ZeroAccess rootkit shows as a process in Windows XP task manager that is a series of numbers with a colon in the middle, e.g. 1784223:3221239.exe, which cannot be killed.

ESET have a tool that detects and kills the process - requires a reboot.
Kaspersky have the TDSSKiller tool that detects the infection as Sirefef trojan.
MBAM and MSSE are halted when attempting to run a scan.
The trojan/rootkit is active whenever networking is active.
It continues to re-infect via driver files.

To clean the infection use a boot disk such as Parted Magic that contains Clamav - update the clamav pattern files then run a command such as:

 clamscan -r -i /medica/sda1/

(-r = recursive, -i = show infected only)
Delete or overwrite the files as required.

11 Nov 2011 / admin