06-12-2012 05:03 AM
Hi there! Having a tough time on this one. My father's computer got infected with ZeroAccess/Sirefef, and neither Norton nor the F-Secure rescue disk could fix it. MSE says it's got at least 3 variants:
I anticipated some moves, disabled MSE and downloaded aswMBR and updated it with the most up-to-date definitions. Ran it, but couldn't finish the scan. The **bleep** trojan kept on crashing the program or trying to reboot my system ("windows has encountered a critical error and will shut down in 1 minute"). I then loaded CMD with administrator privileges and ran shutdown /a to stop the rebooting process. I was as fast as 3 seconds after the message... but it didn't work:
A system shutdown is in process.(1115)
So I couldn't run it. Windows Vista 32 here. I think he got the thing on Saturday (09/06/12) and I have several restore points prior to that. Should I try to restore the system?
Thank you very much.
06-12-2012 03:37 PM
I've run ESET Online Scanner, with "Scan archives" enabled, "Remove found threats" disabled, and in advanced settings I enabled "Scan potentially unwanted applications", "Scan for potentially unsafe applications" and "Enable Anti-Stealth technology".
The results follow!
06-12-2012 05:03 PM - edited 06-12-2012 05:50 PM
One less for me to worry about.
I did not ask you to do that, so I am finished with this thread and breaking the CLSID variant of ZeroAccess with services.exe.
I asked you to uninstall MSE, not to run scans. I am not doing any more; you are doing your own thing.
You have even tried reinstalling etc.
06-12-2012 08:28 PM
Sorry for that. I was just trying to be proactive. I read several posts where you instructed people to do that and was trying to save time. I've already uninstalled MSE (that's what I meant when I said "disabled MSE"). I'll not do anything else until instructed. What must I do?
06-13-2012 08:16 PM
Well, I actually managed to remove the plague on my own.
Steps I did:
- Boot the system with F-secure rescue CD (available for free here http://www.f-secure.com/en/web/labs_global/removal
- Let the scan and clean run. It cleans some files, but it skips/does nothing with the services.exe infection, which is responsible for reinfecting the machine. After it did its job, I pressed Alt + F4 (a hidden feature that drops you at a Linux prompt).
- Entered the Windows directory (mine was at /mnt/scan/sda1/windows).
- Figured out that windows\winsxs has a backup of the main system files, with more than one version in some cases!
- Found the backups of services.exe there, by entering /mnt/scan/sda1/windows/winsxs and running ls -l *servicecontroller*
- Found three directories with service controller:
- Checked to see if all files and directories that MSE found to be infected were already cleaned by the rescue CD. The files weren't there, but the folders were. I deleted the folders (with rm -f).
- I then ejected the CD and rebooted the system in safe mode. Opened regedit (run, regedit.exe). Searched for the keys mentioned here (http://nakedsecurity.sophos.com/2012/06/06/zeroacc
(BTW, HKCR is HKEY_CLASSES_ROOT, and HKCU is HKEY_CURRENT_USER)
The first was already at the correct value, and the second one didn't exist! Don't know if the rescue CD already fixed it or I got a different variant, but all right (if they existed, I'd restore the first and delete the second). I also searched for the GUIDs that were on the directories found, and didn't find them, so I concluded the registry was clean.
- Final step: I found out that the winsxs directory is actually the real container of the services.exe file (http://www.winvistaclub.com/f16.html). The one in windows\system32 is supposed to be only a hard link. So I restored the hard link by doing:
move services.exe services.goodbutjustasimplecopy (you have to rename it or Windows won't let you overwrite it)
fsutil hardlink create c:\windows\system32\services.exe services.exe
And then I rebooted the system. Bingo.
Took the time to write this here so it might help someone who is in the same trouble as me and happens to catch Quads on a bad day...
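The last post restores the System32 services.exe from a WinSxS copy by hand but never checks the result. The script below is an added example, not code from the thread or from any of the products mentioned, showing how a defender can verify the repair afterwards on the affected machine: it lists the hard links fsutil reports for the live file, hashes every servicecontroller copy kept in WinSxS against the live binary, and checks the Authenticode signature. It assumes PowerShell 4 or later (for Get-FileHash), the default %SystemRoot% layout, and an elevated prompt; the names $live, $liveHash and $state are this example's own.

```powershell
# Added example (not from the thread): post-cleanup check for services.exe.
# Assumes PowerShell 4+ (Get-FileHash) and the default %SystemRoot% layout.
$live = Join-Path $env:SystemRoot 'System32\services.exe'

# 1. Which paths are hard links of the live file? A healthy system lists the
#    System32 path plus a WinSxS ...servicecontroller... path for the same file.
Write-Host "Hard links for $live (fsutil):"
& fsutil hardlink list $live | ForEach-Object { Write-Host "  $_" }

# 2. Compare the live file's SHA-256 with every backup copy in WinSxS.
#    WinSxS may hold several versions, so the live file is expected to match
#    at least one of them; matching none is the suspicious case.
$liveHash = (Get-FileHash -Algorithm SHA256 -Path $live).Hash
Write-Host "`nLive SHA256: $liveHash"
Get-ChildItem -Path (Join-Path $env:SystemRoot 'WinSxS') -Directory -Filter '*servicecontroller*' |
    ForEach-Object {
        $copy = Join-Path $_.FullName 'services.exe'
        if (Test-Path $copy) {
            $h = (Get-FileHash -Algorithm SHA256 -Path $copy).Hash
            $state = if ($h -eq $liveHash) { 'same as live file' } else { 'differs from live file' }
            Write-Host ("  {0}`n    {1}  ({2})" -f $copy, $h, $state)
        }
    }

# 3. The genuine binary is Microsoft-signed; a patched copy reports HashMismatch.
#    On older Windows builds catalog-signed system files may show NotSigned even
#    when genuine, so treat the hash comparison above as the primary check there.
$sig = Get-AuthenticodeSignature -FilePath $live
Write-Host "`nSignature status: $($sig.Status)  Signer: $($sig.SignerCertificate.Subject)"
if ($sig.Status -ne 'Valid') {
    Write-Warning "services.exe is not validly signed; restore it from a matching WinSxS copy or run sfc /scannow."
}
```

Run it from an elevated PowerShell after the reboot. If fsutil lists only the System32 path, the hard link was not recreated; if the live hash matches no WinSxS copy, the repair did not take or the WinSxS copies themselves were tampered with, and sfc /scannow or an offline restore is the safer route.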