You’ve Got a Virus!

How to remove stubborn PC viruses

This article was prompted by my experience the past two days with disinfecting one of my customer’s computers. He had managed to pick up the Trojan:Win64/Sirefef.Y infection, which typically produces this dialog box:

It also prevents the Windows Security Center from running, shuts off the Windows Firewall, and protects itself from removal by normal methods. One of the infection vectors is the use of an outdated Java runtime; more about that later.

So, over the course of the day, I tried the following:

So, with no effective results under my belt at this point, in desperation I turned to Microsoft. Now, anyone who knows me knows I am not Microsoft’s biggest fan. In fact, I’d have been perfectly happy if Bill Gates had sold used cars (along with Steve Jobs) instead of founding a software dynasty; but this article is credit where credit is due.

First, I had to download Windows Defender Offline (aka “WDO”) and burn it to a CD. Other options are making a DVD, or using a USB flash drive. Note: build the media immediately before you use it, so that it carries the latest malware definitions. It should go without saying that you do this on a known “clean” (i.e., uninfected) PC.


Then I booted from the freshly-burned CD and did a full scan.  The original Sirefef.Y infection was found and cleaned.

Ah, but we weren’t finished yet!

I copied services.exe from the C:\Windows\System32 folder on a “clean” machine onto a USB stick (the donor machine must be the same Windows version, architecture and patch level, or the replacement will not match the rest of the system). Then, booting from the Ultimate Boot CD for Windows, I overwrote the one on the infected PC. This might not be a necessary step, but I work on the “belt and suspenders” theory, and it made me confident that the file itself was no longer infected. Then, using UBCD4Win, I searched out and deleted all other copies of services.exe, to prevent the automatic reinstallation of the same virus.

Now the tricky part: I booted from the WDO CD again, and ran another full scan. It found and removed another 8 or 10 infections that had been hidden by the Sirefef.Y trojan! Without the second scan, I’d have unwittingly put the PC back into service and probably have found myself tearing my hair out, trying to find the subtle problems these other malware packages caused.

Next, I booted into the freshly-cleaned system, and used the System Protection applet to remove all existing restore points and create a new one.

Finally, after checking to make sure the Windows Security Center was running and Windows Firewall was on, I updated Microsoft Security Essentials and ran a full scan with that. No malicious software found!

Right now, I am making sure the same vulnerability cannot be exploited again: I’ve deleted all Java runtime installations and installed the latest (Java 7 Update 5), and Windows Updates are underway.
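The checks above (services.exe replaced, stray copies gone, Security Center and Firewall running, only one current Java runtime left) were done by hand. The following PowerShell script is an added example, not from the original post, that performs the same verification on the cleaned PC from an elevated prompt. The reference hash placeholder and the "expected" directories are assumptions: compute the hash yourself on a clean machine of the same Windows build, and note that Windows keeps its own servicing copies of services.exe in the WinSxS component store, so only copies outside System32 and WinSxS are flagged.

```powershell
# Added example (not part of the original post). Run elevated on the cleaned PC.
# Assumption: $ReferenceSha256 is the SHA-256 of services.exe taken from a clean
# machine of the SAME Windows version, architecture and patch level.
$ReferenceSha256 = 'PASTE-HASH-FROM-CLEAN-MACHINE-HERE'   # placeholder, fill in

# Hash helper using .NET directly so it also works on PowerShell 2/3,
# which predate the Get-FileHash cmdlet.
function Get-Sha256Hex([string]$Path) {
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try   { $bytes = $sha.ComputeHash($stream) }
    finally { $stream.Close() }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

# 1. Does the live services.exe match the known-clean copy?
$target = Join-Path $env:SystemRoot 'System32\services.exe'
$actual = Get-Sha256Hex $target
if ($actual -ieq $ReferenceSha256) {
    "OK: $target matches the clean reference"
} else {
    "WARNING: $target hash $actual does not match the reference"
}

# 2. Any other services.exe on the system drive? System32 and the WinSxS
#    component store are expected; copies anywhere else are suspicious.
$expected = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'WinSxS')
)
Get-ChildItem -Path "$env:SystemDrive\" -Filter services.exe -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object {
        $dir = $_.DirectoryName
        -not ($expected | Where-Object { $dir.StartsWith($_, 'OrdinalIgnoreCase') })
    } |
    ForEach-Object {
        "Unexpected copy: $($_.FullName) ($($_.Length) bytes, modified $($_.LastWriteTime))"
    }

# 3. Security Center (wscsvc) and Windows Firewall (MpsSvc) services, plus the
#    per-profile firewall state that the Control Panel shows.
foreach ($svc in 'wscsvc', 'MpsSvc') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($null -eq $s) { "WARNING: service $svc not found" }
    else { "$svc ($($s.DisplayName)): $($s.Status)" }
}
netsh advfirewall show allprofiles state

# 4. Java runtimes: the JavaSoft keys show what Java thinks is current, the
#    Uninstall keys catch leftover older JREs that were never removed.
$javaKeys = 'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment',
            'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment'
foreach ($key in $javaKeys) {
    if (Test-Path $key) {
        $cur = (Get-ItemProperty -Path $key -Name CurrentVersion -ErrorAction SilentlyContinue).CurrentVersion
        $all = (Get-ChildItem -Path $key | ForEach-Object { $_.PSChildName }) -join ', '
        "$key : CurrentVersion=$cur subkeys=$all"
    }
}
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Java*' } |
    ForEach-Object { "Installed: $($_.DisplayName) $($_.DisplayVersion)" }

# Cross-check what actually runs from PATH; an old JRE found first there is the
# one a launcher would pick up regardless of what the registry says.
if (Get-Command java -ErrorAction SilentlyContinue) { & java -version 2>&1 }
```

If step 4 lists more than one Java entry, the old ones are still on disk and still exploitable until they are uninstalled; seeing only the single current version is the result the cleanup was aiming for.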

All in all, about 10 hours of work to fix a problem that would not have existed if Java had been kept up-to-date. I am a sad, but much more diligent, panda.


About icesnake

Icesnake, known to Law Enforcement the world over as Rich Tietjens, retired from the US Army in 1992 and has spent the intervening years attempting to die with the most gadgets, and thus, win. To this end, he has written software both as a freelance programmer and a paid consultant, tested network products and built driver disks for Intel, operated a Web hosting service for ten years, built more personal computers than any sane man would ever want, collected seven cats, and finally settled down in Oregon as the Information Technology Training Coordinator (fancy talk for "help desk and PC tech") for a small manufacturing firm. Rich started playing Dungeons and Dragons in 1976 and has never given up the RPG habit, progressing through Diablo, Everquest, Asheron's Call, Diablo 2, and World of Warcraft. Most evenings you can find him on Trollbane-US playing his mage, Icesnake - who is an Engineer and is trying to collect all the cool gadgets in Greater Azeroth... And so it goes.