Zeroaccess variants to be removed

August 3, 2012 at 08:52:32
Specs: Windows 7
Dear All,
All the machines I will write about are running Symantec Endpoint Protection 11.0.7000.975.
So. I'm managing a couple of machines, mainly workstations running the above security tool. I can see every day a couple of new ZeroAccess infections like:

Regarding the symptoms I can distinguish three different variations:
'C:\Windows\System32\services.exe' is not infected. Usually the below files have been reported:
This version can be cleaned by SEP without any issue. Remnant folders can be deleted manually.

All or some of the above files have been reported, plus 'C:\Windows\System32\services.exe'.
In this specific case I can't delete 'services.exe' as it's a core system file, and if I try to kill the process Windows crashes.
What I can do is simply rename it, for example to 'q.exe'. In this case I'm able to choose the option in SEP to 'Permanently Delete' that 'q.exe'. It offers to kill the process. At this point Windows immediately reboots with an error message like: 'Windows encountered a critical error...'. On boot, system repair starts and restores 'services.exe'. After logon I can delete 'q.exe'; the restored 'services.exe' is obviously OK. After deleting all the remnants, no tool can find any further infection.

This seems very much the same as the second one, except that I'm unable to even rename 'services.exe'. It says something like I have no permission.
I'm stuck with this one. I could easily fix it locally, but I have to take care of these machines remotely.

Common things:
Only SEP can see the infected files, but can't remove them.

Tools I've run to clean up but failed:
Malwarebytes Antimalware
RootKit Buster
Symantec's FixZeroaccess

Tools I've tried to unlock/rename/remove 'services.exe':
OTL - Could remove every other file, except 'services.exe' (Prepared custom script as per SystemLook's output, also tried scan)

So my question is: is there any solution where I don't need to involve the user too much, and that can be carried out remotely? So no flash drive tools / manual system repair initiations / etc.
Also it will be hard to get log files from any tools, or at least it will take a while, as half of these issues have been resolved and half have been re-imaged.
Your help is much appreciated.

Best Regards,

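Since the three variants above differ only in what has happened to 'services.exe' (clean, replaced, or replaced and locked down), the first thing a remote administrator usually wants is a way to tell them apart without touching the console. The following PowerShell script is an added example and is not from the original post or from Symantec; it assumes PowerShell remoting (WinRM) is enabled on the workstations, that the caller is a local administrator there, and the hostnames in $ComputerName are placeholders. It checks the Authenticode signature, owner and Administrators ACL of services.exe on each machine and flags anything that does not look like a stock system file.

```powershell
# Added example (not part of the original thread): remote triage of services.exe.
# Assumptions: WinRM enabled on targets, caller is local admin, hostnames are placeholders.
param(
    [string[]]$ComputerName = @('WORKSTATION-01', 'WORKSTATION-02')
)

$inspect = {
    $path = Join-Path $env:SystemRoot 'System32\services.exe'

    # Authenticode check: the genuine services.exe is Microsoft-signed and reports 'Valid'.
    $sig = Get-AuthenticodeSignature -FilePath $path

    # SHA-256 via .NET so this also runs on Windows 7's default PowerShell 2.0
    # (Get-FileHash only appeared in PowerShell 4.0). Open with ReadWrite sharing
    # because services.exe is always running and holds the file open.
    $stream = [System.IO.File]::Open($path,
        [System.IO.FileMode]::Open,
        [System.IO.FileAccess]::Read,
        [System.IO.FileShare]::ReadWrite)
    try {
        $sha  = [System.Security.Cryptography.SHA256]::Create()
        $hash = ([System.BitConverter]::ToString($sha.ComputeHash($stream))) -replace '-', ''
    } finally { $stream.Close() }

    # Owner / DACL: on a stock install the owner is TrustedInstaller and Administrators
    # only have ReadAndExecute. A "no permission" error on rename (variant three above)
    # usually means the owner or DACL has been changed.
    $acl       = Get-Acl -Path $path
    $adminRule = $acl.Access | Where-Object { $_.IdentityReference -like '*\Administrators' }

    New-Object PSObject -Property @{
        Computer        = $env:COMPUTERNAME
        SignatureStatus = $sig.Status.ToString()
        Signer          = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' })
        SHA256          = $hash
        Owner           = $acl.Owner
        AdminRights     = ($adminRule | ForEach-Object { $_.FileSystemRights.ToString() }) -join '; '
        LastWrite       = (Get-Item $path).LastWriteTime
    }
}

# Run the inspection on every workstation in one round trip.
$results = Invoke-Command -ComputerName $ComputerName -ScriptBlock $inspect -ErrorAction Continue

$results |
    Select-Object Computer, SignatureStatus, Signer, Owner, AdminRights, LastWrite, SHA256 |
    Format-Table -AutoSize

# Flag any copy that is not a valid Microsoft-signed binary owned by TrustedInstaller.
$results | Where-Object {
    $_.SignatureStatus -ne 'Valid' -or
    $_.Signer -notlike '*Microsoft*' -or
    $_.Owner -notlike '*TrustedInstaller*'
} | ForEach-Object {
    Write-Warning ("{0}: services.exe does not look like a stock system file" -f $_.Computer)
}
```

Run it as `.\Inspect-ServicesExe.ps1 -ComputerName host1,host2` (script name is hypothetical). Machines whose signature is 'Valid' and Microsoft-signed correspond to the first variant; an invalid or missing signature with a normal owner points at the second; an invalid signature together with a changed owner or an Administrators entry other than ReadAndExecute is the locked-down third variant. Comparing the SHA-256 values across machines also shows whether the same dropped binary is present on each host, which is useful evidence to keep before the machines are re-imaged.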

August 4, 2012 at 09:29:44
I would try anti malware from, ComboFix or HijackThis. If you run HijackThis, post the log here.

How do you know when a politician is lying? His mouth is moving.


August 4, 2012 at 13:34:12
"Tools I've ran to clean up but failed:
Malwarebytes Antimalware


August 5, 2012 at 05:35:40
What about the other two that I mentioned?

How do you know when a politician is lying? His mouth is moving.


August 6, 2012 at 08:22:56
Hello, Try running scans with the Power Eraser and SERT utility. You can find more information in the following thread -
