
Infected with 64:sirefef/ad and unable to connect to domain


  • This topic is locked
3 replies to this topic

#1 midiean

midiean

  • Members
  • 2 posts

Posted 26 March 2013 - 05:16 PM

Pretty much sums it up. Have run MS Security Essentials and still have problems with connecting to the domain and slow system speeds.

Have run ComboFix and it seems to hang after completing stage_4. Problem occurred on the client's system last night or this morning. System is not receiving any AD data and mapped drives aren't connecting.


#2 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • Gender: Male
  • Location: USA

Posted 29 March 2013 - 09:30 AM

Hello midiean and welcome to BleepingComputer forums.

Backdoor trojan warning: ZeroAccess / Sirefef
This system has some serious backdoor trojans: ZeroAccess / Sirefef.

This is a point where you need to decide about whether to make a clean start.

According to the information provided in logs, one or more of the identified infections is a backdoor trojan. This allows hackers to remotely control your computer, steal critical system information, and download and execute files.
You are strongly advised to do the following immediately.
1. Contact your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and ask them to put a watch on your accounts or change all your account numbers.
2. From a clean computer, change ALL your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups.
3. Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information. These trojans leave a backdoor open on the system that can allow a hacker total and complete access to your computer (remote access trojan). Hackers can operate your computer just as if they were sitting in front of it. Hackers can watch everything you are doing on the computer, play tricks, do screenshots, log passwords, start and stop programs.

See this article on creating strong passwords: http://www.microsoft.com/security/online-privacy/passwords-create.aspx

* Take any other steps you think appropriate for an attempted identity theft.

You should also understand that once a system has been compromised by a Trojan backdoor, it can never really be trusted again unless you completely reformat the hard drives and reinstall Windows fresh.
While we usually can successfully remove malware like this, we cannot guarantee that it is totally gone, and that your system is completely safe to use for future financial information and/or transactions.

Here is some additional information:
What Is A Backdoor Trojan? http://www.geekstogo...backdoor-trojan
Danger: Remote Access Trojans http://www.microsoft...o/virusrat.mspx
Consumers Identity Theft http://www.ftc.gov/b...mers/index.html
When should I re-format? How should I reinstall? http://www.dslreports.com/faq/10063
How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud? http://www.dslreports.com/faq/10451

Let me know what you decide.

If you still wish to see if we can cure this, then start with the following.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs.
Do NOT turn off the firewall.

Task 1
Please download Rkill by Grinler and save it to your desktop.
  • Link 2
  • Link 3
  • Link 4
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 or 8, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
  • If your antivirus program gives a prompt message, respond positive to allow RKILL to run.
  • If a malware-rogue gives a message regarding RKILL, proceed forward to running RKILL.
  • IF you still have a problem running RKILL, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.

When all done, the rkill.txt log file will be on your desktop. Copy & paste the contents of Rkill.txt into a reply.

More information about Rkill can be found at this link: http://www.bleepingcomputer.com/forums/topic308364.html


Task 2
  • Download & SAVE to your Desktop Tigzy's RogueKiller >> from here << or >> from here <<
  • Quit all programs that you may have started.
  • Please disconnect any USB or external storage drives from the computer before you run this scan!
  • For Vista or Windows 7 / 8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.
    For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then click on the Scan button at upper right of screen.
  • Wait until the Status box shows "Scan Finished".
  • Click on Report and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop.
  • Do NOT press any Fix button.
  • Exit/Close RogueKiller.

~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#3 midiean

midiean
  • Topic Starter
  • Members
  • 2 posts

Posted 29 March 2013 - 11:59 AM

I've gone ahead and rebuilt the system. The virus had dumped approximately 250 GB of files in Temporary Internet Files and scanning became too prolonged for the client. Spent a day and a half working to simply remove the files to make scanning the system less time consuming.

Thanks for the advice, same instructions I give to my clients when they get hit by a nasty.

#4 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • Gender: Male
  • Location: USA

Posted 30 March 2013 - 09:13 AM

I wish you well.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)