New ZeroAccess Rootkit Type

Discussion in 'Malware Help (A Specialist Will Reply)' started by rjordan, Aug 15, 2013.

  1. rjordan

    rjordan Private First Class

    I have discovered a new strain of ZeroAccess.
    These locations/methods are specific to this new version; basic malware removal steps should be followed. Figured I would notify you guys so you can add this to your methods if you so wish.

    I have been getting hammered by these cases at work, spent a good 18 hours tracking it down through the registry and OS.

    Feel free to use this info or delete it, just trying to help...

    Symptoms:

    Extremely slow internet. Netstat will continuously show more and more active connections.
    svchost.exe spiking to 100% CPU usage and 200MB of memory used.


    Locations:
    C:\Program Files (x86)\Google\Desktop\Install\
    --You will find a file path with a randomly named entry, followed by 3 blank folder names, and then a folder called "..."
    Once you hit the "...", it fails to read the source file and cannot proceed. All attempts to set file permissions, delete, rename, etc. fail to complete. Explorer.exe will actually restart when you try to delete it.

    i.e.
    C:\Program Files (x86)\Google\Desktop\Install\{fbeba05-hag65-hg76809-}\BLANK\BLANK\...\



    C:\Users\%PROFILE%\Appdata\Local\Google\Desktop\Install\
    --This directory is similar, but you can change the file permissions and take ownership easily enough to delete the entries.

    Registry -

    **I forgot my notes/logs at work and the VPN is down; if this thread isn't deleted, I will add these entries later.



    Further Notes:
    RogueKiller will not remove these entries.
    TDSSKiller finds nothing.
    SFC finds no integrity issues.
    Tweaking.com finds no issues.
    MalwareBytes finds very few entries.
    SuperAntiSpyware finds no entries.
    Symantec Endpoint Protection will find and delete it, but it is re-created every 5 minutes.

    Tried various other tools to no avail. Searching through the registry gives a lot of errors due to invalid characters, which means you are unable to view that registry entry.

    The only tool I have been able to successfully remove this rootkit with so far is SpyBot S&D.

    Using the "Startup Tools" I was able to locate the hidden tasks listed there and disable them.

    From there, I did a Deep Root Scan and was able to detect the "Hidden APV" tagged registry entries and delete them as well.





    Hope this helps you guys, I will provide further notes as I continue troubleshooting these issues.
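    A defensive check for the directory pattern described in this post (a randomly named folder, blank folder names, then a folder called "..."), added here as example code that is not part of the original post. It assumes Python 3; the two scan roots are the paths given above, with %LOCALAPPDATA% standing in for the %PROFILE% form, and the demo tree is a constructed copy of the layout for non-Windows systems.

```python
import os
import tempfile

# Directories named in the post (%LOCALAPPDATA% stands in for the poster's %PROFILE% path).
REPORTED_DIRS = [
    r"C:\Program Files (x86)\Google\Desktop\Install",
    os.path.expandvars(r"%LOCALAPPDATA%\Google\Desktop\Install"),
]

def classify_name(name):
    """Return why a directory name matches the hiding trick from the post, or None."""
    if name.strip() == "":
        return "whitespace-only name"  # the 'BLANK' folders
    if name.rstrip(".") == "":
        return "dots-only name"  # the '...' folder Explorer cannot open
    if name.endswith(".") or name.endswith(" "):
        return "trailing dot/space"  # names Win32 normally strips; only creatable via \\?\ paths
    return None

def scan_tree(root):
    """Walk root and return sorted (path, reason) pairs for every suspiciously named directory."""
    if os.name == "nt" and not root.startswith("\\\\?\\"):
        # The \\?\ prefix bypasses Win32 name normalisation, so '...' entries stay visible.
        root = "\\\\?\\" + os.path.abspath(root)
    findings, stack = [], [root]
    while stack:
        cur = stack.pop()
        try:
            entries = list(os.scandir(cur))
        except OSError:  # unreadable or missing directory: report nothing, keep going
            continue
        for e in entries:
            if e.is_dir(follow_symlinks=False):
                reason = classify_name(e.name)
                if reason:
                    findings.append((e.path, reason))
                stack.append(e.path)
    return sorted(findings)

def demo_scan():
    """Build a constructed copy of the post's layout (blanks as single-space names) and scan it."""
    base = tempfile.mkdtemp()
    os.makedirs(os.path.join(base, "{fbeba05-hag65-hg76809-}", " ", " ", " ", "..."))
    return [reason for _, reason in scan_tree(base)]
if __name__ == "__main__":
    if os.name == "nt":
        for target in REPORTED_DIRS:
            for path, reason in scan_tree(target):
                print(reason, path)
    else:
        print(demo_scan())  # the blank-name tree can only be built this way outside Windows
```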
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Last edited: Aug 16, 2013
  3. rjordan

    rjordan Private First Class

    Not sure I would be able to use the kernel mode guide you just posted at work...

    But that Dr. Web Anti-Virus seems to be exactly the one I have been seeing lately.

    I tried googling around for it, but could not find anything other than "Run ComboFix or try an SFC".

    I will definitely try that out tomorrow, got 2 more cases I have to follow up with before vacation haha

    Kinda makes me feel a little silly for even making this shoddy post when it seems ya guys already knew everything about it :(
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The newest version of ComboFix may address this.

    Not a problem. Your heart and mind are in the right place. ;)
     
