Solved Malware sirefef.y and similar found in MSE on Vista HP x86

Johnny270268

Hi good people,

This closely relates to a very similar thread on the forums here titled "[Solved] Sirefef.y and Sirefef.b - MSE cannot update and PC shuts itself down", posted by member GailMacM on Jul 1, 2012. The situation was rather deftly resolved by Broni Malware Annihilator.

In the spirit of co-operation I've completed the Farbar (x86) & (x64) downloads and installed them to USB. The only way I could access System Recovery Options was to run an old Windows 32-bit boot disk. I've successfully created both an FRST.txt and a Search.txt.

The Vista machine is not currently connected to the internet and I have limited ability, at the moment, of resolving this. I cannot disengage MSE as the computer wants to restart exactly 1 minute after booting into the GUI. Similarly, for this reason, I haven't been able to revert to older System Restore points. I have attempted Safe Mode, Safe Mode with Networking, and Safe Mode with Command Prompt under the installed OS System Recovery Options, but to no avail, the end result always being the 1 minute reboot issue.

I can re-connect to the Internet at some point but have steered clear of this until one of you good people has a chance to view the text files. I won't paste them as yet but will await your further instruction. I assume from the posting rules that I needed to make this a new post as per the forum rules and guidelines. My humblest apologies if I have misunderstood any of the conditions.

Regards,

John M
 
Welcome aboard


Please observe the following rules:
  • Read all of my instructions very carefully. Mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
  • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
  • Please refrain from running tools or applying updates other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer behavior, good, or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

=============================================

Go ahead and post the FRST.txt and Search.txt logs.
 
Thanks Broni,

Here comes FRST.txt first!

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 10-07-2012
Ran by SYSTEM at 14-07-2012 02:12:24
Running from F:\
Windows (TM) Code Name "Longhorn" Preinstallation Environment (X86) OS Language: English(US)
The current controlset is ControlSet001
========================== Registry (Whitelisted) =============
HKLM\...\Winlogon: [Shell] cmd.exe /k start cmd.exe [x ] ()
================================ Services (Whitelisted) ==================
2 EventLog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [21504 2008-01-18] (Microsoft Corporation)
3 sacsvr; C:\Windows\System32\sacsvr.dll [13312 2008-01-18] (Microsoft Corporation)
========================== Drivers (Whitelisted) =============
0 FBWF; C:\Windows\System32\DRIVERS\fbwf.sys [69632 2008-01-18] (Microsoft Corporation)
0 Ramdisk; C:\Windows\System32\DRIVERS\ramdisk.sys [22528 2008-01-18] (Microsoft Corporation)
0 sacdrv; C:\Windows\System32\DRIVERS\sacdrv.sys [88632 2008-01-18] (Microsoft Corporation)
0 WimFsf; C:\Windows\System32\Drivers\WimFsf.sys [52224 2008-01-18] (Microsoft Corporation)
3 BTHMODEM; C:\Windows\system32\drivers\bthmodem.sys [x]
========================== NetSvcs (Whitelisted) ===========
NETSVC: sacsvr -> C:\Windows\system32\sacsvr.dll (Microsoft Corporation)
============ One Month Created Files and Folders ==============

============ 3 Months Modified Files ========================
2012-07-13 21:26 - 2008-10-03 17:07 - 00060048 ____A C:\Windows\System32\FNTCACHE.DAT

========================= Known DLLs (Whitelisted) ============

========================= Bamital & volsnap Check ============
C:\Windows\explorer.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\winlogon.exe
[2008-01-18 21:42] - [2008-01-18 23:33] - 0314880 ____A (Microsoft Corporation)
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
==================== EXE ASSOCIATION =====================
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
========================= Memory info ======================
Percentage of memory in use: 12%
Total physical RAM: 3070.56 MB
Available physical RAM: 2692.37 MB
Total Pagefile: 2852.55 MB
Available Pagefile: 2694.11 MB
Total Virtual: 2047.88 MB
Available Virtual: 1983.72 MB
======================= Partitions =========================
1 Drive c: (RECOVERY) (Fixed) (Total:15 GB) (Free:6.25 GB) NTFS
2 Drive d: (OS) (Fixed) (Total:450.7 GB) (Free:181.11 GB) NTFS ==>[System with boot components (obtained from reading drive)]
3 Drive e: (2007.11.03_2329) (CDROM) (Total:0.12 GB) (Free:0 GB) UDF
4 Drive f: () (Removable) (Total:3.73 GB) (Free:3.64 GB) FAT32
9 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 466 GB 0 B
Disk 1 Online 3840 MB 0 B
Disk 2 No Media 0 B 0 B
Disk 3 No Media 0 B 0 B
Disk 4 No Media 0 B 0 B
Disk 5 No Media 0 B 0 B
Partitions of Disk 0:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 63 MB 32 KB
Partition 2 Primary 15 GB 63 MB
Partition 3 Primary 451 GB 15 GB
Partition 4 Primary 1040 KB 466 GB
==================================================================================
Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 8 FAT Partition 63 MB Healthy Hidden
==================================================================================
Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 C RECOVERY NTFS Partition 15 GB Healthy
==================================================================================
Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D OS NTFS Partition 451 GB Healthy
==================================================================================
Disk: 0
Partition 4
Type : 17 (Suspicious Type)
Hidden: Yes
Active: Yes
There is no volume associated with this partition.
==================================================================================
Partitions of Disk 1:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3824 MB 16 KB
==================================================================================
Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F FAT32 Removable 3824 MB Healthy
==================================================================================
==========================================================
Last Boot: 2012-07-13 21:21
======================= End Of Log ==========================
 
And here's the Search.txt

Farbar Recovery Scan Tool Version: 10-07-2012
Ran by SYSTEM at 2012-07-14 02:19:29
Running from F:\
================== Search: "services.exe" ===================
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2008-01-19 00:52] - [2008-01-19 00:52] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C
C:\Windows\System32\services.exe
[2008-01-18 21:33] - [2008-01-18 23:33] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C
=== End Of Search ===
 
You have a different issue.

You have an infected partition.

WARNING!
Proceed with extreme caution!
Deleting the wrong partition will result in your computer being unusable.
If you have any doubts, ask.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download GETxPUD.exe to the desktop of your clean computer

  • Double click on GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and when finished will open BurnCDCC ready to burn the image.
  • Insert blank CD into your CD drive.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Boot the bad computer from the CD
  • Click Menu then Terminal Emulator
  • Type parted /dev/sda set 3 boot on
  • Press Enter
  • Type parted /dev/sda rm 4
  • Press Enter
  • Remove xPUD CD, reboot normally.

===================================================

See if the computer will stay up.

We have some other issues as well.
 
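The parted steps above act on the MBR partition table: mark the OS partition (entry 3) active and remove the hidden, active type-0x17 entry 4 that FRST reported with no volume behind it. As an added example that is not part of the original thread, of Farbar's tool, or of xPUD, the Python below parses a constructed MBR laid out like the one in the FRST log, flags that rogue entry, applies the same two table edits, and then re-checks that exactly one partition is active and that it is an OS-type partition; the disk size, LBA offsets, the 4 MiB "tiny" threshold and the "three or more reasons" rule are assumptions made for the example, and it works on an in-memory copy of the sector, never on a real disk.

```python
"""Added example (not part of the original thread): inspect a classic MBR
partition table for the kind of rogue entry FRST flagged, then apply the
same two changes as the parted commands and re-check the result.

The MBR bytes are CONSTRUCTED to mirror the log's layout; disk size and
partition offsets are assumptions, not the real drive's values."""
import struct

SECTOR = 512
TABLE_OFFSET = 446            # the four 16-byte entries sit at bytes 446..509
ENTRY_FMT = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIG = b"\x55\xaa"
ACTIVE = 0x80
HIDDEN_NTFS = 0x17            # "hidden NTFS"; the type FRST reported as suspicious
OS_TYPES = {0x07}             # NTFS (0x07), the type of the OS and RECOVERY partitions

DISK_SECTORS = 976_773_168    # assumed: a 500 GB drive, shown as 466 GB like the log
ROGUE_SECTORS = 2080          # 1040 KB, the size of "Partition 4" in the log

def build_entry(status, ptype, lba_start, sectors):
    """Pack one partition entry; CHS fields are left zeroed (only LBA matters here)."""
    return struct.pack(ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)

def constructed_mbr():
    """An MBR that looks like the infected disk: OEM, RECOVERY, OS, plus a tiny
    hidden, active type-0x17 entry parked at the very end of the disk."""
    p1_start, p1_len = 63, 63 * 1024 * 1024 // SECTOR
    p2_start, p2_len = p1_start + p1_len, 15 * 1024 ** 3 // SECTOR
    p3_start = p2_start + p2_len
    p4_start = DISK_SECTORS - ROGUE_SECTORS
    p3_len = p4_start - p3_start
    table = (build_entry(0x00, 0xDE, p1_start, p1_len) +
             build_entry(0x00, 0x07, p2_start, p2_len) +
             build_entry(0x00, 0x07, p3_start, p3_len) +
             build_entry(ACTIVE, HIDDEN_NTFS, p4_start, ROGUE_SECTORS))
    return b"\0" * TABLE_OFFSET + table + BOOT_SIG

def parse_mbr(mbr):
    """Return a list of dicts for the four primary entries (empty entries have type 0)."""
    if len(mbr) != SECTOR or mbr[510:] != BOOT_SIG:
        raise ValueError("not a valid MBR sector")
    entries = []
    for i in range(4):
        off = TABLE_OFFSET + i * 16
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        entries.append({"index": i + 1, "active": status == ACTIVE,
                        "type": ptype, "lba_start": lba, "sectors": count})
    return entries

def find_rogue(entries, disk_sectors=DISK_SECTORS):
    """Flag entries matching the bootkit pattern in the log: active, a hidden
    type, tiny, and placed at the tail of the disk. Three hits out of four is
    an assumed threshold, so a legitimately active OS partition is not flagged."""
    hits = []
    for e in entries:
        if e["type"] == 0:
            continue
        reasons = []
        if e["active"] and e["type"] not in OS_TYPES:
            reasons.append("active but not an OS partition type")
        if e["type"] == HIDDEN_NTFS:
            reasons.append("hidden type 0x17")
        if e["sectors"] * SECTOR <= 4 * 1024 * 1024:
            reasons.append("under 4 MiB")
        if e["lba_start"] + e["sectors"] >= disk_sectors - 2048:
            reasons.append("ends at the tail of the disk")
        if len(reasons) >= 3:
            hits.append((e["index"], reasons))
    return hits

def set_boot(mbr, index):
    """Same effect as `parted /dev/sda set N boot on`: mark entry N active and clear
    the flag on the others, so the MBR boot code chains into exactly one partition."""
    b = bytearray(mbr)
    for i in range(4):
        b[TABLE_OFFSET + i * 16] = ACTIVE if i + 1 == index else 0x00
    return bytes(b)

def remove_entry(mbr, index):
    """Same effect as `parted /dev/sda rm N`: zero the 16-byte entry."""
    b = bytearray(mbr)
    off = TABLE_OFFSET + (index - 1) * 16
    b[off:off + 16] = bytes(16)
    return bytes(b)

def check_table(entries):
    """Post-fix check: exactly one active entry, and it is an OS-type partition."""
    active = [e for e in entries if e["active"] and e["type"] != 0]
    if len(active) != 1:
        return [f"{len(active)} active partitions, expected 1"]
    if active[0]["type"] not in OS_TYPES:
        return [f"active partition {active[0]['index']} has type 0x{active[0]['type']:02X}"]
    return []

def repair_demo():
    """Run the whole sequence on the constructed disk; returns (findings, problems)."""
    mbr = constructed_mbr()
    before = find_rogue(parse_mbr(mbr))
    fixed = remove_entry(set_boot(mbr, 3), 4)     # parted ... set 3 boot on ; rm 4
    after = check_table(parse_mbr(fixed))
    return before, after

if __name__ == "__main__":
    found, problems = repair_demo()
    for idx, why in found:
        print(f"partition {idx}: " + ", ".join(why))
    print("after repair:", problems or "table OK")
```

On a real Linux rescue boot the first sector can be read with `dd if=/dev/sda bs=512 count=1` and fed to `parse_mbr`; the same `check_table` condition (one active entry, of an OS type) is what the later diskpart session in this thread is establishing by hand.
 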
Hi again Broni,

Computer not booting. After BIOS it goes to a screen with the following.

No boot device available

SATA0: Installed
SATA1: Installed
SATA2: None
SATA3: None
SATA4: None
SATA5: None
(followed by a blinking cursor line "-")

If I hit enter it just repeats the statement.

I have rebooted and selected to make sure it is booting from HDD but it still displays this screen and goes no further.

Hope this info helps
 
New FRST.txt

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 10-07-2012
Ran by SYSTEM at 14-07-2012 11:03:34
Running from J:\
Windows (TM) Code Name "Longhorn" Preinstallation Environment (X86) OS Language: English(US)
The current controlset is ControlSet001
========================== Registry (Whitelisted) =============
HKLM\...\Winlogon: [Shell] cmd.exe /k start cmd.exe [x ] ()
================================ Services (Whitelisted) ==================
2 EventLog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [21504 2008-01-18] (Microsoft Corporation)
3 sacsvr; C:\Windows\System32\sacsvr.dll [13312 2008-01-18] (Microsoft Corporation)
========================== Drivers (Whitelisted) =============
0 FBWF; C:\Windows\System32\DRIVERS\fbwf.sys [69632 2008-01-18] (Microsoft Corporation)
0 Ramdisk; C:\Windows\System32\DRIVERS\ramdisk.sys [22528 2008-01-18] (Microsoft Corporation)
0 sacdrv; C:\Windows\System32\DRIVERS\sacdrv.sys [88632 2008-01-18] (Microsoft Corporation)
0 WimFsf; C:\Windows\System32\Drivers\WimFsf.sys [52224 2008-01-18] (Microsoft Corporation)
3 BTHMODEM; C:\Windows\system32\drivers\bthmodem.sys [x]
========================== NetSvcs (Whitelisted) ===========
NETSVC: sacsvr -> C:\Windows\system32\sacsvr.dll (Microsoft Corporation)
============ One Month Created Files and Folders ==============

============ 3 Months Modified Files ========================
2012-07-13 21:26 - 2008-10-03 17:07 - 00060048 ____A C:\Windows\System32\FNTCACHE.DAT

========================= Known DLLs (Whitelisted) ============

========================= Bamital & volsnap Check ============
C:\Windows\explorer.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
==================== EXE ASSOCIATION =====================
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
========================= Memory info ======================
Percentage of memory in use: 12%
Total physical RAM: 3070.56 MB
Available physical RAM: 2690.31 MB
Total Pagefile: 2852.55 MB
Available Pagefile: 2691.13 MB
Total Virtual: 2047.88 MB
Available Virtual: 1990.33 MB
======================= Partitions =========================
1 Drive c: (RECOVERY) (Fixed) (Total:15 GB) (Free:6.25 GB) NTFS
2 Drive d: (OS) (Fixed) (Total:450.7 GB) (Free:181.11 GB) NTFS ==>[System with boot components (obtained from reading drive)]
3 Drive e: (2007.11.03_2329) (CDROM) (Total:0.12 GB) (Free:0 GB) UDF
8 Drive j: () (Removable) (Total:3.73 GB) (Free:3.64 GB) FAT32
9 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 466 GB 276 KB
Disk 1 No Media 0 B 0 B
Disk 2 No Media 0 B 0 B
Disk 3 No Media 0 B 0 B
Disk 4 No Media 0 B 0 B
Disk 5 Online 3840 MB 0 B
Partitions of Disk 0:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 63 MB 32 KB
Partition 2 Primary 15 GB 63 MB
Partition 3 Primary 451 GB 15 GB
==================================================================================
Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 8 FAT Partition 63 MB Healthy Hidden
==================================================================================
Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 0 C RECOVERY NTFS Partition 15 GB Healthy
==================================================================================
Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 D OS NTFS Partition 451 GB Healthy
==================================================================================
Partitions of Disk 5:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3824 MB 16 KB
==================================================================================
Disk: 5
Partition 1
Type : 0B
Hidden: No
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 7 J FAT32 Removable 3824 MB Healthy
==================================================================================
==========================================================
Last Boot: 2012-07-13 21:21
======================= End Of Log ==========================
 
You will need a USB flash drive.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and when finished will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Next download rst.sh to your USB flash drive
  • Remove the USB & CD and insert them in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see rst.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash rst.sh
  • Press Enter
  • After it has finished a report will be located on your USB drive named enum.log
  • Remove the USB drive and insert it back in your working computer and navigate to enum.log

    Please note - all text entries are case sensitive
Copy and paste the enum.log for my review
 
I can confirm that rst.sh has been saved to thumb drive. However, I cannot see it in the mnt folder under any of the sda1 sda2 or sda3 folders. I selected show hidden files and folders... still no joy
 
Hold on!!
I removed the thumb drive and re-booted. Opened the mnt directory and re-inserted thumb drive and can now confirm the rst.sh !!
Sorry for the scare.

Currently preparing enum.log for your review
 
enum.log for your review. Sorry about the delay.

3.8M Jul 14 2012 /mnt/sda2/Windows/System32/config/SOFTWARE
50.8M Jul 13 15:47 /mnt/sda3/Windows/System32/config/software
2.0M Jul 14 2012 /mnt/sda2/Windows/System32/config/SYSTEM
44.8M Jul 13 15:47 /mnt/sda3/Windows/System32/config/system
 
All restore points are just recent, so it won't work.

Boot back to System Recovery Options and then access Command Prompt.
Type:
DISKPART
Press Enter.

Type:
LIST DISK
Press Enter.

Let me know which disk has a "*" in front of it.
 
Hello again and sorry for the delay, but I have had to use a Win 7 image disk to access the Recovery Console.

None of the disks has "*" in front of it

The list is as follows:

Disk 0 Online 465GB 0B (Free)
Disk 1 No Media 0B (Size) 0B (Free)
Disk 2 (as for Disk 1)
Disk 3 (as for Disk 1)
Disk 4 (as for Disk 1)

Hope this helps
 
Type:
SELECT DISK 0 (<----- that's "zero")
Press Enter.


Type:
LIST DISK
Press Enter.

Post what you see on the screen and if "disk 0" has a "*" in front of it.
 
Good :)

Type:
LIST PARTITION
Press Enter.

Let me know what you see on the screen and if any item has a "*" in front of it.
 
No items have "*" in front of them. List is:

Partition 1 OEM 62MB (Size) 31KB (Offset)
Partition 2 Primary 15GB 63MB
Partition 3 Primary 450GB 15GB
 
Very well.

Type:
SELECT PARTITION 3
Press Enter.

Type:
LIST PARTITION
Press Enter.

Let me know if "Partition 3" has a "*" in front of it.
 
Type:
EXIT
Press Enter.

Restart computer.
See if it boots.
If not (it's still possible) let me know what exactly happens.
 
Computer not booting. After BIOS it goes to a screen with the following.

No boot device available

SATA0: Installed
SATA1: Installed
SATA2: None
SATA3: None
SATA4: None
SATA5: None
(followed by a blinking cursor line "-")

If I hit enter it just repeats the statement.

I have rebooted and selected to make sure it is booting from HDD but it still displays this screen and goes no further.
 
Boot back to System Recovery Options and run FRST.
Type the following in the edit box after "Search:".

explorer.exe

Click Search button and post the log (Search.txt) it makes to your reply.
 