MajorGeeks Support Forums > Malware Removal
#1 - AlDibb (Private E-2) - 06-06-12, 18:29
Sirefef-A attack!

Hi,

A few days ago, Avast started giving warnings of the following Trojans:
- Sirefef-A
- DNS Changer VJ
It started whilst my wife was browsing the net on various Russian websites - but not using sites that should be considered overly dangerous.

I have run two Avast full scans and two boot scans, and Avast is detecting and quarantining the viruses, but they still seemed to be activated each time the computer was started, with further Avast warnings. Also, my internet connection was being 'altered' so that I had to run network diagnostics and then restart the computer to get online. Internet Explorer also seemed to be running very slowly, to the point of the whole system freezing regularly.

So, I have tried to follow the steps in the Read and Run-Me First guide and the Windows XP Malware removal procedure (logs attached).

Super Anti-spyware ran and did not detect anything.

Malwarebytes picked up and deleted a few trojans.

The problems started with Combofix and then repeated with RootRepeal because each time the computer froze not long after beginning the scanning process. I have tried a number of times with each of them and I have attempted to run them in Safe Mode - but with no success.

MGTools also ran successfully.

After running Malwarebytes, Avast has stopped issuing warnings and I have had no problems getting online. However, I am deeply suspicious that I still have some malware that is interrupting Combofix and RootRepeal, and my browser (Internet Explorer) still seems to be running very slowly and intermittently freezing.

My thanks in advance for your assistance. This has been driving me crazy for a few days now!!

Cheers,
Al.
Attached Files:
- mbam-log-2012-06-06 (13-19-47).txt (3.3 KB)
- MGlogs1.zip (142.0 KB)
- SUPERAntiSpyware Scan Log - 06-06-2012 - 13-13-08.log (574 Bytes)

#2 - thisisu (Malware Consultant, Houston, TX) - 06-07-12, 03:03
Re: Sirefef-A attack!

Welcome to MajorGeeks, Al

From Add/Remove Programs (via Control Panel), please uninstall the below:
  • Java(TM) 6 Update 22
  • J2SE Runtime Environment 5.0 Update 7

Please download Disable/Remove Windows Messenger to your desktop.
  • Double-click MessengerDisable.exe to run it.
  • Place checkmarks in "Uninstall Windows Messenger" and "Hide Messenger from Outlook Express"
  • Click Apply
  • Click Exit

Please download BlitzBlank to your desktop.
  • Double-click BlitzBlank.exe to open (Vista/7 right-click and select Run as Administrator)
  • Press OK at the warning prompt.
  • Click the Script tab
  • Copy the text inside the code box below and paste it into the text-field.
Code:
DeleteFolder:
C:\WINDOWS\Installer\{f7ce0457-08e3-b544-c563-b4c545a5c8e0}
"C:\Documents and Settings\Admin_2\Local Settings\Application Data\{f7ce0457-08e3-b544-c563-b4c545a5c8e0}"
  • Now click the Execute Now button.
  • The fix will require a reboot in order to complete successfully.
  • Upon reboot, locate C:\blitzblank.log and attach this log to your next message. (How to attach)

__

Attempt to run ComboFix using these directions:
  • Press and hold the Windows key and then press the letter R on your keyboard.
  • This opens the Run dialog box.
  • Copy and paste the below text inside the text-field:
    • "%userprofile%\desktop\ComboFix" /killall
  • Now press ENTER
  • ComboFix should launch and try to scan. Let me know exactly what happens if it does not run successfully this time around.
  • Attach C:\ComboFix.txt if it was successful. (How to attach)

#3 - AlDibb (Private E-2) - 06-08-12, 06:16
Re: Sirefef-A attack!

Hello,

I'm very grateful for your help so far - thanks very much!

I managed to follow your instructions as far as running Combofix, and the BlitzBlank log is attached.

When I came to run Combofix, I disabled my antivirus and firewall and then ran the program from the Run dialog box as per your instructions. Combofix loaded - with the dialog box with the green bar - it created a system restore point and then came up with the window which says "scanning for infected files... This typically doesn't take more than 10 minutes" etc.

Soon after, the computer froze. I rebooted and attempted to run Combofix again from the run dialog box and it reached the same point. This time the computer didn't freeze straight away, although it didn't appear to be doing anything either. I left it running overnight and by morning, it had frozen at the same stage. There didn't appear to be any sign of Combofix having worked at all - the clock format hadn't changed and the internet connection was still active.

Is there anything else to try? Thanks again for your help.
Attached Files:
- blitzblank.log (4.5 KB)

#4 - thisisu (Malware Consultant, Houston, TX) - 06-08-12, 12:16
Re: Sirefef-A attack!

Hello.

Follow these instructions and remember to attach the log once the scan is finished: ESET Online Scanner

#5 - AlDibb (Private E-2) - 06-09-12, 18:47
Re: Sirefef-A attack!

Hi,

The ESET scan ran successfully - log attached.

Thanks again!
Attached Files:
- ESETScan.txt (391 Bytes)

#6 - thisisu (Malware Consultant, Houston, TX) - 06-09-12, 18:49
Re: Sirefef-A attack!

How is the system running at this point?

#7 - AlDibb (Private E-2) - 06-10-12, 05:57
Re: Sirefef-A attack!

Hi,

The system is running but it is still running more slowly than it was before. I also have a problem with loading webpage pictures - they appear as square icons with a red cross inside. This is happening across all webpages, compared with only rare occurrences before.

I also just attempted to run Combofix as per your previous instructions and the system is still hanging at the same point.

However, Avast is no longer giving any warnings at start up and I can at least browse the internet, which is a big improvement on how things were before!

#8 - thisisu (Malware Consultant, Houston, TX) - 06-10-12, 12:11
Re: Sirefef-A attack!

I do not think malware is the cause of ComboFix and RootRepeal not running. It's probably some other type of Windows issue or maybe your low capacity / legacy 20GB hdd is the problem. We'll run a couple more checks just to make sure.

The ESET scan looks very good.

__

As for your other problem with images not showing up, you may want to try this: Microsoft Fix it 50195

__

I want you to read and follow these instructions: TDSSKiller - How to run

__

Please download OTL by OldTimer.
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Check the "Scan All Users" checkbox.
  • Check the "Standard Output".
  • Change the setting of "Drivers" and "Services" to "All"
  • Copy the text in the code box below and paste it into the text-field.
    Code:
    activex
    netsvcs
    /md5start
    afd.sys
    i8042prt.sys
    ipsec.sys
    netbt.sys
    services.exe
    svchost.exe
    /md5stop
    %windir%\$ntuninstallkb*. /30
    %windir%\system32\drivers\*.sys /lockedfiles
  • Now click the button.
  • One report will be created:
    • OTL.txt <-- Will be opened
  • Attach OTL.txt to your next message. (How to attach)

#9 - AlDibb (Private E-2) - 06-10-12, 17:17
Re: Sirefef-A attack!

Many thanks once again for your help and advice!

My computer is quite a few years old, so maybe I do need to think about an upgrade! On the other hand, it did seem to be running fine before these problems started last week.

Unfortunately, the Microsoft Fix didn't completely cure the pictures issue. I'll try a few more things once the system is completely clean to try to resolve that.

In the meantime, I did manage to run TDSSKiller and OTL. TDSSKiller found one unsigned file. OTL crashed the first time with a BSOD but ran fine the second time round. It produced two logs; I guess you only want the first one, OTL.txt, but I've attached them both just in case.

There doesn't seem to be any change in the operation of the system post-scan and pre-scan.
Attached Files:
- OTL.Txt (158.4 KB)
- Extras.Txt (24.9 KB)
- TDSSKiller.2.7.36.0_10.06.2012_22.50.10_log.txt (77.3 KB)

#10 - thisisu (Malware Consultant, Houston, TX) - 06-10-12, 17:50
Re: Sirefef-A attack!

Fix items using OTL by OldTimer

Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
Copy the text in the code box below and paste it into the text-field.
Code:
:otl
SRV - [2011/06/26 07:45:56 | 000,256,000 | R--- | M] () [Auto | Stopped] -- C:\ComboFix\pev.3XE -- (PEVSystemStart)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rootrepeal.sys -- (rootrepeal)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O33 - MountPoints2\{8ae19a44-aebb-11df-a634-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{8ae19a44-aebb-11df-a634-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{8ae19a44-aebb-11df-a634-806d6172696f}\Shell\AutoRun\command - "" = E:\SmartAccess\ConnectGo.exe
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2012/06/09 23:40:22 | 000,047,807 | ---- | M] () -- C:\WINDOWS\WPCSET.BIF
@Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:C31F31E6
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ComboFix\catchme.sys -- (catchme)
:files
C:\WINDOWS\Installer\{f7ce0457-08e3-b544-c563-b4c545a5c8e0} /d
C:\Documents and Settings\Admin_2\Local Settings\Application Data\{f7ce0457-08e3-b544-c563-b4c545a5c8e0} /d
dir /s C:\WINDOWS\$NtUninstallKB2718704$ /c
c:\windows\system32\wevtutil.exe cl Application /c
c:\windows\system32\wevtutil.exe cl Security /c
c:\windows\system32\wevtutil.exe cl Setup /c
c:\windows\system32\wevtutil.exe cl System /c
:reg
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"00PCTFW"=-
"Adobe ARM"=-
:commands
[clearallrestorepoints]
[emptytemp]
[resethosts]
Now click the button.
If the fix needed a reboot please do it.
Click the OK button (upon reboot).
When OTL is finished, Notepad will open. Close Notepad.
A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
Attach this log to your next message. (How to attach)

Now run C:\MGtools\GetLogs.bat by double-clicking it.
This updates all of the logs inside MGlogs.zip.
When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
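As an added example (not the forum's or OTL's own code), a small Python reviewer for an OTL fix script like the one above: it splits the script into its sections and lists the folders, registry values, commands and event logs the fix would remove, so the operator knows in advance what changes and which evidence (event logs, restore points, temp files) is gone afterwards. The meaning of the `/d` (delete folder) and `/c` (run command) suffixes is assumed from how the posted script reads; the sample script embedded below is an abridged copy of that post, and the list of evidence-destroying commands is my own.

```python
import re

# Constructed sample: an abridged copy of the OTL fix script posted above.
SAMPLE_FIX = r""":otl
O33 - MountPoints2\{8ae19a44-aebb-11df-a634-806d6172696f}\Shell\AutoRun\command - "" = E:\SmartAccess\ConnectGo.exe
:files
C:\WINDOWS\Installer\{f7ce0457-08e3-b544-c563-b4c545a5c8e0} /d
dir /s C:\WINDOWS\$NtUninstallKB2718704$ /c
c:\windows\system32\wevtutil.exe cl Security /c
:reg
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"00PCTFW"=-
:commands
[clearallrestorepoints]
[emptytemp]
"""

# :commands entries that destroy evidence an analyst may still want (my own list).
EVIDENCE_LOSS = {"clearallrestorepoints": "deletes every System Restore point",
                 "emptytemp": "empties temp folders (may hold dropper samples)"}

def parse_sections(script):
    """Split the script into {section: [lines]}; a ':name' line opens a section."""
    sections, current = {}, None
    for line in filter(None, map(str.strip, script.splitlines())):
        if line.startswith(":"):
            current = line[1:].lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def review_fix(script):
    """Summarise every destructive action the fix would perform."""
    s = parse_sections(script)
    rep = {"folders": [], "commands": [], "reg_deletes": [],
           "otl_items": len(s.get("otl", [])), "warnings": []}
    for line in s.get("files", []):  # assumed: '/d' = delete folder, '/c' = run command
        if line.endswith(" /d"):
            rep["folders"].append(line[:-3])
        elif line.endswith(" /c"):
            rep["commands"].append(line[:-3])
            m = re.search(r"wevtutil(?:\.exe)?\s+cl\s+(\w+)", line, re.I)
            if m:  # 'wevtutil cl <log>' wipes that event log: evidence is lost
                rep["warnings"].append(f"clears the {m.group(1)} event log")
    key = None
    for line in s.get("reg", []):  # .reg syntax: [key] then "name"=- deletes the value
        if line.startswith("["):
            key = line.strip("[]")
        elif key and (m := re.fullmatch(r'"([^"]+)"=-', line)):
            rep["reg_deletes"].append(key + "\\" + m.group(1))
    for line in s.get("commands", []):
        cmd = line.strip("[]").lower()
        if cmd in EVIDENCE_LOSS:
            rep["warnings"].append(f"{cmd}: {EVIDENCE_LOSS[cmd]}")
    return rep

if __name__ == "__main__":
    for item, value in review_fix(SAMPLE_FIX).items():
        print(f"{item}: {value}")
```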

#11 - AlDibb (Private E-2) - 06-10-12, 18:37
Re: Sirefef-A attack!

I ran OTL and it required a reboot. In the process of shutting down for the reboot, the system crashed with a BSOD re "Driver Corrupted MMPool". Upon the restart, OTL finished running and produced a log (attached). Immediately, I then received 2 Windows messages saying that the "system has recovered from a serious error". I have attached the details in a file called serious error.txt.

GetLogs.bat ran successfully - log attached.

Many thanks once again for your help!
Attached Files:
- 06112012_002111.log (15.3 KB)
- MGlogs.zip (139.7 KB)
- serious error.txt (856 Bytes)

#12 - thisisu (Malware Consultant, Houston, TX) - 06-10-12, 19:12
Re: Sirefef-A attack!

Can you attach this file? C:\Documents and settings\Admin_2\LOCALS settings\Temp\WER7d28.dir00\Mini060612-01.dmp

It may also be in here: C:\Windows\Minidump

#13 - AlDibb (Private E-2) - 06-10-12, 20:06
Re: Sirefef-A attack!

Unfortunately I can't attach the file directly. The uploader won't allow *.dmp extensions.

I've attempted to load the file into WinDbg and then copy and paste the results into the attached .txt file. I fear, however, the results may not be very useful.
Attached Files:
- debug.txt (13.0 KB)

#14 - AlDibb (Private E-2) - 06-10-12, 20:12
Re: Sirefef-A attack!

I just had an idea and added a .txt extension to the end of the .dmp file to try and trick the uploader into allowing me to attach the file, and it's worked! Hopefully, you can open it more successfully than me.
Attached Files:
- Mini060612-01.dmp.txt (88.0 KB)

#15 - thisisu (Malware Consultant, Houston, TX) - 06-10-12, 20:43
Re: Sirefef-A attack!

Did these bluescreens just start or has this been going on for a while?

#16 - AlDibb (Private E-2) - 06-11-12, 07:29
Re: Sirefef-A attack!

We did have a problem with bluescreens a few years ago, but I cleared that by re-installing Windows from the original CD.

Since then, we have had blue screens very rarely. There have been quite a few over the last week, mainly whilst running cleaning programs / fixes.

Thanks, Al.

#17 - thisisu (Malware Consultant, Houston, TX) - 06-11-12, 13:28
Re: Sirefef-A attack!

To me it sounds like there may be a problem with the computer's memory/RAM.

This typically isn't the scope of this forum and you may need to pursue any remaining issues in a different subforum but this is a quick way to test memory:

http://www.memtest.org/
http://www.memtest.org/download/4.20...+-4.20.iso.zip <-- burn the .ISO as an image to a blank CD.
Boot from the CD.
Let me know if you start seeing red lines fill up the screen, like this:

The red means failed memory (at least one stick).
If there's no red after a couple of passes, then we can rule out memory.

#18 - thisisu (Malware Consultant, Houston, TX) - 06-11-12, 15:26
Re: Sirefef-A attack!

Also, please run C:\MGtools\FixNet.bat
It will run a few commands and then reboot your computer.

Once your computer has been rebooted:

Now download the latest MGtools.exe to the root of your c: drive.
  • Replace your existing MGtools.exe with this one.
  • Now run this new MGtools.exe by double-clicking it. (Vista/7 right-click and select Run as Administrator)
  • When it is finished, attach c:\MGlogs.zip to your next message. (How to attach)

#19 - AlDibb (Private E-2) - 06-15-12, 18:27
Re: Sirefef-A attack!

Hi,

Sorry not to have posted sooner - I've been away from home for a few days.

OK, I ran the memory test and it did two passes - both successful - with no errors found.

I followed your instructions with MGTools and the log is attached.

Thanks again for your advice - I will be away again for a while but I will really appreciate any further help on my return.

Al.
Attached Files:
- MGlogs.zip (152.1 KB)

#20 - thisisu (Malware Consultant, Houston, TX) - 06-15-12, 23:06
Re: Sirefef-A attack!

I'm glad to hear memtest passed

Your latest logs are clean.
What malware related problems are you still having, if any?