Sirefef-PL: files encrypted

This morning Avast detected a virus named “Sirefef-PL” and then it froze completely while trying to fix it. Then I killed it (maybe I should not have) in order to plan a scan when Windows starts. When I restarted my computer, Avast detected some malware.

Now I realize that the virus has converted all my files (images, txt, videos, everything) into encrypted HTML files, making them impossible to read :(.
I don’t know if the virus is still there, but how can I recover my files? I really need to recover some of these important files.

Thank you in advance for your help.

Follow the guide and attach the logs. http://forum.avast.com/index.php?topic=53253.0

Hi,
Thank you for your answer.
I was assisted earlier by a professional who remotely connected and installed all these tools (ComboFix, Malwarebytes and TDSSKiller) and probably removed the virus. I plan to completely reinstall my system to make sure everything is clean, but actually I am very afraid about my files. When I open any file I am redirected to the website http://mblpcblock.in/ , where the virus asks me to pay for a decryptor. I don’t know what to do :(.

As Pondus said, attach your logs.

I was assisted earlier by a professional who remotely connected
The removal experts here are pros... they do this all day long. Essexboy is also a teacher/trainer in malware removal at the Geeks to Go forum.

Attach the requested logs and Essexboy may save you from a reinstall.

We need logs from:

  1. AdwCleaner
  2. Malwarebytes
  3. OTL
  4. aswMBR

If you have run ComboFix and TDSSKiller, attach those logs also.

Hi,

I understand your point. For sure, it would be good to get assisted again to avoid reinstalling my system, but how is that going to help me if I will not be able to recover my files? As I said, everything has been encrypted (images, pdf, text files, C, videos, …) on my computer, and additionally, some programs now refuse to start.

It is very, very sad for me. I don’t know if I have to pay the ransom, go to the police, or if there is a way to recover my files with external tools.

And this is what Essexboy will find out when you attach the requested logs.

Normally Sirefef does not encrypt files, so if I could see the OTL log I may be able to determine what the infection is.

I have the OTL log files; can I send them to you as a private message?

Thanks

Here is the OTL report.

Thanks

I see you have run ComboFix; could you attach that log please. Also, what form has the encryption taken? Are you totally unable to access any files?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following:

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:OTL
IE:64bit: - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2413}: "URL" = http://dts.search-results.com/sr?src=ieb&appid=0&systemid=413&sr=0&q={searchTerms}
IE - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2413}: "URL" = http://dts.search-results.com/sr?src=ieb&appid=0&systemid=413&sr=0&q={searchTerms}
IE - HKU\S-1-5-21-3943886371-291125763-3237842302-1000\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://www.delta-search.com/?q={searchTerms}&affID=119370&babsrc=SP_ss&mntrId=aa092a610000000000004a0f6ef9e591
[2013/03/06 19:31:41 | 000,001,294 | ---- | M] () -- C:\Users\Boris\AppData\Roaming\mozilla\firefox\profiles\o3cgbinl.default\searchplugins\delta.xml
[2013/03/06 19:31:25 | 000,006,484 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\babylon.xml
[2012/02/14 18:38:11 | 000,002,515 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\Search_Results.xml
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (no name) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No CLSID value found.
O2 - BHO: (SearchPredictObj Class) - {389943B0-C3A2-4E69-82CB-8596A84CB3DC} - C:\Program Files (x86)\SearchPredict\SearchPredict.dll (SpeedBit Ltd.)
O2 - BHO: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~2\WIA6EB~1\Datamngr\ToolBar\searchqudtx.dll File not found
O3 - HKLM\..\Toolbar: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~2\WIA6EB~1\Datamngr\ToolBar\searchqudtx.dll File not found
O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab (Reg Error: Value error.)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} Reg Error: Value error. (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab (Java Plug-in 1.6.0_32)
[2013/01/14 12:57:44 | 000,009,628 | -HS- | C] () -- C:\Users\Boris\AppData\Local\1pb78m8n6he1l1565b3k36w7o7of8ksb88y53s63tpqg0vl
[2013/01/14 12:57:44 | 000,009,628 | -HS- | C] () -- C:\ProgramData\1pb78m8n6he1l1565b3k36w7o7of8ksb88y53s63tpqg0vl

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Hi,

Find attached the report.

To reply:
I am not able to access any of my files (images, txt, pdf, …); please take a look at the attached file “code_test.txt” to see what the encryption looks like (extension manually changed by me from .txt.html to .txt for upload reasons). The original file was “code_test.txt” and it contained around 10 characters; now it has been renamed to code_test.txt.html and is completely impossible to read, and if opened it redirects me to the ransom website.

Thanks

OK, I am not sure what the name of this encryptor is, but it appears to be the Spamhaus one: http://www.bleepingcomputer.com/virus-removal/remove-spamhaus-ransomware

Could you confirm that it looks like this? Meanwhile I will ask around to see if anyone has beaten it yet.

Yes, it is exactly the same, or a slightly different variant.

Thanks

OK, the only apparent way around this is to do a System Restore from Safe Mode, then take it back to before the infection.

Starting here: Removal Option 1 - Safe Mode with Command Prompt Restore.
Could you follow the steps on this page… http://forums.anvisoft.com/viewtopic-54-4644-0.html

There is only one restore point available, and it was automatically created when I ran ComboFix. My disk space is almost full; that is probably the reason Windows didn’t keep previous restore points.

Until now I haven’t found anything that could help me recover my files. All kinds of things I have saved since the beginning of my life.


Sorry for mistakes, English is not my main language.

Unfortunately I have been unable to locate anything approaching a cure for this; it may well be a month or so before one of the labs cracks it, and then they will probably need to be very lucky.

This is the only option offered at the moment:

10. Unfortunately, at this time there is no decryptor for the files that have been encrypted by this malware. This means that you will need to restore from a backup or attempt to restore from a previous version using Windows. To restore from a previous version when there is no backup available, please rename the file to its original filename. Then right-click on it and select Properties. When the Properties window opens, click on the Previous Versions tab. You will now be shown a screen that lists any previous versions you may have of this file. If you find any, back up the existing encrypted file and then restore the previous version. Windows will then restore the older file and overwrite the encrypted one.

It looks like the first thing I can do is to rename all files to their original names, by removing the extra .html extension? Do you know a script that can do that?

This may work

http://www.addictivetips.com/windows-tips/batch-change-rename-file-extensions-in-windows/
http://download.cnet.com/Extension-Changer/3000-2072_4-10394272.html
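The rename step asked for above, as an added example that is not part of the original thread and not one of the linked tools. It only strips the extra ".html" the malware appended (code_test.txt.html back to code_test.txt) so that the Previous Versions tab in the BleepingComputer instructions can be tried on each file; it decrypts nothing. It runs on Windows with a stock Python 3 install. Assumptions: every wrapped file keeps its original extension before the ".html" (so a real page such as index.html is left alone because nothing remains after stripping), and a file whose original name already exists is skipped rather than overwritten. By default it only prints what it would do; pass --apply to rename for real, and keep a copy of the untouched encrypted files in case a decryptor appears later.

```python
"""Strip the extra ".html" that the ransomware appended to file names.

Added example for this thread, not the forum's or any linked tool's code.
It does NOT decrypt anything; it restores original names so that Windows
"Previous Versions" can be attempted per file. Dry run unless --apply.
"""
import os
import sys
from pathlib import Path
from typing import List, Optional, Tuple

HTML_SUFFIX = ".html"


def original_name(name: str) -> Optional[str]:
    """Return the pre-infection name, e.g. "photo.jpg.html" -> "photo.jpg".

    Returns None for names that do not look like a wrapped file: anything
    not ending in .html, and genuine pages like "index.html" where no inner
    extension remains after stripping (assumption: wrapped files always keep
    their real extension in front of the added .html).
    """
    if not name.lower().endswith(HTML_SUFFIX):
        return None
    stem = name[: -len(HTML_SUFFIX)]
    if not Path(stem).suffix:
        return None
    return stem


def plan_renames(root: Path) -> List[Tuple[Path, Path]]:
    """Walk root and collect (current_path, restored_path) pairs.

    A pair is skipped when a file with the restored name already exists in
    the same folder, so nothing is ever overwritten.
    """
    plan: List[Tuple[Path, Path]] = []
    for dirpath, _dirs, files in os.walk(root):
        existing = set(files)
        for name in files:
            restored = original_name(name)
            if restored is None or restored in existing:
                continue
            plan.append((Path(dirpath) / name, Path(dirpath) / restored))
    return plan


def apply_renames(plan: List[Tuple[Path, Path]], dry_run: bool = True) -> int:
    """Print each planned rename; perform it only when dry_run is False.

    Returns the number of files actually renamed.
    """
    done = 0
    for src, dst in plan:
        print(f"{src} -> {dst.name}")
        if not dry_run:
            os.rename(src, dst)  # dst was checked not to exist when planning
            done += 1
    return done


if __name__ == "__main__":
    args = [a for a in sys.argv[1:] if a != "--apply"]
    root = Path(args[0]) if args else Path(".")
    dry = "--apply" not in sys.argv
    renames = plan_renames(root)
    count = apply_renames(renames, dry_run=dry)
    note = " (dry run; add --apply to rename)" if dry else ""
    print(f"{len(renames)} file(s) planned, {count} renamed{note}")
```

Usage: `python strip_html.py "C:\Users\Boris\Documents"` to see the plan, then the same command with `--apply`. Run it against a copy of the affected folders first if disk space allows, since once renamed the file still contains only the encrypted HTML wrapper and the only recovery path on this page is a previous version or a backup.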