Author Topic: Win32/Sirefef!cfg and Win32/Sirefef.AN


ncoo21

  • Guest
Win32/Sirefef!cfg and Win32/Sirefef.AN
« on: June 17, 2013, 06:58:55 PM »
Hi all  :D  I'm new to the forums and would appreciate some help if possible.

I haven't had any problems with malware or Trojans for a number of years, but last night I seem to have picked up a Trojan.  The names above are those that are showing.

I was initially using Windows Defender which kept flagging up (approx. every 5 mins) that a threat had been detected and required to be cleared.  I duly clicked "OK" but whilst this was going on I noticed that my internet history was slowly increasing - I assume it was accessing Ad sites as part of its attack.

I immediately downloaded Avast (should have earlier in fact) and carried out a full system scan.  This took a few hours and whilst the scan was ongoing the same pattern of blocking every 5 or so mins was repeating.

Finally, once the scan was complete, Avast flagged and moved a number of infected files to the virus chest.  I then carried out a boot scan and it uncovered a few more infected files which I also moved to the virus chest.  At this stage, when my computer restarted, the pop-up notices seemed to cease and my internet history stopped changing.  I assume this has cleared the problem but I've not encountered this before so wanted to ask a couple of questions to check:

(1) Can anyone explain exactly what bad thing has infected my computer?

(2) What should I do with the various files that are in the virus chest (i.e. should I simply delete them? I'm nervous about deleting them and affecting the running of my computer)?

(3) How can I check that the Trojan has definitely been removed and killed?

Any help would be greatly appreciated.

Kindest regards

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win32/Sirefef!cfg and Win32/Sirefef.AN
« Reply #1 on: June 17, 2013, 07:26:32 PM »
Hi there, first we will check for any remnants that Avast did not catch.  Then we will see exactly what variant you had.

Download OTL to your Desktop
Secondary link
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.


  • Select All Users
  • Under the Custom Scan box paste this in
netsvcs
BASESERVICES
%SYSTEMDRIVE%\*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
dir "%systemdrive%\*" /S /A:L /C
CREATERESTOREPOINT


  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Attach both logs
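The OTL custom scan above hashes a handful of core Windows binaries and lists reparse points on the system drive so the helper can spot replaced files and junctions. The following PowerShell script is an added example, not from this thread or from OTL, that performs the same two checks with built-in cmdlets so the poster can answer question (3) themselves. It assumes Windows PowerShell 4.0 or later (for Get-FileHash) and an elevated prompt; which locations count as "unfamiliar" is left to the reader, since legitimate reparse points exist on every Windows install.

```powershell
# Added example (not from the thread or from OTL): check the same system binaries
# the OTL script hashes and list reparse points under the system drive, which is
# what the "dir /A:L" line in the scan enumerates.
# Assumes Windows PowerShell 4.0+ (Get-FileHash) and an Administrator prompt.

$system32 = Join-Path $env:SystemRoot 'System32'
$targets  = @('services.exe', 'explorer.exe', 'winlogon.exe', 'userinit.exe', 'svchost.exe')

foreach ($name in $targets) {
    # explorer.exe lives in %SystemRoot%; the others live in System32.
    $path = if ($name -eq 'explorer.exe') { Join-Path $env:SystemRoot $name } else { Join-Path $system32 $name }
    if (-not (Test-Path -Path $path)) { Write-Warning "$path is missing"; continue }

    $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -FilePath $path

    # A genuine Windows binary carries a Valid Microsoft signature. A patched or
    # replaced copy shows NotSigned or HashMismatch, which is the thing to chase.
    [pscustomobject]@{
        File      = $path
        SHA256    = $hash
        SigStatus = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
    }
}

# Reparse points (junctions and symbolic links) anywhere on the system drive.
# Legitimate ones exist (for example under Users and WinSxS), so review
# unfamiliar locations rather than treating every hit as malicious.
Get-ChildItem -Path "$env:SystemDrive\" -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::ReparsePoint } |
    Select-Object FullName, Attributes, LastWriteTime
```

Run it once now and keep the output; after any later repair, run it again and compare the SHA256 and SigStatus columns, which is the same before/after comparison the helper is doing from the OTL logs.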

ncoo21

  • Guest
Re: Win32/Sirefef!cfg and Win32/Sirefef.AN
« Reply #2 on: June 17, 2013, 10:57:41 PM »
Thanks, I've done that.

Logs attached.

Offline Pondus

  • Probably Bot
  • Posts: 37532
  • Not a avast user
Re: Win32/Sirefef!cfg and Win32/Sirefef.AN
« Reply #3 on: June 17, 2013, 11:10:42 PM »
Quote
(1) Can anyone explain exactly what bad thing has infected my computer?
Win32/Sirefef
http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32%2FSirefef


Quote
(2) What should I do with the various files that are in the virus chest (i.e. should I simply delete them? I'm nervous about deleting them and affecting the running of my computer)?
that is what the chest (quarantine) is for, so you have the option to restore
so there is no rush to delete from chest


avast! 8.x: Using the Virus Chest
http://www.avast.com/faq.php?article=AVKB21

Clean, quarantine or delete
http://antivirus.about.com/b/2007/03/11/clean-quarantine-or-delete.htm




Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win32/Sirefef!cfg and Win32/Sirefef.AN
« Reply #4 on: June 17, 2013, 11:43:10 PM »
Looks like Avast got nearly all of this ..  It is an older variant of Zero Access/Sirefef

Cheers Pondus :)

Just a few repairs to do

Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1
Link 2
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks




  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.


Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

ncoo21

  • Guest
Re: Win32/Sirefef!cfg and Win32/Sirefef.AN
« Reply #5 on: June 18, 2013, 12:10:45 AM »
Thanks - I'll do this.

Computer seems to be running reasonably well at the moment.  Presumably there's not too much damage or anything?

Will post the Combofix log once I've downloaded and run the fix.

thanks

ncoo21

  • Guest
Re: Win32/Sirefef!cfg and Win32/Sirefef.AN
« Reply #6 on: June 18, 2013, 01:47:46 AM »
I've done this and restarted my computer a couple of times.

Log attached.

It's running slightly slower than it was before I installed combofix.

I'm also having quite a few problems using internet explorer - it doesn't seem to be loading pages now (even although I'm connected to the internet) and I have to keep either refreshing the page or clicking the compatibility view button.

Any idea why this might be?

thanks

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win32/Sirefef!cfg and Win32/Sirefef.AN
« Reply #7 on: June 18, 2013, 03:34:30 PM »
OK we will now finalise the repairs

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following


Code:
:Files
netsh winsock reset catalog /c
netsh int ip reset reset.log hit /c
ipconfig /release /c
ipconfig /renew /c
ipconfig /flushdns /c

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
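The OTL fix above resets the Winsock catalog and the hosts file, two places this family is known to tamper with to redirect or block traffic. The PowerShell script below is an added example, not from this thread or from OTL, that shows what those two things currently contain, so the poster can record them before the fix and confirm afterwards that the reset took effect. It assumes Windows PowerShell 3.0 or later and an elevated prompt; the text layout of `netsh winsock show catalog` (a "Provider Path:" line per entry) is an assumption about that command's output rather than something the thread states.

```powershell
# Added example (not from the thread or from OTL): inspect the hosts file and the
# Winsock catalog that the OTL fix resets, to compare before and after the fix.
# Assumes Windows PowerShell 3.0+ and an Administrator prompt.

$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# Every active (non-comment) hosts entry. The hosts file Windows ships with
# contains only commented lines, so anything listed here was added later by a
# user, an application, or malware; [resethosts] in the OTL fix removes it all.
function Get-ActiveHostsEntries {
    Get-Content -Path $hostsPath |
        Where-Object { $_.Trim() -and -not $_.Trim().StartsWith('#') } |
        ForEach-Object {
            $fields = -split $_.Trim()
            $names  = if ($fields.Count -gt 1) { $fields[1..($fields.Count - 1)] -join ' ' } else { '' }
            [pscustomobject]@{ Address = $fields[0]; Hostnames = $names }
        }
}

# Winsock providers. Each "Provider Path" line names the DLL a catalog entry
# loads; on an unmodified system these are Microsoft DLLs under System32.
# Parsing the text output is an assumption about netsh's format.
function Get-WinsockProviderPaths {
    netsh winsock show catalog |
        Where-Object { $_ -match 'Provider Path' } |
        ForEach-Object { ($_ -split ':', 2)[1].Trim() } |
        Sort-Object -Unique
}

Write-Output '=== Active hosts entries ==='
Get-ActiveHostsEntries | Format-Table -AutoSize

Write-Output '=== Winsock provider DLLs ==='
Get-WinsockProviderPaths
```

Run it before the OTL fix and again after the reboot: the hosts list should be empty afterwards, and the Winsock DLL list should contain only Microsoft paths under System32. A non-Microsoft DLL that survives the reset is worth mentioning in the next reply.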

ncoo21

  • Guest
Re: Win32/Sirefef!cfg and Win32/Sirefef.AN
« Reply #8 on: June 22, 2013, 05:34:04 PM »
Thanks for this.

I've done this, rebooted my computer and attached the log.

Still having problems using internet explorer - pages are loading blank until I click "refresh" or "compatibility view" a number of times.  Any idea why this might be?

thanks

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win32/Sirefef!cfg and Win32/Sirefef.AN
« Reply #9 on: June 22, 2013, 08:51:25 PM »
Does this occur on all sites or just some ?

Could you update to IE10 http://windows.microsoft.com/en-gb/internet-explorer/ie-10-worldwide-languages