Topic: Infected with Win32:Sirefef-HO [Rtk]

essexboy
Re: Infected with Win32:Sirefef-HO [Rtk]
« Reply #30 on: March 08, 2012, 09:14:17 PM »
OK I will use combofix to remove the Host file as it is a tad stronger

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
Quote
File::
C:\Windows\SysNative\drivers\etc\hosts
C:\Windows\SysNative\epfwtdi.dll

NetSvc::
bhmonitorservice

Driver::
bhmonitorservice


Save this as CFScript.txt, in the same location as ComboFix.exe


Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt, which I will require in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If, after the reboot, you get errors about programmes being marked for deletion, then reboot; that will cure it.


kinji
Re: Infected with Win32:Sirefef-HO [Rtk]
« Reply #31 on: March 09, 2012, 01:30:02 AM »
combofix - thanks for all your help essex
« Last Edit: March 16, 2012, 05:06:47 AM by kinji »

essexboy
Re: Infected with Win32:Sirefef-HO [Rtk]
« Reply #32 on: March 09, 2012, 07:54:32 PM »
That looks better. Could you run an OTL scan for me now, please...

The only item I will need in the custom scans box is

Netsvcs

Then press quick scan

Are the redirects still apparent?

kinji
Re: Infected with Win32:Sirefef-HO [Rtk]
« Reply #33 on: March 09, 2012, 10:13:32 PM »
Yes, the redirects are happening. I will do your last step and let you know, thanks!

essexboy
Re: Infected with Win32:Sirefef-HO [Rtk]
« Reply #34 on: March 09, 2012, 10:48:38 PM »
Could you try IE to see if that is redirecting as well?

kinji
Re: Infected with Win32:Sirefef-HO [Rtk]
« Reply #35 on: March 10, 2012, 06:30:29 PM »
Here is the OTL. I will browse around in IE and see if it happens.
Still happening in FF.
« Last Edit: March 16, 2012, 05:07:00 AM by kinji »

kinji
Re: Infected with Win32:Sirefef-HO [Rtk]
« Reply #36 on: March 10, 2012, 07:46:06 PM »
Yes, it redirects in IE also. I've noticed it when I click on links toward the right upper corner of the browser (not every time).
Avast ran a boot-time scan and has also noticed a ton of new things and moved them into the chest.
Do you connect to users' computers using the remote desktop tool in Avast?
I would really love to get this out of my computer for good, but it seems I can never keep you online long enough.

essexboy
Re: Infected with Win32:Sirefef-HO [Rtk]
« Reply #37 on: March 10, 2012, 07:56:19 PM »
The hosts file is proving particularly stubborn.

1. Please download The Avenger by Swandog46 to your Desktop.

  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):
Begin copying here:
Files to delete:
C:\Windows\SysNative\drivers\etc\hosts

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

  • Accept the disclaimer
  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply.

kinji
Re: Infected with Win32:Sirefef-HO [Rtk]
« Reply #38 on: March 11, 2012, 05:20:41 AM »
The Avenger never creates a logfile. It does restart my computer, but then nothing happens after that.

essexboy
Re: Infected with Win32:Sirefef-HO [Rtk]
« Reply #39 on: March 11, 2012, 12:08:13 PM »
And still the redirects?

Could you go to the C:\Windows\system32\drivers\etc folder and locate the hosts file.
Right-click and select Edit.
Then try to remove the following lines:

O1 - Hosts: 109.163.226.208 www.google-analytics.com.
O1 - Hosts: 109.163.226.208 ad-emea.doubleclick.net.
O1 - Hosts: 109.163.226.208 www.statcounter.com.
O1 - Hosts: 67.215.245.19 www.google-analytics.com.
O1 - Hosts: 67.215.245.19 ad-emea.doubleclick.net.
O1 - Hosts: 67.215.245.19 www.statcounter.com.



kinji
Re: Infected with Win32:Sirefef-HO [Rtk]
« Reply #40 on: March 11, 2012, 04:59:16 PM »

essexboy
Re: Infected with Win32:Sirefef-HO [Rtk]
« Reply #41 on: March 11, 2012, 05:23:26 PM »
Could you open the hosts.ics file and post the data here, please?

kinji
Re: Infected with Win32:Sirefef-HO [Rtk]
« Reply #42 on: March 11, 2012, 08:03:41 PM »
# Copyright (c) 1993-2001 Microsoft Corp.
#
# This file has been automatically generated for use by Microsoft Internet
# Connection Sharing. It contains the mappings of IP addresses to host names
# for the home network. Please do not make changes to the HOSTS.ICS file.
# Any changes may result in a loss of connectivity between machines on the
# local network.
#


essexboy
Re: Infected with Win32:Sirefef-HO [Rtk]
« Reply #43 on: March 11, 2012, 09:13:35 PM »
I will kill this.

We Need to Run a Batch Script

  • Press the Windows Logo in the bottom left corner of your screen.
  • In the box, enter notepad and press Enter.
  • Highlight the contents of the following codebox, and copy and paste that text into notepad.
@echo off
attrib -r -h -s "C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS"
attrib -r -h -s "C:\Windows\SysNative\drivers\etc\hosts"
attrib -r -h -s "C:\Windows\SysWOW64\drivers\etc\hosts"
ren "C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS" hosts.bak
ren "C:\Windows\SysNative\drivers\etc\hosts" hosts.bak
ren "C:\Windows\SysWOW64\drivers\etc\hosts" hosts.bak
del /q /f "C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS"
del /q /f "C:\Windows\SysNative\drivers\etc\hosts"
del /q /f "C:\Windows\SysWOW64\drivers\etc\hosts"
echo 127.0.0.1 localhost > "C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS"
echo 127.0.0.1 localhost > "C:\Windows\SysNative\drivers\etc\hosts"
echo 127.0.0.1 localhost > "C:\Windows\SysWOW64\drivers\etc\hosts"
ipconfig /flushdns
del %0
  • Select File -> Save.
  • Press the Desktop button on the left side of the save dialog.
  • In the box, type in Fix.bat.
  • Press .
  • Close Notepad.
  • Right click on your desktop, and choose .
  • Press Yes if prompted by User Account Control.
  • Double click on Fix.bat


Let me know if you're still experiencing redirects.
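
The hosts-file hijack that essexboy is chasing in replies #39 and #43 (third-party analytics and ad domains pointed at routable addresses, which is what lets the redirects happen) can be audited programmatically before and after a fix. This is an added example, not code from the thread or from any of the tools it mentions; the sample file is constructed from the entries quoted above, and the only assumption is the heuristic that a legitimate hosts entry resolves to loopback, the unspecified address (ad-block lists) or a LAN address, never a public IP.

```python
import ipaddress

# Constructed sample hosts file modelled on the entries quoted in the thread;
# the 0.0.0.0 line is added to show a benign non-loopback case (ad-block style).
SAMPLE_HOSTS = """# constructed sample, not a captured file
127.0.0.1       localhost
::1             localhost
109.163.226.208 www.google-analytics.com
109.163.226.208 ad-emea.doubleclick.net
67.215.245.19   www.statcounter.com
0.0.0.0         ads.example.invalid   # harmless ad-blocking entry
"""


def parse_hosts(text):
    """Return (address, hostname) pairs from hosts-file text.

    Comments (# to end of line) and blank lines are skipped; a line whose
    first field is not a valid IP address is ignored, as the resolver does.
    Hostnames are lower-cased and a trailing dot is dropped so that entries
    copied from a HijackThis/OTL "O1 - Hosts:" line compare equal.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for host in fields[1:]:
            entries.append((addr, host.lower().rstrip(".")))
    return entries


def suspicious_entries(text):
    """Flag mappings that send a hostname to a globally routable address.

    Heuristic (an assumption, not from the thread): legitimate entries point at
    loopback, 0.0.0.0/:: or private LAN ranges. A public IP bound to a
    third-party name such as www.google-analytics.com is the hijack pattern
    being removed above, so only is_global addresses are reported.
    """
    return [(str(addr), host) for addr, host in parse_hosts(text)
            if addr.is_global]


if __name__ == "__main__":
    for addr, host in suspicious_entries(SAMPLE_HOSTS):
        print(f"hijacked: {host} -> {addr}")
```

Entries mapped to private ranges are deliberately not reported, since LAN names in a hosts file are common; review those by hand if the redirects persist after a reset.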

kinji
Re: Infected with Win32:Sirefef-HO [Rtk]
« Reply #44 on: March 13, 2012, 01:53:36 PM »
I give up.