Redirect Virus (Win32/Sirefef.B)

I’m back again, though for once it’s my own mistakes that are causing me grief :slight_smile:
More or less, I downloaded a file I figured would be malware and ran it anyway after my currently-installed AV didn’t detect anything. I’m ashamed to admit I don’t have avast! installed at the moment due to recently reformatting after my last HDD went bad. I guess Windows XP decided I needed Microsoft Security Essentials since I didn’t have another AV installed. Needless to say, I’m gonna ditch MSE for avast! as soon as this is resolved.

Here’s some details of what the virus did:

  • The scan results of the file I downloaded: Click Here
    (I don’t even have Mass Effect :-\ )
    
  • It immediately disabled Task Manager (“…disabled by an Administrator…”)

  • MSE was disabled within seconds, running but not active, although it did detect something for a split second before dying on me

  • I did a System Restore to a couple days back, Task Manager works now, as does MSE (though did it really work in the first place? :wink: )

  • IE was set as my default browser

  • IE redirects if I click any search results on Bing or Google

  • IE has started on its own a couple times

  • I glanced at my taskbar and noticed IE had started itself and that my mom’s Facebook page was open; soon afterwards I saw it on the Facebook page of someone I didn’t know. I clicked the back arrow to see what other sites it had decided to visit on its own: random sites like the ones IE redirects to from Google or Bing

  • I saw that it had opened Outlook or whatever email client came with Windows XP, two instances at the same time, and it had an email address in the “To:” field. Sadly I can’t remember what that address was

An MBAM scan came up with two results, both located in System Restore. MSE has gotten a couple of hits as well (the ones detected by MBAM plus a couple more).

MSE Results: Click Here
The two results dated 7/9/11 are unrelated, results from scanning an external media backup of the C: drive of a computer that isn’t mine.

I’m not really sure what to do at the moment, so any help would be appreciated. Let me know if you need any more details. Thanks in advance.

Hello

Please download aswMBR from here http://public.avast.com/~gmerek/aswMBR.htm

1) Double-click the aswMBR.exe to run it
2) Click the [Scan] button to start the scan
3) On completion of the scan click [Save log], save it to your desktop and post it in your next reply

Is it required for me to be in Safe Mode before running the scan?
If you don’t reply before I head to bed for the night, I’ll just run it regularly while I sleep.

There is no reason to run it in safe mode.

Good, because I ran the scan overnight regularly :stuck_out_tongue:
Also, when I checked in the morning, Outlook was open, composing a message to “Security@twitter.com” with no subject or body.
aswMBR.txt is attached. I saw a couple of red lines but didn’t take the time to see what they were.

EDIT:
06:29:01.546 File: C:\System Volume Information\_restore{D307284D-9EFF-4B8A-9406-CBF1DCFE4F9F}\RP56\A0012471.sys INFECTED Win32:Rootkit-gen [Rtk]
06:29:04.781 File: C:\System Volume Information\_restore{D307284D-9EFF-4B8A-9406-CBF1DCFE4F9F}\RP57\A0012549.sys INFECTED Win32:Rootkit-gen [Rtk]

Those lines stand out: they are the two restore points created after infection and before I did a system restore back to two days before infection.

EDIT:
A0012471.sys is described as “Usb Bus for Microsoft ACPI-Compliant System” under properties.
A0012549.sys is as well. I read on Microsoft’s website that Sirefef replaces a random driver file with the virus.

Is the “fix” option available?

FixMBR is available, but Fix is greyed out. Does the log mention anything being wrong with the MBR? Can you explain MBR.dat to me? I’m assuming that if there isn’t anything wrong with the MBR, using FixMBR won’t harm anything, right?

Follow the instructions here http://forum.avast.com/index.php?topic=53253.0
Make sure to post your MBAM and OTS log.

I’m not sure if it’s actually sending any emails or if it’s just attempting to and failing…
The most recent one I saw didn’t have anything in the “To:” field, but the subject was “Credit Card” and the body was hxxp://www.retradio.com/shows/2011/07/08/credit-cards/
Is that a malicious site, anyone willing to take a look?
This is the first time I’ve actually seen anything in the body of an email-attempt.

This site seems to be unrated/clean; I wouldn’t trust it. Try to change your password.
Post the MBAM and OTS logs, please.

I just noticed 16 instances of mpcmdrun.exe running on my computer. I hear a beep every now and again, maybe an hour apart or so each time. I get the feeling these are related.
Attached is the MBAM log showing the malware located in two restore points. Later logs were clean.
I haven’t had the opportunity to run OTS yet; I will tonight, probably while I’m asleep.

http://www.processlibrary.com/directory/files/mpcmdrun/27087/

mpcmdrun.exe is a process belonging to Microsoft Windows Defender Antispyware which protects your computer against Internet-bound threats such as spyware and trojans which can be distributed through e-mail or attack directly to the computer allowing unauthorized access.

Though why there are so many instances running is another issue.

I have Microsoft Security Essentials but I do not have Microsoft Windows Defender Antispyware.

MpCmdRun.exe file information http://www.file.net/process/mpcmdrun.exe.html

The process Command Line Utility or Windows Defender Command Line Utility or MpCmdRun.exe or Microsoft Malware Protection Command Line Utility belongs to the software Windows Defender or MpCmdRun.exe or Microsoft Malware Protection or Microsoft Security Essentials by Microsoft Corporation (www.microsoft.com).

I think they probably have shared/common components.