
Trojan.Zeroaccess problem

Created: 01 Nov 2011 • Updated: 02 Nov 2011 | 16 comments
This issue has been solved. See solution.

We had a PC experiencing some very slow internet issues along with some very slow printing issues.

I checked the SEP logs and found it had detected "Trojan.Zeroaccess" but it didn't appear to have done anything with it; it wasn't quarantined, cleaned or deleted, even though I couldn't find the suspect file (1005222551:1753552324.exe).

I also noticed the Anti-Virus / Anti-spyware protection was "off"; the Proactive Threat protection was "off"; the email scanner and Outlook scanners were disabled too. I wasn't able to fix any of those problems. My definitions were also about a week out of date.

Another thing I noticed was our 'firewall' logs were showing this PC trying to go out to several servers on the internet utilizing port 21810; fortunately it was being blocked from using that port.

I decided to do a complete uninstall and re-install of the software, using cleanwipe, assuming a clean install would load, scan and detect any issues and fix my problem.

Now SEP 11 will not install; Symantec Updater installs but the actual software doesn't get installed. I ran the Power Eraser and it found a file and removed it; it appears to have stopped trying to access the web through port 21810 but I still can't install SEP (won't install).

The Trojan.Zeroaccess appears to have shut down my original installation of SEP and now won't let me re-install it.

Any suggestions as to what to do next?

SEPM - 11.06100.645

SEP - 11.0.6005.562

Windows XPpro SP3




Swapnil khare's picture

Above is the write-up and below is the tool, which you can download and run.

Also, in the SEP scan log, check whether there is any other brother virus on this machine which has not been removed.

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

bfordz's picture

Thanks for the quick reply; I've got the write up and I've downloaded the "symantec power eraser".

The Power Eraser has removed the trojan, the best I can tell, with the exception that I "can't" reinstall SEP, or I should say it "won't" / doesn't install. The PC seems to be running better, plus I don't see this client PC trying to access random IPs/servers through port 21810 any more.

I can push the install files out from SEPM and it says it completes but when I go out to the client, SEP is not installed. Microsoft Security is telling me I don't have any Anti-Virus installed.

Live update gets installed (per add/remove programs) but Symantec Endpoint Protection does NOT.

Is the Norton Power Eraser going to work any differently or better; wouldn't it be the same thing as Symantec Power Eraser?

Chetan Savade's picture


Scan your system by mapping drives from a remote SEP machine (which should have the latest definitions).

You can also create a SERT disk to scan your system.

How To Use the Symantec Endpoint Recovery Tool with the Latest Virus Definitions
I hope you are using the latest cleanwipe version; I think the latest version is 6.3.
Also check the SEP_Inst logs; you will find them under the %temp% directory.

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

bfordz's picture


Sorry to have to say I am not using the latest version of cleanwipe...v3; sorry!

I don't remember, where can I get the latest version? Since using SEP I haven't had this type of an issue, so when something does happen I'm not expecting such problems.

I'm working on creating a SERT disc with the latest definitions; never needed it until now.

I have yet to look at the logs but will be doing so this morning.


Mithun Sanghavi's picture


In your case, you can surely use the SERT Tool. A "Thumbs Up" to Chetan's Comment.

Symantec does have definitions which protect against Trojan.Zeroaccess.  Details on this threat can be found at

If you believe you have discovered a new, undetected variant, please do submit the suspicious files to Security Response as described above and contact Technical Support. Until new definitions are available, the steps in the following article will help:

Best practices for troubleshooting viruses on a network

Article: TECH122466 | Created: 2010-01-15 | Updated: 2011-08-02 |

Article URL

If any file is not detected as a threat and other AVs are detecting it as a threat, you can open a Support case after submitting the file with the Tracking Number.

Mithun Sanghavi
Associate Security Architect


Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Vikram Kumar-SAV to SEP's picture

Cleanwipe will not help over here

Install and run Norton Power Eraser and scan using first option that reboots and scans for rootkit.

Vikram Kumar

Symantec Consultant

The most helpful part of the entire Symantec Connect is the Search; use it.

Swapnil khare's picture

I agree with Vikram; as posted by me earlier, Norton Power Eraser will scan and look for rootkits, if any.

For re-installing SEP on this machine, I would suggest you follow manual removal instead of Cleanwipe,

and then install SEP.

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

bfordz's picture

"Cleanwipe will not help over here";  I'm not sure what you mean by that?

I used the Symantec Power Eraser earlier; it found and fixed a file on the computer, which at that point made it run better and it "stopped" trying to go out to the internet on port 21810.

Is the "Norton" Power Eraser different and/or better?

Should I still download and run the "Norton"power eraser?

I did create and run a SERT along with current definitions (dated 11/01/2011); it found and fixed "Trojan.Zeroaccess" (again).

Can I assume the "trojan.zeroaccess" is gone and should I follow the "manual removal" of SEP before trying to re-install it?

I also have a copy of the SEP_Inst log if it would do any good; I have no clue how to read what it's telling me.


Swapnil khare's picture

Hello Brad ,

Please upload install logs

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

bfordz's picture

Here's a copy of the SEP install log.

SEP_INST.odt 279.8 KB
Swapnil khare's picture

Log analysis

Error 1321.The Installer has insufficient privileges to modify the file C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe.

MSI (s) (10:FC) [20:42:05:515]: User policy value 'DisableRollback' is 0

MSI (s) (10:FC) [20:42:05:515]: Machine policy value 'DisableRollback' is 0

Action ended 20:42:05: InstallFinalize. Return value 3.

MSI (s) (10:FC) [20:42:05:546]: Executing op: Header(Signature=1397708873,Version=301,Timestamp=1063363882,LangId=1033,Platform=0,ScriptType=2,ScriptMajorVersion=21,ScriptMinorVersion=4,ScriptAttributes=1)

MSI (s) (10:FC) [20:42:05:546]: Executing op:  

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.
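Reading a verbose MSI log by hand is tedious. The following PowerShell script is an added example, not code from the thread or from Symantec: it pulls out every "Error NNNN." line and every action that ended with "Return value 3" (Windows Installer's code for a failed action) from a log like the SEP_Inst log analysed above. The log path is an assumption; when no log is found it falls back to a sample constructed from the three lines quoted in the post.

```powershell
# Added example, not from the thread or from Symantec: triage a verbose MSI log such
# as the SEP_Inst log posted above. $LogPath is a hypothetical location; point it at
# the real SEP_Inst*.log under %temp%. With no file present, a constructed sample
# built from the lines quoted in this thread is used instead.
param([string]$LogPath = (Join-Path $env:TEMP 'SEP_INST.LOG'))

function Get-MsiLogFailures {
    param([string[]]$Lines)
    $errors = @()
    $failed = @()
    foreach ($line in $Lines) {
        # "Error 1321.The Installer has insufficient privileges to modify the file ..."
        if ($line -match 'Error (\d{4})\.(.*)$') {
            $errors += New-Object PSObject -Property @{
                Code   = [int]$Matches[1]
                Detail = $Matches[2].Trim()
            }
        } elseif ($line -match 'Action ended [\d:]+: (\w+)\. Return value (\d+)\.') {
            # "Action ended 20:42:05: InstallFinalize. Return value 3." (3 = action failed)
            if ([int]$Matches[2] -eq 3) { $failed += $Matches[1] }
        }
    }
    New-Object PSObject -Property @{ Errors = $errors; FailedActions = $failed }
}

if (Test-Path $LogPath) {
    $lines = Get-Content -Path $LogPath
} else {
    # Constructed sample: the lines quoted in this thread's log analysis.
    $lines = @(
        'Error 1321.The Installer has insufficient privileges to modify the file C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe.',
        "MSI (s) (10:FC) [20:42:05:515]: User policy value 'DisableRollback' is 0",
        'Action ended 20:42:05: InstallFinalize. Return value 3.'
    )
}

$result = Get-MsiLogFailures -Lines $lines
foreach ($e in $result.Errors) {
    Write-Output ("MSI error {0}: {1}" -f $e.Code, $e.Detail)
}
foreach ($a in $result.FailedActions) {
    Write-Output ("Failed action: {0}" -f $a)
}
# Error 1321 on a file under the old SEP folder means Windows Installer could not
# replace a leftover file; in this thread the fix was removing the stale Symantec
# folders before reinstalling.
```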

Swapnil khare's picture


On the machine in question,
  • Delete the following folders,

C:\Program Files\Symantec
C:\Program Files\Common Files\Symantec Shared
C:\Documents and Settings\All Users\Application Data\Symantec

  • Reboot the machine and try to install the Symantec Endpoint Protection client.
  • Installation should be successful without any errors

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Swapnil khare's picture

Once the above is done, then follow the below:

Make sure to delete the pending file key and the image file key from the registry locations as below.

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager - in the right pane, find the Pending file rename key and delete it.

For the image file, as below:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

Delete the entire Image File Execution Options key.

Make sure to back up the registry before making changes,

and then the install of SEP should work. All the best.

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.
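The registry clean-up from the post above, as an added PowerShell example (not from the thread or from Symantec) that backs up both keys before changing anything, lists what is queued in PendingFileRenameOperations, and removes only the IFEO subkeys that carry a Debugger value rather than the whole key. The backup folder and the allow list are assumptions.

```powershell
# Added example, not from the thread or from Symantec: back up, list and clean the two
# registry locations named in the post above. Run from an elevated PowerShell prompt.
# Unlike the post, it removes only IFEO subkeys that carry a "Debugger" value (the
# value that redirects a program's launch to another executable), not the whole key.
# $BackupDir and $Allowed are assumptions; adjust them for your environment.
$IfeoKey    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$SessionKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$BackupDir  = Join-Path $env:TEMP ('reg-backup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
$Allowed    = @()   # IFEO entries you configured deliberately and want to keep

# Back up both keys before touching them, as the post advises (reg.exe uses HKLM\ paths).
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
reg.exe export 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options' (Join-Path $BackupDir 'ifeo.reg') | Out-Null
reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager' (Join-Path $BackupDir 'session-manager.reg') | Out-Null

# 1. PendingFileRenameOperations: show what is queued for the next boot, then clear it.
#    Empty entries in this REG_MULTI_SZ value mark a queued deletion, so they are skipped.
$pending = (Get-ItemProperty -Path $SessionKey -Name PendingFileRenameOperations `
            -ErrorAction SilentlyContinue).PendingFileRenameOperations
if ($pending) {
    Write-Output 'Queued file renames:'
    $pending | Where-Object { $_ } | ForEach-Object { Write-Output "  $_" }
    Remove-ItemProperty -Path $SessionKey -Name PendingFileRenameOperations
} else {
    Write-Output 'No PendingFileRenameOperations value present.'
}

# 2. IFEO: report every subkey that has a Debugger value and remove those not allowed.
foreach ($sub in Get-ChildItem -Path $IfeoKey) {
    $dbg = (Get-ItemProperty -Path $sub.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        Write-Output ("{0} -> Debugger = {1}" -f $sub.PSChildName, $dbg)
        if ($Allowed -notcontains $sub.PSChildName) {
            Remove-Item -Path $sub.PSPath -Recurse
        }
    }
}
```

Review the printed Debugger entries before trusting the allow list: a legitimate debugger entry names a tool you installed on purpose.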

bfordz's picture


I did as you suggested in the last two posts;

I deleted the Symantec files / folders you suggested

Then SEP installed without issues and I did the requested reboot (per SEPM), I then deleted the "image file execution option" in the registry; I didn't find the "pending file key" to delete.

THANK YOU ALL for you replies and assistance, it has been greatly appreciated.

SEP is installed and updated to the current definitions, and the PC client is running well and NOT trying to go out to the internet on its own.


Machine Translation's picture



I checked the SEP logs and found it had detected "Trojan.Zeroaccess", but it didn't seem to have done anything; it wasn't quarantined, cleaned or deleted, and I couldn't find that suspicious file (1005222551:1753552324.exe).

I also noticed the Anti-Virus/Anti-spyware protection was "off"; the Proactive Threat Protection was "off"; the email scanner and Outlook scanner had been disabled. I wasn't able to fix these problems. My virus definitions were about a week out of date.

Another thing I noticed was our 'firewall' logs showing this PC trying to connect to several servers on the internet using port 21810; fortunately it was blocked from using that port.

I decided to completely uninstall and reinstall the software using cleanwipe, assuming a clean install would load, scan and detect any issues and fix my problem.

Now SEP 11 does not get installed; the Symantec updater installs, but the actual software isn't installed. I ran Power Eraser, and it found a file and removed it; it seems to have stopped trying to access the web through port 21810, but SEP still can't be installed (doesn't install).

Trojan.Zeroaccess seems to have shut down the original installation of SEP and now won't let me reinstall it.



SEP - 11.0.6005.562

Windows XPpro SP3



C:\Program Files\Symantec
C:\Program Files\Common Files\Symantec Shared
C:\Documents and Settings\All Users\Application Data\Symantec



HKLM\SYSTEM\CurrentControlSet\Control\Session Manager - in the right pane, the pending file rename key; delete it


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options



Then installing SEP should work without problems.

Machine Translation Tester.

Swapnil khare's picture

Hello Brad,

Nice to hear your issue is fixed.

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.