I’ve treated four or five machines in the last week for this nasty new infection: mostly XP machines, but Vista and Win7 are susceptible as well. It has symptoms similar to other rootkits (preventing your antivirus software from running, redirecting your web search results, etc.), but this one is a little nastier. It doesn’t just disable your security software; it mangles the executable file itself, so the antivirus has to be removed and reinstalled after the infection is dealt with. In some extreme cases, I’ve seen this rootkit destroy the Windows TCP stack, requiring a repair install of the operating system to regain network functionality.
I’ve succeeded in removing Zero.Access with a few different methods, depending on the availability of tools and the overall functionality of the victim operating system. My preferred approach is to remove the hard drive and scan it on another machine, thus ensuring that the scan won’t be interrupted by the rootkit itself. If that’s not a possibility, it can also be treated by booting into Safe Mode with Command Prompt and running the system’s virus scanner or ComboFix from the command line. ESET also has a stand-alone removal tool for this infection, though I haven’t tried it yet. If you think you may have contracted Zero.Access, check out the link below; it has some good instructions for diagnosing your own system.
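One check worth running once the machine is clean is whether the antivirus binaries were actually mangled, as described above, rather than merely blocked from starting. The PowerShell script below is an added example and not part of the original post or any vendor tool: it walks an antivirus program folder (the folder path is a placeholder you substitute) and verifies each executable and DLL against its Authenticode signature. A status of `HashMismatch` means the file's contents no longer match what the vendor signed, which is exactly the case where the product needs to be removed and reinstalled rather than trusted to scan.

```powershell
# Added example (not from the original post): verify the integrity of the
# installed antivirus binaries via their Authenticode signatures.
# $AvFolder is a placeholder; point it at the real product's program folder.
param(
    [string]$AvFolder = 'C:\Program Files\Example AV'   # placeholder, not a real product path
)

if (-not (Test-Path -Path $AvFolder)) {
    Write-Error "Antivirus folder not found: $AvFolder"
    exit 1
}

# Collect every executable and library under the folder and check its signature.
$report = Get-ChildItem -Path $AvFolder -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = ''
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        # New-Object PSObject keeps this usable on PowerShell 2.0 (XP/Vista era).
        New-Object PSObject -Property @{
            File   = $_.FullName
            Status = $sig.Status      # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Signer = $signer
        }
    }

# HashMismatch is the "mangled executable" symptom: the file was signed by the
# vendor, but its bytes have since been altered.
$damaged = @($report | Where-Object { $_.Status -eq 'HashMismatch' })

$report | Sort-Object Status, File | Format-Table Status, Signer, File -AutoSize

if ($damaged.Count -gt 0) {
    Write-Warning ("{0} signed file(s) fail signature verification; remove and reinstall the product." -f $damaged.Count)
    $damaged | ForEach-Object { Write-Warning ("  " + $_.File) }
} else {
    Write-Output 'No signature mismatches found under the antivirus folder.'
}
```

Run it from an elevated PowerShell prompt after the cleanup (for example while the drive is mounted on the second machine, adjusting `$AvFolder` to the mounted drive letter). Files reported as `NotSigned` are not necessarily damaged, since some vendors ship unsigned helper files, so the decision to reinstall is keyed only on `HashMismatch`.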