WIN32:Sirefef-ZT Trojan

I am unable to remove whatever this is. I’ve run Malwarebytes both in and out of safe mode, as well as avast in Windows and as a boot scan. The boot scan says it can’t be removed. The boot-time scan reads: “C:\Windows\System32\Services.exe infected by Win32:sirefef-ZT.” Can anyone help me out? I assume I’ll need to send you guys some scan info, so just let me know what programs you need me to use. Thanks in advance.

MBAM:

Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Database version: v2013.01.17.09

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Eric :: ERIC-PC [administrator]

1/17/2013 8:18:28 PM
MBAM-log-2013-01-17 (20-34-05).txt

Scan type: Full scan (C:|D:|E:|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 312505
Time elapsed: 14 minute(s), 40 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Windows\Installer{84d0c35b-ebad-9f78-4026-9a6cd249c143}\U\00000008.@ (Trojan.Dropper.BCMiner) → No action taken.

(end)

I can’t get the OTL scan to finish. It hangs/stops responding every time it gets to “Scanning Firefox Settings”.

aswMBR:

aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
Run date: 2013-01-17 20:50:28

20:50:28.779 OS Version: Windows x64 6.1.7601 Service Pack 1
20:50:28.779 Number of processors: 8 586 0x1E05
20:50:28.779 ComputerName: ERIC-PC UserName: Eric
20:50:29.069 Initialize success
20:50:29.139 AVAST engine defs: 13011701
20:50:31.139 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-1
20:50:31.149 Disk 0 Vendor: INTEL_SS 2CV1 Size: 76319MB BusType: 3
20:50:31.149 Disk 1 \Device\Harddisk1\DR1 → \Device\Ide\IAAStorageDevice-2
20:50:31.149 Disk 1 Vendor: ST950042 0002 Size: 476940MB BusType: 3
20:50:31.159 Disk 0 MBR read successfully
20:50:31.159 Disk 0 MBR scan
20:50:31.159 Disk 0 Windows 7 default MBR code
20:50:31.169 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
20:50:31.169 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 76217 MB offset 206848
20:50:31.179 Disk 0 scanning C:\Windows\system32\drivers
20:50:33.165 Service scanning
20:50:37.125 Modules scanning
20:50:37.135 Disk 0 trace - called modules:
20:50:37.465 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys iaStor.sys hal.dll
20:50:37.465 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0xfffffa8007636790]
20:50:37.475 3 CLASSPNP.SYS[fffff88001bae43f] → nt!IofCallDriver → [0xfffffa8006d36270]
20:50:37.485 5 ACPI.sys[fffff88000d817a1] → nt!IofCallDriver → \Device\Ide\IAAStorageDevice-1[0xfffffa8007404050]
20:50:37.645 AVAST engine scan C:\Windows
20:50:38.105 AVAST engine scan C:\Windows\system32
20:50:53.605 File: C:\Windows\system32\services.exe INFECTED Win32:Sirefef-ZT [Trj]
20:50:59.295 File: C:\Windows\assembly\GAC_32\Desktop.ini INFECTED Win32:Sirefef-PL [Rtk]
20:50:59.625 File: C:\Windows\assembly\GAC_64\Desktop.ini INFECTED Win32:Sirefef-PL [Rtk]
20:51:11.017 AVAST engine scan C:\Windows\system32\drivers
20:51:13.687 AVAST engine scan C:\Users\Eric
20:51:26.454 AVAST engine scan C:\ProgramData
20:51:28.653 Scan finished successfully
20:52:59.307 Disk 0 MBR has been saved successfully to “C:\Users\Eric\Desktop\MBR.dat”
20:52:59.307 The log file has been saved successfully to “C:\Users\Eric\Desktop\aswMBR.txt”
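As an added example (not part of this thread or of any tool mentioned in it), the following Python script parses detection lines in the shape of the aswMBR and MBAM logs above and classifies each hit against the Sirefef/ZeroAccess file-system layout those logs show: the Installer\{GUID}\U store, the GAC_32/GAC_64 Desktop.ini files and the patched services.exe. The regexes, indicator labels and sample lines are my own constructions, so treat them as a triage aid, not as a signature set.

```python
import re
from typing import Optional

# Constructed sample lines: two in aswMBR shape, one clean aswMBR line that
# must be ignored, and one in MBAM "Files Detected" shape.
SAMPLE_LINES = [
    r"20:50:53.605 File: C:\Windows\system32\services.exe INFECTED Win32:Sirefef-ZT [Trj]",
    r"20:50:59.295 File: C:\Windows\assembly\GAC_32\Desktop.ini INFECTED Win32:Sirefef-PL [Rtk]",
    r"20:51:28.653 Scan finished successfully",
    r"C:\Windows\Installer\{84d0c35b-ebad-9f78-4026-9a6cd249c143}\U\00000008.@ (Trojan.Dropper.BCMiner) -> No action taken.",
]

# aswMBR: "<time> File: <path> INFECTED <name> [<kind>]"
ASWMBR_INFECTED = re.compile(r"^\S+ File: (?P<path>.+?) INFECTED (?P<name>\S+) \[(?P<kind>\w+)\]$")
# MBAM: "<path> (<name>) -> <action>"
MBAM_FILE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<name>[^)]+)\)")

# File-system layout patterns of the Sirefef/ZeroAccess family as seen in the
# logs in this thread. Labels are assumptions chosen for reporting only.
INDICATORS = [
    ("zeroaccess-installer-store",
     re.compile(r"\\Windows\\Installer\\\{[0-9a-f-]{36}\}\\U(\\|$)", re.I)),
    ("zeroaccess-gac-desktop-ini",
     re.compile(r"\\Windows\\assembly\\GAC_(32|64)\\Desktop\.ini$", re.I)),
    ("patched-services-exe",
     re.compile(r"\\Windows\\system32\\services\.exe$", re.I)),
]

def parse_detections(lines):
    """Return (path, detection_name) for every detection line from either tool."""
    found = []
    for line in lines:
        m = ASWMBR_INFECTED.match(line) or MBAM_FILE.match(line)
        if m:
            found.append((m.group("path"), m.group("name")))
    return found

def classify(path: str) -> Optional[str]:
    """Map a path to the ZeroAccess layout pattern it matches, or None."""
    for label, pattern in INDICATORS:
        if pattern.search(path):
            return label
    return None

def triage(lines):
    """Group detections by indicator class so related hits are read together."""
    report = {}
    for path, name in parse_detections(lines):
        report.setdefault(classify(path) or "unclassified", []).append((path, name))
    return report
```

Feeding a full aswMBR.txt and an MBAM log through `triage` groups the services.exe hit with the Installer\{GUID}\U and GAC Desktop.ini entries, which is the combination the helper later checks for with RogueKiller.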

Hello and welcome to avast. I will be working on your malware issues. :wink:

For Step#1

Follow the instructions for running RogueKiller:
http://forum.avast.com/index.php?topic=53253.0

Attach all RKreport.txt files here.


Step#2

Download DDS and save it to your Desktop from here:
http://download.bleepingcomputer.com/sUBs/dds.scr

Double click dds to run the tool.

* When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt

Save both reports to your desktop, then attach DDS.txt and Attach.txt back to the topic.


Step#3

Please re-run aswMBR, and attach here fresh aswMBR.txt log.

Thanks Magna. Finally got the OTL logs. Here they are.

RK logs.

DDS logs.

2nd aswMBR:

aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
Run date: 2013-01-17 20:50:28

20:50:28.779 OS Version: Windows x64 6.1.7601 Service Pack 1
20:50:28.779 Number of processors: 8 586 0x1E05
20:50:28.779 ComputerName: ERIC-PC UserName: Eric
20:50:29.069 Initialize success
20:50:29.139 AVAST engine defs: 13011701
20:50:31.139 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-1
20:50:31.149 Disk 0 Vendor: INTEL_SS 2CV1 Size: 76319MB BusType: 3
20:50:31.149 Disk 1 \Device\Harddisk1\DR1 → \Device\Ide\IAAStorageDevice-2
20:50:31.149 Disk 1 Vendor: ST950042 0002 Size: 476940MB BusType: 3
20:50:31.159 Disk 0 MBR read successfully
20:50:31.159 Disk 0 MBR scan
20:50:31.159 Disk 0 Windows 7 default MBR code
20:50:31.169 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
20:50:31.169 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 76217 MB offset 206848
20:50:31.179 Disk 0 scanning C:\Windows\system32\drivers
20:50:33.165 Service scanning
20:50:37.125 Modules scanning
20:50:37.135 Disk 0 trace - called modules:
20:50:37.465 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys iaStor.sys hal.dll
20:50:37.465 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0xfffffa8007636790]
20:50:37.475 3 CLASSPNP.SYS[fffff88001bae43f] → nt!IofCallDriver → [0xfffffa8006d36270]
20:50:37.485 5 ACPI.sys[fffff88000d817a1] → nt!IofCallDriver → \Device\Ide\IAAStorageDevice-1[0xfffffa8007404050]
20:50:37.645 AVAST engine scan C:\Windows
20:50:38.105 AVAST engine scan C:\Windows\system32
20:50:53.605 File: C:\Windows\system32\services.exe INFECTED Win32:Sirefef-ZT [Trj]
20:50:59.295 File: C:\Windows\assembly\GAC_32\Desktop.ini INFECTED Win32:Sirefef-PL [Rtk]
20:50:59.625 File: C:\Windows\assembly\GAC_64\Desktop.ini INFECTED Win32:Sirefef-PL [Rtk]
20:51:11.017 AVAST engine scan C:\Windows\system32\drivers
20:51:13.687 AVAST engine scan C:\Users\Eric
20:51:26.454 AVAST engine scan C:\ProgramData
20:51:28.653 Scan finished successfully
20:52:59.307 Disk 0 MBR has been saved successfully to “C:\Users\Eric\Desktop\MBR.dat”
20:52:59.307 The log file has been saved successfully to “C:\Users\Eric\Desktop\aswMBR.txt”

Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works, please read this guide carefully.
Note: ComboFix must be downloaded to your Desktop.

Temporarily disable your AntiVirus program.
If you are unsure how to do this, please read this or this instruction.

How to disable avast:

* Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
* In the window that opens, in the top right corner, click Settings.
* In the new window that opens, choose the option Troubleshooting, uncheck Enable avast! self-defense, and click OK.

* Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls.
* In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn this option back on after the cleaning.

Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer to download and install it.
Click Yes to allow ComboFix to install Recovery Console.
Note: Do not mouse-click ComboFix’s window while it is running.
If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion”, just restart the computer once more.

When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt)
Attach the log report (ComboFix.txt) back to the topic.

I’m posting this from my tablet. I disabled avast then ran combofix. My computer rebooted then the combofix log was generated. Now, nearly anything I try to open comes up with an error that says “illegal operation attempted on a registry key that has been marked for deletion.” I can’t start avast or any of my web browsers. This appears to be a big problem. Any advice?

Update: I restarted and can now open applications. Here’s the combofix.

Hi :slight_smile:


Open notepad and copy/paste the text present inside the code box below:



FileLook::
c:\windows\system32\services.exe

ClearJavaCache:: 

Folder::
c:\users\Eric\AppData\Local\Updater21804
c:\users\Eric\AppData\Local\Coupon Companion Plugin
c:\program files (x86)\Coupon Companion Plugin


Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows, then, referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt)

New CF log.

* Download AdwCleaner (by Xplode) on your desktop.
* Launch it, click on [Search] and wait for the scan.
* When the scan ends, Notepad with the report will appear.
* Click on [Delete] and wait for the program to complete its work.
  The program will close all active programs. Click OK to confirm that.
  On the next two windows that open (Informations and Restart required), click OK.
* The computer will restart and open Notepad (C:\AdwCleaner[S1].txt) with the report.
* Save the Notepad report on the Desktop.
* Please attach C:\AdwCleaner[S1].txt here.

Note: The report will also be stored at C:\AdwCleaner[S1].txt


Please download Junkware Removal Tool to your desktop.
* Shut down your protection software now to avoid potential conflicts.
* Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select “Run as Administrator”.
* The tool will open and start scanning your system.
* Please be patient as this can take a while to complete depending on your system’s specifications.
* On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
* Post the contents of JRT.txt into your next message.


Open notepad and copy/paste the text present inside the code box below:



Registry::
[-HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{11111111-1111-1111-1111-110211181104}]

File::
c:\program files (x86)\Coupon Companion Plugin\Coupon Companion Plugin.dll


Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows, then, referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt)

Done!

Step#1

Open notepad and copy/paste the text present inside the code box below:



DeQuarantine::
C:\Qoobox\Quarantine\c\program files (x86)\Common Files\Net4Switch.ico.vir
C:\Qoobox\Quarantine\c\windows\msvcr71.dll.vir
Quit::


Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows, then, referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt)


Step#2

It is necessary to uninstall ComboFix:

* Click Start, then Run.

On Windows 7 or Vista you may use the Start Search field if Run is not available.

* In the text field, type (or copy) the following:

ComboFix /Uninstall

Note that there is a space between "ComboFix" and "/Uninstall".

* Then click OK (or press Enter).

Wait until the uninstall process is complete.


How’s your computer running now? 8)

So, I uninstalled ComboFix before attaching the last log and it seems to have taken the log with it.

The computer appears to be working fine. I ran Avast and MBAM with no infected files found. I haven’t had any Avast warnings about anything either.

Just because I was curious, I ran RogueKiller again. All of the infections were gone, but I did notice a “Particular File/Folder” listed that was a ZeroRootAccess. Is that still a problem? (log attached)

I also ran aswMBR and that log showed no problems. (log attached)

If everything is fine, then do I just go ahead and uninstall all the programs we installed?

Hm, yes,

¤¤¤ Particular Files / Folders: ¤¤¤ [ZeroAccess][FOLDER] U : C:\Windows\Installer\{84d0c35b-ebad-9f78-4026-9a6cd249c143}\U --> FOUND
Let's run an additional scan.

Please download Malwarebytes AntiRootkit and save it to your desktop.
http://www.malwarebytes.org/products/mbar/

Full instructions how to use MBAR
http://www.bleepingcomputer.com/virus-removal/how-to-use-malwarebytes-anti-rootkit
Please note: This is a beta version, so please be sure to read the disclaimer and take note of it.

* Unzip/unrar MBAR into a folder on your Desktop.
* Open the folder where the contents were unzipped and run mbar.exe.

* Click on Next >, then on the Update button to download fresh definitions.
* When the database has updated, click Next.
* In the following window, ensure the “Targets” Drivers, Sectors and System are ticked, then select the “Scan” button.

* If an infection is found, ensure “Create Restore Point” is checked, then select the “Cleanup” button to remove threats.
  Or, if you are sure any entries should not be kept, just untick them. A list of infected files will be shown.

* The clean-up procedure will be scheduled.
* When complete, a pop-up will appear. Select the Yes button and the system should reboot to complete the cleaning process.

Please attach the following two logs from the mbar folder:

system-log.txt
and
mbar-log-year-month-day (hour-minute-second).txt


Re-run OTL, just click on QuickScan and attach the fresh OTL.txt log here.

MBAR did find an infection and cleaned up. Here are the new logs.