Another Sirefef Infection

Not “another” as in I’ve gotten it before, but because I’m noticing that this forum and other places are having a lot of requests for help with this. Was pretty stupid in getting this one. Not going to go into how because it’s embarrassing to my ego. lol

Very sure I have this one. PING.EXE was running before I started a boot scan. avast!'s boot scan found desktop.ini and Consrv.dll to be infected. Being as stupid as I am, I let the boot scan delete the two desktop.ini files it found. Not sure if that was a bad thing or not just yet. Haven’t restarted my computer. Planning on stopping the boot scan and letting you guys help me from here on out.

Sorry, I don’t know where to start on this one as far as logs go. I’m fairly stumped here. Sorry. Could someone please help me out?

Edit: Should explain that I’m on a different laptop and I can boot into Safe Mode on the infected desktop. Would it be safe to try and boot into Safe Mode with Networking?

Running: Windows 7 Professional 64-Bit, AMD Athlon II X2 250 3.01 GHz, 8GB RAM
Scanners: Spybot, avast! free, CCleaner

Yes, I should explain, and if you want help please do follow the instructions on this link… essexboy will take a look at it :slight_smile:

http://forum.avast.com/index.php?topic=53253.0

Done. These are my logs.

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.26.07

Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking)
Internet Explorer 9.0.8112.16421
DJ Ryudo :: TEHAWESOME [administrator]

2/27/2012 4:57:21 AM
mbam-log-2012-02-27 (04-57-21).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 206137
Time elapsed: 2 minute(s), 19 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 1
HKCR\regfile\shell\open\command| (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Sorry to cut this short, but I must sleep now. It’s 6AM where I am and I must rest. Way past my bed time. :stuck_out_tongue: Please post all information that I must know for the next step and I will do it ASAP when I wake up. Thank you all so much.

You would have to wait for essexboy to analyze these logs and help you through… I’m not a malware removal expert, so yeah, I can’t help you… all I can help with is to inform you what to do, then leave the malware removal to another guy.

That’s fine. :slight_smile: I meant that anyone who could help to leave the next step here on the forums. I’m awake now, so I’m ready to start killing this thing whenever someone else (essexboy, lol) is ready to help me.

Edit: Oh yes, I’m running in Safe Mode with Networking at this moment. I’m a bit too afraid to run my computer normally right now. When all of this started, the Trojan started screwing with Windows Firewall and tried to open Internet Explorer. Thankfully, I don’t use IE so it wasn’t set up correctly. Before it could open IE, IE was asking me to set up something. Forgot what it was.

Sorry for bumping and seeming impatient, but I didn’t get help all day. I just want to make sure I’m not forgotten because I want to get my computer fixed up. Very bored without it. :stuck_out_tongue: I won’t bump after this unless it’s been two days of not receiving help.

I know someone will help when they can, but as I said, just don’t want to be forgotten. :slight_smile:

I’m sorry bro, I’m sure some experts will come to help soon… I can’t help you because I’m not qualified, and if I do I’ll get another warning, which is embarrassing… furthermore, if I prescribe the wrong tools your computer may end up unbootable.

It depends what time zone the helpers are in… we can’t be online 24 hours.

Essexboy arrives late UK time.

Ah, nah it’s all good. I really do understand. :stuck_out_tongue: Just miss my computer. It looks like you’re all doing awesome on this forum.

akama1, if it makes you feel any better, I’m glad you told me to get those logs ready. I can’t stand not being ready and holding certain things back. I’d rather be ready now and get things over with ASAP. :slight_smile:

I can wait, just getting antsy.

OK, let’s get the show on the road - we may require two or three runs with ComboFix to kill it fully.

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\Windows\SysWow64\OGqA41.com.d
C:\Windows\SysWow64\OGqA41.com
C:\ProgramData\peE6B2OF.dat
C:\Windows\SysNative\dds_trash_log.cmd
C:\Windows\SysWow64\OGqA41.com_
C:\Windows\SysNative\procmon10.dll

ATJob::

NetSvc::
VAIOMediaPlatform-PhotoServer-UPnP

Driver::
VAIOMediaPlatform-PhotoServer-UPnP

Save this as CFScript.txt, in the same location as ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Is it alright if ComboFix is done in Safe Mode? Just making sure if I need to run this normally.

It works better from normal mode - but yes you can do that as we will probably need to run it a few times

Here’s the log for the first run of Combo Fix. Waiting on orders.

Oh yes, and in case you notice, it says Chrome was running. I have no idea why it says that. It was not up at all when everything was running.

Looks like Combofix has been updated as it has appeared to have marmalised it in one

Could you run a new OTL scan please, using the original search script (there will only be one log this time).

Here’s the second OTL log. I love the name for this program. lol

That looks good - what problems remain?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;127.0.0.1:9421;
O2 - BHO: (no name) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No CLSID value found.
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - No CLSID value found.
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - No CLSID value found.
[2012/02/28 14:03:16 | 000,000,000 | -HS- | M] () -- C:\Windows\SysNative\dds_trash_log.cmd

:Files
ipconfig /flushdns /c

:Commands
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Run the fixit on this page http://support.microsoft.com/kb/811259 (about halfway down).
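As an added illustration (this is not essexboy's script and not part of the original thread), here is a read-only PowerShell check for the same indicators the MBAM log, the CFScript and the OTL fix above acted on: the listed files, the regfile open command, the per-user proxy settings and the orphaned BHO entries. It assumes an elevated 64-bit PowerShell on the affected machine; the scripts write "SysNative", which is how a 32-bit process sees System32, so those paths are checked under System32 here. The System32 location for consrv.dll is an assumption, since the first post names the file but not its folder. The script reports and changes nothing; removal stays with the tools the helper prescribed.

```powershell
# Added example, not essexboy's script: a READ-ONLY audit of the indicators this
# thread acted on (MBAM regfile repair, CFScript File:: list, OTL :OTL lines).
# Assumptions: elevated 64-bit PowerShell on the affected machine; "SysNative"
# in the scripts is the real System32 when viewed from a 64-bit process.

$findings = New-Object 'System.Collections.Generic.List[string]'
$sysDir = Join-Path $env:SystemRoot 'System32'
$wowDir = Join-Path $env:SystemRoot 'SysWOW64'

# 1. Files named in the CFScript and the OTL fix, plus consrv.dll from the
#    avast! boot scan in the first post (its System32 location is assumed).
$files = @(
    (Join-Path $wowDir 'OGqA41.com.d'),
    (Join-Path $wowDir 'OGqA41.com'),
    (Join-Path $wowDir 'OGqA41.com_'),
    (Join-Path $env:ProgramData 'peE6B2OF.dat'),
    (Join-Path $sysDir 'dds_trash_log.cmd'),
    (Join-Path $sysDir 'procmon10.dll'),
    (Join-Path $sysDir 'consrv.dll')
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        # -Force so hidden/system files (the -HS- attributes in the OTL line) are returned
        $item = Get-Item -LiteralPath $f -Force
        $findings.Add(('file present: {0} [{1}] {2} bytes' -f $f, $item.Attributes, $item.Length))
    }
}

# 2. HKCR\regfile\shell\open\command: MBAM flagged the quoted form ("regedit.exe" "%1")
#    and restored the default regedit.exe "%1".
$regCmd = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\regfile\shell\open\command' -ErrorAction SilentlyContinue).'(default)'
if ($regCmd -and $regCmd -ne 'regedit.exe "%1"') {
    $findings.Add(('regfile open command is not the default: {0}' -f $regCmd))
}

# 3. Per-user proxy settings; the OTL fix removed a ProxyOverride of *.local;127.0.0.1:9421;
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$proxy = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue
if ($proxy.ProxyEnable -eq 1) {
    $findings.Add(('ProxyEnable = 1, ProxyServer = {0}' -f $proxy.ProxyServer))
}
foreach ($name in 'ProxyOverride', 'AutoConfigURL') {
    if ("$($proxy.$name)" -ne '') {
        $findings.Add(('Internet Settings {0} = {1}' -f $name, $proxy.$name))
    }
}

# 4. Browser Helper Objects: the three CLSIDs from the OTL fix, and in general any
#    BHO entry whose CLSID has no class registration (OTL's "No CLSID value found").
$threadBhos = @('{318A227B-5E9F-45bd-8999-7F8F10CA4CF5}',
                '{AA58ED58-01DD-4d91-8333-CF10577473F7}',
                '{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}')
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
foreach ($k in $bhoKeys) {
    Get-ChildItem -Path $k -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName
        $registered = (Test-Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid") -or
                      (Test-Path "Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID\$clsid")
        if ($threadBhos -contains $clsid) {
            $findings.Add(('BHO from the OTL fix still listed: {0} under {1}' -f $clsid, $k))
        } elseif (-not $registered) {
            $findings.Add(('BHO with no CLSID registration: {0} under {1}' -f $clsid, $k))
        }
    }
}

if ($findings.Count -eq 0) { 'None of the thread indicators are present.' } else { $findings }
```

Run it once before the fix and once after the reboot; an empty result after the fix is the same "looks good" that the OTL quick scan is being used to confirm, and a non-empty result tells you exactly which item survived so the next script can be targeted at it.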

I don’t see anymore issues. Been running normally (non-Safemode) ever since ComboFix. Been smooth.

Here’s the next OTL log.

Looks good - if all is well tomorrow let me know and I will remove my tools ;D

Everything seems fine… though my primary HDD might be crapping out on me. I’m not too sure right now. All S.M.A.R.T. tests came back OK and my Write/Read tests are normal. I’m not going to worry about it too much at this time though.

Thank you so much for your help, essexboy. Before we end this thread, I would like your opinion on something. I use both Spybot and avast! for scanning. I don’t use TeaTimer all that much because it uses too many resources, but there are times when it’s useful.

In your personal opinion, would Spybot or MWB be a better Malware/Spyware remover?