Author Topic: Win64:Sirefef-A [Trj] and Win32:Downloader-PKU [Trj]  (Read 5336 times)


Chompey

  • Guest
Win64:Sirefef-A [Trj] and Win32:Downloader-PKU [Trj]
« on: July 16, 2012, 03:20:20 AM »
Hello, I require assistance in purging my system from the Sirefef virus that seems to be affecting a variety of people recently. I have provided the logs required, and await further instructions. Much appreciated on helping me out.

EDIT: I just realized, the aswMBR log is... empty. Is that normal? I still have the console that scanned open, and it did show an infection. Kind of strange that it turned out to be blank.

EDIT 2: I'll just manually type out the content in aswMBR, this will be done in about 5-10 minutes.

EDIT 3: Ok, the aswMBR log is now fixed. Sorry about that.
« Last Edit: July 16, 2012, 03:40:33 AM by Chompey »

Chompey

  • Guest
Re: Win64:Sirefef-A [Trj] and Win32:Downloader-PKU [Trj]
« Reply #1 on: July 16, 2012, 03:21:08 AM »
Here's the Extras log (couldn't fit it into the first post.)

SafeSurf

  • Guest
Re: Win64:Sirefef-A [Trj] and Win32:Downloader-PKU [Trj]
« Reply #2 on: July 16, 2012, 11:34:27 AM »
Welcome to the forum.  I am going to refer you to our Certified Malware expert, named Jeffce.  He will also review your logs and give you further instructions.  He will respond to you in this thread, so remember to check this thread daily.

Please do not make any further changes to your machine now that you have provided the logs.

IMPORTANT: If you are on a home network, disconnect the affected machine from the network.  Do not share a USB/flash drive with this affected machine.  Do not use this machine unless Jeffce or another malware removal specialist instructs you to do so for malware removal instructions; use a different machine to check email, sync your phone or other devices.

Let us know if you have any questions.  Thank you.

jeffce

  • Guest
Re: Win64:Sirefef-A [Trj] and Win32:Downloader-PKU [Trj]
« Reply #3 on: July 16, 2012, 02:36:11 PM »
Hi,

**WARNING** Unfortunately one or more of the infections I have identified are Backdoor Trojans, IRCBots or other Malware capable of stealing very important information. You need to stop using all Internet Banking sites, change passwords to all sites with sensitive information from a clean computer and phone your bank to inform them that you may be a victim of identity theft. More often than not, we advise users that a full reinstallation of their Operating System is the only way to ensure that their computer will ever be 100% clean again.

Unfortunately I have found what is known as the ZeroAccess rootkit on your system. It is an especially nasty infection that can take quite some time to clean and may also have damaged your system files. As a warning, during the cleaning (if you choose to do so) you may lose internet access with this computer and in the end we may need to reinstall the operating system anyway depending on the extent of the infection.

If you would like to format and reinstall your Operating System please let me know and we can assist you with that.

If you would like to continue with the cleaning, please continue with the following instructions and I will be more than happy to help.  :)
----------

Please download and run ERUNT (Emergency Recovery Utility NT).  This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.  **Remember** if you are using Windows Vista as your operating system, right-click the executable and Run as Administrator.
----------

If you are running Malwarebytes 1.6 or better, please disable it for the duration of this run.

To disable Malwarebytes
  • Open the scanner and select the Protection tab
  • Remove the tick from "Start Protection Module with Windows" as seen below


Once complete continue with the instructions...
----------

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

Code:
:Services

:OTL
PRC - [2012/02/21 14:05:22 | 000,632,664 | ---- | M] (IObit) -- E:\Program Files\IObit\Game Booster 3\gbtray.exe
PRC - [2011/08/23 22:20:18 | 000,887,976 | ---- | M] (Ask) -- E:\Program Files\Ask.com\Updater\Updater.exe
IE - HKLM\..\URLSearchHook: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - E:\Program Files\uTorrentBar\tbuTor.dll (Conduit Ltd.)
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKU\S-1-5-21-1607446752-3160265075-427847365-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 1A AA F9 85 F0 CE CB 01  [binary data]
IE - HKU\S-1-5-21-1607446752-3160265075-427847365-1000\..\URLSearchHook: {01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C} - SOFTWARE\Classes\CLSID\{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C}\InprocServer32 File not found
IE - HKU\S-1-5-21-1607446752-3160265075-427847365-1000\..\URLSearchHook: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - E:\Program Files\uTorrentBar\tbuTor.dll (Conduit Ltd.)
IE - HKU\S-1-5-21-1607446752-3160265075-427847365-1000\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-1607446752-3160265075-427847365-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
FF - prefs.js..keyword.URL: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&q="
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: E:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF - HKLM\Software\MozillaPlugins\npDisplayEngine: E:\Program Files\LivingPlay\nplplaypop.dll File not found
FF - HKCU\Software\MozillaPlugins\pandonetworks.com/PandoWebPlugin: E:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
[2012/05/30 16:01:37 | 000,000,000 | ---D | M] (uTorrentBar Community Toolbar) -- E:\Users\Rex\AppData\Roaming\Mozilla\Firefox\Profiles\c5uijkmc.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}
O2 - BHO: (uTorrentBar Toolbar) - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - E:\Program Files\uTorrentBar\tbuTor.dll (Conduit Ltd.)
O2 - BHO: (KMPlayer Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - E:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
O3 - HKLM\..\Toolbar: (Dealio Toolbar) - {01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C} - E:\Program Files\Dealio Toolbar\IE\5.0\dealioToolbarIE.dll File not found
O3 - HKLM\..\Toolbar: (uTorrentBar Toolbar) - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - E:\Program Files\uTorrentBar\tbuTor.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (KMPlayer Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - E:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
O3 - HKU\S-1-5-21-1607446752-3160265075-427847365-1000\..\Toolbar\WebBrowser: (uTorrentBar Toolbar) - {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - E:\Program Files\uTorrentBar\tbuTor.dll (Conduit Ltd.)
O3 - HKU\S-1-5-21-1607446752-3160265075-427847365-1000\..\Toolbar\WebBrowser: (KMPlayer Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - E:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
O4 - HKLM..\Run: [ApnUpdater] E:\Program Files\Ask.com\Updater\Updater.exe (Ask)
O4 - HKLM..\Run: [SearchSettings] "E:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe" File not found
O8 - Extra context menu item: Download all by FlashGet3 - E:\Users\Rex\AppData\Roaming\FlashGetBHO\GetAllUrl.htm ()
O15 - HKU\.DEFAULT\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: freerealms.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: soe.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: sony.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: freerealms.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: soe.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: sony.com ([]* in Trusted sites)
O15 - HKU\S-1-5-19\..Trusted Domains: clonewarsadventures.com ([]* in )
O15 - HKU\S-1-5-19\..Trusted Domains: freerealms.com ([]* in )
O15 - HKU\S-1-5-19\..Trusted Domains: soe.com ([]* in )
O15 - HKU\S-1-5-19\..Trusted Domains: sony.com ([]* in )
O15 - HKU\S-1-5-20\..Trusted Domains: clonewarsadventures.com ([]* in )
O15 - HKU\S-1-5-20\..Trusted Domains: freerealms.com ([]* in )
O15 - HKU\S-1-5-20\..Trusted Domains: soe.com ([]* in )
O15 - HKU\S-1-5-20\..Trusted Domains: sony.com ([]* in )
O15 - HKU\S-1-5-21-1607446752-3160265075-427847365-1000\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-1607446752-3160265075-427847365-1000\..Trusted Domains: freerealms.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-1607446752-3160265075-427847365-1000\..Trusted Domains: soe.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-1607446752-3160265075-427847365-1000\..Trusted Domains: sony.com ([]* in Trusted sites)
O33 - MountPoints2\D\Shell - "" = AutoRun
O33 - MountPoints2\D\Shell\AutoRun\command - "" = D:\Setup.exe
[2012/07/14 04:03:36 | 000,115,712 | ---- | M] () -- E:\Users\Rex\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

:Files
E:\Windows\Installer\{2287c49e-cf7c-51d6-aa55-9ea7fc5aa140}\
E:\Users\Rex\AppData\Local\{2287c49e-cf7c-51d6-aa55-9ea7fc5aa140}\

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
----------

Download Combofix from the link below, and save it to your desktop. 
Link

**Note:  It is important that it is saved directly to your desktop**
If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.


--------------------------------------------------------------------

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

--------------------------------------------------------------------

  • Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt for further review.
----------

In your next reply please attach the logs made by OTL and ComboFix.  :)
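The OTL fix above edits several Windows persistence points by hand: the O4 Run keys, the Internet Explorer URLSearchHooks, the Trusted sites zone map behind the O15 lines, the MountPoints2 AutoRun command behind the O33 lines, and (in the follow-up fix later in this thread) the Internet Settings proxy values. The PowerShell below is an added, read-only audit of those same registry locations so a defender can see what such a cleanup acts on. It is not part of this thread and is not code from OTL or ComboFix; it assumes Windows PowerShell 3.0 or later on the machine being examined and changes nothing.

```powershell
# Added example: read-only audit of the persistence points the OTL fix above touches
# (Run keys, IE URLSearchHooks, the ZoneMap behind the O15 lines, MountPoints2 AutoRun,
# proxy settings). Not part of the thread, OTL or ComboFix. Assumes Windows PowerShell
# 3.0 or later; run elevated so HKLM is fully readable. Nothing is modified.

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Check, $Item, $Value, $Flag) {
    $findings.Add([pscustomobject]@{ Check = $Check; Item = $Item; Value = $Value; Flag = $Flag })
}

# Resolve the executable behind a Run-key command: expand %VARS%, strip quotes and arguments.
function Get-ExecutableFromCommand {
    param([string]$Command)
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    if ($expanded -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($expanded -match '^\s*(\S+)')     { return $Matches[1] }
    return $expanded
}

# O4: Run keys. Flag orphaned targets (the "File not found" entries in the log) and unsigned binaries.
foreach ($hive in 'HKLM', 'HKCU') {
    $runKey = Get-Item -Path "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
    if (-not $runKey) { continue }
    foreach ($name in $runKey.GetValueNames()) {
        $cmd    = [string]$runKey.GetValue($name)
        $exe    = Get-ExecutableFromCommand $cmd
        $exists = ($exe -ne '') -and (Test-Path -LiteralPath $exe -PathType Leaf)
        $flag   = if (-not $exists) { 'target missing' }
                  else {
                      $status = (Get-AuthenticodeSignature -FilePath $exe).Status
                      if ($status -ne 'Valid') { "signature: $status" } else { '' }
                  }
        Add-Finding "O4 Run ($hive)" $name $cmd $flag
    }
}

# IE URLSearchHooks: each value name is a CLSID whose InprocServer32 should point at a real DLL.
# A CLSID with no registration, or a DLL that is gone, is the "File not found" condition OTL reports.
foreach ($hive in 'HKLM', 'HKCU') {
    $hooks = Get-Item -Path "${hive}:\Software\Microsoft\Internet Explorer\URLSearchHooks" -ErrorAction SilentlyContinue
    if (-not $hooks) { continue }
    foreach ($clsid in $hooks.GetValueNames()) {
        $dll = $null
        foreach ($root in 'HKCU:\Software\Classes\CLSID', 'HKLM:\Software\Classes\CLSID') {
            $srv = Get-Item -Path "$root\$clsid\InprocServer32" -ErrorAction SilentlyContinue
            if ($srv) { $dll = [string]$srv.GetValue(''); break }
        }
        $flag = if (-not $dll) { 'no CLSID registration' }
                elseif (-not (Test-Path -LiteralPath ([Environment]::ExpandEnvironmentVariables($dll)))) { 'DLL file not found' }
                else { '' }
        Add-Finding "URLSearchHook ($hive)" $clsid $dll $flag
    }
}

# O15: the ZoneMap. Zone 1 = Local intranet, 2 = Trusted sites, 4 = Restricted sites. Sites in the
# Trusted zone get relaxed browser security, so every entry deserves a conscious decision.
$zoneNames = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$domains   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
if (Test-Path $domains) {
    foreach ($key in Get-ChildItem -Path $domains -Recurse) {
        # Key path Domains\sony.com\www means host www.sony.com: reverse the segments.
        $parts = $key.Name.Substring($key.Name.IndexOf('\Domains\') + 9) -split '\\'
        [array]::Reverse($parts)
        foreach ($scheme in $key.GetValueNames()) {
            $zone  = [int]$key.GetValue($scheme)
            $label = if ($zoneNames.ContainsKey($zone)) { $zoneNames[$zone] } else { "zone $zone" }
            $flag  = if ($zone -in 1, 2) { 'elevated trust' } else { '' }
            Add-Finding 'O15 ZoneMap' ($parts -join '.') "$scheme -> $label" $flag
        }
    }
}

# O33: MountPoints2 remembers a per-device AutoRun command (the D:\Setup.exe line above).
$mp = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
if (Test-Path $mp) {
    foreach ($dev in Get-ChildItem -Path $mp) {
        $cmdKey = Get-Item -Path "$($dev.PSPath)\Shell\AutoRun\command" -ErrorAction SilentlyContinue
        if ($cmdKey) { Add-Finding 'O33 MountPoints2' $dev.PSChildName ([string]$cmdKey.GetValue('')) 'autorun command present' }
    }
}

# Proxy settings (edited in the follow-up OTL fix): a proxy, PAC URL or loopback override the user
# did not configure can route browser traffic through a local intercepting process.
$inet = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
foreach ($name in 'ProxyEnable', 'ProxyServer', 'ProxyOverride', 'AutoConfigURL') {
    $val = $inet.$name
    if ($null -ne $val) {
        $flag = if ($name -ne 'ProxyEnable' -and "$val" -ne '') { 'review' } else { '' }
        Add-Finding 'Proxy' $name $val $flag
    }
}

$findings | Sort-Object Check, Item | Format-Table -AutoSize -Wrap
"Flagged {0} of {1} entries." -f @($findings | Where-Object { $_.Flag }).Count, $findings.Count
```

Run it before and after a cleanup and diff the two outputs: an O4 entry whose target is missing, a URLSearchHook whose CLSID is unregistered, a domain sitting in the Trusted zone, or a MountPoints2 AutoRun command are exactly the conditions the OTL lines above describe, and the table makes them reviewable without a third-party tool.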

Chompey

  • Guest
Re: Win64:Sirefef-A [Trj] and Win32:Downloader-PKU [Trj]
« Reply #4 on: July 16, 2012, 08:19:41 PM »
Alright, I have done what you said and have attached the logs. So far, after running the cleaning on OTL, there hasn't been any detection of malware from avast. When I disabled it and ran ComboFix though, it apparently found services.exe to be infected, and restored it itself. Here I am now after all that and, so far there still hasn't been any active threat detection (though I still assume there's leftover malware somewhere, which I could clean up with malwarebytes, but first and foremost I'm waiting for your instructions until the matter is fully taken care of).

Many thanks on helping me out here though, you don't know how much I appreciate being assisted by a Super Saiyan lol.

EDIT: By the way, when I ran ComboFix, it kept saying Avast was enabled or active, but I disabled the self-defense modules and real-time protection, so I'm unsure as to why it kept saying it was active. I haven't found a way to fully exit Avast either, but I'm 100% sure Avast was de-activated during the ComboFix run.
« Last Edit: July 16, 2012, 08:23:59 PM by Chompey »

jeffce

  • Guest
Re: Win64:Sirefef-A [Trj] and Win32:Downloader-PKU [Trj]
« Reply #5 on: July 16, 2012, 09:14:07 PM »
Quote
I appreciate being assisted by a Super Saiyan lol
;D ;D
----------

Don't worry if ComboFix shows Avast still running.  They play well together. 

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

Code:
:Services

:OTL
PRC - [2012/02/21 14:05:22 | 000,632,664 | ---- | M] (IObit) -- E:\Program Files\IObit\Game Booster 3\gbtray.exe
IE - HKCU\..\SearchScopes\{23A2CA66-A5DF-4EB0-A51F-121FA830A225}: "URL" = http://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=992732&p={searchTerms}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1:9421;<local>
O2 - BHO: (no name) - {01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C} - No CLSID value found.

:Files

:Commands
[purity]
[emptytemp]
[resethosts]
[start explorer]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )

Chompey

  • Guest
Re: Win64:Sirefef-A [Trj] and Win32:Downloader-PKU [Trj]
« Reply #6 on: July 17, 2012, 10:25:17 AM »
Sorry for the delay, had business to deal with. Here's the new OTL log you requested.

I just want to say though, my computer has been running great now. My computer would've been wiped most likely if it weren't for you, and I'm very thankful for the time you spent on helping me out. This will most likely be my last reply (unless you state there's more work to be done based on that log I attached, but I assume it should be a clean report), so thanks a lot for your help, and for being awesome ;D.

jeffce

  • Guest
Re: Win64:Sirefef-A [Trj] and Win32:Downloader-PKU [Trj]
« Reply #7 on: July 17, 2012, 01:53:45 PM »
Hi,

Looking much better.  Stick with me as we are almost done.  We need to check and make sure there is nothing still lurking in there.

Malwarebytes

I see that you have Malwarebytes already on your computer.  Please open Malwarebytes, update it and then run a Quick Scan.  Save the log that is created for your next reply.
----------

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is NOT selected and the option Scan unwanted applications is selected.
  • Click Scan (This scan can take several hours, so please be patient)
  • If there are threats that are found, please press List of found threats and then in the next window that opens press Export to text file...
  • Copy and paste/or attach that log as a reply to this topic
**Note** If no threats are found there will not be a log created.
----------