• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1479
  • Last Modified:

ZeroAccess Sirefef Infection

Hello,

I have a customer's computer in the shop that has an infection.  I have been unable to remove part of the infection and I am looking for some assistance.  Avast finds 2 infections, one is C:\Windows\assembly\GAC_32\desktop.ini and the other is C:\Windows\assembly\GAC_64\desktop.ini.  They are both infected with a variation of Sirefef.  I cannot repair, remove, or quarantine them.  Access is denied.

I have ran TDSSKiller which finds nothing.  Also ran Malwarebytes.  Any suggestions?
0
Scott Thompson
Asked:
Scott Thompson
  • 3
  • 2
1 Solution
 
dave4dlCommented:
I recommend doing a full reinstall.  When viruses infect machines, they frequently damage system files so that even if you disable the virus, the computer will have ongoing problems until it is reinstalled.  Make sure to back up the current contents of the hard drive before reintsalling (you can use external usb hard drives and an acronis true image boot disk to do this).
0
 
Run5kCommented:
Take few minutes to thoroughly read this Experts Exchange article written by Younghv, one of the EE community's very best malware/virus removal experts:

Stop the Bleeding: First Aid for Malware!

The bottom line is that you can always do a full wipe & reload if necessary, but in the vast majority of cases it can be avoided.
0
 
Scott ThompsonAuthor Commented:
I do agree that I definitely want to avoid reload.  I have worked on removing infections for 4 years now, and 99% of the time you can avoid reloading.  The other 1% is the system is far too gone, or you just don't find an answer.  I actually figured out that recently there is an infection going around (rootkit, use TDSSKiller), which infects the MBR and makes the computer BSOD with STOP 7B (0x0000007B).  Normally, that is a hard drive issue, but it turns out you just need to recreate the MBR and it will boot into Windows, (or slave the drive and scan with TDSSKiller).

Is there a way to manually delete these infected files in the Assembly directory?  I don't actually SEE the files, but I'm not too familiar with what the Assembly directory does, or how it works.

I will try to use RogueKiller in a bit and see if that makes a difference.  I have already used RKill on it.

The weird thing is that I was browsing, and found that ASWmbr is a scanner that will generally repair/fix a lot of rootkit infections.  The scanner finds the infected files, but I can't click on the FIX button.

Any suggestions?
0
When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

 
Scott ThompsonAuthor Commented:
Okay, now I feel stupid!

I figured out how to take care of this issue!

This takes some command line work, so I'm going to post the solution step by step for anyone looking for this.

HOW TO REMOVE infected files C:\Windows\assembly\GAC_32\desktop.ini and C:\Windows\assembly\GAC_64\desktop.ini

1.  Boot into Windows, into an account with Administrator privileges.

2.  Open Command Prompt by Run As Administrator.

3.  Go to C:\Windows\assembly\GAC_32 folder

4.  Type dir /ah to verify desktop.ini is located in the folder.

5.  First we need to get permissions to the file.  Type CACLS desktop.ini /e /p (account name):f
Example: cacls desktop.ini /e /p Jean:f

6.  You now have permissions to access the file.  Now let us make the file accessible.  Type attrib -s -h desktop.ini.  This will unhide the file and clears the system file attribute.

7.  From here, you can run Avast! Free Antivirus to move the file to quarantine, or simply type del desktop.ini.  I prefer to have Avast! move it to quarantine as to have a backup for any further issues.

8.  Repeat steps 3-7 for C:\Windows\assembly\GAC_64\desktop.ini.

I hope this helps people!

I will mark this as the solution once I verify there are no further issues on the machine.
0
 
Run5kCommented:
For future reference, if your ultimate goal was to delete those two specific files it may be a bit easier to boot into an alternate operating system environment like the Parted Magic LiveCD. It's a freeware Linux-based environment that is designed to help you add, delete, and manipulate hard drive partitions, but you can also utilize it to delete files & folders:

http://partedmagic.com/doku.php

And for those of us who may need it, here is a short Parted Magic tutorial in PDF format:

http://www.jhhcvandermeijs.nl/linksandreviews/partitions.pdf
0
 
Scott ThompsonAuthor Commented:
Take that infection! :P
0

Featured Post

What Security Threats Are We Predicting for 2018?

Cryptocurrency, IoT botnets, MFA, and more! Hackers are already planning their next big attacks for 2018. Learn what you might face, and how to defend against it with our 2018 security predictions.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now