Fix for Trojan.Zeroaccess.B & Trojan.gen.2

Perform the steps below to remove Trojan.Zeroaccess and its variants if the fix tool does not work.

As you may already know, you can check whether a computer is infected with Trojan.Zeroaccess by trying to reset Winsock from the command prompt (the exact check is described at the end of this post). It seems that services.exe is what gets infected, so the best thing we can do here is replace services.exe with a clean copy. The infected services.exe is located in C:\windows\system32, and we replace it by copying a clean services.exe over it, taken from the c:\WINDOWS\winsxs folder (on Windows Vista and 7) or the i386 folder (on Windows XP).

Before we replace c:\WINDOWS\system32\services.exe we also need to remove some other related infected files (the Trojan.gen.2 files). To do that, follow these steps first.

  1. Open My Computer / Computer.
  2. Please select the Tools menu and click Folder Options.
  3. After the new window appears select the View tab.
  4. Put a checkmark in the checkbox labeled Display the contents of system folders.
  5. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
  6. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
  7. Remove the checkmark from the checkbox labeled Hide protected operating system files.
  8. After this please press the Apply button and then the OK button.

Now you can see all the hidden files and folders on the computer. Next, go to C:\Windows\Installer.

There you will see one hidden folder with a random name, e.g. {6256380b-62e6-5202-0783-ddab7c41e598}.

Open this folder and you will see entries such as U, L and @.

The name {6256380b-62e6-5202-0783-ddab7c41e598} is not fixed; it will be different on every computer. Inside C:\Windows\Installer there are lots of folders with random names of this type, and the infected one is the hidden folder. To see that hidden folder you need to enable showing hidden files first, by following the steps above.

Delete the following files and folders:

  • C:\Windows\Installer\{6256380b-62e6-5202-0783-ddab7c41e598}\U\00000008.@
  • C:\Windows\Installer\{6256380b-62e6-5202-0783-ddab7c41e598}\U\80000032.@
  • C:\Windows\Installer\{6256380b-62e6-5202-0783-ddab7c41e598}\U\80000064.@
  • C:\Windows\Installer\{6256380b-62e6-5202-0783-ddab7c41e598}\U
  • C:\Windows\Installer\{6256380b-62e6-5202-0783-ddab7c41e598}\L\00000004.@
  • C:\Windows\Installer\{6256380b-62e6-5202-0783-ddab7c41e598}\L\1afb2d56
  • C:\Windows\Installer\{6256380b-62e6-5202-0783-ddab7c41e598}\L\201d3dde
  • C:\Windows\Installer\{6256380b-62e6-5202-0783-ddab7c41e598}\L
  • C:\Windows\Installer\{6256380b-62e6-5202-0783-ddab7c41e598}\@

Delete as many of these files as you can. You will not be able to delete some of them, such as @ and the folder U; rename those to a name like 1 or 123.

Now go to C:\Users\{Your User Name}\AppData\Local\{6256380b-62e6-5202-0783-ddab7c41e598} and delete as many files as you can. In this folder too you will not be able to delete some files, such as @ and the folder U; rename those to a name like 1 or 123.

After this, restart the computer. After the restart, go to the following locations and delete all the files and folders inside them:

  • C:\Windows\Installer\{6256380b-62e6-5202-0783-ddab7c41e598}
  • C:\Users\{Your User Name}\AppData\Local\{6256380b-62e6-5202-0783-ddab7c41e598}

Restart the computer once again. Deleting all these files fixes the Trojan.gen.2 issue for a while. To fix all the issues we also need to replace one critical Windows file.

It is c:\WINDOWS\system32\services.exe.

To fix the issue we need to manually replace the file “services.exe” with the copy from the c:\WINDOWS\winsxs folder (on Windows Vista and 7) or the i386 folder (on Windows XP).

How to manually replace the file?

  • Boot the computer in Safe Mode with Networking or the Recovery Console.
  • Search for the file “services.exe” in the “c:\Windows\winsxs” folder and copy it to “c:\”.
  • Open the folder “c:\windows\system32” and rename the file “services.exe” to “123.com”.
  • Launch the command prompt with administrator rights and navigate to the home drive “c:\”.
  • Type the command “copy c:\services.exe c:\windows\system32” and you should get the message “1 file copied”.
  • Restart the computer in normal mode and delete the file “123.com” from system32.

Note: Normally services.exe should be about 321 KB, but it need not be exactly that size. If you face any issues renaming services.exe, restart the computer once again in Safe Mode and try to rename it without opening any other applications or files.

Note: If this does not work, we need to replace the services.exe file from the Recovery Console.
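As an added example (my own script, not part of the original post), the following PowerShell runs the two checks from this post read-only: it lists hidden folders with a random {GUID} name under C:\Windows\Installer and under each user's AppData\Local that contain the U, L or @ entries described above, and it compares the live services.exe with the copies Windows keeps in WinSxS and checks its Authenticode signature. It assumes Windows Vista/7 or later with PowerShell 4.0 or newer (for Get-FileHash), run from an elevated prompt; it deletes nothing.

```powershell
# Added example, not from the original post: read-only check for the hidden
# {GUID}\U, {GUID}\L and {GUID}\@ pattern described above, and for a modified
# services.exe. Assumes PowerShell 4.0+ (Get-FileHash) in an elevated prompt.

# Folder names of the form {6256380b-62e6-5202-0783-ddab7c41e598}
$guidName = '^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$'

# The two parent locations the post names: the Installer cache and every
# user's AppData\Local.
$roots = @("$env:SystemRoot\Installer") +
         @(Get-ChildItem -LiteralPath "$env:SystemDrive\Users" -Directory -Force `
               -ErrorAction SilentlyContinue |
           ForEach-Object { Join-Path $_.FullName 'AppData\Local' })

foreach ($root in $roots) {
    Get-ChildItem -LiteralPath $root -Directory -Force -ErrorAction SilentlyContinue |
      Where-Object { $_.Name -match $guidName -and
                     (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) } |
      ForEach-Object {
          $dir = $_
          # Only hidden GUID folders that also carry the U/L/@ markers are reported.
          $markers = @('U', 'L', '@') |
                     Where-Object { Test-Path -LiteralPath (Join-Path $dir.FullName $_) }
          if ($markers) {
              Write-Output "SUSPECT: $($dir.FullName)  (found: $($markers -join ', '))"
              Get-ChildItem -LiteralPath $dir.FullName -Recurse -File -Force `
                  -ErrorAction SilentlyContinue |
                ForEach-Object { Write-Output ('    {0,8} bytes  {1}' -f $_.Length, $_.FullName) }
          }
      }
}

# services.exe: hash the live copy, check its signature, and look for an
# identical copy in the component store (the source the post restores from).
$live     = Join-Path $env:SystemRoot 'System32\services.exe'
$liveHash = (Get-FileHash -LiteralPath $live -Algorithm SHA256).Hash
$sig      = Get-AuthenticodeSignature -FilePath $live
Write-Output ('services.exe: {0} bytes, SHA256 {1}, signature {2}' -f `
              (Get-Item -LiteralPath $live).Length, $liveHash, $sig.Status)

$sxsMatch = Get-ChildItem -LiteralPath "$env:SystemRoot\WinSxS" -Recurse -File -Force `
                -Filter 'services.exe' -ErrorAction SilentlyContinue |
            Where-Object { (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash -eq $liveHash } |
            Select-Object -First 1
if ($sig.Status -eq 'Valid' -and $sxsMatch) {
    Write-Output "OK: services.exe is signed and identical to $($sxsMatch.FullName)"
} else {
    Write-Output 'WARNING: services.exe is unsigned, modified, or matches no WinSxS copy'
}
```

A signature status other than Valid, or no matching WinSxS copy, is the condition under which the replacement procedure above applies; the size alone (the 321 KB figure in the note) is a much weaker indicator than the hash and signature.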


To check for the presence of Trojan.Zeroaccess you have to do one thing.

In Windows XP
———————-

Click on the Start menu and click Run.
In the Run window type CMD and click OK.
In the black command window type
NETSH WINSOCK RESET and press Enter.

If you get the message
“Sucessfully reset the Winsock Catalog. You must restart the machine in order to complete the reset.” then you are safe.
If not, your computer is infected. The only solution to fix it is a fresh installation.

In Windows Vista and Windows 7
——————————————

Click on the Start menu and type CMD in the search box.
At the top you will see a CMD file. Right-click on it and select Run as Administrator.

In the black command window type
NETSH WINSOCK RESET and press Enter.

If you get the message
“Sucessfully reset the Winsock Catalog. You must restart the machine in order to complete the reset.” then you are safe.

If not, your computer is infected. On Windows Vista and Windows 7 a successful System Restore will fix the issue, so try a System Restore to a good restore point.

After a successful System Restore, try the same step again. If you get the message “Sucessfully reset the Winsock Catalog.
You must restart the machine in order to complete the reset.” your computer is safe and secure.

Kuttus

Kuttus is an IT professional and a part-time blogger. He started 123seminarsonly to write up the findings from his daily work. Kuttus writes articles mostly related to technology and virus removal. He has long been interested in virus and malware removal and has been working as a remote virus removal technician for the last 7 years.

5 comments to Fix for Trojan.Zeroaccess.B & Trojan.gen.2

  • Nathanaêl

    Hello

    I have similar problems. I checked the tutorial; the only thing is that my hidden folders in Installer are a little different: there are two hidden folders. In one of those two folders there are another two folders, named U and L, and there is also a system file called @, but it is not a folder. In the U folder I have these files: 00000004@ 1ko and 201d3dde 1ko; in the U folder there is 000000cb@ and 00000004@. The other hidden folder is called $PatchCache$ and there are nine folders in it, but it doesn’t look like the one you mentioned. I think I have a virus in these folders U and L, just maybe they are other viruses. Should I erase those files and rename the file @? Thanks for any feedback.

    • admin

      Hi Nathanaêl,

      I am sorry to say it seems your computer is or was infected…. I will assist you to make sure no more problems remain on your computer.

      To check the presence of Trojan.Zeroaccess you have to do one thing.

      In Windows XP
      ———————-

      Click on the Start menu and click Run.
      In the Run window type CMD and click OK.
      In the black command window type
      NETSH WINSOCK RESET and press Enter.

      If you get the message
      “Sucessfully reset the Winsock Catalog. You must restart the machine in order to complete the reset.” then you are safe.
      If not, your computer is infected.

      In Windows Vista and Windows 7
      ——————————————

      Click on the Start menu and type CMD in the search box.
      At the top you will see a CMD file. Right-click on it and select Run as Administrator.

      In the black command window type
      NETSH WINSOCK RESET and press Enter.

      If you get the message
      “Sucessfully reset the Winsock Catalog. You must restart the machine in order to complete the reset.” then you are safe.

      If not, your computer is infected.

      Please check it and revert back…

  • Brad Gunson

    I can’t find services.exe in winsxs or i386?

    • admin

      Did you search for this file on your computer? Even after a search, if you are not able to find it we need to transfer this file from another computer.

      Are you using Windows XP, Windows Vista or Windows 7? Check if it is 64-bit or 32-bit…..

      We need to transfer the same services.exe file from another computer or from a Windows CD…

      Please let me know the details. Don’t do anything else now….
