Hi. It's some time since I've had to delve into cleaning an infection. Your assistance would be appreciated.
I am dealing with a legacy WinXP Pro SP3 system that has caught a partial infection of Trojan.ZeroAccess at the user level. WinXP has the latest updates installed. SAV v10.1 has the latest virus definitions installed. It also has the latest version of ZoneAlarm Free running on the PC. The partial infection appears to be the latest variant as documented by SophosLabs on July 31 2013 on "nakedsecurity.sophos.com".
When I logged in to the affected user, SAV identified Trojan.ZeroAccess and quarantined / cleaned the infection several times. I take this to be the trojan trying repeatedly to install itself. I downloaded the "Fix ZeroAccess" tool (FixTool 1.0.1) from the Symantec website and ran it from an admin user. FixTool reported "No Infection Found". However, logging in as the affected user again triggered SAV to quarantine / clean Trojan.ZeroAccess.
I removed the (dropper ?) files and folders from C:\Documents and Settings\username\Local Settings\Application Data\Google\Desktop\Install\{....}\...\. Folder names were U and L. Program names were "@" and "GoogleUpdate.exe". I removed these files and folders via a Linux boot as they were not accessible from within Windows (ACLs had been changed to lock out admin users). I did not find the trojan files in the "Program Files" folder as suggested in the Sophos report. When attempting to uninstall Google Earth (the only real Google product on the PC), the uninstall box included unprintable characters, so I cancelled the uninstall and removed as much as possible manually (assuming that the uninstall had been compromised).
Windows Security Centre on the PC reports that there is no firewall running (but ZoneAlarm is running and allows me to stop all internet traffic and appears to trap other outgoing requests). It also reports no antivirus protection running (but SAV is running and appears to have blocked the ZeroAccess installs and can still run system scans etc). I take these issues to be damage done by the ZeroAccess dropper in advance of the full installation attempts.
A full system scan with SAV from an admin logon did not identify the partial infection or the existence of the dropper files and folders. If you can point me to documentation regarding the full manual removal of this infection this would be helpful as I am sure there remain artifacts from the infection. If you require further information, I would be pleased to provide it.
I hope the above information allows you to improve the ZeroAccess Fix Tool to also deal with the latest variant
Thanks for any assistance.