Sirefef Trojan - Site redirects and more damage to my laptop

Hi Experts,

My laptop (running Windows XP) has been infected with a Sirefef Trojan and none of the software (Avast, McAfee, Spyware Doctor, Microsoft Security Essentials, BitDefender) I have tried so far has helped in removing this Trojan, although they have been able to detect and protect every time a new malicious DLL gets into the C:\WINDOWS\System32 folder. This Trojan is seriously affecting web browsing with site redirects and is also affecting my wireless connectivity. I have currently disabled internet connections because when I am connected to the internet the Trojan is more active. I ran TDSSKiller.exe but it did not detect the Trojan. Please advise.

Regards,
Srisa

This needs further analysis by a malware removal specialist:
Go to this topic http://forum.avast.com/index.php?topic=53253.0 for information on Logs to assist in cleaning malware. Use the information about getting and using the tools and attach the logs here, not in the LOGS topic.

Given you have now thrown the kitchen sink of AVs at it, if there were installed versions (not web-based scans) you have to ensure that you have removed all remnants of these AVs, or they in themselves could lead to conflict, leaving your system less well protected.

Monitoring

Thank you. I have been having trouble connecting to the internet with the affected laptop. I will have to download these files on a different laptop and transfer them to the affected laptop to run the scan. Please do not close the thread as it might take 6 to 8 hrs for me to post the required files.

We never close - Prior to transferring files from one computer to the other, disinfect the flash drive with Panda Vaccinate http://www.pandasecurity.com/homeusers/downloads/usbvaccine/
Instructions are on the page

Thanks. I have attached logs of Malwarebytes’ Anti-Malware and OTL here. Malwarebytes’ Anti-Malware found a few issues and they got fixed.
aswMBR.exe showed 3 defects and a FIX option. I have shared logs of the same. Please advise me on handling/fixing it.

P.S:- I am attaching the logs in the next few messages due to upload limit

OTL first log

OTL extras log and aswMBR log

You said Malwarebytes found some bugs and fixed them!
You should attach that log also…

Here it is. The log obtained when MalwareBytes’ Anti-Malware was run the first time …

Any help? Please.

You’ve to wait until essexboy returns. :wink:

Remember that we are not all in the same time zone
http://www.timeanddate.com/worldclock/city.html?n=136

Essexboy is located in UK

OK, it looks to be TDL3/ZeroAccess attached to the afd.sys file

Could you confirm that you set this proxy setting: proxy-phoenix.aexp.com

Anyway, three programmes to run now in sequence

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
O33 - MountPoints2\{a7be5ea0-7566-11e0-9b73-0026c6d908ae}\Shell\AutoRun\command - "" = nasmejana//sharmira.exe
O33 - MountPoints2\{a7be5ea0-7566-11e0-9b73-0026c6d908ae}\Shell\Explore\command - "" = nasmejana//sharmira.exe
O33 - MountPoints2\{a7be5ea0-7566-11e0-9b73-0026c6d908ae}\Shell\Open\command - "" = nasmejana//sharmira.exe

:Files
ipconfig /flushdns /c

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download the latest version of TDSSKiller from here and save it to your Desktop.

[*]Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_1.jpg

[*]Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_2.jpg

[*]Click the Start Scan button.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_3.jpg

[*]If a suspicious object is detected, the default action will be Skip, click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_4.jpg

[*]If malicious objects are found, they will show in the Scan results and offer three (3) options.
[*]Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_5.jpg

[*]Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

A report will be created in your root directory, (usually C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste its contents on your next reply.

AND FINALLY

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks
[*]Allow the installation of the recovery console

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion, then reboot; that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now
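The O33 lines in the OTL fix above are MountPoints2 shell verbs: per-volume registry keys under the user's profile where Windows remembers what AutoRun, Open and Explore should launch for a removable drive, and where a USB worm binds those verbs to an executable carried on the stick. The following is an added example, not part of this thread and not code from the OTL, TDSSKiller or ComboFix authors. It is a read-only PowerShell check (PowerShell 2.0 or later with the Registry provider is assumed) that lists every such command for the current user, flags commands that point at a relative .exe rather than a fixed path, and also prints the user's WinINET proxy settings so the proxy-phoenix.aexp.com value asked about above can be compared against what the registry actually holds. The GUID and file name from the fix are used only as strings to match; nothing is deleted.

```powershell
# Added example (not from the thread). Read-only: enumerates MountPoints2
# shell commands and the current user's proxy; deletes nothing.
$MountPoints2 = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
# Taken from the OTL fix in the thread, used here only for matching.
$KnownBadKey  = '{a7be5ea0-7566-11e0-9b73-0026c6d908ae}'
$KnownBadExe  = 'sharmira.exe'

function Get-MountPointShellCommands {
    # One object per <Volume>\Shell\<Verb>\command whose default value is non-empty.
    param([string]$Root = $MountPoints2)
    if (-not (Test-Path -Path $Root)) { return @() }
    foreach ($vol in Get-ChildItem -Path $Root -ErrorAction SilentlyContinue) {
        $shellPath = "$($vol.PSPath)\Shell"
        if (-not (Test-Path -Path $shellPath)) { continue }
        foreach ($verb in Get-ChildItem -Path $shellPath -ErrorAction SilentlyContinue) {
            $cmdPath = "$($verb.PSPath)\command"
            if (-not (Test-Path -Path $cmdPath)) { continue }
            $cmd = (Get-ItemProperty -Path $cmdPath -ErrorAction SilentlyContinue).'(default)'
            if ([string]::IsNullOrEmpty($cmd)) { continue }
            [pscustomobject]@{
                Volume     = $vol.PSChildName
                Verb       = $verb.PSChildName
                Command    = $cmd
                # Heuristic: a command naming a .exe without a drive-letter path
                # runs a file that lives on the removable media itself.
                Suspicious = ($cmd -match '\.exe' -and $cmd -notmatch '^"?[A-Za-z]:\\')
            }
        }
    }
}

function Get-UserProxySetting {
    # WinINET per-user proxy, the same values Internet Options shows.
    $p = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ProxyEnable   = $p.ProxyEnable
        ProxyServer   = $p.ProxyServer
        AutoConfigURL = $p.AutoConfigURL
    }
}

$hits = @(Get-MountPointShellCommands)
if ($hits.Count -eq 0) {
    'No MountPoints2 shell commands present.'
} else {
    $hits | Format-Table -AutoSize
    $hits | Where-Object { $_.Volume -eq $KnownBadKey -or $_.Command -like "*$KnownBadExe*" } |
        ForEach-Object { "Matches the thread's O33 entries: $($_.Volume) $($_.Verb) -> $($_.Command)" }
}
Get-UserProxySetting

# Removing a confirmed-bad volume key by hand is what OTL's O33 fix does;
# drop -WhatIf only after confirming the GUID belongs to the infected stick.
# Remove-Item -Path (Join-Path $MountPoints2 $KnownBadKey) -Recurse -WhatIf
```

A non-empty AutoRun command is not malicious on its own, since Windows writes these keys for any volume with a valid autorun.inf, so treat the Suspicious flag as a prompt to look at the file it names, not as a verdict. The proxy output belongs in the same check because a redirecting infection often shows up as a ProxyServer or AutoConfigURL the user never set.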

Thanks for the reply, essexboy.

The proxy is a known proxy and I had it in the browser settings.

I started executing the OTL fix. How long should it take to run? Last time when I ran OTL, it didn’t take this long.

Is it stuck on the empty temp command? If so, then stop OTL and proceed with the other bits ;D

After I executed OTL, the laptop has frozen. No response whatsoever.

OK, reboot and proceed directly to TDSSKiller

After I rebooted, I can’t see the desktop icons and the laptop freezes again. Can’t do any action.

OK, can you get to safe mode?

All OTL did was remove some references to an infected USB drive