Infected with Sirefef trojan - just can't get rid of it


47 replies to this topic

#1 Davvy123

  • Members
  • 33 posts

Posted 14 June 2012 - 08:49 PM

My PC is infected with the Sirefef trojan.

It's a Windows 7 machine, and I had Microsoft Security Essentials (MSE) running on it.

Two weeks ago, MSE told me I had been infected with the "Win64/Sirefef.Y trojan", and that it had quarantined it. I then had MSE remove the trojan.

However the same trojan kept coming back. Every time I would have it removed, and it would be gone for a while, but then would be detected and quarantined by MSE, and I would have MSE delete it.

Eventually, the trojan caused MSE to shut down, and when I tried to restart MSE, I was told that the program was not installed. I uninstalled MSE and tried to re-install it, but now the PC would reboot after 1 minute, each time preceded by an error message "Windows has encountered a problem and needs to reboot" or something like that.

I went online to research the problem, could not find much on this malware, and ended up hiring an online malware removal service - Yoocare.com - to clean the computer for me.

Booting into safe mode with networking and running TeamViewer so that they could work on my machine remotely, Yoocare spent a long time, but eventually removed the malware, and my computer worked fine for about a week. Then the same trojan re-appeared. I went back to Yoocare and they removed the virus again, twice, in the space of another week. Each time they told me that the machine was completely cleaned. The last time was a few days ago. Each time the machine worked fine, and I made sure I did not go browsing any bad websites or open any email from unknown senders.

Then yesterday MSE detected a new threat: "JS/BlacoleRef.W" and quarantined it. I had MSE remove the virus.

I also went online and used ESET online scanner to do a scan of my machine (a procedure I had seen the Yoocare people use when they were working on my machine). The ESET scan detected two threats: "Win64/Patched B trojan" and "Win32/InstallCore D application". I had ESET remove those two items as well.

All day today my machine worked fine, without any problem. However, I went out for a while, came back, booted the PC, and found out that MSE was turned off. When I tried to turn it back on, I was told that MSE was not installed, again! I went back to the ESET online scan and am running it now. So far it has already found 3 versions of the trojan: 2 of the "Win64/Sirefef.W", and one "Win64/Sirefef.AE", and has not completed yet. Even if I have these removed, and anything else the ESET scan finds, I don't believe that the trojan will be gone from my machine; it will just come back, like the previous times.

So - I really need some help to truly get rid of this problem. I'm not going back to Yoocare, because they have tried several times already and have not been able to root out this thing. Hopefully someone here will be able to help. Thank you very much in advance.

Davvy

#2 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 14 June 2012 - 09:12 PM

Download SystemLook.

Launch it, copy this script and paste it in the box:

:filefind
services.exe

Click on LOOK and post the generated log.


Download ESET Online Scanner.

Install it.

Click on START; it should download the virus definitions.
When the scan completes, click on LIST of found threats.

Export the list to the desktop and copy the contents of the text file into your reply.


Download Malwarebytes Anti-Malware:

http://www.techspot.com/downloads/4716-malwarebytes-anti-malware.html

Install, update and run a full scan.

Click on SHOW results. Select all infections and remove them.

Reboot the PC and scan with MBAM in regular mode until you get a clean log.

#3 Davvy123 (Topic Starter)

Posted 14 June 2012 - 09:55 PM

Thank you for your fast reply!

Here is the SystemLook log:

SystemLook 30.07.11 by jpshortstuff
Log created at 19:28 on 14/06/2012 by usa
Administrator - Elevation successful

========== filefind ==========

Searching for "services.exe"
C:\Windows\ERDNT\cache64\services.exe --a---- 328704 bytes [18:43 07/06/2012] [01:39 14/07/2009] 24ACB7E5BE595468E3B9AA488B9B4FCB
C:\Windows\System32\services.exe --a---- 328704 bytes [23:19 13/07/2009] [01:39 14/07/2009] 014A9CB92514E27C0107614DF764BC06
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe ------- 328704 bytes [23:19 13/07/2009] [01:39 14/07/2009] 24ACB7E5BE595468E3B9AA488B9B4FCB

-= EOF =-

I am still running the ESET Online Scanner, will do the MBAM after that.
I have problems connecting to websites with my IE, Google Chrome, and Firefox. I had to copy the SystemLook Log onto a USB stick, transfer it to another PC, and post from the clean computer. Will do the same with the two other logs.

Davvy

#4 narenxp

Posted 14 June 2012 - 10:01 PM

Press the Windows+R keys, type

notepad

and click OK.

Copy this script and paste it into Notepad:

@ECHO OFF
REM Copy the untouched copy of services.exe from the WinSxS component store over the one in System32
COPY /Y C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe C:\WINDOWS\system32
REM Delete this batch file once it has run
DEL %0

Click on File > Save as

filename: services.bat
save as type: All types

Run the BAT file and post the new SystemLook log.

Edited by narenxp, 14 June 2012 - 10:16 PM.


#5 Davvy123 (Topic Starter)

Posted 14 June 2012 - 10:46 PM

The ESET list of threats detected is:

C:\Users\usa\AppData\Local\{e48fa91a-f199-c31a-6052-b0fe51f602aa}\n Win64/Sirefef.W trojan cleaned by deleting (after the next restart) - quarantined
C:\Windows\Installer\{e48fa91a-f199-c31a-6052-b0fe51f602aa}\n Win64/Sirefef.W trojan cleaned by deleting - quarantined
C:\Windows\Installer\{e48fa91a-f199-c31a-6052-b0fe51f602aa}\U\80000000.@ Win64/Sirefef.AE trojan cleaned by deleting - quarantined

The new SystemLook log after running the Services.bat file is:

SystemLook 30.07.11 by jpshortstuff
Log created at 20:31 on 14/06/2012 by usa
Administrator - Elevation successful

========== filefind ==========

Searching for "services.exe"
C:\Users\usa\Desktop\services.exe --a---- 328704 bytes [03:30 15/06/2012] [01:39 14/07/2009] 24ACB7E5BE595468E3B9AA488B9B4FCB
C:\Windows\ERDNT\cache64\services.exe --a---- 328704 bytes [18:43 07/06/2012] [01:39 14/07/2009] 24ACB7E5BE595468E3B9AA488B9B4FCB
C:\Windows\System32\services.exe --a---- 328704 bytes [23:19 13/07/2009] [01:39 14/07/2009] 014A9CB92514E27C0107614DF764BC06
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe ------- 328704 bytes [23:19 13/07/2009] [01:39 14/07/2009] 24ACB7E5BE595468E3B9AA488B9B4FCB

-= EOF =-

I am running the Malwarebytes Malware scan now, will post log when done.

Davvy
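The three ESET lines above share one layout: a folder named with a GUID under the user's Local AppData and under C:\Windows\Installer, holding a file literally named "n" and a "U" subfolder of "*.@" files. The script below is an added example (not from this thread or from ESET) that sweeps for exactly that layout. What it takes from the page is the layout and the two locations; the decision to treat only the "n" file and the "U\*.@" files as evidence, and the constructed folder tree it tests itself against, are this example's own assumptions. The caveat is built in: C:\Windows\Installer legitimately contains many GUID-named folders (cached MSI packages), so the GUID name alone must not be reported.

```python
r"""Sweep for the Sirefef/ZeroAccess drop layout reported by ESET in post #5:
a {GUID}-named folder under the user's Local AppData or under
C:\Windows\Installer that holds a file named "n" and a "U" subfolder of
"*.@" files.

Added example, not code from the thread. The layout comes from the three
ESET lines in post #5; the two search roots and the rule that only the "n"
file or "U\*.@" files count as evidence are this example's assumptions.
"""
import os
import re
import tempfile
from typing import List

_GUID_DIR = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)


def default_roots() -> List[str]:
    """The two locations named in the ESET report, resolved from the
    environment on a live Windows machine (empty elsewhere)."""
    roots = []
    local = os.environ.get("LOCALAPPDATA")
    if local:
        roots.append(local)
    sysroot = os.environ.get("SystemRoot")
    if sysroot:
        roots.append(os.path.join(sysroot, "Installer"))
    return roots


def sweep(roots: List[str]) -> List[str]:
    r"""Return every file matching the drop layout under the given roots.

    C:\Windows\Installer legitimately holds many {GUID} folders (cached MSI
    packages), so a GUID-named folder on its own is not evidence; only the
    "n" file and the "U\*.@" payload files are reported."""
    hits = []
    for root in roots:
        if not os.path.isdir(root):
            continue
        for name in os.listdir(root):
            folder = os.path.join(root, name)
            if not (_GUID_DIR.match(name) and os.path.isdir(folder)):
                continue
            n_file = os.path.join(folder, "n")
            if os.path.isfile(n_file):
                hits.append(n_file)
            u_dir = os.path.join(folder, "U")
            if os.path.isdir(u_dir):
                for f in os.listdir(u_dir):
                    if f.endswith(".@") and os.path.isfile(os.path.join(u_dir, f)):
                        hits.append(os.path.join(u_dir, f))
    return sorted(hits)


def build_fixture(base: str) -> List[str]:
    """Constructed tree (placeholder bytes, not malware): the infected layout
    from post #5 beside a benign MSI cache folder that must not be reported.
    Returns the two roots to sweep."""
    guid = "{e48fa91a-f199-c31a-6052-b0fe51f602aa}"
    local = os.path.join(base, "AppData", "Local")
    installer = os.path.join(base, "Installer")
    for path in (os.path.join(local, guid, "n"),
                 os.path.join(installer, guid, "n"),
                 os.path.join(installer, guid, "U", "80000000.@"),
                 os.path.join(installer, "{11111111-2222-3333-4444-555555555555}", "setup.msi")):
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"placeholder")
    return [local, installer]


def demo() -> List[str]:
    """Build the fixture in a temp dir, sweep it, return hits relative to it."""
    with tempfile.TemporaryDirectory() as tmp:
        hits = sweep(build_fixture(tmp))
        return [os.path.relpath(h, tmp).replace(os.sep, "/") for h in hits]


if __name__ == "__main__":
    for hit in demo():
        print(hit)
    # On a real machine: for hit in sweep(default_roots()): print(hit)
```

On a live system, run it elevated so that C:\Windows\Installer is readable, and treat a hit as a lead for the scanner logs requested in this thread rather than as something to delete by hand: the files are only the dropped payloads, not the component that re-creates them.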

#6 narenxp

Posted 14 June 2012 - 10:50 PM

That didn't work.

Press the Windows+R keys, type

notepad

and click OK.

Copy this script and paste it into Notepad:

@echo off
REM Work in the folder that holds the live services.exe
cd c:\windows\system32
REM Take ownership of the file away from TrustedInstaller and give it to the Administrators group
takeown /a /f services.exe
REM Grant Administrators full control (cacls /g replaces the ACL, which is why it asks "Are you sure (Y/N)?")
cacls services.exe /g administrators:f
REM An executable that is in use can be renamed but not overwritten, so move it aside first
ren services.exe services.exe.old
REM Copy the untouched copy from the WinSxS component store into System32
COPY /Y C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe C:\WINDOWS\system32
REM Delete this batch file once it has run
DEL %0

Click on File > Save as

filename: services.bat
Save as type: All types

Now right-click on the services.bat file, select Run as administrator and run it; type Y and press ENTER when asked.

Post the new SystemLook log.

Edited by narenxp, 14 June 2012 - 11:15 PM.


#7 Davvy123 (Topic Starter)

Posted 14 June 2012 - 11:22 PM

I ran the first part of your script in command mode, as you initially instructed, then ran the original services.bat file. I did this before you'd made the edit to your post.

I then ran SystemLookup. Here is the resulting log. The MBAM is still running.

SystemLook 30.07.11 by jpshortstuff
Log created at 20:56 on 14/06/2012 by usa
Administrator - Elevation successful

========== filefind ==========

Searching for "services.exe"
C:\Users\usa\Desktop\services.exe --a---- 328704 bytes [03:30 15/06/2012] [01:39 14/07/2009] 24ACB7E5BE595468E3B9AA488B9B4FCB
C:\Windows\ERDNT\cache64\services.exe --a---- 328704 bytes [18:43 07/06/2012] [01:39 14/07/2009] 24ACB7E5BE595468E3B9AA488B9B4FCB
C:\Windows\System32\services.exe --a---- 328704 bytes [03:54 15/06/2012] [01:39 14/07/2009] 24ACB7E5BE595468E3B9AA488B9B4FCB
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe ------- 328704 bytes [23:19 13/07/2009] [01:39 14/07/2009] 24ACB7E5BE595468E3B9AA488B9B4FCB

-= EOF =-
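The two SystemLook logs in this thread show the whole check in miniature: before the repair, the services.exe in System32 had the same size and the same modified and created timestamps as the copy in the WinSxS component store, yet a different MD5, which is the signature of a binary patched in place with its timestamps preserved (ESET's "Win64/Patched.B" hit on this machine is the same finding). After the batch from post #6 ran, every copy matched. The script below is an added example, not a tool from this thread: it parses the ":filefind" output format, uses the WinSxS copy as the trusted baseline (an assumption; the servicing store is not written to by the running system), reports any copy that deviates, and generates the repair batch that post #6 typed by hand, with icacls substituted for the deprecated cacls. The two log excerpts embedded in it are copied from posts #3 and #7. One caveat a practitioner should keep in mind: a hash mismatch against WinSxS can also mean a legitimately serviced binary, in which case a newer copy appears in WinSxS as well, so confirm with an Authenticode signature check (sigcheck, or Get-AuthenticodeSignature in PowerShell) before replacing anything.

```python
"""Flag a tampered services.exe from a SystemLook ':filefind' log and emit
the repair batch for it.

Added example, not code from the thread. The trusted baseline is taken to
be the copy in the WinSxS component store; any other copy whose size and
timestamps match it but whose MD5 differs has been patched in place. The
two log excerpts are copied from posts #3 and #7; the batch follows post #6
with icacls in place of the deprecated cacls.
"""
import re
from typing import List, NamedTuple, Tuple


class FileEntry(NamedTuple):
    path: str
    attrs: str       # SystemLook attribute flags, e.g. "--a----" or "-------"
    size: int
    modified: str    # text inside the first [...] bracket
    created: str     # text inside the second [...] bracket
    md5: str


# One filefind result line, e.g.
# C:\Windows\System32\services.exe --a---- 328704 bytes [23:19 13/07/2009] [01:39 14/07/2009] 014A9CB9...
_LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) (?P<attrs>[-a-z]{7}) (?P<size>\d+) bytes "
    r"\[(?P<mod>[^\]]+)\] \[(?P<cre>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)

# Copied from post #3 (before the repair).
LOG_BEFORE = r"""
Searching for "services.exe"
C:\Windows\ERDNT\cache64\services.exe --a---- 328704 bytes [18:43 07/06/2012] [01:39 14/07/2009] 24ACB7E5BE595468E3B9AA488B9B4FCB
C:\Windows\System32\services.exe --a---- 328704 bytes [23:19 13/07/2009] [01:39 14/07/2009] 014A9CB92514E27C0107614DF764BC06
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe ------- 328704 bytes [23:19 13/07/2009] [01:39 14/07/2009] 24ACB7E5BE595468E3B9AA488B9B4FCB
"""

# Copied from post #7 (after the repair).
LOG_AFTER = r"""
Searching for "services.exe"
C:\Users\usa\Desktop\services.exe --a---- 328704 bytes [03:30 15/06/2012] [01:39 14/07/2009] 24ACB7E5BE595468E3B9AA488B9B4FCB
C:\Windows\ERDNT\cache64\services.exe --a---- 328704 bytes [18:43 07/06/2012] [01:39 14/07/2009] 24ACB7E5BE595468E3B9AA488B9B4FCB
C:\Windows\System32\services.exe --a---- 328704 bytes [03:54 15/06/2012] [01:39 14/07/2009] 24ACB7E5BE595468E3B9AA488B9B4FCB
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe ------- 328704 bytes [23:19 13/07/2009] [01:39 14/07/2009] 24ACB7E5BE595468E3B9AA488B9B4FCB
"""


def parse_filefind(log: str) -> List[FileEntry]:
    """Return the file lines of a filefind section; headers and EOF are ignored."""
    entries = []
    for raw in log.splitlines():
        m = _LINE.match(raw.strip())
        if m:
            entries.append(FileEntry(m["path"], m["attrs"], int(m["size"]),
                                     m["mod"], m["cre"], m["md5"].upper()))
    return entries


def baseline(entries: List[FileEntry]) -> FileEntry:
    """Pick the WinSxS component-store copy as the reference (assumption)."""
    for e in entries:
        if "\\winsxs\\" in e.path.lower():
            return e
    raise ValueError("log contains no WinSxS copy to compare against")


def suspicious(entries: List[FileEntry]) -> List[Tuple[str, str]]:
    """(path, reason) for every copy whose MD5 differs from the baseline."""
    ref = baseline(entries)
    hits = []
    for e in entries:
        if e.md5 == ref.md5:
            continue
        if (e.size, e.modified, e.created) == (ref.size, ref.modified, ref.created):
            reason = ("size and both timestamps match the WinSxS copy but the MD5 "
                      "does not: patched in place with timestamps preserved")
        else:
            reason = "MD5 differs from the WinSxS copy"
        hits.append((e.path, reason))
    return hits


def repair_batch(entries: List[FileEntry],
                 target: str = r"C:\Windows\System32\services.exe") -> str:
    """Batch that restores the baseline over `target`, following post #6:
    take ownership away from TrustedInstaller, grant Administrators full
    control, rename the running image aside (an in-use executable can be
    renamed but not overwritten), then copy the WinSxS copy in. Must be
    run from an elevated prompt."""
    ref = baseline(entries)
    folder, name = target.rsplit("\\", 1)
    lines = [
        "@echo off",
        f"cd /d {folder}",
        f"takeown /a /f {name}",
        f"icacls {name} /grant Administrators:F",
        f"ren {name} {name}.old",
        f'copy /y "{ref.path}" "{folder}"',
    ]
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    before = parse_filefind(LOG_BEFORE)
    for path, reason in suspicious(before):
        print(f"{path}\n    {reason}")
    print(repair_batch(before))
    print("after repair:", suspicious(parse_filefind(LOG_AFTER)) or "no mismatches")
```

The ERDNT\cache64 copy and, after the repair, the Desktop copy both carry the baseline hash, so they are reported as clean; only the System32 copy in the first log is flagged, which is exactly what the advisor concluded from the raw log.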

#8 narenxp

Posted 14 June 2012 - 11:24 PM

OK, that worked.

I will wait for the MBAM log.

#9 Davvy123 (Topic Starter)

Posted 15 June 2012 - 01:09 AM

The MBAM scan finished and found 3 threats. I had it delete them and rebooted in normal mode. I'm running it again as a full scan. The log from the first scan is below.

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.15.01

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
usa :: USA-PC [administrator]

6/14/2012 8:38:45 PM
mbam-log-2012-06-14 (20-38-45).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 751586
Time elapsed: 2 hour(s), 1 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\TaiXuong-JD\Doremisoft Video Converter Trial Setup\DoremisoftVideoConverterTrial4.4.3.exe (Trojan.StartPage) -> Quarantined and deleted successfully.
Y:\UTILITIES - NEW\. DivX Plus 8.2.2 Build 1.8.6.4 Multilanguage + AudioDFX + key, Release May 5, 2012\KeyGen\Keygen.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
C:\Users\usa\Desktop\services.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

(end)

#10 narenxp

Posted 15 June 2012 - 01:43 AM

Along with the Malwarebytes log, post these logs too.

Download TDSSKiller.

Launch it. Click on Change parameters and select TDLFS file system.

Click on "Scan". Please post the log report (the log file should be in your C drive).

Download aswMBR.

Launch it and allow it to download the latest Avast! virus definitions.
Click the "Scan" button to start the scan. After the scan finishes, click on Save log.

Post the log results here.


Download MiniToolBox.

Checkmark the following boxes:

Flush DNS
Report IE Proxy Settings
Reset IE Proxy Settings
Report FF Proxy Settings
Reset FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Users, Partitions and Memory size

Click Go and post the result.

Edited by narenxp, 30 June 2012 - 07:11 PM.


#11 Davvy123 (Topic Starter)

Posted 15 June 2012 - 01:55 AM

The MBAM scan hung once. I had to restart it, and it's still running now.

I have downloaded the other two. Do you want me to run them after the MBAM, one at a time, or is it ok to run them concurrently?

#12 Davvy123 (Topic Starter)

Posted 15 June 2012 - 01:59 AM

The MBAM scan just hung again.

I am restarting it one more time and will let it run, by itself.

#13 narenxp

Posted 15 June 2012 - 02:00 AM

Update and run MBAM; run them one at a time.

#14 Davvy123 (Topic Starter)

Posted 15 June 2012 - 02:06 AM

OK, I have updated MBAM and will let it do its full scan.

I'll have to get to bed now, will just let this run, I will get up early tomorrow and run the other two, hopefully MBAM won't hang again.

Thank you so much for helping me, I'll be sure to give you an update in the morning (PST).

Good night now,

Davvy

#15 narenxp

Posted 15 June 2012 - 02:08 AM

Good night.