Win32.Sirefef Trojan disabling my anti-rootkit

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by execute, Nov 18, 2009.

  1. execute

    execute Private E-2

    So on the 16th, I downloaded a suspicious file, which I decided to not open and scan first with nod32 v4. My OS is Windows 7 RC1.

    Nod32 said "this file is trojan. Unable to clean"
    As soon as nod32 scanned it (with real time file scanner)... process manager was showing a.exe.

    nod32, before it stopped detecting the trojan any longer, said that cngaudit.dll was packed with sirefef.A or kryptik.BDG or kryptic.YQ trojan.

    Here are the steps I took:
    -end process a.exe. I removed it from the registry. I also removed msa.exe from CurrentVersion/Run. After restart, a.exe is back.
    -I scan with nod32 again, remove and delete a.exe and b.exe from %APPDATA%\Local\Temp\
    -After restart, windows fatal error and requires me to restart right after I login.
    -I am forced to restart 8 times in a row, until finally windows 7 RC1 starts working again. The trojan is still there.
    -I installed antirootkit tools like unhackme.exe, and they are automatically closed by the trojan and security permissions changed to prevent running.
    -Antirootkit (partizan?) boot loader is ineffective.
    -I tried running spybot S&D, it gets closed, and can't even fix it in safe mode.
    -I tried running hijackthis, and it gets closed.
    -Turned off System Restore
    -Attempted Update Windows, successfully updated RC1 to latest files, and no changes.
    -Attempted to run hijackthis in safe mode. Trojan still active in safe mode on cngaudit.dll (running).


    I saw some symptoms like:
    -Disables any cleaner/removal/anti-virus tool that tries to stop it.
    -installs plugin to firefox, causing it to crash and become obsolete even with a full fresh reinstall with deleted user files.
    -installs plugin for IE so that all search engine links redirect to ads and videos.
    -Makes %Windir%/win32k.sys = 0kb

    Things that simply won't work:
    -safe mode tricks, virus runs on safe mode
    -win32kdiag, disabled
    -spybot s&d
    -nod32
    -hijackthis
    -combofix
    -windows update (doesn't replace correct files)
    -windows defender (detects nothing wrong)
    -windows 7 startup repair via restart (not CD boot).

    Any ideas????? I've never seen a trojan that's this evasive ever. The only other worse kind of malware I see are worms that infect all files, but at least you can remove those viruses, you just can't save the files.

    BTW please make sure when you research this worm, you don't confuse it with older versions. In older versions it infected eventlog.dll and left the dllcache folder in system32 alone. But this time it has deleted the dllcache folder so you can't replace old DLLs, and infected cngaudit.dll instead.
     
    Last edited: Nov 18, 2009
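    A read-only triage script for the indicators this post names (a zero-byte win32k.sys, the cngaudit.dll file, the msa.exe Run entry, a.exe/b.exe in the user's Temp folder), written here as an added example rather than anything posted in the thread; it assumes an elevated PowerShell on the affected machine, the standard System32 location, and that the post's "%APPDATA%\Local\Temp" means %LOCALAPPDATA%\Temp.

```powershell
# Added example (not from the thread): read-only triage of the indicators described above.
# Assumes an elevated PowerShell session on the affected Windows machine.
$sys32 = Join-Path $env:WINDIR 'System32'

# 1. The post reports win32k.sys truncated to 0 KB.
$win32k = Get-Item (Join-Path $sys32 'win32k.sys') -ErrorAction SilentlyContinue
if (-not $win32k) { Write-Warning 'win32k.sys is missing' }
elseif ($win32k.Length -eq 0) { Write-Warning 'win32k.sys is zero bytes (matches the reported symptom)' }
else { "win32k.sys: $($win32k.Length) bytes, modified $($win32k.LastWriteTime)" }

# 2. cngaudit.dll was reported as the packed/infected file. A Microsoft DLL in System32 should
#    carry a valid Microsoft signature (embedded or catalog); record its status and hash for comparison.
$dll = Join-Path $sys32 'cngaudit.dll'
if (Test-Path $dll) {
    $sig  = Get-AuthenticodeSignature -FilePath $dll
    $hash = (Get-FileHash -Path $dll -Algorithm SHA256).Hash
    "cngaudit.dll: signature=$($sig.Status) signer=$($sig.SignerCertificate.Subject) sha256=$hash"
} else {
    Write-Warning 'cngaudit.dll not found in System32'
}

# 3. msa.exe was found under CurrentVersion\Run; list every Run entry from both hives.
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    if (Test-Path $key) {
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |      # drop PSPath/PSDrive bookkeeping properties
            ForEach-Object { "$hive Run: $($_.Name) = $($_.Value)" }
    }
}

# 4. a.exe / b.exe were dropped into the user's Temp folder; list executables there with timestamps.
Get-ChildItem (Join-Path $env:LOCALAPPDATA 'Temp') -Filter '*.exe' -ErrorAction SilentlyContinue |
    ForEach-Object { "Temp exe: $($_.Name) $($_.Length) bytes, modified $($_.LastWriteTime)" }
```

    Because the thread reports that the malware kills security tools as they start, the output is worth piping to a file on removable media immediately rather than relying on the console staying open.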
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Have you considered just saving your data and personal files and doing a complete reformat?

    You can try doing this:

    Download and save the below to your PC (save it anywhere you can find it. The Desktop is fine). Then double click on it to run it.

    AVPFind.bat

    It should take a couple minutes to run. You will see a black command prompt window while it is running and it should close when it is finished. Once it finishes, attach the c:\avplog.txt file that it will hopefully create as long as the malware does not block the batch file from running.

    Now download and Run exeHelper

    • Please download exeHelper to your desktop.
    • Double-click on exeHelper.com to run the fix.
    • A black window should pop up, press any key to close once the fix is completed.
    • Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)

    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).


    Also please try running the below online scan:

    http://www.superantispyware.com/onlinescan.html

    Reboot immediately after scanning if it finds and removes anything. Let me know if anything was found. It does not save a log.

    Then try running these instructions: Using MGtools


    Attach the below logs when finished with all of the above:

    • C:\avplog.txt - from AVPfind
    • log.txt - from exeHelper
    • C:\MGlogs.zip - from MGtools
     
  3. execute

    execute Private E-2

    Alright
    1) Ran all three bat files / programs, and gathered/attached logs. (There was no getLogs.bat created so I could not run that)
    2) Also I tried seeing if netstat worked. The trojan closes that within seconds. Looks like there is some HTTP activity going on while I'm not doing anything.
    3) Scanning with the spyware scanner atm, I'll update if anything happens.

    I really need some sort of advanced antirootkit tool that loads on boot and won't be closed automatically or permissions changed. Or some sort of program that with a restart will automatically change my cngaudit.dll etc to original windows version without OS running. Maybe I'd have to do this with linux.

    Of course, if I'm going to that extent maybe I should prefer to reformat. But I just can't believe we can't defeat this thing.

    Also either it's just me or your programs were just closed by the trojan before anything important could be logged.

    EDIT UPDATE: Hah, looks like Superantispyware is not running anymore either, it just disappeared while scanning. I think the only way to defeat this is to fix it without windows running. This is the most advanced trojan I've seen yet. Can you also please explain how this trojan got into my computer without me even running the file? Isn't this some sort of exploit on nod32?? Shouldn't nod32 people be warned that a trojan is using their scanner to somehow run itself?
     

    Attached Files:

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Now download this Win32kDiag and save to your Desktop.

    • Double-click the Utility to run it and let it finish.
    • When it states Finished! Press any key to exit, press any key to close the program.
    • It will save a Win32kDiag.txt file to your desktop automatically. Attach this log file to your next message.
    Now download SysProt AntiRootkit

    This is a ZIP file so unzip onto your Desktop which should create a SysProt folder on your Desktop.

    • Open the SysProt folder by double clicking it
    • Double click Sysprot.exe to start the program.
    • Click on the Log tab.
    • In the Write to log box, make sure to select and unselect the following items.
      • Process << Selected
      • Kernel Modules << Selected
      • SSDT << Selected
      • Kernel Hooks << Selected
      • IRP Hooks << NOT Selected
      • Ports << NOT Selected
      • Hidden Files << Selected
    • At the bottom of the page
      • Hidden Objects Only << Selected
    • Click on the Create Log button on the bottom right.
    • After a few seconds a new window should appear.
    • Select Scan Root Drive. Click on the Start button.
    • When it is complete a new window will appear to indicate that the scan is finished.
    • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Attach the SysProtLog.txt log file to your next message.
     
