Virus:W32/ZeroAccess

Manual Repair

Caution: Manual repair is a risky process; it is recommended only for advanced users.

The following manual removal instructions apply to Windows 7 systems with a service.exe file infected by Trojan.patched.sirefef.[variant], and with F-Secure Internet Security 2012 (FSIS 2012) installed.

• Turn off real-time scanning to prevent interference with the removal process.
• Boot to safe mode
• search for the backup copy of services.exe; this copy will usually be:
  • C:\Windows\Winsxs\[directory path]\services.exe
• Go to C:\windows\system32\ folder and rename the infected copy of the services.exe file to 'services.exe.vir' (use cmd.exe if necessary)
• Copy the backup services.exe file from the Winsxs folder to C:\Windows\system32\
• After reboot, open the FSIS 2012 product and uncheck the "scan only known file types" setting under manual scanning.
• Next, run a full system scan. The product should detect items in the following locations:
  • C:\Users\[user]\appdata\local\{[numbers]}\n
  • C:\Windows\Installer\{ [numbers]}\n
  • C:\Windows\Assembly\gac\desktop.ini OR \gac_32\desktop.ini
• The product should then prompt for reboot to remove one of the n files listed above. Note: if the n files are not detected by the product:
  • Please send a copy to the Submit A Sample (SAS) for a Labs Analyst to create the necessary detection.
  • Then boot to Safe Mode to manually locate the n files at the locations listed above. Rename the files to "n.vir", then restart in normal mode and delete the entire folder with those files.
  • If any file is locked by services.exe, first fix services.exe as above.
• After reboot, manually delete all remaining traces of the malware by deleting the {[numbers]} folders
• Finally, re-enable real-time scanning, reboot and run another full scan.

Notes

Many users will also find files in the Java cache being detected for Blackhole exploits; this is the most commonly dropped on the computer on visits to compromised/malicious sites silently serving the exploits. The detected files may be removed.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

• Check for the latest database updates

  First check if your F-Secure security program is using the latest updates, then try scanning the file again.

• Submit a sample

  After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

  Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

• Exclude a file from further scanning

  If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

  Note: You need administrative rights to change the settings.