infected by Win32/Sirefef.CH & Win32/Rootkit.Agent.NUS


This topic is locked
14 replies to this topic

#1 razvan986

  • Members
  • 7 posts

Posted 07 November 2011 - 08:53 AM

Hi there

My ESET NOD32 Antivirus 4 detected Win32/Sirefef.CH & Win32/Rootkit.Agent.NUS.
I tried to remove them with Kaspersky removal tool, Malwarebytes Anti-Malware, SPYBOT.
All failed to delete this file C:\WINDOWS\assembly\GAC_MSIL\desktop.ini which is a Win32/Sirefef.CH trojan.
The other Win32/Rootkit.Agent.NUS trojan is in operating memory.
My PC symptoms are:
1. Can't access a direct link....I have to press 3-4 times the Enter key in the browser..then the page will load.
2. PC is moving slow.

Attached Files


Edited by razvan986, 07 November 2011 - 08:56 AM.
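As an added example that is not part of the thread (nor code from any of the tools named in it), here is a Python check for desktop.ini files that are not INI text at all, which is how a component hidden as C:\WINDOWS\assembly\GAC_MSIL\desktop.ini like the one reported above would stand out; the heuristics (PE header, NUL bytes, size, missing [.ShellClassInfo] section) and the constructed sample tree are assumptions of the example.

```python
# Added example (not from the thread): flag desktop.ini files that are not plain
# INI text, like the Sirefef payload at C:\WINDOWS\assembly\GAC_MSIL\desktop.ini.
import configparser
import os
import tempfile
MAX_INI_BYTES = 64 * 1024  # assumption: a genuine desktop.ini is a few hundred bytes

def _as_text(data):
    """Decode as UTF-16 (with BOM) or UTF-8, the encodings Windows uses for desktop.ini."""
    enc = "utf-16" if data.startswith((b"\xff\xfe", b"\xfe\xff")) else "utf-8-sig"
    try:
        text = data.decode(enc)
    except UnicodeDecodeError:
        return None
    return None if "\x00" in text else text  # NUL bytes mean binary, not INI

def desktop_ini_findings(path):
    """Reasons a desktop.ini looks like a disguised payload ([] if it looks genuine)."""
    data = open(path, "rb").read()
    reasons = []
    if data[:2] == b"MZ":
        reasons.append("starts with a PE (MZ) header")
    if len(data) > MAX_INI_BYTES:
        reasons.append("larger than %d bytes" % MAX_INI_BYTES)
    text = _as_text(data)
    if text is None:
        return reasons + ["not decodable as INI text"]
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text)
    except configparser.Error:
        return reasons + ["does not parse as INI syntax"]
    if not parser.has_section(".ShellClassInfo"):
        reasons.append("no [.ShellClassInfo] section")
    return reasons

def scan(root):  # walk root; map each suspicious desktop.ini path to its findings
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in (n for n in files if n.lower() == "desktop.ini"):
            found = desktop_ini_findings(os.path.join(dirpath, name))
            if found:
                hits[os.path.join(dirpath, name)] = found
    return hits

def build_demo_tree():  # constructed sample: a genuine UTF-16 desktop.ini and a PE-like blob
    root = tempfile.mkdtemp()
    good, bad = os.path.join(root, "Documents"), os.path.join(root, "assembly", "GAC_MSIL")
    for d in (good, bad):
        os.makedirs(d)
    with open(os.path.join(good, "desktop.ini"), "wb") as fh:
        fh.write("\ufeff[.ShellClassInfo]\r\nIconResource=shell32.dll,-235\r\n".encode("utf-16-le"))
    with open(os.path.join(bad, "desktop.ini"), "wb") as fh:
        fh.write(b"MZ\x90\x00" + bytes(200000))  # MZ stub plus padding, not a real binary
    return root
```

Running scan() over a real Windows volume lists only the desktop.ini files that fail the checks; the genuine UTF-16 file in the sample tree is not reported.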



#2 CatByte


    bleepin' tiger


  • Malware Response Team
  • 14,664 posts

Posted 07 November 2011 - 09:06 AM

Hi

Please do the following:

Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)


NEXT

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 razvan986

  • Topic Starter

  • Members
  • 7 posts

Posted 07 November 2011 - 09:56 AM

No C:\ComboFix.txt on my PC.
I've run ComboFix, and disabled ESET antivirus protection once.........said the first time that it did find a rootkit and can't remove it...then automatically tried a second time to fix the rootkit...and then just notified me that my computer needs a reboot...and I've waited 30 minutes to reboot....the blue welcome screen just didn't do anything for 30 min...I didn't have patience and I've rebooted from the PC button....NOW WHAT TO DO?

Attached Files


Edited by razvan986, 07 November 2011 - 09:58 AM.


#4 CatByte


    bleepin' tiger


  • Malware Response Team
  • 14,664 posts

Posted 07 November 2011 - 10:33 AM

Hi,

I just want to make certain that you rebooted after TDSSKiller so it could finish removing the infection?

NEXT

Please delete the copy of ComboFix that you have on your desktop, then download a fresh copy


Now re-run ComboFix, making sure you disable your security programs

Please give ComboFix lots of time to run and create a log

It may take much longer than you expect it should; this is a very serious infection.

Give it at least an hour,

Please post the resulting log

thanks



#5 razvan986

  • Topic Starter

  • Members
  • 7 posts

Posted 07 November 2011 - 11:31 AM

after 50 minutes :( here is the log

waiting for next instructions!

Attached Files



#6 CatByte


    bleepin' tiger


  • Malware Response Team
  • 14,664 posts

Posted 07 November 2011 - 11:38 AM

Hi,

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run, type Notepad, then click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://www.bleepingcomputer.com/forums/topic426726.html/page__pid__2466585#entry2466585

Collect::
c:\windows\system32\drivers\orwkqxo.sys
c:\program files\e3476483.tmp

Folder::
c:\documents and settings\Razvan\Local Settings\Application Data\d17ef6cd

DirLook::
c:\windows\PIF

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop. Save it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

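As an added example, not ComboFix's own code nor CatByte's, here is a small Python parser for the CFScript above that turns the Collect::/Folder::/DirLook::/ClearJavaCache:: sections into a map and checks that every entry is a concrete absolute path before the file is handed to ComboFix; the format rules it assumes (the topic URL as a header line, `Name::` opening a section, a blank line closing it) are inferred from the posted script, not from ComboFix documentation.

```python
# Added example (not ComboFix's code): parse the CFScript CatByte posted into a
# directive -> entries map so the requested actions can be reviewed before running.
# Format rules (topic URL header, `Name::` opens a section, blank line closes it)
# are assumptions inferred from the posted script, not from ComboFix documentation.
import re

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")
WIN_PATH_RE = re.compile(r'^[A-Za-z]:\\[^*?"<>|]+$')  # absolute path, no wildcards

# The script exactly as posted in the thread, used here as sample input.
CFSCRIPT = r"""http://www.bleepingcomputer.com/forums/topic426726.html/page__pid__2466585#entry2466585

Collect::
c:\windows\system32\drivers\orwkqxo.sys
c:\program files\e3476483.tmp

Folder::
c:\documents and settings\Razvan\Local Settings\Application Data\d17ef6cd

DirLook::
c:\windows\PIF

ClearJavaCache::
"""

def parse_cfscript(text):
    """Return {directive: [entries]}; directives with no entries map to []."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        match = SECTION_RE.match(line)
        if match:
            current = match.group(1)
            sections.setdefault(current, [])
        elif not line:
            current = None  # a blank line closes the current section
        elif current is not None:
            sections[current].append(line)
        # lines outside any section (the topic URL header) are ignored
    return sections

def lint_cfscript(sections):
    """Flag entries that are not absolute Windows paths, so a typo cannot widen the script."""
    problems = []
    for directive, entries in sections.items():
        for entry in entries:
            if not WIN_PATH_RE.match(entry):
                problems.append("%s: not an absolute path: %r" % (directive, entry))
    return problems
```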


#7 razvan986

  • Topic Starter

  • Members
  • 7 posts

Posted 07 November 2011 - 12:39 PM

I've done what you said....but my ComboFix.. notified me that it needs a reboot.......and Windows went into a blue screen mode with the Windows logo in the middle......after 10 minutes I will reach 1 hour of waiting.....does it have to take so long?
I'm typing from my laptop now....and I hope that my PC will reboot until next day in the morning,,,,,then if not I will have to shut it down :((

#8 CatByte


    bleepin' tiger


  • Malware Response Team
  • 14,664 posts

Posted 07 November 2011 - 01:09 PM

Please shut down the computer and reboot it,

allow it to boot into normal mode


see if there is a log located at C:\combofix.txt

(there is no need to "quote" my reply > just click the "Add Reply" button)

Edited by CatByte, 07 November 2011 - 01:10 PM.



#9 razvan986

  • Topic Starter

  • Members
  • 7 posts

Posted 07 November 2011 - 02:10 PM

I've pressed 10 seconds on the turn off button...powered up the PC...ComboFix started to make a log.
I've scanned with ESET for viruses...but no more viruses :)
Thanks a lot..sorry for so many quotes :)

Attached Files



#10 CatByte


    bleepin' tiger


  • Malware Response Team
  • 14,664 posts

Posted 07 November 2011 - 04:01 PM

Hi,

Please do the following:

On your keyboard, press the Windows logo key and the letter R to open a Run command box

Copy/paste the following two commands one at a time into the open run box, hitting enter after each.


sc stop 11884376
sc delete 11884376


Reboot the machine.


NEXT


  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



NEXT


Make sure your ESET antivirus is up to date and run a scan, let me know the results

(note it may find items already in quarantine or old restore points, those can be ignored, we will clean them up later)



#11 razvan986

  • Topic Starter

  • Members
  • 7 posts

Posted 08 November 2011 - 08:20 AM

I've done what you said.
I've deleted "sc delete 11884376".
I've scanned with Malwarebytes.
I've scanned with Avira antivirus and ESET...no viruses.
But those Win32/Sirefef.CH & Win32/Rootkit.Agent.NUS...still left some damage on my IDE hard disk.
I made a screenshot....games are not working quite well....are loading very hard...are very sluggish on FPS...I can't activate DMA MODE on my Secondary IDE...it's on "PIO MODE"....my AVG PC TuneUp says my Hitachi hard disk supports DMA mode and must re-enable it for faster performance.
And the computer also is not so fast as I used to know....it has a slower startup..slow response time.

Attached Files


Edited by razvan986, 08 November 2011 - 10:02 AM.


#12 CatByte


    bleepin' tiger


  • Malware Response Team
  • 14,664 posts

Posted 08 November 2011 - 06:31 PM

Hi

Run chkdsk to see if it finds any bad sectors

  • Click Start > Run... then type in CMD and click on OK.
  • At the Command Prompt C:\ > type the following: chkdsk c: /r and hit the Enter/Return key.
    Note: chkdsk c: /r presumes that the disk upon which you wish to run Error Checking is your C: Drive (most often)
  • When prompted with:

CHKDSK cannot run because the volume is in use by another process
Would you like to schedule this volume to be checked next time the system
restarts (Y/N)

  • Hit the Y key then at the Command Prompt C:\ >
  • Type in EXIT and hit the Enter/Return key.
  • Now Reboot(Restart) your computer.
Note: Upon Reboot(Restart), CHKDSK will start and carry out the repairs required.

Then run a defrag:

  • Open My Computer.
  • Right-click the local disk volume that you want to defragment (usually your C:\ drive) > then click Properties.
  • On the Tools tab > click Defragment Now.
  • Click Defragment.


NEXT

Your Java needs updating:


Your Java is out of date.
Java™ 6 Update 26 can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now.
An update should begin; > follow the prompts.


Clear Java cache

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup) If you do not see the icon, look to your left and click 'Switch to Classic View'.
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
    • Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.



Let me know if there are still issues



#13 razvan986

  • Topic Starter

  • Members
  • 7 posts

Posted 09 November 2011 - 08:49 AM

Thanks a lot
But I made a fresh install of Windows...
Your answer had come too late...I decided to reinstall Windows XP :busy:
I've put on AVG 2012 Antivirus Free Edition and ZoneAlarm Firewall Free

#14 CatByte


    bleepin' tiger


  • Malware Response Team
  • 14,664 posts

Posted 09 November 2011 - 10:20 AM

OK

Thanks for letting me know



#15 CatByte


    bleepin' tiger


  • Malware Response Team
  • 14,664 posts

Posted 09 November 2011 - 10:20 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.





