Got infected by Win32:Sirefef-HO

Hi,
I recently got infected by Win32:Sirefef-HO. I tried to remove it using all the existing anti-malware tools, without any success.
I saw some threads on this forum regarding the Win32:Sirefef-HO infection, but I wasn't sure I could apply the steps described there to my case as well.
Now I'm running all the scans described in this thread http://forum.avast.com/index.php?topic=53253.0 and I will post the logs; could somebody then help me?

Thanks a lot

Malwarebytes log:

Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.22.02

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
en :: MELO-PORTATILE [administrator]

Protection: Disabled

22/03/2012 11:39:17
mbam-log-2012-03-22 (11-39-17).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File system | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 233521
Time elapsed: 4 minute(s), 50 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|MozillaAgent (Spyware.Sniffer) → Data: C:\Windows\Temp_ex-68.exe → Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Windows\System32\abRCrx.com_ (Trojan.Agent) → Quarantined and deleted successfully.
C:\Windows\SysWOW64\abRCrx.com_ (Trojan.Agent) → Quarantined and deleted successfully.

(end)

aswMBR logs:

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-03-22 12:21:24

12:21:24.355 OS Version: Windows x64 6.1.7601 Service Pack 1
12:21:24.355 Number of processors: 8 586 0x1E05
12:21:24.355 ComputerName: MELO-PORTATILE UserName: en
12:21:25.977 Initialize success
12:21:26.040 AVAST engine defs: 12030600
12:21:51.951 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-1
12:21:51.951 Disk 0 Vendor: WDC_WD50 01.0 Size: 476940MB BusType: 3
12:21:51.967 Disk 0 MBR read successfully
12:21:51.967 Disk 0 MBR scan
12:21:51.998 Disk 0 unknown MBR code
12:21:52.014 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 199 MB offset 2048
12:21:52.029 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 456858 MB offset 409600
12:21:52.076 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 19778 MB offset 936054784
12:21:52.092 Disk 0 Partition 4 00 0C FAT32 LBA MSDOS5.0 103 MB offset 976560128
12:21:52.154 SubSystem.Windows: C:\Windows\system32\consrv.dll SUSPICIOUS
12:21:52.154 Disk 0 scanning C:\Windows\system32\drivers
12:21:58.347 Service scanning
12:22:11.514 Modules scanning
12:22:11.514 Disk 0 trace - called modules:
12:22:11.560 ntoskrnl.exe CLASSPNP.SYS disk.sys hpdskflt.sys iaStor.sys hal.dll
12:22:11.560 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0xfffffa8004d4a790]
12:22:11.560 3 CLASSPNP.SYS[fffff8800180143f] → nt!IofCallDriver → [0xfffffa8004c52a50]
12:22:11.576 5 hpdskflt.sys[fffff88001b95289] → nt!IofCallDriver → \Device\Ide\IAAStorageDevice-1[0xfffffa8004b14050]
12:22:13.900 AVAST engine scan C:\Windows
12:22:17.566 AVAST engine scan C:\Windows\system32
12:22:29.892 File: C:\Windows\system32\consrv.dll INFECTED Win32:Sirefef-HO [Rtk]
12:23:51.932 File: C:\Windows\assembly\GAC_32\Desktop.ini INFECTED Win32:Sirefef-FQ [Drp]
12:23:54.163 File: C:\Windows\assembly\GAC_64\Desktop.ini INFECTED Win32:Sirefef-HO [Rtk]
12:24:59.933 File: C:\Windows\assembly\temp\U\80000004.@ INFECTED Win64:ZAccess-A [Trj]
12:24:59.964 File: C:\Windows\assembly\temp\U\80000032.@ INFECTED Win32:DNSChanger-VJ [Trj]
12:25:00.915 AVAST engine scan C:\Windows\system32\drivers
12:25:13.021 AVAST engine scan C:\Users\en
12:25:56.873 Disk 0 MBR has been saved successfully to “C:\Users\en\Documents\Antivirus\rimuovi\MBR.dat”
12:25:56.873 The log file has been saved successfully to “C:\Users\en\Documents\Antivirus\rimuovi\aswMBR.txt”
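The aswMBR log above is the useful part of this post: the MBR itself scanned clean, but the engine flagged consrv.dll in system32 as a SUSPICIOUS subsystem DLL, two Desktop.ini files under the .NET GAC, and two `.@` payloads under `\assembly\temp\U\`, which is the set of locations a ZeroAccess/Sirefef triage should look at. The following Python script is an added example written for this page, not a tool from the thread or from AVAST: it parses aswMBR verdict lines into findings, groups them by the three locations named in this log, and lists the components tagged `[Rtk]`. The sample log is copied from the lines above; the indicator names (`subsystem_dll`, `gac_desktop_ini`, `assembly_temp_u`) and the regular expressions are my own labelling of what this particular log shows, not a published signature set.

```python
"""Triage an aswMBR log for the ZeroAccess/Sirefef locations seen in this thread."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Verdict lines copied from the aswMBR log posted above (a constructed sample,
# not a live scan). Progress lines are included to show they are skipped.
SAMPLE_LOG = r"""
12:21:52.154 SubSystem.Windows: C:\Windows\system32\consrv.dll SUSPICIOUS
12:21:52.154 Disk 0 scanning C:\Windows\system32\drivers
12:22:29.892 File: C:\Windows\system32\consrv.dll INFECTED Win32:Sirefef-HO [Rtk]
12:23:51.932 File: C:\Windows\assembly\GAC_32\Desktop.ini INFECTED Win32:Sirefef-FQ [Drp]
12:23:54.163 File: C:\Windows\assembly\GAC_64\Desktop.ini INFECTED Win32:Sirefef-HO [Rtk]
12:24:59.933 File: C:\Windows\assembly\temp\U\80000004.@ INFECTED Win64:ZAccess-A [Trj]
12:24:59.964 File: C:\Windows\assembly\temp\U\80000032.@ INFECTED Win32:DNSChanger-VJ [Trj]
12:25:00.915 AVAST engine scan C:\Windows\system32\drivers
"""

# One aswMBR verdict line: timestamp, "File:" or "SubSystem.Windows:", a path
# (no spaces in this log), then either "INFECTED <signature> [<class>]" or "SUSPICIOUS".
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<kind>File|SubSystem\.Windows): "
    r"(?P<path>.+?) "
    r"(?:INFECTED (?P<sig>\S+) \[(?P<cls>\w+)\]|(?P<susp>SUSPICIOUS))$"
)

# Locations flagged in this thread's log, matched case-insensitively against the
# reported path. The names are assumed labels for this example only.
INDICATORS: Dict[str, "re.Pattern[str]"] = {
    "subsystem_dll": re.compile(r"\\windows\\system32\\consrv\.dll$", re.I),
    "gac_desktop_ini": re.compile(r"\\windows\\assembly\\gac_(32|64)\\desktop\.ini$", re.I),
    "assembly_temp_u": re.compile(r"\\windows\\assembly\\temp\\u\\[0-9a-f]+\.@$", re.I),
}


@dataclass(frozen=True)
class Finding:
    ts: str
    path: str
    signature: Optional[str]  # None when the line carried only SUSPICIOUS
    cls: Optional[str]        # aswMBR class tag: Rtk (rootkit), Drp (dropper), Trj (trojan)


def parse_findings(log_text: str) -> List[Finding]:
    """Return every INFECTED or SUSPICIOUS verdict in log order; other lines are ignored."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # "AVAST engine scan ..." and disk/partition lines carry no verdict
        findings.append(Finding(m["ts"], m["path"], m["sig"], m["cls"]))
    return findings


def match_indicators(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group flagged paths by the location pattern they fall under (duplicates kept)."""
    hits: Dict[str, List[str]] = {name: [] for name in INDICATORS}
    for f in findings:
        for name, pattern in INDICATORS.items():
            if pattern.search(f.path):
                hits[name].append(f.path)
    return hits


def rootkit_components(findings: List[Finding]) -> List[str]:
    """Paths aswMBR tagged [Rtk]; these are the ones to verify after cleaning, not just delete."""
    return sorted({f.path for f in findings if f.cls == "Rtk"})


if __name__ == "__main__":
    found = parse_findings(SAMPLE_LOG)
    for name, paths in match_indicators(found).items():
        print(f"{name}: {len(paths)} hit(s)")
        for p in paths:
            print(f"    {p}")
    print("rootkit components:", rootkit_components(found))
```

Run it against a saved aswMBR.txt by reading the file into `parse_findings` instead of `SAMPLE_LOG`. The point of splitting out `rootkit_components` is that the `[Rtk]` entries (consrv.dll and the GAC_64 Desktop.ini here) are loaded early by the OS, so a clean rescan after a reboot is the check that matters, not the quarantine message from a single tool.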

Hi,

Have you had a chance to run OTL yet as well? If not, please do so and post the logs.

Yes, but the log is too big and I can't upload it. I'll now try to split it into smaller files and upload them.

Thanks

Since I can’t upload it on the forum I used mediafire.
Here you have the link to the file: http://www.mediafire.com/?a2edzciaw3ldtdu

Thank you. That was what I would have had you do anyway. I will return shortly.

Hi,

Download ComboFix from either of the links below, and save it to your desktop.
Link 1
Link 2

Note: It is important that it is saved directly to your desktop.

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here.

- Right-click ComboFix.exe, choose Run as Administrator, and follow the prompts.
- When finished, it will produce a report for you.
- Please post the C:\ComboFix.txt for further review.

Ok, this is the log from Combofix

http://www.mediafire.com/?6j0b9q8ndhe5nbo

Hi,

- Please open Notepad (Start → Run → type notepad in the Open field → OK) and copy and paste the text present inside the code box below:


ClearJavaCache::

AtJob::

File::
c:\windows\system32\dds_trash_log.cmd
C:\Windows\SysNative\vds.dll
C:\ProgramData\4AicM5Uyn.dat
C:\Users\en\AppData\Local\9e7168ec
C:\Users\en\AppData\Roaming\ba24d031
C:\ProgramData\22cd857d

Netsvc::
kbstuff

Driver::
kbstuff

- Save this as CFScript.txt, change the "Save as type" to "All Files", and place it on your desktop.

http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif

- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
- Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
- ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
- When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix’s window while it is running. That may cause it to stall.

Hi,

Do you still need help?