
Suspected Sirefef Infection


This topic is locked
12 replies to this topic

#1 Bokkman

Bokkman

  • Members
  • 32 posts

Posted 17 June 2013 - 04:56 AM

Hi,

 

I'm running 64bit Win7.

 

Yesterday I had a notification about Microsoft Security Essentials, my Firewall and a device driver.

This evening, I've attempted to troubleshoot it to no avail, and after some internet reading, I believe I've contracted Sirefef.

I cannot run Microsoft Security Essentials, nor can I uninstall or download pretty much any other AV program. The download box informs me the file is a virus and has been deleted. Malwarebytes ran, found a trojan but it kinda glitched and I'm not sure if it removed it or not.

Other than disabling my security, I haven't noticed anything else.

 

Your help would be much appreciated.

 

 




#2 Jimbob85

Jimbob85

  • Members
  • 308 posts
  • Gender:Male
  • Location:VA, USA

Posted 17 June 2013 - 09:00 AM

Hi,

 

Let's see what we can find out.

 

Please Download Rkill

    Double-click on the Rkill desktop icon to run the tool.
    If using Vista or Win. 7, right-click on it and Run as administrator.
    A black DOS box will show and then disappear (wait for it to go away).  This is normal and indicates the tool ran successfully.
    If not, delete the file, then download and use the one provided in Link 2.
    If the tool does not run, or if it seems to have taken too long, please let me know.


Do not reboot the computer until you have run the applications listed below, otherwise you will have to run Rkill again.
Post the log that Rkill makes, on your desktop, in your next post.
 

 

Along with the Rkill log please also rerun Malwarebytes (aka MBAM) after Rkill and post both the "current" log and the previous MBAM log as well.

 

If you do have sirefef (aka ZeroAccess) you will need elevated help.



#3 Bokkman

Bokkman
  • Topic Starter

  • Members
  • 32 posts

Posted 17 June 2013 - 02:06 PM

Hi Jimbo,

 

Once Rkill finishes downloading, I get 'This file was a virus and has been deleted'.

Am using IE10, if that matters.



#4 Jimbob85

Jimbob85

  • Members
  • 308 posts
  • Gender:Male
  • Location:VA, USA

Posted 17 June 2013 - 02:10 PM

If you would please post any logs that you have.  Malwarebytes (aka MBAM) and Microsoft Security Essentials (aka MSE).  If you don't have any logs and there are things in quarantine please post the names of the infections.



#5 Bokkman

Bokkman
  • Topic Starter

  • Members
  • 32 posts

Posted 18 June 2013 - 02:19 AM

Hi Jimbo,

 

MSE is out of the question at the moment - courtesy of the infection, it won't run at all, won't uninstall, nor can I download and install a new copy.

Here is a log of MBAM - full scan, database updated:

****************************************************

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.06.18.01

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16618
Business :: BUSINESS-P [administrator]

18/06/2013 5:56:44 p.m.
mbam-log-2013-06-18 (17-56-44).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 364767
Time elapsed: 1 hour(s), 9 minute(s),

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

***********************************************************************************************



#6 Jimbob85

Jimbob85

  • Members
  • 308 posts
  • Gender:Male
  • Location:VA, USA

Posted 18 June 2013 - 07:35 AM

Okay.  Let's see if we can be sneaky and find a way to get Rkill to run.

 

You will NEED to do this from another pc.  If you don't have another pc let me know and try the next option.

  Please see post #2.

  Download Rkill and save it to a flash drive or to a CD.

  When you save it save it as:  0618.com  NOTICE this is NOT the default name this is on purpose.

  Plug your flash drive (or cd) into the infected pc and run the saved version of Rkill from the flash drive\cd.

 

If the above doesn't work try this:

  Open INTERNET EXPLORER

  RUN http://download.bleepingcomputer.com/dl/9f89de3e430b59bb925608af4268dda6/51c052fb/windows/security/security-utilities/f/fixexec/FixExec.com

  This will, if it runs, stop malware and then ask if you want to proceed.

  When it asks if you want to proceed say NO, this will close the program.

 

If either of these work please post the log report that they produce.  They should be on your desktop.



#7 Bokkman

Bokkman
  • Topic Starter

  • Members
  • 32 posts

Posted 18 June 2013 - 01:58 PM

Hi Jimbo,

 

I only have the one computer in my house.

I've tried downloading Rkill to a USB drive as directed, and also tried running and saving FixExec (even saving with a random file name).

 

Both times, IE download box informs me the file was a virus and has been deleted.

 

I should be able to go to a friend's house tonight and download what I need and try running them off the USB drive.

If this is the direction you want me to go in, can you please list all the apps I need to download (as I want to avoid multiple trips).

 

Thanks.



#8 Jimbob85

Jimbob85

  • Members
  • 308 posts
  • Gender:Male
  • Location:VA, USA

Posted 18 June 2013 - 02:07 PM

In that case I think it's time to move on to elevated help.  Please be patient as the Malware Response Team is very busy.  You will be in good hands.

 

Please follow the instructions in ==>This Guide<== starting at Step 6.  If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==  Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.
 



#9 Bokkman

Bokkman
  • Topic Starter

  • Members
  • 32 posts

Posted 19 June 2013 - 04:29 AM

Hi Jimbo,

 

Just to throw a curve-ball to keep things interesting...

I've proceeded to download DDS as per Step 6 on the linked page, and of course IE10 deleted the file (keep in mind ANY file I download with IE10 is deleted).

I thought I'd fire up Firefox and what do you know, it downloaded and saved. I've also successfully downloaded RKill.

I'll back-track and pick up from your posts above.

 

I kinda considered switching browsers, but didn't think it would work!

Will post logs soon.



#10 Bokkman

Bokkman
  • Topic Starter

  • Members
  • 32 posts

Posted 19 June 2013 - 04:32 AM

Rkill log (Ran from USB stick):

 

Rkill 2.5.3 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 06/19/2013 09:30:11 PM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * ALERT: ZEROACCESS Reparse Point/Junction found!

     * C:\Program Files\Microsoft Security Client\Backup => c:\windows\system32\config\ [Dir]
     * C:\Program Files\Microsoft Security Client\DbgHelp.dll => c:\windows\system32\config [File]
     * C:\Program Files\Microsoft Security Client\Drivers => c:\windows\system32\config\ [Dir]
     * C:\Program Files\Microsoft Security Client\en-us => c:\windows\system32\config\ [Dir]
     * C:\Program Files\Microsoft Security Client\EppManifest.dll => c:\windows\system32\config [File]
     * C:\Program Files\Microsoft Security Client\MpAsDesc.dll => c:\windows\system32\config [File]
     * C:\Program Files\Microsoft Security Client\MpClient.dll => c:\windows\system32\config [File]
     * C:\Program Files\Microsoft Security Client\MpCmdRun.exe => c:\windows\system32\config [File]
     * C:\Program Files\Microsoft Security Client\MpCommu.dll => c:\windows\system32\config [File]
     * C:\Program Files\Microsoft Security Client\mpevmsg.dll => c:\windows\system32\config [File]
     * C:\Program Files\Microsoft Security Client\MpOAv.dll => c:\windows\system32\config [File]
     * C:\Program Files\Microsoft Security Client\MpRTP.dll => c:\windows\system32\config [File]
     * C:\Program Files\Microsoft Security Client\MpSvc.dll => c:\windows\system32\config [File]
     * C:\Program Files\Microsoft Security Client\MSESysprep.dll => c:\windows\system32\config [File]
     * C:\Program Files\Microsoft Security Client\MsMpCom.dll => c:\windows\system32\config [File]
     * C:\Program Files\Microsoft Security Client\MsMpEng.exe => c:\windows\system32\config [File]
     * C:\Program Files\Microsoft Security Client\MsMpLics.dll => c:\windows\system32\config [File]
     * C:\Program Files\Microsoft Security Client\MsMpRes.dll => c:\windows\system32\config [File]
     * C:\Program Files\Microsoft Security Client\msseces.exe => c:\windows\system32\config [File]
     * C:\Program Files\Microsoft Security Client\msseoobe.exe => c:\windows\system32\config [File]
     * C:\Program Files\Microsoft Security Client\msseooberes.dll => c:\windows\system32\config [File]
     * C:\Program Files\Microsoft Security Client\MsseWat.dll => c:\windows\system32\config [File]
     * C:\Program Files\Microsoft Security Client\NisIpsPlugin.dll => c:\windows\system32\config [File]
     * C:\Program Files\Microsoft Security Client\NisLog.dll => c:\windows\system32\config [File]
     * C:\Program Files\Microsoft Security Client\NisSrv.exe => c:\windows\system32\config [File]
     * C:\Program Files\Microsoft Security Client\NisWFP.dll => c:\windows\system32\config [File]
     * C:\Program Files\Microsoft Security Client\Setup.exe => c:\windows\system32\config [File]
     * C:\Program Files\Microsoft Security Client\SetupRes.dll => c:\windows\system32\config [File]
     * C:\Program Files\Microsoft Security Client\shellext.dll => c:\windows\system32\config [File]
     * C:\Program Files\Microsoft Security Client\sqmapi.dll => c:\windows\system32\config [File]
     * C:\Program Files\Microsoft Security Client\SymSrv.dll => c:\windows\system32\config [File]
     * C:\Program Files\Microsoft Security Client\SymSrv.yes => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\en-US => c:\windows\system32\config\ [Dir]
     * C:\Program Files\Windows Defender\MpAsDesc.dll => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MpClient.dll => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MpCmdRun.exe => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MpCommu.dll => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MpEvMsg.dll => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MpOAV.dll => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MpRTP.dll => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MpSvc.dll => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MSASCui.exe => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MsMpCom.dll => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MsMpLics.dll => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MsMpRes.dll => c:\windows\system32\config [File]
     * C:\windows\winsxs\amd64_security-malware-windows-defender-events_31bf3856ad364e35_6.1.7600.16385_none_118cf1dcd54a3dea\MpEvMsg.dll => c:\windows\system32\config [File]
     * C:\windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306\MpAsDesc.dll => c:\windows\system32\config [File]
     * C:\windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306\MpClient.dll => c:\windows\system32\config [File]
     * C:\windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306\MpCmdRun.exe => c:\windows\system32\config [File]
     * C:\windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306\MpCommu.dll => c:\windows\system32\config [File]
     * C:\windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306\MpOAV.dll => c:\windows\system32\config [File]
     * C:\windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306\MpRTP.dll => c:\windows\system32\config [File]
     * C:\windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306\MpSvc.dll => c:\windows\system32\config [File]
     * C:\windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306\MSASCui.exe => c:\windows\system32\config [File]
     * C:\windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306\MsMpCom.dll => c:\windows\system32\config [File]
     * C:\windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306\MsMpLics.dll => c:\windows\system32\config [File]
     * C:\windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306\MsMpRes.dll => c:\windows\system32\config [File]

Checking Windows Service Integrity:

 * No issues found.

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * No issues found.

Program finished at: 06/19/2013 09:31:17 PM
Execution time: 0 hours(s), 1 minute(s), and 5 seconds(s)
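The "ZEROACCESS Reparse Point/Junction found" block in the Rkill log above is the finding that explains the whole thread: every file and folder under the Microsoft Security Essentials and Windows Defender directories has been replaced by a link pointing at c:\windows\system32\config, so the product cannot load its own components, run, or uninstall. The following Python script is an added example, not code from the thread and not Rkill's own implementation, showing how a defender reproduces that check in triage: walk a product directory without following links, report every reparse point or symlink with its target, and flag the ones whose target leaves the product directory. On Windows it reads the reparse-point attribute from `os.lstat`; on POSIX it falls back to symlink detection. The functions (`find_redirected_entries`, `points_outside`, `format_report`, `build_demo_tree`, `demo`) are this example's own names, and the directory tree it scans is constructed in a temporary folder so the script runs offline.

```python
import os
import stat
import tempfile


def is_reparse_point(path):
    """True if `path` itself is a link: a Windows reparse point (symlink or
    junction, via st_file_attributes) or a POSIX symlink. lstat is used so the
    link is inspected rather than whatever it points at."""
    st = os.lstat(path)
    attrs = getattr(st, "st_file_attributes", 0)           # present on Windows only
    flag = getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0)
    return bool(attrs & flag) or stat.S_ISLNK(st.st_mode)


def link_target(path):
    """Where the link points, or a placeholder if the target cannot be read."""
    try:
        return os.readlink(path)
    except OSError:
        return "<unreadable>"


def points_outside(root, entry, target):
    """True if the link target resolves to a location outside `root`.
    A security product's own directory should never contain links that lead
    somewhere else, so this is the triage signal worth alerting on."""
    root_abs = os.path.abspath(root)
    resolved = os.path.abspath(os.path.join(os.path.dirname(entry), target))
    try:
        return os.path.commonpath([root_abs, resolved]) != root_abs
    except ValueError:                                     # different drives on Windows
        return True


def find_redirected_entries(root):
    """Walk `root` without following links and return one sorted
    (entry, target, kind) tuple per reparse point / symlink found."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if is_reparse_point(full):
                kind = "Dir" if name in dirnames else "File"
                findings.append((full, link_target(full), kind))
    return sorted(findings)


def format_report(root, findings):
    """Rkill-style lines: '* <entry> => <target> [Dir]', plus a marker when
    the target escapes the product directory."""
    lines = []
    for entry, target, kind in findings:
        tag = "  (OUTSIDE product dir)" if points_outside(root, entry, target) else ""
        lines.append(f"* {entry} => {target} [{kind}]{tag}")
    return lines


def build_demo_tree(base):
    """Constructed sample layout (this example's own, not from the thread):
    a product directory in which one subdirectory and one file have been
    swapped for links into a 'system' directory, as in the Rkill log."""
    product = os.path.join(base, "Program Files", "Security Client")
    system = os.path.join(base, "Windows", "System32", "config")
    os.makedirs(product)
    os.makedirs(system)
    with open(os.path.join(product, "intact.dll"), "w") as f:
        f.write("untouched component")                     # must NOT be reported
    with open(os.path.join(system, "hive.bin"), "w") as f:
        f.write("stand-in for a system file")
    os.symlink(system, os.path.join(product, "Drivers"), target_is_directory=True)
    os.symlink(os.path.join(system, "hive.bin"), os.path.join(product, "MsMpEng.exe"))
    return product


def demo():
    """Build the sample tree in a temp dir, scan it, print the report and
    return (relative entry, kind, escapes product dir) for each finding."""
    with tempfile.TemporaryDirectory() as tmp:
        product = build_demo_tree(tmp)
        findings = find_redirected_entries(product)
        for line in format_report(product, findings):
            print(line)
        return [(os.path.relpath(entry, product), kind, points_outside(product, entry, target))
                for entry, target, kind in findings]


if __name__ == "__main__":
    demo()
```

To use it against a live system, call `find_redirected_entries` on each installed product directory (for this thread, the two `C:\Program Files` paths Rkill listed) and review anything `format_report` marks as outside the product directory; the intact file in the sample tree shows that ordinary files are left out of the report.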



#11 Jimbob85

Jimbob85

  • Members
  • 308 posts
  • Gender:Male
  • Location:VA, USA

Posted 19 June 2013 - 07:31 AM

It looks like your assumption of having ZeroAccess (aka ZA) is correct.  At this point you will need help from the Malware Response Team (aka MRT) as we are not allowed to use certain types of tools here.  Please follow the instructions that I posted in post number 8.  Make a link to this topic in your first post there along with a note about being infected with ZA.  Please be patient as the MRT is very busy and best of luck.  You will be in good hands.



#12 Jimbob85

Jimbob85

  • Members
  • 308 posts
  • Gender:Male
  • Location:VA, USA

Posted 20 June 2013 - 07:53 AM

OP now has help here:  http://www.bleepingcomputer.com/forums/t/498578/sirefefzeroaccess-infected-microsoft-security-essentials-disabled/



#13 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,331 posts
  • Gender:Male
  • Location:NJ USA

Posted 20 June 2013 - 10:57 AM

As you have help in the MR forum, I closed this to avoid confusion.



