Trojan:Win32/Sirefef.AB + Trojan:Win64/Sirefef.P

[thebillo]

Hi,
I'm stuck with Microsoft Security Essentials detecting two trojans upon startup:

Trojan:Win32/Sirefef.AB
Trojan:Win64/Sirefef.P

Located in:
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini

I ran everything on the READ & RUN ME (except RootRepeal as I got Windows 7 Professional x64).

I hope I have attached all needed logs.

P.S. I'm pretty sure that the KMService.exe in the MBAM log is a false positive (It's MSOffice activator).

[thebillo]

Also this:

[thebillo]

By the way I also tried to run "aswMBR.exe" but after a while it crashes on me.

[TimW]

It looks like Combo cleared the infection. What issues are remaining, if any?

[thebillo]

Quote:

Originally Posted by TimW

It looks like Combo cleared the infection. What issues are remaining, if any?

It didn't. The two files are still there after the reboot.
Should I retry Combo?

[TimW]

Yes, re-run Combo and also run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). Attach both logs.

[thebillo]

Here's the logs after Combo and MGtools re-run.

[chaslang]

Uninstall the below old versions of software:
Java(TM) 6 Update 30

Now we need to use ComboFix

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box into it:

Quote:

ClearJavaCache::
KILLALL::

DirLook::
C:\Program Files (x86)\capy
C:\Program Files (x86)\Kyoto
C:\Program Files (x86)\LIMBO

File::
C:\Windows\SysNative\drivers\kcpashum.sys
C:\Windows\SysNative\drivers\qwqazpwj.sys
C:\Windows\SysNative\drivers\tlizyxcx.sys
C:\Windows\SysNative\drivers\vmbhyggj.sys
C:\Windows\SysNative\drivers\wpvtwxar.sys
C:\Windows\SysWOW64\0

Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
"PendingFileRenameOperations"=""

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

If after running Combofix you discover none of your programs will open up because you recieve the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

[thebillo]

I followed all the instructions but the two Desktop.ini are still there and still infected (after rebooting and scanning with MSSE).

Don't tell me I shouldn't have re-enabled MSSE after the ComboFix.

Also during the MGtools scan I'm getting this message:
"Ordinal 1108 could not be located in dynamic link library WSOCK32.dll"

Here are the logs:

[chaslang]

Please do the below so that we can boot to System Recovery Options to run a scan.

For 32-bit (x86) systems downloadFarbar Recovery Scan Tool and save it to a flash drive.
For 64-bit (x64) systems downloadFarbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options from the Advanced Boot Options:

• Restart the computer.
• As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
• Use the arrow keys to select the Repair your computer menu item.
• Select US as the keyboard language settings, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account an click Next.

On the System Recovery Options menu you will get the following options:

Quote:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

• Select Command Prompt
• In the command window type in notepad and press Enter.
• The notepad opens. Under File menu select Open.
• Select "Computer" and find your flash drive letter and close the notepad.
• In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
  Note: Replace letter e with the drive letter of your flash drive.
• The tool will start to run.
• When the tool opens click Yes to disclaimer.
• Press Scan button.
• It will make a log (FRST.txt) on the flash drive. Please attach this file to your next reply. (See: How to attach)

[thebillo]

Here's the log.
(Issue is still there after the reboot.)

[chaslang]

Download this >> fixlist.txt

Save fixlist.txt to your flash drive.

• You should now have both fixlist.txt and FRST64.exe on your flash drive.

Now reboot back into the System Recovery Options as you did previously.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt).
Please attach this to your next message. (See how to attach)

Now boot into normal Windows can continue with the below.


Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• Fixlog.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

[thebillo]

LOGS→HERE

From the prompt windows it seemed that MGtools couldn't scan c:\Windows\assembly\GAC_32\Desktop.ini
*ACCESS DENIED*

[chaslang]

You have the most recent form of Zero Access infection. We have some mode hidden stuff to find to get this fully fixed. Let's try another fix followed by a using a new version of MGtools.

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Quote:

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"FEF8744CD65187A9A35777C3C14400CFEA38D588._service_run"=-
[HKEY_USERS\S-1-5-21-914960229-731433123-2916926270-1000\Software\Microsoft\Windows\CurrentVersion\run]
"FEF8744CD65187A9A35777C3C14400CFEA38D588._service_run"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
"PendingFileRenameOperations"=-

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.


Download this >> fixlist.txt

Save fixlist.txt to your flash drive.

• You should now have both fixlist.txt and FRST64.exe on your flash drive.

Now reboot back into the System Recovery Options as you did previously.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt).
Please attach this to your next message. (See how to attach)

Now boot into normal Windows can continue with the below.

Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

Now attach the below log:

• the new Fixlog.txt log from FRST
• C:\MGlogs.zip

Make sure you tell me how things are working now!

[thebillo]

Thanks chaslang for helping me with this infection. It seems like a bad one.
I did everything you said but it didn't help much, apparently.
Here are the logs you asked for.

[chaslang]

Okay, now run the C:\MGtools\ZAchk.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below log which should have been updated after running the above:

• C:\MGlogs.zip

[thebillo]

Done.

[chaslang]

Delete your current copy of ComboFix.exe and then download and save the current version to your Desktop. Get it here >> combofix.exe


Now we need to use ComboFix

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box into it:

Quote:

ClearJavaCache::
KILLALL::
Driver::
awgqpkvv

File::
C:\Windows\installer\{09773A12-2E8A-4FAE-AF37-1CF5D521D09E}\_14ECAB12C5A388703B399E.exe
C:\Windows\installer\{09773A12-2E8A-4FAE-AF37-1CF5D521D09E}\_21F3885A18D238E15AAE81.exe
C:\Windows\installer\{09773A12-2E8A-4FAE-AF37-1CF5D521D09E}\_3DB4D70983DF794995291A.exe
C:\Windows\installer\{09773A12-2E8A-4FAE-AF37-1CF5D521D09E}\_6FEFF9B68218417F98F549.exe
C:\Windows\installer\{09773A12-2E8A-4FAE-AF37-1CF5D521D09E}\_9FB6819D6CF6DEE3B8A4CC.exe
C:\Windows\installer\{09773A12-2E8A-4FAE-AF37-1CF5D521D09E}\_A5996C2237B83F6E65294C.exe
C:\Windows\installer\{09773A12-2E8A-4FAE-AF37-1CF5D521D09E}\_D707CE1C009F1381803C2C.exe
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
C:\Windows\SysNative\drivers\awgqpkvv.sys

Folder::
C:\Windows\installer\{09773A12-2E8A-4FAE-AF37-1CF5D521D09E}

Fcopy::
c:\windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe | c:\windows\system32\services.exe
c:\windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_2b5e71b083fc0973\user32.dll | c:\windows\system32\user32.dll
c:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e\user32.dll | c:\windows\SysWOW64\user32.dll

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

If after running Combofix you discover none of your programs will open up because you recieve the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.
Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

[thebillo]

OK, now it seems that the files have been deleted (I rebooted twice).
Now I'm going to reboot re-activating MSSE at startup.
Let's see...

Meanwhile, LOGS:

[thebillo]

Yes! Everything seems good now!
Thanks for your precious help. I can't thank you enough.
Is there anything else I should do now to be sure the malware has gone forever?