gupdate (SIRESEF) trojan not removed via avast!

Hi,

I am new to the forum, and apologize if I do not follow every rule. But I am at wit’s end with this SIRESEF infection which I cannot seem to get rid of.

The details are thus:

[ol]- There is a folder “C:\Program Files(x86)\Google\Desktop\Install{numbers}\.…\” which I cannot open. I tried to delete the “C:\Program Files(x86)\Google\Desktop” folder, but Windows told me “Access Denied”. I got the same error when I tried to give my account (with Administrator privileges) full control of the folder.

  • There are registry keys in HKEY_LOCAL_MACHINE\System\CurrentControlSet\services listed as “gupdate”, but in fact their real name is “!etadpug”. They have a Preferences subfolder, but I cannot delete these keys. I get the error “.yek gniteled elihw rrorE” whenever I try.
  • There is a Google Update service running (pointing to the folder in 1), but I cannot Stop/Disable it, because I get the error “service with the same name exists” or something like that.[/ol]

I originally became aware of this infection after avast! alerted me to another (similar) folder, “C:\Users\steve\AppData\Local\Google\Desktop\Install”. I was able to delete that folder in safe mode; the corresponding one in Program Files(x86) cannot be deleted, even in safe mode.

A boot scan by avast! does not find anything untoward. Malwarebytes’ RegASSASSIN claims to delete the offending registry keys, but does not. A Quick Scan by avast! finished with the recommendation to delete the Google Update service. I clicked OK, but the service was not removed.

All I’ve been able to do is delete that AppData folder, and change some of the Registry values in the !etadpug key (in particular, the pointer to the Program Files(x86) is now null). Can anyone tell me how to remove this darn malware? If I need to post a log or anything like that, please let me know. Also I should mention I am a novice when it comes to advanced techniques (it took me a long while to figure out how to delete that AppData folder), so please be detailed (and patient!) when replying. I greatly appreciate it.

Thanks,
Steve

Hi you will need to run this programme and attach the generated log

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

[*]Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
[*]Press Scan button.
[*]It will produce a log called FRST.txt in the same directory the tool is run from.
[*]Please copy and paste log back here.
[*]The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.

OK I’ve attached those files (too long to paste).

Thanks,
Steve

OK lets kill it

Copy all of the text in the Code box to a notepad file

HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
U2 *etadpug; "" <==== ATTENTION (ZeroAccess)
C:\Program Files (x86)\Google\Desktop\Install
DeleteJunctionsIndirectory: C:\Program Files\Windows Defender

Save the file to the same location as FRST as Fixlist.txt
Run FRST as before and press fix
A fix log will then be created post that here

THEN

Download OTL to your Desktop
Secondary link

[*]Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.

https://dl.dropbox.com/u/73555776/OTL_Main_Tutorial.gif

[*]Select All Users
[*]Under the Custom Scan box paste this in

netsvcs
BASESERVICES
%SYSTEMDRIVE%*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
dir “%systemdrive%*” /S /A:L /C
CREATERESTOREPOINT

[*]Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Attach both logs

Thanks so much! I have attached OTL.txt and Extras.txt . Here is the content of the FRST fix log:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 24-09-2013
Ran by steve at 2013-09-24 11:46:15 Run:1
Running from C:\Users\steve\Downloads
Boot Mode: Normal

Content of fixlist:


HKCU.…\Run: [Google Update*] - <===== ATTENTION (ZeroAccess rootkit hidden path)
U2 *etadpug; “” <==== ATTENTION (ZeroAccess)
C:\Program Files (x86)\Google\Desktop\Install
DeleteJunctionsIndirectory: C:\Program Files\Windows Defender


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Google Update* => Value deleted successfully.
*etadpug => Service deleted successfully.
C:\Program Files (x86)\Google\Desktop\Install => Moved successfully.
“C:\Program Files\Windows Defender” => Deleting reparse point and unlocking started.
“C:\Program Files\Windows Defender\en-US” => Deleting reparse point and unlocking done.
“C:\Program Files\Windows Defender\MpAsDesc.dll” => Deleting reparse point and unlocking done.
“C:\Program Files\Windows Defender\MpClient.dll” => Deleting reparse point and unlocking done.
“C:\Program Files\Windows Defender\MpCmdRun.exe” => Deleting reparse point and unlocking done.
“C:\Program Files\Windows Defender\MpCommu.dll” => Deleting reparse point and unlocking done.
“C:\Program Files\Windows Defender\MpEvMsg.dll” => Deleting reparse point and unlocking done.
“C:\Program Files\Windows Defender\MpOAV.dll” => Deleting reparse point and unlocking done.
“C:\Program Files\Windows Defender\MpRTP.dll” => Deleting reparse point and unlocking done.
“C:\Program Files\Windows Defender\MpSvc.dll” => Deleting reparse point and unlocking done.
“C:\Program Files\Windows Defender\MSASCui.exe” => Deleting reparse point and unlocking done.
“C:\Program Files\Windows Defender\MsMpCom.dll” => Deleting reparse point and unlocking done.
“C:\Program Files\Windows Defender\MsMpLics.dll” => Deleting reparse point and unlocking done.
“C:\Program Files\Windows Defender\MsMpRes.dll” => Deleting reparse point and unlocking done.
“C:\Program Files\Windows Defender” => Deleting reparse point and unlocking completed.

==== End of Fixlog ====

You may need to re-install windows defender… OK repair and final check time. Can you confirm the alerts have ceased

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

I think this did the trick! My computer is running fine. The malicious Google Update service no longer appears in services.msc; the Program Files(x86) folder has been removed; and the suspicious registry keys for etadpug are gone. Thanks so much once again!

The ComboFix.txt log is attached.

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Remove ComboFix
[*]Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
[*]In the Run box, type in ComboFix /Uninstall
(Notice the space between the “x” and “/”)
then click OK

http://i1224.photobucket.com/albums/ee362/Essexboy3/Misc%20screen%20shots/CF_Uninstall-1.jpg

[]Follow the prompts on the screen
[
]A message should appear confirming that ComboFix was uninstalled

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

Clear Restore Points

Go Start > All Programmes > Accessories > System tools
Right click Disc Cleanup and select run as administrator
When it pops up at the first prompt select OK after it has done some calculations the tabs will appear
Select More Options tab
Press Sytem Restore and Shadow Copies Cleanup button

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

Malwarebytes.

Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly it will show you which programmes on your system need updating and give a download link

If you use on-line banking then as an added layer of protection install Trusteer Rapport

It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit
[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?Keep safe :wave: