Solved Zeroaccess, Sirefef and Windows 7 reboot loop

Brilliant - you're a star! I'll run through all the steps, see how the computer runs and let you know.

Out of interest I have a couple of quick questions, though I appreciate the demands on your time!
  • What happens with the various versions of Win32/Sirefef in quarantine?
  • What does this line in the FSS scan mean? "Attempt to access Local Host IP returned error: Localhost is blocked: Destination is offline".

OTL logs etc. to follow...
 
If you ran all the final steps, OTL Cleanup took care of the FRST quarantine folder.

As long as your connection is fine, the FSS item is meaningless. If you run it right after a restart, FSS may not catch an existing connection.

Good luck and stay safe :)
 
Thanks, that's good to know. :) MSE history shows Sirefef.AB has been quarantined a number of times, although they don't appear in scans, so were those taken care of?

I ran the OTL script (results below), and I'm up to Step 4; Windows installed updates with one failure that I'll try again after the reboot. Great instructions, and thanks for the tips and tool suggestions. I'll check how the computer behaves when running a few typical programs and, as per step 13, I'll let you know...though all seems to be good as far as I can tell! (y)You're a star, mon amie!(y)

I have a removable sata drive that I used with the infected PC recently, before the clean-up - what's the best way of checking that it is safe? (I haven't used it on any other PC).





All processes killed
========== OTL ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: praAnkster
->Temp folder emptied: 1297423 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 2027 bytes
->Google Chrome cache emptied: 15969692 bytes
->Flash cache emptied: 379 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 992628 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 17.00 mb


[EMPTYFLASH]

User: All Users

User: Default

User: Default User

User: praAnkster
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb


[EMPTYJAVA]

User: All Users

User: Default

User: Default User

User: praAnkster
->Java cache emptied: 0 bytes

User: Public

Total Java Files Cleaned = 0.00 mb

Restore point Set: OTL Restore Point

OTL by OldTimer - Version 3.2.56.0 log created on 08092012_214832

Files\Folders moved on Reboot...
C:\Users\praAnkster\AppData\Local\Temp\~DFD5E6FC3858906C25.TMP moved successfully.
File\Folder C:\Windows\temp\ZLT008d6.TMP not found!

PendingFileRenameOperations files...
File C:\Users\praAnkster\AppData\Local\Temp\~DFD5E6FC3858906C25.TMP not found!
File C:\Windows\temp\ZLT008d6.TMP not found!

Registry entries deleted on Reboot...
 
If you ran all final steps OTL Cleanup took care of FRST quarantined folder.
Yeah, I suspected that they were the same instances of the virus that MSE had quarantined, but was unsure as MSE identified it as Sirefef.AB and the FRST quarantined folder contained Sirefef.FC. MSE also shows them as still in quarantine (with the option of removing - which I'm not going anywhere near unless told to! :) ).


As for how my computer is doing...the only issue so far is...
I tried that stubborn Windows update again, but it failed again. (No problem, I'll look into that.) I used Chrome right away to look up the updater error, and the computer hung (no keyboard or mouse response)...I tried a soft reboot, Chrome closed after showing the "He's dead Jim" page crash error... the machine showed "Task Host Window" and "Windows Update" were preventing Windows from shutting down and hung again... eventually I had to do a hard reboot. Since then it seems OK.

So fingers crossed...
 
Yeah, just the one. I was just about to post the details: I loaded up Chrome and got a Windows message saying Chrome had failed. I clicked on close program, but it appeared Chrome was still running; then, as I was about to copy details from the Windows Update logs, the system hung. I did a soft shutdown and this worked. Just waiting for it to boot again...
 
It is this one...
Security Update for Windows 7 (KB2667402)
Installation date: 09/08/2012 23:41
Installation status: Failed
Error details: Code 8024200D
Update type: Important
A security issue has been identified that could allow an unauthenticated remote attacker to cause the affected system to stop responding. You can help protect your system by installing this update from Microsoft. After you install this update, you may have to restart your system.
More information:
http://go.microsoft.com/fwlink/?LinkId=232664
Help and Support:
http://support.microsoft.com
That is the one that failed and is pending to be installed; however, I noticed a couple have failed in the past. Security Update for .NET Framework 3.5.1 (KB2656355) is the only important one that appears unresolved (although it is not pending in the Windows Update list).
Oh, I've just discovered KB2667402 in the "Installed Updates" list. It was installed the last time the installer ran before today. Interesting.

I'll have to look at it in the morning as it is late here. All the best, Matt
 
Regarding the update (KB2667402), I tried uninstalling the update and then ran Windows Update to reinstall...and it worked!

From searching around this seems to be a common problem with this update, and the fix above seems to work for most.
(Some speculate that the problem arises because MS updated the update, and some machines may be trying an improper over-install).

That just leaves (KB2656355), although Windows Update does not prompt for it to be downloaded - maybe it has been superseded by a later update.

I haven't had Chrome hang again but I've only used it briefly. I'll give it a good workout now! I'm just about to download the other tools in Step 5 onwards (WOT etc.).

So unless you hear back from me I *think* we are done. Broni you are a legend! Thanks for your help, time and security tips. (I must admit that searching through Techspot I was hoping you'd help me out having seen the good work you'd done with others). I'll be sending a small thank you to your paypal when I can, and if you enjoy music I can send you a free sampler of my work by way of thanks (although it may not seem like thanks when you listen to it!). ;)
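The uninstall-then-reinstall fix for KB2667402 described in the post above, written out as an added PowerShell example (not code from the thread or from TechSpot). It assumes a Windows 7 box with an elevated prompt; the KB numbers are the two named in the thread, and the log search for error 8024200D relies on the plain-text WindowsUpdate.log that Windows 7 keeps (Windows 10 stores that log in ETL form instead).

```powershell
# Added example, not from the original thread.
# 1) Report whether the two KBs discussed are present in "Installed Updates".
# 2) Uninstall the update that keeps failing with 8024200D (the post's fix, step 1).
# 3) After a reboot, ask the Windows Update agent to re-detect so it is offered again (step 2).
# Run from an elevated PowerShell prompt on Windows 7.
param(
    [string[]]$KBs = @('KB2667402', 'KB2656355'),   # KB numbers taken from the thread
    [string]$FailingKB = '2667402'                   # the one to remove and reinstall
)

# Get-HotFix reads the same list the thread calls "Installed Updates".
foreach ($kb in $KBs) {
    $hotfix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
    if ($hotfix) {
        "{0} is installed (InstalledOn: {1})" -f $kb, $hotfix.InstalledOn
    } else {
        "$kb is not installed (pending, failed, or superseded by a later update)"
    }
}

# Show the agent's own record of the failure, if the plain-text log exists (Windows 7).
$wuLog = Join-Path $env:windir 'WindowsUpdate.log'
if (Test-Path $wuLog) {
    Select-String -Path $wuLog -Pattern '8024200D' |
        Select-Object -Last 5 |
        ForEach-Object { $_.Line }
}

# Step 1 of the fix: remove the failing update with the stand-alone installer.
# Exit code 0 means done; 3010 means done but a reboot is required.
$wusa = Start-Process -FilePath (Join-Path $env:windir 'System32\wusa.exe') `
    -ArgumentList "/uninstall /kb:$FailingKB /quiet /norestart" -Wait -PassThru
"wusa.exe exit code for KB$FailingKB uninstall: $($wusa.ExitCode)"

# Step 2 of the fix: after rebooting, make the Windows 7-era client re-scan so Windows Update
# offers the KB again; then install it from the Windows Update window as the post describes.
if ($wusa.ExitCode -eq 0) {
    Start-Process -FilePath (Join-Path $env:windir 'System32\wuauclt.exe') `
        -ArgumentList '/detectnow' -Wait
    "Detection requested; check Windows Update for KB$FailingKB."
} elseif ($wusa.ExitCode -eq 3010) {
    "Reboot required before Windows Update can re-offer KB$FailingKB; run wuauclt /detectnow afterwards."
}
```

Checking the KB with Get-HotFix first matters for the second case in the post: an update that never shows up in Windows Update and is absent from the installed list has usually been superseded, so there is nothing to uninstall and re-detect.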
 