Three times in as many weeks I have been hit by a ZeroAccess virus, identified by MalwareBytes as Rootkit.0Access, while surfing the web. In all cases I was visiting well-known legitimate sites that were flagged by McAfee SiteAdvisor as safe and that I have used in the past without problem. I'm pretty sure the first two attacks both came from either Kryptonsite.com or KSitetv.com and the third I am almost certain was from Accuweather.com (it was either that or LinkedIn, which were the only two I visited in that instance). Or at least, they occurred while I was viewing those sites. I'm very security-conscious and didn't think I could be any more careful with my surfing!
McAfee SecurityCenter didn't seem to detect the downloads, although its firewall blocked the virus from connecting to the internet as an unknown program. What happened in all cases was:
While viewing a website, McAfee firewall popped up a message that an unknown program wanted internet access - "Fyoesbiso32" the first two times and "liquid7674137" the third time.
At the same time, a window claiming to be an Adobe update with a progress bar appeared, and Windows User Access Control asked me for permission to run it.
I didn't give permission for either and instead powered down the PC and rebooted. Following the reboot, a quick scan with MalwareBytes found and deleted the following files:
First two times:
In all cases, I took no chances and restored a complete Acronis disk image from before the virus hit, booting from the Acronis CD to do so. Subsequent full scans with McAfee, MalwareBytes, TDSSKiller, HitMan Pro and McAfee Rootkit Remover (updated to the latest definitions beforehand where appropriate) all came up clean. Then, a few days later, it happens again while innocently surfing the web.
I'm a bit concerned about the fact that this has happened to me three times recently - could my PC be compromised in some way that is causing this to happen? Why doesn't McAfee detect these files and prevent them from downloading and running?
Does anyone know where this ZeroAccess virus is coming from and why it is suddenly hitting me so frequently - could it be adverts hosted by these sites? Or is the Adobe update genuine but somehow infected?
Is there anything else I can do to prevent Rootkit.0Access / ZeroAccess from downloading and running in the first place?
Any advice on this nasty little piece of malware would be very much appreciated!
Windows 7 Ultimate SP1 64bit
McAfee SecurityCenter 11.0 Build 11.0.678 (real-time scanning of all files and auto update on)
McAfee VirusScan 15.0 Build 15.0.302
McAfee Personal Firewall 12.0 Build 12.0.355
McAfee SiteAdvisor 3.4 build 126.96.36.199 (with the browser plugin running in Internet Explorer 9)
Malwarebytes Anti-Malware 188.8.131.520 (free version, non-resident, only used for "second opinion" scans)