Win32:Sirefef-AO, and Win64:Sirefef-A and others?

Hi All,
Need some expert help with this one. :-[

I usually run MBAM weekly, never picks anything up.
Looked at some resume/job sites a few days ago and IE shut down unexpectedly :o
Checked with Process Explorer, and a couple of svchost.exes were popping up from nasty-looking sources such as:
\\.\globalroot\systemroot\installer\{99d6c928-147d-54d5-377f-bd821ed462e7}\U
so I would cancel them as soon as they popped up, and went looking for info on net…

checked registry for “globalroot” and found two keys
HKCR and HKLM\software\classes\CLSID\{99d6c928-147d-54d5-377f-bd821ed462e7}\InprocServer32
\\.\globalroot\systemroot\installer\{99d6c928-147d-54d5-377f-bd821ed462e7}\n.

updated MBAM, full scan = nothing?
DL’d AVAST free version and quick scan found nothing, but it would block Win32:Sirefef-AO, and Win64:Sirefef-A from running every 5 minutes.
tried TDSSKiller and it found sptd.sys locked, but nothing else I can remember…

then did a full system scan with AVAST and found:
Win32:Dropper-gen in \local settings\temp\tempfiles.exe
HTML:RedirME-inf in \temp internet files
Win32:Malware-gen in \program files\Winace\order.exe|>[ASPack]
Win32:Krap-AIL in PSFactoryBuffer.exe (I had already deleted it)
Then the big ones,
Win64:Sirefef-A in \windows\installer\{99d6c928-147d-54d5-377f-bd821ed462e7}\U\80000000.@
Win32:Sirefef-AO in \windows\installer\{99d6c928-147d-54d5-377f-bd821ed462e7}\U\800000cb.@

Then did a boot-time scan with AVAST and found 2 more:
Win32:Malware-gen in C:\System Volume Information\restore{F3916368-82B8-44E9-A6BE-254B11BEFE11}\RP1807\A014070.exe|>[ASPack]
Win32:Krap-AIL in C:\System Volume Information\restore{F3916368-82B8-44E9-A6BE-254B11BEFE11}\RP1807\A014071.exe
disabled system restore after seeing that.

Did aswMBR and it found \windows\system32\hkcmd.exe was infected with Win32:Malware-gen

Then did more MBAM/TDSS etc. and not really finding anything, but the threats for the two Sirefefs would come up every 5 mins when connected to the net, or when opening a new browser tab in IE (and maybe Chrome?)

Uninstalled Java (was out of date) and installed the new one, and was fine for an hour or so, then the Sirefef threats started popping up again in AVAST.

Did another boot-time scan in AVAST and this time it found:

Win32:Hoblig-B in \documents and settings\owner\local settings\temp\apart.dll

Now, am getting the two sirefef threats continually popping up every 5 mins with net cable plugged in.

followed log advice here http://forum.avast.com/index.php?topic=53253.0
logs for MBAM, aswMBR and TDSS are attached.

OTL won’t run and gives error:

Exception EReadError in module OTL.exe at 00016A6B
Error reading DiskPartitionInfo1.Active: .

what can I do??? any and all help appreciated!!
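The indicators in the post above (a CLSID whose InprocServer32 points at a `\\.\globalroot\...\installer\{GUID}\` path with a non-DLL file name like `n.` or `80000000.@`) can be hunted offline. The following is an added example, not a tool from this thread or from Avast: it assumes you ran `reg export HKCR\CLSID clsid.reg` on the suspect machine (ideally from a PE boot, where the rootkit is not running) and analyse the export on a clean PC, which sidesteps the file/key hiding the poster ran into when hkcmd.exe uploaded as 0 KB. The sample `.reg` content below is constructed; the benign Shortcut entry is only there as a control, and the GUID reused from the thread is the only real value.

```python
"""Hunt ZeroAccess/Sirefef-style CLSID hijacks in a .reg export.

Added example (not from the thread). Assumes the registry was exported
on the suspect box with:  reg export HKCR\CLSID clsid.reg
and is analysed on a clean machine, where the rootkit cannot hide keys.
"""
import re

# Constructed sample of a .reg export (real exports are UTF-16; decoded here).
# The Shortcut CLSID is a benign control. The second key reproduces the
# InprocServer32 value quoted in the thread. In .reg syntax every backslash
# is doubled, so \\.\globalroot appears as \\\\.\\globalroot.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}]
@="Shortcut"

[HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}\InprocServer32]
@="%SystemRoot%\\system32\\SHELL32.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{99d6c928-147d-54d5-377f-bd821ed462e7}]

[HKEY_CLASSES_ROOT\CLSID\{99d6c928-147d-54d5-377f-bd821ed462e7}\InprocServer32]
@="\\\\.\\globalroot\\systemroot\\installer\\{99d6c928-147d-54d5-377f-bd821ed462e7}\\n."
"ThreadingModel"="Both"
'''

GUID_RE = re.compile(r'\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}', re.I)
# %SystemRoot%\Installer\{GUID}\ holds .msi/.msp caches, never COM servers.
INSTALLER_GUID_DIR = re.compile(
    r'\\installer\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\\', re.I)
# Extensions a legitimate in-process COM server file normally carries.
NORMAL_EXT = ('.dll', '.ocx', '.exe', '.ax', '.cpl')


def reg_unescape(value):
    """Undo .reg string escaping: \\\\ -> \\ and \\" -> " ."""
    return re.sub(r'\\(.)', r'\1', value)


def classify_server_path(path):
    """Return the reasons an InprocServer32 path looks hijacked ([] if clean)."""
    reasons = []
    low = path.lower()
    # Device-namespace paths bypass drive letters; real servers use C:\ or %SystemRoot%.
    if low.startswith('\\\\.\\globalroot\\') or low.startswith('\\??\\'):
        reasons.append('globalroot')
    if INSTALLER_GUID_DIR.search(low):
        reasons.append('installer_dir')
    name = low.rsplit('\\', 1)[-1]
    if not name.endswith(NORMAL_EXT):          # e.g. "n." or "80000000.@"
        reasons.append('odd_extension')
    return reasons


def find_suspicious_inproc(reg_text):
    """Walk a .reg export and flag suspicious InprocServer32 default values."""
    findings = []
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            current_key = line[1:-1]
            continue
        if current_key is None or not current_key.lower().endswith('\\inprocserver32'):
            continue
        m = re.match(r'@="(.*)"$', line)       # the (Default) value of the key
        if not m:
            continue
        server = reg_unescape(m.group(1))
        reasons = classify_server_path(server)
        if reasons:
            g = GUID_RE.search(current_key)
            findings.append({'clsid': g.group(0) if g else None,
                             'key': current_key,
                             'server': server,
                             'reasons': reasons})
    return findings


if __name__ == '__main__':
    for hit in find_suspicious_inproc(SAMPLE_REG):
        print(hit['clsid'], hit['server'], ','.join(hit['reasons']))
```

The three heuristics are deliberately independent: a clean box may legitimately have an unusual extension somewhere, but a server under `\Installer\{GUID}\` reached through `\\.\globalroot` is the combination seen in this thread, so a hit carrying all three reasons is the one to act on first, and the CLSID it names is what a specialist would want quoted in your next reply.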

OTL won't run and gives error:
Try running OTL in safe mode....

malware removers are notified :wink: may be several hours waiting time before they arrive

Thanks!

when getting into safe mode, it prompts “press ESC to cancel loading SPTD.SYS”
I pressed ESC and eventually it goes into safe mode.

OTL didn’t run, same error as before. (edit: this was OTL.exe, I did not try the .com or .scr versions)

downloaded again from http://www.geekstogo.com/forum/files/file/398-otl-oldtimers-list-it/ but still no go (from desktop or from USB)

you have the ZeroAccess rootkit infection, and this needs a specialist to remove it

don’t run any more tools, wait for instructions

if you click the “notify” button at top or bottom here…you should get a message when you get a reply here :wink:

notify is on, will wait for further instructions :slight_smile:

bugger, was hoping it wouldn’t be that…

edit: while I remember, when Avast blocks the recurrent sirefef threats, it says the process causing it was explorer.exe

you may check your “explorer.exe” by uploading to http://virusscan.jotti.org/en and testing with 20+ malware scanners
alternative “http://metascan-online.com/” virustotal seems to be under maintenance for the moment
when you have the result, copy the URL in the address bar and post it here for us to see

PC is in safemode now, and I’m hesitant to boot to normal mode and connect to net again…

I tried with hkcmd.exe before to virustotal, but the uploaded file was 0kb (is 160k in explorer) and nothing detected…

If I copy explorer.exe to USB, then send from second PC, is that ok? or danger to second PC? will zeroaccess allow the infected file to be sent, or will send the “spare” real copy?

If I copy explorer.exe to USB, then send from second PC, is that ok? or danger to second PC? will zeroaccess allow the infected file to be sent, or will send the "spare" real copy?
it is not important to do, just out of curiosity to see if it is infected. The malware remover will see where the infection is located from the logs, so just wait. Essexboy should be here in about 4 hours

ok, it will all come out in the wash later :slight_smile:
no worries, I’ll set an alarm to wake up around that time then. thanks!

Hi, let’s try a different OTL scan. If this should fail as well, do you have access to a USB stick that we could use, or a CD?
As it is hanging on the partition inspection you may have more than Sirefef

• Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
• Select All Users
• Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
consrv.dll
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
C:\Windows\assembly\tmp\U\*.* /s
%Temp%\smtmp\1\*.*
%Temp%\smtmp\2\*.*
%Temp%\smtmp\3\*.*
%Temp%\smtmp\4\*.*
CREATERESTOREPOINT

• Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won’t take long.
• When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
• Post both logs

Hi Essexboy, (sorry for the late reply, is morning here)

I tried running OTL.exe and OTL.com in safe and normal mode, from desktop and USB, and all get same partition read error :frowning:
.scr is associated with autocad, so changing that now, and finding a CD.

any other listing things we could try?

OTL.exe .com and .scr run from CD, desktop and USB all get error reading DiskPartitionInfo1.Active:
(This is running in normal mode. should I try safemode as well?)

worth trying OTLPENet to boot from CD and run OTL?

edit:
Ran Gmer for a quick look. this came up in red
Library c:\windows\system32\n (*** hidden ***) @ C:\WINDOWS\Explorer.EXE [3528] 0x45670000

Sounds like we’re having very similar troubles. Let me know if you have any luck in beating this thing!

http://forum.avast.com/index.php?topic=98472.0

ran OTL PE version 3.1.48.0 from bootable CD (REATOGO-X-PE desktop)

only OTL.txt was produced, and is attached
edit: default settings were “use safelist” for services/drivers/standard registry, and “none” for extra registry
File scan settings - 30 days/use no-company-name whitelist/ created/modified within “file age”, + LOP check, +purity check

re-ran with extra registry set to “use safelist” and have attached as OTL2.txt (almost same) and Extras2.txt

extras2.txt (didn’t fit in last attachment)

Thanks for that. It appears that some systems have problems coping with the partition-reading directive, so I will remove that from my scans

Run OTL from normal mode please - it will work now

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run
To disable MBAM
Open the scanner and select the protection tab
Remove the tick from “Start with Windows”
Reboot and then run OTL

http://i1224.photobucket.com/albums/ee362/Essexboy3/mbamstop.jpg

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
O3 - HKLM\..\Toolbar: (jBrowse Toolbar) - {9E5BD40E-6287-11D6-9772-0002A5DD2483} - C:\Program Files\jBrowse\JBO.dll ()
O3 - HKU\Owner_ON_C\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\Owner_ON_C\..\Toolbar\WebBrowser: (AzbyClub?????(&A)) - {3DB1C21B-A7E0-4C3F-B39E-E00DD8792D90} - C:\Program Files\@nifty toolbar\ntoolbar.dll (NIFTY Corporation)
O3 - HKU\Owner_ON_C\..\Toolbar\WebBrowser: (jBrowse Toolbar) - {9E5BD40E-6287-11D6-9772-0002A5DD2483} - C:\Program Files\jBrowse\JBO.dll ()
O4 - HKLM..\Run: [csclem] C:\Documents and Settings\Owner\Local Settings\Temp\csclem.dll (DT Soft Ltd)

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

• Double click on ComboFix.exe & follow the prompts.
• Accept the disclaimer and allow it to update if it asks
• Allow the installation of the recovery console

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

• When finished, it shall produce a log for you.
• Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

MBAM disabled, but OTL still will not run under normal mode.

Should I try safe mode?
and if that fails, then try OTLPE from the boot disc again, but with the fix code?

No go direct to combofix please

ok, doing now.
Thanks muchly :slight_smile: