Author Topic: Infected with Win32:Sirefef-HO [Rtk]  (Read 24256 times)


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Infected with Win32:Sirefef-HO [Rtk]
« Reply #60 on: March 14, 2012, 05:16:05 PM »
OK been having a thunk around the problem ...  What I intend to try now is to replace all host files with dummies

1. Please download The Avenger by Swandog46 to your Desktop.

  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):
Code: [Select]
Begin copying here:
Files to replace with dummy:
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS
C:\Windows\SysNative\drivers\etc\hosts
C:\Windows\SysWOW64\drivers\etc\hosts
Note: the above code was created specifically for this user.  If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

  • Accept the disclaimer
  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:

  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.

kinji

  • Guest
Re: Infected with Win32:Sirefef-HO [Rtk]
« Reply #61 on: March 14, 2012, 07:30:24 PM »
I ran it twice.
The program said it completed the first step.
Reboots,
then nothing, no sign that the program does anything after.
No logfile either.

Offline essexboy
Re: Infected with Win32:Sirefef-HO [Rtk]
« Reply #62 on: March 14, 2012, 07:42:52 PM »
OK, let's see if we can reveal the hosts file, as it may be superhidden

1. In Windows 7, click the Start menu button in the bottom left hand corner. The Windows Start menu is displayed.

2. Select Control Panel and then Appearance and Personalisation. A list of options is displayed within sub-categories.

3. From Folder Options (the second option from the bottom), select Show hidden files and folders. The Folder Options window is displayed.

4. Select the View tab and locate Hidden files and folders. Click the radio button for Show hidden files, folders and drives and click OK.

5. Locate the checkbox Hide protected operating system files (Recommended) and click to disable it.

6. Click Apply and then OK.


Is the hosts file now visible at C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS
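The checks the thread works through by hand (is the file superhidden, who owns it, what does it actually map) can be done in one pass from an elevated PowerShell console. The script below is an added example written for this page; it is not from the thread, from The Avenger, or from any Microsoft tool. It assumes Windows 7 or later with PowerShell 3.0 or later, run as administrator from a 64-bit console; the function names are illustrative. It also reads the Tcpip DataBasePath registry value, because the stack reads hosts from whatever directory that value names, so a tampered value is a hosts hijack that leaves C:\Windows\System32\drivers\etc\hosts looking clean.

```powershell
# Added example, not from the thread. Assumes Windows 7+, PowerShell 3.0+,
# elevated 64-bit console. Function names are illustrative, not an API.

function Get-HostsDirectory {
    # The TCP/IP stack reads hosts from the directory named in DataBasePath,
    # normally %SystemRoot%\System32\drivers\etc. A rewritten value sends
    # lookups to a hosts file nobody is inspecting.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $raw = (Get-ItemProperty -Path $key -Name DataBasePath).DataBasePath
    $expanded = [Environment]::ExpandEnvironmentVariables($raw)
    [PSCustomObject]@{
        DataBasePath = $raw
        Expanded     = $expanded
        IsDefault    = ($expanded -ieq "$env:SystemRoot\System32\drivers\etc")
    }
}

function Test-HostsFile {
    param([string]$Path)
    $r = [ordered]@{ Path = $Path; Exists = (Test-Path -LiteralPath $Path) }
    if (-not $r.Exists) { return [PSCustomObject]$r }

    $item = Get-Item -LiteralPath $Path -Force        # -Force: include hidden/system
    $r.Attributes = $item.Attributes.ToString()
    # Hidden+System ("superhidden") is what Explorer suppresses until
    # "Hide protected operating system files" is cleared.
    $r.SuperHidden = [bool]($item.Attributes -band [IO.FileAttributes]::Hidden) -and
                     [bool]($item.Attributes -band [IO.FileAttributes]::System)

    $acl = Get-Acl -LiteralPath $Path
    $r.Owner = $acl.Owner
    # Principals allowed to write. Anything beyond SYSTEM, Administrators
    # and TrustedInstaller deserves a second look.
    $r.Writers = @($acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.FileSystemRights -match 'Write|Modify|FullControl' } |
        ForEach-Object { $_.IdentityReference.Value }) -join '; '

    # Live mappings: strip comments and blanks, then flag anything that is
    # not a loopback entry for localhost.
    $live = @(Get-Content -LiteralPath $Path -Force |
        ForEach-Object { ($_ -split '#', 2)[0].Trim() } |
        Where-Object { $_ -ne '' })
    $r.LiveEntries = $live.Count
    $r.Suspicious  = @($live | Where-Object { $_ -notmatch '^(127\.0\.0\.1|::1)\s+localhost$' })
    [PSCustomObject]$r
}

Get-HostsDirectory | Format-List

# SysNative is an alias that only 32-bit processes on 64-bit Windows see
# (the view a 32-bit removal tool gets); from a 64-bit console it is absent.
# WOW64 exempts drivers\etc from file redirection, so SysWOW64\drivers\etc
# is not part of a stock install and a hosts file there is worth examining.
$paths = @(
    "$env:SystemRoot\System32\drivers\etc\hosts",
    "$env:SystemRoot\SysNative\drivers\etc\hosts",
    "$env:SystemRoot\SysWOW64\drivers\etc\hosts"
)
$paths | ForEach-Object { Test-HostsFile -Path $_ } | Format-List
```

A clean machine reports IsDefault True, Exists True only for the System32 path, SuperHidden False, an owner of SYSTEM, Administrators or TrustedInstaller, and an empty Suspicious list. The user's posted file, which maps only localhost, would pass every one of these checks even though the redirects were still happening at the time, which is why the thread goes on to ownership and the Fix it rather than stopping at the file's contents.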

kinji

  • Guest
Re: Infected with Win32:Sirefef-HO [Rtk]
« Reply #63 on: March 14, 2012, 07:54:54 PM »
Yes, the file is there now.

# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
::1             localhost

Offline essexboy
Re: Infected with Win32:Sirefef-HO [Rtk]
« Reply #64 on: March 14, 2012, 08:38:21 PM »
Clever little buggers

Download the following zip file
http://www.howtogeek.com/downloads/TakeOwnership.zip
Extract to the desktop and merge the reg file
Accept the warnings
This adds a right click Take Ownership option

Now go to each of these locations and right click the hosts file and take ownership

C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS
C:\Windows\SysNative\drivers\etc\hosts
C:\Windows\SysWOW64\drivers\etc\hosts

Then run the MS Fix it on this page http://support.microsoft.com/kb/972034/en-us
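The two steps above, taking ownership and putting Microsoft's stock hosts file back, can be scripted without the registry merge or the Fix it. The following is an added example written for this page; it is not the thread's procedure, not the TakeOwnership.reg from howtogeek (which runs takeown and then grants Administrators full control), and not the KB972034 Fix it. It assumes Windows 7 or later, PowerShell 3.0 or later and an elevated 64-bit console; the function name and the backup location are illustrative.

```powershell
# Added example, not from the thread or from Microsoft. Assumes Windows 7+,
# PowerShell 3.0+, elevated 64-bit console. Function name is illustrative.

$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# Stock content, abridged to the header and the two loopback mappings that
# the listing earlier in the thread shows as the only live entries.
$DefaultHosts = @'
# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# Each entry is an IP address, whitespace, then a host name; text after
# a '#' is a comment.

127.0.0.1       localhost
::1             localhost
'@

function Restore-HostsFile {
    param(
        [string]$Path    = $HostsPath,
        [string]$Content = $DefaultHosts
    )
    if (Test-Path -LiteralPath $Path) {
        # Preserve the tampered file for the record before touching it.
        $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
        $backup = Join-Path $env:TEMP "hosts.$stamp.bak"
        Copy-Item -LiteralPath $Path -Destination $backup -Force

        # Step 1: ownership to the Administrators group (/a), then reset the
        # DACL to what the etc directory hands down by inheritance. This is
        # the same job as the right-click Take Ownership entry.
        takeown.exe /f $Path /a  | Out-Null
        icacls.exe  $Path /reset | Out-Null

        # Step 2: clear ReadOnly/Hidden/System so the rewrite is not refused
        # and the file stops being "superhidden" in Explorer.
        attrib.exe -r -h -s $Path
    }
    # Write plain ASCII with CRLF line endings, as the stock file is.
    $text = $Content -replace "`r?`n", "`r`n"
    [IO.File]::WriteAllText($Path, $text, [Text.Encoding]::ASCII)

    # Drop cached answers so the next lookup goes through the new file.
    ipconfig.exe /flushdns | Out-Null
    Get-Content -LiteralPath $Path
}

Restore-HostsFile
```

Keep the backup: if the redirects were coming from hosts entries, the backed-up file is the evidence of which domains were being hijacked. If they continue after this, the hosts file was not the only mechanism, and the next things to look at are the Tcpip DataBasePath registry value, the DNS servers set on the adapter, and browser proxy settings, none of which this script changes.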

kinji

  • Guest
Re: Infected with Win32:Sirefef-HO [Rtk]
« Reply #65 on: March 14, 2012, 08:44:26 PM »
C:\Windows\SysNative\drivers\etc\hosts
C:\Windows\SysWOW64\drivers\etc\hosts

these files don't exist???

Offline essexboy
Re: Infected with Win32:Sirefef-HO [Rtk]
« Reply #66 on: March 14, 2012, 08:47:34 PM »
No problem, we just needed to check those areas out

Now run the MS Fix it please

Then run a quick scan with OTL

kinji

  • Guest
Re: Infected with Win32:Sirefef-HO [Rtk]
« Reply #67 on: March 14, 2012, 09:00:15 PM »
otl
« Last Edit: March 16, 2012, 05:05:07 AM by kinji »

Offline essexboy
Re: Infected with Win32:Sirefef-HO [Rtk]
« Reply #68 on: March 14, 2012, 09:06:55 PM »
Quote
O1 HOSTS File: ([2011/12/22 16:11:00 | 000,000,833 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2:64bit: - BHO: (avast! WebRep) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)

That looks better

Could you now check for redirects please

kinji

  • Guest
Re: Infected with Win32:Sirefef-HO [Rtk]
« Reply #69 on: March 14, 2012, 09:14:00 PM »
OK, I will let you know, I'm working on a website and browsing around right now.

Offline essexboy
Re: Infected with Win32:Sirefef-HO [Rtk]
« Reply #70 on: March 14, 2012, 09:15:34 PM »
Ta - another sneaky trick to add to my list

kinji

  • Guest
Re: Infected with Win32:Sirefef-HO [Rtk]
« Reply #71 on: March 14, 2012, 10:49:47 PM »
Essex, thanks so much for your help! I have not had another redirect. I hope it stays that way!
I have my avast turned on; also, do you recommend I run another program to avoid this situation again?
Thanks,
Kinji

Offline essexboy
Re: Infected with Win32:Sirefef-HO [Rtk]
« Reply #72 on: March 14, 2012, 10:53:06 PM »
No, thank you for your forbearance whilst we tracked this miscreant down. Mayhap another one to the good guys  8)

Subject to no further problems   :)

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean  :thumbsup:

A good workman always cleans up after himself, so the following will implement some cleanup procedures as well as reset System Restore points:

Remove ComboFix

  • Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
  • In the Run box, type in ComboFix /Uninstall (notice the space between the "x" and "/") then click OK
  • Follow the prompts on the screen
  • A message should appear confirming that ComboFix was uninstalled
Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.
We will now confirm that your hidden files are set to that, as some of the tools I use will change that
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Java components and upgrade the application.

Upgrading Java:
  • Go to this site and click Do I have Java
  • It will check your current version and then offer to update to the latest version
SPRING CLEAN

To manually create a new Restore Point

  • Go to Control Panel and select System
  • On the left select System Protection and accept the warning if you get one
  • Select the System Protection tab
  • Select Create at the bottom
  • Type in a name, e.g. Clean
  • Select Create
Now we can purge the infected ones
  • Go Start > All Programs > Accessories > System Tools
  • Right click Disk Cleanup and select Run as administrator
  • Select your main drive and accept the warning if you get one
  • For a few moments the system will make some calculations
  • Select the More Options tab
  • Under System Restore and Shadow Copies select Clean up
  • Select Delete on the pop up
  • Select OK
  • Select Delete
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

Malwarebytes. Update and run weekly to keep your system clean

Download and install the FileHippo Update Checker and run it monthly; it will show you which programmes on your system need updating and give a download link

It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit
To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?

Keep safe  :wave:
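The SPRING CLEAN part of the post above (a fresh restore point, then purging the older ones that may carry infected copies) maps onto two PowerShell functions. This is an added example written for this page, not the thread's instructions and not a Microsoft script; it assumes Windows 7 or later, an elevated PowerShell 3.0 or later console and System Protection enabled on the system drive, and the function names are illustrative. It goes a little beyond the post by reporting the surviving shadow copy count so the result can be checked without opening Disk Cleanup.

```powershell
# Added example, not from the thread. Assumes Windows 7+, elevated
# PowerShell 3.0+, System Protection enabled on the system drive.
# Function names are illustrative.

function New-CleanRestorePoint {
    param([string]$Description = 'Clean')
    # Equivalent of System Protection > Create. Windows 8 and later skip a
    # second restore point within 24 hours unless the registry value
    # HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\
    # SystemRestorePointCreationFrequency is set to 0.
    Checkpoint-Computer -Description $Description -RestorePointType 'MODIFY_SETTINGS'
    Get-ComputerRestorePoint | Sort-Object SequenceNumber | Select-Object -Last 1
}

function Remove-OldShadowCopies {
    param([string]$DriveLetter = $env:SystemDrive)      # e.g. 'C:'
    $volume  = Get-WmiObject Win32_Volume | Where-Object { $_.DriveLetter -eq $DriveLetter }
    $shadows = @(Get-WmiObject Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $volume.DeviceID } |
        Sort-Object { [Management.ManagementDateTimeConverter]::ToDateTime($_.InstallDate) })

    # Disk Cleanup's "System Restore and Shadow Copies > Clean up" keeps only
    # the newest shadow copy. Do the same: delete every copy but the last,
    # which takes the older restore points (and whatever they captured) with it.
    if ($shadows.Count -gt 1) {
        $shadows[0..($shadows.Count - 2)] | ForEach-Object { $_.Delete() | Out-Null }
    }
    # Return what survived so the caller can confirm exactly one remains.
    @(Get-WmiObject Win32_ShadowCopy | Where-Object { $_.VolumeName -eq $volume.DeviceID }).Count
}

New-CleanRestorePoint
Remove-OldShadowCopies
```

Run New-CleanRestorePoint first, as the post does, so that the copy kept by Remove-OldShadowCopies is the clean one; running the purge first on a machine with a single restore point would leave nothing to roll back to.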

kinji

  • Guest
Re: Infected with Win32:Sirefef-HO [Rtk]
« Reply #73 on: March 15, 2012, 03:29:01 PM »
OK, thanks for your help.  8)  ;D
I have not had another redirect so I went ahead with your final instructions.

Can you have a moderator delete this thread? I don't see the need to publicly display my log files any further.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37526
  • Not a avast user
Re: Infected with Win32:Sirefef-HO [Rtk]
« Reply #74 on: March 15, 2012, 03:36:47 PM »
Quote
Can you have a moderator delete this thread, I don't see the need to publicly display my log files any further -
You can remove your log file(s) if you edit the post(s) they are in   ;)