Solved Windows Server 2008, Sirfef.b/y and zeroaccess

[Broni]

See if you can access Windows updates.

 

[avenged187]

Yes, Update is working now.

 

[Broni]

Excellent.

ZeroAccess rootkit will often mess up MSE so you may need to reinstall it.

When ready let me know what else is not working.

 

[avenged187]

Going to reinstall MSE first. But it appears that some of the industry software that we use which is java based is non-functioning now.

 

[Broni]

One thing at a time please.

 

[avenged187]

Sorry. Just listing them off as I'm thinking of them. Been working on trying to get this server back in shape since 6pm last night.

 

[avenged187]

Ok, MSE reinstalled, updates working fine on that end.

 

[avenged187]

I think the java apps just need to be reinstalled, probably corrupted with all the changes. And just have to replace the firewall rules (ugh). but it seems as though most things are running correctly now.

 

[Broni]

Zero Access rootkit is not a joke so I'm not surprised some programs got messed up.
Hold on. I have to scroll up to see where we're at.

 

[Broni]

OK, see if Security Check will run now.

Also I'll need Eset scan log.

 

[avenged187]

security check is still not running properly. saying that every command is not recognized as an internal or external command.

 

[Broni]

Can you give me one example with full wording?

 

[avenged187]

'find' is not recognized as an internal or external command, operable program or batch file.

 

[Broni]

Hopefully it's just messed up path not files themselves.

First check if you can find "find.exe" in d:\Windows\System32 folder.

 

[avenged187]

I see find, as well as many other commands that weren't working in cmd, but its in c:\windows\system32. d: is simply the storage drive. no windows folder

 

[Broni]

I think we have a simple solution for it.
Your "path" is messed up.
See here how to fix it: http://helpdeskgeek.com/how-to/fix-not-recognized-as-an-internal-or-external-command/
Most likely you have c:\windows\system32 item missing from "path".
let me know...

 

[avenged187]

I have %systemroot%\system32 in there, which I thought should default to c:\windows\system32. I copied it and pasted it to notepad, and could paste it here.

 

[Broni]

It should.
I'm not really sure what's going on there.

Since we're getting well outside malware removal subject I want you to run Eset scan so we can wrap up malware removal part.

As for your other issue you'll have to create new topic in Windows forum.
I'm simply too busy here.

 

[Broni]

I've noticed that FSS was also looking for drivers in "D" drive so it must be something in your "path".

 

[avenged187]

Understood. Did you want me to run TFC first? or just the Eset?

 

[Broni]

TFC then Eset but also read my previous reply.

 

[avenged187]

Also, ESet is not running. When I click to have it run a scan, and accept the terms, it defaults to a blank grey window.

 

[Broni]

Try different browser.

 

[avenged187]

ok. TFC just finished. Server is rebooting.

 

[avenged187]

Also, oddly, changing %systemroot% to c: in path apparently fixed the problem, and security check just finished