ZeroAccess Sirefef Infection

Hello,

I have a customer's computer in the shop that has an infection. I have been unable to remove part of the infection and I am looking for some assistance. Avast finds 2 infections, one is C:\Windows\assembly\GAC_32\desktop.ini and the other is C:\Windows\assembly\GAC_64\desktop.ini. They are both infected with a variation of Sirefef. I cannot repair, remove, or quarantine them. Access is denied.

I have run TDSSKiller, which finds nothing. Also ran Malwarebytes. Any suggestions?
Asked by Scott Thompson (Computer Technician / Owner)

dave4dl commented:
I recommend doing a full reinstall. When viruses infect machines, they frequently damage system files so that even if you disable the virus, the computer will have ongoing problems until it is reinstalled. Make sure to back up the current contents of the hard drive before reinstalling (you can use external USB hard drives and an Acronis True Image boot disk to do this).
Run5k commented:
Take a few minutes to thoroughly read this Experts Exchange article written by Younghv, one of the EE community's very best malware/virus removal experts:

Stop the Bleeding: First Aid for Malware!

The bottom line is that you can always do a full wipe & reload if necessary, but in the vast majority of cases it can be avoided.
Scott Thompson (Author) commented:
I do agree that I definitely want to avoid a reload. I have worked on removing infections for 4 years now, and 99% of the time you can avoid reloading. The other 1% is when the system is far too gone, or you just don't find an answer. I actually figured out that recently there is an infection going around (rootkit, use TDSSKiller) which infects the MBR and makes the computer BSOD with STOP 7B (0x0000007B). Normally, that is a hard drive issue, but it turns out you just need to recreate the MBR and it will boot into Windows (or slave the drive and scan with TDSSKiller).

Is there a way to manually delete these infected files in the Assembly directory?  I don't actually SEE the files, but I'm not too familiar with what the Assembly directory does, or how it works.

I will try to use RogueKiller in a bit and see if that makes a difference.  I have already used RKill on it.

The weird thing is that I was browsing and found that aswMBR is a scanner that will generally repair/fix a lot of rootkit infections. The scanner finds the infected files, but I can't click on the FIX button.

Any suggestions?

Scott Thompson (Author) commented:
Okay, now I feel stupid!

I figured out how to take care of this issue!

This takes some command line work, so I'm going to post the solution step by step for anyone looking for this.

HOW TO REMOVE infected files C:\Windows\assembly\GAC_32\desktop.ini and C:\Windows\assembly\GAC_64\desktop.ini

1.  Boot into Windows, into an account with Administrator privileges.

2.  Open Command Prompt by Run As Administrator.

3.  Go to C:\Windows\assembly\GAC_32 folder

4.  Type dir /ah to verify desktop.ini is located in the folder.

5.  First we need to get permissions to the file.  Type CACLS desktop.ini /e /p (account name):f
Example: cacls desktop.ini /e /p Jean:f

6.  You now have permissions to access the file. Now let us make the file accessible. Type attrib -s -h desktop.ini. This unhides the file and clears the system file attribute.

7.  From here, you can run Avast! Free Antivirus to move the file to quarantine, or simply type del desktop.ini. I prefer to have Avast! move it to quarantine so as to have a backup for any further issues.

8.  Repeat steps 3-7 for C:\Windows\assembly\GAC_64\desktop.ini.

I hope this helps people!

I will mark this as the solution once I verify there are no further issues on the machine.
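The eight steps above, as an added PowerShell script (not the original poster's commands; added here as an illustration). It runs the same sequence for both GAC folders: take access to the file, clear the hidden/system attributes, and move it to a quarantine folder rather than deleting it. It uses takeown and icacls, which ship with Windows and replace the deprecated cacls, records a SHA-256 hash before moving, and adds one check a technician would want: a genuine desktop.ini is a small plain-text INI file, so if the first two bytes are "MZ" the file is a Windows executable under an innocuous name. Assumptions: the two paths named in the thread, and a quarantine folder C:\Quarantine (any folder the installed antivirus does not auto-clean will do).

```powershell
# Added example, not from the original post. Same steps as the thread's manual procedure:
# grant access (takeown + icacls instead of cacls), clear attributes (attrib), quarantine (move).
# Assumed: the two thread paths below and C:\Quarantine as the quarantine location.
#Requires -RunAsAdministrator

$Targets = @(
    'C:\Windows\assembly\GAC_32\desktop.ini',
    'C:\Windows\assembly\GAC_64\desktop.ini'
)
$Quarantine = 'C:\Quarantine'   # assumed; pick a folder your AV will not clean on its own
New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null

foreach ($Path in $Targets) {
    # -Force is needed to see hidden/system files (the equivalent of "dir /ah" in step 4).
    $Item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if (-not $Item) { Write-Host "Not present: $Path"; continue }

    # Step 5: take ownership, then grant the current user full control.
    & takeown.exe /F $Path | Out-Null
    & icacls.exe $Path /grant "$($env:USERNAME):F" | Out-Null

    # Step 6: clear the system, hidden and read-only attributes.
    & attrib.exe -s -h -r $Path

    # Sanity check: read the first two bytes. A real desktop.ini is text; 'MZ' means a PE file.
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $b = New-Object byte[] 2
        $n = $fs.Read($b, 0, 2)
    } finally {
        $fs.Dispose()
    }
    $IsPE = ($n -eq 2 -and $b[0] -eq 0x4D -and $b[1] -eq 0x5A)
    $Hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    Write-Host ("{0}: {1} bytes, SHA256 {2}, PE header: {3}" -f $Path, $Item.Length, $Hash, $IsPE)

    # Step 7: move to quarantine instead of deleting, so a copy is kept for later analysis.
    # The GAC_32/GAC_64 folder name and part of the hash go into the file name to keep them apart.
    $Dest = Join-Path $Quarantine ("{0}_desktop.ini_{1}" -f $Item.Directory.Name, $Hash.Substring(0, 16))
    try {
        Move-Item -LiteralPath $Path -Destination $Dest -Force
        Write-Host "Quarantined to $Dest"
    } catch {
        # A sharing violation here means a running process still has the file mapped;
        # repeat the procedure from Safe Mode or from an offline boot environment.
        Write-Warning "Could not move $Path : $($_.Exception.Message)"
    }
}
```

Run it from an elevated PowerShell prompt. Moving the files removes the detected components but not necessarily whatever loaded them, so, as the poster says he will do, reboot and rescan before calling the machine clean.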
Run5k commented:
For future reference, if your ultimate goal was to delete those two specific files it may be a bit easier to boot into an alternate operating system environment like the Parted Magic LiveCD. It's a freeware Linux-based environment that is designed to help you add, delete, and manipulate hard drive partitions, but you can also utilize it to delete files & folders:

http://partedmagic.com/doku.php

And for those of us who may need it, here is a short Parted Magic tutorial in PDF format:

http://www.jhhcvandermeijs.nl/linksandreviews/partitions.pdf
Scott Thompson (Author) commented:
Take that infection! :P