Trojan ZeroAccess in desktop.ini and services.exe - restart loop

Norton Security | Norton Internet Security
1

Dell Vostro 470 Win7 Pro  64bit

 

Persistent Norton Unresolved Security Risks desktop.ini (Trojan.Zeroaccess) desktop.ini (Trojan.Gen.2) services.exe (Trojan.Zeroaccess!inf4)  ..  manual removal required.  Put into a restart loop by tool.

 

No success with documented removal procedures. Reading the post ZeroAccess and Gen 2 Infection -- Help .. looks like the way forward.

 

Any assistance most welcome.

 

 

2

Dell Vostro 470 Win7 Pro  64bit

 

Persistent Norton Unresolved Security Risks desktop.ini (Trojan.Zeroaccess) desktop.ini (Trojan.Gen.2) services.exe (Trojan.Zeroaccess!inf4)  ..  manual removal required.  Put into a restart loop by tool.

 

No success with documented removal procedures. Reading the post ZeroAccess and Gen 2 Infection -- Help .. looks like the way forward.

 

Any assistance most welcome.

 

 

3

Thanks for the response. I have only used Symantec Security Response Trojan.Zeroaccess Removal Tool ( Removal Information ) procedure downloaded from the Symantec site - running FixZeroAccess.exe. It stated that there was nothing to fix. NRT = Norton Removal Tools (?)

 

I am using Norton 360. The Security History states "Services.exe (Trojan.Zeroaccess!inf4) detected by Virus scanner and Auto-Protect - Manual Removal Required - Review risk details on Symantec website.  -  c:\windows\system32\services.exe".

 

Also "(Trojan.Zeroaccess) detected by Auto-Protect  -  Restart Required,

You must restart your computer.,c:\windows\assembly\gac_32\desktop.ini"

 

 

4

When I ran Norton Power Eraser I get this message after reboot

 

Norton 360 20.2.0.19
Error: 5013, 3
Windows 7 Professional
7601.17944.amd64fre.win7sp1_gdr.120830-0333
Norton Autofix Results: 1 item(s)
Product Service Dependency :: Failed

 

.. get into a reboot loop.

5

Thanks for advising which tool you were using.

Can you confirm you have not seen anything about "Base Filtering Engine"

If not then hang in and I hope someone will suggest a way forward

6

Thanks again.

 

I haven't seen anything in my computer logs / error messages that mention BFE .. but I have prowled around the communities searching for 5013,3 error issues, so I can see knowledge articles on this . Are these issues related ? Is my machine vulnerable to intrusion at present ?

 

 

7

Reviewing the SERVICES, I do NOT have a BASE FILTERING ENGINE service. I do on my other Win 7 laptop. Has this service been renamed/deleted ?

8

I dont know but it may be worth following the Symantec guidance on installing the same. You can always deactivate the service if need be but equally this may resolve your issue.

9

Warning before rhings go bad

 

You may want to go to a protected malware removal board as the user helping you is not a malware removalists.  especally with the last comment  :smileyvery-happy:

 

"I dont know but it may be worth following the Symantec guidance on installing the same. You can always deactivate the service if need be but equally this may resolve your issue."  

 

I have dealr with systems having this and more problems that have to be broken down and fixed correctly with logs fixes and pinpointing.

 

Just a warning.

 

Quads

10

Quads,

 

Appreciate advice. I have posted on BleepingComputer - I am realising that this problem is nasty ( esp. on Christmas - nice present ) as it has corrupted a number of functions which has put Norton 360 in a spin.

 

I have followed Symantec 'advice' but clearly this is not straightforward.

 

Thanks again

11

Here is an idea of what is or can be involved  http://community.norton.com/t5/Norton-360/Error-quot-5013-3-quot-and-trojan-patchep-sys/m-p/757594/highlight/true#M75042

 

You will notice the user used NPE and replaced the filter engine service.  CRASH as it is done wrong.   I dod break down and fix the system.

 

But for your thread another user got to your thread first, but seeing how it is going I decided to give the warning, enough is enough. before things can get worse..

 

You may have 2 variants on your system and whatever else,   (not the worst I have come across,  RenegadePrue had more).

 

Good Luck

 

Quads

 

12

Your Thread  http://www.bleepingcomputer.com/forums/topic479653.html

 

The person helping you is a trained malware removalist,  and has already logged to show zeroaccess and the in use patched services.exe.

 

Quads

13

Quads,

 

BTW How did you find my bleepingcomputer thread ?

 

Tim

14

I am with Bleeping to and with my PC ability it is not that hard.

 

Quads

15

OK - I'll work with them. Am on holidays so I have to shut down for a few days.

 

Thanks for your guidance.

16

No Problem

 

Quads

17

Quads,

 

Just to let you know I am back to 'normal' after a bit of wrestling - as you can see on my BleepingComputer blog entry.

 

Wondering what you think of the Anti-RootKit beta from MalwareBytes ?

 

Tim

18

Not to be used for the heck of it,

 

a) it is a beta product.

b) there is a reason why Malwarebytes (MBAM) can't do what the MBAR (anti-rootkit) can do, MBAM is less dangerous,  Tools that are stand alone tools like MBAR, TDSSkiller, NPE, Combofix, etc. have more hanger with them and the system used on.

 

Quads