
Sirefef Trojan ||| Reboot Loop


  • This topic is locked
9 replies to this topic

#1 Stratego
  • Members
  • 6 posts

Posted 15 August 2012 - 02:41 PM

OS - Windows 7 32-bit

I have obtained the Sirefef trojan on my laptop and would like assistance in getting rid of it.
My situation is very similar to the one found in this topic.

I am afraid to use the Internet on my infected laptop, so I hope to use a USB flash drive to solve the problem (as in the above topic).

Let's tackle this problem together! You guys are great at what you do, and I admire your expertise. I'm ready to follow your lead!


Thanks,
Stratego



#2 Stratego
  • Topic Starter
  • Members
  • 6 posts

Posted 15 August 2012 - 06:07 PM

I do not have access to the System Recovery Options because I have misplaced my Windows 7 installation disc.

However, I still managed to use Farbar Recovery Scan Tool, although it was not in a recovery environment.
I think I should be okay.

The following is my FRST.txt:


Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 15-08-2012
Ran by Zack at 15-08-2012 16:40:14
Running from F:\
Service Pack 1 (X86) OS Language: English(US)
Attention: Could not load system hive.ERROR: The process cannot access the file because it is being used by another process.

ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNCTION PROPERLY.


============ One Month Created Files and Folders ==============

2012-08-15 16:31 - 2012-08-15 16:40 - 00000000 ____D C:\FRST
2012-08-15 14:31 - 2012-08-15 16:04 - 00000914 ____A C:\Windows\PFRO.log
2012-08-15 14:14 - 2012-08-15 14:14 - 00000000 ____D C:\Users\All Users\ESET
2012-08-15 14:08 - 2012-08-15 14:14 - 00000000 ____D C:\Program Files\ESET
2012-08-15 03:06 - 2012-08-15 16:37 - 00001512 ____A C:\Windows\setupact.log
2012-08-15 03:06 - 2012-08-15 03:06 - 00000000 ____A C:\Windows\setuperr.log
2012-08-14 21:18 - 2012-08-14 21:18 - 00000000 ____D C:\Windows\System32\%APPDATA%
2012-08-09 18:10 - 2012-08-09 18:10 - 00098304 ____A (Sony DADC Austria AG.) C:\Windows\System32\CmdLineExt.dll
2012-08-07 23:20 - 2012-08-07 23:21 - 00000000 ____D C:\Users\Zack\AppData\Local\{444C18B3-E601-48F9-8F3C-E32039587937}
2012-08-07 23:20 - 2012-08-07 23:20 - 00000000 ____D C:\Users\Zack\AppData\Local\{3D76711C-E527-4528-BC03-EE107F1E9789}
2012-08-07 18:57 - 2012-08-07 18:57 - 00000000 ____D C:\Users\Zack\AppData\Local\Apple Computer
2012-08-07 18:55 - 2012-08-07 18:55 - 00000000 ____D C:\Users\Zack\AppData\Roaming\Apple Computer
2012-08-07 18:53 - 2012-08-15 00:31 - 00000000 ____D C:\Users\All Users\Apple Computer
2012-08-07 18:53 - 2012-08-07 18:54 - 00000000 ____D C:\Program Files\QuickTime
2012-08-07 18:50 - 2012-08-07 18:50 - 00000000 ____D C:\Users\Zack\AppData\Local\Apple
2012-08-07 18:49 - 2012-08-07 18:49 - 00000000 ____D C:\Users\All Users\Apple
2012-08-07 18:41 - 2012-08-07 18:48 - 39483256 ____A (Apple Inc.) C:\Users\Zack\Downloads\QuickTimeInstaller.exe
2012-07-19 02:27 - 2012-07-19 02:27 - 00003440 ____A C:\Users\Zack\.recently-used.xbel

============ 3 Months Modified Files ========================

2012-08-15 16:38 - 2011-09-15 13:52 - 00017408 ____A C:\Windows\System32\rpcnetp.exe
2012-08-15 16:38 - 2011-09-14 14:27 - 00058288 ____A (Absolute Software Corp.) C:\Windows\System32\rpcnet.dll
2012-08-15 16:38 - 2009-07-14 00:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-08-15 16:37 - 2012-08-15 03:06 - 00001512 ____A C:\Windows\setupact.log
2012-08-15 16:35 - 2009-07-13 19:11 - 00259072 ____A C:\Windows\System32\services.exe
2012-08-15 16:34 - 2012-04-06 18:06 - 01996453 ____A C:\Windows\WindowsUpdate.log
2012-08-15 16:05 - 2011-09-15 13:53 - 00017408 ____A C:\Windows\System32\rpcnetp.dll
2012-08-15 16:04 - 2012-08-15 14:31 - 00000914 ____A C:\Windows\PFRO.log
2012-08-15 14:15 - 2009-07-14 00:34 - 00019744 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-08-15 14:15 - 2009-07-14 00:34 - 00019744 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-08-15 03:06 - 2012-08-15 03:06 - 00000000 ____A C:\Windows\setuperr.log
2012-08-15 00:59 - 2012-03-02 13:40 - 00702900 ____A C:\Windows\System32\perfh015.dat
2012-08-15 00:59 - 2012-03-02 13:40 - 00136818 ____A C:\Windows\System32\perfc015.dat
2012-08-15 00:59 - 2012-03-02 13:04 - 00623376 ____A C:\Windows\System32\perfh01F.dat
2012-08-15 00:59 - 2012-03-02 13:04 - 00123504 ____A C:\Windows\System32\perfc01F.dat
2012-08-15 00:59 - 2011-05-16 08:24 - 03911108 ____A C:\Windows\System32\PerfStringBackup.INI
2012-08-14 22:23 - 2009-07-14 00:53 - 00032654 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-08-10 15:21 - 2009-07-14 00:57 - 00067584 ___AS C:\Windows\bootstat(45).dat
2012-08-09 18:10 - 2012-08-09 18:10 - 00098304 ____A (Sony DADC Austria AG.) C:\Windows\System32\CmdLineExt.dll
2012-08-07 18:48 - 2012-08-07 18:41 - 39483256 ____A (Apple Inc.) C:\Users\Zack\Downloads\QuickTimeInstaller.exe
2012-08-04 13:38 - 2012-04-06 18:06 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-08-04 13:38 - 2011-05-16 09:40 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-07-19 02:27 - 2012-07-19 02:27 - 00003440 ____A C:\Users\Zack\.recently-used.xbel
2012-07-14 18:43 - 2012-07-14 18:43 - 16559808 ____A (Mozilla) C:\Users\Zack\Downloads\Firefox Setup 13.0.1.exe
2012-07-09 01:17 - 2012-07-09 01:14 - 00069853 ____A C:\Users\All Users\LUInstall.LiveUpdate
2012-06-26 16:24 - 2012-06-26 16:17 - 00000006 ____A C:\Users\Zack\Downloads\settings
2012-06-24 18:45 - 2012-06-24 18:22 - 00000291 ____A C:\Windows\PowerReg.dat
2012-06-10 20:02 - 2011-11-18 12:17 - 00000107 ____A C:\Users\Zack\webct_upload_applet.properties
2012-06-07 22:59 - 2011-09-15 14:28 - 00013160 ____A (Absolute Software Corp.) C:\Windows\System32\Upgrd.exe
2012-06-07 22:59 - 2011-09-14 14:27 - 00058288 ____N (Absolute Software Corp.) C:\Windows\System32\rpcnet.exe
2012-06-04 13:42 - 2010-08-21 17:13 - 00049592 ____A (Absolute Software Corp.) C:\Windows\System32\pkgslv.exe
2012-06-04 13:42 - 2010-08-21 17:13 - 00046008 ____A (Absolute Software Corp.) C:\Windows\System32\pkgmgr.dll
2012-06-03 20:53 - 2012-06-03 20:54 - 00476960 ____A (Sun Microsystems, Inc.) C:\Windows\System32\npdeployJava1.dll
2012-06-03 20:53 - 2012-06-03 20:54 - 00157472 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaws.exe
2012-06-03 20:53 - 2012-06-03 20:54 - 00149280 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaw.exe
2012-06-03 20:53 - 2012-06-03 20:54 - 00149280 ____A (Sun Microsystems, Inc.) C:\Windows\System32\java.exe
2012-06-03 20:53 - 2012-01-11 18:01 - 00472864 ____A (Sun Microsystems, Inc.) C:\Windows\System32\deployJava1.dll
2012-05-20 19:15 - 2012-05-20 19:15 - 00446764 __RSH C:\KPRUF
2012-05-19 21:07 - 2011-05-16 09:43 - 00001945 ____A C:\Windows\epplauncher.mif
2012-05-19 20:57 - 2012-05-19 20:57 - 00052156 ____A C:\Windows\System32\Drivers\KmxAgent.asc
2012-05-19 20:55 - 2012-05-19 20:33 - 00006108 ____A C:\Windows\System32\FDInstall.log


ZeroAccess:
C:\Windows\Installer\{67c1ec62-15ba-835a-9e46-e313afe21a1e}
C:\Windows\Installer\{67c1ec62-15ba-835a-9e46-e313afe21a1e}\L
C:\Windows\Installer\{67c1ec62-15ba-835a-9e46-e313afe21a1e}\U
C:\Windows\Installer\{67c1ec62-15ba-835a-9e46-e313afe21a1e}\L\00000004.@

ZeroAccess:
C:\Users\Zack\AppData\Local\{67c1ec62-15ba-835a-9e46-e313afe21a1e}
C:\Users\Zack\AppData\Local\{67c1ec62-15ba-835a-9e46-e313afe21a1e}\@
C:\Users\Zack\AppData\Local\{67c1ec62-15ba-835a-9e46-e313afe21a1e}\L
C:\Users\Zack\AppData\Local\{67c1ec62-15ba-835a-9e46-e313afe21a1e}\U

ZeroAccess:
C:\Windows\assembly\GAC\Desktop.ini

========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe
[2009-07-13 19:11] - [2012-08-15 16:35] - 0259072 ____A () D41D8CD98F00B204E9800998ECF8427E

C:\Windows\System32\services.exe IS INFECTED. <===== ATTENTION!

C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

========================= Memory info ======================

Percentage of memory in use: 32%
Total physical RAM: 3574.04 MB
Available physical RAM: 2424.41 MB
Total Pagefile: 7146.37 MB
Available Pagefile: 5810.44 MB
Total Virtual: 2047.88 MB
Available Virtual: 1962.4 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:298.09 GB) (Free:104.06 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
4 Drive f: () (Removable) (Total:0.95 GB) (Free:0.95 GB) FAT

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 298 GB 1024 KB
Disk 1 Online 973 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 298 GB 31 KB

==================================================================================

Disk: 0
DiskPart has encountered an error: The RPC server is unavailable.
See the System Event Log for more information.

==================================================================================

Partitions of Disk 1:
===============

DiskPart has encountered an error: The RPC server is unavailable.
See the System Event Log for more information.

==================================================================================

Last Boot: 2012-08-10 01:31

======================= End Of Log ==========================

#3 Stratego
  • Topic Starter
  • Members
  • 6 posts

Posted 15 August 2012 - 06:10 PM

The standout above appears to be services.exe.
Therefore, I conducted a search using the Farbar Recovery Scan Tool for services.exe.

Here is the result of my Search.txt:


Farbar Recovery Scan Tool Version: 15-08-2012
Ran by Yes at 2012-08-15 18:26:58
Running from F:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
[2009-07-13 19:11] - [2009-07-13 21:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows\System32\services.exe
[2009-07-13 19:11] - [2012-08-15 16:43] - 0259072 ____A () D41D8CD98F00B204E9800998ECF8427E

=== End Of Search ===

#4 CatByte
    bleepin' tiger
  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 16 August 2012 - 06:09 PM

Unfortunately, the fix for FRST has to be run in the recovery environment.

Did you check to see if your machine has the recovery environment pre-installed on your computer?

Try this:

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.



Let me know if you are able to access that way.

If not, you can create a recovery disk

follow the instructions here

http://www.howtogeek.com/howto/5409/create-a-system-repair-disc-in-windows-7/


Once you are in the recovery environment, run the following fix:


Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad window and select Paste.) Save it on the flash drive as fixlist.txt

start
C:\Windows\Installer\{67c1ec62-15ba-835a-9e46-e313afe21a1e}
C:\Users\Zack\AppData\Local\{67c1ec62-15ba-835a-9e46-e313afe21a1e}
C:\Windows\assembly\GAC\Desktop.ini
replace: C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe C:\Windows\System32\services.exe
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options then select Command Prompt

Run FRST (or FRST64 if you have the 64bit version) and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Reboot Normally.


NEXT



Refer to the ComboFix User's Guide

  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Edited by CatByte, 16 August 2012 - 06:10 PM.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 Stratego
  • Topic Starter
  • Members
  • 6 posts

Posted 19 August 2012 - 12:03 AM

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 15-08-2012
Ran by Zack at 2012-08-15 23:44:19 Run:1
Running from F:\

==============================================

C:\Windows\Installer\{67c1ec62-15ba-835a-9e46-e313afe21a1e} moved successfully.
C:\Users\Zack\AppData\Local\{67c1ec62-15ba-835a-9e46-e313afe21a1e} moved successfully.

==== End of Fixlog ====

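A note and an added example from the editor, not from the thread, its participants or FRST itself. The digest FRST reports for C:\Windows\System32\services.exe in post #3, D41D8CD98F00B204E9800998ECF8427E, is the MD5 of zero bytes: whatever the tool hashed was empty, even though the size it reports (259072) equals that of the WinSxS copy, which carries a different hash and a Microsoft company string. The Fixlog above records only the two directory moves; re-running the same FRST search after the fix and checking that the System32 copy now carries the WinSxS hash is the check that confirms the replace took. The Python below (editor's code; the two search entries and the ZeroAccess paths are copied from the log as constructed samples, and the verdict strings and function names are the editor's own) does that comparison, recognises the empty-input digest, and picks out the {GUID}\L, \U, \@ directory layout FRST flagged.

```python
"""Added triage helper (not part of the thread or of FRST): parse FRST 'Search:'
entries, compare each copy of a system binary against its WinSxS reference copy,
and recognise the MD5 of empty input, which is what a hasher reports when it is
handed no file contents at all."""
import hashlib
import re
from typing import Dict, List

# MD5 of zero bytes: d41d8cd98f00b204e9800998ecf8427e. Seeing it beside a
# non-zero file size means the digest was taken over no data, not over the file.
EMPTY_INPUT_MD5 = hashlib.md5(b"").hexdigest()

# Constructed sample: the two services.exe entries from the Search.txt in the thread.
SAMPLE_SEARCH = r"""
================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
[2009-07-13 19:11] - [2009-07-13 21:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows\System32\services.exe
[2009-07-13 19:11] - [2012-08-15 16:43] - 0259072 ____A () D41D8CD98F00B204E9800998ECF8427E

=== End Of Search ===
"""

# Constructed sample: the paths FRST listed under its "ZeroAccess:" headings.
SAMPLE_ZA_PATHS = [
    r"C:\Windows\Installer\{67c1ec62-15ba-835a-9e46-e313afe21a1e}\L",
    r"C:\Windows\Installer\{67c1ec62-15ba-835a-9e46-e313afe21a1e}\U",
    r"C:\Windows\Installer\{67c1ec62-15ba-835a-9e46-e313afe21a1e}\L\00000004.@",
    r"C:\Users\Zack\AppData\Local\{67c1ec62-15ba-835a-9e46-e313afe21a1e}\@",
    r"C:\Windows\assembly\GAC\Desktop.ini",  # listed by FRST, but not a GUID-directory hit
]

# One FRST metadata line: [created] - [modified] - size attrs (company) MD5
META_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) "
    r"(?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)

# {GUID}\L, {GUID}\U or {GUID}\@ directly under a directory: the layout FRST flags.
ZA_PATH_RE = re.compile(
    r"\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\\(?:L|U|@)(?:\\|$)",
    re.IGNORECASE,
)


def parse_search(text: str) -> List[Dict[str, object]]:
    """Pair each path line with the metadata line that follows it."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    entries: List[Dict[str, object]] = []
    for i in range(len(lines) - 1):
        path, meta = lines[i], META_RE.match(lines[i + 1])
        if path and not path.startswith(("[", "=")) and meta:
            entry: Dict[str, object] = dict(meta.groupdict())
            entry["path"] = path
            entry["md5"] = str(entry["md5"]).lower()
            entry["size"] = int(str(entry["size"]))
            entries.append(entry)
    return entries


def assess(entries: List[Dict[str, object]]) -> Dict[str, str]:
    """Verdict per path, using the WinSxS copy of the same file name as reference."""
    by_name: Dict[str, List[Dict[str, object]]] = {}
    for e in entries:
        name = str(e["path"]).rsplit("\\", 1)[-1].lower()
        by_name.setdefault(name, []).append(e)
    verdicts: Dict[str, str] = {}
    for copies in by_name.values():
        refs = [c for c in copies if "\\winsxs\\" in str(c["path"]).lower()]
        ref = refs[0] if refs else None
        for c in copies:
            path = str(c["path"])
            if c is ref:
                verdicts[path] = "REFERENCE (WinSxS)"
            elif c["md5"] == EMPTY_INPUT_MD5:
                verdicts[path] = "UNREADABLE: MD5 of empty input, contents not hashed"
            elif ref is None:
                verdicts[path] = "NO REFERENCE COPY"
            elif c["md5"] != ref["md5"] or c["size"] != ref["size"]:
                verdicts[path] = "MISMATCH vs WinSxS copy"
            else:
                verdicts[path] = "MATCHES WinSxS copy"
    return verdicts


def zeroaccess_dirs(paths: List[str]) -> set:
    """Parent {GUID} directories of any path laid out like the FRST 'ZeroAccess:' hits."""
    found = set()
    for p in paths:
        m = ZA_PATH_RE.search(p)
        if m:
            found.add(p[: m.end()].rstrip("\\").rsplit("\\", 1)[0])
    return found


if __name__ == "__main__":
    for path, verdict in assess(parse_search(SAMPLE_SEARCH)).items():
        print(f"{verdict:52} {path}")
    for d in sorted(zeroaccess_dirs(SAMPLE_ZA_PATHS)):
        print("ZeroAccess-style directory:", d)
```

Run it against a saved Search.txt by passing the file's text to parse_search; after a replace, the System32 entry should move from the UNREADABLE verdict to MATCHES WinSxS copy. The empty-input digest is worth keying on explicitly because a plain "hash differs" check would put it in the same bucket as a patched binary, while it actually tells you the scanner never saw the file's bytes.
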
#6 Stratego
  • Topic Starter
  • Members
  • 6 posts

Posted 19 August 2012 - 12:37 AM

My computer is running very smoothly now.
Thanks so much!

Any last steps to make sure my computer is clean?

#7 CatByte
    bleepin' tiger
  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 19 August 2012 - 07:15 AM

Yes, we need to run several more scans to make sure there are no leftovers. Stay with me till I give you the "all clear"; we don't want this regenerating.

If you could, please move on to ComboFix (the instructions are above, just below where I gave the instructions for the FRST fix).


thanks



#8 Stratego
  • Topic Starter
  • Members
  • 6 posts

Posted 19 August 2012 - 01:19 PM

I'm hesitant to use ComboFix after reading about problems that other users have encountered.

May we proceed using a different strategy?

#9 CatByte
    bleepin' tiger
  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 19 August 2012 - 07:47 PM

This is the best and safest tool to use, and I know how to use it and what to do if there is a problem; you'll be fine.

The cautions are for people not to use the tool without the assistance of a trained helper.

It is of course up to you whether you proceed with me or not.



#10 CatByte
    bleepin' tiger
  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 25 August 2012 - 05:04 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
