Sirefef.FD/AE/EZ Infection. Any help appreciated!


7 replies to this topic

#1 Buztafen

  • Members
  • 6 posts

Posted 21 July 2012 - 01:50 PM

Hello,

My Windows 7 Ultimate (SP1) machine appears to be infected with multiple variants of Sirefef . Can anyone help me through the process of removing these malicious infections?

Here is the log file from the most recent ESET Online Scan:-

C:\Windows\Installer\{2129c945-32c0-9566-ac8e-4cb75ac7585b}\U\00000008.@ Win64/Agent.BA trojan
C:\Windows\Installer\{2129c945-32c0-9566-ac8e-4cb75ac7585b}\U\80000000.@ Win64/Sirefef.AE trojan
C:\Windows\Installer\{2129c945-32c0-9566-ac8e-4cb75ac7585b}\U\80000032.@ a variant of Win32/Sirefef.FD
Operating memory a variant of Win32/Sirefef.EZ trojan

Many thanks for looking.

Regards,

Chris.

#2 Buztafen


Posted 21 July 2012 - 01:54 PM

Update.

Here is the FSS log:-

Farbar Service Scanner Version: 19-07-2012
Ran by Buz (administrator) on 21-07-2012 at 19:52:46
Running from "C:\Users\Buz\Desktop"
Microsoft Windows 7 Ultimate Service Pack 1 (X64)
Boot Mode: Network
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.

bfe Service is not running. Checking service configuration:
The start type of bfe service is OK.
The ImagePath of bfe service is OK.
The ServiceDll of bfe service is OK.


Firewall Disabled Policy:
==================
ATTENTION!=====> Unable to open HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile. The key does not exist.
ATTENTION!=====> Unable to open HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile. The key does not exist.


System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is OK.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.

VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
The ImagePath of VSS service is OK.


System Restore Disabled Policy:
========================


Action Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.

BITS Service is not running. Checking service configuration:
The start type of BITS service is OK.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.

EventSystem Service is not running. Checking service configuration:
The start type of EventSystem service is OK.
The ImagePath of EventSystem service is OK.
The ServiceDll of EventSystem service is OK.


Windows Autoupdate Disabled Policy:
============================


Other Services:
==============

sharedaccess Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of sharedaccess. The value does not exist.
Checking ImagePath: ATTENTION!=====> Unable to retrieve ImagePath of sharedaccess. The value does not exist.
Unable to retrieve ServiceDll of sharedaccess. The value does not exist.


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****

Regards.

#3 Buztafen


Posted 21 July 2012 - 01:55 PM

And the aswMBR log:-

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-07-21 14:37:23
-----------------------------
14:37:23.823 OS Version: Windows x64 6.1.7601 Service Pack 1
14:37:23.823 Number of processors: 4 586 0xF0B
14:37:23.823 ComputerName: BUZ-PC UserName: Buz
14:37:24.712 Initialize success
14:37:32.185 AVAST engine defs: 12072001
14:37:43.354 Disk 0 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4
14:37:43.370 Disk 0 Vendor: SAMSUNG_SP1614C SW100-30 Size: 152626MB BusType: 3
14:37:43.370 Disk 1 (boot) \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP3T0L0-6
14:37:43.370 Disk 1 Vendor: SAMSUNG_SP1614C SW100-30 Size: 152626MB BusType: 3
14:37:43.370 Disk 1 MBR read successfully
14:37:43.386 Disk 1 MBR scan
14:37:43.386 Disk 1 Windows 7 default MBR code
14:37:43.386 Disk 1 Partition 1 80 (A) 07 HPFS/NTFS NTFS 152624 MB offset 64
14:37:43.401 Disk 1 scanning C:\Windows\system32\drivers
14:37:53.541 Service scanning
14:38:12.480 Modules scanning
14:38:12.480 Disk 1 trace - called modules:
14:38:12.495 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
14:38:12.495 1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0xfffffa8004a38060]
14:38:12.495 3 CLASSPNP.SYS[fffff88001bd043f] -> nt!IofCallDriver -> [0xfffffa80047b3520]
14:38:12.511 5 ACPI.sys[fffff880011777a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP3T0L0-6[0xfffffa80047ad060]
14:38:13.088 AVAST engine scan C:\
14:53:55.951 File: C:\Users\Buz\AppData\Local\{2129c945-32c0-9566-ac8e-4cb75ac7585b}\U\00000004.@ **INFECTED** Win32:Malware-gen
14:53:55.966 File: C:\Users\Buz\AppData\Local\{2129c945-32c0-9566-ac8e-4cb75ac7585b}\U\000000cb.@ **INFECTED** Win32:Malware-gen
15:06:40.159 File: C:\Windows\assembly\GAC_32\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
15:06:43.186 File: C:\Windows\assembly\GAC_64\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
15:09:43.397 File: C:\Windows\Installer\{2129c945-32c0-9566-ac8e-4cb75ac7585b}\U\00000004.@ **INFECTED** Win32:Malware-gen
15:09:43.506 File: C:\Windows\Installer\{2129c945-32c0-9566-ac8e-4cb75ac7585b}\U\000000cb.@ **INFECTED** Win32:Malware-gen
15:09:43.569 File: C:\Windows\Installer\{2129c945-32c0-9566-ac8e-4cb75ac7585b}\U\80000000.@ **INFECTED** Win32:Malware-gen
15:09:43.647 File: C:\Windows\Installer\{2129c945-32c0-9566-ac8e-4cb75ac7585b}\U\80000032.@ **INFECTED** Win32:Downloader-PKU [Trj]
15:58:07.093 Scan finished successfully
18:46:58.579 Disk 1 MBR has been saved successfully to "C:\Users\Buz\Desktop\MBR.dat"
18:46:58.579 The log file has been saved successfully to "C:\Users\Buz\Desktop\aswMBR2.txt"

#4 Buztafen


Posted 21 July 2012 - 03:52 PM

OK, I decided to use a System Restore from about a week ago, which is way before the problems started. The errors (with PeerBlock) which notified me to the infection appear to have gone. Everything seems fine now...has System Restore sorted my problem, or could there still be underlying problems?

Thanks for any advice.

#5 Buztafen


Posted 22 July 2012 - 06:22 AM

Seeing as no one has replied to this thread, I'll muddle on by myself. If it's in the wrong part of the forum I do apologise, but I'm going to continue for completeness.

After using System Restore I have re-run FSS and aswMBR. FSS seems fine, though I've only just started using it so don't fully understand it. However, aswMBR still comes up with 1 red error:-

\Driver\atapi[0xfffffa80039f6060] -> IRP_MJ_CREATE -> 0xfffffa80043042c0

Is there a way to get rid of this? Full logs are below:-

Farbar Service Scanner Version: 19-07-2012
Ran by Buz (administrator) on 22-07-2012 at 10:35:10
Running from "C:\Users\Buz\Desktop"
Microsoft Windows 7 Ultimate Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Attempt to access Yahoo IP returned error: Other errors
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Other Services:
==============

sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is set to Auto
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****

As always, thanks for looking, though don't be shy and post something if you like...anything will do...otherwise it's just me talking to myself. :(

Looking through the rest of the forum, it appears this thread may be better suited to the "Virus, Trojan, Spyware, and Malware Removal Logs" forum. Didn't see that before, sorry. Can the thread be moved there please? Thanks.

Mod Edit: Removed Aswmbr log, not allowed in this forum - Hamluis.

Edited by hamluis, 22 July 2012 - 02:48 PM.
Removed MRL forum data - Hamluis.


#6 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 22 July 2012 - 07:02 AM

Read the guide here on preparing logs

http://www.bleepingcomputer.com/forums/topic34773.html

and create a topic here

http://www.bleepingcomputer.com/forums/forum22.html

Good luck

#7 Buztafen


Posted 22 July 2012 - 10:38 AM

Thanks narenxp. Will do.

#8 narenxp


Posted 22 July 2012 - 11:11 AM

You're welcome :)

Edited by narenxp, 22 July 2012 - 11:11 AM.




