Author Topic: Sirefef Trojan - Site redirects and more damage to my laptop  (Read 14768 times)


Offline essexboy

Re: Sirefef Trojan - Site redirects and more damage to my laptop
« Reply #45 on: March 19, 2012, 10:24:54 PM »
Having a quick scan with the more reputable url scanners I can find nothing

File Info

Report date: 2012-03-19 22:24:15 (GMT 1)
File name: index
File size: 34116 bytes
MD5 Hash: 1df63a08baf7658be9dc98d4e1d12672
SHA1 Hash: 8ac5e2acb15dee8a4c8534eb131f4ffd35ed129a
Detection rate: 0 on 9 (0%)
Status: CLEAN

Detections

Avast -
AVG -
Avira AntiVir -
ClamAV -
Comodo -
Emsisoft -
F-Prot -
Ikarus -
TrendMicro -

Scan report generated by
NoVirusThanks.org

Offline DavidR

Re: Sirefef Trojan - Site redirects and more damage to my laptop
« Reply #46 on: March 19, 2012, 10:41:27 PM »
Quote
I have just found out as well that MBAM blocks a whole domain .. Not the individual sites so good and bad are all lumped together as bad

Yes, oversee.net by all accounts is a host so would be hosting many sites across a range of IPs.

I couldn't see any reason either; even the HPhosts link I posted wasn't clear on why HPhosts pinged it or even what its classification is.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline essexboy

Re: Sirefef Trojan - Site redirects and more damage to my laptop
« Reply #47 on: March 19, 2012, 10:44:32 PM »
I disabled that part of MBAM when it started blocking Avast updates

DonZ63

Re: Sirefef Trojan - Site redirects and more damage to my laptop
« Reply #48 on: March 19, 2012, 11:21:50 PM »
Quote
I saw a few messages from Malwarebytes that say "Succesfully blocked access to a potentially malware website: 208.73.210.125 Type: Outgoing". I don't have any websites open at all. Is this something to worry about?
I have MBAM Pro with IP blocking set on. I have never seen it block an outbound connection unless I was connected to the Internet. I would say there is a good chance that he has malware dialing out.

Also I never had a problem with Avast updates and MBAM Pro. Never a problem with it blocking any update for that matter. Actually every time it blocked an IP address, it was correct.

Here's what MBAM says http://forums.malwarebytes.org/index.php?showtopic=42028

Offline DavidR

Re: Sirefef Trojan - Site redirects and more damage to my laptop
« Reply #49 on: March 19, 2012, 11:47:53 PM »
Quote
I disabled that part of MBAM when it started blocking Avast updates

I disabled it immediately I started using MBAM Pro on both my systems, and the biggest reason is that it doesn't do what it says on the tin: "Start malicious website blocking when protection module starts." It isn't only malicious sites but a whole slew of other categories that have nothing to do with malicious sites.

Not to mention with the Network Shield, Web Shield, Firefox block reported attack sites and adblockplus, etc. I'm more than well protected without the MBAM site blocking.

DonZ63

Re: Sirefef Trojan - Site redirects and more damage to my laptop
« Reply #50 on: March 20, 2012, 01:00:59 AM »
OP should also verify proper exclusions have been set for Avast and MBAM Pro. Looks like the MBAM web site hasn't updated their instructions for Avast 7. These are for Avast 6.

The following instructions show you how to exclude Avast! 6 and Malwarebytes' Anti-Malware from one another to prevent conflicts and improve performance:

Set Exclusions for Malwarebytes' Anti-Malware in Avast! Antivirus 6 (Free, Pro and Internet Security):

  • Open Avast! antivirus and click on REAL-TIME SHIELDS on the left
  • Click on File System Shield on the left and click on Expert Settings
  • Click the Exclusions section
  • Click on Browse next to the blank entry at the bottom of the list (this will be the only entry if no other exclusions have been set yet)
  • In the Select the areas window click on the + next to C:
  • Click the + next to Program Files. Note: For 64 bit Windows versions this will be Program Files (x86)
  • Click the box next to Malwarebytes' Anti-Malware and click on OK
  • Click OK again
  • Click on Web Shield on the left and click Expert Settings
  • Click on Exclusions and check the box next to URLs to exclude:
  • Type or copy/paste the following address:

*.mbamupdates.com

  • Click on OK

Also, for Avast! Internet Security:

  • Click on Behavior Shield on the left and click Expert Settings
  • Click on Trusted Processes
  • Click on Browse next to the blank entry at the bottom of the list (this will be the only entry if no other exclusions have been set yet)
  • Navigate to C:\Program Files\Malwarebytes' Anti-Malware, click once on mbam.exe and click Open. Note: For 64 bit Windows versions this will be Program Files (x86)
  • Do the same for the following files:
    ◦ mbamgui.exe
    ◦ mbamservice.exe
  • Click on OK
  • Close Avast! antivirus

Set Exclusions for Avast! Antivirus Free, Pro and Internet Security in Malwarebytes' Anti-Malware:

  • Open Malwarebytes' Anti-Malware and click on the Ignore List tab
  • Click on the Add button on the lower left
  • In the small browse window that opens, navigate to C:\Program Files and click once on avast software and click on OK
  • Close Malwarebytes' Anti-Malware


Samuel E Lindsey
 Product Manager
 

ssrisa

Re: Sirefef Trojan - Site redirects and more damage to my laptop
« Reply #51 on: March 22, 2012, 09:00:22 AM »
Hi essexboy,

System seems to be working fine now. Thanks for all your help. However, I have the Malwarebytes tool blocking a lot of ip addresses as I continue to browse.

Offline essexboy

Re: Sirefef Trojan - Site redirects and more damage to my laptop
« Reply #52 on: March 22, 2012, 08:48:16 PM »
Could you copy the last 10 or so blocks that MBAM has in the log please

ssrisa

Re: Sirefef Trojan - Site redirects and more damage to my laptop
« Reply #53 on: March 24, 2012, 05:13:54 AM »
Please find the logs.

Offline essexboy

Re: Sirefef Trojan - Site redirects and more damage to my laptop
« Reply #54 on: March 24, 2012, 01:47:50 PM »
Could you re-run OTL for me please with the following script

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
consrv.dll
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
C:\Windows\assembly\tmp\U\*.* /s
%Temp%\smtmp\1\*.*
%Temp%\smtmp\2\*.*
%Temp%\smtmp\3\*.*
%Temp%\smtmp\4\*.*
>C:\commands.txt echo list vol /raw /hide /c
/wait
>C:\DiskReport.txt diskpart /s C:\commands.txt /raw /hide /c
/wait
type c:\diskreport.txt /c
/wait
erase c:\commands.txt /hide /c
/wait
erase c:\diskreport.txt /hide /c
CREATERESTOREPOINT

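The OTL script above hashes five system files between /md5start and /md5stop so the helper can compare them against known-good copies. As an added example (not part of essexboy's script or of OTL), the following PowerShell does the equivalent check on the same five files and adds each file's Authenticode signature status, so an unsigned or tampered copy stands out without needing a reference hash. It assumes PowerShell 4.0 or later (for Get-FileHash) and looks only in the directories where the legitimate copies live.

```powershell
# Added example, not part of the OTL script: hash the five files the OTL
# /md5start ... /md5stop block lists and report their Authenticode status.
# Assumes PowerShell 4.0+ (Get-FileHash).
$WatchedFiles = 'consrv.dll', 'explorer.exe', 'winlogon.exe', 'Userinit.exe', 'svchost.exe'
# Where the legitimate copies live. WinSxS is skipped on purpose: its many
# duplicate versions would only add noise to the report.
$SearchDirs = @("$env:SystemRoot", "$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")

function Get-WatchedFileReport {
    param([string[]]$Names = $WatchedFiles, [string[]]$Dirs = $SearchDirs)
    foreach ($name in $Names) {
        $found = $false
        foreach ($dir in $Dirs) {
            # -Force also lists hidden copies, which droppers like to use.
            $copy = Get-ChildItem -LiteralPath $dir -Filter $name -File -Force -ErrorAction SilentlyContinue
            if (-not $copy) { continue }
            $found = $true
            $sig = Get-AuthenticodeSignature -FilePath $copy.FullName
            [pscustomobject]@{
                Name      = $name
                Path      = $copy.FullName
                Size      = $copy.Length
                MD5       = (Get-FileHash -LiteralPath $copy.FullName -Algorithm MD5).Hash
                # Valid / NotSigned / HashMismatch / UnknownError ...
                Signature = $sig.Status
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
        if (-not $found) {
            # Not present in any of the searched directories (normal for consrv.dll on a clean machine)
            [pscustomobject]@{ Name = $name; Path = '(not found)'; Size = 0; MD5 = ''; Signature = ''; Signer = '' }
        }
    }
}

$report = Get-WatchedFileReport
$report | Format-Table -AutoSize

# Anything present but not validly signed deserves a closer look. Windows system
# files are often catalog-signed rather than embedded-signed; on older Windows
# versions this cmdlet can report NotSigned for a legitimate file, so treat that
# as a prompt to compare against a known-good machine, not as proof of infection.
$report | Where-Object { $_.Path -ne '(not found)' -and $_.Signature -ne 'Valid' } | Format-List
```

Run it from an elevated PowerShell prompt so that files in System32 can be read and hashed.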