Recurring Trojan.Gen.2 and Hacktool.Rootkit Messages

You mean it found these again

 

========== FILES ==========
C:\Windows\assembly\GAC_32\Desktop.ini moved successfully.
C:\Windows\assembly\GAC_64\Desktop.ini moved successfully.
========== REGISTRY ==========

 

I know there should have been a second location, a second set of files we moved, but you couldn't find it under a username.

 

Quads

 

Yes, it moved those files again. Is there some other way we can find where it is hiding? I checked in the username folders again without success.

 

dibrown

ZeroAccess may be altered again

 

Please read carefully. Read all of this message first.

 

Download Combofix http://www.bleepingcomputer.com/download/anti-virus/combofix


  • Ensure that Combofix is saved directly to the Desktop <--- Very important

  • Disable all security programs as they will have a negative effect on Combofix,
  • Close any open browsers and any other programs you might have running

Download the attached CFScript.txt. For some browsers, right click the attachment on the forum and select "Save As" or similar to download it.

 


 

Now drag CFScript.txt onto ComboFix.exe.

 


  • If you are using Windows XP, it might display a pop-up saying "Recovery console is not installed, do you want to install?" Please select yes and let it download the files it needs to do this. Once the recovery console is installed, ComboFix will then offer to scan for malware. Select continue or yes.
  • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review.


****Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall or freeze. ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

*EXTRA NOTES*

  • If ComboFix detects any rootkit/bootkit activity on your system it will give a warning and prompt for a reboot; you must allow it to do so.
  • If ComboFix reboots due to a rootkit, the screen may stay black for several minutes on reboot; this is normal.
  • If after running ComboFix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted).

Quads

I ran ComboFix with the added script. Logfile is attached. I got the same messages upon reboot as well.

 

dibrown

OK

 

Now your ZeroAccess is dead, because if you still had ZeroAccess running, the variant you have would block ComboFix from running.

 

It could be,

 

a) Windows has the file(s) desktop.ini in many locations, and if there is a bad version Windows will create a new copy after deletion of the bad one. SEP is somehow still detecting the new copies.

 

b) This happens with Norton products also. When the product detects a file it can't remove, it is placed in the History - Unresolved Threats list. The product then continues to notify the user on every startup of Windows and at other times.

Even if another 3rd-party program is used to remove the infection (OTL, ComboFix, FRST, Malwarebytes etc.), the Symantec product still has the listing stuck in the Unresolved Threats list.

The workaround for Norton products was to delete items in the Qbackup folder, or completely remove (uninstall) including all data and history, then do a fresh install, nice and new.

In approx. the 2010 Norton products (I do not know about Corp products), Symantec kindly added the "Clear Entries" button in the Unresolved Threats list, so with a click of a mouse the listings could be removed if a 3rd party had already removed the threat, as Symantec could see the problem.

 

I have no idea of the steps for the SEP products.

 

Quads

OK, so you think I am safe and I just have to figure out how to stop the messages from coming up? I'll research how to clear unresolved threats in SEP. Thanks for all your help.

 

dibrown

Especially when SEP states locations like "Unknown Storage". Huh, it can't even figure itself out.

 

You could, when you maybe have a large amount of time, try this; it uses up-to-date databases back at the servers.

 

Please read carefully and slowly.

 

Please scan with ESET next.


I'd like us to scan your machine with ESET OnlineScan

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and DON'T (NO) check Remove found threats (the reason for this is we don't want something deleted and then Windows won't load).
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • Attach the resulting log in your next reply.


If you think a log should have been generated then go to C:\Program Files\ESET\ESET Online Scanner\log.txt to find it. 

 

Quads

Found this  http://service1.symantec.com/SUPPORT/ent-security.nsf/ppfdocs/2005092614484748?Open&dtype=corp&src=&seg=&om=1&om_out=prod

 

Don't ask me how to fix the engine problem (shrug shoulders).

 

http://www.symantec.com/connect/forums/pending-side-effects-analysis-access-denied

 

Quads

Moved to own thread for better exposure.

Hello,

The scan took a very long time so I had to go to sleep/work. Here is the log.

Hmmmm, it shows ZeroAccess still in the memory.

 

${Memory}a variant of Win32/Sirefef.EZ trojan

 

I wonder where the other half is. I have noticed your file services.exe has an MD5 of 50BEA589F7D7958BDD2528A8F69D05CC.

 

Quads

Is there some way I can search for where it would be?  Would it help to be in safe mode?

 

dibrown

I have found a handful of threads around over the last few days, and they are all trying to figure it out. That is ZeroAccess, ever changing and altering.

For instance this

 

C:\Windows\Installer\{8f1182c6-af1a-7035-2b12-4fc3271a0f44}\U\00000008.@ Win64/Agent.BA trojan cleaned by deleting - quarantined
C:\Windows\Installer\{8f1182c6-af1a-7035-2b12-4fc3271a0f44}\U\80000000.@ Win64/Sirefef.AE trojan cleaned by deleting - quarantined
C:\Windows\Installer\{8f1182c6-af1a-7035-2b12-4fc3271a0f44}\U\80000032.@ probably a variant of Win32/Sirefef.EU trojan cleaned by deleting - quarantined
C:\Windows\Installer\{8f1182c6-af1a-7035-2b12-4fc3271a0f44}\U\80000064.@ Win64/Sirefef.AE trojan cleaned by deleting - quarantined

Operating memory a variant of Win32/Sirefef.EZ trojan

 

Notice the similarity above.

 

They have tried all sorts so far to find it. They even used a program to try and force the 2 files:

 

File/Registry Modification Engine native application
MoveFileOnReboot: sourceFile = "\??\c:\windows\assembly\gac_32\desktop.ini", destinationFile = "(null)", replaceWithDummy = 0
RemoveFile: ZwDeleteFile failed: status = c0000034
MoveFileOnReboot: sourceFile = "\??\c:\windows\assembly\gac_64\desktop.ini", destinationFile = "(null)", replaceWithDummy = 0
RemoveFile: ZwDeleteFile failed: status = c0000034

yup
they are still there ... persistent little buggers -.-

 

The ones over the last few days have, or appear to have, services.exe showing as common.

But the file is needed by Windows; you can't just delete it.

 

Quads 

Bummer, so you think I need to just wait it out until somebody figures out where this zeroaccess is hiding?

 

dibrown

I have asked others for any data, or a dropper, that does this so I can infect my system with it, then I can go about pulling apart the infection on my system

 

I have also given them the noticed MD5 to look for.

 

My MD5 is 5F1B6A9C35D3D5CA72D6D6FDEF9747D6; it is legit and signed.

 

Quads

Just so you know, having the PC / Windows the way it is is still better than removing something you're unsure about and then finding Windows won't boot after. Although annoying.

 

On my other group, after reading my ZeroAccess post there on how it still holds in the memory with desktop.ini and the MD5, one of the other guys found the same problem and MD5 on a MajorGeeks malware removal thread.

 

Then also on the Bleeping Computer Malware Removal forum and the Malwarebytes Removal forum (3 non-English boards as well), so we are not alone for the moment.

 

Quads

Click the Scan All Users checkbox.

Change file age to 60 days.

under  Copy and paste what is below between the lines


 


msconfig
activex
drivers32
netsvcs
C:\Program Files\Common Files\ComObjects\*.* /s
%systemroot%\*. /mp /s
%systemroot%\*. /rp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\drivers\*.sys /90
%SYSTEMDRIVE%\*.exe
/md5start
volsnap.sys
atapi.sys
explorer.exe
winlogon.exe
wininit.exe
services.exe
tdx.sys
afd.sys
cdrom.sys
i8042prt.sys
netbt.sys
redbook.sys

mrxsmb.sys

/md5stop
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs


 

Press the 

 

 

An OTL.txt will be created.

 

Quads

Here is the latest OTL log with your custom scan options.

 

dibrown

I just noticed there was a second log file created last time. 

 

dibrown

You only have one good copy of services.exe, sooooo

 

Can you manually find the services.exe located here: C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe

 

Quads
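As an added example (not from this thread or either poster), the two indicators the thread walks through, scripted as a defender's check: the MD5 of services.exe compared against the two values quoted above and against its WinSxS copy, plus the presence of Desktop.ini under the GAC folders. The directory layout is the one named in the thread; the sample files built by demo() are constructed stand-ins, and on a real machine you would point check_windows_root() at C:\Windows.

```python
import hashlib
import tempfile
from pathlib import Path

# MD5 values quoted in the thread: Quads' signed services.exe, and dibrown's.
KNOWN_GOOD_SERVICES_MD5 = "5f1b6a9c35d3d5ca72d6d6fdef9747d6"
SUSPECT_SERVICES_MD5 = "50bea589f7d7958bdd2528a8f69d05cc"
SXS_PREFIX = "amd64_microsoft-windows-s..s-servicecontroller_"  # WinSxS dir prefix from the thread

def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):  # chunked: large files are fine
            h.update(chunk)
    return h.hexdigest()

def check_windows_root(root):
    """Return findings for a Windows directory tree rooted at `root` (e.g. C:\\Windows)."""
    root = Path(root)
    findings = []
    live = root / "System32" / "services.exe"
    if live.is_file():
        live_md5 = md5_of(live)
        if live_md5 == SUSPECT_SERVICES_MD5:
            findings.append("services.exe matches the MD5 seen on the infected machine")
        elif live_md5 != KNOWN_GOOD_SERVICES_MD5:
            findings.append(f"services.exe MD5 {live_md5} is not the known-good value")
        sxs = root / "winsxs"
        if sxs.is_dir():  # compare against the component-store copy, as Quads asks
            for d in sxs.iterdir():
                copy = d / "services.exe"
                if d.name.startswith(SXS_PREFIX) and copy.is_file() and md5_of(copy) != live_md5:
                    findings.append(f"WinSxS copy differs from System32 copy: {d.name}")
    for gac in ("GAC_32", "GAC_64"):  # the Desktop.ini files SEP kept flagging
        if (root / "assembly" / gac / "Desktop.ini").is_file():
            findings.append(f"Desktop.ini present in assembly\\{gac}")
    return findings

def demo():
    """Build a constructed sample tree (not a real Windows install) and check it."""
    base = Path(tempfile.mkdtemp())
    (base / "System32").mkdir()
    (base / "System32" / "services.exe").write_bytes(b"constructed: patched copy")
    sxs = base / "winsxs" / (SXS_PREFIX + "31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1")
    sxs.mkdir(parents=True)
    (sxs / "services.exe").write_bytes(b"constructed: pristine copy")
    (base / "assembly" / "GAC_64").mkdir(parents=True)
    (base / "assembly" / "GAC_64" / "Desktop.ini").write_bytes(b"constructed")
    return check_windows_root(base)
```

A hash mismatch alone is not proof of patching (a different Windows build has a different services.exe), so treat the first finding as a prompt to check the file's signature, which the thread also relies on.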