05-13-2012 12:27 PM
I hope I didn't discover this invaluable resource too late. I was recently infected with some version of the ZeroAccess or Sirefef Rootkit and have spent the last day or so trying to find a solution. My Norton Security Suite 5.0 through Comcast informed me that manual removal was required of afd.sys.vir (Trojan.Zeroaccess!inf2).
I'm running XP Media Center 2002 w/SP3. I just installed the Norton software when Microsoft Security Essentials alerted me to the infection, about the time I started to lose control of my browsers. It quarantined two instances each of Sirefef.P, Sirefef.AH, and Sirefef.AC.
After doing insufficient research, the first thing I did was run the ESET Sirefef Remover. That seemed to take care of most of the browser behavior. But Norton, which I then installed, was still detecting it, and GMER was showing a lot of SSDT activity. So parts of it seem to still be there.
I ran NPE, which detected nothing, as well as the FixZeroAccess program from Norton. Upon restart, it did detect an infection, but my computer froze as I was re-enabling System Restore, and before I could tell the removal tool to fix it. After reboot, I tried the remover again, and this time it ended up finding no infection. I haven't made any additional changes to the system since this happened. I did run TDSSKiller, and it found nothing.
On a side note, I have downloaded a few free or demo malware scanners to see what they could find. The SpyHunter Demo finds infections by Lop.com and Alexa which Norton, Hitman, and Malwarebytes do not - of course it doesn't allow me to fix them until I buy the full version.
If anyone could walk me through the best way to try to clean my computer, I would greatly appreciate it. And if someone could offer an explanation for why SpyHunter is the only software I've tried that has picked up these other infections, I would be grateful for that as well.
05-13-2012 12:43 PM
Maybe the AntiZeroAccess tool from Webroot AV and HitManPro can help you:
05-13-2012 06:57 PM
Haven't tried AntiZeroAccess yet, since I saw advice in this forum not to run anything until you figure out what you're dealing with.
HitManPro only turned up tracking cookies -- quite suspicious it seems to me. I'm guessing the infection is managing to hide evidence of its existence from just about everything.
05-13-2012 07:54 PM
I've recently realized this, though nothing I'd read before I discovered this forum indicated that I was at risk of messing things up more, or that I needed supervision. I should have been more careful though.
What do I do at this point? Try a bootable cd? Your counsel is urgently needed.
05-13-2012 09:26 PM
Actually, that is clever. Norton is not your main AV; you have just installed it. Your main AV is MSE. This is not the forum for MSE and all the other programs.