Author Topic: Infected: win32:Sirefef-PL [Rtk] - Help Please  (Read 19352 times)


Gimmick

  • Guest
Infected: win32:Sirefef-PL [Rtk] - Help Please
« on: July 25, 2012, 04:05:20 AM »
Hello Forum,

I detected a problem file through Avast! about 2 weeks ago after I had noticed that my Microsoft Security Essentials had been failing to update. I downloaded avast to change my protection and the first full scan detected the seemingly popular win32:Sirefef-PL [Rtk]. It was located at C:\Windows\assembly\GAC32\desktop.ini and also C:\Windows\assembly\GAC64\desktop.ini. My original attempts to move the infected files to the chest failed and so did my attempts to delete them. I ran my computer in safe mode and went offline to attempt a scan, and this time I was successful in moving the infected files to the chest and then continuing to delete them.

I spent some time researching the virus and searching for possible ways of removal, and even now that I have removed the discovered files I feel as though my computer certainly is still infected. Through research and fiddling around I believe I may have actually been infected back on January 10th and failed to notice until a week or two ago when I had a barrage of pop ups and noticed that my windows firewall had been refusing to turn on and protect my computer. I also had a popup that would surface every time I tried to run a MSE scan that would force restart my computer. I have frequently used malwarebytes and MSE throughout this computer’s life, but I never found anything infected until I switched to avast (kudos). Now that I have removed the files and avast scans do not detect any problems I still feel as though my computer is infected. Throughout the last 6 or so months while I believe I have been infected my CD-ROM drive has gone bad (who knows if it is related or not), so while I have decided I wanted to do a hard format and OS re-install I cannot do so because my install CD cannot be read by my computer. It is quite the fail boat!

Would it be alright if I simply posted some logs for a sense of security from you great minds? I have tried to follow forum guidelines of how to best aid you in this process. P.S. I am currently running avast, RUBotted, and PrivateFirewall as my protection if that is of relevant information. Logs are either posted or attached! Thank you!

-Derek

Malwarebytes:
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.24.12

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
owner :: OWNER-PC [administrator]

7/24/2012 5:44:00 PM
mbam-log-2012-07-24 (17-44-00).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 194048
Time elapsed: 3 minute(s), 5 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

aswMBR

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-07-24 18:47:35
-----------------------------
18:47:35.512    OS Version: Windows x64 6.1.7601 Service Pack 1
18:47:35.512    Number of processors: 1 586 0x170A
18:47:35.514    ComputerName: OWNER-PC  UserName: owner
18:47:36.973    Initialize success
18:47:37.509    AVAST engine defs: 12071700
18:47:50.236    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
18:47:50.239    Disk 0 Vendor: FUJITSU_MJA2320BH_G2 8919 Size: 305245MB BusType: 11
18:47:50.257    Disk 0 MBR read successfully
18:47:50.259    Disk 0 MBR scan
18:47:50.263    Disk 0 Windows 7 default MBR code
18:47:50.275    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS       293279 MB offset 2048
18:47:50.307    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS        11962 MB offset 600637440
18:47:50.337    Disk 0 scanning C:\Windows\system32\drivers
18:48:04.056    Service scanning
18:48:48.432    Modules scanning
18:48:48.440    Disk 0 trace - called modules:
18:48:48.483    ntoskrnl.exe CLASSPNP.SYS disk.sys hpdskflt.sys ACPI.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys
18:48:48.491    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004c0a790]
18:48:48.824    3 CLASSPNP.SYS[fffff8800161743f] -> nt!IofCallDriver -> [0xfffffa8004c095d0]
18:48:48.830    5 hpdskflt.sys[fffff880019f8289] -> nt!IofCallDriver -> [0xfffffa8004aca0d0]
18:48:48.836    7 ACPI.sys[fffff88000f8f7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8004ab7680]
18:48:50.119    AVAST engine scan C:\Windows
18:48:52.473    AVAST engine scan C:\Windows\system32
18:51:26.866    AVAST engine scan C:\Windows\system32\drivers
18:51:40.049    AVAST engine scan C:\Users\owner
19:00:25.231    AVAST engine scan C:\ProgramData
19:01:21.027    Scan finished successfully
19:01:33.040    Disk 0 MBR has been saved successfully to "C:\Users\owner\Desktop\Maintenance\MBR.dat"
19:01:33.046    The log file has been saved successfully to "C:\Users\owner\Desktop\Maintenance\aswMBR.txt"
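As an added example (not part of the thread and not AVAST's code), a small Python checker for aswMBR output like the log posted above: it pulls out the MBR verdict and the partition table and flags anything a malware remover would want to look at again (no "default MBR code" verdict, more or fewer than one active partition, or a large stretch of disk after the last partition). The first sample is the real log from the post; the second is a constructed variant, not real tool output.

```python
import re

# Sample 1: the aswMBR lines posted in the thread above (real tool output).
LOG_CLEAN = """\
18:47:50.239    Disk 0 Vendor: FUJITSU_MJA2320BH_G2 8919 Size: 305245MB BusType: 11
18:47:50.263    Disk 0 Windows 7 default MBR code
18:47:50.275    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS       293279 MB offset 2048
18:47:50.307    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS        11962 MB offset 600637440
"""

# Sample 2: constructed variant, not from the page: no "default MBR code" verdict
# and a shrunken second partition, leaving about 2 GB of the disk unaccounted for.
LOG_SUSPECT = """\
18:47:50.239    Disk 0 Vendor: FUJITSU_MJA2320BH_G2 8919 Size: 305245MB BusType: 11
18:47:50.275    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS       293279 MB offset 2048
18:47:50.307    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS        10000 MB offset 600637440
"""

SIZE_RE = re.compile(r"Disk (\d+) Vendor: .* Size: (\d+)MB")
# "Partition <n> <boot flag> [(A)] <type> <description> <size> MB offset <sectors>"
PART_RE = re.compile(r"Disk (\d+) Partition (\d+) ([0-9A-Fa-f]{2})\s+(?:\(A\)\s+)?"
                     r"([0-9A-Fa-f]{2})\s+.+?\s+(\d+) MB offset (\d+)")
SECTOR_BYTES = 512
GAP_THRESHOLD_MB = 64  # slack this large after the last partition deserves a closer look

def analyze_aswmbr(log_text):
    """Return the MBR verdict, the parsed partition table and a list of findings."""
    size_mb, partitions, findings, mbr_default = None, [], [], False
    for line in log_text.splitlines():
        if "default MBR code" in line:          # aswMBR's clean-MBR verdict
            mbr_default = True
        elif m := SIZE_RE.search(line):
            size_mb = int(m.group(2))
        elif m := PART_RE.search(line):
            partitions.append({
                "num": int(m.group(2)), "active": m.group(3) == "80", "type": m.group(4),
                "size_mb": int(m.group(5)),
                "start_mb": int(m.group(6)) * SECTOR_BYTES // (1024 * 1024),  # sectors -> MB
            })
    if not mbr_default:
        findings.append("MBR code not reported as Windows default")
    if sum(p["active"] for p in partitions) != 1:
        findings.append("expected exactly one active (bootable) partition")
    if size_mb and partitions:
        last = max(partitions, key=lambda p: p["start_mb"])
        gap = size_mb - (last["start_mb"] + last["size_mb"])
        if gap > GAP_THRESHOLD_MB:
            findings.append(f"{gap} MB unaccounted for after the last partition")
    return {"mbr_default": mbr_default, "partitions": partitions, "findings": findings}
```

On the posted log the partitions account for all but 3 MB of the 305245 MB disk and the MBR is reported as default, so the checker returns no findings.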



Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37505
  • Not a avast user
Re: Infected: win32:Sirefef-PL [Rtk] - Help Please
« Reply #1 on: July 25, 2012, 07:25:17 AM »
Malware removers are notified. It may take several hours before one arrives, so be patient.

Gimmick

Re: Infected: win32:Sirefef-PL [Rtk] - Help Please
« Reply #2 on: July 25, 2012, 08:01:40 AM »
Thank you for the update! I am in -6 GMT so the overlap may be quite different but I will be checking as frequently as I can.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Infected: win32:Sirefef-PL [Rtk] - Help Please
« Reply #3 on: July 25, 2012, 04:00:47 PM »
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following


    Quote
    :OTL
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}:6.0.26
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}:6.0.29
    O2:64bit: - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - No CLSID value found.

    :Files
    ipconfig /flushdns /c
    C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}
    C:\Users\owner\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN

Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1
Link 2
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

Gimmick

Re: Infected: win32:Sirefef-PL [Rtk] - Help Please
« Reply #4 on: July 25, 2012, 07:59:02 PM »
Thank you for the guidance Essexboy. I am working on running the fix using the script you provided in OTL but the program is "not responding" during the creating restore point phase of the script. It has been stuck on not responding for about 20 minutes. I have not tampered with anything within this time but am just waiting it out. Should I do a power button manual restart and attempt again if the program does not respond for some time? Or perhaps this is expected to take a while? I will wait it out for some time and hopefully you will have time to respond. I would imagine there have been some changes made to my system with this script so I don't want to make any presumptive moves. If it begins responding I will continue with the process and post the logs you requested. Thanks.

Edit: I am currently accessing this website through a roommate's computer
« Last Edit: July 25, 2012, 08:02:19 PM by Gimmick »

Offline essexboy

Re: Infected: win32:Sirefef-PL [Rtk] - Help Please
« Reply #5 on: July 25, 2012, 08:30:23 PM »
Yes, restart and continue with Combofix; we may need to check out system restore later.

Gimmick

Re: Infected: win32:Sirefef-PL [Rtk] - Help Please
« Reply #6 on: July 25, 2012, 09:45:33 PM »
Essexboy,

It seems as though OTL did indeed run its fix because there was a notification and a log after I manually restarted my computer. I have downloaded and run combofix; it appeared to delete one file at the end of its run and my computer is generating a log from combofix now. However, I need to run to work for a few hours and will be back to check in about 4 hours from this posting. I have the log report from OTL and assume I will have the one from combofix for that posting in a few hours. I'll get back to you then. Thanks again.

Offline essexboy

Re: Infected: win32:Sirefef-PL [Rtk] - Help Please
« Reply #7 on: July 25, 2012, 09:49:38 PM »
No problem, but I will be offline in about two hours.

Gimmick

Re: Infected: win32:Sirefef-PL [Rtk] - Help Please
« Reply #8 on: July 26, 2012, 02:07:31 AM »
I have not encountered any problems in my 10 minutes of browsing around on my computer; obviously it will take some time before I know with certainty that things are better. I have just noticed a generally less functional system since I think I may have acquired the suspected virus. Have any of the logs I have posted led you to believe that there is still a virus or problems within my system? Here are the updated OTL and ComboFix logs. I hope attachments are fine for this.

OTL:

Files\Folders moved on Reboot...
C:\Users\owner\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
File\Folder C:\Users\owner\AppData\Local\Temp\JET9E60.tmp not found!
File move failed. C:\Windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.
C:\Windows\temp\WebEx\Log\724\atashost.log moved successfully.

PendingFileRenameOperations files...
File C:\Users\owner\AppData\Local\Temp\FXSAPIDebugLogFile.txt not found!
File C:\Users\owner\AppData\Local\Temp\JET9E60.tmp not found!
[2012/07/25 12:12:14 | 000,000,000 | ---- | M] () C:\Windows\temp\_avast_\Webshlock.txt : Unable to obtain MD5
File C:\Windows\temp\WebEx\Log\724\atashost.log not found!

Registry entries deleted on Reboot...

Offline essexboy

Re: Infected: win32:Sirefef-PL [Rtk] - Help Please
« Reply #9 on: July 26, 2012, 04:57:33 PM »
I would like to do one further check, as the services file was not infected; that sometimes means the MBR is.

Download the latest version of TDSSKiller from here and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application
  • Then click on Change parameters.
  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  • Click the Start Scan button.
  • If a suspicious object is detected, the default action will be Skip; click on Continue.
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
  • Get the report by selecting Reports
  • Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.
Please copy and paste its contents on your next reply.

Gimmick

Re: Infected: win32:Sirefef-PL [Rtk] - Help Please
« Reply #10 on: July 26, 2012, 07:45:53 PM »
Essexboy,

The log was over 10,000 characters so I will need to attach it rather than paste it. I hope that is alright. There were 3 suspicious files found.

Offline essexboy

Re: Infected: win32:Sirefef-PL [Rtk] - Help Please
« Reply #11 on: July 26, 2012, 07:57:38 PM »
No, that's good. How is the computer behaving?

Gimmick

Re: Infected: win32:Sirefef-PL [Rtk] - Help Please
« Reply #12 on: July 26, 2012, 08:40:23 PM »
Essexboy,

I am running a final scan with avast now, but as far as the computer condition goes it seems quite well. I believe I mentioned earlier that I have not been able to turn on my Windows firewall since acquiring the virus, but I successfully turned it on just now for the first time since January! That must be a good sign. I am running PrivateFirewall as my firewall with Windows' firewall off and avast as my antivirus. I use Glary Utilities and CCleaner regularly and Malwarebytes as my scanner. Do you think that is sufficient or would you recommend anything else or any switches? The last problem I have encountered is that whenever I try to update some software (it just happened with Glary and CCleaner) it opens up Microsoft Word and loads the updating website as a text file within Word, of course making it so I can't easily get the update. Perhaps it just changed some setting on my computer in this process, but any idea how to easily fix that? The same thing also happened when I tried to update my old TDSSKiller to run for you, but I simply downloaded your updated file from your link to my desktop and everything worked fine. Any idea why this may be happening? Thank you for your help so much!

Offline essexboy

Re: Infected: win32:Sirefef-PL [Rtk] - Help Please
« Reply #13 on: July 26, 2012, 08:51:18 PM »
Sounds like an association problem.

Download Windows Repair (all in one) from this site

Install the programme then run

Go to step 3 and allow it to run SFC

On the start repairs tab click start

Select the following items and tick restart system when finished


Gimmick

Re: Infected: win32:Sirefef-PL [Rtk] - Help Please
« Reply #14 on: July 26, 2012, 09:59:23 PM »
Thank you, Essexboy! I am running the program as instructed now, but again I must head to work for a few hours. I will respond on the condition of my computer later and hopefully tomorrow we will have this all finished! Thanks again.

-Derek