Win64/Sirefef.b trojan detected and critical, auto-restarting problem

Hello people,

found the forums while browsing the internet for solutions to my problem. This thread here -> http://forums.majorgeeks.com/showthread.php?t=260886 , kind of has very similar problems to mine.

I'm running Windows 7 64-bit Home premium on a Dell laptop and yesterday found out that my firewall has been disabled for unknown period of time and reasons. I tried setting it to default but alas to no success. I also encountered the MSE bug and made the mistake to uninstall then re-install it in vain.

I managed to run Window Defender Offline who detected Sirefef.b trojan but with each restart and scan it finds it again even though I seem to remove it successfully.

I also tried clean Windows boot by disabling start-up items and services but the error message window for forced restart in 1 min persists.

Usually I would try to clean the PC by myself but from all the info I read over the web I was left with the impression that this is something beyond my abilities.

I tried searching for similar topics but the fact a specific fix file is needed I decided to go for a separate topic. Sorry for spam if I did something wrong.

Thanks in advance

 

Welcome to MajorGeeks, AngelHart

http://img827.imageshack.us/img827/1263/frst.gif Please download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

• Restart the computer.
• As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
• Use the arrow keys to select the Repair your computer menu item.
• Choose your language settings, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

• Insert the installation disc.
• Restart your computer.
• If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
• Click Repair your computer.
• Choose your language settings, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account an click Next.

On the System Recovery Options menu you will get the following options:

• Select Command Prompt
• In the command window type in notepad and press Enter.
• The notepad opens. Under File menu select Open.
• Select "Computer" and find your flash drive letter and close the notepad.
• In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
• Note: Replace letter e with the drive letter of your flash drive.
• The tool will start to run.
• When the tool opens click Yes to disclaimer.
• Press Scan button.
• It will make a log (FRST.txt) on the flash drive. Please attach this log to your next reply. (How to attach)

 

Hello again,

thank you very much for the quick reply to my problem. Unfortunately I was overwhelmed today at work and it's now that I got the time to get the scan done. I hope everything will go smoothly.

Thanks again.

 

http://img827.imageshack.us/img827/1263/frst.gif Boot to System Recovery Options and run FRST again.
Type the below bolded text in the edit box after "Search:".

services.exe

Then click the Search button.

It will make a log (Search.txt) on the flash drive. Please attach this log to your next reply. (How to attach)

 

This is the next log required.

Can I ask if there is a tutorial on the forum about Farbar? I checked briefly the tutorial section and it's really neat, keep up the good work

Regards.

 

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Attached is fixlist.txt

• Save fixlist.txt to your flash drive.
• You should now have both fixlist.txt and FRST64.exe on your flash drive.

Now re-enter System Recovery Options.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt).
Please attach this to your next message. (How to attach)

Now attempt to boot normally.

 

There is not a public tutorial available for FRST. You can learn quite a bit though just by analyzing others' scan logs and fixes

Thanks

 

I don't know if it was a mistake, but accidentally I started the Windows Startup Repair process. I missed the moment with F8 and the PC showed me a message that Windows couldn't start and asked me if I wanted to enter the start-up repair and I thought that this would bring me to the recovery options. Attached is a photo shoot I took of te process. I wanted to ask if this is something extremely bad, just not ok or completely wouldn't interfere with the fixing process presented here?

Still, I decided to run the fix and this is the final log.

Thanks

 

No it is not bad. It is just windows repair taking extra long to give you more repair options (like the command prompt). Eventually it should bring you there.

 

I edited my post but will still post it as a separate message - the fix log. The board didn't allow me to re-attach it so you could find the file in the quoted post :-o

Cheers

 

The log looks good. What issues are you still experiencing? If the computer isn't rebooting automatically anymore, run this scan:

http://img97.imageshack.us/img97/8120/fss.gif Please download Farbar Service Scanner and run it on the computer with the issue.

• Make sure all the options are checked
• Press Scan.
• It will create a log (FSS.txt) in the same directory the tool was run.
• Please attach FSS.txt to your next message. (How to attach)

 

Notable issues:
- kinf of sluggish on the log on process, but otherwise logs
- I'm starting with turned off all start up progs and services - is it noral in this case not to see the MSE taskbar icon?
- should I turn on the start up and services processes?
- the display adapter seems to "forget" how small my desktop icons to remain, and after each restart I have to resize them(Q: is it possible to be because I resize them with Ctrl+Mouse Wheel?)
- I rebooted the pc 3 times and the autorestarting seems to have gone away

Aaaand another log comming up

Gratzie

 

I was testing some software on the pc when I encountered some issues:

- with the occurennce of the malware my firewall went offline and I got a "Update your firewall settings" message in the Windows Firewall tab in Control Panel. When I click "Use recommended settings" I'm presented with an error message stating "Windows Firewall can't change some of your settings. Error code 0x80070424"
- I started several of my apps and one (AutoCAD) doesn't seem to want to start at all. Otherwise Microsoft office products, Opera browser, etc. start normally. EDIT: After another reboot the program ran correctly. Still I find it an issue to mention. In addition, I booted the system with all start-up processes and services up and running. Seems ok.

 

There are still some Windows issues present according to your Farbar Service Scanner log. However, I'd like to be thorough before we attempt to fix these so read and follow this thread: READ & RUN ME FIRST Malware Removal Guide
Attach the logs here when finished. Also we prefer if you leave your system in Normal Startup in MSconfig.

 

Hi again,

I would like to apologize for my sluggish response. Following the instructions I decided to try the system for several days and it's been running smoothly. Everything seems fine.

I managed to run all the scans mentioned in the READ AND RUN ME topic under normal boot of Windows. Attached I'm providing the logs, hoping that I didn't miss something on the instructions, though I tried to check and double check everything before I execute each procedure.

Last but not least, only thing that is still kinda buggy is icons arranging and sizing themselves to a certain state after every reboot. I can't say how do they sort themselves though, but obviously it's not by name. Just to mention once again because I'm not sure I made it clear - the icons don't get randomly sized and arranged after reboot - they are always reverted to a specific sige, grid aligned, auto arranged.

EDIT: As requested UAC and disk emulation were disabled. However, I decided to keep my MSE untoched. Hope this hasn't interfered with any scans.

Best of luck.

 

http://img805.imageshack.us/img805/9659/rktigzy.gif Delete items using RogueKiller.

Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
When it opens, press the Scan button
Once the scan is complete, go to the Registry tab and checkmark everything except the below items:

• [HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0)
• [HJ] HKLM\[...]\System : EnableLUA (0)

Now press the Delete button.
When it is finished, there will be a couple of new RogueKiller logs on your desktop. Attach the very latest one to your next post. (How to attach)

__

http://img406.imageshack.us/img406/3189/windowsrepair.gif Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.

• Now open Repair_Windows.exe
• Go to the Start Repairs tab.
• Press the Start button
• Create a System Restore point if prompted.
• In the Repair Options window, choose the following repairs:
  • Reset Registry Permissions
  • Repair Windows Firewall
• Place a checkmark in Restart/Shutdown System When Finished
• Fill in the Restart System bubble
• Now click the Start button.
• Be patient while the tool repairs the selected items. Your computer should automatically restart when finished.

__

http://img825.imageshack.us/img825/2648/hjt.gif Run C:\MGtools\analyse.exe by double-clicking it (Vista/7 right-click and select Run as Administrator)
Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
Choose "Do a system scan only" and select the following lines but do not click fix until you exit all explorer windows and all browser sessions including the one you are reading in right now:

• R3 - URLSearchHook: (no name) - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - (no file)

After clicking Fix, exit out of Trend Micro HiJackThis - v2.0.4

__

http://img205.imageshack.us/img205/4783/regeditb.gif Open Notepad and copy everything in the code box below into it.

Code:

REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}]

• File -> Save As -> Save as type: "All Files" -> File Name: fixme.reg > Save.

Now merge this into the registry by double-clicking it.
Let me know if the merge was successful or not.

__

The issue with the icons is something we've been hearing of lately. Not sure exactly what the cause is or how it can be fixed yet. I will update you if we do find a fix for it.

 

Hi again,

so I ran RogueKiller as instructed, You can find the log file attached to this post.

I noticed in the Windows Repair by Tweaking.com program that there was an option that read "Repair Icons" or something like it. Perhaps it could be used to solve the icons problem. I don't know, haven't tried because it was not in the instructions, but decided to mention it. In addition I think the program worked. After the restart it took the PC a little bit longer to start after I input my log-on password but it booted fine. In addition, I was presented with a message window from Windows Firewall saying that a program needs access and decided not to permit it, just in case. The program's name was "Pando Media Booster".

After I ran the MGTools's analyse.exe and fixed the said path I successfully merged the registries as well.

Hope I'm not taking too much of your time.

Best regards

 

Yes but this addresses a different kind of icons issue. And some people have had negative experiences with this fix so I wouldn't recommend it to you.

You can allow it if you want. Shouldn't hurt anything. It's an application you have installed although I'm not familiar with its purpose.

__

• Download each of the 5 files below onto the desktop of the computer with the issues:
  • wuauserv.reg
  • BITS.reg
  • WinDefend.reg
  • SharedAccess.reg
  • wscsvc.reg
• Now double-click each of them, one at a time, and allow each one to merge into the Windows registry.
• Let me know if you received a successful message for all four files.
  • If all were successful, reboot your computer and rescan with Farbar Service Scanner. Attach its latest log.
  • If they weren't successful, let me know but rescan with Farbar Service Scanner too.

 

All the regestry files merged successfully + Farbar's latest log

 

How is the computer running at this point?

 

Hello,

I think that the PC is working quite well now, thanks to you :cool I rebooted and it loaded much faster everything. In addition, the icon problem is not present after the reboot (decided to adjust them, just to see if there was any effect on them, seems there is ). Otherwise, I've been using the PC since you managed to remove the auto-restarting issue quite as usually.

A million thank yous to you, Thisisu.

If you deem more action necessary, just provide further instructions.

Cheers

 

You're welcome

If you are not having any other malware related problems, it is time to do our final steps:

• Any programs we had you download and/or install can be removed at this time.
• If we had you download and run ComboFix, here is how to uninstall it:
  • Press and hold the Windows key http://i1106.photobucket.com/albums/h363/debojyotidas/Windows_Logo_key.gif and then press the letter R on your keyboard.
  • This opens the Run dialog box.
  • Copy and paste the below text inside the text-field:
    • "%userprofile%\desktop\ComboFix" /uninstall
  • Now press ENTER
  • ComboFix will extract its files one last time and you should receive a notification that ComboFix has been uninstalled shortly after.
• You can re-enable your Disk Emulation software at this time via DeFogger.
• If we had you create or download a registry patch or "fix" script, these can be deleted at this time.
• Go into the C:\MGtools folder and run the MGclean.bat file to remove additional traces of our tools.
• Now we will toggle System Restore to remove any infected system restore points.
  • Read this: How to Disable And Enable System Restore
• Lastly, here is a guide to protect you from future infections: How to Protect yourself from malware!
• Be safe