Sirefef

Good day all;

First time posting here. I have done everything I know to try and remove this virus myself. I have my computer mostly up and running again, but Avast still gives me 5 infected files on a full system scan.

C:\Windows\assembly\GAC_32\Desktop.ini Threat: Win32:Sirefef-FQ [Drp]
C:\Windows\assembly\GAC_64\Desktop.ini Threat: Win64:Sirefef-C [Drp]
C:\Windows\System32\consrv.dll Threat: Win64:Sirefef-C [Drp]
C:\Windows\assembly\GAC_32\Desktop.ini Threat: Win32:Sirefef-FQ [Drp]
C:\Windows\System32\consrv.dll Threat: Win64:Sirefef-C [Drp]

I also keep seeing a blocked threat at the bottom of my screen about something in a temp folder called DNSchange or something like that. Also, I can’t get my Avast firewall up and running, says the shield is unreachable. Can anyone help me? I have been trying for a couple days now, and when I do a boot-time scan, my computer won’t boot back up out of safe-mode. This is all related to some Win 7 2012 Antivirus thing that kept popping up which is what I tried to get rid of first. At one point after using Malwarebytes’ program, I had to fix my .exe file associations. I know if I delete all those files I listed again, I will start the cycle all over again. That is what happened yesterday. Please help.

Thank you.

To clarify, I have already run Malwarebytes’ Anti-Malware, and removed all selected items. I JUST ran another quick scan that found no infected items, however Avast is still finding them. Which log do you need? The one where I removed infected items with MBAM? Or the one I just had with no infected files? Thanks again. Also, the thing I was talking about with the temp folder was addressed in another thread:

Object - C:\Windows\assembly\tmp\U\80000032.@
Infection - Win32:DNSchanger-VJ[Trj]

but I don’t know if I need a specific fix for my machine or not… :frowning:

UPDATE:

I just ran a full scan with mbam, and it found 1 infected file:

PUP.BitMiner c:\Windows\assembly\temp\kwrd.dll

I have read in a couple of places that deleting that will prevent my computer from booting back up. What do I do? I’m really lost with all this stuff…

This one needs some additional tools:

Object - C:\Windows\assembly\tmp\U\80000032.@ Infection - Win32:DNSchanger-VJ[Trj]
  • This needs further analysis by a malware removal specialist:
    Go to this topic http://forum.avast.com/index.php?topic=53253.0 for information on Logs to assist in cleaning malware. Use the information about getting and using the logs and attach the logs here, not in the LOGS topic.

You are right not to act in haste on this one as MBAM detects it as a PUP (Potentially Unwanted Program), but I think it is related based on searches on the file name. Probably best to leave that for now.

Unfortunately essexboy who normally investigates these is at work and won’t be on the forums until about 7pm UK time (now 10:30am).

To give you an idea of this problem check this topic; don’t try to do anything without expert guidance and DON’T try to apply any FIX, as they are unique to the other user’s system/problem and could make your system worse.

Thank you for your reply. As soon as I return home from work, I will run those diagnostics and post the logs. Thanks again.

You’re welcome, hopefully essexboy will be on the forums in an hour or so. I have PM’d him about the topic, he will review what you have so far and may well suggest another tool.

I will need to see what variant it is first before I can go forward ;D

Hello again all,

Sorry for the delay, but I had to work. I just ran a full mbam scan, and I will post the results. It came up with no infected files, however, I still see things getting thrown into my avast chest. Should I still run OTL?

Absolutely - I need to determine the variant

Right-o. As soon as my daily Avast scan completes itself, I will run OTL and post that log. Thanks for your continued attention. What a wonderful community.

Here are the results from OTL. Also, I copied and pasted the stuff into the custom scans, but I don’t think CREATERESTOREPOINT made it for some reason…

And, for the record, my latest Avast full scan shows just two infected files:

C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini

much better than the 27 files I was at when this whole thing started on Saturday.

It is 12:50pm here in the UK, so essexboy will be in bed now, so it will be a bit of time zone ping pong again.

Okay, well I guess I will try to limit my computer use until he returns and we go at it again, lol. Just not sure if I can make normal use of it with the stuff going on or if I should play it safe.

I’m going to be out for a few hours today, but I will be around mostly.

Alright, I am back for the day, so I’ll be checking periodically on here. :slight_smile:

Hopefully it shouldn’t be too long before essexboy is on-line.

You appear to have run Combofix already - could you delete the current copy you have and download a fresh copy

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = CE 11 9F 0C B8 56 F2 4F B0 7D 99 D2 EF 5B 45 28 [binary data]
IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = CE 11 9F 0C B8 56 F2 4F B0 7D 99 D2 EF 5B 45 28 [binary data]
IE - HKU\S-1-5-21-1660330313-4259198909-711937205-1000\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = CE 11 9F 0C B8 56 F2 4F B0 7D 99 D2 EF 5B 45 28 [binary data]
[2011/12/11 20:43:32 | 000,012,560 | -HS- | M] () -- C:\Users\Cory\AppData\Local\781282f4y341m488x727r1iou1f7
[2011/12/11 20:43:32 | 000,012,560 | -HS- | M] () -- C:\ProgramData\781282f4y341m488x727r1iou1f7
[2011/12/11 01:09:30 | 000,012,560 | -HS- | C] () -- C:\Users\Cory\AppData\Local\781282f4y341m488x727r1iou1f7
[2011/12/11 01:09:30 | 000,012,560 | -HS- | C] () -- C:\ProgramData\781282f4y341m488x727r1iou1f7

:Reg
[HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]
XMLHTTP_UUID_Default=-
[HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]
XMLHTTP_UUID_Default=-
[HKU\S-1-5-21-1660330313-4259198909-711937205-1000\SOFTWARE\Microsoft\Internet Explorer\Main]
XMLHTTP_UUID_Default=-

:Files
ipconfig /flushdns /c
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.
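
The OTL script above names where this Sirefef variant had put its files: Desktop.ini in the GAC_32 and GAC_64 folders, consrv.dll in System32, the *.@ entries under assembly\tmp\U, and the kwrd.dll miner that MBAM flagged. The script below is an added example, not a tool from this thread, from OTL or from Avast; it checks a file listing for exactly those locations and reports them without deleting anything, which matches the thread's advice not to remove files without guidance. The sample listing is constructed here (the kernel32.dll and System.dll entries are stand-ins for clean files); `scan_windows_dir` is the only part that touches a real machine and assumes it is run elevated on the affected PC.

```python
"""Report-only check for the Sirefef (ZeroAccess) file locations named in this thread.
Added example, not a forum or OTL tool: it classifies paths and never deletes."""
import os
from pathlib import PureWindowsPath
from typing import Iterable, List, Optional, Tuple

# Paths relative to the Windows directory, lower-cased, taken from the scan
# output and the OTL :Files section posted in the thread.
EXACT_INDICATORS = {
    ("assembly", "gac_32", "desktop.ini"): "Win32:Sirefef payload flagged by Avast (GAC_32\\Desktop.ini)",
    ("assembly", "gac_64", "desktop.ini"): "Win64:Sirefef payload flagged by Avast (GAC_64\\Desktop.ini)",
    ("system32", "consrv.dll"): "Win64:Sirefef component (consrv.dll)",
    ("assembly", "temp", "kwrd.dll"): "PUP.BitMiner module flagged by MBAM (kwrd.dll)",
}


def classify(path: str) -> Optional[str]:
    """Return a description if `path` is one of the thread's indicators, else None."""
    parts = [part.lower() for part in PureWindowsPath(path).parts]
    try:
        start = parts.index("windows") + 1   # everything after the Windows directory
    except ValueError:
        return None                          # not under a Windows directory at all
    rel = tuple(parts[start:])
    if rel in EXACT_INDICATORS:
        return EXACT_INDICATORS[rel]
    # The Win32:DNSchanger-VJ hit was assembly\tmp\U\80000032.@; match any *.@ file there.
    if len(rel) == 4 and rel[:3] == ("assembly", "tmp", "u") and rel[3].endswith(".@"):
        return "Sirefef module store entry (assembly\\tmp\\U\\*.@)"
    return None


def find_sirefef_indicators(paths: Iterable[str]) -> List[Tuple[str, str]]:
    """Classify every path in a listing and return the (path, reason) hits."""
    hits = []
    for path in paths:
        reason = classify(path)
        if reason:
            hits.append((path, reason))
    return hits


def scan_windows_dir(windows_dir: str) -> List[Tuple[str, str]]:
    """Walk a real Windows directory (assumed: run elevated on the affected PC)."""
    listing = (os.path.join(dirpath, name)
               for dirpath, _dirs, files in os.walk(windows_dir)
               for name in files)
    return find_sirefef_indicators(listing)


# Constructed sample listing: the thread's five indicator paths plus clean files.
SAMPLE_LISTING = [
    r"C:\Windows\assembly\GAC_32\Desktop.ini",
    r"C:\Windows\assembly\GAC_64\Desktop.ini",
    r"C:\Windows\System32\consrv.dll",
    r"C:\Windows\assembly\tmp\U\80000032.@",
    r"C:\Windows\assembly\temp\kwrd.dll",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\assembly\GAC_32\System\2.0.0.0__b77a5c561934e089\System.dll",
    r"C:\Windows\assembly\Desktop.ini",   # not in the thread's list, so not reported
]

if __name__ == "__main__":
    for path, reason in find_sirefef_indicators(SAMPLE_LISTING):
        print(f"{path}\n    -> {reason}")
```

Because matching starts at the Windows directory rather than the drive letter, the same check works on an offline copy of the disk (for example D:\backup\Windows) mounted from a clean system, which is how a practitioner would inspect a machine that will not boot.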

I have included both the OTL logs from those two fixes/scans, as well as the combofix log.

Have the alerts now ceased?

They have, and I don’t see anything on any scans now. Thank you so much for your help and time.