Need help removing win32:sirefef-pl

[DJ32]

I've run avast and malwarebytes multiple times in both safe mode and regular mode. This one virus keeps appearing. Can someone give me any tips for getting rid of it once and for all? Thanks!

[schmidthouse]

Hi DJ32 and welcome to the forum.


Let's ask Essexboy, our Malware Expert to have a look inside.

See the guide here  http://forum.avast.com/index.php?topic=53253.0   
follow the instructions and attach (not copy and paste) the OTL.txt  log

Because of the time difference there may not be a response until tomorrow

[essexboy]

Monitoring

[DJ32]

I ran all of the programs as listed in the link and attached the OTL.txt log - please let me know if you want me to attach any other logs.

Thanks!

[essexboy]

OK Lets get at it

• Download RogueKiller  and save it on your desktop. 
  
• Quit all programs
• Start RogueKiller.exe.
  
• Wait until Prescan has finished ... 
•     Click on Scan

   
 

• Wait for the end of the scan. 
• The report has been created on the desktop. 
• Click on the Delete button.

     

• The report has been created on the desktop.

• Next click on the ShortcutsFix   
  
  
• The report has been created on the desktop.

Please post:    All RKreport.txt text files located on your desktop.

THEN

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  
  

Code: [Select]

:OTL
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (no name) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No CLSID value found.
O2 - BHO: (Somoto Toolbar) - {652853ad-5592-4231-88c6-706613a52e61} - C:\Program Files\somototoolbar\vmntemplateX.dll ()
O3 - HKLM\..\Toolbar: (Somoto Toolbar) - {652853ad-5592-4231-88c6-706613a52e61} - C:\Program Files\somototoolbar\vmntemplateX.dll ()
O3 - HKLM\..\Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
[2011/07/09 13:25:06 | 000,003,380 | -HS- | C] () -- C:\ProgramData\trv43eeosx5j6t673wd1er7w408o4jh7w70f865753uce42
[2011/04/13 23:40:24 | 000,000,128 | -H-- | C] () -- C:\ProgramData\~41869064r
[2011/04/13 23:40:23 | 000,000,096 | -H-- | C] () -- C:\ProgramData\~41869064
[2011/04/13 23:40:14 | 000,000,328 | -H-- | C] () -- C:\ProgramData\41869064
[2011/03/12 18:24:04 | 000,011,004 | -HS- | C] () -- C:\ProgramData\R_+N.`,Z]JO
[2005/08/16 01:54:58 | 000,001,536 | ---- | M] () MD5=ABC6379205DE2618851C4FCBF72112EB -- C:\Users\Bob\AppData\Local\Temp\RarSFX0\h\explorer.exe
[2005/08/16 01:54:58 | 000,001,536 | ---- | M] () MD5=ABC6379205DE2618851C4FCBF72112EB -- C:\Users\Bob\AppData\Local\Temp\RarSFX2\h\explorer.exe
[2011/01/16 15:55:21 | 000,255,488 | ---- | M] () MD5=3C33B26F2F7FA61D882515F2D6078691 -- C:\Users\Bob\AppData\Local\Temp\RarSFX0\procs\explorer.exe
[2011/01/16 15:55:21 | 000,255,488 | ---- | M] () MD5=3C33B26F2F7FA61D882515F2D6078691 -- C:\Users\Bob\AppData\Local\Temp\RarSFX2\procs\explorer.exe
[2009/05/26 18:47:22 | 000,031,232 | ---- | M] (NirSoft) MD5=AC6094297CD882B8626466CDEB64F19F -- C:\Users\Bob\AppData\Local\Temp\RarSFX0\userinit.exe
[2009/05/26 18:47:22 | 000,031,232 | ---- | M] (NirSoft) MD5=AC6094297CD882B8626466CDEB64F19F -- C:\Users\Bob\AppData\Local\Temp\RarSFX2\userinit.exe
[2009/05/26 18:47:22 | 000,031,232 | ---- | M] (NirSoft) MD5=AC6094297CD882B8626466CDEB64F19F -- C:\Users\Bob\AppData\Local\Temp\RarSFX0\winlogon.exe
[2009/05/26 18:47:22 | 000,031,232 | ---- | M] (NirSoft) MD5=AC6094297CD882B8626466CDEB64F19F -- C:\Users\Bob\AppData\Local\Temp\RarSFX2\winlogon.exe

:Reg
[HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32]
""="%systemroot%\system32\wbem\wbemess.dll"
[-HKCU\Software\Classes\clsid\{12d0253a-7c96-815c-11e0-3034bbd97cc0}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS]
"DisplayName"="@%SystemRoot%\\system32\\qmgr.dll,-1000"
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"Description"="@%SystemRoot%\\system32\\qmgr.dll,-1001"
"ObjectName"="LocalSystem"
"ErrorControl"=dword:00000001
"Start"=dword:00000002
"DelayedAutoStart"=dword:00000001
"Type"=dword:00000020
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,45,00,76,00,65,00,\
  6e,00,74,00,53,00,79,00,73,00,74,00,65,00,6d,00,00,00,00,00
"ServiceSidType"=dword:00000001
"RequiredPrivileges"=hex(7):53,00,65,00,43,00,72,00,65,00,61,00,74,00,65,00,47,\
  00,6c,00,6f,00,62,00,61,00,6c,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,\
  67,00,65,00,00,00,53,00,65,00,49,00,6d,00,70,00,65,00,72,00,73,00,6f,00,6e,\
  00,61,00,74,00,65,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,\
  00,00,53,00,65,00,54,00,63,00,62,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,\
  00,67,00,65,00,00,00,53,00,65,00,41,00,73,00,73,00,69,00,67,00,6e,00,50,00,\
  72,00,69,00,6d,00,61,00,72,00,79,00,54,00,6f,00,6b,00,65,00,6e,00,50,00,72,\
  00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,49,00,6e,00,\
  63,00,72,00,65,00,61,00,73,00,65,00,51,00,75,00,6f,00,74,00,61,00,50,00,72,\
  00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,00,00
"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
  00,01,00,00,00,60,ea,00,00,01,00,00,00,c0,d4,01,00,00,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  71,00,6d,00,67,00,72,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS\Performance]
"Library"="bitsperf.dll"
"Open"="PerfMon_Open"
"Collect"="PerfMon_Collect"
"Close"="PerfMon_Close"
"InstallType"=dword:00000001
"PerfIniFile"="bitsctrs.ini"
"First Counter"=dword:00000774
"Last Counter"=dword:00000784
"First Help"=dword:00000775
"Last Help"=dword:00000785
"Object List"="1908"
"PerfMMFileName"="Global\\MMF_BITS_s"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS\Security]
"Security"=hex:01,00,14,90,90,00,00,00,a0,00,00,00,14,00,00,00,34,00,00,00,02,\
  00,20,00,01,00,00,00,02,c0,18,00,00,00,0c,00,01,02,00,00,00,00,00,05,20,00,\
  00,00,20,02,00,00,02,00,5c,00,04,00,00,00,00,02,14,00,ff,01,0f,00,01,01,00,\
  00,00,00,00,05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,\
  20,00,00,00,20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,04,\
  00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,06,00,00,00,01,02,\
  00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,05,20,00,00,\
  00,20,02,00,00

:Files
C:\Windows\Installer\{a5f200a9-60c0-69f1-46e8-e9d3c030e011}
C:\Users\Bob\AppData\Local\{a5f200a9-60c0-69f1-46e8-e9d3c030e011}
ipconfig /flushdns /c
netsh int ip reset c:\resetlog.txt  /c
ipconfig /release /c
ipconfig /renew /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

FINALLY

run farbar service scanner



Tick "All" options.
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.

[DJ32]

OK - I've run rogue killer and attached the logs. I'm going to run the OTL now.

[essexboy]

There is one RogueKiller log missing, the one after delete was selected do you have that ?

[DJ32]

First OTL run log results

[essexboy]

Could you run this part of RogueKiller again please and post the logs


• Start RogueKiller.exe.
  
• Wait until Prescan has finished ... 
•     Click on Scan

   
 

• Wait for the end of the scan. 
• The report has been created on the desktop. 
• Click on the Delete button.

     

• The report has been created on the desktop.

[DJ32]

I've attached both reports. Rogue killer has directed me to a website - how to get rid of Zero access - should I follow instructions for this?

I'll be gone most of the afternoon - so I'll check back later - thanks for your help so far!

[essexboy]

OK this time I could see that RogueKiller was going to replace the services file on reboot

Download the latest version of TDSSKiller from here and save it to your Desktop.
 
 

• Doubleclick on TDSSKiller.exe to run the application
  
  
  
• Then click on Change parameters.
   
  
   
  
• Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
   
  
• Click the Start Scan button.
   
   
  
• If a suspicious object is detected, the default action will be Skip, click on Continue.
   
  
   
  
• If malicious objects are found, they will show in the Scan results and offer three (3) options.
• Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
  
  
• Get the report by selecting Reports

 

• Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  

Please copy and paste its contents on your next reply.

[DJ32]

Ok - here are results from Kasperky:


18:45:05.0969 4032  TDSS rootkit removing tool 2.8.8.0 Aug 24 2012 13:27:48
18:45:07.0957 4032  ============================================================
18:45:07.0957 4032  Current date / time: 2012/09/09 18:45:07.0957
18:45:07.0957 4032  SystemInfo:
18:45:07.0958 4032 
18:45:07.0958 4032  OS Version: 6.0.6002 ServicePack: 2.0
18:45:07.0958 4032  Product type: Workstation
18:45:07.0958 4032  ComputerName: KIRKWOOD
18:45:07.0960 4032  UserName: Bob
18:45:07.0960 4032  Windows directory: C:\Windows
18:45:07.0960 4032  System windows directory: C:\Windows
18:45:07.0960 4032  Processor architecture: Intel x86
18:45:07.0960 4032  Number of processors: 4
18:45:07.0960 4032  Page size: 0x1000
18:45:07.0960 4032  Boot type: Normal boot
18:45:07.0960 4032  ============================================================
18:45:08.0155 4032  BG loaded
18:45:08.0539 4032  Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000 (298.09 Gb), SectorSize: 0x200, Cylinders: 0x9801, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
18:45:08.0545 4032  Drive \Device\Harddisk1\DR1 - Size: 0x7D00000 (0.12 Gb), SectorSize: 0x200, Cylinders: 0xF, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
18:45:08.0576 4032  ============================================================
18:45:08.0576 4032  \Device\Harddisk0\DR0:
18:45:08.0579 4032  MBR partitions:
18:45:08.0579 4032  \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x24116724
18:45:08.0579 4032  \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x24116763, BlocksNum 0x1316F5E
18:45:08.0579 4032  \Device\Harddisk1\DR1:
18:45:08.0580 4032  MBR partitions:
18:45:08.0580 4032  \Device\Harddisk1\DR1\Partition1: MBR, Type 0x6, StartLBA 0x100, BlocksNum 0x3E700
18:45:08.0580 4032  ============================================================
18:45:08.0644 4032  C: <-> \Device\Harddisk0\DR0\Partition1
18:45:08.0744 4032  D: <-> \Device\Harddisk0\DR0\Partition2
18:45:08.0744 4032  ============================================================
18:45:08.0745 4032  Initialize success
18:45:08.0745 4032  ============================================================

[essexboy]

Could you attach the log at C:\TDSSKiller date time please

[DJ32]

tdsskiller log

[essexboy]

It does not appear to have run properly could you re-run it please