1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

GAC_64\Desktop.ini - Win32:Sirefef-PL Infection

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by YourTransistor, Jul 9, 2012.

  1. YourTransistor

    YourTransistor Private E-2

    This was a big doh, moment for me. I have been relying on Microsoft Security Essentials and Windows Firewall with safe practices to keep my computer clean since the end of last year. Yet I slipped up and got infected from browsing a website.

    I noticed that during the infection the Adobe Flash Player installer popped up. I realized, too late, what was going on and canceled it. Of course the damage was done. A window for a fake antivirus call Security Shield popped up. MSE and Windows Firewall were disabled and I'm afraid to try and re install them in case it nukes my computer.

    Next my Chrome browser gave me invalid certificate errors and every browser was redirecting navigation.

    Java was also acting up and giving me syntax error windows. This had been happening for a while so not sure if it's a virus.

    I've performed backups of all my personal files and went through some other forums before landing on this one.

    Before using this site's READ ME, I ran the following and quarantined/deleted files when prompted.

    -MalwareBytes - quarantine/deleted files
    -Prevx - scan only
    -Eset online scanner
    -aswMBR - discovered the rootkit virus in post title
    -Hitman Pro (not sure if it was 64bit)
    -TDSSKiller - came up empty

    I deleted and replaced my hosts file, so now it is back to its default value.

    So far it's fixed the browser issues, but MSE and Windows Firewall are still down. So then I follow the Major Geeks READ ME to the teeth. The only problem I ran into was that MGtools was not allowed to install into the C: directory.

    I work from my PC so if it's infected I risk missing deadlines and this is already costing me income. I'd like to salvage the computer if I can, but I'll do a reformat if I have to.

    I've attached the logs you asked for and I'll attached logs from the other programs in a second post.

    Attached Files:

  2. thisisu

    thisisu Malware Consultant

    Welcome to MajorGeeks, YourTransistor :)

    [​IMG] From Programs and Features (via Control Panel), please uninstall the below:
    • Java(TM) 6 Update 31 <== Outdated

    [​IMG] Open RogueKiller again.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[3].txt
    Attach RKreport[3].txt to your next message. (How to attach)


    Manually delete the following folders:

    • C:\Users\Kyle\AppData\Local\{0470adf4-0dd4-eec5-b768-520f19998c6f}
    • C:\WINDOWS\Installer\{0470adf4-0dd4-eec5-b768-520f19998c6f} <== Does not exist anymore according to your logs, but double-check
    Let me know if you had any trouble doing this.


    C:\Users\Kyle\Desktop\aswMBR.txt <== Attach this to your next message


    I think your HitmanPro log is corrupted. I cannot get it to open. Please rescan and attach its log.


    [​IMG] Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now open Repair_Windows.exe
    • Go to the Start Repairs tab.
    • Press the Start button
    • Create a System Restore point if prompted.
    • In the Repair Options window, choose the following repairs:
      • Reset Registry Permissions
      • Repair Windows Firewall
      • Repair Hosts File
      • Remove Policies Set By Infections
      • Repair Winsock & DNS Cache
      • Repair Windows Updates
    • Place a checkmark in Restart/Shutdown System When Finished
    • Fill in the Restart System bubble
    • Now click the Start button.
    • Be patient while the tool repairs the selected items. Your computer should automatically restart when finished.


    [​IMG] Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)


    Let me know what problems remain after you have completed these steps.
  3. YourTransistor

    YourTransistor Private E-2

    Thanks for the warm welcome :)

    I caved in to paranoia and decided to wipe everything. I updated the backups of my personal files to an external hard drive, scanned with AVG and MalwareBytes to make sure the backup was clean. The scans didn't detect anything.

    I then wiped my entire hard disk using the zero write function with Darik's Boot and Nuke, and today I'm going to format and install a fresh copy of windows. I'm going to do the same with the laptop I'm on too lol! I've learned my lesson. I just didn't want to have any risk of working on an previously compromised system.

    I hope that the virus didn't copy itself to my external since I just copy pasted MyDocuments, My Music, My Videos, and My Pictures.

    I apologize for not having posted an update for my decision, because I didn't want to bump the post and I ran the disk wipe while I was sleeping :)

    After it's all said and done I'll follow MajorGeeks guide to preventing Malware. Do you have any advice for me at this point? Is there any other way to make sure my backups aren't corrupted?

  4. YourTransistor

    YourTransistor Private E-2

  5. thisisu

    thisisu Malware Consultant

    That's ok. Be safe :)

Share This Page

MajorGeeks.Com Menu

Downloads All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ PC Games \ System Tools \ Mac/Apple/Ipad Downloads

Other News: Top Downloads \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds