Win32:Sirefef-PL [Rtk] and Win32:Malware-gen

Hello,

I’ve been having problems for a couple of days with some virus that just won’t get off my computer. I have already tried several scanning tools (Kaspersky, Avast!, Avast! Anti-Rootkit). The Avast! boot scan was able to get Win32:DNSChanger-VJ [Trj] off my computer, and I used Comodo to block all communications that this virus uses. Most of the IPs are on global blacklists, so I figured it would be best to block them. I can’t seem to find the .exe that causes all this; all I see is services.exe making a lot of traffic and CPU/RAM load.

The Avast! Anti-Rootkit (aswMBR.exe) crashes after a couple of minutes (screenshot). My computer is up to date, but I just can’t install the last Windows Update (which is for Windows Defender, update no. KB915597).

This is all that Avast currently finds:

http://puu.sh/vYGG

Malwarebytes-Log:
Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.21.02

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Andre Meyer :: ANDRESPC [administrator]

21.05.2012 17:32:54
mbam-log-2012-05-21 (17-32-54).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 224998
Time elapsed: 36 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Thanks in advance.

Both resident malware experts (killers) have been notified. Please be patient.

Hi there, let me know what problems you are having after this run please.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

If you have Malwarebytes 1.6 or better installed, please disable it for the duration of this run.
To disable MBAM:
Open the scanner and select the Protection tab
Remove the tick from “Start with Windows”
Reboot and then run OTL

http://i1224.photobucket.com/albums/ee362/Essexboy3/mbamstop.jpg

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
IE - HKCU\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/?q={searchTerms}&AF=108921&babsrc=SP_ss&mntrId=6c6df38500000000000000ff790982ad
[2012.03.19 23:21:10 | 000,002,310 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\babylon.xml
@Alternate Data Stream - 972 bytes -> C:\ProgramData\Microsoft:0M0aB7DRMQqtwweQ9MMakYa
@Alternate Data Stream - 950 bytes -> C:\ProgramData\Microsoft:aJHIR6GKERPYvzaoAZG8PyG
@Alternate Data Stream - 1108 bytes -> C:\ProgramData\Microsoft:qpLQKhKakD20XF5A2JEsKWMcnrC3I
@Alternate Data Stream - 1075 bytes -> C:\ProgramData\Microsoft:STap8JBNmlrBywdozLyck
@Alternate Data Stream - 1071 bytes -> C:\Program Files\Common Files\System:jBBlIshD99QfpoPDrMk6
@Alternate Data Stream - 1056 bytes -> C:\ProgramData\Microsoftes3FbiwWTwSzsiK5VTe6H71N
@Alternate Data Stream - 1053 bytes -> C:\Users\Andre Meyer\AppData\Local\Temp72dkFyeXVHSmRqB10AU84QaqDEn
@Alternate Data Stream - 1040 bytes -> C:\ProgramData\Microsoft:Z59KvY4rIgEoWm1p8oLnHn8
@Alternate Data Stream - 1039 bytes -> C:\Program Files (x86)\Common Files\microsoft shared:Vo5xBHbWzXI6gOWesLg
@Alternate Data Stream - 1006 bytes -> C:\Users\Andre Meyer\AppData\Local\Temp:TZSkeIYb7n89VpQngNaufcA8Bc
@Alternate Data Stream - 1005 bytes -> C:\Program Files\Common Files\System:T3wLOoaBfWGhwCz9Em1

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.
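The OTL fix above lists a number of alternate data streams (ADS) hanging off directories such as C:\ProgramData\Microsoft and C:\Program Files\Common Files\System. The following PowerShell snippet is an added example, not part of the thread or of OTL, that lets a technician confirm those streams are gone after the fix (or spot new ones). It assumes PowerShell 3.0 or later for `Get-Item -Stream` (Windows 7 ships with 2.0, so the WMF 3.0 update is assumed to be installed), an elevated prompt, and that `$env:LOCALAPPDATA\Temp` stands in for the user's Temp folder from the log.

```powershell
# Added example: enumerate alternate data streams on the directories the OTL
# listing above names. Requires PowerShell 3.0+ (Get-Item -Stream) and an
# elevated prompt for the Program Files / ProgramData locations.

$targets = @(
    'C:\ProgramData\Microsoft',
    'C:\Program Files\Common Files\System',
    'C:\Program Files (x86)\Common Files\microsoft shared',
    "$env:LOCALAPPDATA\Temp"   # assumed equivalent of C:\Users\<name>\AppData\Local\Temp
)

function Get-SuspiciousStreams {
    param([string[]]$Paths)
    foreach ($path in $Paths) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        # -Stream * lists every named stream on the directory itself.
        # ':$DATA' is the ordinary file content; Zone.Identifier is the harmless
        # "downloaded from the Internet" mark, so both are filtered out.
        Get-Item -LiteralPath $path -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -notin ':$DATA', 'Zone.Identifier' } |
            Select-Object FileName, Stream, Length
    }
}

$found = Get-SuspiciousStreams -Paths $targets
if ($found) {
    $found | Format-Table -AutoSize
    # Inspect a stream before removing it:
    #   Get-Content -LiteralPath <FileName> -Stream <Stream> -Encoding Byte
    # Remove-Item -LiteralPath <FileName> -Stream <Stream> deletes only that stream,
    # leaving the directory and its normal content untouched.
} else {
    'No unexpected alternate data streams found under the listed directories.'
}
```

The sizes reported should match the byte counts in the OTL output if the streams are still present; an empty result after the fix and reboot confirms the :Commands section did its job.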

Here is the OTL.txt.

After Running Combofix:

Also, there is no “C:\ComboFix.txt”, but "C:\Combofix" exists.
There were some problems while running ComboFix.

I made screenshots of the Errors:

Screenshot1

Screenshot2
Says: “Nircmd.exe” not found. Check the name and repeat etc.

Screenshot3
Pev.3ex crashed

Screenshot4

And the computer is running a bit faster now. Well, all autostart programs like Skype, Steam and Dropbox start instantly, and not after ~1 minute like before. (Overall computer speed is the same, fast. Or it’s not noticeable.)
Also services.exe is still trying to connect to weird mostly blacklisted IPs:

Screenshot
(Blocked about 950 tries in 30 minutes.)

I tested some of the IPs with this site: http://whatismyipaddress.com/blacklist-check

Also thanks for helping out!

Could you disable Comodo please, as it is blocking ComboFix from running.

I did. As described, I right-clicked the Comodo icon and clicked Exit.

Should I try to run Combofix again? (Of course with all protection disabled.)

Yes please, or failing that run it from safe mode

Okay!

I had to run it in safe mode. ComboFix said that Comodo is running, but I looked in the tray and in Task Manager under Processes and Services, and there was no sign of Comodo running anything.
Everything went smoothly without any errors.

Computer is running fine. But services.exe is still acting weird.

Combofix.txt attached.

Yes, there is a size disparity; I will get ComboFix to do a switch. Also, do you want the Babylon toolbar?

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
FCopy::
c:\windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe|c:\windows\system32\services.exe
Save this as CFScript.txt, in the same location as ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt, which I will require in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
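The FCopy:: script above replaces the live services.exe with the clean copy kept in the Windows component store (WinSxS) because the two differed in size. The following PowerShell is an added example, not from the thread or from ComboFix, that performs the same comparison read-only so the disparity can be confirmed before, and its absence verified after, the switch. It is written to run on PowerShell 2.0 (Windows 7 default, so no Get-FileHash) and uses the paths from the post; the WinSxS folder name is looked up by wildcard rather than hard-coded, since that suffix is specific to this system.

```powershell
# Added example: compare C:\Windows\System32\services.exe against every copy in
# the WinSxS servicecontroller component folder(s) by size and SHA-256, and show
# the Authenticode status of the live file. PowerShell 2.0 compatible; run elevated.

function Get-Sha256 {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try   { return ([BitConverter]::ToString($sha.ComputeHash($stream))) -replace '-', '' }
    finally { $stream.Close() }
}

$live = 'C:\Windows\System32\services.exe'

# Several component folders can exist once updates are installed, so every
# services.exe in a matching folder is compared rather than just one.
$storeCopies = Get-ChildItem 'C:\Windows\winsxs' -Filter 'amd64_microsoft-windows-s..s-servicecontroller_*' |
    ForEach-Object { Join-Path $_.FullName 'services.exe' } |
    Where-Object { Test-Path $_ }

$liveHash = Get-Sha256 $live
"Live : {0,9} bytes  {1}" -f (Get-Item $live).Length, $liveHash

$match = $false
foreach ($copy in $storeCopies) {
    $h = Get-Sha256 $copy
    $flag = if ($h -eq $liveHash) { $match = $true; 'MATCH  ' } else { 'differs' }
    "Store: {0,9} bytes  {1}  {2}  {3}" -f (Get-Item $copy).Length, $h, $flag, $copy
}

if (-not $match) {
    'WARNING: services.exe matches no component-store copy; treat it as modified.'
}

# Independent check: a genuine services.exe carries a valid Microsoft signature.
# A patched one typically reports HashMismatch or NotSigned here.
(Get-AuthenticodeSignature $live).Status
```

A live file that matches one of the store copies and reports `Valid` for the signature is what the CFScript is meant to produce; a size or hash mismatch together with a non-`Valid` status is the condition the helper describes as the "size disparity".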

I don’t want the Babylon tool bar.

Combofix Log attached.

Everything seems to be running fine.
Services.exe is clean now. But it’s still acting weird. I used Process Explorer to find out why services.exe is using 15% of CPU (all the time, not just on startup) and found out that it’s actually svchost.exe (startup parameters: -k netsvcs) that is using up so much CPU. I asked some of my friends to check their Task Manager and tell me how much their services.exe (or svchost processes) are using.
They all said it’s at 1% at most.

I’m not sure if this is normal behavior, because other than that, everything’s good now.

Thanks again, by the way. :)
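The post above narrows the CPU load down to a svchost.exe started with `-k netsvcs`, but a single svchost instance hosts many services at once, so the process name alone does not say which service is busy. The following PowerShell is an added example, not from the thread, that maps every svchost.exe process to the services it hosts and the CPU time each process has consumed, so a hot instance can be tied to a short list of candidate services. It uses only WMI classes present on Windows 7 and runs on PowerShell 2.0.

```powershell
# Added example: list each svchost.exe instance with its command line (the "-k"
# group), accumulated CPU seconds, and the services running inside it.
# PowerShell 2.0 compatible; run elevated to see every process's command line.

function Get-SvchostGroups {
    $procs    = Get-WmiObject Win32_Process -Filter "Name = 'svchost.exe'"
    $services = Get-WmiObject Win32_Service -Filter "State = 'Running'"
    foreach ($p in $procs) {
        # Win32_Service.ProcessId ties each running service to its host process.
        $hosted = $services | Where-Object { $_.ProcessId -eq $p.ProcessId } |
                              ForEach-Object { $_.Name }
        New-Object PSObject -Property @{
            PID         = $p.ProcessId
            CommandLine = $p.CommandLine
            # Kernel + user time are reported in 100 ns units; convert to seconds.
            CpuSeconds  = [math]::Round(($p.KernelModeTime + $p.UserModeTime) / 1e7, 1)
            Services    = ($hosted -join ', ')
        }
    }
}

Get-SvchostGroups |
    Sort-Object CpuSeconds -Descending |
    Format-List PID, CpuSeconds, CommandLine, Services

# To look at one hosted service in detail (binary path, description):
#   Get-WmiObject Win32_Service -Filter "Name = '<ServiceName>'" |
#       Select-Object DisplayName, PathName, StartMode, Description
```

Run it twice a minute apart: the instance whose CpuSeconds grows fastest is the one Process Explorer was pointing at, and its Services column is the set to investigate (for example by stopping them one at a time with `Stop-Service` and watching whether the load drops).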

OK Combofix is now happy with services ;D

Say goodbye to Babylon; let me know of any remaining problems on completion.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

If you have Malwarebytes 1.6 or better installed, please disable it for the duration of this run.
To disable MBAM:
Open the scanner and select the Protection tab
Remove the tick from “Start with Windows”
Reboot and then run OTL

http://i1224.photobucket.com/albums/ee362/Essexboy3/mbamstop.jpg

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.babylon.com/?AF=109958&babsrc=HP_ss&mntrId=6c6df3850000000000007a79050da338
O2 - BHO: (Babylon toolbar helper) - {2EECD738-5844-4a99-B4B6-146BF802613B} - C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.5.3.17\bh\BabylonToolbar.dll (Babylon BHO)
O3 - HKLM\..\Toolbar: (Babylon Toolbar) - {98889811-442D-49dd-99D7-DC866BE87DBC} - C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarTlbr.dll (Babylon Ltd.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
[2012.05.21 23:38:15 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\BabylonToolbar
[2012.05.21 23:38:02 | 000,000,000 | ---D | C] -- C:\Users\Andre Meyer\AppData\Local\Babylon
[2012.05.21 23:37:59 | 000,000,000 | ---D | C] -- C:\Users\Andre Meyer\AppData\Roaming\Babylon
[2012.05.21 23:37:59 | 000,000,000 | ---D | C] -- C:\ProgramData\Babylon
@Alternate Data Stream - 1056 bytes -> C:\ProgramData\Microsoftes3FbiwWTwSzsiK5VTe6H71N
@Alternate Data Stream - 1053 bytes -> C:\Users\Andre Meyer\AppData\Local\Temp72dkFyeXVHSmRqB10AU84QaqDEn

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Could you tell me what you think about the CPU usage of services.exe? I really think it shouldn’t be that way.

OTL Log attached.

You do have a lot of drivers etc. running, and they are controlled by that programme.

But let’s take a deeper look to be sure. When this completes, could you upload the zip folder to a file sharing site like MediaFire and post the sharing link so that I can get it.

Download AVPTool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named).

First we will run a virus scan

Click the cog in the upper right

http://dl.dropbox.com/u/73555776/Kas%20front.JPG

Select down to and including your main drive, once done select the Automatic scan tab and press Start Scan

http://dl.dropbox.com/u/73555776/Kas%20Scan%20area.JPG

Allow AVP to delete all infections found
Once it has finished select report tab (last tab)
Select Detected threats report from the left and press Save button
Save it to your desktop and attach to your next post

Now the Analysis

Rerun AVP and select the Manual Disinfection tab and press Start Gathering System Information

http://dl.dropbox.com/u/73555776/kas%20manual.JPG

On completion click the link to locate the zip file to upload and attach to your next post

http://dl.dropbox.com/u/73555776/Kas%20Zip.JPG