Posted 03 August 2012 - 10:59 AM
All the machines I will write about are running Symantec Endpoint Protection 11.0.7000.975.
So. I'm managing a couple of machines, mainly workstations, running the above security tool. Every day I can see a couple of new ZeroAccess infections like:
Regarding the symptoms, I can distinguish three different variations:
1) 'C:\Windows\System32\services.exe' is not infected. Usually the below files have been reported:
This version can be cleaned by SEP without any issue. Remnant folders can be deleted manually.
2) All, or some, of the above files have been reported, plus 'C:\Windows\System32\services.exe'.
In this specific case I can't delete 'services.exe', as it's a core system file, and if I try to kill the process Windows crashes.
What I can do is simply rename it, for example to 'q.exe'. Then I'm able to choose the option in SEP to 'Permanently Delete' that 'q.exe'. It offers to kill the process. At this point Windows immediately reboots with an error message like 'Windows encountered a critical error...'. On boot, system repair starts and restores 'services.exe'. After logon I can delete 'q.exe'; the restored 'services.exe' is obviously OK. After deleting all the remnants, no tool can find any further infection.
3) This seems to be the very same as the second one, except that I'm unable even to rename 'services.exe'. It says something like I have no permission.
I'm stuck with this one. I could easily fix it locally, but I have to take care of these machines remotely.
Only SEP can see the infected files, but can't remove them.
Tools I've run to clean up, which failed:
Tools I've tried to unlock/rename/remove 'services.exe':
OTL - Could remove every other file except 'services.exe' (prepared a custom script as per SystemLook's output, also tried a scan)
So my question is: Is there any solution where I don't need to involve the user too much and which can be carried out remotely? So no flash-drive tools / manual system repair initiations / etc.
Also it will be hard to get log files from any of the tools, or at least it will take a while, as half of these issues have been resolved and half have been re-imaged.
Your help is much appreciated.
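The script below is an added example and is not part of the original post or of any tool the poster mentions. It packages the remote triage a responder would want before repeating the rename-then-'Permanently Delete' step from variation 2 on a variation 3 machine: it checks whether services.exe is still Microsoft-signed, compares its hash with the component-store copy that sfc restores from, and reports the file's owner and any explicit Deny ACEs, which is one common reason a rename is refused even to an administrator (the post itself does not say why the rename fails). Only with -TakeOwnership does it take ownership, grant Administrators full control and perform the rename to q.exe. It assumes PowerShell remoting (WinRM) is enabled on the workstation, that the caller is a local administrator there, and the host name 'WS01' is a placeholder; the hashing uses .NET directly so it also runs on the PowerShell 2.0 that shipped with Windows 7.

```powershell
# Added example (not from the original post): remote triage of a services.exe that
# SEP flags but that cannot be renamed. Assumptions: WinRM remoting is enabled on the
# target, the caller is a local admin there, and 'WS01' is a placeholder host name.
param(
    [string]$ComputerName = 'WS01',
    [string]$Target = 'C:\Windows\System32\services.exe',
    [switch]$TakeOwnership   # only set this after reviewing the read-only report
)

$remote = {
    param($Path, $TakeOwnership)

    function Get-Sha256Hex ($File) {
        # .NET hashing instead of Get-FileHash so this also works on PowerShell 2.0
        $sha = [System.Security.Cryptography.SHA256]::Create()
        $bytes = $sha.ComputeHash([System.IO.File]::ReadAllBytes($File))
        return ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
    }

    $r = @{}

    # 1. Is the file still Microsoft-signed? A replaced or patched binary fails this.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $r['SignatureStatus'] = [string]$sig.Status
    if ($sig.SignerCertificate) { $r['Signer'] = $sig.SignerCertificate.Subject }

    # 2. Compare with the copy kept in the component store (WinSxS), which is where
    #    sfc / startup repair restore system files from.
    $sxs = Get-ChildItem 'C:\Windows\WinSxS' -Recurse -Filter 'services.exe' -ErrorAction SilentlyContinue |
           Select-Object -First 1
    try {
        if ($sxs) {
            $r['HashMatchesWinSxS'] = ((Get-Sha256Hex $Path) -eq (Get-Sha256Hex $sxs.FullName))
        } else {
            $r['HashMatchesWinSxS'] = 'no WinSxS copy found'
        }
    } catch {
        # A read failure here is itself a finding: the ACL may deny even Read.
        $r['HashMatchesWinSxS'] = "read failed: $($_.Exception.Message)"
    }

    # 3. Owner and explicit Deny ACEs: one common reason a rename is refused to an admin.
    $acl = Get-Acl -Path $Path
    $r['Owner'] = $acl.Owner
    $r['DenyRules'] = ($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' } |
        ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" }) -join '; '

    # 4. Optionally take ownership, grant Administrators full control and rename to q.exe,
    #    reproducing the manual step after which SEP can be asked to delete the file.
    if ($TakeOwnership) {
        & takeown.exe /F $Path | Out-Null
        & icacls.exe $Path /grant 'Administrators:F' | Out-Null
        try {
            Rename-Item -Path $Path -NewName 'q.exe' -ErrorAction Stop
            $r['Rename'] = 'renamed to q.exe'
        } catch {
            $r['Rename'] = "failed: $($_.Exception.Message)"
        }
    }

    New-Object PSObject -Property $r
}

Invoke-Command -ComputerName $ComputerName -ScriptBlock $remote -ArgumentList $Target, $TakeOwnership.IsPresent
```

Run it once without -TakeOwnership: a SignatureStatus other than Valid or a HashMatchesWinSxS of False corroborates what SEP reports, and a Deny ACE or an owner other than NT SERVICE\TrustedInstaller explains the "no permission" message. Only then rerun with -TakeOwnership and continue with the SEP 'Permanently Delete' on q.exe and the forced reboot described in the post; note that taking ownership alters the ACL of a protected system file, so expect the restored services.exe, not the renamed copy, to carry the correct ACL afterwards.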