Solved

ZeroAccess Sirefef Infection

Posted on 2012-03-24
6
1,470 Views
Last Modified: 2013-11-22
Hello,

I have a customer's computer in the shop that has an infection.  I have been unable to remove part of the infection and I am looking for some assistance.  Avast finds 2 infections, one is C:\Windows\assembly\GAC_32\desktop.ini and the other is C:\Windows\assembly\GAC_64\desktop.ini.  They are both infected with a variation of Sirefef.  I cannot repair, remove, or quarantine them.  Access is denied.

I have run TDSSKiller, which finds nothing.  Also ran Malwarebytes.  Any suggestions?
Question by:Scott Thompson
6 Comments
 
LVL 15

Expert Comment

by:dave4dl
ID: 37761264
I recommend doing a full reinstall.  When viruses infect machines, they frequently damage system files so that even if you disable the virus, the computer will have ongoing problems until it is reinstalled.  Make sure to back up the current contents of the hard drive before reinstalling (you can use external USB hard drives and an Acronis True Image boot disk to do this).
0
 
LVL 28

Expert Comment

by:Run5k
ID: 37761276
Take a few minutes to thoroughly read this Experts Exchange article written by Younghv, one of the EE community's very best malware/virus removal experts:

Stop the Bleeding: First Aid for Malware!

The bottom line is that you can always do a full wipe & reload if necessary, but in the vast majority of cases it can be avoided.
0
 
LVL 8

Author Comment

by:Scott Thompson
ID: 37761353
I do agree that I definitely want to avoid a reload.  I have worked on removing infections for 4 years now, and 99% of the time you can avoid reloading.  The other 1% is when the system is too far gone, or you just don't find an answer.  I actually figured out that recently there is an infection going around (rootkit, use TDSSKiller) which infects the MBR and makes the computer BSOD with STOP 7B (0x0000007B).  Normally, that is a hard drive issue, but it turns out you just need to recreate the MBR and it will boot into Windows (or slave the drive and scan with TDSSKiller).

Is there a way to manually delete these infected files in the Assembly directory?  I don't actually SEE the files, but I'm not too familiar with what the Assembly directory does, or how it works.

I will try to use RogueKiller in a bit and see if that makes a difference.  I have already used RKill on it.

The weird thing is that I was browsing, and found that ASWmbr is a scanner that will generally repair/fix a lot of rootkit infections.  The scanner finds the infected files, but I can't click on the FIX button.

Any suggestions?
0
 
LVL 8

Accepted Solution

by:Scott Thompson (earned 0 total points)
ID: 37761421
Okay, now I feel stupid!

I figured out how to take care of this issue!

This takes some command line work, so I'm going to post the solution step by step for anyone looking for this.

HOW TO REMOVE infected files C:\Windows\assembly\GAC_32\desktop.ini and C:\Windows\assembly\GAC_64\desktop.ini

1.  Boot into Windows, into an account with Administrator privileges.

2.  Open Command Prompt by Run As Administrator.

3.  Go to the C:\Windows\assembly\GAC_32 folder.

4.  Type dir /ah to verify desktop.ini is located in the folder.

5.  First we need to get permissions to the file.  Type CACLS desktop.ini /e /p (account name):f
Example: cacls desktop.ini /e /p Jean:f

6.  You now have permissions to access the file.  Now let us make the file accessible.  Type attrib -s -h desktop.ini.  This will unhide the file and clear the system file attribute.

7.  From here, you can run Avast! Free Antivirus to move the file to quarantine, or simply type del desktop.ini.  I prefer to have Avast! move it to quarantine so as to have a backup for any further issues.

8.  Repeat steps 3-7 for C:\Windows\assembly\GAC_64\desktop.ini.

I hope this helps people!

I will mark this as the solution once I verify there are no further issues on the machine.
0
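The steps above, wrapped into one batch file as an added example (this is not the original poster's script and is not part of the thread). It runs steps 3 to 8 for both GAC_32 and GAC_64, uses dir /ah as the presence check the answer describes, and moves the file to a quarantine folder instead of deleting it, matching the author's preference to keep a copy. The quarantine folder name, the use of %USERNAME% as the account in the cacls command, and the takeown fallback mentioned in a comment are assumptions of this example, not something the thread states.

```batch
@echo off
REM Added example, not the original poster's code: automates steps 3-8 of the
REM accepted answer for both GAC folders. Run from a Command Prompt opened
REM with "Run as administrator" (steps 1-2 of the answer).
REM Assumption: the malicious file is a hidden+system desktop.ini directly
REM inside GAC_32 / GAC_64. QUARANTINE is a constructed folder name.
set "QUARANTINE=%SystemDrive%\Quarantine_Sirefef"
if not exist "%QUARANTINE%" mkdir "%QUARANTINE%"

for %%D in ("%SystemRoot%\assembly\GAC_32" "%SystemRoot%\assembly\GAC_64") do (
    call :clean "%%~D"
)
echo Done. Review "%QUARANTINE%" and re-scan the machine with Avast.
exit /b 0

:clean
set "TARGET=%~1\desktop.ini"
REM Step 4: a plain dir skips hidden entries, so /ah is needed to see the file.
dir /ah "%~1" 2>nul | find /i "desktop.ini" >nul
if errorlevel 1 (
    echo [%~1] no hidden desktop.ini found - skipping
    exit /b 0
)
echo [%~1] hidden desktop.ini present

REM Step 5: edit the ACL (/e) and give the current account Full control (/p ...:f).
REM If cacls itself reports access denied, taking ownership first with
REM   takeown /f "%TARGET%"
REM is a standard option; the thread did not need it, so it is left commented.
cacls "%TARGET%" /e /p %USERNAME%:f

REM Step 6: clear the System and Hidden attributes so the file is ordinary again.
attrib -s -h "%TARGET%"

REM Step 7: keep a copy rather than del. %~nx1 is the last path component
REM (GAC_32 or GAC_64), appended so the two copies do not overwrite each other.
move /y "%TARGET%" "%QUARANTINE%\desktop.ini.%~nx1" >nul && echo [%~1] moved to quarantine
exit /b 0
```

Save it as a .bat file and run it from the elevated prompt; each folder is handled independently, so a machine with only one of the two files is fine. The quarantined copies stay on disk only so the original can be examined or submitted to the AV vendor; delete the quarantine folder once the rescan is clean.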
 
LVL 28

Expert Comment

by:Run5k
ID: 37763872
For future reference, if your ultimate goal was to delete those two specific files it may be a bit easier to boot into an alternate operating system environment like the Parted Magic LiveCD. It's a freeware Linux-based environment that is designed to help you add, delete, and manipulate hard drive partitions, but you can also utilize it to delete files & folders:

http://partedmagic.com/doku.php

And for those of us who may need it, here is a short Parted Magic tutorial in PDF format:

http://www.jhhcvandermeijs.nl/linksandreviews/partitions.pdf
0
 
LVL 8

Author Closing Comment

by:Scott Thompson
ID: 37786171
Take that infection! :P
0
