Solved

ZeroAccess Sirefef Infection

Posted on 2012-03-24
6
1,474 Views
Last Modified: 2013-11-22
Hello,

I have a customer's computer in the shop that has an infection.  I have been unable to remove part of the infection and I am looking for some assistance.  Avast finds 2 infections, one is C:\Windows\assembly\GAC_32\desktop.ini and the other is C:\Windows\assembly\GAC_64\desktop.ini.  They are both infected with a variation of Sirefef.  I cannot repair, remove, or quarantine them.  Access is denied.

I have run TDSSKiller which finds nothing.  Also ran Malwarebytes.  Any suggestions?
0
Comment
Question by:Scott Thompson
6 Comments
 
LVL 15

Expert Comment

by:dave4dl
ID: 37761264
I recommend doing a full reinstall.  When viruses infect machines, they frequently damage system files so that even if you disable the virus, the computer will have ongoing problems until it is reinstalled.  Make sure to back up the current contents of the hard drive before reinstalling (you can use external USB hard drives and an Acronis True Image boot disk to do this).
0
 
LVL 28

Expert Comment

by:Run5k
ID: 37761276
Take a few minutes to thoroughly read this Experts Exchange article written by Younghv, one of the EE community's very best malware/virus removal experts:

Stop the Bleeding: First Aid for Malware!

The bottom line is that you can always do a full wipe & reload if necessary, but in the vast majority of cases it can be avoided.
0
 
LVL 8

Author Comment

by:Scott Thompson
ID: 37761353
I do agree that I definitely want to avoid a reload.  I have worked on removing infections for 4 years now, and 99% of the time you can avoid reloading.  The other 1% is when the system is too far gone, or you just don't find an answer.  I actually figured out that recently there is an infection going around (rootkit, use TDSSKiller), which infects the MBR and makes the computer BSOD with STOP 7B (0x0000007B).  Normally, that is a hard drive issue, but it turns out you just need to recreate the MBR and it will boot into Windows (or slave the drive and scan with TDSSKiller).

Is there a way to manually delete these infected files in the Assembly directory?  I don't actually SEE the files, but I'm not too familiar with what the Assembly directory does, or how it works.

I will try to use RogueKiller in a bit and see if that makes a difference.  I have already used RKill on it.

The weird thing is that I was browsing, and found that ASWmbr is a scanner that will generally repair/fix a lot of rootkit infections.  The scanner finds the infected files, but I can't click on the FIX button.

Any suggestions?
0
 
LVL 8

Accepted Solution

by:Scott Thompson (earned 0 total points)
ID: 37761421
Okay, now I feel stupid!

I figured out how to take care of this issue!

This takes some command line work, so I'm going to post the solution step by step for anyone looking for this.

HOW TO REMOVE infected files C:\Windows\assembly\GAC_32\desktop.ini and C:\Windows\assembly\GAC_64\desktop.ini

1.  Boot into Windows, into an account with Administrator privileges.

2.  Open Command Prompt by Run As Administrator.

3.  Go to C:\Windows\assembly\GAC_32 folder

4.  Type dir /ah to verify desktop.ini is located in the folder.

5.  First we need to get permissions to the file.  Type CACLS desktop.ini /e /p (account name):f
Example: cacls desktop.ini /e /p Jean:f

6.  You now have permissions to access the file.  Now let us make the file accessible.  Type attrib -s -h desktop.ini.  This will unhide the file and clear the system file attribute.

7.  From here, you can run Avast! Free Antivirus to move the file to quarantine, or simply type del desktop.ini.  I prefer to have Avast! move it to quarantine so as to have a backup for any further issues.

8.  Repeat steps 3-7 for C:\Windows\assembly\GAC_64\desktop.ini.

I hope this helps people!

I will mark this as the solution once I verify there are no further issues on the machine.
0
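The eight steps above, written out as a batch script that can be run from an elevated Command Prompt. This is an added example and not the poster's own script; it assumes the current user is the account that should be granted access, uses takeown/icacls in place of the cacls call in the post (both ship with Windows 7 and later), and assumes a quarantine folder path of its own choosing. Following the poster's preference, it moves the files into that folder rather than deleting them, so a copy is kept for later review, and it only acts on the two paths named in the thread.

```batch
@echo off
REM Added example (not from the original post): automates steps 3-8 of the
REM accepted solution for the two paths named in the thread.
REM Run from a Command Prompt started with "Run as administrator".
REM Assumption: the current user (%USERNAME%) is the account to grant access to.
REM Assumption: quarantine folder below is a path chosen for this example.

setlocal
set "QUAR=%SystemDrive%\Quarantine_GAC"
if not exist "%QUAR%" mkdir "%QUAR%"

REM Steps 3 and 8: handle GAC_32, then GAC_64.
for %%D in (GAC_32 GAC_64) do call :handle "%SystemRoot%\assembly\%%D"
goto :eof

:handle
set "TARGET=%~1\desktop.ini"
echo.
echo === %TARGET% ===

REM Step 4: confirm the hidden file is actually present before touching anything
REM ("if exist" sees hidden/system files; "dir /ah" shows the same thing).
if not exist "%TARGET%" (
    echo   not present, skipping
    goto :eof
)

REM Step 5: take ownership and grant the current user full control.
REM Equivalent of the post's "cacls desktop.ini /e /p (account):f".
takeown /f "%TARGET%" >nul
icacls "%TARGET%" /grant "%USERNAME%:F" >nul

REM Step 6: clear the system, hidden and read-only attributes.
attrib -s -h -r "%TARGET%"

REM Step 7: move to quarantine instead of "del", keeping a copy for later review.
REM The GAC folder name (%~nx1) is prefixed so the two files do not collide.
move /y "%TARGET%" "%QUAR%\%~nx1_desktop.ini" >nul && echo   moved to %QUAR%\%~nx1_desktop.ini
goto :eof
```

After the script runs, re-check both folders with dir /ah as in step 4 and re-scan with the antivirus; if the files are recreated on reboot, the component that is dropping them is still active and the thread's other advice (TDSSKiller, RogueKiller, or an offline environment) applies.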
 
LVL 28

Expert Comment

by:Run5k
ID: 37763872
For future reference, if your ultimate goal was to delete those two specific files it may be a bit easier to boot into an alternate operating system environment like the Parted Magic LiveCD. It's a freeware Linux-based environment that is designed to help you add, delete, and manipulate hard drive partitions, but you can also utilize it to delete files & folders:

http://partedmagic.com/doku.php

And for those of us who may need it, here is a short Parted Magic tutorial in PDF format:

http://www.jhhcvandermeijs.nl/linksandreviews/partitions.pdf
0
 
LVL 8

Author Closing Comment

by:Scott Thompson
ID: 37786171
Take that infection! :P
0
