Recurring Trojan.Gen.2 and Hacktool.Rootkit Messages

Hoping someone can help.  I keep getting messages similar to this: 

Scan type: Auto-Protect Scan
Event: Security Risk Found!
Security risk detected: Trojan.Gen.2
File: C:\Windows\Installer\{a54b25a2-2196-0a20-fab7-cb13bc4924cd}\U\80000032.@
Location: Quarantine
Computer:
User: SYSTEM
Action taken: Quarantine succeeded : Access denied
Date found: Wednesday, May 30, 2012 10:30:19 PM

I have tried a full scan with Symantec antivirus as well as the downloadable rootkit tool from Norton, but I keep getting the same messages every time I restart.  Any ideas?

What is your Windows, including 32 or 64 bit??

Quads

I have Windows 7 64-bit.

I get a new set of messages about Trojan.Gen.2 and Hacktool.Rootkit around every 5 minutes.  At the same time Malwarebytes blocks something trying to access outside IP addresses.

Malwarebytes Realtime and Norton together is a NO.

Quads

OK, I stopped Malwarebytes but I am still receiving the messages from Symantec.  Thank you for replying Quads.  I just read a post that you helped another user with a similar issue.  I'm afraid to try running the things you suggested though because of all the warnings.

dibrown

C:\Users\t[username]\AppData\Local\{[Numbers]}

C:\WINDOWS\Installer\{[Numbers]}

The numbers are the same for both locations. Norton has detected one; I need the username the other one is under.

Quads

My user name is David.  I can't seem to find the numbers file in the directory you mentioned.  Is it hidden somehow?  Thanks.

dibrown

Is your system set to show hidden files and folders etc.??

It may be under / in someone else's user account.

Quads

I can't find it in any user account.  I only have my own, Default and Public.  I verified that hidden files and folders are visible.  I tried typing it directly into Explorer's toolbar and it was not found.

Download OTL   hxxp://oldtimer.geekstogo.com/OTL.exe   (change the hxxp to http) and save it to your Desktop.

Double click on OTL.exe to run it.  Right click OTL.exe and select Run as administrator for Vista and Win 7.

Disable Norton for say 30 minutes.

Start OTL, under   copy and paste the custom script attached, which you open in, for instance, Notepad (include the : at the start of :OTL and all the way to the end / bottom), and run the script (red Run Fix button).

The output log should be placed in the C:\_OTL folder afterwards.

Quads

Thank you for your reply.  I have run OTL with the script.  The output is attached.  After my computer rebooted Symantec Endpoint Protection restarted and the messages popped up again.  Should I disable SEP again?  Should I disable it for 30 minutes before I run OTL?

dibrown

SEP should or would probably now pick up on the files in the moved location instead.

Which should be fixed by disabling SEP for whatever (say 30 mins), starting OTL again and this time clicking the black "CleanUp" button.

Quads

I just noticed that the content of the messages has changed.  Now there are two different ones:

Scan type: Auto-Protect Scan
Event: Risk Found!
Security risk detected: Trojan.Zeroaccess
File: C:\Windows\assembly\GAC_32\Desktop.ini
Location: C:\Windows\assembly\GAC_32
Computer: DAVID-PC
User: SYSTEM
Action taken: Pending Side Effects Analysis : Access denied
Date found: Thursday, May 31, 2012 12:13:57 AM

and 

Scan type: Auto-Protect Scan
Event: Risk Found!
Security risk detected: Trojan.Gen.2
File: C:\Windows\assembly\GAC_64\Desktop.ini
Location: C:\Windows\assembly\GAC_64
Computer: DAVID-PC
User: SYSTEM
Action taken: Pending Side Effects Analysis : Access denied
Date found: Thursday, May 31, 2012 12:13:57 AM

Does this new information change anything or should I still leave SEP off for 30 minutes and then run a clean up?  Am I at risk of the trojan downloading other nasty things if I leave the protection off?  

dibrown
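When a thread like this accumulates a dozen pasted Auto-Protect notifications, the useful questions are which paths keep being reported, how often, and whether the product ever managed to act on them ("Access denied" in the action field means it could not). The following Python script is an added example written for this page; it is not part of the thread and not a Symantec tool. It assumes only the notification layout quoted above (one "Key: value" line per field, blocks separated by a blank line) and parses a sample constructed from the messages in this thread.

```python
"""Summarise pasted Symantec Auto-Protect notifications by file path.

Added example for this thread, not Symantec code. The field names are the
ones visible in the notifications quoted above; the sample input below is
constructed from those notifications.
"""
import re
from collections import defaultdict
from datetime import datetime

# Layout of the "Date found" field, e.g. "Thursday, May 31, 2012 12:13:57 AM"
DATE_FORMAT = "%A, %B %d, %Y %I:%M:%S %p"

# Constructed sample: three notifications copied from the thread's format.
SAMPLE_NOTIFICATIONS = r"""
Scan type: Auto-Protect Scan
Event: Security Risk Found!
Security risk detected: Trojan.Gen.2
File: C:\Windows\Installer\{a54b25a2-2196-0a20-fab7-cb13bc4924cd}\U\80000032.@
Location: Quarantine
Computer:
User: SYSTEM
Action taken: Quarantine succeeded : Access denied
Date found: Wednesday, May 30, 2012 10:30:19 PM

Scan type: Auto-Protect Scan
Event: Risk Found!
Security risk detected: Trojan.Zeroaccess
File: C:\Windows\assembly\GAC_32\Desktop.ini
Location: C:\Windows\assembly\GAC_32
Computer: DAVID-PC
User: SYSTEM
Action taken: Pending Side Effects Analysis : Access denied
Date found: Thursday, May 31, 2012 12:13:57 AM

Scan type: Auto-Protect Scan
Event: Risk Found!
Security risk detected: Trojan.Zeroaccess
File: C:\Windows\assembly\GAC_32\Desktop.ini
Location: C:\Windows\assembly\GAC_32
Computer: DAVID-PC
User: SYSTEM
Action taken: Pending Side Effects Analysis : Access denied
Date found: Thursday, May 31, 2012 12:35:43 AM
"""


def parse_notifications(text):
    """Return one dict per notification block, with a parsed 'when' datetime."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            if ":" not in line:
                continue
            # Split on the first colon only: paths and timestamps contain colons.
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
        if "File" not in fields or "Date found" not in fields:
            continue  # not a notification block
        fields["when"] = datetime.strptime(fields["Date found"], DATE_FORMAT)
        events.append(fields)
    return events


def summarize(events):
    """Group events by file path and record count, risks, actions and gaps."""
    by_path = defaultdict(list)
    for ev in events:
        by_path[ev["File"]].append(ev)
    summary = {}
    for path, evs in by_path.items():
        evs.sort(key=lambda e: e["when"])
        gaps = [(b["when"] - a["when"]).total_seconds() for a, b in zip(evs, evs[1:])]
        summary[path] = {
            "count": len(evs),
            "risks": {e["Security risk detected"] for e in evs},
            "actions": [e["Action taken"] for e in evs],
            # "Access denied" means Auto-Protect could not act on the file.
            "removed": not any("Access denied" in e["Action taken"] for e in evs),
            "min_gap_seconds": min(gaps) if gaps else None,
        }
    return summary


def still_unresolved(summary):
    """Paths that were reported more than once or never successfully removed."""
    return sorted(p for p, s in summary.items() if s["count"] > 1 or not s["removed"])


if __name__ == "__main__":
    report = summarize(parse_notifications(SAMPLE_NOTIFICATIONS))
    for path in still_unresolved(report):
        s = report[path]
        print(f"{path}: {s['count']}x, risks={sorted(s['risks'])}, "
              f"removed={s['removed']}, min gap={s['min_gap_seconds']}s")
```

Paste the full set of notifications into `SAMPLE_NOTIFICATIONS` (or read them from a file) and the report shows at a glance which paths reappear after every reboot, which is the "something is recreating the files" signal the later posts in this thread are trying to pin down.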

OK

Cool, I have broken ZeroAccess, so now the leftovers appear.

Like your first run with OTL, but run this script attached.

Quads

Thanks.  Glad we're making progress.  I ran the new script with SEP disabled.  Upon reboot I got the same messages:

Scan type: Auto-Protect Scan
Event: Risk Found!
Security risk detected: Trojan.Gen.2
File: C:\Windows\assembly\GAC_64\Desktop.ini
Location: C:\Windows\assembly\GAC_64
Computer: DAVID-PC
User: SYSTEM
Action taken: Pending Side Effects Analysis : Access denied
Date found: Thursday, May 31, 2012 12:35:42 AM

and 

Scan type: Auto-Protect Scan
Event: Risk Found!
Security risk detected: Trojan.Zeroaccess
File: C:\Windows\assembly\GAC_32\Desktop.ini
Location: C:\Windows\assembly\GAC_32
Computer: DAVID-PC
User: SYSTEM
Action taken: Pending Side Effects Analysis : Access denied
Date found: Thursday, May 31, 2012 12:35:43 AM

There are two more that come up several seconds later that say the same thing, but the location is listed as "Unknown Storage."  I only get these 4 messages when I boot up, they no longer recur every 5 minutes.  I've attached the log file from the script.

It may now be because the threat listings are now stuck in the unresolved threats list, which I know how to fix with Norton products, but not Symantec SEP (Corp) products.

You can now use the black cleanup button.

Quads

OK, I used the cleanup button.  I still got the 4 SEP popups when the computer restarted.  There is no log to post this time.  I guess the cleanup got rid of all the OTL leftovers?  Is there a way for us to check whether the files came back again or if it is just stuck like you suggested?

dibrown

Malwarebytes, after a manual update of the definitions (Update tab) and then a Full scan, should detect those 2 files if they exist.

Otherwise we will have to use some power.

Quads

Quads

I updated and ran Malwarebytes without finding any threats.  However, I still received the Auto-Protect messages upon reboot, so I ran the 2nd OTL script again.  The log file again says that the two files were successfully moved.  Does that mean that there's something that got missed that is creating those files every time I boot the computer?  I really appreciate all your help on this.

dibrown