Dear All,
To be honest, all the machines I will write about are running Symantec Endpoint Protection 11.0.7000.975, and I couldn't find a proper forum for my questions. Also, in the first place I'm here because Quads just rocks. So if you could just help me it would be much appreciated.
So. I'm managing a couple of machines, mainly workstations running the above security tool. I can see a couple of new ZeroAccess infections every day, like:
Trojan.Zeroaccess
Trojan.Zeroaccess!inf
Trojan.Zeroaccess.B
etc.
Regarding the symptoms I can distinguish three different variations:
1.
'C:\Windows\System32\services.exe' is not infected. Usually the files below have been reported:
'C:\Windows\Installer\*randomcharacters*\n'
'C:\Windows\Installer\*randomcharacters*\@'
'C:\Windows\Installer\*randomcharacters*\L\00000004.@'
'C:\Windows\Installer\*randomcharacters*\U\80000032.@'
'C:\Users\*username*\AppData\Local\*randomcharacters*\n'
'C:\Users\*username*\AppData\Local\*randomcharacters*\@'
etc.
This version can be cleaned by SEP without any issue. Remnant folders can be deleted manually.
2.
All or some of the above files have been reported, plus 'C:\Windows\System32\services.exe'.
In this specific case I can't delete 'services.exe', as it's a core system file, and if I try to kill the process Windows crashes.
What I can do is simply rename it, for example to 'q.exe'. In this case I'm able to choose the option in SEP to 'Permanently Delete' that 'q.exe'. It offers to kill the process. At this point Windows immediately reboots with an error message like: 'Windows encountered a critical error...'. On boot, system repair starts and restores 'services.exe'. After logon I can delete 'q.exe'; the restored 'services.exe' is obviously OK. After deleting all the remnants, no tool can find any further infection.
3.
This seems the very same as the second one, except that I'm unable even to rename 'services.exe'. It says something like I have no permission.
I'm stuck with this one. I could easily fix it locally, but I have to take care of these machines remotely.
Common things:
Only SEP can see the infected files, but can't remove them.
Tools I've run to clean up, which failed:
Hitman
Spybot
Malwarebytes Antimalware
TDSSKiller
RootKit Buster
Symantec's FixZeroaccess
Tools I've tried to unlock/rename/remove 'services.exe':
OTL - could remove every other file except 'services.exe' (prepared a custom script as per SystemLook's output, also tried a scan)
Unlocker
MoveOnBoot
FileASSASSIN
So my question is: is there any solution where I don't need to involve the user too much, and which can be carried out remotely? So no flash drive tools / manual system repair initiations / etc.
Also, it will be hard to get log files from any tools, or at least it will take a while, as half of these issues have been resolved and half have been re-imaged.
Your help is much appreciated.
Best Regards,
fishmong3r
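As an added example (not part of the original post, and not Symantec's or any other vendor's tooling), the script below turns the artifact paths listed in the post into a remote triage check that can be run from an admin workstation without touching the user's session. It assumes local admin rights on the targets, that the C$ administrative share is reachable over SMB, and Windows PowerShell 2.0 or later on the machine running it; the computer names 'WS01' and 'WS02' are placeholders. For 'services.exe' it only collects owner, ACL and SHA-256 so they can be compared against a known-good machine of the same build; it does not claim to know what the clean values are.

```powershell
# Added example, not from the original post. Assumes admin rights on the targets,
# the C$ admin share reachable, and Windows PowerShell 2.0+ on the scanning host.
function Find-ZeroAccessArtifacts {
    param([Parameter(Mandatory=$true)][string[]]$ComputerName)

    foreach ($c in $ComputerName) {
        $root = "\\$c\C$"

        # Folder/file patterns taken from the post: <random>\@ and <random>\n under
        # Windows\Installer and each user's AppData\Local, plus the L\ and U\ subfolders.
        $patterns = @(
            "$root\Windows\Installer\*\@",
            "$root\Windows\Installer\*\n",
            "$root\Windows\Installer\*\L\*.@",
            "$root\Windows\Installer\*\U\*.@",
            "$root\Users\*\AppData\Local\*\@",
            "$root\Users\*\AppData\Local\*\n"
        )
        foreach ($p in $patterns) {
            # -Force includes hidden/system entries; access-denied errors are reported
            # separately below rather than aborting the scan.
            Get-ChildItem -Path $p -Force -ErrorAction SilentlyContinue -ErrorVariable err |
                ForEach-Object {
                    New-Object PSObject -Property @{
                        Computer = $c; Kind = 'Artifact'; Path = $_.FullName
                        Modified = $_.LastWriteTimeUtc; Owner = $null; SHA256 = $null
                    }
                }
            foreach ($e in $err) {
                New-Object PSObject -Property @{
                    Computer = $c; Kind = 'AccessError'; Path = $p
                    Modified = $null; Owner = $null; SHA256 = $e.Exception.Message
                }
            }
        }

        # services.exe: collect owner, ACL and hash for comparison with a clean
        # machine of the same Windows build and patch level.
        $svc = "$root\Windows\System32\services.exe"
        $item = Get-Item -Path $svc -Force -ErrorAction SilentlyContinue
        if ($item) {
            $acl = Get-Acl -Path $svc -ErrorAction SilentlyContinue
            $sha = [System.Security.Cryptography.SHA256]::Create()
            $fs = [System.IO.File]::OpenRead($item.FullName)
            try   { $hash = ([BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
            finally { $fs.Close() }
            New-Object PSObject -Property @{
                Computer = $c; Kind = 'services.exe'; Path = $svc
                Modified = $item.LastWriteTimeUtc; Owner = $acl.Owner; SHA256 = $hash
            }
            # Full DACL, so a "no permission to rename" case (variant 3 in the post)
            # can be compared entry by entry against a clean host.
            if ($acl) {
                foreach ($ace in $acl.Access) {
                    New-Object PSObject -Property @{
                        Computer = $c; Kind = 'services.exe ACE'; Path = $svc
                        Modified = $null; Owner = $ace.IdentityReference.Value
                        SHA256 = ("{0} {1}" -f $ace.AccessControlType, $ace.FileSystemRights)
                    }
                }
            }
        }
    }
}

# Usage (placeholder host names):
# Find-ZeroAccessArtifacts -ComputerName 'WS01','WS02' |
#     Select-Object Computer, Kind, Path, Modified, Owner, SHA256 | Format-Table -AutoSize
```

Run it against one machine you know is clean first and keep that output; any host whose 'services.exe' hash, owner or DACL differs from the clean baseline for the same build is a candidate for the second or third variant described above, and any 'AccessError' rows on the Installer or AppData\Local patterns tell you which paths the infection is protecting. The script is read-only by design: it finds and documents, it does not try to delete anything.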