Author Topic: Win32:Sirefef-AO, and Win64:Sirefef-A and others?  (Read 20784 times)


oldcorollas1

  • Guest
Win32:Sirefef-AO, and Win64:Sirefef-A and others?
« on: May 18, 2012, 07:50:23 AM »
Hi All,
Need some expert help with this one.  :-[

I usually run MBAM weekly, never picks anything up.
Looked at some resume/job sites a few days ago and IE shut down unexpectedly  :o
Checked with process explorer, and a couple of SVChost.exes were popping up from nasty looking sources such as:
\\.\globalroot\systemroot\installer\[99d6c928-147d-54d5-377f-bd821ed462e7]\U
so I would cancel them as soon as they popped up, and went looking for info on net..

checked registry for "globalroot" and found two keys
HKCR and HKLM\software\classes\CLSID\[99d6c928-147d-54d5-377f-bd821ed462e7]\InprocServer32
\\.\globalroot\systemroot\installer\[99d6c928-147d-54d5-377f-bd821ed462e7]\n.

updated MBAM, full scan = nothing?
DL'd AVAST free version and quick scan found nothing, but it would block Win32:Sirefef-AO, and Win64:Sirefef-A from running every 5 minutes.
tried TDSSKiller and it found sptd.sys locked, but nothing else i can remember..

then did a full system scan with AVAST and found:
Win32:Dropper-gen   in \local settings\temp\tempfiles.exe
HTML:RedirME-inf   in \temp internet files
Win32:Malwae-gen    in \program files\Winace\order.exe|>[ASPack]
Win32:Krap-AIL       in PSFactoryBuffer.exe (I had already deleted it)
Then the big ones,
Win64:Sirefef-A     in \windows\installer\[99d6c928-147d-54d5-377f-bd821ed462e7]\U\80000000.@
Win32:Sirefef-AO    in \windows\installer\[99d6c928-147d-54d5-377f-bd821ed462e7]\U\800000cb.@

Then did a boot-time scan with AVAST and found 2 more:
Win32:Malware-gen  in C:\System Volume Information\restore{F3916368-82B8-44E9-A6BE-254B11BEFE11}\RP1807\A014070.exe|>[ASPack]
Win32:Krap-AIL in C:\System Volume Information\restore{F3916368-82B8-44E9-A6BE-254B11BEFE11}\RP1807\A014071.exe
disabled system restore after seeing that.

Did aswMBR and it found \windows\system32\hkcmd.exe was infected with Win32:Malware-gen

Then did more MBAM/TDSS etc and not really finding anything, but the threats for the two Sirefefs would come up every 5mins when connected to net, or when opening new browser tab in IE (and maybe Chrome?)

Uninstalled Java (was out of date) and installed new one, and was fine for an hour or so, then the Sirefef threats started popping up again in AVAST.

Did another boot-time scan in AVAST and this time it found:

Win32:Hoblig-B in \documents and settings\owner\local settings\temp\apart.dll

Now, am getting the two sirefef threats continually popping up every 5 mins with net cable plugged in.
followed log advice here http://forum.avast.com/index.php?topic=53253.0
logs for MBAM, aswMBR and TDSS are attached.

OTL won't run and gives error:

Exception EReadError in module OTL.exe at 00016A6B
Error reading DIskParttionInfo1.Active: .


what can I do??? any and all help appreciated!!
« Last Edit: May 18, 2012, 07:52:51 AM by oldcorollas1 »
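As an added example (not from the thread or from any of the tools mentioned in it), a small Python script that flags the registry indicator the poster found by hand: a CLSID InprocServer32 default value pointing into a \\.\globalroot device path instead of a normal drive path. The .reg text below is constructed; only the GUID comes from the thread.

```python
"""Scan a text export of the registry (regedit -> Export, or `reg export`)
for CLSID InprocServer32 entries whose default value points into a
\\\\.\\globalroot\\... device path, the indicator described in the thread."""
import re

# Constructed sample of a .reg export of HKLM\Software\Classes\CLSID.
# The first key is a normal shell32 entry; the second mimics the one the
# poster found (GUID taken from the thread, everything else made up).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00021401-0000-0000-C000-000000000046}\InprocServer32]
@="C:\\WINDOWS\\system32\\shell32.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{99d6c928-147d-54d5-377f-bd821ed462e7}\InprocServer32]
@="\\\\.\\globalroot\\systemroot\\installer\\{99d6c928-147d-54d5-377f-bd821ed462e7}\\n."
"ThreadingModel"="Both"
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
DEFAULT_RE = re.compile(r'^@="(?P<val>.*)"\s*$')
GLOBALROOT_PREFIX = "\\\\.\\globalroot\\"   # i.e. \\.\globalroot\


def find_globalroot_servers(reg_text):
    """Return (key, value) pairs for every InprocServer32 default value
    that references a \\.\globalroot device path."""
    hits = []
    key = None
    for line in reg_text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = DEFAULT_RE.match(line)
        if m and key and key.lower().endswith("\\inprocserver32"):
            # .reg exports double every backslash; undo that before matching
            val = m.group("val").replace("\\\\", "\\")
            if val.lower().startswith(GLOBALROOT_PREFIX):
                hits.append((key, val))
    return hits


if __name__ == "__main__":
    import sys
    # regedit exports are UTF-16; without an argument, scan the embedded sample
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG
    for key, val in find_globalroot_servers(text):
        print(f"suspicious InprocServer32: {key} -> {val}")
```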

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not a avast user
Re: Win32:Sirefef-AO, and Win64:Sirefef-A and others?
« Reply #1 on: May 18, 2012, 08:09:34 AM »
Quote
OTL won't run and gives error:
Try running OTL in safe mode....


malware removers are notified    ;)    may be several hours waiting time before they arrive

oldcorollas1

  • Guest
Re: Win32:Sirefef-AO, and Win64:Sirefef-A and others?
« Reply #2 on: May 18, 2012, 08:44:06 AM »
Thanks!

when getting into safe mode, it prompts "press ESC to cancel loading SPTD.SYS"
I pressed ESC and eventually it goes into safe mode.

OTL didn't run, same error as before. (edit: this was OTL.exe, i did not try .com or .scr versions)

downloaded again from http://www.geekstogo.com/forum/files/file/398-otl-oldtimers-list-it/ but still no go (from desktop or from USB)

« Last Edit: May 18, 2012, 12:13:13 PM by oldcorollas1 »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not a avast user
Re: Win32:Sirefef-AO, and Win64:Sirefef-A and others?
« Reply #3 on: May 18, 2012, 08:50:28 AM »
you have the Zero Access rootkit infection.....and this needs a specialist to remove it

don't run any more tools...wait for instructions
if you click the "notify" button at top or bottom here......you should get a message when you get a reply here   ;)
« Last Edit: May 18, 2012, 08:52:16 AM by Pondus »

oldcorollas1

  • Guest
Re: Win32:Sirefef-AO, and Win64:Sirefef-A and others?
« Reply #4 on: May 18, 2012, 09:03:41 AM »
notify is on, will wait for further instructions :)

bugger, was hoping it wouldn't be that...

edit: while I remember, when Avast blocks the recurrent sirefef threats, it says the process causing it was explorer.exe
« Last Edit: May 18, 2012, 02:16:59 PM by oldcorollas1 »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not a avast user
Re: Win32:Sirefef-AO, and Win64:Sirefef-A and others?
« Reply #5 on: May 18, 2012, 02:22:59 PM »
you may check your "explorer.exe" by uploading to http://virusscan.jotti.org/en and testing with 20+ malware scanners
alternative "http://metascan-online.com/"      virustotal seems to be under maintenance for the moment
when you have the result, copy the URL in the address bar and post it here for us to see
« Last Edit: May 18, 2012, 02:24:42 PM by Pondus »

oldcorollas1

  • Guest
Re: Win32:Sirefef-AO, and Win64:Sirefef-A and others?
« Reply #6 on: May 18, 2012, 02:54:00 PM »
PC is in safemode now, and I'm hesitant to boot to normal mode and connect to net again..

I tried with hkcmd.exe before to virustotal, but the uploaded file was 0kb (is 160k in explorer) and nothing detected..

If I copy explorer.exe to USB, then send from second PC, is that ok? or danger to second PC? will zeroaccess allow the infected file to be sent, or will send the "spare" real copy?
« Last Edit: May 18, 2012, 02:59:51 PM by oldcorollas1 »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not a avast user
Re: Win32:Sirefef-AO, and Win64:Sirefef-A and others?
« Reply #7 on: May 18, 2012, 03:13:56 PM »
Quote
If I copy explorer.exe to USB, then send from second PC, is that ok? or danger to second PC? will zeroaccess allow the infected file to be sent, or will send the "spare" real copy?
it is not important to do....... just out of curiosity to see if it is infected.....
the malware remover will see where the infection is located from the logs.... so just wait. Essexboy should be here in about 4 hours

oldcorollas1

  • Guest
Re: Win32:Sirefef-AO, and Win64:Sirefef-A and others?
« Reply #8 on: May 18, 2012, 03:17:04 PM »
ok, it will all come out in the wash later :)
no worries, i'll set alarm to wake up around that time then. thanks!

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win32:Sirefef-AO, and Win64:Sirefef-A and others?
« Reply #9 on: May 18, 2012, 08:49:59 PM »
Hi, let's try a different OTL scan.  If this should fail as well, do you have access to a USB stick that we could use or a CD?
As it is hanging on the Partition inspection you may have more than Sirefef

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
consrv.dll
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
C:\Windows\assembly\tmp\U\*.* /s
%Temp%\smtmp\1\*.*
%Temp%\smtmp\2\*.*
%Temp%\smtmp\3\*.*
%Temp%\smtmp\4\*.*
CREATERESTOREPOINT

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Post both logs

oldcorollas1

  • Guest
Re: Win32:Sirefef-AO, and Win64:Sirefef-A and others?
« Reply #10 on: May 19, 2012, 01:42:46 AM »
Hi Essexboy, (sorry for the late reply, it's morning here)

I tried running OTL.exe and OTL.com in safe and normal mode, from desktop and USB, and all get same partition read error :(
.scr is associated with autocad, so changing that now, and finding a CD.

any other listing things we could try?
« Last Edit: May 19, 2012, 01:55:36 AM by oldcorollas1 »

oldcorollas1

  • Guest
Re: Win32:Sirefef-AO, and Win64:Sirefef-A and others?
« Reply #11 on: May 19, 2012, 02:03:39 AM »
OTL.exe .com and .scr run from CD, desktop and USB all get error reading DiskPartitionInfo1.Active:
(This is running in normal mode. should I try safemode as well?)

worth trying OTLPENet to boot from CD and run OTL?

edit:
Ran Gmer for a quick look. this came up in red
Library  c:\windows\system32\n  (*** hidden ***)  @ C:\WINDOWS\Explorer.EXE [3528]           0x45670000
« Last Edit: May 19, 2012, 04:06:06 AM by oldcorollas1 »

Run4TheShadows

  • Guest
Re: Win32:Sirefef-AO, and Win64:Sirefef-A and others?
« Reply #12 on: May 19, 2012, 05:33:41 AM »
Sounds like we're having very similar troubles.  Let me know if you have any luck in beating this thing!

http://forum.avast.com/index.php?topic=98472.0

oldcorollas1

  • Guest
Re: Win32:Sirefef-AO, and Win64:Sirefef-A and others?
« Reply #13 on: May 19, 2012, 06:02:46 AM »
ran OTL PE version 3.1.48.0 from bootable CD (REATOGO-X-PE desktop)

only OTL.txt was produced, and is attached
edit: default settings were "use safelist" for services/drivers/standard registry, and "none" for extra registry
File scan settings - 30 days/use no-company-name whitelist/ created/modified within "file age", + LOP check, +purity check
« Last Edit: May 19, 2012, 10:50:57 AM by oldcorollas1 »

oldcorollas1

  • Guest
Re: Win32:Sirefef-AO, and Win64:Sirefef-A and others?
« Reply #14 on: May 19, 2012, 10:52:45 AM »
re-ran with extra registry set to "use safelist" and have attached as OTL2.txt (almost same) and Extras2.txt