
Infected with Win32/Sirefef.gen!C


7 replies to this topic

#1 sayakb

sayakb

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bentonville AR
  • Local time:06:53 AM

Posted 21 June 2013 - 02:46 AM

Hey guys,

 

I'm Sayak and I'm currently residing in the US. My company sent me here from India to work for a client. Obviously they spent a lot on me, so the fact that uninterrupted work is more important to them than anything else goes without saying!

 

After a rough day at work, I got my hands on a video that wouldn't play. Frustrated, I did two things I never do: 1. Installed something on my work laptop and 2. Got that installer off the internet. It was supposed to be a codec pack. Turned out to be packed with a ZeroAccess rootkit program - pleasant surprise. Now, I wasn't completely insane: I did scan it before running, but the geniuses at my office have shoved Symantec Endpoint Security down our throats - which is as effective as a potato.

 

I started noticing that SSL sites stopped opening in Chrome, so I quickly did some research, downloaded MS Security Essentials and managed to kill the virus. Or so I thought!! I could no longer use the internet on my laptop.

 

After 3 hours of reading surprisingly accurate threads on the forum (on my phone btw, and it was so tedious thanks to the awesome codec pack that I installed), I finally managed to get everything up and running.

 

So thanks to you guys at Bleeping Computer, I am not losing my job!! Kudos guys, you made my day!

 

Sayak


Edited by hamluis, 23 June 2013 - 08:36 AM.
Merged with AII topic - Hamluis.




#2 Zestypanda

Zestypanda

  • Members
  • 603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Sunny San Diego, California.
  • Local time:06:53 AM

Posted 21 June 2013 - 03:02 AM

I, along with many other bleepin members here are honored, and feel warm and fuzzy that we've been able to help another person in our quest to slay all bugs and foibles that plague us computer users. ~Zestypanda

Have a question, or just wanna chat? Send me a message. Or add me as a friend.

 


#3 sayakb

sayakb
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bentonville AR
  • Local time:06:53 AM

Posted 23 June 2013 - 03:08 AM

Hi Guys,

 

A few days back, I was infected with this nasty rootkit malware. I wasn't able to open SSL pages in Chrome. I installed Security Essentials, which essentially removed it, but the malware had corrupted my afd.sys file so I had no internet. Walking through some posts here, I fixed them.

 

But today again, I am not able to download anything using the browsers as the virus scan reports that "it failed" in chrome and "virus detected" in IE. I have attached my FSS logs below. Can you guys tell me how bad it is? Do I have any options but to wait for my office to ship me a Windows setup CD and purge everything on my hard drive?

 

Also, I backed up some data from this laptop to my phone. Does this malware do anything to Android (I hope it can't replicate in a Linux-based environment)? And when I copy those files back to my laptop later, do I have chances of re-infecting? I have some PDFs, images and an Outlook PST file in my backup.

 

So, the logs:

 

Farbar Service Scanner Version: 16-06-2013
Ran by Sayak_Banerjee (administrator) on 23-06-2013 at 03:04:05
Running from "C:\Users\sayak_banerjee\Documents\Setups\Utils"
Windows 7 Enterprise Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************
 
Internet Services:
============
 
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.
 
 
Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.
 
MpsSvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
 
bfe Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
 
 
Firewall Disabled Policy: 
==================
 
 
System Restore:
============
 
System Restore Disabled Policy: 
========================
 
 
Action Center:
============
 
wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
 
Action Center Notification Icon =====> Unable to open HKLM\...\ShellServiceObjects\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A} key. The key does not exist.
 
 
Windows Update:
============
wuauserv Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
 
BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
 
 
Windows Autoupdate Disabled Policy: 
============================
 
 
Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
 
 
Other Services:
==============
Checking Start type of SharedAccess: ATTENTION!=====> Unable to open SharedAccess registry key. The service key does not exist.
Checking ImagePath of SharedAccess: ATTENTION!=====> Unable to open SharedAccess registry key. The service key does not exist.
Checking ServiceDll of SharedAccess: ATTENTION!=====> Unable to open SharedAccess registry key. The service key does not exist.
Checking Start type of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
Checking ImagePath of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
Checking ServiceDll of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
 
 
File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys
[2012-04-16 04:56] - [2011-04-24 22:24] - 0338944 ____A (Microsoft Corporation) C427F91A748CD342A2B3F9278D9FD6A5
 
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
 
ATTENTION!=====> C:\Program Files\Windows Defender\MpSvc.dll Reparse point on file detected.
 
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit
 
 
**** End of log ****

 

I removed that reparse point once before. The malware injected it again. :(

I have Symantec Endpoint protection and MS Security essentials running on my laptop right now.


Edited by sayakb, 23 June 2013 - 04:49 AM.


#4 sayakb

sayakb
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bentonville AR
  • Local time:06:53 AM

Posted 23 June 2013 - 04:41 PM

Some updates here:

 

1. I ran ESET Service Repair.

2. I uninstalled Security Essentials.

3. I scanned my PC with Malwarebytes Anti-Rootkit, which found 15 malware-infected files and removed them.

 

Here's my latest FSS log:

 

Farbar Service Scanner Version: 16-06-2013
Ran by Sayak_Banerjee (administrator) on 23-06-2013 at 16:39:36
Running from "C:\Users\sayak_banerjee\Documents\Setups\Utils"
Windows 7 Enterprise Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************
 
Internet Services:
============
 
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.
 
 
Windows Firewall:
=============
 
Firewall Disabled Policy: 
==================
 
 
System Restore:
============
 
System Restore Disabled Policy: 
========================
 
 
Action Center:
============
 
 
Windows Update:
============
 
Windows Autoupdate Disabled Policy: 
============================
 
 
Windows Defender:
==============
 
Other Services:
==============
 
 
File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys
[2012-04-16 04:56] - [2011-04-24 22:24] - 0338944 ____A (Microsoft Corporation) C427F91A748CD342A2B3F9278D9FD6A5
 
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit
 
 
**** End of log ****

 

So guys, what else can I do to ensure that the nasty malware is gone?
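
The two FSS logs above are read by eye in the thread; the following Python script, added here as an example and not part of FSS, Rkill or any poster's toolkit, does that triage mechanically. It extracts the services whose registry keys FSS reports missing, other missing keys (the Action Center icon entry), files flagged with a reparse point, and files FSS printed with attributes and hash instead of "MD5 is legit" (afd.sys in both logs). The sample log embedded in the script is a condensed, constructed copy of the first log posted above; the dictionary key names and the `summarize` wording are my own.

```python
"""Triage a Farbar Service Scanner (FSS) log.

Added example (not FSS, Rkill or any poster's code): pulls out of the log
text the services whose registry keys are missing, files flagged with a
reparse point, and files FSS did not mark "MD5 is legit".
"""
import re

# Constructed sample: a condensed copy of the first FSS log posted in the thread.
SAMPLE_FSS_LOG = r"""
Farbar Service Scanner Version: 16-06-2013
Windows 7 Enterprise Service Pack 1 (X86)

Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.

bfe Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.

Action Center Notification Icon =====> Unable to open HKLM\...\ShellServiceObjects\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A} key. The key does not exist.

wuauserv Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.

Checking Start type of SharedAccess: ATTENTION!=====> Unable to open SharedAccess registry key. The service key does not exist.

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys
[2012-04-16 04:56] - [2011-04-24 22:24] - 0338944 ____A (Microsoft Corporation) C427F91A748CD342A2B3F9278D9FD6A5

C:\Windows\system32\Drivers\tdx.sys => MD5 is legit

ATTENTION!=====> C:\Program Files\Windows Defender\MpSvc.dll Reparse point on file detected.

C:\Windows\system32\svchost.exe => MD5 is legit
**** End of log ****
"""

NOT_RUNNING_RE = re.compile(r"^(\S+) Service is not running\.")
SERVICE_KEY_RE = re.compile(r"Unable to open (\S+) registry key\. The service key does not exist\.")
OTHER_KEY_RE = re.compile(r"Unable to open (\S+) key\. The key does not exist\.")
FILE_OK_RE = re.compile(r"^(.+?) => MD5 is legit$")
REPARSE_RE = re.compile(r"^ATTENTION!=====> (.+?) Reparse point on file detected\.$")
BARE_PATH_RE = re.compile(r"^[A-Za-z]:\\\S.*$")
# "[created] - [modified] - size attrs (company) MD5": what FSS prints when the hash is not on its list
DETAIL_RE = re.compile(r"^\[.+?\] - \[.+?\] - (\d+) (\S+) \((.*?)\) ([0-9A-Fa-f]{32})$")


def parse_fss_log(text):
    """Return findings grouped by kind, each list in log order and de-duplicated."""
    findings = {
        "services_not_running": [],
        "missing_service_keys": [],
        "missing_other_keys": [],
        "reparse_points": [],
        "files_ok": [],
        "files_unverified": [],   # (path, md5) pairs FSS printed instead of "MD5 is legit"
    }

    def add(kind, item):
        if item not in findings[kind]:
            findings[kind].append(item)

    pending_path = None  # a bare path line waiting for its attribute/hash line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if pending_path and (m := DETAIL_RE.match(line)):
            add("files_unverified", (pending_path, m.group(4).upper()))
            pending_path = None
            continue
        pending_path = None
        if m := NOT_RUNNING_RE.match(line):
            add("services_not_running", m.group(1))
        elif m := SERVICE_KEY_RE.search(line):
            add("missing_service_keys", m.group(1))
        elif m := OTHER_KEY_RE.search(line):
            add("missing_other_keys", m.group(1))
        elif m := REPARSE_RE.match(line):
            add("reparse_points", m.group(1))
        elif m := FILE_OK_RE.match(line):
            add("files_ok", m.group(1))
        elif BARE_PATH_RE.match(line):
            pending_path = line
    return findings


def summarize(findings):
    """One line per finding kind that needs attention, for a quick read-out."""
    lines = []
    if findings["missing_service_keys"]:
        lines.append("Service keys missing (repair needed): " + ", ".join(findings["missing_service_keys"]))
    if findings["missing_other_keys"]:
        lines.append("Other keys missing: " + ", ".join(findings["missing_other_keys"]))
    if findings["reparse_points"]:
        lines.append("Reparse points on files: " + ", ".join(findings["reparse_points"]))
    for path, md5 in findings["files_unverified"]:
        lines.append(f"Not marked legit by FSS, verify the hash separately: {path} ({md5})")
    return lines


if __name__ == "__main__":
    for entry in summarize(parse_fss_log(SAMPLE_FSS_LOG)):
        print(entry)
```

Run it against a saved FSS.txt by replacing `SAMPLE_FSS_LOG` with the file's contents. Note that a file FSS lists with attributes and hash is one whose MD5 is not on its known-good list, which is a prompt to check the hash elsewhere, not by itself proof of tampering.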



#5 Zestypanda

Zestypanda

  • Members
  • 603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Sunny San Diego, California.
  • Local time:06:53 AM

Posted 24 June 2013 - 12:50 PM

Well, it looks like it tampered with your System Restore and Security Center.


 


#6 Zestypanda

Zestypanda

  • Members
  • 603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Sunny San Diego, California.
  • Local time:06:53 AM

Posted 24 June 2013 - 12:57 PM

"I have Symantec Endpoint protection and MS Security essentials running on my laptop right now." It is never a good idea to run more than one antivirus program on your pc, this can cause system instability. ~Zestypanda


 


#7 sayakb

sayakb
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bentonville AR
  • Local time:06:53 AM

Posted 25 June 2013 - 01:18 AM

"I have Symantec Endpoint protection and MS Security essentials running on my laptop right now." It is never a good idea to run more than one antivirus program on your pc, this can cause system instability. ~Zestypanda

 

I know, hence I removed it! I just installed it once to do a full scan.



#8 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New York
  • Local time:07:53 AM

Posted 25 June 2013 - 08:42 AM

Hello sayakb,

 

You were infected with the ZeroAccess rootkit, and this latest variant will create symbolic links on the Windows Defender folder. The ESET service repair seems to have repaired the services, but we'll need to check on the junctions that may still be present.

 

Rkill has been updated to detect the symbolic links, so let's run a scan with that and post the log here.

 

Please download Rkill by Grinler and save it to your desktop.

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.

bloopie
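
bloopie's point is that the services may be repaired while junctions or symbolic links in the Windows Defender folder are still present, which is what the FSS "Reparse point on file detected" line was about. The Python script below, added here as an example and not Rkill's, FSS's or any poster's code, walks a folder without following links and reports every entry that is itself a reparse point. On Windows it reads the FILE_ATTRIBUTE_REPARSE_POINT bit from `os.lstat()`, which covers junctions as well as symbolic links; on other systems it falls back to `os.path.islink` so the logic can be exercised anywhere. The Defender path is the one FSS flagged above; `build_demo_tree` is a constructed fixture of my own.

```python
"""Find reparse points (symbolic links and, on Windows, junctions) under a folder.

Added example, not Rkill's or FSS's own code.  DEFENDER_DIR is the folder the
FSS log flagged; build_demo_tree() is a constructed fixture for trying it out.
"""
import os
import stat
import sys
import tempfile

DEFENDER_DIR = r"C:\Program Files\Windows Defender"  # folder flagged in the FSS log above


def is_reparse_point(path):
    """True if the directory entry itself (not its target) is a reparse point."""
    st = os.lstat(path)
    attrs = getattr(st, "st_file_attributes", None)  # present on Windows only
    if attrs is not None:
        # Covers junctions and other reparse tags, not only symbolic links.
        return bool(attrs & stat.FILE_ATTRIBUTE_REPARSE_POINT)
    return os.path.islink(path)  # portable fallback: symbolic links only


def find_reparse_points(root):
    """Walk root without following links; return sorted (entry, target_or_None) pairs."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            try:
                if not is_reparse_point(full):
                    continue
                try:
                    target = os.readlink(full)
                except OSError:
                    target = None  # a reparse tag readlink cannot decode
                hits.append((full, target))
            except OSError:
                continue  # entry vanished or is unreadable; skip it, do not abort the scan
    return sorted(hits)


def build_demo_tree():
    """Constructed fixture: a temp folder holding one real file and one symbolic
    link to it, standing in for the MpSvc.dll reparse point FSS reported."""
    root = tempfile.mkdtemp(prefix="defender_demo_")
    real = os.path.join(root, "MpSvc.dll")
    with open(real, "wb") as fh:
        fh.write(b"placeholder bytes")  # constructed content, not a real DLL
    link = os.path.join(root, "MpSvc_link.dll")
    os.symlink(real, link)
    return root, real, link


if __name__ == "__main__":
    # Scan the folder given on the command line, or the Defender folder by default.
    root = sys.argv[1] if len(sys.argv) > 1 else DEFENDER_DIR
    found = find_reparse_points(root)
    print(f"{len(found)} reparse point(s) under {root}")
    for entry, target in found:
        print(f"  {entry} -> {target}")
```

A reparse point on a file that should be a plain binary (a service DLL in a program folder) is the thing to investigate; a clean result here, together with a clean FSS file check, is what Rkill's log is expected to confirm.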





