Solved Unable to fix Action Center notifications after virus Win64/Sirefef.B

Stupidly, I managed to get the Win64/Sirefef.B virus onto my PC.
Thankfully my virus scanner caught it before it could do any serious damage, but it's still left me with a few problems. Notably, the following:

• Security Center service was removed (I've since fixed this)
• Windows Firewall service was removed (I've since fixed this)
• The Action Center tray notification icon (white flag) no longer appears.

It's the final item that I've still not managed to restore.
Ironically, from searching various forums, there appear to be more posts wanted to remove it than restore it, but I quite like having it there. If something disables my firewall, I want to know about it ASAP, and that's what it does.

Things I already know
I no longer have the virus, I'm 99% certain of that, I just need to get the Action Center tray notifications back.
It's NOT been blocked by a group policy setting, it simply isn't running at all.
I've checked against a working PC, and that has ActionCenter.dll and ActionCenter.dll.mui loaded by Explorer.exe. No process on my PC has these items loaded.

Things I've already tried
The group policy settings.
Turning on the Action Center system icon (I can't, it's greyed out).
The ActionCenter.dll and ActionCenter.dll.mui files do exist on my PC, for whatever reason, explorer.exe just isn't attempting to load them.

So, can anyone offer any suggestions? I'm prepared to try anything except reinstalling Windows. I know this would work, but it's way more trouble than I want to go to. It was take me weeks to re-configure everything.

Thanks for any help you can give!

Cheers

Scott

Hi Scott, Welcome to Seven Forums.

I'm not entirely sure what the resolution to this is off the top of my head but just a quick question... where/how did you try to do the following?

MenaceF1 said:

Turning on the Action Center system icon (I can't, it's greyed out).

Click to expand...

Regards,
JDobbsy1987

Hi,

I right clicked the < icon in the tray area, and selected properties.
I'm given a list of System Icons, such as Clock, Volume, Power, and Action Center.
Power and Action Center are greyed out.
For Power, fair enough, I'm running a desktop.
But Action Center should allow me to turn it on/off, but I can't as it's greyed out.

I don't believe it's because the option to enable it is disabled somewhere.
I believe it's because the Action Center functionality isn't running.

Does that help?

Have you looked here? http://www.sevenforums.com/tutorials/19085-system-icons-enable-disable.html

Yes, that's the "Group Policy settings" that I've already tried. It's not a policy setting problem, the libraries themselves aren't being loaded into Explorer.exe.

SOLVED

Ok, I've managed to solve my own post, I'll give the details here anyway as it may benefit anyone else with a similar problem.

The virus had removed the following registry Key (amongst others):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}]
"AutoStart"=""

This starts the whole ball rolling for enabling the Action Center notifications.
When Explorer.exe starts, it looks for this key, and that it what then tells it to load ActionCenter.dll, and monitor for whatever messages it chooses to give.

Hope this is of use for someone else.

How did I find this out?
If anyone's interesting in more detail about how I managed to work this out, I decided to observe what the virus does in a controlled environment. So I created a virtual machine running Windows 7, and deliberately infected it with the same virus while running a tool called "Process Monitor" that tells me every file it creates or deletes, and crucially, every registry key it modifies or deletes.

This is how I discovered that it deleted that key, and I joined the dots up from there.

Many thanks for all those who tried to help, I hope my reply is useful!

I believe I'm supposed to mark this thread as solved?
I'll try to work out how to do that shortly.

Regards

MenaceF1

I'm glad you managed to fix it and thanks for posting it back.

Good work resolving it

Solution

Excellent detective work, Menace.

Great job figuring this out MenaceF1!! Persistence is the key to success, eh?

Now when someone does a search they have a better chance of finding the answer.

I'm curious as to whether you've also gotten the ability to mess with the visibility of the power icon. I think you should have that ability, too, as the two desktops I've got here let me manipulate the power icon visibility options. They are connected to UPSs though, maybe that has something to do with it.

Yes, I don't think there's anything sinister about the Power icon being greyed out on my PC. I believe windows will only enable it if it detects a device driver for a battery, UPS or similar. Same goes for the volume icon, if you don't have any audio hardware, that's greyed out too.

Gotcha. Wasn't necessarily thinking sinister (can't think of why any malware would try to block it), really just curious. Thanks for the response...

Since this morning I've also been dealing with what avast! identifies as Sirefef-JQ, Sirefef-IX, and Crypt-MBU. It was my first infection in nearly 20 years. I was able to kill the processes and clean up the remains before rebooting.

It disabled and then removed all of the services below, according to Event Viewer. You might want to see if these are missing for you. I've restored the registry keys from a full drive backup I (coincidentally) made last night. I'm just concerned about what else it did while it briefly had administrator rights.

Base Filtering Engine
Windows Firewall
Security Center
WinHTTP Web Proxy Auto-Discovery Service
IP Helper
Windows Defender

Sadly I have this too, i tried to copy MenaceF1's registry key thinking it would fix the problem, sadly no dice, while I got it working temporarily, the next day it was back to being greyed out in the system icons options thing and no longer at my task-bar where it should be, I have tried all the other ideas and fixes on the net yet this one seems to be the only thing close to a solution. I have run all the virus scans and malware scans using combofix, malwarebytes, avg2012 and spybot search and destroy. My question is this. Should i copy the registry entry again as it appears in MenaceF1's post again and see what happens??....

This is a realy serious Trojan/Rootkit, ricksta


Encyclopedia entry
Updated: Sep 20, 2011 | Published: Jun 21, 2011

Aliases

• BackDoor.Maxplus.23 (Dr.Web)
• ZeroAccess.b (McAfee)
• Zero Access rootkit (other)
• Max++ (other)
• ZAccess (other)
  Severe
  Encyclopedia entry: Trojan:Win64/Sirefef.B - Learn more about malware - Microsoft Malware Protection Center

Cool, more info. Hey got an update about this issue of mine. I managed to get the action centre working again, but still cant get the little white flag on the task bar working again. Real nasty piece of work this Trojan/Rootkit is. Does anyone know where I can get a copy of a clean registry from??....for the action centre?....

MenaceF1 said:

If anyone's interesting in more detail about how I managed to work this out, I decided to observe what the virus does in a controlled environment. So I created a virtual machine running Windows 7, and deliberately infected it with the same virus while running a tool called "Process Monitor" that tells me every file it creates or deletes, and crucially, every registry key it modifies or deletes.

Click to expand...

Would you mind sharing that log? I want to see if I've missed anything.

And do you have any idea how it got into your system? That's my biggest concern now. I THINK all I was doing at the time was browsing hotels.com and Google Maps in Firefox 11.

ricksta said:

Cool, more info. Hey got an update about this issue of mine. I managed to get the action centre working again, but still cant get the little white flag on the task bar working again. Real nasty piece of work this Trojan/Rootkit is. Does anyone know where I can get a copy of a clean registry from??....for the action centre?....

Click to expand...

I've attached a registry file containing the text below. Save it, double-click on the file in Explorer, and choose "Yes" to merge. The Action Center setting should no longer be greyed out after you restart Windows.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}]
"AutoStart"=""

Great news and really bad news. The Action centre has been fixed and now pops up as it should be. But I think the monster virus has taken on a bad turn. About 5 minutes ago my computer went haywire, threw up a warning message that my copy of windows isn't genuine. Now it appears as though something new has possessed my pc. A watermark message now appears on my desktop "Windows 7 Build 7601 This Copy of Windows Is not Genuine". and I cant update the pc nor can I get updates for MSE. What the heck is going on. Id love to get my hands around the neck of the s.o.b. that made this virus. Any help would be greatly appreciated. pls help

Hey all. Well, i took the easy road and re installed windows 7. Suffice to say it was the nastist virus i have ever encountered in my life . It got the best of me...lol. Thanks anyway. i guess if anyone else gets this virus, this is the check list. Action centre flag no longer appears, MSE will no longer allow updates. Action centre no longer launches (for me anyway). Greyed out system icons in the taskbar options. Hey if anyone else gets this nasty, be careful fiddling with the services and registry.

hi

thank you very very much profi i like to have contact whith you on msn if you would like too.sorry for bad english
bye have a nice day