Contributor
Damascus
Posts: 25
Registered: ‎01-12-2011
Accepted Solution

trojan.zeroaccess always there

NIS 2012 keeps finding the trojan.zeroaccess virus and tells me it's fixed and to reboot my computer. Whenever I do that, it tells me it's found the same virus and it's fixed and to reboot my computer. A complete scan found the bad file in C:\windows\assembly\gac\desktop.ini and continues to find it there every time I scan. First, I can't find such a subdirectory; my c:\windows\assembly folder only has one empty subfolder, called "download." I have hidden files and system files set to not be hidden, so I'm confused as to where this is. Second, how can I stop it from returning every time I turn on my computer? I ran the NPE, but it found nothing except some startup files that I know to be okay.

Bot Obliterator
Quads
Posts: 13,250
Registered: ‎07-21-2008

Re: trojan.zeroaccess always there

ANY other user other than the thread starter is not to use any instructions, scripts or procedures. The work though in cleaning a system is individual and only for that system due to a number of factors.

 


 

Please do not run any tools unless instructed to do so. 

  • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability. Do as the instructions ask, nothing extra, and don't run things twice.
  • If I ask a Question just answer it, don't run anything unless it states.
  • Major steps used:

1. Find

2. Break

3. Destroy

4. Cleanup  (including system as a whole)

 

Please read every post completely before doing anything. 

  • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

 

  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums (sometimes).

  • Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.

 

 

What is your Operating System and is it 32 bit or 64 bit??

 

Quads

Contributor
IanTheGreat
Posts: 27
Registered: ‎07-01-2012

Re: trojan.zeroaccess always there

Have you deleted your restore points ???

Only The Strong Survive , By Being Wise With No Compromise
Bot Obliterator
Quads
Posts: 13,250
Registered: ‎07-21-2008

Re: trojan.zeroaccess always there


IanTheGreat wrote:

Have you deleted your restore points ???



OK guys, we have a user that has no idea about how zeroaccess works and how it can affect Windows or netsvcs etc.

 

So don't follow info like this, there is a time and place for System Restore, sometimes after the removal.

 

Quads

Bot Obliterator
Quads
Posts: 13,250
Registered: ‎07-21-2008

Re: trojan.zeroaccess always there

Oh hahahaha I get more abuse, the user must be angry that he has been told system restore doesn't work with zeroaccess variants and doesn't like it.

 

I have notified the people that create our tools of the newest change with zeroaccess that does show.

 

I infect my system with the likes of zeroaccess all the time so I know what changes and what works or doesn't.

 

Quads

Contributor
Damascus
Posts: 25
Registered: ‎01-12-2011

Re: trojan.zeroaccess always there

Thank you Quads. I'm running Windows XP SP3, 32-bit.

Bot Obliterator
Quads
Posts: 13,250
Registered: ‎07-21-2008

Re: trojan.zeroaccess always there

Do you have a Black CD for Burning??

 

Quads

Contributor
Damascus
Posts: 25
Registered: ‎01-12-2011

Re: trojan.zeroaccess always there

Don't know what "black" CD means. I have blank CDs, if that's what you meant to type. I will also be away from this computer until Tuesday, so take your time. And thanks again for the assistance.

Contributor
Damascus
Posts: 25
Registered: ‎01-12-2011

Re: trojan.zeroaccess always there

Forgot to tell you what I already tried. I booted Ubuntu as my O/S and found the GAC subfolder and desktop.ini file. I deleted it and rebooted with no issues. When I reboot again, the problem returns, as if the virus is hidden and creating the bad desktop.ini over and over.

Bot Obliterator
Quads
Posts: 13,250
Registered: ‎07-21-2008

Re: trojan.zeroaccess always there


That's the difference, I know what I am doing. XP needs a PE environment for FRST, where Vista and Windows 7 do not.

 

I will split this step

 

a)  Please download http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/   You need to download the 32bit version.


Transfer it on to the Flash Drive ready.

 

b)  Download  hxxp://oldtimer.geekstogo.com/OTLPENet.exe    to your desktop  (change the xx to tt)

 

Ensure that you have a blank CD in the drive

Double click OTLPENet.exe and this will then open imgburn to burn the file to CD for you ready.

 

Quads