MajorGeeks Support Forums

Go Back   MajorGeeks Support Forums > ----------= PC, Desktop and Laptop Support =---------- > Malware Removal
Register FAQ Members List Calendar Casino Mark Forums Read

Malware Removal Malware removal forum. Please see the READ ME FIRST thread before you post. Forum is staffed by a small number of volunteers, please be patient.


Reply
 
Thread Tools Display Modes
  #1  
Old 06-07-12, 14:27
thebillo thebillo is offline
Private E-2
 
Join Date: Jun 2012
Posts: 12
Thanks: 0
Thanked 0 Times in 0 Posts
Default Trojan:Win32/Sirefef.AB + Trojan:Win64/Sirefef.P

Hi,
I'm stuck with Microsoft Security Essentials detecting two trojans upon startup:

Trojan:Win32/Sirefef.AB
Trojan:Win64/Sirefef.P

Located in:
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini

I ran everything on the READ & RUN ME (except RootRepeal as I got Windows 7 Professional x64).

I hope I have attached all needed logs.

P.S. I'm pretty sure that the KMService.exe in the MBAM log is a false positive (It's MSOffice activator).
Attached Files
File Type: txt ComboFix.txt (18.6 KB, 22 views)
File Type: txt mbam-log-2012-06-07 (18-57-20).txt (2.0 KB, 5 views)
File Type: log SUPERAntiSpyware Scan Log - 06-07-2012 - 18-41-19.log (584 Bytes, 4 views)
File Type: zip MGlogs.zip (293.4 KB, 6 views)
Reply With Quote
Sponsored links
  #2  
Old 06-07-12, 14:53
thebillo thebillo is offline
Private E-2
 
Join Date: Jun 2012
Posts: 12
Thanks: 0
Thanked 0 Times in 0 Posts
Default Re: Trojan:Win32/Sirefef.AB + Trojan:Win64/Sirefef.P

Also this:
Attached Files
File Type: txt TDSSKiller.2.7.36.0_07.06.2012_21.27.43_log.txt (143.6 KB, 16 views)
Reply With Quote
  #3  
Old 06-07-12, 15:01
thebillo thebillo is offline
Private E-2
 
Join Date: Jun 2012
Posts: 12
Thanks: 0
Thanked 0 Times in 0 Posts
Default Re: Trojan:Win32/Sirefef.AB + Trojan:Win64/Sirefef.P

By the way I also tried to run "aswMBR.exe" but after a while it crashes on me.
Reply With Quote
  #4  
Old 06-07-12, 15:18
TimW's Avatar
TimW TimW is offline
MajorGeeks Administrator - Jedi Malware Expert
 
Join Date: Jan 2005
Location: The recesses of my mind!
Posts: 45,948
Thanks: 400
Thanked 4,456 Times in 4,232 Posts
Default Re: Trojan:Win32/Sirefef.AB + Trojan:Win64/Sirefef.P

It looks like Combo cleared the infection. What issues are remaining, if any?
__________________
Major cake licker.
YCLAHTW, BYCMHD!!

Major Geeks on Facebook

Major Geeks Newsletter
Reply With Quote
  #5  
Old 06-07-12, 15:20
thebillo thebillo is offline
Private E-2
 
Join Date: Jun 2012
Posts: 12
Thanks: 0
Thanked 0 Times in 0 Posts
Default Re: Trojan:Win32/Sirefef.AB + Trojan:Win64/Sirefef.P

Quote:
Originally Posted by TimW View Post
It looks like Combo cleared the infection. What issues are remaining, if any?
It didn't. The two files are still there after the reboot.
Should I retry Combo?
Reply With Quote
Sponsored links
  #6  
Old 06-07-12, 15:22
TimW's Avatar
TimW TimW is offline
MajorGeeks Administrator - Jedi Malware Expert
 
Join Date: Jan 2005
Location: The recesses of my mind!
Posts: 45,948
Thanks: 400
Thanked 4,456 Times in 4,232 Posts
Default Re: Trojan:Win32/Sirefef.AB + Trojan:Win64/Sirefef.P

Yes, re-run Combo and also run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). Attach both logs.
__________________
Major cake licker.
YCLAHTW, BYCMHD!!

Major Geeks on Facebook

Major Geeks Newsletter
Reply With Quote
  #7  
Old 06-07-12, 20:21
thebillo thebillo is offline
Private E-2
 
Join Date: Jun 2012
Posts: 12
Thanks: 0
Thanked 0 Times in 0 Posts
Default Re: Trojan:Win32/Sirefef.AB + Trojan:Win64/Sirefef.P

Here's the logs after Combo and MGtools re-run.
Attached Files
File Type: txt ComboFix_NEW.txt (28.9 KB, 6 views)
File Type: zip MGlogs.zip (324.0 KB, 2 views)
Reply With Quote
  #8  
Old 06-07-12, 20:55
chaslang's Avatar
chaslang chaslang is offline
MajorGeeks Admin - Master Malware Expert
 
Join Date: Feb 2004
Location: Northern New Jersey USA
Posts: 79,735
Thanks: 61
Thanked 7,429 Times in 3,975 Posts
Default Re: Trojan:Win32/Sirefef.AB + Trojan:Win64/Sirefef.P

Uninstall the below old versions of software:
Java(TM) 6 Update 30

Now we need to use ComboFix
  • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
  • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
  • If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
  • Open Notepad and copy/paste the text in the below quote box into it:
Quote:
ClearJavaCache::
KILLALL::

DirLook::
C:\Program Files (x86)\capy
C:\Program Files (x86)\Kyoto
C:\Program Files (x86)\LIMBO

File::
C:\Windows\SysNative\drivers\kcpashum.sys
C:\Windows\SysNative\drivers\qwqazpwj.sys
C:\Windows\SysNative\drivers\tlizyxcx.sys
C:\Windows\SysNative\drivers\vmbhyggj.sys
C:\Windows\SysNative\drivers\wpvtwxar.sys
C:\Windows\SysWOW64\0

Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
"PendingFileRenameOperations"=""
  • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
  • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
  • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
  • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
  • Follow the prompts.
  • When it finishes, a log will be produced named c:\combofix.txt
  • I will ask for this log below
Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

If after running Combofix you discover none of your programs will open up because you recieve the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below logs:
  • C:\ComboFix.txt
  • C:\MGlogs.zip
Make sure you tell me how things are working now!
__________________
"There are 10 types of people in this world. Those who understand binary and those who don't."


Support Majorgeeks on Facebook:

Majorgeeks Newsletter
Reply With Quote
  #9  
Old 06-08-12, 05:53
thebillo thebillo is offline
Private E-2
 
Join Date: Jun 2012
Posts: 12
Thanks: 0
Thanked 0 Times in 0 Posts
Default Re: Trojan:Win32/Sirefef.AB + Trojan:Win64/Sirefef.P

I followed all the instructions but the two Desktop.ini are still there and still infected (after rebooting and scanning with MSSE).

Don't tell me I shouldn't have re-enabled MSSE after the ComboFix.

Also during the MGtools scan I'm getting this message:
"Ordinal 1108 could not be located in dynamic link library WSOCK32.dll"

Here are the logs:
Attached Files
File Type: txt ComboFix.txt (55.3 KB, 7 views)
File Type: zip MGlogs.zip (328.3 KB, 1 views)
Reply With Quote
  #10  
Old 06-08-12, 21:56
chaslang's Avatar
chaslang chaslang is offline
MajorGeeks Admin - Master Malware Expert
 
Join Date: Feb 2004
Location: Northern New Jersey USA
Posts: 79,735
Thanks: 61
Thanked 7,429 Times in 3,975 Posts
Default Re: Trojan:Win32/Sirefef.AB + Trojan:Win64/Sirefef.P

Please do the below so that we can boot to System Recovery Options to run a scan.

For 32-bit (x86) systems downloadFarbar Recovery Scan Tool and save it to a flash drive.
For 64-bit (x64) systems downloadFarbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account an click Next.

On the System Recovery Options menu you will get the following options:
Quote:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please attach this file to your next reply. (See: How to attach)
__________________
"There are 10 types of people in this world. Those who understand binary and those who don't."


Support Majorgeeks on Facebook:

Majorgeeks Newsletter
Reply With Quote
Sponsored links
  #11  
Old 06-09-12, 04:58
thebillo thebillo is offline
Private E-2
 
Join Date: Jun 2012
Posts: 12
Thanks: 0
Thanked 0 Times in 0 Posts
Default Re: Trojan:Win32/Sirefef.AB + Trojan:Win64/Sirefef.P

Here's the log.
(Issue is still there after the reboot.)
Attached Files
File Type: txt FRST.txt (77.8 KB, 15 views)
Reply With Quote
  #12  
Old 06-09-12, 23:18
chaslang's Avatar
chaslang chaslang is offline
MajorGeeks Admin - Master Malware Expert
 
Join Date: Feb 2004
Location: Northern New Jersey USA
Posts: 79,735
Thanks: 61
Thanked 7,429 Times in 3,975 Posts
Default Re: Trojan:Win32/Sirefef.AB + Trojan:Win64/Sirefef.P

Download this >> fixlist.txt

Save fixlist.txt to your flash drive.
  • You should now have both fixlist.txt and FRST64.exe on your flash drive.
Now reboot back into the System Recovery Options as you did previously.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt).
Please attach this to your next message. (See how to attach)

Now boot into normal Windows can continue with the below.


Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below logs:
  • Fixlog.txt
  • C:\MGlogs.zip
Make sure you tell me how things are working now!
__________________
"There are 10 types of people in this world. Those who understand binary and those who don't."


Support Majorgeeks on Facebook:

Majorgeeks Newsletter
Reply With Quote
  #13  
Old 06-10-12, 06:24
thebillo thebillo is offline
Private E-2
 
Join Date: Jun 2012
Posts: 12
Thanks: 0
Thanked 0 Times in 0 Posts
Default Re: Trojan:Win32/Sirefef.AB + Trojan:Win64/Sirefef.P

LOGS→HERE

From the prompt windows it seemed that MGtools couldn't scan c:\Windows\assembly\GAC_32\Desktop.ini
*ACCESS DENIED*
Attached Files
File Type: txt Fixlog.txt (867 Bytes, 6 views)
File Type: zip MGlogs.zip (332.3 KB, 2 views)
Reply With Quote
  #14  
Old 06-10-12, 21:24
chaslang's Avatar
chaslang chaslang is offline
MajorGeeks Admin - Master Malware Expert
 
Join Date: Feb 2004
Location: Northern New Jersey USA
Posts: 79,735
Thanks: 61
Thanked 7,429 Times in 3,975 Posts
Default Re: Trojan:Win32/Sirefef.AB + Trojan:Win64/Sirefef.P

You have the most recent form of Zero Access infection. We have some mode hidden stuff to find to get this fully fixed. Let's try another fix followed by a using a new version of MGtools.

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
Quote:
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"FEF8744CD65187A9A35777C3C14400CFEA38D588._service_run"=-
[HKEY_USERS\S-1-5-21-914960229-731433123-2916926270-1000\Software\Microsoft\Windows\CurrentVersion\run]
"FEF8744CD65187A9A35777C3C14400CFEA38D588._service_run"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
"PendingFileRenameOperations"=-
Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.



Download this >> fixlist.txt

Save fixlist.txt to your flash drive.
  • You should now have both fixlist.txt and FRST64.exe on your flash drive.
Now reboot back into the System Recovery Options as you did previously.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt).
Please attach this to your next message. (See how to attach)

Now boot into normal Windows can continue with the below.

Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

Now attach the below log:
  • the new Fixlog.txt log from FRST
  • C:\MGlogs.zip
Make sure you tell me how things are working now!
__________________
"There are 10 types of people in this world. Those who understand binary and those who don't."


Support Majorgeeks on Facebook:

Majorgeeks Newsletter
Reply With Quote
  #15  
Old 06-11-12, 06:16
thebillo thebillo is offline
Private E-2
 
Join Date: Jun 2012
Posts: 12
Thanks: 0
Thanked 0 Times in 0 Posts
Default Re: Trojan:Win32/Sirefef.AB + Trojan:Win64/Sirefef.P

Thanks chaslang for helping me with this infection. It seems like a bad one.
I did everything you said but it didn't help much, apparently.
Here are the logs you asked for.
Attached Files
File Type: txt Fixlog.txt (1,000 Bytes, 7 views)
File Type: zip MGlogs.zip (285.8 KB, 2 views)
Reply With Quote
Sponsored links
  #16  
Old 06-11-12, 12:23
chaslang's Avatar
chaslang chaslang is offline
MajorGeeks Admin - Master Malware Expert
 
Join Date: Feb 2004
Location: Northern New Jersey USA
Posts: 79,735
Thanks: 61
Thanked 7,429 Times in 3,975 Posts
Default Re: Trojan:Win32/Sirefef.AB + Trojan:Win64/Sirefef.P

Okay, now run the C:\MGtools\ZAchk.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below log which should have been updated after running the above:
  • C:\MGlogs.zip
__________________
"There are 10 types of people in this world. Those who understand binary and those who don't."


Support Majorgeeks on Facebook:

Majorgeeks Newsletter
Reply With Quote
  #17  
Old 06-11-12, 13:03
thebillo thebillo is offline
Private E-2
 
Join Date: Jun 2012
Posts: 12
Thanks: 0
Thanked 0 Times in 0 Posts
Default Re: Trojan:Win32/Sirefef.AB + Trojan:Win64/Sirefef.P

Done.
Attached Files
File Type: zip MGlogs.zip (290.9 KB, 15 views)
Reply With Quote
  #18  
Old 06-12-12, 00:36
chaslang's Avatar
chaslang chaslang is offline
MajorGeeks Admin - Master Malware Expert
 
Join Date: Feb 2004
Location: Northern New Jersey USA
Posts: 79,735
Thanks: 61
Thanked 7,429 Times in 3,975 Posts
Default Re: Trojan:Win32/Sirefef.AB + Trojan:Win64/Sirefef.P

Delete your current copy of ComboFix.exe and then download and save the current version to your Desktop. Get it here >> combofix.exe


Now we need to use ComboFix
  • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
  • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
  • If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
  • Open Notepad and copy/paste the text in the below quote box into it:
Quote:
ClearJavaCache::
KILLALL::
Driver::
awgqpkvv

File::
C:\Windows\installer\{09773A12-2E8A-4FAE-AF37-1CF5D521D09E}\_14ECAB12C5A388703B399E.exe
C:\Windows\installer\{09773A12-2E8A-4FAE-AF37-1CF5D521D09E}\_21F3885A18D238E15AAE81.exe
C:\Windows\installer\{09773A12-2E8A-4FAE-AF37-1CF5D521D09E}\_3DB4D70983DF794995291A.exe
C:\Windows\installer\{09773A12-2E8A-4FAE-AF37-1CF5D521D09E}\_6FEFF9B68218417F98F549.exe
C:\Windows\installer\{09773A12-2E8A-4FAE-AF37-1CF5D521D09E}\_9FB6819D6CF6DEE3B8A4CC.exe
C:\Windows\installer\{09773A12-2E8A-4FAE-AF37-1CF5D521D09E}\_A5996C2237B83F6E65294C.exe
C:\Windows\installer\{09773A12-2E8A-4FAE-AF37-1CF5D521D09E}\_D707CE1C009F1381803C2C.exe
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
C:\Windows\SysNative\drivers\awgqpkvv.sys

Folder::
C:\Windows\installer\{09773A12-2E8A-4FAE-AF37-1CF5D521D09E}

Fcopy::
c:\windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe | c:\windows\system32\services.exe
c:\windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_2b5e71b083fc0973\user32.dll | c:\windows\system32\user32.dll
c:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e\user32.dll | c:\windows\SysWOW64\user32.dll
  • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
  • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
  • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
  • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
  • Follow the prompts.
  • When it finishes, a log will be produced named c:\combofix.txt
  • I will ask for this log below
Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

If after running Combofix you discover none of your programs will open up because you recieve the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.
Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below logs:
  • C:\ComboFix.txt
  • C:\MGlogs.zip
Make sure you tell me how things are working now!
__________________
"There are 10 types of people in this world. Those who understand binary and those who don't."


Support Majorgeeks on Facebook:

Majorgeeks Newsletter
Reply With Quote
  #19  
Old 06-12-12, 06:46
thebillo thebillo is offline
Private E-2
 
Join Date: Jun 2012
Posts: 12
Thanks: 0
Thanked 0 Times in 0 Posts
Default Re: Trojan:Win32/Sirefef.AB + Trojan:Win64/Sirefef.P

OK, now it seems that the files have been deleted (I rebooted twice).
Now I'm going to reboot re-activating MSSE at startup.
Let's see...

Meanwhile, LOGS:
Attached Files
File Type: txt ComboFix.txt (29.1 KB, 11 views)
File Type: zip MGlogs.zip (296.0 KB, 4 views)
Reply With Quote
  #20  
Old 06-12-12, 07:39
thebillo thebillo is offline
Private E-2
 
Join Date: Jun 2012
Posts: 12
Thanks: 0
Thanked 0 Times in 0 Posts
Default Re: Trojan:Win32/Sirefef.AB + Trojan:Win64/Sirefef.P

Yes! Everything seems good now!
Thanks for your precious help. I can't thank you enough.
Is there anything else I should do now to be sure the malware has gone forever?
Reply With Quote
Sponsored links
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Trojans: Win32/Sirefef.AB and Win64/Sirefef.P gravanov Malware Removal 4 06-03-12 20:25
Trojan:Win32/Sirefef.AB & Win64/Sirefef.P Smokejumper Malware Removal 2 05-30-12 16:50
Win32/Sirefef.DA trojan CRD72 Malware Removal 6 11-18-11 07:32


All times are GMT -5. The time now is 17:06.


MajorGeeks.Com Home Page
| Admin Tools | All In One | Anti-Spyware | Anti-Virus | Appearance | Backup | Benchmarking | BIOS | Browsers | Covert Ops |
Data Recovery | Diagnostics | Drive Cleaners | Drive Utilities | Drivers | Driver Tools Ergonomics | Firewalls | Games | Game Tweaks | Graphics | Input Devices | Internet Tools | Macintosh | Mail Utilities | Memory | Messaging | Monitoring | Microsoft | Multimedia | Networking | Office Tools | Process Management | Processor | Registry | Security | System Info | Toys | Video | Miscellaneous
|
Powered by vBulletin® Version 3.8.4
Copyright © 2009 vBulletin Solutions, Inc. All rights reserved.
Ad Management by RedTyger