Sirefef won't go away - please help!

Solved
By cschrille
Jun 2, 2012
  1. cschrille

    cschrille TechSpot Enthusiast Topic Starter Posts: 181

    I waited about 30 minutes, I will go out in about an hour and won't be home for 3 more hours after that, I can start it then and see if it's running when I'm home. Also, what do I do if the program runs? My friend told me he had tried it before and it says like "stage 1 complete" and such. How many stages are there?
  2. cschrille

    cschrille TechSpot Enthusiast Topic Starter Posts: 181

    Status: Disinfected (events: 4)
    2012-06-06 19:25:48 Disinfected Trojan program Trojan.Win32.Fraudpack.csbs C:\Documents and Settings\Ägaren\Downloads\dr2v10p9.dvt.zip/DEViATED.exe//PE_Patch.RLPack//RLPack High
    2012-06-06 19:25:48 Disinfected Trojan program Trojan.Win32.Fraudpack.csbs C:\Documents and Settings\Ägaren\Downloads\dr2v10p9.dvt.zip/DEViATED.exe//PE_Patch.RLPack High
    2012-06-06 19:25:48 Disinfected Trojan program Trojan.Win32.Fraudpack.csbs C:\Documents and Settings\Ägaren\Downloads\dr2v10p9.dvt.zip/DEViATED.exe High
    2012-06-06 19:25:48 Disinfected Trojan program Trojan.Win32.Fraudpack.csbs C:\Documents and Settings\Ägaren\Downloads\dr2v10p9.dvt.zip High
    Status: Deleted (events: 1)
    2012-06-06 19:34:24 Deleted malware DoS.Perl.BBDoS.c C:\Perl64\bin\udp3.pl Medium
    Status: Absent (events: 1)
    2012-06-06 20:34:20 Not found Trojan program Trojan-Ransom.Win32.Birele.omn X:\Nedladdat\City Drive Demo.rar//City drive demo Setup.exe//IC.exe High
    Status: Detected (events: 1)
    2012-06-06 20:52:16 Detected virus IRC-Worm.Win32.Jane.f X:\Program\physics game.rar//game//ProcMan.exe High

    This is what the scan found, the Trojan-Ransom.Win32.Birele.omn was deleted, that's why it says "Not found".
  3. cschrille

    cschrille TechSpot Enthusiast Topic Starter Posts: 181

    Also, I noticed that desktop.ini comes up every time I start Windows, and it says in MBAM, NOD etc. that desktop.ini contains the Sirefef.
  4. Broni

    Broni Malware Annihilator Posts: 46,433   +252

    When you say Combofix is stuck is the computer clock still running?
    If yes, that means that Combofix is still doing its thing.
    I'd leave it running overnight.
  5. cschrille

    cschrille TechSpot Enthusiast Topic Starter Posts: 181

    Well, my computer clock still works, no window has popped up yet, and I can't find any process like cmd.exe or combofix.exe. What would the process for Combofix be called?
  6. Broni

    Broni Malware Annihilator Posts: 46,433   +252

    Are you re-running Combofix AFTER completing Kaspersky tool?

    As for Combofix you may see one or more of these processes:
    * CF19313.cfxxe
    * PEV.exe
    * NirCmd.cfxxe
    * PEV.cfxxe

    I'll be gone for couple of hours.
  7. cschrille

    cschrille TechSpot Enthusiast Topic Starter Posts: 181

    Yes, I disabled my AV and any programs that could interfere with it. I have tried restarting, booting in safe mode, running rkill, re-downloading the combofix.exe; nothing helps.
  8. cschrille

    cschrille TechSpot Enthusiast Topic Starter Posts: 181

    Also, I opened taskmgr when I started it, and during extraction of files I saw pev.exe or something like that, then after a few seconds Task Manager closes and it seems like explorer.exe is reset because everything flashes, and my theme on the taskbar.
  9. Broni

    Broni Malware Annihilator Posts: 46,433   +252

  10. cschrille

    cschrille TechSpot Enthusiast Topic Starter Posts: 181

    I let it run overnight and I have no signs that it's completed now. It's been about 12 hours, what to do?
  11. Broni

    Broni Malware Annihilator Posts: 46,433   +252

    Open Windows Explorer. Go Tools > Folder Options > View tab, put a checkmark next to Show hidden files and folders, UN-check Hide protected operating system files.
    NOTE. Make sure to reverse the above changes, when done with this step.
    Upload following files to http://www.virustotal.com/ for security check:
    - C:\Windows\assembly\GAC_64\Desktop.ini
    - C:\Windows\assembly\GAC_32\Desktop.ini
    IMPORTANT! If the file is listed as already analyzed, click on Reanalyse file now button.
    Post scan results.
  12. cschrille

    cschrille TechSpot Enthusiast Topic Starter Posts: 181

    I can't find any folders inside the assembly folder. I managed to open the other folder in which NOD32 finds Sirefef and such. It was called 80000032.@ but it does not seem to attack anymore since it's only been blocked once. It was inside the Installer folder in Windows, there are a bunch of other files there that have been blocked over 1000 times but I can't see them at all.
  13. cschrille

    cschrille TechSpot Enthusiast Topic Starter Posts: 181

    Scan from the file I could find.

    Antivirus   Result   Update
    AhnLab-V3 -
    AntiVir TR/ATRAPS.Gen2
    Antiy-AVL - 20120607
    Avast Win32: DNSChanger-VJ [Trj]
    AVG Generic_r.AWX
    BitDefender -
    ByteHero -
    CAT-QuickHeal -
    ClamAV -
    Commtouch -
    Comodo UnclassifiedMalware
    DrWeb BackDoor.Maxplus.5209
    Emsisoft Trojan.Win32.Alureon!IK
    eSafe -
    F-Prot -
    F-Secure -
    Fortinet -
    GData Win32: DNSChanger-VJ
    Ikarus Trojan.Win32.Alureon
    Jiangmin -
    K7AntiVirus Riskware
    Kaspersky -
    McAfee Artemis!F2A0C085F4A2
    McAfee-GW-Edition Heuristic.BehavesLike.Win32.Spyware.J
    Microsoft Trojan:Win32/Sirefef.AK
    NOD32 probably a variant of Win32/Sirefef.EU
    Norman -
    nProtect -
    Panda Trj/CI.A
    PCTools -
    Rising -
    Sophos Sus/Behav-1010
    SUPERAntiSpyware -
    Symantec Suspicious.Cloud.5
    TheHacker -
    TotalDefense -
    TrendMicro -
    TrendMicro-HouseCall TROJ_GEN.R47H1F5
    VBA32 -
    VIPRE Trojan.Win32.Generic!BT
    ViRobot -
    VirusBuster -
  14. Broni

    Broni Malware Annihilator Posts: 46,433   +252

    Found where exactly since you said:
  15. cschrille

    cschrille TechSpot Enthusiast Topic Starter Posts: 181

    C:\Windows\Installer\{6ccbf812-07b7-4726-bef0-b612a153384e}\U

    Also found another one that has been picked up by NOD, called 000000008.@ or something like that, but it disappeared when I highlighted it. If I see it coming back I can scan it in VirusTotal.
  16. Broni

    Broni Malware Annihilator Posts: 46,433   +252

    What happens when you ask NOD to remove it?
  17. cschrille

    cschrille TechSpot Enthusiast Topic Starter Posts: 181

    It quarantines it but it just keeps coming back, I'll give you a picture in some minutes after the scan of that file is done.
  18. cschrille

    cschrille TechSpot Enthusiast Topic Starter Posts: 181

    Scan results from 00000008.@

    AhnLab-V3 -
    AntiVir SPR/BitCoinMiner.A
    Antiy-AVL -
    Avast Win32:BitCoinMiner-U [PUP]
    AVG PSW.KeyLogger.AXD
    BitDefender Trojan.Sirefef.GA
    ByteHero -
    CAT-QuickHeal -
    ClamAV PUA.Win32.Packer.Upx-44
    Commtouch -
    Comodo -
    DrWeb Tool.BtcMine.26
    Emsisoft Win32.Trojan!IK
    eSafe -
    F-Prot -
    F-Secure Trojan.Sirefef.GA
    Fortinet W32/Agent.WHI!tr
    GData Trojan.Sirefef.GA
    Ikarus Win32.Trojan
    Jiangmin -
    K7AntiVirus Riskware
    Kaspersky -
    McAfee Generic.dx!b2qj
    McAfee-GW-Edition -
    Microsoft -
    NOD32 Win64/Agent.BA
    Norman W32/Suspicious_Gen4.AGIPS
    nProtect Trojan.Sirefef.GA
    Panda -
    PCTools -
    Rising -
    Sophos Troj/Agent-WHI
    SUPERAntiSpyware -
    Symantec -
    TheHacker -
    TotalDefense -
    TrendMicro -
    TrendMicro-HouseCall -
    VBA32 -
    VIPRE -
    ViRobot -
    VirusBuster -
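    The two VirusTotal listings posted above (for the GAC Desktop.ini and for 00000008.@) share one format: one engine per line, a detection label or "-" for clean, sometimes followed by an update date. The parser below is an added example written for this thread, not code from TechSpot or VirusTotal; it assumes only the Python standard library, embeds a constructed sample in the same shape, and reports the detection ratio plus which engines named the Sirefef/ZAccess family.

    ```python
    """Parse a pasted VirusTotal engine/result listing and summarise it."""
    from __future__ import annotations

    # Constructed sample in the shape of the listings posted in this thread.
    SAMPLE = """\
    AhnLab-V3 -
    AntiVir SPR/BitCoinMiner.A
    Antiy-AVL - 20120607
    Avast Win32:BitCoinMiner-U [PUP]
    BitDefender Trojan.Sirefef.GA
    Kaspersky -
    NOD32 Win64/Agent.BA
    """

    # Name fragments the thread associates with this infection (Sirefef / ZeroAccess).
    FAMILY_MARKERS = ("sirefef", "zaccess")


    def parse_vt_listing(text: str) -> dict:
        """Map engine name -> detection label, or None when the engine reported clean ('-')."""
        results = {}
        for line in text.splitlines():
            line = line.strip()
            if not line:
                continue
            engine, _, rest = line.partition(" ")
            tokens = rest.split()
            # A bare '-' (optionally followed by an update date) means no detection.
            results[engine] = None if not tokens or tokens[0] == "-" else rest.strip()
        return results


    def summarise(results: dict) -> dict:
        """Detection count, ratio string, and the engines whose label names the family."""
        detected = {e: r for e, r in results.items() if r}
        family = sorted(e for e, r in detected.items()
                        if any(m in r.lower() for m in FAMILY_MARKERS))
        return {
            "engines": len(results),
            "detections": len(detected),
            "ratio": f"{len(detected)}/{len(results)}",
            "family_hits": family,
        }


    if __name__ == "__main__":
        print(summarise(parse_vt_listing(SAMPLE)))
    ```
    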
  19. cschrille

    cschrille TechSpot Enthusiast Topic Starter Posts: 181

    There you can see what I mean, look at the insane number of times it's been quarantined, it seems like that whole folder is just filled with bad files.
  20. Broni

    Broni Malware Annihilator Posts: 46,433   +252

    Download Kaspersky Rescue Disk 10
    Burn downloaded .iso file to CD. How to: http://www.petri.co.il/how_to_write_iso_files_to_cd.htm

    Boot from Kaspersky Rescue Disk 10. How to boot from CD: http://www.hiren.info/pages/bios-boot-cdrom

    A loading wizard will start (you will see the menu to select the required language). See screenshots here: http://support.kaspersky.com/viruses/rescuedisk/main?qid=208286086
    If you do not press any key in 10 seconds, the computer boots from hard drive automatically.
    Select the required interface language using the arrow-keys on your keyboard.
    Press the Enter key on the keyboard.
    In the start up wizard window that opens, select the Kaspersky Rescue Disk. Graphic Mode
    Click Enter.
    Click 'A' to accept the agreement.
    Select operating system from dropdown menu.
    In Objects Scan tab checkmark:
    • Disk boot sectors
    • Hidden startup objects
    • C:
    Click My Update Center tab and update if any available
    Go back to other tab and click Start Object Scan.
    NOTE. Be patient. It will take a while.

    When scan has completed save a report:
    • On the upper part of the Kaspersky Rescue Disk window, click on the Report link.
    • On the bottom right hand corner of the Protection status - Kaspersky Rescue Disk window, click on the Detailed Report button.
    • On the upper right hand corner of the Detailed report window, click on the Save button.
    • After clicking Detailed Report and 'SAVE', a browse window opens.
    • Double-click on the \
    • Click 'Disks'.
    • All your drives will be shown and you can easily double-click C and save the report to C:\KasperskyRescueDisk10.txt.
    • Click on the Save button.
    • The report has been saved to the file.
    Remove the disk from the drive (or disconnect USB) and reboot normally.

    Post the content of the file for my review.
  21. cschrille

    cschrille TechSpot Enthusiast Topic Starter Posts: 181

    The scan got bugged and kept scanning the same folder over and over. For some reason it only found one virus.

    Objects Scan: stopped 2 minutes ago (events: 4, objects: 1664257, time: 03:41:17)
    6/7/12 10:20 PM Task stopped
    6/7/12 7:26 PM Untreated: Backdoor.Win32.ZAccess.oun C:/Windows/assembly/GAC_32/Desktop.ini Postponed
    6/7/12 7:26 PM Detected: Backdoor.Win32.ZAccess.oun C:/Windows/assembly/GAC_32/Desktop.ini
    6/7/12 6:39 PM Task started

    That's what it found, also I checked my hard drive with the Rescue Disk and I found the GAC folders in assembly. But it said that the desktop.ini was "DOS/Windows executable", last I checked ini files weren't exe files, were they?
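    The Rescue Disk calling Desktop.ini a "DOS/Windows executable" is the tell: a real .ini file is plain text, so one under C:\Windows\assembly\GAC_32 or GAC_64 that begins with a PE header is masquerading. The check below is an added example written for this thread, not anything from the posters or from Kaspersky; it assumes only the Python standard library, builds a constructed sample tree in a temp directory, and reports ini-named files that carry a genuine MZ/PE header.

    ```python
    """Flag 'desktop.ini' files that are really PE executables (MZ stub + 'PE\\0\\0')."""
    import os
    import struct
    import tempfile
    from pathlib import Path


    def is_pe_file(path: Path) -> bool:
        """True if the file has a DOS 'MZ' stub whose e_lfanew points at a PE signature."""
        with open(path, "rb") as fh:
            dos_header = fh.read(0x40)
            if len(dos_header) < 0x40 or dos_header[:2] != b"MZ":
                return False
            (e_lfanew,) = struct.unpack_from("<I", dos_header, 0x3C)
            fh.seek(e_lfanew)
            return fh.read(4) == b"PE\0\0"


    def find_masquerading_ini(root: Path, name: str = "desktop.ini") -> list:
        """Walk root and return every file named like the .ini that actually has a PE header."""
        hits = []
        for dirpath, _dirs, files in os.walk(root):
            for fname in files:
                if fname.lower() == name:
                    p = Path(dirpath) / fname
                    if is_pe_file(p):
                        hits.append(str(p))
        return sorted(hits)


    def build_sample_tree() -> Path:
        """Constructed fixture mimicking C:\\Windows\\assembly\\GAC_32 and GAC_64."""
        root = Path(tempfile.mkdtemp())
        gac32 = root / "assembly" / "GAC_32"
        gac64 = root / "assembly" / "GAC_64"
        gac32.mkdir(parents=True)
        gac64.mkdir(parents=True)
        # A genuine desktop.ini is plain text.
        (gac64 / "desktop.ini").write_text("[.ShellClassInfo]\r\nIconResource=shell32.dll,3\r\n")
        # A fake one: DOS stub with e_lfanew = 0x40, followed by a PE signature.
        fake = bytearray(b"MZ" + b"\0" * 0x3E)
        struct.pack_into("<I", fake, 0x3C, 0x40)
        fake += b"PE\0\0" + b"\0" * 20
        (gac32 / "desktop.ini").write_bytes(bytes(fake))
        return root


    if __name__ == "__main__":
        print(find_masquerading_ini(build_sample_tree()))
    ```
    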
  22. Broni

    Broni Malware Annihilator Posts: 46,433   +252

  23. cschrille

    cschrille TechSpot Enthusiast Topic Starter Posts: 181

    Also, I could see the Combofix folder instead of just my drives, so I extracted all the files to a separate folder and I can now see them in regular Windows. How do I run Combofix from the files?
  24. cschrille

    cschrille TechSpot Enthusiast Topic Starter Posts: 181

    It said it removed it but NOD keeps detecting it, I would take it as it wasn't removed.
  25. Broni

    Broni Malware Annihilator Posts: 46,433   +252

    You can't.
    What about my previous reply?

