Need guidance with Win32:Sirefef-AHF [Trj] Malware/Trojan 80000032.@

Hello, I'm working on a friend's computer and I've gotten this far, but every 5 minutes or so the Trojan Horse and Malware keep popping up with THREAT DETECTED, and it's the 0000004 & 0000008 Malware\Trojan. Please help when you can; it would be greatly appreciated :smiley:

We need the logs from Malwarebytes / OTL / aswMBR: http://forum.avast.com/index.php?topic=53253.0

Malwarebytes Logs

Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.23.02

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Tilo :: TILO-PC [administrator]

Protection: Enabled

8/23/2012 1:18:05 AM
mbam-log-2012-08-23 (01-18-05).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 224602
Time elapsed: 2 minute(s), 53 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 4
C:\Users\Tilo\Downloads\LimeWireSetup.exe (Adware.Hotbar) → Quarantined and deleted successfully.
C:\Windows\Installer\{256fafff-9b71-5c3c-765f-b7f1e8557917}\n (Rootkit.0Access) → Quarantined and deleted successfully.
C:\Windows\Installer\{256fafff-9b71-5c3c-765f-b7f1e8557917}\U\00000008.@ (Trojan.Dropper.BCMiner) → Quarantined and deleted successfully.
C:\Windows\Installer\{256fafff-9b71-5c3c-765f-b7f1e8557917}\U\000000cb.@ (Rootkit.0Access) → Quarantined and deleted successfully.

(end)

OTL log must be attached

And just from looking at your MBAM log, it confirms the Sirefef rootkit infection.

Malware removers are notified. It may take hours before one arrives, so be patient.

Otl.txt. I hope this helps :smiley:

Here's the other

Extras.txt

Thank you very much for your time :smiley:

Here's the aswMBR.exe log.

Once again thank you for your time

From the aswMBR it showed

02:43:47.873 File: C:\Windows\system32\services.exe INFECTED Win32:Patched-AKC [Trj]
02:44:10.790 File: C:\Windows\assembly\GAC_32\Desktop.ini INFECTED Win32:Sirefef-PL [Rtk]
02:44:12.537 File: C:\Windows\assembly\GAC_64\Desktop.ini INFECTED Win32:Sirefef-PL [Rtk]

I'm sure that is the culprit :wink:

They are the problem… Soon to be history

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Reg
[HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32] 
""="%systemroot%\system32\wbem\wbemess.dll" 
[-HKCU\Software\Classes\clsid\{12d0253a-7c96-815c-11e0-3034bbd97cc0}] 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS]
"DisplayName"="@%SystemRoot%\\system32\\qmgr.dll,-1000"
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"Description"="@%SystemRoot%\\system32\\qmgr.dll,-1001"
"ObjectName"="LocalSystem"
"ErrorControl"=dword:00000001
"Start"=dword:00000002
"DelayedAutoStart"=dword:00000001
"Type"=dword:00000020
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,45,00,76,00,65,00,\
  6e,00,74,00,53,00,79,00,73,00,74,00,65,00,6d,00,00,00,00,00
"ServiceSidType"=dword:00000001
"RequiredPrivileges"=hex(7):53,00,65,00,43,00,72,00,65,00,61,00,74,00,65,00,47,\
  00,6c,00,6f,00,62,00,61,00,6c,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,\
  67,00,65,00,00,00,53,00,65,00,49,00,6d,00,70,00,65,00,72,00,73,00,6f,00,6e,\
  00,61,00,74,00,65,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,\
  00,00,53,00,65,00,54,00,63,00,62,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,\
  00,67,00,65,00,00,00,53,00,65,00,41,00,73,00,73,00,69,00,67,00,6e,00,50,00,\
  72,00,69,00,6d,00,61,00,72,00,79,00,54,00,6f,00,6b,00,65,00,6e,00,50,00,72,\
  00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,49,00,6e,00,\
  63,00,72,00,65,00,61,00,73,00,65,00,51,00,75,00,6f,00,74,00,61,00,50,00,72,\
  00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,00,00
"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
  00,01,00,00,00,60,ea,00,00,01,00,00,00,c0,d4,01,00,00,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS\Parameters]
"ServiceDll"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,\
  00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  71,00,6d,00,67,00,72,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS\Performance]
"Library"="bitsperf.dll"
"Open"="PerfMon_Open"
"Collect"="PerfMon_Collect"
"Close"="PerfMon_Close"
"InstallType"=dword:00000001
"PerfIniFile"="bitsctrs.ini"
"Last Counter"=dword:00000fc8
"Last Help"=dword:00000fc9
"First Counter"=dword:00000fb8
"First Help"=dword:00000fb9
"Object List"="4024"
"1008"=hex(b):50,94,22,ad,0d,ad,cc,01
"PerfMMFileName"="Global\\MMF_BITS_s"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS\Security]
"Security"=hex:01,00,14,80,94,00,00,00,a4,00,00,00,14,00,00,00,34,00,00,00,02,\
  00,20,00,01,00,00,00,02,c0,18,00,00,00,0c,00,01,02,00,00,00,00,00,05,20,00,\
  00,00,20,02,00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,\
  00,00,00,00,05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,\
  20,00,00,00,20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,\
  00,00,00,00,00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,\
  00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,\
  05,20,00,00,00,20,02,00,00

:Files
C:\Windows\assembly\GAC_32\Desktop.ini 
C:\Windows\assembly\GAC_64\Desktop.ini
C:\Windows\Installer\{256fafff-9b71-5c3c-765f-b7f1e8557917}
C:\Users\Tilo\AppData\Local\{256fafff-9b71-5c3c-765f-b7f1e8557917}
ipconfig /flushdns /c
netsh int ip reset c:\resetlog.txt  /c
ipconfig /release /c
ipconfig /renew /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, and describe how your computer is running now.

Here's the OTL.exe quick scan log

Here's the ComboFix.exe log. Things have actually been running smoothly.

I enabled Avast Antivirus and it's been almost 30 minutes without any THREAT DETECTED, LOL

But for the most part I think it's cleared up… The main issue, though, other than the virus/malware, was that he was trying to get on his Verizon Wi-Fi hotspot that he bought for himself but wasn't able to get on. Is there any other kind of software that will scan his little hotspot for infections?

Are there any kind of probing questions you can ask me that would also help the computer's performance and/or tell if any kind of viruses are still present?

Once again, I thank you so VERY MUCH for your time :smiley:

Well, the main problem is that these rootkit programs are changing every day, so no antivirus is immune to them… this is one thing I don't like about the malware creators… they just keep changing their programming ;D

Hi true indian,

Worse even, the changes to their malcreations are being made automatically. But there are certain patterns to flag, and that protection is called IDS; see urlquery.net scans…

polonus

When he tries to log on to the hotspot, what error is displayed?

Scanning with GMER

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

http://img.photobucket.com/albums/v666/sUBs/gmer_zip.gif

Download GMER Rootkit Scanner from here or here.

  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan… click on NO.


http://www.geekstogo.com/misc/guide_icons/GMER_thumb.jpg


  • In the right panel, you will see several boxes that have been checked. Uncheck the following …
  • IAT/EAT
  • Drives/Partition other than Systemdrive (typically C:)
  • Show All (don’t miss this one)

  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save…] button, and in the File name area, type in “Gmer.txt” or it will save as a .log file which cannot be uploaded to your post.

  • Save it where you can easily find it, such as your desktop, and attach it in your reply.

Notes:
Caution
Rootkit scans often produce false positives. Do NOT take any action on any “<— ROOTKIT” entries

-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning

I couldn’t get GMER to launch properly… the System, Sections, IAT/EAT, Devices, Modules, Processes, Threads, Libraries were grayed out, and I extracted to the desktop several times. I tried with Avast on and off, I tried in safe mode and it still didn’t work, I even turned off UAC and it didn’t work, and I tried both links and got the same outcome… Not sure if I'm doing something wrong, but I kept trying for about an hour and just couldn’t get it going… What's the dealio?

Well, I got the wireless hotspot to work properly, so I no longer need help with the GMER.exe issue. Thank you for your time, and if I need any other help I will get back with you, Computer Defenders :smiley: THANK YOU!

Could you run GMER as it appears… Different Windows systems only allow certain elements to be checked.