Posted on 2012-08-29
I have a client that somehow got this virus on their computer. I will detail the steps I have taken to get to the point I'm at right now. With the virus on the machine, before I did anything to the system, I was not able to access the internet, and when I tried to boot the system in normal mode, the system would reboot instantly before the icons came on the screen. I can get the system into safe mode, but with no internet access.
The steps I have taken: Ran ComboFix in safe mode, but it locked up while deleting files. Tried to run it again and it keeps coming up with the message rootkit.zeroaccess; it gets to about stage 48 and that's it, no further. Couldn't run Malwarebytes or SuperAntiSpyware. Ran TDSSKiller and it detected rootkit.boot.sst.b. Upon reading several webpages about the virus, I decided to try the gpart method to get rid of the partition. I was able to remove a 7 MB partition from the hard drive, and now I can get the system into normal mode, but still have no internet access. I have tried a Winsock fix, and I have tried a DNS flush. When I do an ipconfig /release it will release the IP address, but when I try to renew the IP address I get the message "cannot connect to the RPC server". Ran Malwarebytes in normal mode with an updated rule set and it came back as no threats were found.
I'm running ComboFix now in safe mode with networking support. I have completely removed Webroot SecureAnywhere, which failed at detecting and removing this virus. If ComboFix completes this time, I'll be able to upload a log file. Every time I run ComboFix it keeps saying that a rootkit.zeroaccess has been found and needs to reboot my machine; currently it is 20 minutes in and at step 19. Any suggestions on what I can do to get rid of this virus and get the internet working again? Also, I would prefer a method that does not involve formatting and reinstalling, since the client's computer I'm working on has software on it that they currently cannot find the CDs for. It would cost a lot of money to update to the latest version, and the vendor won't send them a CD or send them the exe file because the software is EOL.
Thank you for any help in getting this resolved.