upon this interesting malware. I was remotely connected to a Windows 7 64-bit machine with 4GB of RAM. While I was running the removal process, I found and removed all known variants of ZeroAccess and the associated Run keys. After I was done, I ran HitmanPro to see if there was anything left. I got quite an interesting list. ZeroAccess has been removed and is no longer present on the computer, and the recycle bin has ceased to be corrupted. From what I can tell about the machine, there are no longer any malicious processes running, and the computer is now running normally. However, the antivirus software that we provide was freaking out and quarantining tons of other stuff as well. It quarantined and removed their printer drivers, and started quarantining some updates for programs such as Bing Desktop and the Google Updater. Not really looking for a removal guide, just input from other techs.
Our software also ended up quarantining the legitimate dllhost.exe out of the %systemroot% directory. Luckily, it restored with no issues... That could have been messy.
I did run the repairs associated with ZeroAccess (i.e. permissions, WMI, reset Winsock) and they all went through successfully. Everything is looking like the machine should be clean, but it is still showing those files as infected, and the AV on the computer is still spazzing about stuff it shouldn't worry about.
I'm not used to the forums here, so if I am posting in the wrong area, please forgive me and send me to the right place; I am just looking for some outside input.
Also, I do not have access to the machine, and these were pulled from my notes.
These are the files that were detected as malicious by HitmanPro and how it rated them.
Edited by T3chN0manc3r, 21 October 2013 - 10:42 PM.
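For other techs reading this: the post above describes a cleanup (Run keys, Winsock reset, WMI repair, a quarantined and restored dllhost.exe) without a way to confirm the machine's state afterwards. The script below is an added example, not the poster's script and not output from their machine; it is the post-cleanup verification pass I would run in an elevated PowerShell on a Windows 7 box after a ZeroAccess removal. The Run key list, the dllhost.exe path and the recycle-bin naming heuristic are assumptions made for illustration, and nothing here removes or changes anything: it only reports.

```powershell
# Post-cleanup verification for a ZeroAccess removal on Windows 7 x64.
# Added example (not the original poster's script). Run elevated.
# Written against PowerShell 2.0, which is what Windows 7 ships with.

# 1. Autostart entries: show what is still launched from the Run keys
#    (the three keys below are the usual ones on x64; an assumption, not a complete list)
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        $props.PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |   # drop PowerShell's own PS* metadata
            ForEach-Object { Write-Output ("RUN  {0} :: {1} = {2}" -f $key, $_.Name, $_.Value) }
    }
}

# 2. Integrity of the system binary the AV quarantined and restored.
#    sfc /verifyfile checks a single file against the protected-file catalog
#    and reports without replacing it, which is what we want here.
$dllhost = Join-Path $env:SystemRoot 'System32\dllhost.exe'
Write-Output "SFC  verifying $dllhost"
sfc /verifyfile=$dllhost

# 3. WMI repository consistency (the WMI repair in the post should leave this clean)
Write-Output "WMI  repository check"
winmgmt /verifyrepository

# 4. Winsock catalog after the reset: list provider descriptions so a
#    leftover third-party LSP stands out among the Microsoft defaults
Write-Output "WSK  Winsock catalog providers"
netsh winsock show catalog | Select-String 'Description'

# 5. Recycle-bin heuristic. Windows stores deleted items under
#    $Recycle.Bin\<SID>\ as $I<6 chars> / $R<6 chars> entries; anything else
#    in a per-SID bin is worth a look. This is an assumption used as a
#    heuristic, not a signature for any particular ZeroAccess variant.
$bin = Join-Path $env:SystemDrive '$Recycle.Bin'
Get-ChildItem -Path $bin -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object {
        $odd = Get-ChildItem -Path $_.FullName -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -notmatch '^\$[IR]' }
        if ($odd) {
            Write-Output ("BIN  unexpected entries under {0}: {1}" -f $_.FullName, (($odd | ForEach-Object { $_.Name }) -join ', '))
        }
    }
```

Steps 2 to 4 call the native tools directly, so their output is printed as those tools format it rather than parsed; the point is to have one pass that covers every repair the post mentions so the notes you keep afterwards are not just the AV's quarantine log. If step 5 reports anything, check whether it is a directory tree (deleted folders are stored as `$R` directories and will not be listed) before treating it as a remnant.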