MajorGeeks Support Forums

  #1  
Old 07-09-12, 16:09
YourTransistor
Private E-2
 
Join Date: Jul 2012
Posts: 3
GAC_64\Desktop.ini - Win32:Sirefef-PL Infection

This was a big doh, moment for me. I have been relying on Microsoft Security Essentials and Windows Firewall with safe practices to keep my computer clean since the end of last year. Yet I slipped up and got infected from browsing a website.

I noticed that during the infection the Adobe Flash Player installer popped up. I realized, too late, what was going on and canceled it. Of course the damage was done. A window for a fake antivirus called Security Shield popped up. MSE and Windows Firewall were disabled and I'm afraid to try and reinstall them in case it nukes my computer.

Next my Chrome browser gave me invalid certificate errors and every browser was redirecting navigation.

Java was also acting up and giving me syntax error windows. This had been happening for a while so not sure if it's a virus.

I've performed backups of all my personal files and went through some other forums before landing on this one.

Before using this site's READ ME, I ran the following and quarantined/deleted files when prompted.

- MalwareBytes - quarantined/deleted files
- Prevx - scan only
- Eset online scanner
- aswMBR - discovered the rootkit virus in the post title
- MBRcheck
- Hitman Pro (not sure if it was 64-bit)
- TDSSKiller - came up empty

I deleted and replaced my hosts file, so now it is back to its default value.

So far it's fixed the browser issues, but MSE and Windows Firewall are still down. So then I followed the Major Geeks READ ME to the teeth. The only problem I ran into was that MGtools was not allowed to install into the C: directory.

I work from my PC so if it's infected I risk missing deadlines and this is already costing me income. I'd like to salvage the computer if I can, but I'll do a reformat if I have to.

I've attached the logs you asked for and I'll attach logs from the other programs in a second post.

Attached Files:
- RKreport[1].txt (2.0 KB)
- hitmanpro.zip (673 Bytes)
- mbam-log-2012-07-09 (13-01-11).txt (1.8 KB)
- MGlogs.zip (315.3 KB)
  #2  
Old 07-10-12, 09:14
thisisu
Malware Consultant
 
Join Date: Apr 2006
Location: Houston, TX
Posts: 8,162
Re: GAC_64\Desktop.ini - Win32:Sirefef-PL Infection

Welcome to MajorGeeks, YourTransistor

From Programs and Features (via Control Panel), please uninstall the below:
  • Java(TM) 6 Update 31 <== Outdated

Open RogueKiller again.

Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
When it opens, press the Scan button
Now press the Delete button.
When it is finished, there will be a log on your desktop called: RKreport[3].txt
Attach RKreport[3].txt to your next message. (How to attach)

__

Manually delete the following folders:
  • C:\Users\Kyle\AppData\Local\{0470adf4-0dd4-eec5-b768-520f19998c6f}
  • C:\WINDOWS\Installer\{0470adf4-0dd4-eec5-b768-520f19998c6f} <== Does not exist anymore according to your logs, but double-check
Let me know if you had any trouble doing this.

__

C:\Users\Kyle\Desktop\aswMBR.txt <== Attach this to your next message

__

I think your HitmanPro log is corrupted. I cannot get it to open. Please rescan and attach its log.

__

Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
  • Now open Repair_Windows.exe
  • Go to the Start Repairs tab.
  • Press the Start button
  • Create a System Restore point if prompted.
  • In the Repair Options window, choose the following repairs:
    • Reset Registry Permissions
    • Repair Windows Firewall
    • Repair Hosts File
    • Remove Policies Set By Infections
    • Repair Winsock & DNS Cache
    • Repair Windows Updates
  • Place a checkmark in Restart/Shutdown System When Finished
  • Fill in the Restart System bubble
  • Now click the Start button.
  • Be patient while the tool repairs the selected items. Your computer should automatically restart when finished.

__

Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
This updates all of the logs inside MGlogs.zip.
When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

__

Let me know what problems remain after you have completed these steps.
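A read-only check a defender can run after finishing the steps in this reply, to confirm that the items thisisu lists are actually gone before declaring the machine clean. This is an added example, not code from the thread or from any of the tools it names; it assumes the GAC_64\Desktop.ini from the thread title sits under %SystemRoot%\assembly, and uses the service names MpsSvc (Windows Firewall) and MsMpSvc (Microsoft Security Essentials).

```powershell
# Added example (not from the thread or thisisu): a read-only post-cleanup audit
# for the items the reply above asks the poster to fix. Run from an elevated
# PowerShell prompt. The {0470adf4-...} folder names are quoted from the thread;
# the GAC_64\Desktop.ini location under %SystemRoot%\assembly is an assumption.
$findings = @()

# 1. Leftover folders named in the reply (per-user copy and Installer copy).
$guid = '{0470adf4-0dd4-eec5-b768-520f19998c6f}'
foreach ($f in @("$env:LOCALAPPDATA\$guid", "$env:SystemRoot\Installer\$guid")) {
    if (Test-Path -LiteralPath $f) { $findings += "Folder still present: $f" }
}

# 2. A Desktop.ini inside the 64-bit GAC (the file the thread title refers to).
#    A clean GAC_64 directory normally contains no Desktop.ini at all.
$gacIni = "$env:SystemRoot\assembly\GAC_64\Desktop.ini"
if (Test-Path -LiteralPath $gacIni) { $findings += "Suspicious file: $gacIni" }

# 3. Services the infection disabled: Windows Firewall (MpsSvc) and
#    Microsoft Security Essentials (MsMpSvc). Both should exist and be running.
foreach ($name in 'MpsSvc', 'MsMpSvc') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { $findings += "Service missing: $name"; continue }
    if ($svc.Status -ne 'Running') { $findings += "Service not running: $name ($($svc.Status))" }
}

# 4. Hosts file: the poster replaced it, so anything beyond a localhost line
#    (or a comment) means something wrote to it again.
$hosts = "$env:SystemRoot\System32\drivers\etc\hosts"
foreach ($raw in (Get-Content -LiteralPath $hosts)) {
    $line = $raw.Trim()
    if ($line -and -not $line.StartsWith('#') -and
        $line -notmatch '^(127\.0\.0\.1|::1)\s+localhost$') {
        $findings += "Non-default hosts entry: $line"
    }
}

# 5. The outdated Java the reply asks to uninstall (Java(TM) 6 Update 31).
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$oldJava = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Java(TM) 6*' }
foreach ($j in $oldJava) { $findings += "Outdated Java still installed: $($j.DisplayName)" }

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output '[ok] Nothing from the cleanup checklist is still present.' }
```

Any `[!]` line is a reason to keep following the helper's instructions rather than assume the cleanup is complete; the script changes nothing on disk.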
  #3  
Old 07-10-12, 09:33
YourTransistor
Private E-2
 
Join Date: Jul 2012
Posts: 3
Re: GAC_64\Desktop.ini - Win32:Sirefef-PL Infection

Thanks for the warm welcome

I caved in to paranoia and decided to wipe everything. I updated the backups of my personal files to an external hard drive, scanned with AVG and MalwareBytes to make sure the backup was clean. The scans didn't detect anything.

I then wiped my entire hard disk using the zero write function with Darik's Boot and Nuke, and today I'm going to format and install a fresh copy of Windows. I'm going to do the same with the laptop I'm on too lol! I've learned my lesson. I just didn't want to have any risk of working on a previously compromised system.

I hope that the virus didn't copy itself to my external since I just copy pasted MyDocuments, My Music, My Videos, and My Pictures.

I apologize for not having posted an update for my decision, because I didn't want to bump the post and I ran the disk wipe while I was sleeping.

After it's all said and done I'll follow the MajorGeeks guide to preventing malware. Do you have any advice for me at this point? Is there any other way to make sure my backups aren't corrupted?

Thanks!
  #4  
Old 07-10-12, 09:38
YourTransistor
Private E-2
 
Join Date: Jul 2012
Posts: 3
Re: GAC_64\Desktop.ini - Win32:Sirefef-PL Infection

I also read this article that you guys linked from your How to Protect Yourself from Malware thread.

http://technet.microsoft.com/library/cc512587.aspx

Which is why I ultimately decided to wipe to zeros.
  #5  
Old 07-10-12, 13:02
thisisu
Malware Consultant
 
Join Date: Apr 2006
Location: Houston, TX
Posts: 8,162
Re: GAC_64\Desktop.ini - Win32:Sirefef-PL Infection

That's ok. Be safe.