
Trojan Sirefef.A.61


This topic is locked. 24 replies to this topic.

#1 vorzsaka (Members)

Posted 26 December 2012 - 09:33 AM

Through an Adobe Flash Player update, my laptop was infected by a bundle of viruses which made it impossible to run exe files. With the help of your page I managed to remove "Vista Defender Virus" and with exefix_vista I could repair the registry and run the exe programmes again. I updated AVIRA to the 2013 version which several times removed ATRAPS.GEN /ATRAPS.GEN2. I am not sure whether these were removed completely, but when I ran AVIRA scan last time, no threats were reported.

At the moment AVIRA is constantly alerting that it is preventing an attack on C:\$RECYCLE.BIN\S-1-5-1\...\00000001.@ which contains TR/Sirefef.A.61.

I ran ESET smartinstaller. It reported:
Operating memory Win32/Sirefef.EV trojan

Windows firewall is also not working anymore

Plattform : Windows Vista ™ Home Premium
Windowsversion : (Service Pack 1) [6.0.6001]

Would very much appreciate your help.


#2 CatByte (bleepin' tiger, Malware Response Team)

Posted 26 December 2012 - 04:32 PM

Please do the following:

Download the appropriate version for your system of the Farbar Recovery Scan Tool and save it to a flash drive. (Choose the correct version depending on which architecture operating system you are using, 32bit (x86) or 64 (x64) bit)

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there
  • Press Scan button.
  • FRST will let you know when the scan is complete and has written the FRST.txt to file, close out this message, then type the following into the search box:
    services.exe
  • now press the search button
  • when the search is complete, search.txt will also be written to your USB
  • type exit and reboot the computer normally
  • please copy and paste both logs in your reply (FRST.txt and Search.txt)

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 vorzsaka (Topic Starter)

Posted 28 December 2012 - 08:59 AM

Thanks, that was fast! New info: when I started the computer, AVIRA detected ATRAPS.GEN /ATRAPS.GEN2. So they are looming somewhere.

I attached both files.

Attached files: FRST.txt, Search.txt

#4 CatByte (bleepin' tiger, Malware Response Team)

Posted 28 December 2012 - 04:11 PM

Please do the following:


Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$ff24043d55f85ce9a20a8337d9b4b888\n. ATTENTION! ====> ZeroAccess
1 eabfiltr;  [x]
C:\$Recycle.Bin\S-1-5-18\$ff24043d55f85ce9a20a8337d9b4b888
C:\$Recycle.Bin\S-1-5-21-2950035393-1782402527-456179780-1000\$ff24043d55f85ce9a20a8337d9b4b888
C:\$Recycle.Bin\S-1-5-18\$ff24043d55f85ce9a20a8337d9b4b888
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options then select Command Prompt

Run FRST (or FRST64 if you have the 64bit version) and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Reboot Normally.


NEXT



Refer to the ComboFix User's Guide

  • Download ComboFix from the following location: Link
    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply
    Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

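The fix script in this post targets two things: a COM server entry (the [Default-fastprox] InprocServer32 value) redirected into a hidden "$<hash>" directory under $Recycle.Bin, and those directories themselves, which FRST flags as ZeroAccess. As an added example, not from the thread, from FRST or from any of the tools named here, the script below shows how a responder could flag the same patterns when reading FRST-style output; the sample lines are constructed to mirror the entries quoted in this post and the Avira alert from the first post, since the real logs are attachments.

```python
import re
from typing import List, Tuple

# Constructed sample lines modelled on the fix script and alerts quoted in this
# thread; the real FRST.txt is an attachment, so these are illustrative only.
SAMPLE_LINES = [
    r"HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$ff24043d55f85ce9a20a8337d9b4b888\n. ATTENTION! ====> ZeroAccess",
    r"1 eabfiltr;  [x]",
    r"C:\$Recycle.Bin\S-1-5-18\$ff24043d55f85ce9a20a8337d9b4b888",
    r"C:\$Recycle.Bin\S-1-5-21-2950035393-1782402527-456179780-1000\$ff24043d55f85ce9a20a8337d9b4b888",
    r"C:\$RECYCLE.BIN\S-1-5-18\$ff24043d55f85ce9a20a8337d9b4b888\00000001.@",
    r"C:\$Recycle.Bin\S-1-5-21-2950035393-1782402527-456179780-1000\$RX1ABCD.txt",  # ordinary recycled file
    r"HKLM\...\InprocServer32: [Default] C:\Windows\System32\wbem\fastprox.dll",    # legitimate fastprox
]

# A "$<32 hex>" directory directly under a per-SID Recycle Bin folder. Windows itself
# only writes $R<id>/$I<id> entries there, so this shape is not a normal recycled item.
HIDDEN_STORE = re.compile(r"\\\$recycle\.bin\\S-1-5-[\d-]+\\\$[0-9a-f]{32}(\\|$)", re.I)
# Payload files named like 00000001.@ inside such a store (the path Avira was alerting on).
AT_FILE = re.compile(r"\\[0-9a-f]{8}\.@$", re.I)
# A COM server's InprocServer32 default value that loads its DLL from the Recycle Bin.
COM_FROM_RECYCLE = re.compile(r"InprocServer32:.*\]\s*\S*\\\$recycle\.bin\\", re.I)


def find_zeroaccess_indicators(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (rule_name, line) for every line matching one of the patterns above.

    Rules are checked from most to least specific, so each line yields one finding.
    """
    findings = []
    for line in lines:
        line = line.strip()
        if COM_FROM_RECYCLE.search(line):
            findings.append(("com_server_in_recycle_bin", line))
        elif HIDDEN_STORE.search(line) and AT_FILE.search(line):
            findings.append(("payload_file_in_hidden_store", line))
        elif HIDDEN_STORE.search(line):
            findings.append(("hidden_store_directory", line))
    return findings


if __name__ == "__main__":
    for rule, line in find_zeroaccess_indicators(SAMPLE_LINES):
        print(f"{rule:30} {line}")
```

The two benign lines (a normal $R recycled file and the genuine fastprox.dll under System32) produce no finding, which is the check that matters before acting on a hit.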


#5 vorzsaka (Topic Starter)

Posted 29 December 2012 - 03:09 AM

Thanks again. This time there have been some (minor?) deviations to the plan:
- Combofix installed the German version, some remarks in the log are in German. If necessary I can translate.
- I deactivated AVIRA (umbrella folded together) but Combofix reported that it is still active. So I tried to deactivate it using task manager but wasn't successful and ran Combofix nevertheless.
- Combofix rebooted the computer and AVIRA was active again during the final stage.

Attached files: Fixlog.txt, Combofix_log.txt

#6 CatByte (bleepin' tiger, Malware Response Team)

Posted 29 December 2012 - 10:03 AM

Please run the following:

Please download Junkware Removal Tool to your desktop.
  • Shutdown your antivirus to avoid any conflicts.
  • Right-mouse click JRT.exe and select Run as administrator
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message


NEXT


Download AdwCleaner from here and save it to your desktop.
  • Run AdwCleaner and select Delete
  • Once done it will ask to reboot, allow the reboot
  • On reboot a log will be produced, please attach the content of the log to your next reply


NEXT


Please download Malwarebytes Anti-Malware
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.




NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish



#7 vorzsaka (Topic Starter)

Posted 29 December 2012 - 04:15 PM

Looking good. ESET found nothing so I couldn't obtain a report. The other files are attached.

Attached files: JRT.txt, AdwCleaner-report.txt, mbam-log-2012-12-29 (19-09-45).txt

#8 CatByte (bleepin' tiger, Malware Response Team)

Posted 29 December 2012 - 05:03 PM

let's make sure there are no broken services, please run the following:

Please download MiniToolBox and save it to your desktop and run it.

Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List installed programs.

Click Go and post the result (Result.txt) that pops up. A copy of result.txt will be saved in the same directory the tool is run.

NEXT


Please download Farbar Service Scanner to your desktop and run it.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.



#9 vorzsaka (Topic Starter)

Posted 30 December 2012 - 02:36 AM

Did it.

Attached files: Result.txt, FSS.txt

#10 CatByte (bleepin' tiger, Malware Response Team)

Posted 30 December 2012 - 02:38 PM

yes, there are a couple of broken services, let's see if the ESET services repair tool can fix them, run the tool, then run another Farbar Service Scanner scan afterwards and post the new log. Java and Adobe reader need updating too:

please do the following:


Please download the ESET services repair tool, extract the file to your desktop.
  • Double-click ServicesRepair.exe,
  • If security notifications appear, click Continue or Run and then click Yes when asked if you want to proceed.
  • Once the tool has finished, you will be prompted to restart your computer. Click Yes to restart.
  • a log will be saved in the CCSupport folder the tool created on your desktop, please post the content in your next reply
 


now post a new FSS log too


NEXT

Visit ADOBE and download the latest version of Acrobat Reader (version XI)
Having the latest updates ensures there are no security vulnerabilities in your system.

NEXT

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 7 and Save it to your Desktop.
  • Scroll down to where it says Java SE 7u10
  • Click the Download button under JRE to the right.
  • Read the License Agreement then select Accept License Agreement
  • Click on the link to download Windows x86 Offline and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-7u10-windows-i586.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are three options in the window to clear the cache - Leave these two Checked

    Trace and Log Files
    Cached Applications and Applets
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.



#11 vorzsaka (Topic Starter)

Posted 30 December 2012 - 04:04 PM

First two steps were OK, the logs are attached. Acrobat update OK.

I tried to uninstall Java™ Updates 5 and 21 but I couldn't (no administrator rights !?). Any suggestions?


Also download of JRE very slow and broke up once (estimated download time 8h)!



Edited by vorzsaka, 30 December 2012 - 04:19 PM.


#12 CatByte (bleepin' tiger, Malware Response Team)

Posted 30 December 2012 - 04:28 PM

looks as though ESET services repair did what we needed it to do

try Javara for the old Java

Please download JavaRa to your desktop and unzip it to its own folder.
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Oracle Java's Website then click Search and click on the Open Webpage button.
  • Scroll down to the Java SE Runtime Environment (JRE) option.
  • Download and install the latest Java Runtime Environment (JRE) version for your computer.


if Javara doesn't uninstall the old Java, try Revo uninstaller

Download and install the Revo Uninstaller
  • Double click the new Revo Uninstaller icon on your desktop to start the program
  • Scroll through the listed programs and Right Click on the program you wish to uninstall
  • From the pop out menu choose Uninstall
  • Click Yes to the confirmation dialogue
  • In the next window select the Advanced mode
  • Click Next to start uninstalling the program
  • Answer Yes to confirm the uninstall
  • When the program has completed the four steps, click Next to allow the program to search for leftovers
  • Once complete, click Next, then Finish
  • Repeat the above steps for any other programs you wish to remove.



Let me know how that goes and if there are any outstanding issues



#13 vorzsaka (Topic Starter)

Posted 30 December 2012 - 05:00 PM

JavaRa didn't work. Revo got rid of the old Javas. Meanwhile jre-7u10-windows-i586 downloaded but didn't run. Message: jre-7u10-windows-i586 not allowed for a win32 application!

Update: downloaded jre-7u10-windows-i586 from another (reliable) source and will run it.

Edited by vorzsaka, 30 December 2012 - 05:05 PM.


#14 CatByte (bleepin' tiger, Malware Response Team)

Posted 30 December 2012 - 05:04 PM

delete the copy you have and download another from here

http://www.java.com/en/download/manual.jsp

make sure all other windows are closed and try it again

Edited by CatByte, 30 December 2012 - 05:05 PM.



#15 CatByte (bleepin' tiger, Malware Response Team)

Posted 30 December 2012 - 05:06 PM

ok, let me know how it goes

if all is ok, then we can clean up our tools
