Zeroaccess is a nightmare. It creates a hidden partition to run components from, deletes the BITS and Windows Update services, infects system restore and then removes the system restore interface from Windows. It locks you out of various sections of your file system it has decided to secrete backup copies of itself into (C:\Windows\Temp, C:\Windows\System32\Config\Systemprofile and so forth).
Anyone who's an IT admin needs to read this. It's a bit hyperventilating, but there's a detailed description of the removal process. Unfortunately, the process looks like it will take around an hour per Windows computer, and looks to be entirely manual (i.e. not scriptable).
Zeroaccess knows all the standard tricks; it hides itself from Trend Micro's virus scanner Housecall, kills industrial-strength bleach Combofix (attempting to run this tool will freeze the system), resists cleaning by SurfRight's Hitman Pro, Symantec's resident AV and so forth. If you delete the hidden partition after booting from a Linux Live CD, chances are you didn't get every last remnant of the thing and it will be back in due time. It also prevents remote support app Teamviewer from starting properly with Windows.
If any residue of the rootkit lingers, or if Sirefef and/or its downloaded friends remain, they will all download and reinstall one another and we get to play whack-a-malware one more time. Bonus points were awarded for exploiting known Windows 7 vulnerabilities to infect every other machine on the network; that was a nice touch that really made my Friday.
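For admins who want a quick first-pass triage of a suspect host, here is an added PowerShell check (not from the original post or from any of the tools it names) that looks for the symptoms described above: the BITS and Windows Update services being gone, and the listed folders refusing access even to an administrator. It assumes an elevated session and the standard Windows service names BITS and wuauserv; a clean result is not proof of a clean machine, since the rootkit hides itself.

```powershell
# Added example, not part of the original post: triage for the ZeroAccess
# symptoms the post describes. Assumes an elevated PowerShell session and the
# standard service names 'BITS' and 'wuauserv' (Windows Update).
function Test-ZeroAccessSymptoms {
    $findings = @()

    # 1. Services the post says the rootkit deletes outright.
    foreach ($svc in 'BITS', 'wuauserv') {
        $present = Get-WmiObject Win32_Service -Filter "Name='$svc'"
        if (-not $present) {
            $findings += "Service '$svc' is missing (ZeroAccess deletes BITS and Windows Update)"
        }
    }

    # 2. Folders the post says the rootkit locks an administrator out of.
    $paths = @(
        "$env:SystemRoot\Temp",
        "$env:SystemRoot\System32\Config\Systemprofile"
    )
    foreach ($p in $paths) {
        try {
            # -Force includes hidden items; -ErrorAction Stop makes denials catchable.
            Get-ChildItem -LiteralPath $p -Force -ErrorAction Stop | Out-Null
        } catch [System.UnauthorizedAccessException] {
            $findings += "Access denied to '$p' while running elevated"
        } catch {
            $findings += "Could not read '$p': $($_.Exception.Message)"
        }
    }

    # Returns an array of human-readable findings; empty means none of the
    # checked symptoms were observed (which does NOT prove the host is clean).
    return $findings
}

$result = Test-ZeroAccessSymptoms
if ($result.Count -gt 0) {
    Write-Host "Possible ZeroAccess symptoms found:"
    $result | ForEach-Object { Write-Host " - $_" }
} else {
    Write-Host "None of the checked symptoms observed; this does not rule out infection."
}
```

Any finding here is a reason to isolate the machine from the network before the full manual removal, given that the post notes it spreads to other Windows 7 hosts on the network.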
I'm not sure what to say to those of you who are not IT admins. You're very likely vulnerable as well; you may even have been infected. I'd say that you should run Combofix - if it locks your system up, then you should do items 2-11 on the list, which won't be any fun.
I'd also recommend that you turn off Java in your browser, but likely most of the ubercool new "Cloud" services (Webex, Dropbox, maybe backup services) will all break. I don't think that I have a good answer for what you should do - as I've said before, we may simply have lost the malware war.
What I will say is that if Combofix makes your system hang then you are infected. DO NOT USE ONLINE BANKING UNDER ANY CIRCUMSTANCES IF THIS IS TRUE.
If you want to do online banking, my recommendation is to follow these steps:
- Get an old PC with a (hard wired) Ethernet 10 Base-T interface. You should be able to pick one up for small money on eBay, and may have one hanging around your house.
- Load Linux on it. There are a bunch of distros out there; I run Ubuntu but a lot of folks don't like the new versions. Pick one that is pretty minimalistic - all you need is web browser access. This will be free.
- unetbootin will make a USB thumbdrive bootable. Copy your Linux distro image to that, and boot your new/old computer from that. Follow the steps to install. Ubuntu is easy, but so are some others.
- Install Firefox on the Linux box. It's modern, it's kept up to date very well, and it will be supported by your bank.
- IMPORTANT: Turn Java OFF in Firefox.
- IMPORTANT: ONLY do your online banking from this computer. Do not EVER do online banking from another computer.
- Do not EVER do online banking from your smart phone. Ever. Don't make me want to change my tone.
The malware is very, very good, and online banking passwords are one of their top targets. The malware authors are successful enough at getting these passwords that they are better funded than the antivirus companies. Linux is not targeted as often, but it is targeted - this is why you should only use the Linux computer for banking, and nothing else.
I guess that this is a way of saying that we're in Condition Orange. Sadly, I don't think that will change anytime soon.
UPDATE 4 September 2012 16:21: Just a clarification, most users will NOT want to try to use Combofix to clean your system - Combofix is notoriously hard to use. Rather, it's a diagnostic tool - if you run it and your system hangs, this identifies that you're infected. Note that if you try to do a lot with Combofix and you don't know what you're doing, you might brick your computer.
And in any case, I recommend a dedicated computer for doing online banking. Linux will give you the lowest cost, and the smallest target (I don't think I've heard of a banking trojan targeting Linux).
But I don't like online banking. Ees Online Bank. Ees not safe. And really really really don't ever use your phone to bank. Really.