Sirefef Trojan

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by pike8, Jan 20, 2012.

  1. pike8

    pike8 Private E-2

    I'm using Win7 firewall + NOD32 AV, and I've never had any problem with trojans, malware, etc.

    Tonight, I was doing some recording and Firefox was open (just a few YouTube links and a few forums that I occasionally visit).

    All of a sudden, Firefox began trying to open some mediashifting site, but it always ended up with "problem loading page". I looked it up on Google and found out that it's some kind of virus, so I ran Spybot; it found some problems, I fixed those and restarted my PC.

    After restart, NOD32 has gone crazy - the tray icon is red, and protection status says this:

    Code:
    Analysis of application protocols will not function
    
    An error occured while starting services. Analysis of application protocols (POP3, HTTP) will not function.

    NOD's log shows turbulent activity: it deletes Sirefef.DV trojan, Sirefef.EF trojan, Sirefef.CR trojan and similar many times, but some of them can't be deleted; it says "UNABLE TO CLEAN".

    When I run a search via Google or Yahoo (in any browser) and click to follow the result, it redirects me to some hooot.com.

    I ran Lavasoft Ad-Aware; it found some trojans, I chose the recommended actions and restarted the PC, but it's all the same.

    Please tell me, is there any solution other than formatting my HDD and starting all over?

    P.S. Despite the risk that I'll be laughed at: is there a possibility that my data (photos, videos, documents) are infected, and if I back them up, that they'll still carry some malware?
     
  2. pike8

    pike8 Private E-2

    Sorry, just a little update.

    I've followed instructions from the "Fixing Google Redirection/hijacking and other redirection problems" sticky post (http://forums.majorgeeks.com/showthread.php?t=230267); TDSSKiller found several suspicious files and one for curing, so I cured it, rebooted, and for now the redirection is gone.

    But NOD is still acting crazy, as I mentioned in the first post (protection status issue, constantly finding Sirefef variants).

    Also, I forgot to mention last night, the Windows 7 firewall is gone. I can't turn it on, and when I go to services.msc, there is no Security Center at all.

    I have a lot of data that is important to me (some photos, documents, movies and save games); can I be sure that they're not infected and safely back them up?
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    I'm sorry, but no, you have not. You should have attached the logs as requested. And since you are still having problems, you should have continued past TDSSKiller on to step 5 and run ALL of step 5, which includes MBRCheck and the READ & RUN ME FIRST.
     
  4. pike8

    pike8 Private E-2

    OK, I ran TDSSKiller again now; it found a few threats, one of which was a virus which was cured, and after restart the redirection is gone.

    After that, I followed further instructions until the step where I was supposed to disable emulation software with Defogger; it ran for some time, trying to disable emulation, then the computer hung. After reset, I tried to manually uninstall Daemon Tools Lite, but I couldn't find it in Add/Remove Programs. :confused:

    Here are my logs:
     

    Attached Files:

    Last edited by a moderator: Jan 22, 2012
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Ignore it and keep going as stated in the READ & RUN ME.

    How are you missing these instructions posted multiple times? >> (See: HOW TO: Attach Items To Your Post)
     
  6. pike8

    pike8 Private E-2

    OK, I'm really sorry; I was really disturbed by all this, so I guess I wasn't following the guideline. I'll start over again.

    Two nights ago, Firefox started opening some mediashifting URLs, but couldn't really open them; it was giving "problem loading page".
    - I installed Spybot S&D, ran it, it found some problems and apparently fixed them. After reboot, the problem was back along with some other problem:
    following a link from Google or Yahoo, in any browser, redirected me to hooot.com.
    - NOD32 was constantly finding and deleting variants of the Sirefef trojan, but some of them couldn't be cleaned.
    - Also, NOD stopped fully functioning:
    Code:
    Analysis of application protocols will not function
    
    An error occured while starting services. Analysis of application protocols (POP3, HTTP) will not function.
    - The Win7 firewall looks damaged; I can't turn it back on, and there is no Security Center in services.msc.

    - First, I did the DNS flush, cleared browser and Java cache, reinstalled Java, installed the latest version of Silverlight, etc.
    - This morning, I ran TDSSKiller and Malwarebytes Anti-Malware, both run from safe mode; they solved the redirection problems completely - logs attached.

    - I still have a problem with NOD32; after the redirection problem was solved, NOD finally stopped finding and deleting Sirefef variants, it doesn't do anything, as if the computer is clean, but it's still not running its full service.
    - Also, the Win7 firewall still can't be started; Security Center is still missing from services.msc.
    - Right now, I've seen a qoobox folder on my C: drive; it looks very suspicious.

    So, I started with "house cleaning": setting normal startup mode, checking for installed malware software and skipping (as you said) disabling emulation software with Defogger, since it was freezing my computer.

    Then I went on to the Vista/Win7 malware removal/cleaning procedure:
    - UAC was already disabled
    - I ran SUPERAntiSpyware and it found no serious problems (log attached)
    - Ran Malwarebytes Anti-Malware and it found no problems (as mentioned, I ran it earlier, and it solved my redirection problems; I attached both logs).
    - ComboFix is next, but it says that my real-time scanning from NOD is still running, and tells me to disable NOD first, then run ComboFix. I did so, but it still recognized NOD running. Then I booted to safe mode, but still the same. In the end, I uninstalled NOD32, but ComboFix still says that NOD32 real-time scanning is running. Should I just ignore this and run ComboFix, or what?
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes and then run MGtools. We need the logs from these to continue.
     
  8. pike8

    pike8 Private E-2

    I left ComboFix to run overnight; I checked it a few times when I was waking up, and it was
    always at the beginning:

    Code:
    Scanning for infected files...
    This typically doesn't take more than 10 minutes
    However, scan times for badly infected machines may easily double
    This morning when I woke up, it was still there, with this window.
    I can't find a log; I guess it's not created since the program didn't properly run.

    After that, I ran MGtools; it started, then after some time some processdll.exe window showed. I clicked Cancel to debug (OK was for terminate),
    after that it showed me this window:

    I clicked Retry, and MGtools seemed to be stuck on:
    Code:
    Running processdll.exe to find loaded DLLs
    After an hour or so, I terminated it. Log attached.

    Also, there are four virtual drives in My Computer, probably a virus effect.
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What is with all the network adapter stuff showing in your logs?
    Do these all show up in your network connections?

    Now please download Farbar Service Scanner and run it on the computer with the issue.
    • Put a check mark in each option box on the left side.
    • Click "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please attach this log to your next reply.
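    Added example, not part of this thread or of the Farbar tool: a PowerShell 3.0+ check of the services the thread reports as missing or unstartable (Security Center, Windows Firewall, Windows Update), so a defender can tell whether a service key was deleted, disabled or merely stopped before attempting a repair. The service list and verdict labels are my assumptions, not FSS's exact output.

```powershell
# Added example, not part of the thread or of the Farbar tool. Reports the state of the
# Windows services this thread describes as missing or unstartable (Security Center,
# Windows Firewall, Windows Update) so the damage can be seen before deciding on a repair.
# Requires PowerShell 3.0+. The service list is my assumption, not FSS's exact list.
$services = @(
    @{ Name = 'wscsvc';    Display = 'Security Center' },
    @{ Name = 'MpsSvc';    Display = 'Windows Firewall' },
    @{ Name = 'BFE';       Display = 'Base Filtering Engine (firewall dependency)' },
    @{ Name = 'wuauserv';  Display = 'Windows Update' },
    @{ Name = 'WinDefend'; Display = 'Windows Defender' }
)

# Meaning of the Start DWORD under HKLM\SYSTEM\CurrentControlSet\Services\<name>
$startTypes = @{ 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-SecurityServiceReport {
    foreach ($s in $services) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($s.Name)"
        # $null when the Service Control Manager does not know the service at all
        $svc = Get-Service -Name $s.Name -ErrorAction SilentlyContinue
        # $null when the registry key itself has been deleted (the "no Security Center
        # in services.msc" symptom described in this thread)
        $reg = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

        $verdict = if (-not $reg) { 'MISSING: service key deleted' }
                   elseif ($reg.Start -eq 4) { 'DISABLED: start type set to 4' }
                   elseif (-not $svc) { 'BROKEN: key present but SCM cannot load it' }
                   elseif ($reg.Start -eq 2 -and $svc.Status -ne 'Running') { 'STOPPED: automatic service not running' }
                   else { 'OK' }

        [pscustomobject]@{
            Service   = $s.Display
            Name      = $s.Name
            Status    = if ($svc) { [string]$svc.Status } else { 'n/a' }
            StartType = if ($reg) { $startTypes[[int]$reg.Start] } else { 'n/a' }
            ImagePath = if ($reg) { $reg.ImagePath } else { 'n/a' }
            Verdict   = $verdict
        }
    }
}

Get-SecurityServiceReport | Format-Table -AutoSize -Wrap
```

    A MISSING or BROKEN verdict is the state that the permission and service-restore steps later in this thread address; a plain STOPPED service can usually just be started once the machine is clean.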
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you referring to the below items I highlighted in purple?
    Code:
    Get Logical Disk Info From WMI
    ==============================================================
    Description       DeviceID  FileSystem  Size          VolumeName
    Local Fixed Disk  C:        NTFS        640027717632  Željo
    Removable Disk    E:
    Removable Disk    H:
    Removable Disk    I:
    Removable Disk    J:
    If those are what you are referring to, they appear to be part of your PC for reading flash cards:
    Code:
    Get Disk Drive Info From WMI
    ==============================================================
    Model                             Name                Size
    WDC WD6400AAKS-65Z7B0 ATA Device  \\.\PHYSICALDRIVE0  640131932160
    Generic USB CF Reader USB Device  \\.\PHYSICALDRIVE2
    Generic USB MS Reader USB Device  \\.\PHYSICALDRIVE4
    Generic USB SD Reader USB Device  \\.\PHYSICALDRIVE1
    Generic USB SM Reader USB Device  \\.\PHYSICALDRIVE3
     
  11. pike8

    pike8 Private E-2

    You're right, it was my card reader.

    As for the connections, when I go to Network and Sharing Center / Change adapter settings, there is only a LAN and a DSL connection.

    FSS log attached.

    Also, in the meantime, I've followed the Microsoft procedure for restoring Security Center/firewall, and now it works. After that, I tried installing NOD32 again, and it works also. I scanned the PC with it, and it found only 2 suspicious objects:
    Code:
    AppData\LocalLow\Sun\Java\Deplyoment\cache\6.0\ - a variant of Java/TrojanDownloade.OpenStream.NCG Trojan
    Desktop\SoftonicDownloader_for_regcleaner.exe - Win32/SoftonicDownloader potentially unwanted application
    Both were quarantined.
     

    Attached Files:

    • FSS.txt
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, things are sounding better. Let's get one more set of logs to make sure all is good, but we will use a newer version of MGtools.

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.
    Run MGtools.exe (Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it; use right click and select Run As Administrator.)

    Now attach the below log:
    • C:\MGlogs.zip
    Also, are you having any remaining malware problems?
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    To add a note, the below were things I previously saw that I wanted to add to the cleanup list:

    Folder::
    C:\Users\haris\AppData\Local\d424a95e

    File::
    C:\Users\haris\AppData\Roaming\setup.exe
    C:\Users\haris\Desktop\mm41wd4x.exe
    C:\Windows\System32\dds_log_trash.cmd
    C:\Windows\System32\Dvbpws.dll
     
  14. pike8

    pike8 Private E-2

    When you say cleanup list, you mean I should simply delete those?

    In the meantime, I found some procedure on the Microsoft site to restore firewall/Security Center, and it worked. http://answers.microsoft.com/en-us/...c3b8-69ec-4b4b-a703-4b745fe6e8ee?tab=MoreHelp

    I was able to install NOD after this (I uninstalled it while trying to run ComboFix, and couldn't install it again), and it also works normally. I scanned the PC with NOD, and it found just two suspicious files and quarantined them; for some reason, NOD deleted the log files, but I remember that one of those was something about Java in AppData, and the other one was Softonic downloader for regcleaner.

    My recycle bin was acting weird too; a few times when I was about to delete some files, I got a message that the recycle bin is corrupted, or something like that. I found some solution on the Microsoft site; after that I deleted many times, and no message appeared, but today it showed up once again, and after that it stopped showing again.

    Windows Update is not working (error 80096001); I can't even install .NET Framework, it says "A system-level error occurred while verifying trust".

    I scanned the PC again with the MGtools version you gave me in your post; the same error messages I mentioned before showed up again and it got stuck just as last time. Log attached.
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No. It is a note of things I will need to make a fix to remove.

    First, you should not be doing this. The below is a direct quote from the beginning of the READ & RUN ME.
    And if you had searched our forum, you would see that those instructions at Microsoft were actually derived from fixes we have been giving people for quite some time in this forum. ;) It is just a matter of WHEN those fixes should be used. Running them when malware has not been properly removed yet will result in the fix not helping or in making things worse.

    As per above. None of this was requested and you should not be doing this.

    It's nothing to worry about. Just keep ignoring it and do what you have been doing.

    Now download SubInACL.msi from Microsoft.
    • Now double click on SubInACL.msi to run the installer. Accept any prompts you get about installing this.
    • Now download the below file and save it to your Desktop:
    • Now right click on resetperm.cmd and select Run As Administrator, which can be critical to running this script. Be patient as this may take awhile to run.
    Once it finishes, reboot your PC.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click; use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  16. pike8

    pike8 Private E-2

    After resetting permissions with the tool you gave me, Windows Update finally works.
     

    Attached Files:

  17. pike8

    pike8 Private E-2

    Sorry for the bump, but I don't see an edit option; this situation got me somewhat paranoid, so I'd like to create backup copies of my personal data (documents, videos, pictures and some other stuff like savegames). So, I'd like to know if it's safe to plug in my USB external HDD and copy my data onto it? Which types of files get infected with these trojans, viruses or whatever infected my PC?
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, you can back up your personal important data that is not available elsewhere.

    Any file can actually get infected; the probabilities are just lower for some types, like .txt files for example. Executable type files are the most commonly infected.

    Are you still having any problems? If so, what?
     
  19. pike8

    pike8 Private E-2

    Well, almost everything is fine.

    I have a program called bsaunpacker (a tool for The Elder Scrolls: Skyrim game).
    After the problems with the virus, it stopped working, showing an error very similar to the one given by MGtools.

    I found that the problem might be .NET Framework related, so I tried to reinstall it. Before these last fixes you gave me (reset permissions), I couldn't install .NET Framework (it gave me the "A system-level error occurred while verifying trust" error).

    After fixing Windows Update, I can install .NET Framework 4 (after installing it, I immediately got Windows updates for it) and .NET Framework 1.1, but couldn't install .NET Framework 3; it told me to turn Windows features on or off, I tried to disable .NET Framework 3.5.1 there and then install, but it still couldn't work.

    bsaunpacker still doesn't work.

    Oh, and I am worried why ComboFix never gets past
    Code:
    Scanning for infected files...
    This typically doesn't take more than 10 minutes
    However, scan times for badly infected machines may easily double
    P.S. About backing up my data: when I move it to an external HDD, I'll reformat my PC and install a fresh copy of Windows. How can I check my data on the external HDD before copying it back onto my PC?
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    These may be issues you need to work on in the Software Forum, as your logs were not showing any more signs of malware. It is possible that there is residual damage to Windows 7 itself or to some of your applications/games that needs to be repaired. This could mean you will have to completely uninstall the problem applications and then reboot and make sure they all uninstalled. Then attempt reinstalling. Problems like you are describing with .NET Framework are seen quite a lot when you search on this. I don't know if there are ever any real competent fixes other than reinstall.

    It also may just mean damage to Windows itself.

    If you are going to format and reinstall, then it is not worth the effort to try and fix your residual Windows 7 / .NET Framework issues.

    You can scan your external hard drive using your antivirus program and also tools like Malwarebytes and SUPERAntiSpyware before you use any files from it.
     
  21. pike8

    pike8 Private E-2

    So, my system seems to be clean?

    I'll try and repair the damage myself, but if I don't succeed, the important thing is that I don't have to worry about my data, since it obviously isn't infected.

    Only one more question: if I decide to reinstall, what AV/firewall combination do you suggest for maximum protection?

    I hope that I won't have to write in this topic again and that I'll have no more problems with malware, so I just want you to know that I am endlessly grateful for all your help. There are so many people with problems on this forum, every one of them with a unique problem, a lot of them not following your guidelines thoroughly (including me :-o). And yet, you kindly approach every single one of us and patiently work with us, helping us solve our issues. Altruism is not dead. Once again, thank you very much and all the best to you!
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Based on the logs you had attached, yes. But we could run a couple more scans if you would like, just to double check. Some would be repeats, just to make sure that items indicated as fixed were fixed.

    However I thought you said you were going to reinstall.

    Comodo Internet Security, which includes antivirus, antispyware, firewall and more, but it will take some getting used to the firewall and Defense+ popups/notifications while you get it to recognize everything you run.

    Otherwise Avira antivirus and a firewall like PC Tools.
     
