Well, I have a story for you folks, but allow me to warn you of important matters, as I did for the previous topic.
Do not attempt to research things mentioned in this post. Bad things can happen. Things dealt with include a rootkit that will kill legitimate security programs and make them non-accessible. In other words, if you get it, you're next to screwed. Don't risk it. Also, one measure I've taken is not to be done without knowing more than basic computer stuff - don't try what I did yourself unless you know exactly what you're doing.
Now, with that out of the way, I can begin this here thing.
So, it's Tuesday night. I'm walking out of the college building just after my Intro to Programming and Logic class. When I get to my car, I find a note. "Austin, I wanted to ask you if you could do a factory reset type deal on my laptop." Below the message were contact details. "Thanks amigo" and a signature followed that. Arriving home, I text the number with a question, and promptly receive a response. No recovery disk, it appeared. But I wasn't discouraged - there's more than one way to fix something that sounded as bad as something apparently needing a factory restore would sound. Fast forward to today, Thursday. She catches me in the parking area and hands over the laptop, and then explains the problem. Things close as soon as they're opened. This didn't sound good to me. In fact, it sounded bad.
When I got home, I was determined to get this done in a timely manner, so I went inside and got straight to work on her laptop. I even accidentally left my poor coat in the car. Immediately I notice a program called "Security Protection" open itself up. "Oh great, a fake anti-virus," I thought. About 10 minutes of manual registry edits and file deletions later, it's gone. Turns out it wasn't one of those evil ones that refuses to stay deleted with the aid of other things - it was actually relatively unprotected, save for a file association change. However, the problems did not stop by simply getting rid of that. To see if I was done, I opened Internet Explorer. It took its sweet time loading, I noted. I was almost certain that there would be browser hijackers still lurking, and right I was. I searched for Google on Bing, and got redirected instead to another search engine that searched for Google for me. So, yeah, there was still trouble. I wasn't sure where to go next at this point - it could be literally anything doing this. I looked up the fake AV I removed to see if it commonly came alongside other things. Apparently, it did in most cases, so I snagged a program meant to kill the stuff that came with it. Turns out that in this particular instance, that specific thing was not the problem - it was already dealt with. There was a worse problem at hand. So far, I've cleaned up the fake AV and exe file association, but there was still a browser redirect issue. I can't leave it at that. No way.
I asked a good friend of mine over AIM, Nite Shadow, if he had any idea where to go from there, since I know he has experience with this stuff as well. That time he had to deal with what I was just trying to get rid of, he ended up having to format. My next idea was to run the cleaning disc I had made for my computer some time before. Upon trying to scan, after a few files, the program died, and was made non-accessible. "Rootkits," I thought. It had to be rootkits. Darn evil ones, too. I grabbed a process killer for known malware processes and ran it after booting her laptop into Safe Mode. Then I ran a scan with a re-installed MBAM. I picked full scan, and it died super dead soon after starting. Then, I reinstalled it again, and tried the "quick scan." It didn't die this time, and it gave me rather valuable information. Looking up the name the AV referred to it as, I found out that I was dealing with a ZeroAccess rootkit. For lack of will to type the entire technical explanation, here's the simple version: It uses really nasty methods to prevent any kind of security software from starting again - it detects when a piece of it that it lays out is detected by anything other than itself, and kills the thing that detects it and associated processes, and then prevents that from starting again. I had only one option left at this point, and that option was ComboFix. It was what I used to fix my dad's beyond-recovery desktop PC, and it did its job well those two years ago. It was made specially for this kind of issue. Upon running it and letting it do its thing, it pops up a window telling me that it was a particularly difficult infection, and that I should run it again if not all was fixed afterwards. Well, I let it do its thing. Turns out that ZeroAccess was injecting itself into many critical Windows processes and drivers.
Luckily the person had a System Restore point before all this had happened, and ComboFix pulled non-infected replacements from there to fix all that was infected. A little while later, all was well. I restarted the computer again, and then opened Internet Explorer to check to see if the redirection issue was gone. It was at this point that I noticed that things were going way faster, and I figured that this was a good sign. I searched for Google from Bing again, and this time it took me straight to Google with no sign of hesitation or struggle. I searched for Bing from Google and it took me back to Bing with no sign of trouble. I repeated this a good few times, and did other searches too. As far as I can tell, all is well now. All that is left is to contact the owner.
Long story short: I hate rootkits.
---
Edited by: Miles, Nov 4th, 2011 @ 12:26 am
Posts: 766
Status: Offline | Group: Admin | Member: #12
Nov 4th, 2011 @ 12:10 am
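The "file association change" mentioned in the post above is the one piece of this cleanup that is easy to verify by hand, and it is worth checking on any machine that has had a fake AV on it: the rogue points the .exe file type at itself so that every program launch goes through it first, which is also why security tools "close as soon as they're opened". The script below is an added example and is not the author's own method or any tool the post names; it only reads the registry and reports. The key paths and the clean values (`"%1" %*` for the open command, `exefile` for the ProgID) are the standard Windows defaults. It assumes a Windows host with PowerShell 2.0 or later, run as Administrator, and it is of no use while a rootkit that kills security tools is still resident, which is the situation the post describes before ComboFix.

```powershell
# Added example, not part of the original post: check the registry keys a
# fake AV hijacks to make every .exe launch run through it first.
# Assumes Windows, PowerShell 2.0+, and an elevated session. Read-only.

$cleanCommand = '"%1" %*'     # Windows default for exefile\shell\open\command
$cleanProgId  = 'exefile'     # Windows default ProgID for the .exe extension

function Get-RegDefault {
    param([string]$Path)
    # Returns the key's (Default) value, or $null if the key does not exist.
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    return (Get-Item -LiteralPath $Path).GetValue('')
}

$findings = @()

# 1. The command Explorer and CreateProcess use to launch .exe files.
#    HKCR is a merged view of HKLM\SOFTWARE\Classes and HKCU\Software\Classes,
#    and the per-user copy wins, so a hijack often lives only under HKCU.
$commandKeys = @(
    'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command',
    'Registry::HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command'
)
foreach ($key in $commandKeys) {
    $value = Get-RegDefault $key
    if ($value -eq $null) {
        # An absent per-user key is the clean state; an absent machine key is not.
        if ($key -like 'Registry::HKEY_CURRENT_USER*') { continue }
        $findings += "MISSING  $key"
    } elseif ($value -ne $cleanCommand) {
        $findings += "HIJACKED $key = $value"
    }
}

# 2. The ProgID that .exe maps to. Some rogues leave exefile alone and instead
#    point .exe at a class of their own (typically via a per-user .exe key).
foreach ($key in @('Registry::HKEY_CLASSES_ROOT\.exe',
                   'Registry::HKEY_CURRENT_USER\Software\Classes\.exe')) {
    $progId = Get-RegDefault $key
    if ($progId -ne $null -and $progId -ne $cleanProgId) {
        $findings += "HIJACKED $key -> ProgID '$progId'"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: .exe association matches the Windows defaults.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
    Write-Output 'Fix: restore the values above to the defaults (or delete the per-user keys), then reboot.'
}
```

A HIJACKED line under HKEY_CURRENT_USER usually names the rogue's own binary in a user-writable directory; deleting the per-user keys restores the machine-wide defaults without editing HKLM. If the script itself refuses to run or PowerShell closes immediately, the association or something deeper is still in control, and booting from clean media (as the post eventually does with a cleaning disc and ComboFix) is the next step rather than more in-place edits.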
Never change your avatar
Posts: 3180
Status: Offline | Group: Admin | Member: #1
Nov 4th, 2011 @ 12:07 pm
That sounds like some pretty nasty stuff. Good thing you were able to fix it for her.
Course clear! You got a card.
Posts: 196
Status: Offline | Group: Member | Member: #19
Nov 4th, 2011 @ 3:07 pm
I always just reformat in the presence of malware... ultimately takes up less time 99% of the time anyway lol