TechSpot

Malware sirefef.y and similar found in MSE on Vista HP x86

Solved
By Johnny270268
Jul 13, 2012
  1. Hi good people,

    This closely relates to a very similar thread on the forums here titled "[Solved] Sirefef.y and Sirefef.b - MSE cannot update and PC shuts itself down", posted by member GailMacM
    on Jul 1, 2012. The situation was rather deftly resolved by Broni Malware Annihilator. In the spirit of co-operation I've completed the Farbar (x86) & (x64) downloads and installed them to USB. The only way I could access System Recovery Options was to run an old Windows 32-bit boot disk. I've successfully created both an FRST.txt and a Search.txt. The Vista machine is not currently connected to the internet and I have limited ability, at the moment, of resolving this. I cannot disengage MSE as the computer wants to restart exactly 1 minute after booting into the GUI. Similarly, for this reason, I haven't been able to revert to older System Restore points. I have attempted Safe Mode, Safe Mode with Networking, and Safe Mode with Command Prompt under the installed OS System Recovery Options but to no avail, the end result always being the 1 minute reboot issue. I can re-connect to the Internet at some point but have steered clear of this until one of you good people has a chance to view the text files. I won't paste them as yet but will await your further instruction. I assume from the posting rules that I needed to make this a new post as per the forum rules and guidelines. My humblest apologies if I have misunderstood any of the conditions.

    Regards,

    John M
  2. Broni

    Broni Malware Annihilator Posts: 46,797   +254

    Welcome aboard

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    =============================================

    Go ahead and post FRST.txt and a Search.txt logs.
  3. Johnny270268

    Johnny270268 TS Rookie Topic Starter Posts: 81

    Thanks Broni,

    Here comes FRST.txt first !

    Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 10-07-2012
    Ran by SYSTEM at 14-07-2012 02:12:24
    Running from F:\
    Windows (TM) Code Name "Longhorn" Preinstallation Environment (X86) OS Language: English(US)
    The current controlset is ControlSet001
    ========================== Registry (Whitelisted) =============
    HKLM\...\Winlogon: [Shell] cmd.exe /k start cmd.exe [x ] ()
    ================================ Services (Whitelisted) ==================
    2 EventLog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [21504 2008-01-18] (Microsoft Corporation)
    3 sacsvr; C:\Windows\System32\sacsvr.dll [13312 2008-01-18] (Microsoft Corporation)
    ========================== Drivers (Whitelisted) =============
    0 FBWF; C:\Windows\System32\DRIVERS\fbwf.sys [69632 2008-01-18] (Microsoft Corporation)
    0 Ramdisk; C:\Windows\System32\DRIVERS\ramdisk.sys [22528 2008-01-18] (Microsoft Corporation)
    0 sacdrv; C:\Windows\System32\DRIVERS\sacdrv.sys [88632 2008-01-18] (Microsoft Corporation)
    0 WimFsf; C:\Windows\System32\Drivers\WimFsf.sys [52224 2008-01-18] (Microsoft Corporation)
    3 BTHMODEM; C:\Windows\system32\drivers\bthmodem.sys [x]
    ========================== NetSvcs (Whitelisted) ===========
    NETSVC: sacsvr -> C:\Windows\system32\sacsvr.dll (Microsoft Corporation)
    ============ One Month Created Files and Folders ==============

    ============ 3 Months Modified Files ========================
    2012-07-13 21:26 - 2008-10-03 17:07 - 00060048 ____A C:\Windows\System32\FNTCACHE.DAT

    ========================= Known DLLs (Whitelisted) ============

    ========================= Bamital & volsnap Check ============
    C:\Windows\explorer.exe IS MISSING <==== ATTENTION!.
    C:\Windows\System32\winlogon.exe
    [2008-01-18 21:42] - [2008-01-18 23:33] - 0314880 ____A (Microsoft Corporation)
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
    ==================== EXE ASSOCIATION =====================
    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK
    ========================= Memory info ======================
    Percentage of memory in use: 12%
    Total physical RAM: 3070.56 MB
    Available physical RAM: 2692.37 MB
    Total Pagefile: 2852.55 MB
    Available Pagefile: 2694.11 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1983.72 MB
    ======================= Partitions =========================
    1 Drive c: (RECOVERY) (Fixed) (Total:15 GB) (Free:6.25 GB) NTFS
    2 Drive d: (OS) (Fixed) (Total:450.7 GB) (Free:181.11 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    3 Drive e: (2007.11.03_2329) (CDROM) (Total:0.12 GB) (Free:0 GB) UDF
    4 Drive f: () (Removable) (Total:3.73 GB) (Free:3.64 GB) FAT32
    9 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
    Disk ### Status Size Free Dyn Gpt
    -------- ---------- ------- ------- --- ---
    Disk 0 Online 466 GB 0 B
    Disk 1 Online 3840 MB 0 B
    Disk 2 No Media 0 B 0 B
    Disk 3 No Media 0 B 0 B
    Disk 4 No Media 0 B 0 B
    Disk 5 No Media 0 B 0 B
    Partitions of Disk 0:
    ===============
    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 OEM 63 MB 32 KB
    Partition 2 Primary 15 GB 63 MB
    Partition 3 Primary 451 GB 15 GB
    Partition 4 Primary 1040 KB 466 GB
    ==================================================================================
    Disk: 0
    Partition 1
    Type : DE
    Hidden: Yes
    Active: No
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 8 FAT Partition 63 MB Healthy Hidden
    ==================================================================================
    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 5 C RECOVERY NTFS Partition 15 GB Healthy
    ==================================================================================
    Disk: 0
    Partition 3
    Type : 07
    Hidden: No
    Active: No
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 D OS NTFS Partition 451 GB Healthy
    ==================================================================================
    Disk: 0
    Partition 4
    Type : 17 (Suspicious Type)
    Hidden: Yes
    Active: Yes
    There is no volume associated with this partition.
    ==================================================================================
    Partitions of Disk 1:
    ===============
    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 3824 MB 16 KB
    ==================================================================================
    Disk: 1
    Partition 1
    Type : 0B
    Hidden: No
    Active: Yes
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 F FAT32 Removable 3824 MB Healthy
    ==================================================================================
    ==========================================================
    Last Boot: 2012-07-13 21:21
    ======================= End Of Log ==========================
  4. Johnny270268

    Johnny270268 TS Rookie Topic Starter Posts: 81

    And here's the Search.txt

    Farbar Recovery Scan Tool Version: 10-07-2012
    Ran by SYSTEM at 2012-07-14 02:19:29
    Running from F:\
    ================== Search: "services.exe" ===================
    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
    [2008-01-19 00:52] - [2008-01-19 00:52] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C
    C:\Windows\System32\services.exe
    [2008-01-18 21:33] - [2008-01-18 23:33] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C
    === End Of Search ===
  5. Broni

    Broni Malware Annihilator Posts: 46,797   +254

    You have a different issue.

    You have an infected partition.

    WARNING!
    Proceed with extreme caution!
    Deleting the wrong partition will result in your computer being unusable.
    If you have any doubts, ask.


    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Download GETxPUD.exe to the desktop of your clean computer

    • Double click on GETxPUD.exe
    • A new folder will appear on the desktop.
    • Open the GETxPUD folder and click on the get&burn.bat
    • The program will download xpud_0.9.2.iso, and upon finishing will open BurnCDCC ready to burn the image.
    • Insert blank CD into your CD drive.
    • Click on Start and follow the prompts to burn the image to a CD.
    • Boot bad computer from the CD
    • Click Menu then Terminal Emulator
    • Type parted /dev/sda set 3 boot on
    • Press Enter
    • Type parted /dev/sda rm 4
    • Press Enter
    • Remove xPUD CD, reboot normally.

    ===================================================

    See if the computer will stay up.

    We have some other issues as well.
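The profile FRST flagged in the log above (an active partition with a "hidden" type byte of 17 and no volume behind it) is exactly what a legacy MBR parser can pick out. The block below is an added example for readers following the diagnosis, not code from the thread, from FRST or from Farbar; the disk image it audits is constructed and scaled down to a few KiB to mirror the poster's four-slot layout, and it also reports the opposite condition, a table with no active partition at all, which is what a BIOS turns into a "no boot device" message.

```python
"""Added example (not from the thread, FRST or Farbar): audit a legacy MBR
partition table for the pattern FRST reported, an ACTIVE entry whose type is a
'hidden' FAT/NTFS variant (0x17 here) and whose first sector carries no
recognisable filesystem. The disk image is CONSTRUCTED and scaled down."""
import struct

SECTOR = 512
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, start LBA, sectors
# 'Hidden' variants of FAT/NTFS partition type IDs (normal ID with 0x10 set).
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}


def make_entry(active, ptype, lba, sectors):
    """Build one 16-byte MBR slot; CHS fields are left zero, LBA fields used."""
    status = 0x80 if active else 0x00
    return struct.pack(ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", lba, sectors)


def parse_mbr(mbr):
    """Return the non-empty partition entries of a 512-byte MBR as dicts."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR (bad length or missing 55AA signature)")
    entries = []
    for i in range(4):
        status, _, ptype, _, lba, n = struct.unpack_from(ENTRY_FMT, mbr, 446 + 16 * i)
        if ptype:  # type 0x00 marks an unused slot
            entries.append({"index": i + 1, "active": status == 0x80,
                            "type": ptype, "lba": lba, "sectors": n})
    return entries


def fs_label(boot_sector):
    """Name the filesystem a partition's first sector claims, or None."""
    if boot_sector[3:11] == b"NTFS    ":
        return "NTFS"
    if boot_sector[0x52:0x57] == b"FAT32" or boot_sector[0x36:0x3B] in (b"FAT12", b"FAT16"):
        return "FAT"
    return None


def audit_disk(disk):
    """Return human-readable findings for an MBR-partitioned disk image."""
    entries = parse_mbr(disk[:SECTOR])
    findings = []
    for e in entries:
        first = disk[e["lba"] * SECTOR:(e["lba"] + 1) * SECTOR]
        if e["active"] and e["type"] in HIDDEN_TYPES and fs_label(first) is None:
            findings.append(f"partition {e['index']}: active, hidden type "
                            f"0x{e['type']:02X}, no volume -> suspicious")
    if not any(e["active"] for e in entries):
        findings.append("no active partition: legacy BIOS will report no boot device")
    return findings


def build_image(include_rogue):
    """CONSTRUCTED mini disk: OEM, RECOVERY and OS slots like the log, plus an
    optional rogue slot 4 (type 0x17, active, hidden, no filesystem)."""
    disk = bytearray(SECTOR * 40)
    ntfs_boot = b"\0" * 3 + b"NTFS    " + b"\0" * (SECTOR - 11)
    disk[4 * SECTOR:5 * SECTOR] = ntfs_boot               # RECOVERY (slot 2)
    disk[12 * SECTOR:13 * SECTOR] = ntfs_boot             # OS (slot 3)
    disk[30 * SECTOR:31 * SECTOR] = bytes(range(256)) * 2  # rogue payload, no FS
    slots = [make_entry(False, 0xDE, 1, 2), make_entry(False, 0x07, 4, 8),
             make_entry(False, 0x07, 12, 16),
             make_entry(True, 0x17, 30, 2) if include_rogue else bytes(16)]
    disk[446:510] = b"".join(slots)
    disk[510:512] = b"\x55\xaa"
    return bytes(disk)


if __name__ == "__main__":
    for label, rogue in (("infected layout", True), ("slot 4 removed", False)):
        print(label, "->", audit_disk(build_image(rogue)))
```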
  6. Johnny270268

    Johnny270268 TS Rookie Topic Starter Posts: 81

    Thank-you,

    Completing tasks now
  7. Johnny270268

    Johnny270268 TS Rookie Topic Starter Posts: 81

    Hi again Broni,

    Computer not booting. After BIOS it goes to a screen with the following.

    No boot device available

    SATA0: Installed
    SATA1: Installed
    SATA2: None
    SATA3: None
    SATA4: None
    SATA5: None
    (followed by a blinking cursor line "-")

    If I hit enter it just repeats the statement.

    I have rebooted and selected to make sure it is booting from HDD but it still displays this screen and goes no further.

    Hope this info helps
  8. Broni

    Broni Malware Annihilator Posts: 46,797   +254

    Post new FRST log.
  9. Johnny270268

    Johnny270268 TS Rookie Topic Starter Posts: 81

    New FRST.txt

    Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 10-07-2012
    Ran by SYSTEM at 14-07-2012 11:03:34
    Running from J:\
    Windows (TM) Code Name "Longhorn" Preinstallation Environment (X86) OS Language: English(US)
    The current controlset is ControlSet001
    ========================== Registry (Whitelisted) =============
    HKLM\...\Winlogon: [Shell] cmd.exe /k start cmd.exe [x ] ()
    ================================ Services (Whitelisted) ==================
    2 EventLog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [21504 2008-01-18] (Microsoft Corporation)
    3 sacsvr; C:\Windows\System32\sacsvr.dll [13312 2008-01-18] (Microsoft Corporation)
    ========================== Drivers (Whitelisted) =============
    0 FBWF; C:\Windows\System32\DRIVERS\fbwf.sys [69632 2008-01-18] (Microsoft Corporation)
    0 Ramdisk; C:\Windows\System32\DRIVERS\ramdisk.sys [22528 2008-01-18] (Microsoft Corporation)
    0 sacdrv; C:\Windows\System32\DRIVERS\sacdrv.sys [88632 2008-01-18] (Microsoft Corporation)
    0 WimFsf; C:\Windows\System32\Drivers\WimFsf.sys [52224 2008-01-18] (Microsoft Corporation)
    3 BTHMODEM; C:\Windows\system32\drivers\bthmodem.sys [x]
    ========================== NetSvcs (Whitelisted) ===========
    NETSVC: sacsvr -> C:\Windows\system32\sacsvr.dll (Microsoft Corporation)
    ============ One Month Created Files and Folders ==============

    ============ 3 Months Modified Files ========================
    2012-07-13 21:26 - 2008-10-03 17:07 - 00060048 ____A C:\Windows\System32\FNTCACHE.DAT

    ========================= Known DLLs (Whitelisted) ============

    ========================= Bamital & volsnap Check ============
    C:\Windows\explorer.exe IS MISSING <==== ATTENTION!.
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
    ==================== EXE ASSOCIATION =====================
    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK
    ========================= Memory info ======================
    Percentage of memory in use: 12%
    Total physical RAM: 3070.56 MB
    Available physical RAM: 2690.31 MB
    Total Pagefile: 2852.55 MB
    Available Pagefile: 2691.13 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1990.33 MB
    ======================= Partitions =========================
    1 Drive c: (RECOVERY) (Fixed) (Total:15 GB) (Free:6.25 GB) NTFS
    2 Drive d: (OS) (Fixed) (Total:450.7 GB) (Free:181.11 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    3 Drive e: (2007.11.03_2329) (CDROM) (Total:0.12 GB) (Free:0 GB) UDF
    8 Drive j: () (Removable) (Total:3.73 GB) (Free:3.64 GB) FAT32
    9 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
    Disk ### Status Size Free Dyn Gpt
    -------- ---------- ------- ------- --- ---
    Disk 0 Online 466 GB 276 KB
    Disk 1 No Media 0 B 0 B
    Disk 2 No Media 0 B 0 B
    Disk 3 No Media 0 B 0 B
    Disk 4 No Media 0 B 0 B
    Disk 5 Online 3840 MB 0 B
    Partitions of Disk 0:
    ===============
    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 OEM 63 MB 32 KB
    Partition 2 Primary 15 GB 63 MB
    Partition 3 Primary 451 GB 15 GB
    ==================================================================================
    Disk: 0
    Partition 1
    Type : DE
    Hidden: Yes
    Active: No
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 8 FAT Partition 63 MB Healthy Hidden
    ==================================================================================
    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 0 C RECOVERY NTFS Partition 15 GB Healthy
    ==================================================================================
    Disk: 0
    Partition 3
    Type : 07
    Hidden: No
    Active: No
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 5 D OS NTFS Partition 451 GB Healthy
    ==================================================================================
    Partitions of Disk 5:
    ===============
    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 3824 MB 16 KB
    ==================================================================================
    Disk: 5
    Partition 1
    Type : 0B
    Hidden: No
    Active: Yes
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 7 J FAT32 Removable 3824 MB Healthy
    ==================================================================================
    ==========================================================
    Last Boot: 2012-07-13 21:21
    ======================= End Of Log ==========================
  10. Broni

    Broni Malware Annihilator Posts: 46,797   +254

    You will need a USB flash drive.

    Download GETxPUD.exe to the desktop of your clean computer
    • Run GETxPUD.exe
    • A new folder will appear on the desktop.
    • Open the GETxPUD folder and click on the get&burn.bat
    • The program will download xpud_0.9.2.iso, and upon finishing will open BurnCDCC ready to burn the image.
    • Click on Start and follow the prompts to burn the image to a CD.
    • Next download rst.sh to your USB flash drive
    • Remove the USB & CD and insert them in the sick computer
    • Boot the Sick computer with the CD you just burned
    • The computer must be set to boot from the CD
    • Gently tap F12 and choose to boot from the CD
    • Follow the prompts
    • A Welcome to xPUD screen will appear
    • Press File
    • Expand mnt
    • sda1,2...usually corresponds to your HDD
    • sdb1 is likely your USB
    • Click on the folder that represents your USB drive (sdb1 ?)
    • Confirm that you see rst.sh that you downloaded there
    • Press Tool at the top
    • Choose Open Terminal
    • Type bash rst.sh
    • Press Enter
    • After it has finished a report will be located on your USB drive named enum.log
    • Remove the USB drive and insert it back in your working computer and navigate to enum.log

      Please note - all text entries are case sensitive
    Copy and paste the enum.log for my review
  11. Johnny270268

    Johnny270268 TS Rookie Topic Starter Posts: 81

    I can confirm that rst.sh has been saved to thumb drive. However, I cannot see it in the mnt folder under any of the sda1 sda2 or sda3 folders. I selected show hidden files and folders... still no joy
     
  12. Johnny270268

    Johnny270268 TS Rookie Topic Starter Posts: 81

    Hold on !!
    I removed the thumb drive and re-booted. Opened the mnt directory and re-inserted thumb drive and can now confirm the rst.sh !!
    Sorry for the scare.

    Currently preparing enum.log for your review
  13. Johnny270268

    Johnny270268 TS Rookie Topic Starter Posts: 81

    enum log for your review. Sorry about the delay.

    3.8M Jul 14 2012 /mnt/sda2/Windows/System32/config/SOFTWARE
    50.8M Jul 13 15:47 /mnt/sda3/Windows/System32/config/software
    2.0M Jul 14 2012 /mnt/sda2/Windows/System32/config/SYSTEM
    44.8M Jul 13 15:47 /mnt/sda3/Windows/System32/config/system
  14. Broni

    Broni Malware Annihilator Posts: 46,797   +254

    All restore points are just recent, so it won't work.

    Boot back to System Recovery Options and then access Command Prompt.
    Type:
    DISKPART
    Press Enter.

    Type:
    LIST DISK
    Press Enter.

    Let me know which disk has a "*" in front of it.
  15. Broni

    Broni Malware Annihilator Posts: 46,797   +254

    Also post the whole list you can see on your screen.
  16. Johnny270268

    Johnny270268 TS Rookie Topic Starter Posts: 81

    Hello again and sorry for the delay, but I have had to use a Win 7 image disk to access the recovery console.

    None of the disks has "*" in front of it

    The list is as follows:

    Disk 0 Online 465GB 0B (Free)
    Disk 1 No Media 0B (Size) 0B (Free)
    Disk 2 (as for Disk 1)
    Disk 3 (as for Disk 1)
    Disk 4 (as for Disk 1)

    Hope this helps
  17. Broni

    Broni Malware Annihilator Posts: 46,797   +254

    Type:
    SELECT DISK 0 (<----- that's "zero")
    Press Enter.


    Type:
    LIST DISK
    Press Enter.

    Post what you see on the screen and if "disk 0" has a "*" in front of it.
  18. Johnny270268

    Johnny270268 TS Rookie Topic Starter Posts: 81

    Yes DISK 0 has "*" in front of it.

    Apart from this the screen is as it was in previous post.
  19. Broni

    Broni Malware Annihilator Posts: 46,797   +254

    Good :)

    Type:
    LIST PARTITION
    Press Enter.

    Let me know what you see on the screen and if any item has a "*" in front of it.
  20. Johnny270268

    Johnny270268 TS Rookie Topic Starter Posts: 81

    No items have "*" in front of them. List is:

    Partition 1 OEM 62MB (Size) 31KB (Offset)
    Partition 2 Primary 15GB 63MB
    Partition 3 Primary 450GB 15GB
  21. Broni

    Broni Malware Annihilator Posts: 46,797   +254

    Very well.

    Type:
    SELECT PARTITION 3
    Press Enter.

    Type:
    LIST PARTITION
    Press Enter.

    Let me know if "Partition 3" has a "*" in front of it.
  22. Johnny270268

    Johnny270268 TS Rookie Topic Starter Posts: 81

    It absolutely does sir :)
  23. Broni

    Broni Malware Annihilator Posts: 46,797   +254

    Type:
    EXIT
    Press Enter.

    Restart computer.
    See if it boots.
    If not (it's still possible) let me know what exactly happens.
  24. Johnny270268

    Johnny270268 TS Rookie Topic Starter Posts: 81

    Computer not booting. After BIOS it goes to a screen with the following.

    No boot device available

    SATA0: Installed
    SATA1: Installed
    SATA2: None
    SATA3: None
    SATA4: None
    SATA5: None
    (followed by a blinking cursor line "-")

    If I hit enter it just repeats the statement.

    I have rebooted and selected to make sure it is booting from HDD but it still displays this screen and goes no further.
  25. Broni

    Broni Malware Annihilator Posts: 46,797   +254

    Boot back to System Recovery Options and run FRST.
    Type the following in the edit box after "Search:".

    explorer.exe

    Click Search button and post the log (Search.txt) it makes to your reply.

