
Zeroaccess variants



#1 fishmong3r
Posted 03 August 2012 - 10:59 AM

Dear All,
All the machines I will write about are running Symantec Endpoint Protection 11.0.7000.975.
So. I'm managing a couple of machines, mainly workstations running the above security tool. Every day I see a couple of new ZeroAccess infections like:
Trojan.Zeroaccess
Trojan.Zeroaccess!inf
Trojan.Zeroaccess.B
etc.

Regarding the symptoms I can distinguish three different variations:
1.
'C:\Windows\System32\services.exe' is not infected. Usually the files below have been reported:
C:\Windows\Installer\*randomcharacters*\n
C:\Windows\Installer\*randomcharacters*\@
C:\Windows\Installer\*randomcharacters*\L\00000004.@
C:\Windows\Installer\*randomcharacters*\U\80000032.@
C:\Users\*username*\AppData\Local\*randomcharacters*\n
C:\Users\*username*\AppData\Local\*randomcharacters*\@
etc.
This version can be cleaned by SEP without any issue. Remnant folders can be deleted manually.

2.
All or some of the above files have been reported, plus 'C:\Windows\System32\services.exe'.
In this specific case I can't delete 'services.exe', as it's a core system file, and if I try to kill the process Windows crashes.
What I can do is simply rename it, for example to 'q.exe'. In this case I'm able to choose the 'Permanently Delete' option in SEP for that 'q.exe'. It offers to kill the process. At this point Windows immediately reboots with an error message like 'Windows encountered a critical error...'. On boot, system repair starts and restores 'services.exe'. After logon I can delete 'q.exe'; the restored 'services.exe' is obviously OK. After deleting all the remnants, no tool can find any further infection.

3.
This seems to be the very same as the second one, except that I'm unable to even rename 'services.exe'. It says something like I have no permission.
I'm stuck with this one. I could easily fix it locally, but I have to take care of these machines remotely.

Common things:
Only SEP can see the infected files, but can't remove them.

Tools I've run to clean up, which failed:
Hitman
Spybot
Malwarebytes Antimalware
TDSSKiller
RootKit Buster
Symantec's FixZeroaccess

Tools I've tried to unlock/rename/remove 'services.exe':
OTL - could remove every other file except 'services.exe' (prepared a custom script as per SystemLook's output, also tried a scan)
Unlocker
MoveOnBoot
FileASSASSIN

So my question is: is there any solution that doesn't involve the user too much and can be carried out remotely? So no flash drive tools, manual system repair initiations, etc.
Also, it will be hard to get log files from any tools, or at least it will take a while, as half of these issues have been resolved and half have been re-imaged.
Your help is much appreciated.

Best Regards,
fishmong3r
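A remote triage script for the three symptom patterns described in the post, added here as an example and not something posted in the thread. It assumes PowerShell remoting (WinRM) is enabled on the workstations, that $knownGoodHash holds the SHA-256 of services.exe copied from a clean machine of the same image, and that the hostnames are placeholders.

```powershell
# Added example (not from the thread): classify each remote workstation by the
# symptom pattern in the original post. Assumes WinRM is enabled on the targets.
$targets       = @('WS-001', 'WS-002')              # hypothetical hostnames
$knownGoodHash = '<SHA256 of services.exe from a clean machine of the same image>'

$triage = {
    param($goodHash)
    $hits = @()
    # Variant 1 artifacts: a random-named folder holding files 'n' and '@'
    # (plus 'L'/'U' subfolders) under C:\Windows\Installer or %LOCALAPPDATA%.
    $roots = @("$env:SystemRoot\Installer")
    Get-ChildItem "$env:SystemDrive\Users" -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object { $roots += (Join-Path $_.FullName 'AppData\Local') }
    foreach ($root in $roots) {
        Get-ChildItem $root -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer } |
            ForEach-Object {
                $d = $_.FullName
                if ((Test-Path (Join-Path $d 'n')) -and (Test-Path (Join-Path $d '@'))) {
                    $hits += $d
                }
            }
    }
    # Variants 2/3: services.exe itself is reported. Compare its hash with a
    # known-good copy; this works on Windows 7 too, where the file is
    # catalog-signed and Get-AuthenticodeSignature alone is not conclusive.
    $svc    = "$env:SystemRoot\System32\services.exe"
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($svc)
    $hash   = ([System.BitConverter]::ToString($sha.ComputeHash($stream))) -replace '-', ''
    $stream.Close()
    $svcOk  = ($hash -eq $goodHash.ToUpper())
    # Variant 3 (cannot even rename services.exe) is not distinguishable from
    # variant 2 by file state alone, so both are reported together.
    New-Object PSObject -Property @{
        Host       = $env:COMPUTERNAME
        ServicesOk = $svcOk
        Artifacts  = ($hits -join '; ')
        Variant    = if (-not $svcOk) { '2 or 3 (services.exe modified)' }
                     elseif ($hits)   { '1 (artifacts only)' }
                     else             { 'none found' }
    }
}

Invoke-Command -ComputerName $targets -ScriptBlock $triage -ArgumentList $knownGoodHash `
    -ErrorAction Continue |
    Select-Object Host, Variant, ServicesOk, Artifacts |
    Format-Table -AutoSize
```

Machines reporting '2 or 3' need the deeper log-based look the moderator asks for below; the script only narrows which machines to start with.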

#2 boopme
Posted 03 August 2012 - 11:06 AM

Hello, what is now needed is a deeper look to find what is protecting it.

Please go here: Preparation Guide, and do steps 6-9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If GMER won't run (it may not on a 64 bit system) skip it and move on.

Let me know if that went well.

#3 fishmong3r
Posted 03 August 2012 - 12:33 PM

Thank you for your response.
I'm talking about 50 machines, and as I said these are different variants. Which one would you like me to choose?

#4 boopme
Posted 03 August 2012 - 02:14 PM

Add that note to the topic and Start at the Main or first machine.