
Zeroaccess!inf infestation help

Created: 02 Aug 2012 | 10 comments

One of the computers on our network, running an updated version of Endpoint Protection for Small Business, contracted the ZeroAccess!inf Trojan, and none of the removal/remediation solutions I've tried have worked so far.  Computer is running Win7--32bit, is off the network (both by choice and by the virus' actions) and shows only two files as infected:  tdx.sys and afd.sys, both in the \windir\system32\drivers directory.

I tried Power Eraser (it ran but didn't find anything to remediate) and the FixZeroAccess.exe tool (it starts, gets through EULA acceptance, but when you click proceed, Windows indicates that it has stopped working), to no avail.  What can I try next?  (I've read quite a bit of documentation and online help, but the consensus seems to be that each one of these infestations is unique and requires some more technical ability than I have.)


Thomas K

Have you tried the Trojan.Zeroaccess removal tool?

This tool is designed to remove the infections of Trojan.Zeroaccess and Trojan.Zeroaccess.B.

http://www.symantec.com/security_response/writeup....

Steelerman37

Yes, that's the tool that starts then is terminated.  I copied it into the C: root, ran the tool via CMD and it terminates after the EULA has been accepted, and the "Proceed" button has been pushed.  Tried three times before I gave up.  Also, the Power Eraser Tool can't do a scan since the computer is off the network.  (The Scan option is apparently dependent on network connectivity, which is unavailable due to the Trojan affecting the network drivers.)

Steelerman37

Would love to use that tool, only SEP 12 users are no longer able to download it from fileconnect.  If I were SEP11, I'd be able to, but subscribing to a newer version of Endpoint Protection makes the SERT tool unavailable for download.  Counter-intuitive, but the way Symantec decided to proceed.

Thomas K

The Norton Bootable is the consumer equivalent. Give it a try, and let us know the outcome.

Steelerman37

Tried, but the download (and subsequent boot process) requires either an ISP or store-purchased Product Key.  Since mine is through the Small Business Edition, my serial numbers don't work.  I've read about SEP 12 users getting access to SERT (and FileConnect), but haven't seen how I'm supposed to open a case in that situation.  Any other ideas?

Can_A

Hello Steelerman37,

Try a scan in Safe Mode and check if that works.

--Cheers--

Fabiano.Pessoa

  1. Insert the disc into the CD/DVD drive.
  2. cd %System%\drivers [SYS FILES]
  • expand [CD/DVD DRIVE]:\Windows\[DETECTED FILE NAME].[dl or sy]_ [DETECTED FILE NAME].[dll or sys]

    For example:
    cd c:\windows\system32\drivers
    expand d:\Windows\serial.sy_ serial.sys

  1. For users with a recovery partition:
     Refer to your computer manufacturer's documentation for the location of the backup system files.
  2. cd %System%\drivers [SYS FILES]
  • expand [DRIVE LETTER]:\[SYSTEM FILES FOLDER]\[DETECTED FILE NAME].[dl or sy]_ [DETECTED FILE NAME].[dll or sys]

    For example:
    cd c:\windows\system32\drivers
    expand f:\Windows\serial.sy_ serial.sys

  1. Repeat the above step for each SYS or DLL file affected.
  2. Close the Command Prompt window.
  3. Click Restart on the System Recovery Options menu. The computer will now restart.

Fabiano Pessoa

Systems Analyst - Forensic Expert
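The steps above restore one driver at a time by hand. The batch script below, written for this page as an added example (it is not from Fabiano's post, from the original thread, or from Symantec), does the same job for a list of detected files from a System Recovery Options command prompt: it keeps a copy of each suspect file in a quarantine folder for later analysis, expands the compressed original from the media with an explicit destination name, and reports whether the restored file exists. The media path `d:\Windows`, the offline drivers directory, the quarantine folder and the two file names (taken from the original question) are assumptions; adjust them to your layout.

```batch
@echo off
rem Added example, not code from the original thread: restore clean copies of
rem driver files from compressed install media (NAME.sy_ / NAME.dl_) inside
rem the System Recovery Options command prompt.
rem Assumptions: SRC holds the compressed originals, TARGET is the offline
rem Windows drivers directory, QUARANTINE is where suspect copies are kept.
setlocal enabledelayedexpansion

set "SRC=d:\Windows"
set "TARGET=c:\windows\system32\drivers"
set "QUARANTINE=c:\quarantine"

rem Files named as infected in the original question; add more as detected.
set "FILES=tdx.sys afd.sys"

if not exist "%QUARANTINE%" mkdir "%QUARANTINE%"

for %%F in (%FILES%) do (
    rem Derive the compressed name: drop the last extension character, add "_"
    set "NAME=%%~nF"
    set "EXT=%%~xF"
    set "CEXT=!EXT:~0,-1!_"
    set "COMPRESSED=%SRC%\!NAME!!CEXT!"

    if not exist "!COMPRESSED!" (
        echo [SKIP] !COMPRESSED! not found on the media
    ) else (
        rem Preserve the suspect copy instead of silently overwriting it
        if exist "%TARGET%\%%F" (
            copy /y "%TARGET%\%%F" "%QUARANTINE%\%%F.suspect" >nul
        )
        rem expand needs an explicit destination when -r is not used
        expand "!COMPRESSED!" "%TARGET%\%%F" >nul
        if exist "%TARGET%\%%F" (
            echo [OK]   %%F restored from !COMPRESSED!
        ) else (
            echo [FAIL] %%F could not be expanded
        )
    )
)
endlocal
```

Run it from the recovery command prompt after confirming the drive letters (they often differ from the booted system's), then restart as in step 3. The quarantined `.suspect` copies are what you would hand to an analyst or submit to Symantec if the infection needs to be confirmed.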

.Brian

Have you tried in safe mode?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.