Please help with eliminating Win32 Sirefef virus and trojan

Hi. I am getting pop up messages which happen most of the time telling me I have infections and no amount of Malware programs seem to get rid of them! In the Avast virus chest, they appear as Malware Blocked C:\Windows\Installer\{Cal151163-988e-874b, and trojan blocked and C:\TDSSKiller-Quarantine\011.2012_1231 . I have installed and run MalwareBytes a couple of times but the popups just keep happening. Any advice that even a real newbie can follow would be much appreciated. Thanks, regards, Jan O

Hi rockgoc, please follow the instructions in this thread http://forum.avast.com/index.php?topic=53253.msg451454#msg451454 and post all logs back here for one of the malware guys to look over.

OK here are the logs you have asked for from the scans performed as instructed. I hope I have done it all correctly.
Here’s hoping you can help me.
Regards, Jan O

hi rockgoc,

You did just fine. And now we wait for a malware expert to show up. Might take a bit or two, so…

Here you go

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:OTL
O2:64bit: - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - No CLSID value found.
O3 - HKU\S-1-5-21-4280924619-4266634437-1699241149-1000\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
[2012/11/10 17:28:35 | 000,004,608 | -HS- | M] () -- C:\Windows\assembly\GAC_32\Desktop.ini
[2012/11/10 17:28:35 | 000,006,144 | -HS- | M] () -- C:\Windows\assembly\GAC_64\Desktop.ini
@Alternate Data Stream - 172 bytes -> C:\Users\Jan O\Desktop\Needles.jpeg:3or4kl4x13tuuug3Byamue2s4b

:Files
C:\Windows\Installer\{ca151163-988e-874b-45c3-a5407a024fba}

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

OK all done as asked. I did however get another pop up the same as before while waiting for the log from Combofix to complete.
Back to you…

It is 1:35am in the UK, so essexboy will be sleeping now and back later today.

Could you confirm that the popups are still present

Download the latest version of TDSSKiller from here and save it to your Desktop.

[*]Doubleclick on TDSSKiller.exe to run the application

https://dl.dropbox.com/u/73555776/tdss%20start.JPG

[*]Then click on Change parameters.

https://dl.dropbox.com/u/73555776/tdss%20Change%20param.JPG

[*]Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

[*]Click the Start Scan button.

[*]If a suspicious object is detected, the default action will be Skip, click on Continue.

https://dl.dropbox.com/u/73555776/tdss%20threat.JPG

[*]If malicious objects are found, they will show in the Scan results and offer three (3) options.
[*]Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

[*]Get the report by selecting Reports

https://dl.dropbox.com/u/73555776/tdss%20report.JPG

[*]Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

Please copy and paste its contents on your next reply.

Well, after telling you that I got another pop up, they have not come back since! Should I still go ahead with the last instruction anyway? Regards, Jan O

No, no need for TDSSKiller

What problems are remaining ?

The new popup tells me that the latest update attempt is unsuccessful. When I tried to get an update, the computer just hangs on initialisation. Maybe I should uninstall and try reinstalling to see if that will fix it?

I just ended up with this type of virus too

A program called asknpavbb.exe which was located in AppData\Local\Temp asked for permission to access the internet. I denied it with my firewall since I didn't recognize it.
My explorer.exe then crashed but I was able to restart it immediately without any trouble.
Then avast came up with a rootkit blocked message.

Avast’s log says this:

* avast! Real-time Shield Scan Report
* This file is generated automatically
* Started on: Monday, November 12, 2012 12:04:02 PM

11/12/2012 11:24:11 PM C:\$Recycle.Bin\S-1-5-18\$388782569cbe71350a8581cd48e57334\n [L] Win32:Sirefef-PL [Rtk] (0)
11/12/2012 11:24:11 PM C:\$Recycle.Bin\S-1-5-18\$388782569cbe71350a8581cd48e57334\n [L] Win32:Sirefef-PL [Rtk] (0)
File was successfully moved to chest…
File was successfully moved to chest…

I checked my temp folder and my recycling bin and neither have anything mentioned by my firewall or avast.
I checked my virus chest and 2 files called n are there, transferred from the recycling bin, but asknpavbb.exe isn't there; that file just vanished.
I checked my task manager and process explorer and everything I have running seems to be as it should be.
I used HiJackThis to do a quick scan and everything seems the way it should be there as well.

My computer seems to be running normally.
I haven't had any more messages from anything, although it's only been about 30 minutes since this happened and I haven't restarted my computer yet.
I'm not looking for detailed help on how to remove it yet; I'll make a new topic if I end up needing help.

Right now all I want to know is, since everything looks fine and avast says it moved infected files to the chest, did avast successfully stop Win32:Sirefef before it became a major problem, or will I have to go through the hassle of looking for it and removing it myself?

EDIT: Just to be safe, and since it only takes a minute, I ran TDSSKiller and it came up with 1 threat, which was a suspicious file called sptd because it was locked. I looked it up and it is said to be normal, so I think everything is all good.
I'll run a full virus scan with Malwarebytes and avast to be certain.

I may end up deleting this as it seems different to what the OP has, so just disregard this post unless something in it caught your attention.

What programme is this in reference to? If it is Avast then run a repair

@Pat1487 the dropper self-deletes once it creates the recycle folder.
Avast only removes the files as far as I know.
MBAM should delete the folders, so run a quickscan with that.
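As an added illustration, not part of this thread and not avast's or Malwarebytes' own tooling, here is a small Python parser for the Real-time Shield report format quoted above. It pulls out each detection and its follow-up action, then lists the folders under the SYSTEM account's recycle bin (C:\$Recycle.Bin\S-1-5-18\$<hex>) that hosted a rootkit detection, i.e. the folders Essexboy says remain after the files are chested. The log text is constructed for the example, not Pat1487's actual log.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the avast! Real-time Shield report in the
# thread; the second detection is invented to show a non-matching path.
SAMPLE_LOG = r"""
* avast! Real-time Shield Scan Report
* This file is generated automatically
* Started on: Monday, November 12, 2012 12:04:02 PM
11/12/2012 11:24:11 PM C:\$Recycle.Bin\S-1-5-18\$388782569cbe71350a8581cd48e57334\n [L] Win32:Sirefef-PL [Rtk] (0)
File was successfully moved to chest...
11/12/2012 11:30:02 PM C:\Users\Jan O\Downloads\setup.exe [L] Win32:Evo-gen [Susp] (0)
File was successfully moved to chest...
"""

# "<date> <time> <path> [L] <detection> [<category>] (<n>)"; the path may
# contain spaces, so it is matched lazily up to the " [L] " marker.
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<path>.+?) \[(?P<flag>[A-Z])\] (?P<name>\S+) \[(?P<cat>[A-Za-z]+)\] \(\d+\)$"
)

# Sirefef/ZeroAccess hides under the LocalSystem SID's per-user recycle bin
# in a folder named "$" + 32 hex characters.
ZA_RECYCLE_RE = re.compile(r"^[A-Za-z]:\\\$Recycle\.Bin\\S-1-5-18\\\$[0-9a-f]{32}\\", re.I)

@dataclass
class Detection:
    timestamp: str
    path: str
    name: str
    category: str
    action: Optional[str] = None  # e.g. "File was successfully moved to chest..."

def parse_avast_log(text: str) -> List[Detection]:
    """One Detection per report line; the action line that follows is attached to it."""
    found: List[Detection] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if m:
            found.append(Detection(m["ts"], m["path"], m["name"], m["cat"]))
        elif line.startswith("File was") and found and found[-1].action is None:
            found[-1].action = line
    return found

def zeroaccess_folders(dets: List[Detection]) -> List[str]:
    """Distinct SYSTEM recycle-bin folders that held a rootkit ([Rtk]) detection."""
    folders: List[str] = []
    for d in dets:
        if d.category.lower() == "rtk" and ZA_RECYCLE_RE.match(d.path):
            folder = d.path.rsplit("\\", 1)[0]
            if folder not in folders:
                folders.append(folder)
    return folders
```

Chesting the file clears the detection, but the folder it lived in is what a follow-up MBAM scan needs to remove, which is why the second function reports folders rather than files.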

OK I ran the repair and everything seems to be good now. Many thanks for your great assistance, it was very much appreciated! Regards from Australia, and Jan O

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Remove ComboFix
[*]Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
[*]In the Run box, type in ComboFix /Uninstall
(Notice the space between the “x” and “/”)
then click OK

http://i1224.photobucket.com/albums/ee362/Essexboy3/Misc%20screen%20shots/CF_Uninstall-1.jpg

[*]Follow the prompts on the screen
[*]A message should appear confirming that ComboFix was uninstalled

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that
[*]Click Start.
[*]Open My Computer.
[*]Select the Tools menu and click Folder Options.
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[*]Click Yes to confirm.
[*]Click OK.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

http://img233.imageshack.us/img233/7729/mbamicontw5.gif
Malwarebytes.

Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly; it will show you which programmes on your system need updating and give a download link

If you use on-line banking then as an added layer of protection install Trusteer Rapport

It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit
[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place?

Keep safe :wave:

Hello Essexboy. Thanks for all the tips on how to stay safe. One thing I need to ask is this…what do I download to have extra protection using Trusteer Rapport? I can’t see anywhere or anything to download from this site.
Regards, Jan O

You need to fill in the form on that page and they will then e-mail you a download link

Hmmm, been a couple of days waiting for that download to be sent to me but have heard nothing back yet. Meanwhile, I scanned the computer using Max Spyware Detecter, and it said I had two Trojan Generic virus infections! When I hit the “clean” button in the program, it then wanted me to purchase before it would clean anything. I have attached the report for you to see.
Regards, Jan O

wget is a programme that can be used for good or bad as it will download programme updates. If it was bad then Avast will let you know when it tries to connect. I have that on my system

OK. So do I really need this thing on my computer? It is performing another scan as I write this and now it has found “22 threats found” and it hasn’t finished scanning yet! And when I go to have a look at the information on the threats, I get a message saying that I can’t go there because of one reason or another beyond my control. See attachment. Is it really a genuine must have or am I being scammed in some way? I am a little paranoid because of all the fuss the other virus business caused me, plus I use my computer for online banking and purchasing quite a lot, and I still haven’t been able to get that other program to download (the one recommended by yourself to be really safe for banking etc)