As Easter approaches, so do new versions of different malware. One of the most annoying is the Zero Access Rootkit (you can read all about it here).
How does it manifest:
- You can locate a PING.exe CPU-draining process in your Task Manager; closing it will cause your Firewall to report port scans from multiple random IPs and the internet connection is lost. The "port scans" can also be a standalone symptom.
- Browser redirects.
- Windows Firewall Service and Base Filtering Engine are not shown in the services list.
- When trying to start Windows Firewall or Windows Defender you get a 0x80070424 error.
- Your AV detects parts of the Zero Access Rootkit but is unable to remove it, or to remove it completely.
How to remove it:
- NO restarts between steps, NO registry cleaners!
- Boot in Safe Mode with Networking.
- Download all tools and run them in this exact order:
- ATF Cleaner (deletes any malware from temp files and also decreases the time needed for the other scans).
- MBAM; run a full C:\ drive scan.
- TDSSKiller (as 0 Access and TDL/Alureon are similar).
- Combofix (reboot now).
Note: Other 0 Access removal tools are attached to this email, but they are all x86 only and not very effective (at least in the cases I have encountered).
After removal, it is possible that you'll lose your internet connectivity whilst in Normal mode.
- For the "The RPC Server is unavailable" error, check this post.
- For the "Limited or No Connectivity" status, run the netsh winsock reset and netsh int ip reset c:\resetlog.txt commands and, if the error persists, the fix above as well.
Note: you can use the "winsockfix" tool from the "Zero Access.zip" goodies bag.
In order to have a working Firewall, you need to enable the Base Filtering Engine as shown in this guide.
If the services refuse to start after reboot, check whether a service they depend on is the cause. If a Step 5 error message is shown, try this Microsoft Fixit tool.
Finally, uninstall and reinstall your Antivirus application.
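To make the symptom checks and the post-removal service recovery above repeatable, here is an added PowerShell triage script; it is my own illustration, not part of the original post or of any of the tools it mentions. The service names BFE, MpsSvc and WinDefend are the standard Windows names for the Base Filtering Engine, Windows Firewall and Windows Defender; the CPU-time threshold for PING.exe is an assumption, and the script only reports the process rather than killing it, since the post warns that closing it drops the connection.

```powershell
# Added triage script (not from the original post). Reports the Zero Access
# indicators described above and, with -Repair, restores the firewall service
# start types after removal. Run from an elevated prompt in Normal mode.
param(
    [switch]$Repair,                 # also reset BFE/MpsSvc start types and start them
    [int]$CpuSecondsThreshold = 60   # assumption: PING.exe above this CPU time is suspicious
)

$findings = @()

# 1. PING.exe draining CPU in Task Manager. Reported only, never terminated.
foreach ($p in (Get-Process -Name ping -ErrorAction SilentlyContinue)) {
    if ($p.CPU -gt $CpuSecondsThreshold) {
        $findings += "PING.exe PID $($p.Id) has used $([int]$p.CPU)s of CPU (path: $($p.Path))"
    }
}

# 2. Firewall / BFE / Defender missing from the service list. Error 0x80070424
#    is ERROR_SERVICE_DOES_NOT_EXIST: the service registration itself is gone,
#    which is why simply starting the service fails.
foreach ($svc in 'BFE', 'MpsSvc', 'WinDefend') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if (-not $s) {
        $findings += "Service $svc is not registered (starting it would give 0x80070424)"
    } elseif ($s.Status -ne 'Running') {
        $findings += "Service $svc exists but is $($s.Status)"
    }
}

if ($findings.Count -eq 0) { "No Zero Access indicators found." } else { $findings }

if ($Repair) {
    # Post-removal recovery from the guide: BFE must be registered and running
    # before the Windows Firewall service (MpsSvc) can start.
    foreach ($svc in 'BFE', 'MpsSvc') {
        if (Get-Service -Name $svc -ErrorAction SilentlyContinue) {
            Set-Service -Name $svc -StartupType Automatic
            Start-Service -Name $svc -ErrorAction Continue
        } else {
            "Service $svc is missing; re-create it as described in the linked BFE guide."
        }
    }
    # The two commands from the "Limited or No Connectivity" fix above.
    netsh winsock reset
    netsh int ip reset c:\resetlog.txt
}
```

Run it once before removal to record the findings and again after the reboot; a clean second run plus a running BFE and MpsSvc is the sign that the Firewall fix worked.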
Best wishes and a heartily Happy Easter!
Post Edited (Andreea-Luciana Ostache) : 9/14/2012 12:36:29 PM GMT