Running WindowsXP SP3, IE 8, (free)AVAST! 6.0.1367
About a week ago, I was surfing the web and inadvertently hit a mouse button and a new browser window opened to some alien antivirus purchase site. Closed that window and continued surfing without incident. Not sure what the cursor had been over or what the new page site was called since I was not interested in either. Next reboot, however, a window opened on my desktop telling me I had several infections and should buy their software to remove. I believe that window was titled "WinXP Home Security 2012". Again, not interested in unknown antivirus and thinking it was just fake, I closed the window. Then found that fake window popped up when I tried to do MOST anything but I COULD get into a few things. I BELIEVE at that point, I was able to bring up msconfig and Avast but saw no unrecognised startup or malware detection. (This may have been later, though, after the following steps.)
I ADDED the drive to a clean machine having the same software in order to find the unwanted startup file. No luck. Ran Avast to scan the entire drive. This may have been the first or second attempt but, in any case, no detections. Still on the clean machine, I "googled" the name from the fake window and found it was, indeed, a scam and a link to MS Knowledgebase which detailed similar characteristics and suggested deleting Registry entries for class .exe and one whose name appeared in that entry. The Registry hives for the infected system did have the entries whereas the clean machine's Registry did not, so I deleted those two keys and unloaded the hives.
Putting the drive back on the original machine, I BELIEVE things all appeared normal except I still got a "nag" about security and Windows Update. Scanning the drive again, Avast detected ONE file in Docs&Settings which I moved to the Chest. Upon reboot, the nags still showed so, using the location of that single file detected, I saw more with the same date and was about to quarantine them also but Avast caught each as soon as the cursor was on it. (GREAT pre-emption)
Since Avast now told me what to look for, Google and this forum have given me knowledge I wish I'd had last week. This Win32:ZAccess-EF is much worse than a simple scam. It has only been partially corrected as the security/Windows Update problems still exist. For several days Avast scans detected nothing. Today, though, a couple more files got caught and quarantined.
I DO have a restore point about a week prior to the infection if that would suffice to clear my system. Otherwise, awaiting your advice. Thank you.