Solved

ZeroAccess Sirefef Infection

Posted on 2012-03-24
6
1,476 Views
Last Modified: 2013-11-22
Hello,

I have a customer's computer in the shop that has an infection.  I have been unable to remove part of the infection and I am looking for some assistance.  Avast finds 2 infections, one is C:\Windows\assembly\GAC_32\desktop.ini and the other is C:\Windows\assembly\GAC_64\desktop.ini.  They are both infected with a variation of Sirefef.  I cannot repair, remove, or quarantine them.  Access is denied.

I have ran TDSSKiller which finds nothing.  Also ran Malwarebytes.  Any suggestions?
0
6 Comments
 
LVL 15

Expert Comment

by:dave4dl
ID: 37761264
I recommend doing a full reinstall.  When viruses infect machines, they frequently damage system files so that even if you disable the virus, the computer will have ongoing problems until it is reinstalled.  Make sure to back up the current contents of the hard drive before reinstalling (you can use external USB hard drives and an Acronis True Image boot disk to do this).
0
 
LVL 28

Expert Comment

by:Run5k
ID: 37761276
Take a few minutes to thoroughly read this Experts Exchange article written by Younghv, one of the EE community's very best malware/virus removal experts:

Stop the Bleeding: First Aid for Malware!

The bottom line is that you can always do a full wipe & reload if necessary, but in the vast majority of cases it can be avoided.
0
 
LVL 8

Author Comment

by:Scott Thompson
ID: 37761353
I do agree that I definitely want to avoid a reload.  I have worked on removing infections for 4 years now, and 99% of the time you can avoid reloading.  The other 1% is when the system is too far gone, or you just don't find an answer.  I actually figured out that recently there is an infection going around (rootkit, use TDSSKiller) which infects the MBR and makes the computer BSOD with STOP 7B (0x0000007B).  Normally, that is a hard drive issue, but it turns out you just need to recreate the MBR and it will boot into Windows (or slave the drive and scan with TDSSKiller).

Is there a way to manually delete these infected files in the Assembly directory?  I don't actually SEE the files, but I'm not too familiar with what the Assembly directory does, or how it works.

I will try to use RogueKiller in a bit and see if that makes a difference.  I have already used RKill on it.

The weird thing is that I was browsing, and found that ASWmbr is a scanner that will generally repair/fix a lot of rootkit infections.  The scanner finds the infected files, but I can't click on the FIX button.

Any suggestions?
0
 
LVL 8

Accepted Solution

by:Scott Thompson (earned 0 total points)
ID: 37761421
Okay, now I feel stupid!

I figured out how to take care of this issue!

This takes some command line work, so I'm going to post the solution step by step for anyone looking for this.

HOW TO REMOVE infected files C:\Windows\assembly\GAC_32\desktop.ini and C:\Windows\assembly\GAC_64\desktop.ini

1.  Boot into Windows, into an account with Administrator privileges.

2.  Open Command Prompt by Run As Administrator.

3.  Go to C:\Windows\assembly\GAC_32 folder

4.  Type dir /ah to verify desktop.ini is located in the folder.

5.  First we need to get permissions to the file.  Type CACLS desktop.ini /e /p (account name):f
Example: cacls desktop.ini /e /p Jean:f

6.  You now have permissions to access the file.  Now let us make the file accessible.  Type attrib -s -h desktop.ini.  This will unhide the file and clear the system file attribute.

7.  From here, you can run Avast! Free Antivirus to move the file to quarantine, or simply type del desktop.ini.  I prefer to have Avast! move it to quarantine so as to have a backup for any further issues.

8.  Repeat steps 3-7 for C:\Windows\assembly\GAC_64\desktop.ini.

I hope this helps people!

I will mark this as the solution once I verify there are no further issues on the machine.
0
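The steps above, as an added example that is not part of the original post: a PowerShell script that repeats steps 3-8 for both GAC folders, checks that the hidden desktop.ini is actually present before touching it, and moves the file into a quarantine folder instead of deleting it, so a copy survives for later analysis. It assumes an elevated PowerShell prompt, uses takeown and icacls (the current replacement for cacls) to regain access, and the quarantine path C:\Quarantine is an assumed value, not something from the thread.

```powershell
# Added example, not from the original thread. Run from an elevated PowerShell
# prompt on the infected machine. Mirrors steps 3-8 of the accepted solution.
$Quarantine = 'C:\Quarantine'   # assumed location, adjust to taste
$Folders = @('C:\Windows\assembly\GAC_32', 'C:\Windows\assembly\GAC_64')

New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null

foreach ($folder in $Folders) {
    $target = Join-Path $folder 'desktop.ini'

    # Step 4 ("dir /ah"): -Force makes Get-Item see hidden/system files.
    $file = Get-Item -LiteralPath $target -Force -ErrorAction SilentlyContinue
    if (-not $file) {
        Write-Host "No desktop.ini in $folder, nothing to do."
        continue
    }
    Write-Host "Found $target ($($file.Length) bytes, attributes: $($file.Attributes))"

    # Step 5 (cacls /e /p <account>:f): take ownership first, since the
    # infected file's ACL denies access even to administrators, then grant
    # the current account full control with icacls.
    & takeown.exe /F $target | Out-Null
    & icacls.exe $target /grant "$($env:USERNAME):F" | Out-Null

    # Step 6 (attrib -s -h): clear the system and hidden attributes.
    & attrib.exe -s -h $target

    # Step 7: quarantine rather than delete, keeping a copy for analysis.
    # The extension is changed so nothing treats it as a live desktop.ini.
    $dest = Join-Path $Quarantine ("{0}_desktop.ini.quarantined" -f (Split-Path $folder -Leaf))
    Move-Item -LiteralPath $target -Destination $dest -Force
    Write-Host "Moved to $dest"
}
```

After the script runs, rescanning with Avast should no longer report the two GAC desktop.ini files; if it still does, the files were recreated by a still-running component and the machine needs a rootkit scan before retrying.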
 
LVL 28

Expert Comment

by:Run5k
ID: 37763872
For future reference, if your ultimate goal was to delete those two specific files it may be a bit easier to boot into an alternate operating system environment like the Parted Magic LiveCD. It's a freeware Linux-based environment that is designed to help you add, delete, and manipulate hard drive partitions, but you can also utilize it to delete files & folders:

http://partedmagic.com/doku.php

And for those of us who may need it, here is a short Parted Magic tutorial in PDF format:

http://www.jhhcvandermeijs.nl/linksandreviews/partitions.pdf
0
 
LVL 8

Author Closing Comment

by:Scott Thompson
ID: 37786171
Take that infection! :P
0
