Trojan tr/sirefef.bp.1 really messed up Windows XP

Discussion in 'Prevx Releases' started by Jeroen1000, Mar 27, 2012.

Thread Status:
Not open for further replies.
  1. Jeroen1000

    Jeroen1000 Registered Member

    Joined:
    Aug 18, 2008
    Posts:
    162
    Hi guys,

    I need some help here:). This trojan prevented my computer from doing DNS requests (I could reach Google via its IP only). After removal (Avira eventually removed the infected files using its boot-CD method as Webroot stayed silent, probably because DNS had been taken out) I can no longer see my IP address, DNS server, gateway, etc. in the Windows GUI and an ipconfig command no longer completes (it yields an error).

    Can Webroot still fix this?

    many thanks,
    Jeroen
     
    Last edited: Mar 27, 2012
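    The symptom described above (raw IP connections work, name resolution does not) is a classic sign of a tampered resolver, and it also explains why a cloud-backed scanner that depends on DNS goes quiet. The following added example is not from this thread or from any of the products mentioned; it is a small triage script that separates the cases a responder wants to tell apart: the local resolver is broken, outbound DNS traffic is blocked, or there is no connectivity at all. The probe hostname, the probe IP address, the external DNS server and the embedded sample response are constructed assumptions for illustration.

```python
"""Triage a suspected DNS-only outage: local resolver vs. DNS traffic vs. transport."""
import random
import socket
import struct
from typing import Callable, Dict, List

# Constructed probe targets (assumptions, not taken from the thread).
PROBE_HOST = "www.google.com"   # name we expect the local resolver to answer
PROBE_IP = "8.8.8.8"            # public IP that accepts TCP/443, reached without DNS
PROBE_PORT = 443
PROBE_DNS = "8.8.8.8"           # external recursive resolver queried directly on UDP/53


def build_query(name: str, txid: int) -> bytes:
    """Minimal DNS A/IN query: header with RD set, one question, no other sections."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _skip_name(data: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name in a DNS message."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, name ends here
            return off + 2
        off += 1 + length


def parse_response(data: bytes, txid: int) -> Dict[str, object]:
    """Return the response code and any A-record addresses in the answer section."""
    if len(data) < 12:
        raise ValueError("short DNS response")
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    off = 12
    for _ in range(qd):                # skip question entries: name + type + class
        off = _skip_name(data, off) + 4
    answers: List[str] = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append(".".join(str(b) for b in rdata))
    return {"rcode": flags & 0x000F, "answers": answers}


def resolve(host: str) -> bool:
    """Does the OS resolver (hosts file, DNS client, configured servers) answer?"""
    try:
        socket.getaddrinfo(host, PROBE_PORT)
        return True
    except OSError:
        return False


def connect(ip: str, port: int, timeout: float = 3.0) -> bool:
    """Can we open a TCP connection to a literal IP, bypassing DNS entirely?"""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def direct_lookup(server: str, name: str, timeout: float = 3.0) -> bool:
    """Ask an external resolver over UDP/53 ourselves, bypassing the OS resolver."""
    txid = random.randrange(0x10000)
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(name, txid), (server, 53))
            data, _ = s.recvfrom(512)
        reply = parse_response(data, txid)
        return reply["rcode"] == 0 and bool(reply["answers"])
    except (OSError, ValueError):
        return False


def classify(local_dns: bool, tcp: bool, external_dns: bool) -> str:
    if not tcp:
        return "no-connectivity"          # cannot say anything about DNS yet
    if local_dns:
        return "healthy"
    if external_dns:
        return "local-resolver-broken"    # raw IP and outside DNS work; the host's resolver does not
    return "dns-traffic-blocked"          # raw IP works but no DNS reply from anywhere


def triage(resolver: Callable[[str], bool] = resolve,
           connector: Callable[[str, int], bool] = connect,
           direct: Callable[[str, str], bool] = direct_lookup) -> Dict[str, object]:
    local_dns = resolver(PROBE_HOST)
    tcp = connector(PROBE_IP, PROBE_PORT)
    external_dns = direct(PROBE_DNS, PROBE_HOST)
    return {"local_dns": local_dns, "tcp": tcp, "external_dns": external_dns,
            "verdict": classify(local_dns, tcp, external_dns)}


# Constructed sample reply (example.com -> 93.184.216.34, TTL 60) used to exercise the parser offline.
SAMPLE_RESPONSE = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
                   b"\x07example\x03com\x00\x00\x01\x00\x01"
                   b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\x5d\xb8\xd8\x22")

if __name__ == "__main__":
    print(parse_response(SAMPLE_RESPONSE, 0x1234))
    print(triage())
```

    A verdict of local-resolver-broken is the one that matches the situation in this thread: the OS cannot resolve names while both raw TCP and a hand-built query to an outside resolver succeed, which points at the host's own resolver configuration (hosts file, DNS client service, configured servers or the TCP/IP stack) rather than at the network.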
  2. hogndog

    hogndog Registered Member

    Joined:
    Jun 9, 2007
    Posts:
    628
    Location:
    In His Service
    Last edited: Mar 27, 2012
  3. Jeroen1000

    Jeroen1000 Registered Member

    Joined:
    Aug 18, 2008
    Posts:
    162
    Thank you very much for the suggestions. I'm going to give Webroot and Avira a chance first as technically Avira may have deleted a critical file (just saying the virus may have damaged those files which Avira then deleted) but Webroot didn't catch the infection either so they can both have a go:).
     
  4. hogndog

    hogndog Registered Member

    Joined:
    Jun 9, 2007
    Posts:
    628
    Location:
    In His Service
    Do you have Malwarebytes on your machine? It just may be that the infection is hiding that file and running Malwarebytes might shed some light on the subject. I have a fresh copy if you want to run it..
     
    Last edited: Mar 27, 2012
  5. Jeroen1000

    Jeroen1000 Registered Member

    Joined:
    Aug 18, 2008
    Posts:
    162
    I'll summarise what I have done so far:

    1) Avira Real-Time Protection quarantined the infected files (+/- 30 files designated as Trojan/sirefef.bp.1). There were many pop-ups by Avira so the virus must have been multiplying as Avira kept finding more of them.

    2) Did a webroot scan (it found nothing):(

    3) Did a full system scan with Avira (it said it found hidden objects and recommended using the boot CD to get rid of them). So the scan aborted and I made such a CD on another system.

    4) Scanned with the boot CD. It killed a rootkit. Hopefully all of it.

    5) Did a Webroot scan but since there is no internet, it found nothing.

    I'll run Malwarebytes as I had thought of it a few times but may I ask how I can update it on the afflicted system?

    edit: found how in their FAQ. I'll keep you posted:)
     
    Last edited: Mar 27, 2012
  6. hogndog

    hogndog Registered Member

    Joined:
    Jun 9, 2007
    Posts:
    628
    Location:
    In His Service
    Do you have a thumb drive in order to make this work? If your Internet connection is bust that's the only way to get her done..

    O.k. i see your edit..;)
     
  7. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,014
    Location:
    Ontario, Canada
    Jeroen1000 if you ever come across an infection that Webroot SecureAnywhere does not remove you should always contact WSA support first as they have their own malware removal staff that will help you free of charge! http://www.webrootanywhere.com/support

    TH
     
    Last edited: Mar 27, 2012
  8. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    ^ +1

    I tend to agree with this.

    There are also things you can do within Webroot SecureAnywhere to remove a stubborn file.
     
  9. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,014
    Location:
    Ontario, Canada
    @ STV0726 It's impossible to know if WSA can do anything at this point as Avira deleted a possible critical file and he can't go online with that system now because of it!

    TH
     
  10. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    My point exactly.
     
  11. Jeroen1000

    Jeroen1000 Registered Member

    Joined:
    Aug 18, 2008
    Posts:
    162
    Do remark that WSA was already crippled before Avira did this (the infection took out DNS communication). Or am I mistaken here (perhaps WSA does not use DNS?)
    I saved all the quarantined files on a flash drive. Anyone interested in a WSA scan of those on a system connected to the internet vs a scan on the system that is _not_ connected to the internet?

    I also ran MBAM. A tip: you might want to disable (i.e. shut down) WSA while you run it. WSA was consuming 90+% CPU and was slowing MBAM down considerably. It took me 3 hours to realise:).

    MBAM found 14 objects related to something called the zeroshell rootkit (I'd have to double-check the name, I just woke very early as I need to go to work in a few moments lol). They were in places like System Volume Information, and also in temporary folders. Nothing in "major" system folders unlike the mess Avira cleaned up.

    And nope, this still has not restored my internet access:doubt:
     
  12. hogndog

    hogndog Registered Member

    Joined:
    Jun 9, 2007
    Posts:
    628
    Location:
    In His Service
    I'm thinking you should do as Triple Helix advised and get in touch with Web Root, I'm assuming you are their customer yes? :)
     
  13. Jeroen1000

    Jeroen1000 Registered Member

    Joined:
    Aug 18, 2008
    Posts:
    162
    Will do:). Yes, I am. I'm usually apt enough to solve this myself but this is proving quite hard. I'm just going to try sfc to restore protected files and then call it a day.

    Edit: the rootkit is called ZeroAccess and not zeroshell.
    And the virus has damaged at least TCP/IP and even ipconfig is not working. So I'm looking at replacing damaged files and possibly the registry is messed up too. Hmm. A reinstall is probably faster but I want to fix this the hard way haha.
     
    Last edited: Mar 28, 2012
  14. hogndog

    hogndog Registered Member

    Joined:
    Jun 9, 2007
    Posts:
    628
    Location:
    In His Service
    I hope this works out for you.. I'm thinking it will.. :thumb:

    Hogndog
     
    Last edited: Mar 28, 2012
  15. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,198
    Location:
    Surrey, England.
  16. Jeroen1000

    Jeroen1000 Registered Member

    Joined:
    Aug 18, 2008
    Posts:
    162
    Thanks Dermot7, I already found a boatload of threads detailing dozens of possible fixes regarding the network components. It appears this will require a lot more effort than sfc /scannow lol.

    I'm unsure this thread is allowed to continue now as this has turned into "a how to recover from the zeroaccess rootkit" discussion.
     
  17. hogndog

    hogndog Registered Member

    Joined:
    Jun 9, 2007
    Posts:
    628
    Location:
    In His Service
    Whatever happens I'd be interested to see how the Webroot people deal with this infection, they have a good team, I had a chance to work with one of the technicians when it was Webroot Spy Sweeper. Keep us posted if you can.. :)

    Thanks..
    Hogndog
     
  18. tipo

    tipo Registered Member

    Joined:
    Dec 29, 2008
    Posts:
    408
    Location:
    romania
  19. Jeroen1000

    Jeroen1000 Registered Member

    Joined:
    Aug 18, 2008
    Posts:
    162
    I've scanned it with:

    - Avira
    - Webroot Secure Anywhere
    - Malwarebytes (MBAM)
    - And tools specifically targeted at ZeroAccess (tools from ESET, Webroot and Kaspersky)

    All report a clean bill of health (although you never can be sure) and hopefully the infection has been contained. So I'm done with scanning for now. I want to fix my networking components lolz.
    I'm going to contact Webroot today and ask what they propose.
     
  20. Jeroen1000

    Jeroen1000 Registered Member

    Joined:
    Aug 18, 2008
    Posts:
    162
    Update:

    sfc /scannow failed. I wonder whether it did anything really. It kept nagging for the disc and when I clicked ok, it continued for a while and then nagged again. I'm quite sure it was the correct disc as I could sometimes "hear" it read files off it. Whether it truly did...I don't know.

    Anyway, then I tried a tool from Foolischtech, named D7, that would reinstall and/or reset the TCP/IP stack. Now, that did not work. Whether it contributed to the final solution is debatable.

    Uninstalling SP3 did the trick. Of course you can then just install it again. :)

    So Windows XP owners can try this as a solution if they are unlucky enough to catch this infection.
     
    Last edited: Mar 30, 2012
  21. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,731
    Location:
    localhost
    IMO, next time you could go straight to WSA support and have the infection looked at and cleaned with the double benefit of not needing to run all those tools with half baked results and giving the opportunity to support to improve WSA for future infections.
     
  22. Jeroen1000

    Jeroen1000 Registered Member

    Joined:
    Aug 18, 2008
    Posts:
    162
    Well, Avira did attack the virus straight away so the damage was done. If I could mind control my users I would have lol. The other tools did the clean-up for the inactive components so I did find it useful.
     
  23. d0t

    d0t Registered Member

    Joined:
    Apr 23, 2011
    Posts:
    181
    Glad to hear you fixed it! But I agree with fax, and think next time you should have gone straight to Webroot support :)
     
  24. Jeroen1000

    Jeroen1000 Registered Member

    Joined:
    Aug 18, 2008
    Posts:
    162
    Yeah I should have and I did (eventually:p-). They were quick to advise me. And I've thanked them for their assistance. Such a bad virus is a first time for me.
     