Trojan tr/sirefef.bp.1 really messed up Windows XP

Hi guys,

I need some help here. This trojan prevented my computer from doing DNS-requests (I could reach Google via its ip only). After removal (Avira eventually removed the infected files using its boot-cd method as Webroot stayed silent, probably because DNS had been taken out) I can no longer see my ip address, DNS-server, gateway, etc.. in the Windows GUI and an ipconfig command no longer completes (it yields an error).

Can Webroot still fix this?

many thanks,
Jeroen

 

If they can't i know who can, two choices both are very good at removing that kind of infection..

Bleeping Computers..

http://www.bleepingcomputer.com/forums/

Geeks To Go..

http://www.geekstogo.com/forum/

Hogndog

Or you can wait for the Web Root Prevx moderator to get here..

 

Thank you very much for the suggestions. I'm going to give Webroot and Avira a chance first as techncially Avira may have deleted a critical file (just saying the virus may have damaged those files which Avira then deleted) but Webroot didn't catch the infection either so they can both have a go.

 

Do you have Malwarebytes on your machine? It just may be that the infection is hiding that file and running Malwarebytes might shed some light on the subject. I have a fresh copy if you want to run it..

 

I'll summarise what I have done so far:

1) Avira Real Time protection quarantined the infected files (+- 30 files designated as Trojan/sirefef.bp.1). There were many pop ups by Avira so the virus must have been multiplying as Avira kept finding more of them.

2) Did a webroot scan (it found nothing)

3) Did a full system scan with Avira (it said it found hidden objects and recommended using the boot-cd to get rid of them). So the scan aborted and I made such CD on another system.

4) Scanned with the boot CD. It killed a rootkit. Hopefully all of it.

5) Did a Webroot scan but since there is no internet, it found nothing.

I'll run Malwarebytes as I had thought of it a few times but may I ask how I can update it on the afflicted system?

edit: found how in their Faq. I'll keep you posted

 

Do you have a thumb drive in order to make this work? If your Internet connection is bust that's the only way to get her done..

O.k. i see your edit..

 

Jeroen1000 if you ever come across an infection that Webroot SecureAnywhere does not remove you should always contact WSA support first as they have there own Malware removal staff that will help you free of charge! http://www.webrootanywhere.com/support

TH

 

^ +1

I tend to agree with this.

There are also things you can do within Webroot SecureAnywhere to remove a stubborn file.

 

@ STV0726 It's impossible to know if WSA can do anything at this point as Avira deleted a possible critical file and he can't go online with that system now because of it!

TH

 

My point exactly.

 

Do remark that WSA was already crippled before Avira did this (the infection took out DNS-communication). Or am I mistaken here (perhaps WSA does not use DNS?)
I saved all the quarantined files on a flash drive. Anyone interested in a WSA-scan of those on a system connected to the internet vs a scan on the system that is _not_ connected to the internet?

I also ran MBAM. A tip: you might want to disable = shut down WSA while you run it. WSA was consuming 90+ % CPU and was slowing MBAM down considerably. It took me 3 hours to realise.

MBAM found 14 objects related to something called the zeroshell rootkit (I'd have to double check the name, I just woke very early as I need to go to work in a few moments lol). There were in places like system volume information, and also in temporary folders. Nothing in "major" system folders unlike the mess Avira cleaned up.

And nope, this still has not restored my internet access

 

I'm thinking you should do as Triple Helix advised and get in touch with Web Root, I'm assuming you are their customer yes?

 

Will do. Yes, I am. I'm usually apt enough to solve this myself but this is proving quite hard. I'm just going to try sfc to restore protected files and then call it a day.

Edit: the rootkit is called zeroaccess and not zeroshell
And the virus has damaged at least TCP/IP and even IPconfig is not working. So I'm looking at replacing damaged files and possible the registry is messed up too. Hmm. A reinstall is probably faster but I want to fix this the hard way haha.

 

I hope this works out for you.. I'm thinking it will..

Hogndog

 

ZeroAccess rootkit: https://www.wilderssecurity.com/showpost.php?p=1951410&postcount=12

 

Thanks Dermot7, I already found a boatload of threads detailing dozen's of possible fixes regarding the network components. It appears this will require a lot more effort than sfc /scannow lol.

I'm unsure this thread is allowed to continue now as this has turned into "a how to recover from the zeroaccess rootkit" discussion.

 

Whatever happens I'd be interested to see how the Web Root people deal with this infection, they have a good team, i had a chance to work with one of the technicians when it was Webroot Spy Sweeper. keep us posted if you can..

Thanks..
Hogndog

 

i have to admit that i haven`t read all the posts but have you ever scanned your pc (after this infection) with hitman pro?
have a look at this:
http://www.youtube.com/watch?v=7ukG3Zv1RXk

 

I've scanned it with:

- Avira
- Webroot Secure Anywhere
- Malware-bytes (Mbam)
- And tools spefically targeted at ZeroAccess (Tools from Eset, Webroot and Kaspersky)

All report a clean bill of health (although you never can be sure) and hopefully the infection has been contained. So I'm done with scanning for now. I want to fix my networking components lolz.
I'm going to contact Webroot today and ask what they propose.

 

Update:

sfc /scannow failed. I wonder whether it did anything really. It kept nagging for the disc and when I clicked ok, it continued for a while and then nagged again. I'm quite sure it was the correct disc as I could sometimes "hear" it read files off it. Whether it truly did...I don't know.

Anywhere, then I tried a tool from Foolischtech, named D7 that would reïnstall and or reset the tcp/ip stack. Now, that did not work. Whether it contributed to the final solution is debatable.

Uninstalling SP3 did the trick. Of course you can then just install it again.

So Windows XP owners can try this as a solution if they are unlucky enough to catch this infection.

 

IMO, next time you could go straight to WSA support and have the infection looked at and cleaned with the double benefit of not needing to run all those tools with half baked results and giving the opportunity to support to improve WSA for future infections.

 

Well, Avira did attack the virus straight away so the damage was done. If I could mind control my users I would have lol. The other tools did the clean-up for the inactive components so I did find it useful.

 

Glad to hear you fixed it! But I agree with fax/b], and think bext time you should have gone straight to Webroot support

 

Yeah I should have and I did (eventually-). They were quick to advise me. And I've thanked them for their assistance. Such a bad virus is a first time for me.