Solved Many backdoors/various Trojans/rootkit. Shutdowner present

[MelancholyRose]

To start off, I got this virus a few weeks ago. My graphics card's fan failed and I fixed it by now.

This virus entered my system by what I assume was an e-mail link. I was receiving various random junk mails that I tried to unsubscribe from. A few minutes later weird sounds and advertisements began happening. Next thing I knew, Microsoft Security Essentials was uninstalled and my firewall was down/missing. I reinstalled Essentials to find out what I was infected with. It repeatedly said Sirefef.

A shutdowner of some kind got installed and wouldn't allow me to work on my HDD for more than 30 seconds. It will pop up with an error message as soon as I get into Windows, EVEN in Safe Mode. I didn't have enough time to get a new malware-remover of some kind to restore the system, because my computer is only operational for 30 seconds on startup.

I made a Kaspersky Rescue Disk, and started it up. I scanned everything and it found many Trojans. I deleted/disinfected them. I got back into Windows in Safe Mode and I still get a "critical error" message and it shuts down in 30 seconds again. So I ran the Rescue Disk a second time. It didn't find any "threats" exactly, except for:

-Trojan program: Exploit.Jav - a .class file found in the cache
-Trojan program: Trojan.Win - found in AppData/Local/Temp and is a jumble of numbers. It's an executable file.

I would remove these via the Rescue Disk, but it won't let me do anything with them. It says "Status: Absent" under their detection and says "Not Found." It only appears under the "All" dropdown menu, not "Active Threats." Kind of sneaky, if this is the Trojan's work, because I can't delete them.

I downloaded a bunch of other anti-virus programs, including the rootkit removal tool from Kaspersky (TDSSKiller), EZSireFix, HitmanPro, ServicesRepair, and I have MalwareBytes already on the system, intending to use them, but I cannot get into Windows. I get a restart almost immediately, and yes, still in Safe Mode as well.

Is it possible to use the programs from a flash drive while in the Kaspersky Rescue Disk?

 

[HonorGamer]

Try giving http://www.sevenforums.com/tutorials/166445-windows-defender-offline.html a shot.

But I honestly gotta say that, that is one mean virus.

-Justin

 

[MelancholyRose]

All right. I'll try that. Hopefully it's reliable. I've kind of hit a speed bump trying to kill this sucker.

 

[HonorGamer]

Yes it is reliable. Everyone here recommends that if MSE or Malwarebytes doesn't get em. And i bet.

-Justin

 

[MelancholyRose]

I'm actually honestly very shocked that the Kaspersky Disk couldn't beat it all. Kaspersky is usually a great anti-virus software company :/ Oh well, I'll try this, too. If it could at least get the shutdowner off of there I can use other programs to fix the residual damage.

 

[HonorGamer]

I do hope WDO will work for you. I also heard that Kaspersky is a good A/V. But not even the best A/V can take care of every virus.

-Justin

 

[MelancholyRose]

Windows Defender Offline cannot be started.

Error: Unable to detect a Windows system drive. This could be due to missing drivers, an encrypted drive, or a corrupted Windows installation.

Error Code: 0x8004cc01

That... doesn't look good at all.

 

[Borg 386]

It repeatedly said Sirefef.

Depending on the variant you have, it may have done irreparable damage.

Encyclopedia entry: Trojan:Win32/Sirefef.AC - Learn more about malware - Microsoft Malware Protection Center

Win32/Sirefef is a multi-component family of malware that uses stealth to hide its presence on an affected computer. Due to the nature of this threat, the payload may vary greatly from one infection to another, although common behavior includes:

• Downloading and executing of arbitrary files
• Contacting remote hosts
• Disabling of security features

Caution: Win32/Sirefef is a dangerous threat that uses advanced stealth techniques in order to hinder its detection and removal. Particular variants of Win32/Sirefef may also make lasting changes to your computer that will NOT be restored - some system files may be irrevocably corrupted and essential security services may be disabled.

As a consequence of being infected with this threat, you may need to reinstall your Windows operating system and other computer programs, and restore your files and data from backup.

A clean reinstall would be the best/safest option.

http://www.sevenforums.com/tutorials/1649-clean-install-windows-7-a.html

 

[HonorGamer]

If you have a Windows Insallation disk, Boot from that and follow this: http://www.sevenforums.com/tutorials/668-system-recovery-options.html

Seems like the virus decided to take some important system files with it.

-Justin

 

[MelancholyRose]

Erm... well, should I try repairing first before reinstalling?

What recovery option should I be using, by the way? Startup repair, system restore, etc?

 

[HonorGamer]

Try a system restore to the point before you clicked on the spam and such.

Like what borg said, it may not be fixable.

-Justin

 

[MelancholyRose]

Click on Repair your computer. (See screenshot below)

​

5. Select which operating system you want to restore and the click on Next. (See screenshot below)
NOTE: If Windows 7 is not listed here, or it is blank, then it is ok. Click on Next anyway.

It wasn't listed, it was blank, and I clicked Next anyway. I went to System Restore and it said:

To use System Restore, you must specify which Windows installation to restore. Restart this computer, select an operating system, and then select System Restore.

I thought I could leave it blank?

I didn't click Load Drivers. Should I try that?

 

[F5ing]

Although you might be able to get a deeply infected machine back into a 'workable' state it will likely take more than one program to do it.

But even if you can get it back into that 'workable' state I wouldn't trust it. I'd wipe that disk clean and reinstall. Quicker that way, and you can then be confident that it's secure.

Back up all your data to reliable media first though.

 

[F5ing]

To use System Restore, you must specify which Windows installation to restore. Restart this computer, select an operating system, and then select System Restore.

I thought I could leave it blank?

I didn't click Load Drivers. Should I try that?

System Restore might work, but you should be aware that your restore points can contain the malware too. Definitely contains it if you've been infected for some time.

 

[MelancholyRose]

I need to get that shutdown to stop happening before I can back anything up. I'm having a friend help me.

 

[kegobeer]

The easiest thing to do is to remove the drive and slave it into another computer (with up to date virus definitions, of course). Copy your essential files to the other computer. Put the drive back into the original computer, and reinstall Windows.

 

[MelancholyRose]

Apparently the Services.exe file is damaged, and that's what's causing the shut downs, not a virus. I thought to do an sfc scannow, but for some reason my computer just doesn't show my OS. It acts like I don't have one, even though I definitely do.

What I think is causing that is, I use a RAID 1 mirror. My other hard drive isn't being used right now, it hasn't been used for a while, so I'm using only the one drive. Do I need my RAID driver to get to my OS?

If so, do I need to use RAID drivers or Chipset drivers? http://support.amd.com/us/gpudownload/windows/Pages/raid_windows.aspx [EDIT: I'm thinking it's the AHCI Controller Driver under chipsets.]

EDIT: Looks like this is probably it. http://www.sevenforums.com/tutorials/68942-sata-drivers-load-windows-recovery-options.html

 

[OldMX]

My mother in law's laptop got infected and I got tired of fighting this rootkit because of the afterall damage to core files which SFC couldnt fix, ended wiping the disk and reinstalling clean, one thing I'm clueless about is how is this infection spreaded?

 

[MelancholyRose]

Judging on what I've read/been told about Sirefef is that if you try to remove it, it hides in system files and copies itself to Registry keys and such.

 

[Jacee]

This sounds like the Zero Access Rootkit. It has created a hidden partition to hide itself from being found and fixed. This is quite a nasty Rootkit!

Save what you can (pictures, important documents), then wipe your OS and do a "clean" install.