4 Replies Latest reply on Aug 8, 2012 2:51 PM by paullotion

    ZeroAccess Trojan refuses to leave. HELP

      I've tried everything, from McAfee's Stinger and rootkit remover, to Malwarebytes' Anti-Malware, to Hitman Pro, and nothing seems to be working.

      This all started a few days ago when I got hit by Live Security Platinum. I knew it was a scam, so I used the Stinger to get rid of it. Now I only have 2 trojans left (according to Hitman Pro). There is a tracking cookie. But, anyway, the first trojan is within my system32; it's called services.exe. It's protected by Windows File Protection, therefore Hitman Pro says it is unable to replace it or do anything with it. The other is assembly\GAC_32\Desktop.ini; Hitman Pro says that it will be deleted when I restart the desktop, and I've tried that multiple times as well. Both of these keep popping up on my Hitman scan. And now a tracking cookie is showing up as well. Someone please help. I have Windows 7, 64 bit.

        • 1. Re: ZeroAccess Trojan refuses to leave. HELP

          I just tried Malwarebytes Anti-Malware's Chameleon and it tells me nothing is wrong, as in there is no virus. Hitman Pro, however, keeps telling me that 2 of them are still there (the 2 aforementioned ones). And whilst this is going on, McAfee keeps telling me that there has been a trojan found and to restart the desktop so that they can kill it. Help soon. Please.

          • 2. Re: ZeroAccess Trojan refuses to leave. HELP
            sol

            Please make sure you cleaned all your cache files: cookies, temps, internet temps.

             

            One thing I noticed with all my ZeroAccess cases is a folder created under Windows\installer, which is also located under User profile\app data. The folder names can be random and the font used is different than what is used with the other Windows\installer folder names. Remove any suspicious-looking folders like this (always make a back-up first).

             

            Similar to this folder name (it can start with a letter as well; this is the first number one I found, as the others had started with the letter C): {6656b880-b899-5422-f6d7-e212845d7584}

             

            The font tends to be smaller than the others

            • 3. Re: ZeroAccess Trojan refuses to leave. HELP
              sol

              Oh dang, I got caught by the date thingy again... SMH (shakin my head)

              • 4. Re: ZeroAccess Trojan refuses to leave. HELP

                Hello

                 

                Hitman Pro will not delete services.exe; it's a Windows core file. It can try to disinfect; otherwise you'll need a clean copy of services.exe, which you should be able to locate within the dllcache, which is also found in the system32 folder. Have the services.exe file found (if any) in dllcache checked at virustotal: or you could send the infected services.exe file to the lab and they should be able to furnish you with an extra.dat to disinfect the infected services.exe.
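
The two manual checks suggested in replies 2 and 4, as an added read-only PowerShell example that is not part of any post in the thread: it lists brace-wrapped GUID folder names in the two locations reply 2 mentions, and computes a SHA-256 of services.exe so the hash can be looked up or quoted to a lab. It assumes that "User profile\app data" means `%LOCALAPPDATA%` and that the "different font" corresponds to lower-case hex digits, as in the sample folder name.

```powershell
# Added example, not from the thread. Read-only: it lists and hashes, never deletes.
# Assumption: the "different font" in reply 2 means lower-case hex digits,
# as in the sample name {6656b880-b899-5422-f6d7-e212845d7584}.
$roots = @(
    (Join-Path $env:windir 'Installer'),  # location named in reply 2
    $env:LOCALAPPDATA                     # assumed meaning of "User profile\app data"
)
$guidName = '^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$'  # -match ignores case

$folders = foreach ($root in $roots) {
    if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }
    # -Force includes hidden and system folders
    Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and $_.Name -match $guidName } |
        Select-Object FullName, CreationTime,
            @{ Name = 'LowerCaseHex'; Expression = { $_.Name -cmatch '[a-f]' } }
}
# Lower-case names first: those are the ones to review by hand
$folders | Sort-Object LowerCaseHex -Descending | Format-List

# A 32-bit PowerShell on 64-bit Windows is redirected to SysWOW64, which has
# no services.exe, so check the path before hashing.
$target = Join-Path $env:windir 'System32\services.exe'
if (Test-Path -LiteralPath $target) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($target)
    try {
        $hash = [BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', ''
    } finally {
        $stream.Dispose()
    }
    "SHA-256 of ${target}: $hash"
} else {
    Write-Warning 'services.exe not visible; start a 64-bit PowerShell and rerun.'
}
```

A GUID folder with no lower-case letters is not thereby cleared, and a lower-case one is not proof of infection; the listing only narrows what to inspect.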