A friend, running XP SP3, clicked on a link in an e-mail from a "friend" and now has infected his computer with, "Trojan.RootKit.ZAccess."
I tried several things while at his keyboard, but nothing reported the trojan and anything I tried to install to find it was not allowed to run. I used the
AVG emergency boot disk, based a linux distribution, and it did not fine the trojan.
Finally, I took the drive out of his case, put it in a external USB case and plugged it into my Slackware Linux box. I ran ClamAV on it and it reported the Trojan.RootKit.ZAccess as mentioned above. I've found the infected file and all references to it, BUT even in Linux I cannot delete anything from the drive. Doesn't manner if I on as root or user. It won't even let me change the permissions.
Any ideas would be greatly appreciated (other than reformatting the drive).

Is it possible that the drive is mounted read only? Or that the file you are trying to delete has its attributes set to read only?

Regards,

Fordeck

Thanks for the "wake up call."
I blame the decaf.

Blame that friend for not securing his computer, not for sending the email. If his computer is infected, the virus will email itself to all his contact list without him knowing about it

Thanks. He has been so informed.

After Googling that rootkit, I have found that it happens to be a variant of the Agent.nsf Trojan, am I right? Definitely sounds like the email from a "friend" had to have really been an email from the Trojan itself as it resided on the friend's computer. To me, that sounds like the Trojan is trying to play botnet on your friend. The only way to stop the spread of the Trojan, unfortunately, is to format your friend's hard drive.

Fortunately, you can easily do this from a Linux Live CD, specifically an Ubuntu, Fedora, Debian, or Mint (or anything with a desktop environment that can run GParted) one. If the Live CD has GParted (which I'm sure Ubuntu does) then try the following:

Launch GParted (System -> Admin -> GParted on Ubuntu or anything GNOME-based). When GParted launches, select the drive to partition, but instead of partitioning it, select "Create partition table" from the Device menu. This will completely erase anything on the drive. After this, then you can create a new partition (ext4 is a good file system to use) that takes up the entire disk, and apply the changes. Then, use the Live CD's installer to install Linux to the drive.

But please, teach your friend how to use Linux if he doesn't know. If he learns all the open source alternatives to proprietary apps, that's great. If not, and he's more comfortable with Windows XP, then he can easily reinstall it (provided he has the XP CD).

Definitely wrong.
Also wrong, it will erase nothing but the partition table. Also, I would consider this a malicious advice without pointing out to make a backup of valuable/important data first.
Windows XP will not run on ext4.
What is the point with this? The owner of the computer is using Windows XP, not Linux. So what use has it to install Linux first (are you again trying to force people to Linux?) and after that reinstall XP? It would be a better advice to install XP, and let him use dual-boot or Virtualbox to get comfortable with Linux, without taking away the environment he is used to. You also seem to forget that their are still applications that have no compatible FOSS counterpart and will even not run with wine. People who have the need to use them have no benefit from running a Linux only machine.
I wonder why you still don't get that forcing people to FOSS is not the appropriate way.

I agree that the nuke and boot approach to handling a virus or trojan is excessive. Typically malwarebytes does a very good job of removing these types of infections. One needs to download it using a clean system and put it on a memory stick under a non assuming name, copy it to the target system and run it under an assumed name. If this fails, there are other programs that can be effective such as hijack-this, but dangerous to use unless you know what you are doing.

If you need or would like help with Windows malware, I highly recommend this other forum. Some of the most knowledgeable experts in Windows malware that I have seen hang out there.

What's wrong with suggesting him to use Linux? At least show him a live CD, it can't hurt anything.

First time i installed Linux in a PC was because I was enough pissed off to nuke and boot xp away... because of Virus and Malware... never turned back...

Nothing is wrong with suggesting Linux. As I said, I would recommend to use dual-boot or Virtualbox, before nuking the Windows and take his used environment away from the owner of the PC. Of course a Live-CD will also work.
But that wasn't that what Kenny said, he didn't want to suggest Linux, he wanted the OP to erase the whole drive and just install Linux on a PC that even isn't his own:That is in no way suggesting, that is forcing. And as I said before, a bad advice without mentioning to make a backup because of the complete data loss that is caused by this action.
Or in short: Suggestion is OK, forcing is not.

The best way to deal with a broken XP installation is to delete the OS, reformat the hard drive to ext3/4, and install a Linux distribution.

At least, that's what I keep trying to tell my wife for this computer.