Sirefef infection using svchost


  • This topic is locked
63 replies to this topic

#1 joeljunk
  • Members
  • 37 posts

Posted 03 September 2012 - 10:33 PM

Recently Windows Defender found Sirefef related files on my Windows 7 Home Premium SP1 x64 system. Using Process Explorer I was able to find that the file Windows Defender flagged was being created by a C:\Windows\SysWOW64\svchost.exe process. Looking further I found that this same process was launching dozens of TCP connections to a seemingly random list of web addresses. If I kill or suspend the rogue process it gets restarted within several minutes.

Next I attempted to fix the problem with TDSSKiller but it did not detect anything. Finally I tried ComboFix (without having been instructed to -- sorry). It seemed to be working, but then after the reboot I saw its blue DOS window appear and then quickly disappear about 30 times or so, and after that there was nothing and there was no log file in c:\. So I'm not sure it completed successfully. After that I successfully uninstalled it.

thanks in advance,
JJ

Edited by joeljunk, 03 September 2012 - 10:52 PM.
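As an added example that is not part of this thread, the following Windows PowerShell script triages the symptom described in the post above: it lists every running svchost.exe, checks who started it, where its image lives and how it was launched, and attaches the TCP connections that netstat attributes to it. It assumes an elevated Windows PowerShell prompt; Get-WmiObject and netstat -ano are used (rather than the newer CIM and Get-NetTCPConnection cmdlets) so it also runs on Windows 7. The list of legitimate image paths and the connection-count threshold of 10 are assumptions chosen for illustration.

```powershell
# Added example (not from the thread): flag svchost.exe instances that do not look like
# a genuine Service Host. Run from an elevated Windows PowerShell prompt.
$windir = $env:SystemRoot

# Assumption: a real svchost.exe lives in one of these two places
# (System32 for 64-bit service hosts, SysWOW64 for 32-bit ones).
$legitPaths = @("$windir\System32\svchost.exe", "$windir\SysWOW64\svchost.exe")

# Snapshot all processes once so parent lookups are a hashtable hit.
$all = Get-WmiObject Win32_Process
$byPid = @{}
foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

# Parse "netstat -ano" into remote endpoints per owning PID.
# Line shape: "  TCP    10.0.0.5:49213    203.0.113.7:80    ESTABLISHED    1234"
$tcpByPid = @{}
foreach ($line in (netstat -ano)) {
    if ($line -match '^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$') {
        $owner = [int]$Matches[4]
        if (-not $tcpByPid.ContainsKey($owner)) { $tcpByPid[$owner] = @() }
        $tcpByPid[$owner] += "$($Matches[2]) [$($Matches[3])]"
    }
}

foreach ($proc in ($all | Where-Object { $_.Name -ieq 'svchost.exe' })) {
    $reasons = @()
    $parent = $byPid[[int]$proc.ParentProcessId]
    $parentName = if ($parent) { $parent.Name } else { '<exited>' }

    # 1. The Service Control Manager (services.exe) starts every real svchost.exe.
    if ($parentName -ine 'services.exe') {
        $reasons += "parent is $parentName, not services.exe"
    }

    # 2. The image path should be one of the known locations (-contains is case-insensitive).
    if ($legitPaths -notcontains $proc.ExecutablePath) {
        $reasons += "unexpected image path '$($proc.ExecutablePath)'"
    }

    # 3. A genuine svchost.exe is launched with "-k <service group>"; a bare command line is odd.
    if ($proc.CommandLine -notmatch '\s-k\s') {
        $reasons += "no -k service group on the command line"
    }

    # 4. Assumed threshold: more than 10 TCP connections from one host process is worth a look.
    $conns = $tcpByPid[[int]$proc.ProcessId]
    if ($conns -and $conns.Count -gt 10) {
        $reasons += "$($conns.Count) TCP connections"
    }

    if ($reasons.Count -gt 0) {
        Write-Output ("PID {0}  {1}" -f $proc.ProcessId, $proc.ExecutablePath)
        foreach ($r in $reasons) { Write-Output "    ! $r" }
        foreach ($c in $conns)   { Write-Output "    -> $c" }
        Write-Output ""
    }
}
```

Note that a SysWOW64 path by itself is not suspicious (32-bit service hosts legitimately run from there), which is why the parent, command line and connection checks carry the weight. ParentProcessId can point at a PID that has since been reused, so treat a surprising parent as a lead to confirm in Process Explorer rather than as proof; the same goes for an empty ExecutablePath, which usually means the prompt was not elevated.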



#2 B-boy/StyLe/ (Bleepin' Freestyler)
  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 06 September 2012 - 06:27 AM

Hello joeljunk! Welcome to BleepingComputer Forums!

My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:
  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested ! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.



STEP 1



  • Please download RKill by Grinler from the link below and save it to your desktop.

    RKill
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious.
    Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista/7, please right-click on it and select Run As Administrator).
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply.
  • A logfile of Rkill will be saved on your desktop. Please add its content with your next answer.
  • Note: Do not reboot the computer until you've finished the next step.


STEP 2


  • Please download RogueKiller and save to the desktop.
  • Close all windows and browsers
  • Right-click the program and select 'Run as Administrator'
  • Press the scan button.
  • A report opens on the desktop named - RKreport.txt
  • Please post it in your next reply.



STEP 3



Please follow the instructions below:


  • Please download OTL from the link below:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • OTL should now start. Change the following settings:
    - Click on the Scan All Users checkbox given at the top.
    - Under File Scans, change File age to 90
    - Change Standard Registry to All
    - Check the boxes beside LOP Check and Purity Check
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.
  • Don't copy the word "quoted"

    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %SYSTEMDRIVE%\*.*
    %USERPROFILE%\*.*
    %USERPROFILE%\temp\*.exe
    %USERPROFILE%\AppData\Local\*.*
    %USERPROFILE%\AppData\Local\*.
    %USERPROFILE%\AppData\Local\temp\*.exe
    %USERPROFILE%\AppData\Roaming\*.*
    %USERPROFILE%\AppData\Roaming\*.
    %Public%\Documents\Softwrap\YOYOGAMESGM70FINAL\*.exe
    %Public%\Documents\Fonts\*.exe
    %Public%\Documents\Config\*.exe
    %Public%\Documents\*.*
    %ProgramData%\*.*
    %ProgramData%\*.
    %CommonProgramFiles%\*.*
    %CommonProgramFiles%\ComObjects*.exe
    %PROGRAMFILES%\*.*
    %PROGRAMFILES%\*.
    %ProgramFiles(x86)%\*.*
    %ProgramFiles(x86)%\*.
    %systemroot%\system32\config\systemprofile\AppData\Local\*.*
    %systemroot%\system32\config\systemprofile\AppData\Roaming\*.*
    %windir%\SysWOW64\config\systemprofile\AppData\Local\*.*
    %windir%\SysWOW64\config\systemprofile\AppData\Roaming\*.*
    %windir%\ServiceProfiles\LocalService\AppData\Local\Temp\*.tlb
    %windir%\ServiceProfiles\NetworkService\AppData\Local\Temp\*.tlb
    %windir%\temp\*.exe
    %windir%\*.
    %windir%\installer\*.
    %windir%\system32\*.
    %windir%\sysnative\*.
    %Temp%\smtmp\1\*.*
    %Temp%\smtmp\2\*.*
    %Temp%\smtmp\3\*.*
    %Temp%\smtmp\4\*.*
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\syswow64\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /90
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\syswow64\drivers\*.sys /90
    %systemroot%\syswow64\drivers\*.sys /lockedfiles
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /rp /s
    %systemroot%\assembly\tmp\*.* /S /MD5
    %systemroot%\assembly\temp\*.* /S /MD5
    %systemroot%\assembly\GAC\*.ini
    %systemroot%\assembly\GAC_32\*.ini
    %systemroot%\assembly\GAC_64\*.ini
    %SystemRoot%\assembly\GAC_MSIL\*.ini
    HKEY_CLASSES_ROOT\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24} /s
    HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} /s
    HKEY_CURRENT_USER\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24} /s
    HKEY_CLASSES_ROOT\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F} /s
    HKEY_CLASSES_ROOT\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9} /s
    HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F} /s
    HKEY_CURRENT_USER\Software\MSOLoad /s
    >C:\commands.txt echo list vol /raw /hide /c
    /wait
    >C:\DiskReport.txt diskpart /s C:\commands.txt /raw /hide /c
    /wait
    type c:\diskreport.txt /c
    /wait
    erase c:\commands.txt /hide /c
    /wait
    erase c:\diskreport.txt /hide /c
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    consrv.dll
    services.exe
    explorer.exe
    lsass.exe
    svchost.exe
    wininit.exe
    winlogon.exe
    userinit.exe
    atapi.sys
    iaStor.sys
    serial.sys
    volsnap.sys
    disk.sys
    redbook.sys
    i8042prt.sys
    afd.sys
    netbt.sys
    csc.sys
    tcpip.sys
    dfsc.sys
    hlp.dat
    str.sys
    crexv.ocx
    /md5stop

  • Push the Run Scan button.
  • One report will open, copy and paste it in a reply here:
    • OTL.txt <-- Will be opened


Regards,
Georgi



#3 joeljunk
  • Topic Starter
  • Members
  • 37 posts

Posted 07 September 2012 - 11:36 PM

I've followed your instructions. Nothing unexpected happened. The first 2 logs are attached. The 3rd I've pasted here per your request (as "Private" and to expire in 30 days).

Thanks for your help,
JJ

Edited by joeljunk, 07 September 2012 - 11:50 PM.


#4 B-boy/StyLe/ (Bleepin' Freestyler)
  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 08 September 2012 - 05:17 AM

Hi,


The logs from Rkill and RogueKiller are clean.
Can you please attach the OTL.txt and Extras.txt in your next reply since I am not registered at pastebin.
Also, do you have a folder called C:\Qoobox? If so, please zip that folder and upload it here.



Regards,
Georgi



#5 joeljunk
  • Topic Starter
  • Members
  • 37 posts

Posted 08 September 2012 - 09:29 AM

Here's the first one.

#6 joeljunk
  • Topic Starter
  • Members
  • 37 posts

Posted 08 September 2012 - 09:35 AM

The Extras.txt file is saying it's "too big to upload" so I put it on pastebin here as "Public" and to expire in 30 days.

#7 joeljunk
  • Topic Starter
  • Members
  • 37 posts

Posted 08 September 2012 - 09:36 AM

No, I don't have a C:\Qoobox folder.

#8 B-boy/StyLe/ (Bleepin' Freestyler)
  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 09 September 2012 - 08:20 PM

Hi,



  • Please download BlitzBlank by emsisoft and save it to your desktop.
  • Open Blitzblank.exe by double click on it.
  • Click OK at the warning (and take note of it, this is a VERY powerful tool!).
  • Click the Script tab and copy/paste the following text there:

    DeleteFolder:
    C:\Users\joeljenica\AppData\Local\{f536b490-5c66-a61e-9483-f5b244077cbb}

  • Click Execute Now. Your computer will need to reboot in order to replace the files.
  • When done, post me the report created by Blitzblank. You can find it at the root of the drive C:\



Regards,
Georgi



#9 joeljunk
  • Topic Starter
  • Members
  • 37 posts

Posted 10 September 2012 - 09:32 PM

Here it is.

#10 B-boy/StyLe/ (Bleepin' Freestyler)
  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 11 September 2012 - 07:21 AM

Hi,



Let's check for leftovers from ZeroAccess:
You will need a flash drive.

For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
For 64-bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Click on Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for the x64 version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the flash drive. Please copy and paste it to your reply.



Regards,
Georgi



#11 joeljunk
  • Topic Starter
  • Members
  • 37 posts

Posted 12 September 2012 - 08:10 PM

Here it is.

#12 B-boy/StyLe/ (Bleepin' Freestyler)
  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 12 September 2012 - 11:53 PM

Hi,


  • Please download a fresh copy of Combofix from here.
  • Save it to your Desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.
  • Double click it & follow the prompts.
  • If you receive a UAC prompt asking if you want to continue running the program, you should press the Continue button.
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
  • Note: After running Combofix, you may receive an error about "illegal operation on a registry key that has been marked for deletion." If you receive this error, please reboot and it should disappear.

Do not touch your mouse/keyboard until the ComboFix scan has completed, as this may cause the process to stall or the computer to lock.



Regards,
Georgi



#13 B-boy/StyLe/ (Bleepin' Freestyler)
  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 15 September 2012 - 07:15 AM

Hi,


Are you still with me?



Regards,
Georgi



#14 joeljunk
  • Topic Starter
  • Members
  • 37 posts

Posted 16 September 2012 - 03:41 PM

Yes, I'm still here.

I've had some trouble with the ComboFix. It seemed to be running normally and then after it rebooted the machine it launched a series of DOS windows, hundreds of them, one at a time. I don't know whether that's normal, but it went on launching them for a very very long time (over 2 hrs?). Then when it seemed to be finished the machine was barely usable for lack of memory (I suppose) and I couldn't check for the log file so I rebooted. But when I logged into my user again the flickering DOS windows started all over again and this time after a very long run it crashed and stopped (CF13270.3XE Application Error). There was no log file in C:\. I have rebooted once again and once again the DOS windows have started (which, by the way, makes the machine completely unusable since the flickering DOS windows continually steal focus).

Can you please advise what I can do about this?

Edited by joeljunk, 16 September 2012 - 06:48 PM.


#15 joeljunk
  • Topic Starter
  • Members
  • 37 posts

Posted 16 September 2012 - 06:44 PM

Here's another update:
The third run of the flickering DOS windows finished and there was no crash this time. Also, I found the log at C:\ComboFix\ComboFix.txt (see attachment).

And I still have the problem that whenever I reboot the ComboFix flickering DOS windows start up again.

Thanks for your help.

Edited by joeljunk, 16 September 2012 - 06:52 PM.




