
Partial Trojan.ZeroAccess Infection Not Cleaned by FixTool

Created: 04 Aug 2013 | 2 comments

Hi. It's some time since I've had to delve into cleaning an infection. Your assistance would be appreciated.

I am dealing with a legacy WinXP Pro SP3 system that has caught a partial infection of Trojan.ZeroAccess at the user level. WinXP has the latest updates installed. SAV v10.1 has the latest virus definitions installed. It also has the latest version of ZoneAlarm Free running on the PC.  The partial infection appears to be the latest variant as documented by SophosLabs on July 31 2013 on "nakedsecurity.sophos.com".

When I logged in to the affected user, SAV identified Trojan.ZeroAccess and quarantined / cleaned the infection several times. I take this to be the trojan trying repeatedly to install itself. I downloaded the "Fix ZeroAccess" tool (FixTool 1.0.1) from the Symantec website and ran it from an admin user. FixTool reported "No Infection Found". However, logging in as the affected user again triggered SAV to quarantine / clean Trojan.ZeroAccess.

I removed the (dropper?) files and folders from C:\Documents and Settings\username\Local Settings\Application Data\Google\Desktop\Install\{....}\...\. Folder names were U and L. Program names were "@" and "GoogleUpdate.exe". I removed these files and folders via a Linux boot as they were not accessible from within Windows (ACLs had been changed to lock out admin users). I did not find the trojan files in the "Program Files" folder as suggested in the Sophos report. When attempting to uninstall Google Earth (the only real Google product on the PC), the uninstall box included unprintable characters, so I cancelled the uninstall and removed as much as possible manually (assuming that the uninstall had been compromised).

Windows Security Centre on the PC reports that there is no firewall running (but ZoneAlarm is running and allows me to stop all internet traffic and appears to trap other outgoing requests). It also reports no antivirus protection running (but SAV is running and appears to have blocked the ZeroAccess installs and can still run system scans etc). I take these issues to be damage done by the ZeroAccess dropper in advance of the full installation attempts.

A full system scan with SAV from an admin logon did not identify the partial infection or the existence of the dropper files and folders. If you can point me to documentation regarding the full manual removal of this infection this would be helpful as I am sure there remain artifacts from the infection. If you require further information, I would be pleased to provide it.

I hope the above information allows you to improve the ZeroAccess Fix Tool to also deal with the latest variant.

Thanks for any assistance.
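The manual clean-up above boils down to a read-only triage of one user profile: look under Local Settings\Application Data\Google\Desktop\Install\{GUID}\ for folders named U and L and files named "@" and "GoogleUpdate.exe", and treat a folder the current account cannot list as a finding in its own right, since the poster reports the dropper's ACLs locked out admin users. The script below is an added example written for this thread, not the Fix Tool or anything from Symantec; it assumes the `{....}` folder in the path is a GUID-style name and reports findings without deleting anything, and the sample profile it builds is constructed for the demo.

```python
import os
import re
import tempfile
from pathlib import Path

# Names taken from the post: the dropper lived under
# Local Settings\Application Data\Google\Desktop\Install\{....}\...,
# in folders named U and L, with files named "@" and "GoogleUpdate.exe".
INSTALL_SUBPATH = Path("Local Settings") / "Application Data" / "Google" / "Desktop" / "Install"
SUSPECT_DIRS = {"U", "L"}
SUSPECT_FILES = {"@", "GoogleUpdate.exe"}
# Assumption: the {....} folder from the post is a brace-wrapped GUID-style name.
GUID_DIR = re.compile(r"^\{[0-9A-Fa-f-]+\}$")


def scan_profile(profile_root):
    """Walk the Google Desktop install path of one user profile and return a
    list of (kind, relative_path) findings. Read-only: nothing is deleted."""
    profile_root = Path(profile_root)
    install_dir = profile_root / INSTALL_SUBPATH
    findings = []
    if not install_dir.is_dir():
        return findings
    for entry in install_dir.iterdir():
        # Only brace-named folders are walked; anything else under Install is ignored.
        if entry.is_dir() and GUID_DIR.match(entry.name):
            _walk(entry, profile_root, findings)
    return findings


def _walk(top, profile_root, findings):
    # os.walk's onerror hook turns a directory the current account cannot list
    # into an "access_denied" finding instead of silently skipping it; that
    # lock-out is exactly what the post describes for the dropper folders.
    def on_error(err):
        if isinstance(err, PermissionError):
            findings.append(("access_denied", _rel(Path(err.filename), profile_root)))

    for dirpath, dirnames, filenames in os.walk(top, onerror=on_error):
        here = Path(dirpath)
        for d in dirnames:
            if d in SUSPECT_DIRS:
                findings.append(("suspect_dir", _rel(here / d, profile_root)))
        for f in filenames:
            if f in SUSPECT_FILES:
                findings.append(("suspect_file", _rel(here / f, profile_root)))


def _rel(path, root):
    # Report paths the way they would appear on the XP box, backslash-separated.
    return str(path.relative_to(root)).replace(os.sep, "\\")


def build_sample_profile():
    """Create a constructed XP-style profile in a temp dir that mimics the
    layout from the post, plus benign neighbours that must not be flagged."""
    root = Path(tempfile.mkdtemp(prefix="xp_profile_"))
    guid = root / INSTALL_SUBPATH / "{9E4A3B2C-1D5F-4A6B-8C7D-0E1F2A3B4C5D}"  # constructed GUID
    for name in SUSPECT_DIRS:
        (guid / name).mkdir(parents=True)
    (guid / "U" / "@").write_bytes(b"")
    (guid / "L" / "GoogleUpdate.exe").write_bytes(b"")
    (guid / "L" / "README.txt").write_text("benign")        # ordinary file: ignored
    (root / INSTALL_SUBPATH / "notaguid" / "U").mkdir(parents=True)  # outside a {GUID}: ignored
    return root


if __name__ == "__main__":
    sample = build_sample_profile()
    for kind, rel in scan_profile(sample):
        print(f"{kind:14} {rel}")
```

Point `scan_profile` at `C:\Documents and Settings\username` on the affected machine (from an admin logon, or at the mounted profile from a rescue boot) and the findings list gives you what to quarantine or inspect; an `access_denied` entry is worth as much attention as a name match, because a user-profile folder that an administrator cannot list is itself abnormal.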



.Brian

Is this the tool you tried?

https://www.symantec.com/security_response/writeup...

Have you tried running a full scan in safe mode?

Symantec removal writeup is here:

https://www.symantec.com/security_response/writeup...

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

BeeMac

Hi Brian81. Thanks for your reply. The FixTool that I tried is the one that you linked to above.

I tried running a full scan in safe mode. It found nothing, which does not surprise me. The full scan in normal mode found nothing and I have since removed what I believe to be the only copy of the dropper files.

I re-read the removal writeup and ran Norton Power Eraser. This identified a few things which it didn't like and I removed those.

Windows Security Centre still tells me that I have no firewall or antivirus running, while these are both still running and appear to be active. I am unsure how to fix this problem apart from removing and reinstalling these applications in the hope that the notifications will disappear.

So far I am unable to identify any files that have been damaged.