Author Topic: Removing Win32:Sirefef-PL [RTK]  (Read 7803 times)


Leviro2005

  • Guest
Removing Win32:Sirefef-PL [RTK]
« on: March 12, 2013, 10:33:25 PM »
Hi, I did a Boot Scan with Avast! because I was having some trouble with Avast Pro, trying to get Windows Defender to work, etc., and I found a file infected with the trojan from the title. The file is \Windows\assembly\GAC_64\desktop.ini. I canceled the boot scan because it wouldn't let me do anything other than ignore, and I figured it was more effective to deal with the problem than to wait and have to deal with it anyway.

I found a few threads on this virus in these forums and I've followed this thread: http://forum.avast.com/index.php?topic=53253.0 and I will attach my results as soon as they are all done (I'm doing this on my laptop while my poor desktop suffers!). As far as I can tell though, it hasn't eliminated the problem as aswMBR still found the file.

EDIT: attached the files now!

And maybe I should add that I'm using Windows 8.
« Last Edit: March 12, 2013, 10:37:00 PM by Leviro2005 »

Offline Pondus

  • Probably Bot
  • Posts: 37507
  • Not a avast user
Re: Removing Win32:Sirefef-PL [RTK]
« Reply #1 on: March 13, 2013, 12:01:34 AM »
Also attach the AdwCleaner log.

Yes, you have a ZeroAccess rootkit and this needs experts to remove.

Malware removers are notified. It may take hours before they arrive, so be patient.

Leviro2005

  • Guest
Re: Removing Win32:Sirefef-PL [RTK]
« Reply #2 on: March 13, 2013, 12:17:01 AM »
Thanks! I'll add the other log when I get back to the desktop.

Edit: Hadn't run Adwcleaner yet. Have now and attached the log.
« Last Edit: March 13, 2013, 12:54:16 AM by Leviro2005 »

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Removing Win32:Sirefef-PL [RTK]
« Reply #3 on: March 13, 2013, 02:18:28 AM »
@ Leviro2005
Hello and Welcome to avast!

> Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.

> Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this or this Instruction.

How to disable avast:

  • Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
  • In the window that opens on the top right corner, click Settings.
  • In a new window that opens, choose the option Troubleshooting, uncheck Enable avast! self-defense, and click OK.

  • Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls.
  • In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.
Note: Do not forget to turn on this option after the cleaning.



> Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.

ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.

If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note: Do not mouse-click ComboFix's window while it is running.
If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion" just restart computer once more.


> When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt )
  Attach the log report (ComboFix.txt) back to the topic.



Leviro2005

  • Guest
Re: Removing Win32:Sirefef-PL [RTK]
« Reply #4 on: March 13, 2013, 12:36:09 PM »
I cannot run ComboFix as it is incompatible with Windows 8, and running it in compatibility mode returns this message: "DDS is not meant to run in 'Compatibility Mode'. The program shall now exit."

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Removing Win32:Sirefef-PL [RTK]
« Reply #5 on: March 13, 2013, 12:55:06 PM »
Sorry, my bad ... I was not paying attention to the edition.  :-[


Re-run OTL.exe.

  • Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.

Code:

:files
C:\Windows\Installer\{19e0cb91-b8e5-86c3-27cd-9569e897b19e}\@
C:\Windows\Installer\{19e0cb91-b8e5-86c3-27cd-9569e897b19e}\L
C:\Windows\Installer\{19e0cb91-b8e5-86c3-27cd-9569e897b19e}\U
C:\Windows\Installer\{19e0cb91-b8e5-86c3-27cd-9569e897b19e}\L\00000004.@
C:\Windows\Installer\{19e0cb91-b8e5-86c3-27cd-9569e897b19e}\U\00000008.@
C:\Windows\Installer\{19e0cb91-b8e5-86c3-27cd-9569e897b19e}\U\80000000.@
C:\Windows\assembly\GAC_64\Desktop.ini
C:\Windows\assembly\GAC_32\Desktop.ini
ipconfig /flushdns /c
ipconfig /release /c
ipconfig /renew /c

:commands
[CREATERESTOREPOINT]
[emptytemp]


  • Then click the Run Fix button at the top.
  • Let the program run unhindered; it will reboot the system when it is done and open Notepad with a log report. Attach that log report here.
-------------------------------


Please download Malwarebytes AntiRootkit and save it to your desktop.
http://www.malwarebytes.org/products/mbar/

Full instructions how to use MBAR
http://www.bleepingcomputer.com/virus-removal/how-to-use-malwarebytes-anti-rootkit

    Please note: This is a beta version, so please be sure to read the disclaimer and take note of it.

  • Unzip/unrar MBAR in a folder to your Desktop
  • Open the folder where the contents were unzipped to run mbar.exe

  • Click on Next > then on Update button to download fresh definitions.
  • When database updates click Next
  • In the following window ensure the "Targets" scan for Drivers, Sectors and System are ticked. Then select the "Scan" button.

  • If any infections are found, ensure "Create Restore Point" is checked, then select the "Cleanup" button to remove threats.
    Or if you are sure any entries should not be kept, just untick them. A list of infected files will be listed.

  • The clean-up procedure will be scheduled.
  • When complete, a pop-up will show you. Select the Yes button and the system should reboot to complete the cleaning process.
>> Please attach the two following logs from the mbar folder:

system-log.txt
and
mbar-log-year-month-day (hour-minute-second).txt.

------------------------------------


Re-run OTL.exe.

  • Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.

    Code:

    BASESERVICES
    /md5start
    services.exe
    /md5stop

    • Then click the Run Scan button at the top.
    • Attach here fresh OTL.txt.
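
As an added defender-side example (not from the thread, and not OTL's or Malwarebytes' code), the check below looks for the file layout the fix script above deletes: a GUID-named folder under Installer holding "@", "L" and "U" entries, and a Desktop.ini sitting directly in GAC_32 or GAC_64. It runs against a constructed tree of empty files; the marker set, the benign decoy names and the relative-path output are my assumptions.

```python
import re
import tempfile
from pathlib import Path

# GUID-named folder in %WINDIR%\Installer, as in the OTL fix above.
GUID_DIR = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
ZA_MARKERS = {"@", "L", "U"}  # entries the fix deletes inside that folder (assumed marker set)
GAC_DIRS = ("assembly/GAC_32", "assembly/GAC_64")

def find_sirefef_artifacts(windir):
    """Return sorted POSIX-style paths, relative to windir, that match the layout above."""
    windir = Path(windir)
    hits = []
    installer = windir / "Installer"
    if installer.is_dir():
        for entry in installer.iterdir():
            if entry.is_dir() and GUID_DIR.match(entry.name):
                names = {child.name for child in entry.iterdir()}
                if ZA_MARKERS <= names:  # all three markers present
                    hits.append(entry)
                    for sub in ("L", "U"):  # payload files live below L and U
                        if (entry / sub).is_dir():
                            hits.extend((entry / sub).iterdir())
    for gac in GAC_DIRS:  # Desktop.ini directly inside a GAC folder
        gac_dir = windir / gac
        if gac_dir.is_dir():
            hits.extend(p for p in gac_dir.iterdir() if p.name.lower() == "desktop.ini")
    return sorted(h.relative_to(windir).as_posix() for h in hits)

def build_sample_tree(root):
    """Constructed sample layout mirroring the fix script (empty files, not real malware)."""
    root = Path(root)
    guid = "{19e0cb91-b8e5-86c3-27cd-9569e897b19e}"
    files = [f"Installer/{guid}/@", f"Installer/{guid}/L/00000004.@",
             f"Installer/{guid}/U/00000008.@", f"Installer/{guid}/U/80000000.@",
             "assembly/GAC_64/Desktop.ini", "assembly/GAC_32/Desktop.ini",
             # benign neighbours (constructed names) that must not be reported
             "Installer/{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}/setup.msi",
             "assembly/GAC_64/SomeAssembly/1.0.0.0__0123456789abcdef/SomeAssembly.dll"]
    for rel in files:
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(b"")
    return root

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        return find_sirefef_artifacts(build_sample_tree(tmp))

if __name__ == "__main__":
    print("\n".join(demo()))
```

On a live system you would call find_sirefef_artifacts on the real Windows directory instead of the sample tree; a hit is a reason to collect logs as the thread does, not proof on its own.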

Leviro2005

  • Guest
Re: Removing Win32:Sirefef-PL [RTK]
« Reply #6 on: March 13, 2013, 01:55:51 PM »
OK, here are the logs requested.

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Removing Win32:Sirefef-PL [RTK]
« Reply #7 on: March 13, 2013, 02:46:03 PM »
Hi,

I want you to re-run Malwarebytes AntiRootkit one more time.

Attach here fresh system-log.txt

---------------------

Download DDS and save it to your Desktop from here:
http://download.bleepingcomputer.com/sUBs/dds.scr

Double click dds to run the tool.

    * When done, DDS will open two (2) logs:
        1. DDS.txt
        2. Attach.txt

Save both reports to your desktop. Attach DDS.txt and Attach.txt back to the topic.
-----------------------------

> How's your computer running now?

Leviro2005

  • Guest
Re: Removing Win32:Sirefef-PL [RTK]
« Reply #8 on: March 13, 2013, 03:11:12 PM »
My computer is running fine. Nothing odd happening at all so far.

I've attached the logs.

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Removing Win32:Sirefef-PL [RTK]
« Reply #9 on: March 13, 2013, 05:31:18 PM »
OK, the logs look good. Let's remove the tools we used.  ;)

> Re-run OTL and click on CleanUp! button.

You will be asked to reboot the machine to finish the cleanup process, choose Yes.
After the reboot all the tools we used should be gone.
Note: Some more recently created tools may not yet be removed by OTL. Feel free to manually delete any tools it leaves behind.


---------------------------------

- Remove (just delete) the Malwarebytes AntiRootkit software.

---------------------------------


I recommend keeping Malwarebytes AntiMalware and using MCShield if you will.
You may download MCShield from one of the following links:

MyCity -  Official download link
Softpedija - Mirror download link

It will prevent infection of the computer via USB flash drive, mobile phone or any other memory card.
And not only will it prevent infection, it will also immediately clean the flash drive, memory card or external HDD.

Leviro2005

  • Guest
Re: Removing Win32:Sirefef-PL [RTK]
« Reply #10 on: March 13, 2013, 05:59:55 PM »
You guys are great! Thanks for your help, you saved me days of trouble!