Sirefef spyware

Hi there,

A friend of mine has the Sirefef spyware. Removed it with many tools but it keeps coming back.

Could use some help :slight_smile: Not sure where to start, so could someone assist me? That would be nice, thanks :slight_smile:

Please attach your/his logs.
http://forum.avast.com/index.php?topic=53253.0

Yeah :slight_smile: My bad, I just read that after posting :stuck_out_tongue: Too quick.

Is it OK to log in to the forum from the infected computer? I’ve heard about password stealers so I don’t want to take any risk. What do you suggest?

I’d use my USB flash drive but I’m afraid that might get infected as well.

Wanted to start the computer to get the logs, but I’m getting this BSOD :S

STOP: C0000135 The program can’t start because %hs is missing. Try reinstalling the program

Don’t have any working recovery points :frowning:

Try to start in safe mode.

Same problem. Also tried booting with the Win7 CD and trying repair. Same problem.

Chkdsk doesn’t work either. I’ve had this problem before when I tried to delete it, but I could always restore it with the system recovery. For some reason they are all gone now.

Does anyone know what’s being edited when you delete the virus by, let’s say, MS Security Essentials?

Maybe I can manually restore it with a reg editor or some other tool.

Thanks in advance :slight_smile:

As you already used “many tools”, it’s very hard to tell without any logs.
Maybe essexboy can help you, I’ll inform him about this thread.

I’ll do my best to retrace my steps :slight_smile:

First I looked in these forums for a case similar to mine.

I used aswMBR to scan and it deleted some files:

c:\windows\system32\consrv.dll
C:\Windows\assembly\GAC_64\Desktop.in
C:\Windows\assembly\GAC_32\Desktop.ini

Combofix did the same.

Then I ran MBAM, which found files in my temp folder (don’t remember which, sorry).

After that I wanted to reboot and saw in a flash that Windows Update was installing 2 updates.
After that I saw (very quickly) something about the registry, Windows rebooted and now I’ve got this problem with the %hs thingy.

The only recovery point I’ve got is from the Windows update, but when I try to restore that, it won’t work.

Managed to recover some MBAM logs; they found these:

C:\Windows\Temp\qvxqjy\setup.exe

HKLM\system\CurrentControlset\Services\AMService

Trojan vupx tp2 (will be deleted on reboot)

C:\windows\Assembly\temp\twl.dll

pup.bitminer

Hope it’s useful.

OK, first let’s try to get you rebooted.

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  1. Restart the computer.
  2. As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  3. Use the arrow keys to select the Repair your computer menu item.
  4. Select English as the keyboard language settings, and then click Next.
  5. Select the operating system you want to repair, and then click Next.
  6. Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

  1. Insert the installation disc.
  2. Restart your computer.
  3. If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  4. Click Repair your computer.
  5. Select English as the keyboard language settings, and then click Next.
  6. Select the operating system you want to repair, and then click Next.
  7. Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

  1. Select Command Prompt.
  2. In the command window type in notepad and press Enter.
  3. The notepad opens. Under the File menu select Open.
  4. Select “Computer”, find your flash drive letter and close the notepad.
  5. In the command window type e:\frst.exe (for the x64 bit version type e:\frst64) and press Enter.
     Note: Replace letter e with the drive letter of your flash drive.
  6. The tool will start to run.
  7. When the tool opens click Yes to the disclaimer.
  8. Press the Scan button.
  9. It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Managed to get in by editing the reg key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Subsystems

It was saying consrv instead of winsrv.

Now finally, here are the logs :slight_smile:

ASWMBR log
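The registry edit described in the post above is the crux of the boot failure in this thread: Sirefef (ZeroAccess) rewrote the Win32 subsystem definition so that the console server was loaded from its own consrv.dll instead of winsrv, and once a removal tool deleted consrv.dll without restoring the value, csrss.exe could no longer start, which is the STOP C0000135 “%hs is missing” screen. The following is an added example, not code from the thread or from any of the tools named in it, that audits a Subsystems\Windows value for exactly that pattern and shows the repair. The expected server DLL set (basesrv, winsrv, sxssrv) is an assumption for a stock Windows 7 x64 value, and both sample strings are constructed for the example:

```python
"""Audit the Win32 subsystem value for the Sirefef/ZeroAccess 'consrv' hijack.

Constructed example (not code from the thread or from any removal tool).
Sirefef pointed the ConServerDllInitialization ServerDll entry at its own
consrv.dll; deleting that DLL without repairing the registry value leaves
csrss.exe unable to load it, which is the STOP c0000135 "%hs is missing" BSOD.
"""
import re
import sys

# Server DLLs a stock Windows 7 x64 Subsystems\Windows value loads (assumption).
EXPECTED_SERVER_DLLS = {"basesrv", "winsrv", "sxssrv"}

# ServerDll=<dll>[:<init-function>],<index>
SERVER_DLL_RE = re.compile(r"ServerDll=([^:,\s]+)(?::([^,\s]+))?,(\d+)")


def parse_server_dlls(value):
    """Return [(dll, init_function_or_None, index)] in order of appearance."""
    return [(m.group(1).lower(), m.group(2), int(m.group(3)))
            for m in SERVER_DLL_RE.finditer(value)]


def audit_subsystems_value(value):
    """Return a list of findings; an empty list means the value looks stock."""
    findings = []
    entries = parse_server_dlls(value)
    if not entries:
        return ["no ServerDll entries found; value is malformed"]
    for dll, init, _ in entries:
        if dll not in EXPECTED_SERVER_DLLS:
            findings.append(f"unexpected server DLL '{dll}' (init={init})")
        # The console server lives in winsrv; any other DLL claiming
        # ConServerDllInitialization is the hijack pattern seen in the thread.
        if init == "ConServerDllInitialization" and dll != "winsrv":
            findings.append(
                f"ConServerDllInitialization redirected to '{dll}' instead of winsrv")
    return findings


def repair_subsystems_value(value):
    """Point ConServerDllInitialization back at winsrv; everything else is left as is."""
    return re.sub(r"ServerDll=[^:,\s]+:ConServerDllInitialization,",
                  "ServerDll=winsrv:ConServerDllInitialization,", value)


# Constructed samples: a stock Windows 7 x64 value and one edited the way the thread describes.
STOCK_VALUE = (
    r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
    "SharedSection=1024,20480,768 Windows=On SubSystemType=Windows "
    "ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
    "ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 "
    "ProfileControl=Off MaxRequestThreads=16"
)
HIJACKED_VALUE = STOCK_VALUE.replace(
    "ServerDll=winsrv:ConServerDllInitialization,2",
    "ServerDll=consrv:ConServerDllInitialization,2")


def read_live_value():
    """On Windows, read the real value (read-only) from the registry; None elsewhere."""
    if sys.platform != "win32":
        return None
    import winreg  # standard library, Windows only
    key_path = r"SYSTEM\CurrentControlSet\Control\Session Manager\Subsystems"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        value, _ = winreg.QueryValueEx(key, "Windows")
        return value


if __name__ == "__main__":
    for label, value in (("stock sample", STOCK_VALUE),
                         ("hijacked sample", HIJACKED_VALUE),
                         ("this machine", read_live_value())):
        if value is None:
            continue
        findings = audit_subsystems_value(value)
        print(f"{label}: {'OK' if not findings else '; '.join(findings)}")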

Was it HitmanPro that was the last tool used?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
SRV:64bit: - [2009-07-14 02:39:46 | 000,006,656 | ---- | M] (Oak Technology Inc.) [Auto | Running] -- C:\Windows\SysNative\SE26mdfl.dll -- (zpaction)
NetSvcs:64bit: zpaction - C:\Windows\SysNative\SE26mdfl.dll (Oak Technology Inc.)
[2012-02-18 13:13:38 | 000,000,000 | -HS- | M] () -- C:\Windows\SysNative\dds_trash_log.cmd
[2012-02-07 13:45:54 | 000,000,112 | ---- | M] () -- C:\ProgramData\5V8tDVG.dat

:Files
ipconfig /flushdns /c
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


  • Then click the Run Fix button at the top.
  • Let the program run unhindered, reboot the PC when it is done.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Run the MSFixit on this page http://support.microsoft.com/kb/811259 (about halfway down)

Yes I ran Hitmanpro in an earlier stage.

Logs coming up

That destroyed my Windows :slight_smile: resulting in BSODs. Any other ideas? :wink:

Can you select System Restore please from the safe boot menu?

Then we will try a different way

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

Combofix deleted some things… But this happened before, so not sure if I’m clean.

Going to do a fresh install of Avast Antivirus Free to see what happens.

The reason Combofix does not appear to work is that it misses the protection driver, which needs to be removed manually.

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\Windows\SysNative\SE26mdfl.dll
C:\Windows\SysNative\dds_trash_log.cmd

NetSvc::
zpaction

Driver::
zpaction

Save this as CFScript.txt, in the same location as ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Log as requested

OK could you run the same combofix script please for a second time…

Once that has completed could you let me know what problems remain