Zbot, rootkit, Cryptowall 3.0 and other infections on a single Windows 7 PC. I was extremely lucky that this PC was on a separate network with no network drives back to the main network.
I had a client call up saying his computer was doing weird things. – First sign this is going to be fun.
Tried remotely cleaning up the malware with MBAM, ADW Cleaner, ComboFix and MSE. MSE successfully detected the malware, but was unable to stop or remove it completely. During these scans (normal for ComboFix, but not for MBAM) I was getting disconnected, and then I needed to go out to see another client.
Attended site and found the computer had completely frozen. Hard reboot and booted back in. I tried MBAM again, but that was taking forever. Tried NPE (Norton Power Eraser), but that failed to reboot successfully and forced a startup repair for some reason. I ended up using this again successfully, but it still didn’t clean up the infections fully.
I ran TDSSKiller, as I noted that MSE showed a rootkit/bootkit infection. This successfully removed that malware; however, the Zbot virus was still causing havoc. I noted that C:\users\username\appdata\roaming was full of randomly named folders (over 20 0000 of them). He was also infected with the new CryptoWall 3.0, as shown by the Notepad, IE and Photo Viewer windows on how to pay, as well as the “DecryptYourFiles” files in lots of different folders under his profile. I decided it was best to remove the rootkit and then blow away his profile.
I used a local admin account, opened regedit, found the ProfileList under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList and deleted his profile entry (as shown on http://superuser.com/questions/512484/how-do-i-force-windows-7-to-create-a-new-domain-profile-with-same-name-as-an-exi).
Then I proceeded to use the command line to remove his entire user folder, C:\users\username. I had to do it this way as doing it through Explorer was painfully slow and errored out several times.
rmdir /s /q C:\users\username
I then logged back in as him after successfully rebooting several times into the local admin account and running the antimalware programs, which came up clean. Then I proceeded to set his profile up again (printer, email, shortcuts etc).
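As an added example (not the author's own commands), here is the same profile reset written as a PowerShell script for Windows 7. It assumes you run it from a different local admin account, that the infected user is logged off, and that the folder name under C:\Users is what you pass as -UserName; the registry path and the folder removal are the same steps as above, with a -WhatIf switch so you can see what would be deleted before it is.

```powershell
# Added example, not from the original post: reset a Windows 7 profile by
# removing its ProfileList entry and its folder, from a DIFFERENT local admin
# account. Assumptions: rootkit already removed (TDSSKiller), user logged off,
# and $UserName is the folder name under C:\Users. Use -WhatIf to dry-run.
param(
    [Parameter(Mandatory = $true)][string]$UserName,
    [switch]$WhatIf
)

$profileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$profileDir     = Join-Path 'C:\Users' $UserName

# 1. Refuse to run against the account you are logged in as: its hive is loaded
#    and the folder is in use, so the deletion would half-fail.
if ($env:USERNAME -ieq $UserName) {
    throw "Log in with a different local admin account before resetting '$UserName'."
}

# 2. Record the indicator the post describes (thousands of randomly named
#    folders under AppData\Roaming). Count only; nothing in there is executed.
$roaming = Join-Path $profileDir 'AppData\Roaming'
if (Test-Path -LiteralPath $roaming) {
    $count = (Get-ChildItem -LiteralPath $roaming -Directory -Force -ErrorAction SilentlyContinue |
              Measure-Object).Count
    Write-Host "AppData\Roaming currently holds $count folders"
}

# 3. Find every ProfileList subkey (named by SID) whose ProfileImagePath points
#    at this profile folder. Windows 7 can also leave a '<SID>.bak' key for a
#    profile it thinks is broken; remove those too, or Windows keeps pointing
#    the user at the old (infected) folder instead of building a fresh one.
$entries = Get-ChildItem -Path $profileListKey | Where-Object {
    $path = (Get-ItemProperty -Path $_.PSPath -Name ProfileImagePath -ErrorAction SilentlyContinue).ProfileImagePath
    $path -and ($path.TrimEnd('\') -ieq $profileDir.TrimEnd('\'))
}
if (-not $entries) {
    Write-Warning "No ProfileList entry points at $profileDir (already removed?)"
}
foreach ($key in $entries) {
    Write-Host "Removing ProfileList entry $($key.PSChildName)"
    Remove-Item -Path $key.PSPath -Recurse -Force -WhatIf:$WhatIf
}

# 4. Remove the profile folder itself. Explorer is slow and errors out on this
#    many files; the post used 'rmdir /s /q' from cmd, which Remove-Item
#    mirrors here. If Remove-Item stops on an over-long path, fall back to
#    'cmd /c rmdir /s /q' for that subtree.
if (Test-Path -LiteralPath $profileDir) {
    Write-Host "Removing $profileDir"
    Remove-Item -LiteralPath $profileDir -Recurse -Force -WhatIf:$WhatIf
}

Write-Host "Done. Reboot, then log on as '$UserName' to get a clean profile."
```

Run it as `.\Reset-Profile.ps1 -UserName username -WhatIf` first from an elevated PowerShell session, then without -WhatIf. Anything you want from the old profile has to be copied out before this step; in the case above there was little point, since CryptoWall had already encrypted the user's files.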