
Sirefef.AG / Sirefef / Sirefef.AO / Sirefef.AN


41 replies to this topic

#1 Harold Robinson

  • Members
  • 22 posts

Posted 30 July 2012 - 10:56 AM

Microsoft Security Essentials reports infection by "Sirefef.AG / Sirefef / Sirefef.AO / Sirefef.AN". It keeps telling me that it's cleaning the infection, but it never does. Research on Google brought me here.

I am sorry, but in desperation I ran ComboFix. I was thinking that it would at least scan the system and tell me what was going on; instead it appears to have at least fixed some of the problems. Can you go through the logs and let me know if I need to do anything else? Remember, I ran ComboFix first, before reading the posting instructions. Before I ran ComboFix, I attempted to fix the problem with the online virus scanner from Kaspersky, and this really screwed things up by corrupting services.exe. I did manage to get services.exe copied from a known good source over to the laptop so that it would boot again.

I plan on wiping the laptop and installing the OS from scratch but I need it in its current configuration so that I can finish up a project I am working on.

Thank you for all your help

Sincerely,

Harold Robinson


#2 D-FRED-BROWN

    Resident Bracketologist
  • Malware Response Team
  • 834 posts

Posted 01 August 2012 - 02:32 PM

Hello and welcome to Bleeping Computer!

I am D-FRED-BROWN and I will be helping you. :)


Please print or save this topic. It will make it easier for you to follow the instructions and complete all of the necessary steps.


----------Step 1----------------
I know you've already run TDSSKiller before, but please run it one more time so we have an up-to-date idea of what may be remaining on the computer.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Skip is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: Do not choose Cure or Delete unless instructed.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

----------Step 2----------------
Please download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

***IMPORTANT: save ComboFix to your Desktop***

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please go here to see a list of programs that should be disabled.

**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall**

Please include the C:\ComboFix.txt in your next reply for further review.


----------Step 3----------------
Please download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

----------Step 4----------------
In your next reply, please include the following:
  • TDSSKiller's logfile
  • ComboFix's report (C:\ComboFix.txt)
  • Security Check checkup.txt
After that, please let me know: How is your computer running now? Do you have any questions or concerns you'd like me to address? Don't hesitate to ask. :)

#3 Harold Robinson

  • Topic Starter
  • Members
  • 22 posts

Posted 02 August 2012 - 10:47 AM

D-FRED-BROWN,

WOW! Very professional. Thank you for answering my questions.

Please find enclosed the following attachments:

1. TDSSKiller Log file -> None generated. Nothing found.
2. Combofix.txt
3. Checkup.txt

Also I received the following popup after Combofix finished its work.

Window title: "FLAM3-ANIMATE.EXE - System Error"
Window Message: "The Program can 't start because PTHREADGC2.DLL is missing from your computer. Try re-installing the program to fix this problem"
Button: "OK"

I clicked OK and logged into the laptop. Other than that it seems pretty quiet, and it seems to be a bit quicker than it has been in a few weeks. Funny, this all started when I looked in my system tray and found MSE (Microsoft Security Essentials) disabled. Then just before that, I had one single pop-up appear letting me know that Bridget from Russia is ready to chat. Before then, the laptop felt slightly sluggish, but because I felt it needed to be rebuilt, I just attributed that to "Windows bloat".

Let me know what I need to do next.

Sincerely,

Harold

Combofix.txt
Attached File  Combofix.txt   23.99KB   1 downloads

checkup.txt
Attached File  checkup.txt   1.05KB   1 downloads

#4 D-FRED-BROWN

    Resident Bracketologist
  • Malware Response Team
  • 834 posts

Posted 02 August 2012 - 02:13 PM

Window title: "FLAM3-ANIMATE.EXE - System Error"
Window Message: "The Program can 't start because PTHREADGC2.DLL is missing from your computer. Try re-installing the program to fix this problem"
Button: "OK"

I wouldn't worry about it; it happens from time to time.

Then just before that, I had one single pop-up appear letting me know that Bridget from Russia is ready to chat.

I think "Bridget" didn't really have "chatting" on her mind this time :lol:


----------Step 1----------------
Please do the following:

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KILLALL::

File::
c:\windows\system32\drivers\ikmppjzt.sys
c:\windows\system32\drivers\iaataqbh.sys
c:\windows\system32\drivers\qgoytopt.sys
c:\windows\CC1F6DA021D2425AB1B65B164A598450.TMP
C:\Windows\System32\Drivers\28360635.sys

Driver::
28360635
ikmppjzt
iaataqbh
qgoytopt

Reboot::


Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I shall require in your next reply.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Please include the newly-created C:\ComboFix.txt in your next reply, and let me know how things are running now ;)


----------Step 2----------------
We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

----------Step 3----------------
Please include both the ComboFix and OTL reports in your next reply, and let me know how things are running now.

#5 Harold Robinson

  • Topic Starter
  • Members
  • 22 posts

Posted 03 August 2012 - 01:17 PM

Hi D-Fred-Brown,

Here is the requested log.

The link you provided to me for OTL is down. I was getting 500 server errors last night, and this morning it will not connect at all.

The script you had me issue to ComboFix has made the computer much faster. I guess I gotta start using KUBUNTU and running Windows in a virtual machine. I run Windows only because my clients run Windows. You know, Office, Outlook, that sort of thing. I love to download free software and try it out. Usually this is for some problem I need to resolve, for example, converting an AVI to DVD. I am sure this is how I was infected. All the software looks legit enough. I usually don't have a problem, so this really surprised me.

Here is the log.
Attached File  ComboFix.txt   27.2KB   0 downloads

Let me know what else you would like me to do. I really appreciate all the time you have put into this.

How did you become a volunteer?

Sincerely,

Harold Robinson

#6 D-FRED-BROWN

    Resident Bracketologist
  • Malware Response Team
  • 834 posts

Posted 03 August 2012 - 02:25 PM

The link you provided to me for OTL is down. I was getting 500 server errors last night, and this morning it will not connect at all.

Try this link: http://www.itxassociates.com/OT-Tools/OTL.exe

Looks like the main link is down for some reason.


The script you had me issue to ComboFix has made the computer much faster. I guess I gotta start using KUBUNTU and running Windows in a virtual machine. I run Windows only because my clients run Windows. You know, Office, Outlook, that sort of thing. I love to download free software and try it out. Usually this is for some problem I need to resolve, for example, converting an AVI to DVD. I am sure this is how I was infected. All the software looks legit enough. I usually don't have a problem, so this really surprised me.

Glad to hear things are running better.

Yeah, it's tricky nowadays... I'd advise you to do some researching before you install a specific program.

You can also use www.virustotal.com to scan possibly suspicious files.


How did you become a volunteer?

I was trained at SpywareInfo Forum's 'Boot Camp'- there is a link in my signature ;) Let me know if you have any questions about training programs, I'd be happy to answer them :)

The following are websites that host training facilities: United Network of Instructors and Trained Eliminators

---------------------


For now, see if you have any luck with the new OTL link. Post up the report it creates when finished. :thumbup2:

#7 Harold Robinson

  • Topic Starter
  • Members
  • 22 posts

Posted 03 August 2012 - 06:40 PM

Ok,

Downloaded the requisite program and here is the log:

Attached File  OTL.Txt   197.77KB   2 downloads

I actually did follow that link and it sent me to a forum page. From there I started browsing the whole site. Have not had much time to go through it.

How many "tickets" do you handle in a particular week?

Harold

#8 D-FRED-BROWN

    Resident Bracketologist
  • Malware Response Team
  • 834 posts

Posted 04 August 2012 - 11:32 AM

How many "tickets" do you handle in a particular week?

There's no "set" requirement. You can do however many you like, really. Right now I think I'm around 20 or so (total, not per day).

---------------
We need to run an OTL Fix
  • Please reopen Posted Image on your desktop.
  • Copy and Paste the following code into the Posted Image textbox.
    :OTL
    [2012/07/24 13:31:21 | 000,043,480 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\drivers\qgoytopt.sys
    [2012/07/24 13:23:31 | 000,043,480 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\drivers\ikmppjzt.sys
    [2012/08/03 01:53:43 | 000,014,016 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    [2012/08/03 01:53:43 | 000,014,016 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    @Alternate Data Stream - 298 bytes -> C:\Windows\System32\drivers\qgoytopt.sys:changelist
    @Alternate Data Stream - 298 bytes -> C:\Windows\System32\drivers\ikmppjzt.sys:changelist
    
    :Commands
    [purity]
    [emptytemp]
    [emptyjava]
    [emptyflash]
    [Reboot]
    
  • Push Posted Image
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.
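A read-only verification a defender can run after the ComboFix script in #4 and the OTL fix in #8 above, added here as an example and not part of the thread, ComboFix or OTL; it assumes the driver names and System32 file names quoted in those scripts, and that it runs from an elevated PowerShell prompt:

```powershell
# Post-cleanup check for the artifacts named in this thread (hypothetical helper,
# written for this page, not part of ComboFix or OTL). It only reads; it changes nothing.

# Driver names taken from the CFScript (Driver::) and the OTL fix above.
$DriverNames = @('qgoytopt', 'ikmppjzt', 'iaataqbh', '28360635')
$DriverDir   = Join-Path $env:SystemRoot 'System32\drivers'

# The two System32 files the OTL fix moved out and the later FCopy:: script puts back.
$RestoredFiles = @(
    '7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0',
    '7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0'
) | ForEach-Object { Join-Path $env:SystemRoot "System32\$_" }

$Findings = foreach ($name in $DriverNames) {
    $sys = Join-Path $DriverDir "$name.sys"
    $svc = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"

    # A driver file still present after the fix means the File:: removal did not take.
    $fileExists = Test-Path -LiteralPath $sys
    # The Driver:: directive should also have removed the service registration.
    $svcExists  = Test-Path -LiteralPath $svc

    # The OTL log showed a ':changelist' alternate data stream on two of these drivers;
    # list every stream other than the default data stream if the file is still there.
    $ads = @()
    if ($fileExists) {
        $ads = Get-Item -LiteralPath $sys -Stream * -ErrorAction SilentlyContinue |
               Where-Object { $_.Stream -ne ':$DATA' } |
               Select-Object -ExpandProperty Stream
    }

    [pscustomobject]@{
        Driver         = $name
        FileStillThere = $fileExists
        ServiceKey     = $svcExists
        AltStreams     = ($ads -join ',')
    }
}

$Findings | Format-Table -AutoSize

# Both restored files should be back in System32; report either one that is missing.
foreach ($f in $RestoredFiles) {
    $state = if (Test-Path -LiteralPath $f) { 'present' } else { 'MISSING' }
    Write-Output ("{0}: {1}" -f $state, $f)
}
```

Every row should read False/False with an empty AltStreams column once the scripts have done their job; a True in either column is the item to raise in the next reply.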


#9 Harold Robinson

  • Topic Starter
  • Members
  • 22 posts

Posted 04 August 2012 - 05:40 PM

Ok,

Did what you requested. This is the LOG report from OTL.

Attached File  OTL-LOG.log   6.77KB   5 downloads

Also received the following windows:

http://imageshack.us/photo/my-images/401/screenhunter01aug041517.jpg

http://imageshack.us/photo/my-images/842/screenhunter02aug041528.jpg

Edited by Harold Robinson, 04 August 2012 - 05:43 PM.


#10 D-FRED-BROWN

    Resident Bracketologist
  • Malware Response Team
  • 834 posts

Posted 05 August 2012 - 01:28 PM

I think I know what caused that.

Please navigate to the following folder (in bold): C:\_OTL\MovedFiles\

There, you should see between 4-6 folders. Each should be called something like 08052012_130428, arranged in numerical order.

Double-click on the 3rd folder. Once inside, you should see yet another folder entitled C_Windows. Inside of C_Windows, you'll see another one called System32. Once inside System32, you'll see the file 7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0. (The final filepath should look something like C:\_OTL\MovedFiles\########_######\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0.)

Copy and paste the file above into your C:\Windows\System32\ directory.

Please do the same for the 4th folder in C:\_OTL\MovedFiles\... the file you'll be copying from there is called 7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0.

Let me know how things go.

#11 Harold Robinson

  • Topic Starter
  • Members
  • 22 posts

Posted 05 August 2012 - 05:03 PM

Hi again,

I tried to copy the file but it will not allow me to do that. It sees the file in the system32 folder but will not allow me to overwrite it.

Here is screen shot of the copy process:

http://imageshack.us/photo/my-images/521/screenhunter03aug051458.jpg

--Harold

#12 D-FRED-BROWN

    Resident Bracketologist
  • Malware Response Team
  • 834 posts

Posted 05 August 2012 - 05:14 PM

Don't use any program to copy the files, just do it normally as you would without one.

#13 Harold Robinson

  • Topic Starter
  • Members
  • 22 posts

Posted 05 August 2012 - 08:50 PM

All right, here you go.

TeraCopy is a program (you can download it for free) that replaces the Windows copy functions and makes them much faster. So this is how I would normally do this: right-click on the file, select Copy, then go to the System32 folder and paste it.

Just for clarity's sake, I decided to do this from the DOS prompt. As you can see from the image below, I get "Access Denied". I had to unhide these files so that I could use the DOS window to copy them.

http://imageshack.us/photo/my-images/29/screenhunter01aug051844.jpg

-- Harold

#14 D-FRED-BROWN

    Resident Bracketologist
  • Malware Response Team
  • 834 posts

Posted 05 August 2012 - 08:59 PM

Try this:

Please do the following:

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KILLALL::

FCopy::
C:\_OTL\MovedFiles\08042012_150318\C_Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 | C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
C:\_OTL\MovedFiles\08042012_150318\C_Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 | C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

Reboot::


Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I shall require in your next reply.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Please include the newly-created C:\ComboFix.txt in your next reply, and let me know how things are running now

#15 Harold Robinson

  • Topic Starter
  • Members
  • 22 posts

Posted 06 August 2012 - 01:40 AM

Sorry, but that did not fix my problem.

I was tempted to run it again. This is because ComboFix needed an update and I took it. I was thinking that maybe ComboFix forgot its script. According to the log, though, it looks like it was supposed to copy those files.

Here is the log for you to review.

Attached File  ComboFix.txt   29.41KB   1 downloads

Harold



