
Trojan.Zeroaccess problem

Created: 01 Nov 2011 • Updated: 02 Nov 2011 | 16 comments
This issue has been solved. See solution.

We had a PC experiencing some very slow internet issues along with some very slow printing issues.

I checked the SEP logs and found it had detected "Trojan.Zeroaccess" but it didn't appear to have done anything with it; it wasn't quarantined, cleaned or deleted, even though I couldn't find the suspect file (1005222551:1753552324.exe).

I also noticed the Anti-Virus / Anti-spyware protection was "off"; the Proactive Threat protection was "off"; the email scanner and Outlook scanners were disabled too. I wasn't able to fix any of those problems. My definitions were also about a week out of date.

Another thing I noticed was that our 'firewall' logs were showing this PC trying to go out to several servers on the internet utilizing port 21810; fortunately it was being blocked from using that port.

I decided to do a complete uninstall and re-install of the software, using cleanwipe, assuming a clean install would load, scan and detect any issues and fix my problem.

Now SEP 11 will not install; Symantec Updater installs but the actual software doesn't get installed. I ran the Power Eraser and it found a file and removed it; it appears to have stopped trying to access the web through port 21810 but I still can't install SEP (won't install).

The Trojan.Zeroaccess appears to have shut down my original installation of SEP and now won't let me re-install it.

Any suggestions as to what to do next?

SEPM - 11.06100.645

SEP - 11.0.6005.562

Windows XPpro SP3

 

TIA,

Brad

16 Comments

Swapnil khare:

http://www.symantec.com/security_response/writeup.jsp?docid=2011-071314-0410-99

Above is the write-up, and below is the tool which you can download and run:

http://security.symantec.com/nbrt/npe.aspx?lcid=1033

Also, in the SEP scan log, check whether there is any other related virus on this machine which has not been removed.

 

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

 

bfordz:

Thanks for the quick reply; I've got the write-up and I've downloaded the "Symantec Power Eraser".

The Power Eraser has removed the trojan, as best I can tell, with the exception that I "can't" reinstall SEP, or I should say it "won't" / doesn't install. The PC seems to be running better, plus I don't see this client PC trying to access random IPs/servers through port 21810 any more.

I can push the install files out from SEPM and it says it completes but when I go out to the client, SEP is not installed. Microsoft Security is telling me I don't have any Anti-Virus installed.

Live update gets installed (per add/remove programs) but Symantec Endpoint Protection does NOT.

Is the Norton Power Eraser going to work any differently or better; wouldn't it be the same thing as Symantec Power Eraser?

Chetan Savade:

Hi,

Scan your system by mapping drives from a remote SEP machine (it should have the latest definitions).

You can also create a SERT disk to scan your system.

How To Use the Symantec Endpoint Recovery Tool with the Latest Virus Definitions

http://www.symantec.com/business/support/index?page=content&id=TECH131732&locale=en_US
 
I hope you are using the latest CleanWipe version. I think the latest version is 6.3.
 
Also check the SEP_Inst logs; you will find them under the %temp% directory.

Chetan Savade
Sr Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |


bfordz:

Chetan,

Sorry to have to say I am not using the latest version of cleanwipe...v3; sorry!

I don't remember, where can I get the latest version? Since using SEP I haven't had this type of an issue, so when something does happen I'm not expecting such problems.

I'm working on creating a SERT disc with the latest definitions; never needed it until now.

I have yet to look at the logs but will be doing so this morning.

Brad

Mithun Sanghavi:

Hello,

In your case, you can surely use the SERT Tool. A "Thumbs Up" to Chetan's comment.

Symantec does have definitions which protect against Trojan.Zeroaccess.  Details on this threat can be found at http://www.symantec.com/security_response/writeup.jsp?docid=2011-071314-0410-99

If you believe you have discovered a new, undetected variant, please do submit the suspicious files to Security Response as described above and contact Technical Support. Until new definitions are available, the steps in the following article will help:

Best practices for troubleshooting viruses on a network

Article: TECH122466 | Created: 2010-01-15 | Updated: 2011-08-02 |

Article URL http://www.symantec.com/docs/TECH122466

If any file is not detected as a threat and other AVs are detecting it as a threat, you can open a Support case after submitting the file, with the Tracking Number.

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3


Vikram Kumar-SAV to SEP:

Cleanwipe will not help over here.

Install and run Norton Power Eraser and scan using the first option, which reboots and scans for rootkits.

http://security.symantec.com/nbrt/npe.aspx?

Vikram Kumar

Symantec Consultant

The most helpful part of the entire Symantec Connect is the Search button.. do use it.

Swapnil khare:

I agree with Vikram; as I posted earlier, Norton Power Eraser will scan and look for rootkits, if any.

 

For re-installing SEP on this machine, I would suggest you follow the manual removal instead of Cleanwipe: http://www.symantec.com/business/support/index?page=content&id=TECH102261

and then install SEP.

 


 

bfordz:

"Cleanwipe will not help over here";  I'm not sure what you mean by that?

I used the Symantec Power Eraser earlier; it found and fixed a file on the computer, which at that point made it run better and it "stopped" trying to go out to the internet on port 21810.

Is the "Norton" Power Eraser different and/or better?

Should I still download and run the "Norton" Power Eraser?

I did create and run a SERT along with current definitions (dated 11/01/2011); it found and fixed "Trojan.Zeroaccess" (again).

Can I assume the "trojan.zeroaccess" is gone and should I follow the "manual removal" of SEP before trying to re-install it?

I also have a copy of the SEP_Inst log if it would do any good; I have no clue how to read what it's telling me.

 

Brad

Swapnil khare:

Hello Brad,

Please upload the install logs.

 


 

bfordz:

Here's a copy of the SEP install log.

Attachment: SEP_INST.odt (279.8 KB)

Swapnil khare:

Log analysis

Error 1321.The Installer has insufficient privileges to modify the file C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe.

MSI (s) (10:FC) [20:42:05:515]: User policy value 'DisableRollback' is 0

MSI (s) (10:FC) [20:42:05:515]: Machine policy value 'DisableRollback' is 0

Action ended 20:42:05: InstallFinalize. Return value 3.

MSI (s) (10:FC) [20:42:05:546]: Executing op: Header(Signature=1397708873,Version=301,Timestamp=1063363882,LangId=1033,Platform=0,ScriptType=2,ScriptMajorVersion=21,ScriptMinorVersion=4,ScriptAttributes=1)

MSI (s) (10:FC) [20:42:05:546]: Executing op:  

 


 

Swapnil khare:

Solution

 

On the machine in question,
  • Delete the following folders,

C:\Program Files\Symantec
C:\Program Files\Common Files\Symantec Shared
C:\Documents and Settings\All Users\Application Data\Symantec

  • Reboot the machine and try to install the Symantec Endpoint Protection client.
  • Installation should be successful without any errors.

 


 

Swapnil khare:

Once the above is done, follow the steps below:

Make sure to delete the pending file key and the image file key from the registry locations below.

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager: in the right pane, find the pending file rename key and delete it.

For the image file key, as below:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

Delete the entire Image File Execution Options key.

 

Make sure to back up the registry before making changes,

and then installing SEP should work. All the best.

 

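As an added example (not part of this thread or of any Symantec tool), the PowerShell below inspects and exports the two registry locations named in the post before anything is deleted, so you can see what is there and roll back if needed. It assumes an elevated PowerShell prompt on the affected Windows machine; the "pending file rename key" the post refers to is the PendingFileRenameOperations value, and the backup folder under %TEMP% is an arbitrary choice.

```powershell
# Added example, not from the thread. Audits and backs up the two registry
# locations the post says to clear, so you know what you are deleting.
# Assumes Windows, PowerShell 2.0 or later, and an elevated prompt.
$backupDir = Join-Path $env:TEMP 'sep-reinstall-regbackup'   # assumed location
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# 1. The "pending file key": the PendingFileRenameOperations value under
#    Session Manager lists file renames/deletes Windows performs at next boot.
$smPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$pending = (Get-ItemProperty -Path $smPath -ErrorAction SilentlyContinue).PendingFileRenameOperations
if ($pending) {
    Write-Host 'PendingFileRenameOperations currently contains:'
    $pending | Where-Object { $_ -ne '' } | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Host 'No PendingFileRenameOperations value is present (nothing to delete).'
}

# 2. Image File Execution Options: a subkey named after an executable that
#    carries a Debugger value makes Windows launch that "debugger" instead of
#    the program, so a stale or planted entry can stop an installer or an AV
#    service from ever starting. List every subkey that has one.
$ifeoPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -Path $ifeoPath -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { Write-Host ("IFEO {0} -> Debugger = {1}" -f $_.PSChildName, $dbg) }
}

# 3. Export both keys with reg.exe (the post's "back up the registry" step)
#    before any deletion. Old export files are removed first so reg.exe does
#    not stop to ask about overwriting them.
$exports = @{
    'SessionManager.reg' = 'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager'
    'IFEO.reg'           = 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
}
foreach ($name in $exports.Keys) {
    $file = Join-Path $backupDir $name
    Remove-Item -Path $file -ErrorAction SilentlyContinue
    & reg.exe export $exports[$name] $file | Out-Null
    if (Test-Path $file) { Write-Host "Exported $($exports[$name]) -> $file" }
    else { Write-Warning "Export failed for $($exports[$name])" }
}
```

Run it once before following the post's deletion steps; the two .reg files can be re-imported with reg.exe import if the re-install still fails and you need the previous state back.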

 

SOLUTION
bfordz:

Swapnil,

I did as you suggested in the last two posts:

I deleted the Symantec files / folders you suggested.

Then SEP installed without issues and I did the requested reboot (per SEPM). I then deleted the "image file execution option" in the registry; I didn't find the "pending file key" to delete.

 

THANK YOU ALL for your replies and assistance; it has been greatly appreciated.

SEP is installed and updated to the current definitions, and the PC client is running well and NOT trying to go out to the internet on its own.

Brad


Swapnil khare:

Hello Brad,

Nice to hear your issue is fixed.

 
