Please Help with Win32:Sirefef Infection

Help with the following issue would be greatly appreciated.

Yesterday afternoon, on a website I trust and have used many times before, my computer picked up the Win64:Sirefef Trojan and Win32: Sirefef Rootkit. I believe the avenue of attack was an outdated Java plugin in Firefox, which I activated despite the browser’s warning that it had been deactivated for security reasons. The Comodo firewall started giving warnings, but since this was a safe place (or so I thought) and the warnings indicated that the program in question was simply a new version of something run before, I let it run. Big mistake! Avast AV promptly started blocking the trojan and rootkit every five minutes or so.

I ran a full scan using MalwareBytes, which identified and duly quarantined two issues. Once they had been walled off, Avast stopped giving its warnings. But, having read on this forum how insidious this intruder is, I ran a boot scan overnight. Sirefef 32 was found again, in a different location.

I have now followed the instructions in the Log thread on this forum and am attaching the logs. Interestingly, the first time I ran aswMBR, it found nothing. But using the order in the Log thread and running it after OTL, lo and behold our little friend shows up.

At this point I am seriously tempted to wipe the hard drive and start from scratch. However, there are some files that are not backed up that I really want to keep, and I’m not sure it’s safe to even try saving them to a DVD-ROM.

Although I was logged in to my e-mail, and a couple of other places, when the incident occurred, I have avoided logging in to anything personal while the machine’s condition remained doubtful. For all I know, much data has already been compromised.

Many thanks in advance.

Monitoring …

@Rich Mixture
Welcome to avast forum.

[*] I will be working on your Malware issues this may or may not solve other issues you have with your machine.
[*] The fixes are specific to your problem and should only be used for this issue on this machine.
[*] If you don’t know or understand something, please don’t hesitate to ask.
[*]Please refrain from making any further changes to your computer (Install/Uninstall programs, delete files, edit the registry, etc…)
[*] Please DO NOT run any other tools or scans whilst I am helping you.
[*] It is important that you reply to this thread. Do not start a new topic.
[*] Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
[*] Absence of symptoms does not mean that everything is clear.


Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.

Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this or this Instruction.

How to disable avast:

[*]Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
[*]In the window that opens on the top right corner, click Settings.
[*]In a new window that opens, choose the option Troubleshooting, Uncheck Enable avast! self-defense, and click OK.

[*]Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls .
[*]In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn on this option after the cleaning.

Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note:Do not mouse-click Combofix’s window while it is running.
If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart computer once more.

When the tool is finished, it will produce a log report for you. (typical location: C:[b]ComboFix.txt[/b] )
Attach log reports ( ComboFix.txt) back to topic.

====== Next ======

Please download zoek.exe and save it to your desktop.

[*] Close any open browsers.

[*] Temporarily disable your AntiVirus program. (If necessary)
If you are unsure how to do this please read this or this Instruction.

[*] Double click on zoek.exe to run the tool .
Please wait while the tool does not start…

[*] Copy the text present inside the code box below and paste it into the large window in the zoek tool:



process;
srinfo;
installedprogs;
DIR /S /A:L "%systemdrive%\*">>"%temp%\log.txt";b
C:\Windows\system32\services.exe;i
C:\Windows\SysNative\services.exe;i
auxzjfifszfjtate.exe;z
msimg32.dll;z
filesrcm;
startupall;
skipfix-iedefaults;
firefoxlook;
chromelook;


[*] Click on
http://www.mcshield.net/personal/magna86/Images/Run%20Script%20by%20zoek.png
button
Please wait until a logreport will open (this can be after reboot)

[*] Save notepad to your Desktop and attach here zoek-results.log

Note: It will also create a log in the C:\ directory named “zoek-results.log

magna86 - Thank you very much for your advice. I will run the suggested tools and post the logs when I get back from work later today.

I’m afraid to say that I have already broken one of your rules. Following a link in a Microsoft forum thread, I downloaded and ran SpyHunter from Enigma. I realized that this was basically a ploy to get me to purchase their product and uninstalled it. Hope that didn’t mess us up too much. Other than that, nothing else has been attempted since the logs posted yesterday.

Don’t worry, be free to continue. :wink:

Attaching the logs from ComboFix and zoek.

While Avast AV was disabled as instructed (and is now back on!), the Comodo firewall remained on and was very active as both programs did their thing. I hope this did not interfere with them; I allowed everything to run.

zoek has to be extracted from a zip file. The first attempt to install produced error messages, and when it did finally run there was an error. zoek instructed me to try again after a restart; this time, it worked.

Thanks again for your expert help.

Hi,

Re-run Zoek.exe as you did before with this script:


emptyclsid;
c:\windows\E89498D814304A2BA76A4A71326981E9.TMP;f
FFdefaults;
chrdefaults;
resetIEproxy;
netsh int ip reset >> %temp%\log.txt;b
ipconfig /flushdns >> %temp%\log.txt;b
resethosts;
emptyalltemp;
autoclean;

Attach here fresh Zoek.exe log

========== Next ============

Let’s do an extra check for rootkits

Please download Malwarebytes AntiRootkit and save it to your desktop.
http://www.malwarebytes.org/products/mbar/

Full instructions how to use MBAR
http://www.bleepingcomputer.com/virus-removal/how-to-use-malwarebytes-anti-rootkit
Please note: This is a beta version so please be sure to read the disclaimer and note of it.

[*] Unzip/unrar MBAR in a folder to your Desktop
[*] Open the folder where the contents were unzipped to run mbar.exe

[*] Click on Next > then on Update button to download fresh definitions.
[*] When database updates click Next
[*] In the following window ensure “Targets” scan for Drivers; Sectors; System are ticked. Then select “Scan button”

[*] If an infection/s are found ensure “Create Restore Point” is checked, then select the “Cleanup Button” to remove threats.
Or if you are sure any entries should not be kept, just untick them. A list of infected files will be listed.

[*] The Clean up procedure will be Scheduled for process.
[*] When complete pop-up will show you. Select the Yes button and the system should re-boot to complete the cleaning process.

Please attach the two following logs from the mbar folder:

system-log.txt
and
mbar-log-year-month-day (hour-minute-second).txt.

I have run zoek again and then MBAR. MBAR said no malware was found, so no clean-up was needed.

Web browser was closed while running zoek but open while running MBAR. Avast AV was disabled during both; now going back on.

Attaching new zoek log and the two MBAR logs.

@ Rich Mixture

How is your computer behavior?

The computer is behaving normally in all respects. Only caveat is that I have been avoiding my most important password-protected online activities (e-mail, banking, website admin, etc) until 100% sure this machine is clean.

Yap, logs doesn’t show traces of active malware. Your PC is malware free. :wink:

It is necessary to uninstall ComboFix :

[*] Click Start (or
http://amf.mycity.rs/pg/images/VistaStartButton.png
) then Run.

On Windows7 or Vista you may use Start Search field if Run is not available.

[*] In the line of text type in (Copy) the following:

ComboFix /Uninstall

Note that there is a space between " ComboFix " and " /Uninstall " .

[*] then click OK (or press Enter ).

Wait for the uninstall process is complete.


Please download DelFix by “Xplode” to your Desktop.

Run the tool and check the following boxes below;

[] Remove disinfection tools
[
] Create registry backup
[*] Purge System Restore

Now click on “Run” button. Wait for the programme completes his work.
All the tools we used should be gone.
Tool will create and open an log report (DelFix.txt)
Note: The report will also be stored on C:\DelFix.txt

I don’t need DelFix log report.


I recommended you to keep Malwarebytes AntiMalware and to use MCShield if you will.
You may download MCShield from one of the following links:

MyCity - Official download link
Softpedija - Mirror download link

It will prevent infection by computer via USB flash drive, mobile phone or any other memory card.
And not only will prevent infection, but it will immediately clean flash drive, memory card or external HDD.

magna86 - Uninstall and cleanup complete. I can’t thank you enough for all your help.

I have been using MBAM (though not often enough) for several years. MCShield has now been added.

I get the impression that the Sirefef rootkit is a bigger problem than the associated Trojan; MBAM seemed to deal with the Trojan successfully, but the rootkit needed all the extra work.

Again, many, many thanks.