Fighting a Win32:Sirefef-HO

Much like the thread on http://forum.avast.com/index.php?topic0903.0, I am fighting this virus. Avast is stopping the trojan Win32:DNSChanger-VJ from running and Comodo and Malwarebytes are blocking access to web sites. MBAM results:

Malwarebytes’ Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 911122703

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

12/27/2011 6:55:08 PM
mbam-log-2011-12-27 (18-55-08).txt

Scan type: Full scan (C:\|)
Objects scanned: 356694
Time elapsed: 1 hour(s), 2 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\assembly\temp\kwrd.dll (PUP.BitMiner) → Quarantined and deleted successfully.

Here is my aswMBR log

aswMBR version 0.9.9.1120 Copyright(c) 2011 AVAST Software
Run date: 2011-12-27 19:27:35

19:27:35.764 OS Version: Windows x64 6.1.7601 Service Pack 1
19:27:35.764 Number of processors: 2 586 0x602
19:27:35.764 ComputerName: RENEE-PC UserName: Renee
19:27:49.200 Initialize success
19:27:49.749 AVAST engine defs: 11122702
19:28:20.973 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-0
19:28:20.989 Disk 0 Vendor: TOSHIBA_MK3263GSX FG020M Size: 305245MB BusType: 11
19:28:23.048 Disk 0 MBR read successfully
19:28:23.048 Disk 0 MBR scan
19:28:23.064 Disk 0 Windows VISTA default MBR code
19:28:23.095 Disk 0 Partition 1 80 (A) 27 Hidden NTFS WinRE NTFS 1500 MB offset 2048
19:28:23.126 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 294603 MB offset 3074048
19:28:23.220 Disk 0 Partition 3 00 17 Hidd HPFS/NTFS NTFS 9141 MB offset 606420992
19:28:23.235 Service scanning
19:28:24.717 Modules scanning
19:28:24.717 Disk 0 trace - called modules:
19:28:24.748 ntoskrnl.exe CLASSPNP.SYS disk.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys
19:28:24.764 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0xfffffa8003bbe060]
19:28:24.764 3 CLASSPNP.SYS[fffff880019cc43f] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8004a42060]
19:28:25.591 AVAST engine scan C:\windows
19:28:29.569 AVAST engine scan C:\windows\system32
19:28:46.902 File: C:\windows\system32\consrv.dll INFECTED Win32:Sirefef-HO [Rtk]
19:30:36.764 AVAST engine scan C:\windows\system32\drivers
19:30:53.895 AVAST engine scan C:\Users\Renee
19:31:17.701 File: C:\Users\Renee\AppData\Local\Google\Update\1.3.21.79\GoogleCrashHandler.exe INFECTED Win32:Malware-gen
19:39:21.180 AVAST engine scan C:\ProgramData
19:40:50.303 Scan finished successfully
19:41:28.180 Disk 0 MBR has been saved successfully to “C:\Users\Renee\Desktop\MBR.dat”
19:41:28.195 The log file has been saved successfully to “C:\Users\Renee\Desktop\aswMBR.txt”

Attach the remaining logs by following the link given to the guide below:

http://forum.avast.com/index.php?topic=53253.0

Hi, welcome to the forum.

To make cleaning this machine easier:
* Please do not uninstall/install any programs unless asked to. It is more difficult when files/programs are appearing in/disappearing from the logs.
* Please do not run any scans other than those requested.
* Please follow all instructions in the order posted.
* All logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, and uncheck Word Wrap if it is checked.
* Do not attach any logs/reports, etc. unless specifically requested to do so.
* If you have problems with or do not understand the instructions, please ask before continuing.
* Please stay with this thread until given the All Clear. An absence of symptoms does not mean a clean machine.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

* Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link: How to Disable your Security Programs

* Right click on ComboFix.exe, click Run as Administrator and follow the prompts.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Please post back with the combofix log.

Thanks

Here is the ComboFix log. I should mention that I cannot use IE or Chrome to get to the Internet on that computer now. ???

did you restart after running combofix ?

I did. The computer restarted automatically. Should I restart again?

Yes try restarting again that should fix it ;D

On the web again, thanks! ;D

You're welcome! :) Now we have to wait until oldman posts back further instructions. How is your PC running now?

Re-run aswmbr and post a fresh log here please…

Here is the new aswMBR log

OK, I will ask a malware removal expert to have a look here. Hold on! essexboy will arrive soon! :)

I have notified him via PM ;)

Thanks!!

Hi ccdsmith,

The logs seem to conflict on which antivirus program you are using. Combofix shows Norton (Symantec) while OTL shows Avast. Please clarify your antivirus situation.

When you ran OTL there should have been a file named Extra.txt created. Since you ran OTL from your download folder it should have been saved there as well. Please attach it to your next reply.

Next, right click on OTL.exe and choose Run as Administrator to run it.
* Under the Custom Scans/Fixes box at the bottom, paste in the following
* Do not copy the word CODE
* Please note the fix starts with the :

:Services

:OTL
IE - HKU\S-1-5-21-2667917663-271404581-2969057250-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6092

:Commands
[purity]
[createrestorepoint]

Then click the Run Fix button at the top

* Let the program run unhindered
* Please save the resulting log to be posted in your next reply.

Please post back with the Extra.txt.

How’s the computer?
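The OTL fix above deletes a per-user Internet Settings value, ProxyServer = http=127.0.0.1:6092, that points the browser at a proxy on the infected machine itself. That is the hijack: every HTTP request is routed through a local process the malware controls, and once that process has been removed the port is dead, which is the likely reason IE and Chrome (Chrome uses the same system proxy settings) could not reach the Internet after ComboFix until the value was cleared. As an added example, not part of the thread and not OTL's own code, the following Python script parses a WinINet ProxyServer value in both layouts it can take (a single host:port, or scheme=host:port entries separated by semicolons), flags entries aimed at loopback, and on Windows reads the live ProxyEnable and ProxyServer values from HKCU with the standard winreg module. The sample value used offline is constructed from the one in the fix; ProxyEnable and ProxyServer are the real WinINet value names, and port 6092 is the one from this thread.

```python
"""Audit a WinINet per-user proxy setting for a loopback hijack.

Added example (not from the thread or from OTL). Parsing/classification is
pure Python and runs anywhere; read_live_setting() uses the standard winreg
module and therefore only works on Windows.
"""
import ipaddress
import sys
from typing import Dict, List, Tuple

# Real WinINet key under HKEY_CURRENT_USER (same path OTL addressed under HKU\<SID>).
INTERNET_SETTINGS = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"

# Constructed sample: the exact value the OTL fix in this thread removed.
SAMPLE_PROXY_SERVER = "http=127.0.0.1:6092"


def parse_proxy_server(value: str) -> Dict[str, str]:
    """Parse a ProxyServer string into {scheme: "host:port"}.

    WinINet accepts either a single "host:port" that applies to every
    protocol (returned under the key "*") or a ';'-separated list of
    "scheme=host:port" entries, which is the layout seen in the OTL fix.
    """
    proxies: Dict[str, str] = {}
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        if "=" in entry:
            scheme, target = entry.split("=", 1)
            proxies[scheme.strip().lower()] = target.strip()
        else:
            proxies["*"] = entry
    return proxies


def proxy_host(target: str) -> str:
    """Extract the host from 'host:port' or '[v6-literal]:port' (port optional)."""
    if target.startswith("[") and "]" in target:   # bracketed IPv6 literal
        return target[1:target.index("]")]
    host, sep, port = target.rpartition(":")
    if sep and port.isdigit():
        return host
    return target


def is_loopback_host(host: str) -> bool:
    """True for 127.0.0.0/8, ::1 and the name 'localhost'."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def suspicious_proxies(value: str) -> List[str]:
    """Return one finding per proxy entry that points back at this machine.

    A proxy on loopback means a process on the same box sees and can rewrite
    all browser traffic. Legitimate local filtering proxies exist, so treat
    this as a lead to confirm (which process listens on that port?), not as
    proof by itself; on a machine where scanners already found Sirefef and a
    DNSChanger it is almost certainly the hijack.
    """
    findings = []
    for scheme, target in parse_proxy_server(value).items():
        if is_loopback_host(proxy_host(target)):
            findings.append(f"{scheme}: proxy to loopback {target}")
    return findings


def read_live_setting() -> Tuple[int, str]:
    """Read ProxyEnable/ProxyServer for the current user (Windows only)."""
    import winreg  # standard library, only importable on Windows
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, INTERNET_SETTINGS) as key:
        try:
            enable = int(winreg.QueryValueEx(key, "ProxyEnable")[0])
        except FileNotFoundError:
            enable = 0
        try:
            server = str(winreg.QueryValueEx(key, "ProxyServer")[0])
        except FileNotFoundError:
            server = ""
    return enable, server


if __name__ == "__main__":
    if sys.platform == "win32":
        enable, server = read_live_setting()
    else:
        enable, server = 1, SAMPLE_PROXY_SERVER   # offline demo with the constructed sample
    print(f"ProxyEnable={enable} ProxyServer={server!r}")
    for finding in suspicious_proxies(server):
        state = "active" if enable else "dormant (ProxyEnable=0), still remove it"
        print(f"SUSPICIOUS [{state}]: {finding}")
```

Two practical caveats. The OTL fix targeted a specific user's hive (HKU\S-1-5-21-...-1000), whereas this script reads HKCU, so run it as the affected user, not as a different administrator account. And confirm before deleting: `netstat -ano | findstr :6092` shows the PID, if any, still listening on the proxy port; the manual equivalent of the OTL line is to delete ProxyServer and set ProxyEnable to 0, which restores browsing only if the malware process that answered on that port is gone as well.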

Thanks for your help.
I do not have an Extra.txt file anywhere. Not certain why not. ???
This computer came with NAV installed, but the virus protection ran out a few months ago. I installed Avast (just a few days ago - this is a friend’s computer) to provide protection, and ran the Norton product uninstaller to remove NAV. Not certain why it is still showing up anywhere…
Ran the fix, and it gave me a log file. Do you need it?
I will restart the virus protection, etc and see if I see any signs of the issue. Should I run something to check?
As an FYI, I am now able to change the settings on Windows Firewall, so that’s a good sign!
I just ran MBAM and it came up clean. I am now going to reboot and see what happens.

Hi ccdsmith,

Please move OTL out of the downloads folder to your desktop.

* Right click on OTL.exe and click "Run as Administrator" to run it. Make sure all other windows are closed and let it run uninterrupted.
* When the window appears, underneath Output at the top change it to Minimal Output
* Check the boxes beside LOP Check and Purity Check.
* In the Extra Registry section change it to All
* Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.

Or you can attach them.

Sorry it took so long to get back to you. My friend has already taken her computer home. I was hoping she would run these and get the results to me, but she hasn’t yet. Thanks for all your help, though. I suspect that if she still was having issues, she would have told me by now…

Hi ccdsmith,

Thanks for letting us know. Not much we can do without the computer.

Take care.