Sirefef.Y and Sirefef.B on Win7 64-bit

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by datenshi, Jun 25, 2012.

  1. datenshi

    datenshi Private E-2

    Hello!

    Recently I discovered Microsoft Security Essentials and Windows Defender had been disabled on my computer (Windows 7 64-bit) and I couldn't turn them back on. Running Malwarebytes revealed an infection of Rootkit.0Access. MBAM couldn't remove it, but I tried running TDSSKiller and it was able to remove the infected files.

    After restarting, I ran TDSSKiller again and it came up clean. Then I ran Malwarebytes again and now it was reporting the presence of two trojans, Win64/Sirefef.Y and Win64/Sirefef.B. Malwarebytes couldn't remove the trojans, and at this point I checked Microsoft Security Essentials and noticed it still wouldn't turn back on. I uninstalled MSE, downloaded a fresh copy, and reinstalled it. At this point it started to work correctly, found the trojans and tried to remove them... and then of course I found myself constantly restarting the way it seems many people with this malware have been :(

    Any advice would be appreciated. I haven't been able to run the utilities asked for in the Malware Removal Guide, change settings, etc. due to the way the computer keeps restarting. (I see it's being asked that people disable Daemon Tools, which I do have installed and can't get to right now, argh.) Please note I have a second clean laptop available that I can make use of and I can burn DVDs, but I have no flash drives available.

    Thank you very much!
     
  2. thisisu

    thisisu Malware Consultant

    Welcome to MajorGeeks, datenshi :)

    Please download Farbar Recovery Scan Tool and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:

    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    On the System Recovery Options menu you will get the following options:
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    • Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please attach this log to your next reply. (How to attach)


    While you are still using FRST:
    Type the below bolded text in the edit box after "Search:".

    services.exe

    Then click the Search button.

    It will make a log (Search.txt) on the flash drive. Please attach this log to your next reply. (How to attach)

    __

    So in your next message attach both Search.txt as well as FRST.txt
     
  3. datenshi

    datenshi Private E-2

    Thank you! It seems like a really nice community. I'm grateful you'd take up your personal time just to help out people like me. :)

    I managed to get my hands on a flash drive, so attached are Search.txt and FRST.txt.
     

    Attached Files:

  4. thisisu

    thisisu Malware Consultant

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    Attached is fixlist.txt
    • Save fixlist.txt to your flash drive.
    • You should now have both fixlist.txt and FRST64.exe on your flash drive.

    Now re-enter System Recovery Options.
    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt).
    Please attach this to your next message. (How to attach)

    Now attempt to boot normally.
     

    Attached Files:

  5. datenshi

    datenshi Private E-2

    Fixlog.txt is attached. I tried to boot normally and the restarting problem seems to have resolved, thank you! Should I run the malware removal procedures in the sticky now?
     

    Attached Files:

  6. thisisu

    thisisu Malware Consultant

    You're welcome. And yes please do.
     
  7. datenshi

    datenshi Private E-2

    Okay! I ran through the sticky and came out the other end with the attached log files.
     

    Attached Files:

  8. thisisu

    thisisu Malware Consultant

    Are you familiar with this application? Nakido
    Seems related to P2P downloads, not typically something we recommend and some AVs have flagged it as malicious.
    It's in Control Panel => Programs and Features in case you want to uninstall it.

    You should uninstall this: Java(TM) 6 Update 31 (outdated).

    __

    You should delete these if you do not know what they are for:
    • C:\Users\Michelle\Games and Apps\Games\Utilities\Game Hacking\Neko57v110\Neko57.EXE
    • C:\Users\Michelle\Games and Apps\Games\Utilities\Game Hacking\NScripter Utilities\nsaout\nsaout.exe

    Also it looks like Windows Firewall is turned off (damaged by Sirefef).

    You can try the below to repair it:

    Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now open Repair_Windows.exe
    • Go to the Start Repairs tab.
    • Press the Start button
    • Create a System Restore point if prompted.
    • In the Repair Options window, choose the following repairs:
      • Reset Registry Permissions
      • Repair Windows Firewall
    • Place a checkmark in Restart/Shutdown System When Finished
    • Fill in the Restart System bubble
    • Now click the Start button.
    • Be patient while the tool repairs the selected items. Your computer should automatically restart when finished.

    Now install the current version of Sun Java from: here

    Let me know what problems remain after you have completed these steps.
     
    Last edited: Jun 26, 2012
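Two checks in this thread are worth being able to repeat after cleanup: the offline FRST search for services.exe in post 2 (on 64-bit Windows, Sirefef/ZeroAccess variants of this era replaced or patched that binary, which is why it is searched for from the recovery console) and the Windows Firewall / Security Essentials state discussed in posts 8 and 9. The script below is an added example, not a tool from the thread or from the consultant; it verifies the Authenticode signature of services.exe and reports the state of the relevant services from a normally booted system. The service names MpsSvc (Windows Firewall), BFE (Base Filtering Engine), WinDefend (Windows Defender) and MsMpSvc (Microsoft Security Essentials) are the standard names and are assumptions on my part, as is the requirement of PowerShell 4.0 or later for Get-FileHash.

```powershell
# Added example (not from the thread): post-cleanup health check for the items
# this thread touches on Windows 7 x64. Run from an elevated PowerShell prompt
# on the normally booted machine, not from the recovery console.
# Assumed service names: MpsSvc (Windows Firewall), BFE (Base Filtering Engine),
# WinDefend (Windows Defender), MsMpSvc (Microsoft Security Essentials).

$servicesExe = Join-Path $env:SystemRoot 'System32\services.exe'

function Test-ServicesExeSignature {
    param([string]$Path = $servicesExe)

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Get-FileHash only exists on PowerShell 4.0+, so degrade gracefully on a
    # stock Windows 7 install (PowerShell 2.0).
    $hash = 'n/a (PowerShell < 4.0)'
    if (Get-Command Get-FileHash -ErrorAction SilentlyContinue) {
        $hash = (Get-FileHash -Algorithm SHA256 -Path $Path).Hash
    }

    [pscustomobject]@{
        Path   = $Path
        Status = $sig.Status                     # expect 'Valid' on a clean system
        Signer = $sig.SignerCertificate.Subject  # expect a Microsoft Windows subject
        Size   = (Get-Item $Path).Length
        SHA256 = $hash                           # compare against a known-good copy
    }
}

function Get-SecurityServiceState {
    $names = 'MpsSvc', 'BFE', 'WinDefend', 'MsMpSvc'
    foreach ($name in $names) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        $cfg = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        [pscustomobject]@{
            Service   = $name
            Present   = [bool]$svc
            State     = if ($svc) { $svc.Status } else { 'missing' }
            StartMode = if ($cfg) { $cfg.StartMode } else { 'n/a' }
        }
    }
}

Test-ServicesExeSignature | Format-List
Get-SecurityServiceState | Format-Table -AutoSize
```

A signature status other than Valid on services.exe, a missing BFE or MpsSvc service, or a firewall service set to Disabled are the findings that would justify going back to an offline tool such as FRST. The reverse does not hold: a clean result from inside the running OS cannot rule out a rootkit that filters what the OS reports, which is the reason the thread does the services.exe search from the recovery console in the first place.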
  9. datenshi

    datenshi Private E-2

    Okay, I took the following actions:

    -uninstalled Nakido
    -uninstalled Java 6 Update 31
    -deleted Neko57.EXE
    -deleted nsaout.exe
    -ran Windows Repair and followed the given instructions
    -installed the latest Java

    Windows reports that Windows Firewall is working properly, and I was able to reenable Microsoft Security Essentials without causing a restart or any other apparent issues. These were the only actual symptoms I was having :) Should I do any more scans/post any more logs? Thanks so much for walking me through this.
     
  10. thisisu

    thisisu Malware Consultant

    You're welcome.

    If you are not having any other malware related problems, it is time to do our final steps:
    • Any programs we had you download and/or install can be removed at this time.
    • If we had you download and run ComboFix, here is how to uninstall it:
      • Press and hold the Windows key and then press the letter R on your keyboard.
      • This opens the Run dialog box.
      • Copy and paste the below text inside the text-field:
        • "%userprofile%\desktop\ComboFix" /uninstall
      • Now press ENTER
      • ComboFix will extract its files one last time and you should receive a notification that ComboFix has been uninstalled shortly after.
    • You can re-enable your Disk Emulation software at this time via DeFogger.
    • If we had you create or download a registry patch or "fix" script, these can be deleted at this time.
    • Go into the C:\MGtools folder and run the MGclean.bat file to remove additional traces of our tools.
    • Now we will toggle System Restore to remove any infected system restore points.
    • Lastly, here is a guide to protect you from future infections: How to Protect yourself from malware!
    • Be safe :)
     
