[NealH]

I am running Windows 7 64-bit and need help to remove trojan:win64/sirefef.P

I have attached my FRST.txt file for review.  FRST.txt   59.45KB   121 downloads

[Advertisements]

Hello NealH and welcome to my office here at G2G!

My nick is maliprog and I'll be your technical support on this issue. Before we start please read my notes carefully:

NOTES:

• Malware removal is NOT instantaneous, most infections require several courses of action to completely eradicate.
• Absence of symptoms does not always mean the computer is clean
• Kindly follow my instructions in the order posted. Order is crucial in cleaning process.
• Please DO NOT run any scans or fix on your own without my direction.
• Please read all of my response through at least once before attempting to follow the procedures described.
• If there's anything you don't understand or isn't totally clear, please come back to me for clarification.
• Please do not attach any log files to your replies unless I specifically ask you. Instead please copy and paste it to include the log in your reply.
• You must reply within 3 days or your topic will be closed

Step 1

• Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy.
• Right-click in the open notepad and select Paste).
• Save it on the flashdrive as fixlist.txt

C:\Windows\Installer\{daa67205-89ac-97bf-4211-027d13a226e7}
C:\Windows\Installer\{daa67205-89ac-97bf-4211-027d13a226e7}\@
C:\Windows\Installer\{daa67205-89ac-97bf-4211-027d13a226e7}\L
C:\Windows\Installer\{daa67205-89ac-97bf-4211-027d13a226e7}\n
C:\Windows\Installer\{daa67205-89ac-97bf-4211-027d13a226e7}\U
C:\Windows\Installer\{daa67205-89ac-97bf-4211-027d13a226e7}\L\00000004.@
C:\Windows\Installer\{daa67205-89ac-97bf-4211-027d13a226e7}\L\1afb2d56
C:\Windows\Installer\{daa67205-89ac-97bf-4211-027d13a226e7}\L\201d3dde
C:\Windows\Installer\{daa67205-89ac-97bf-4211-027d13a226e7}\U\00000004.@
C:\Windows\Installer\{daa67205-89ac-97bf-4211-027d13a226e7}\U\00000008.@
C:\Windows\Installer\{daa67205-89ac-97bf-4211-027d13a226e7}\U\000000cb.@
C:\Windows\Installer\{daa67205-89ac-97bf-4211-027d13a226e7}\U\80000000.@
C:\Windows\Installer\{daa67205-89ac-97bf-4211-027d13a226e7}\U\80000032.@
C:\Windows\Installer\{daa67205-89ac-97bf-4211-027d13a226e7}\U\80000064.@
C:\Users\Neal\AppData\Local\{daa67205-89ac-97bf-4211-027d13a226e7}
C:\Users\Neal\AppData\Local\{daa67205-89ac-97bf-4211-027d13a226e7}\@
C:\Users\Neal\AppData\Local\{daa67205-89ac-97bf-4211-027d13a226e7}\L
C:\Users\Neal\AppData\Local\{daa67205-89ac-97bf-4211-027d13a226e7}\U
C:\Users\Neal\AppData\Local\{daa67205-89ac-97bf-4211-027d13a226e7}\U\00000008.@
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating systemOn Vista or Windows 7

Now please enter System Recovery Options.

Run FRST and press the Fix button just once and wait. The tool will make a log on the flashdrive (Fixlog.txt) please post it in your next reply.

Step 2

Download and Install Combofix

Download ComboFix from one of the following locations:

Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop *

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

• Double click on ComboFix.exe & follow the prompts.
• Accept the disclaimer and allow to update if it asks
  
  
  
  
• When finished, it shall produce a log for you.
• Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the combo fix log in your next reply

Step 3

Please don't forget to include these items in your reply:

• FRST log
• Combofix log

It would be helpful if you could post each log in separate post using "Add Reply" button

[maliprog]

Hello NealH and welcome to my office here at G2G!

My nick is maliprog and I'll be your technical support on this issue. Before we start please read my notes carefully:

NOTES:

• Malware removal is NOT instantaneous, most infections require several courses of action to completely eradicate.
• Absence of symptoms does not always mean the computer is clean
• Kindly follow my instructions in the order posted. Order is crucial in cleaning process.
• Please DO NOT run any scans or fix on your own without my direction.
• Please read all of my response through at least once before attempting to follow the procedures described.
• If there's anything you don't understand or isn't totally clear, please come back to me for clarification.
• Please do not attach any log files to your replies unless I specifically ask you. Instead please copy and paste it to include the log in your reply.
• You must reply within 3 days or your topic will be closed

Step 1

• Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy.
• Right-click in the open notepad and select Paste).
• Save it on the flashdrive as fixlist.txt

C:\Windows\Installer\{daa67205-89ac-97bf-4211-027d13a226e7}
C:\Windows\Installer\{daa67205-89ac-97bf-4211-027d13a226e7}\@
C:\Windows\Installer\{daa67205-89ac-97bf-4211-027d13a226e7}\L
C:\Windows\Installer\{daa67205-89ac-97bf-4211-027d13a226e7}\n
C:\Windows\Installer\{daa67205-89ac-97bf-4211-027d13a226e7}\U
C:\Windows\Installer\{daa67205-89ac-97bf-4211-027d13a226e7}\L\00000004.@
C:\Windows\Installer\{daa67205-89ac-97bf-4211-027d13a226e7}\L\1afb2d56
C:\Windows\Installer\{daa67205-89ac-97bf-4211-027d13a226e7}\L\201d3dde
C:\Windows\Installer\{daa67205-89ac-97bf-4211-027d13a226e7}\U\00000004.@
C:\Windows\Installer\{daa67205-89ac-97bf-4211-027d13a226e7}\U\00000008.@
C:\Windows\Installer\{daa67205-89ac-97bf-4211-027d13a226e7}\U\000000cb.@
C:\Windows\Installer\{daa67205-89ac-97bf-4211-027d13a226e7}\U\80000000.@
C:\Windows\Installer\{daa67205-89ac-97bf-4211-027d13a226e7}\U\80000032.@
C:\Windows\Installer\{daa67205-89ac-97bf-4211-027d13a226e7}\U\80000064.@
C:\Users\Neal\AppData\Local\{daa67205-89ac-97bf-4211-027d13a226e7}
C:\Users\Neal\AppData\Local\{daa67205-89ac-97bf-4211-027d13a226e7}\@
C:\Users\Neal\AppData\Local\{daa67205-89ac-97bf-4211-027d13a226e7}\L
C:\Users\Neal\AppData\Local\{daa67205-89ac-97bf-4211-027d13a226e7}\U
C:\Users\Neal\AppData\Local\{daa67205-89ac-97bf-4211-027d13a226e7}\U\00000008.@
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating systemOn Vista or Windows 7

Now please enter System Recovery Options.

Run FRST and press the Fix button just once and wait. The tool will make a log on the flashdrive (Fixlog.txt) please post it in your next reply.

Step 2

Download and Install Combofix

Download ComboFix from one of the following locations:

Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop *

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

• Double click on ComboFix.exe & follow the prompts.
• Accept the disclaimer and allow to update if it asks
  
  
  
  
• When finished, it shall produce a log for you.
• Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the combo fix log in your next reply

Step 3

Please don't forget to include these items in your reply:

• FRST log
• Combofix log

It would be helpful if you could post each log in separate post using "Add Reply" button

[NealH]

Thanks for the help. Here is the fixlog:

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 15-07-2012
Ran by SYSTEM at 2012-07-16 21:52:39 Run:1
Running from H:\

==============================================

C:\Windows\Installer\{daa67205-89ac-97bf-4211-027d13a226e7} moved successfully.
C:\Windows\Installer\{daa67205-89ac-97bf-4211-027d13a226e7}\@ not found.
C:\Windows\Installer\{daa67205-89ac-97bf-4211-027d13a226e7}\L not found.
C:\Windows\Installer\{daa67205-89ac-97bf-4211-027d13a226e7}\n not found.
C:\Windows\Installer\{daa67205-89ac-97bf-4211-027d13a226e7}\U not found.
C:\Windows\Installer\{daa67205-89ac-97bf-4211-027d13a226e7}\L\00000004.@ not found.
C:\Windows\Installer\{daa67205-89ac-97bf-4211-027d13a226e7}\L\1afb2d56 not found.
C:\Windows\Installer\{daa67205-89ac-97bf-4211-027d13a226e7}\L\201d3dde not found.
C:\Windows\Installer\{daa67205-89ac-97bf-4211-027d13a226e7}\U\00000004.@ not found.
C:\Windows\Installer\{daa67205-89ac-97bf-4211-027d13a226e7}\U\00000008.@ not found.
C:\Windows\Installer\{daa67205-89ac-97bf-4211-027d13a226e7}\U\000000cb.@ not found.
C:\Windows\Installer\{daa67205-89ac-97bf-4211-027d13a226e7}\U\80000000.@ not found.
C:\Windows\Installer\{daa67205-89ac-97bf-4211-027d13a226e7}\U\80000032.@ not found.
C:\Windows\Installer\{daa67205-89ac-97bf-4211-027d13a226e7}\U\80000064.@ not found.
C:\Users\Neal\AppData\Local\{daa67205-89ac-97bf-4211-027d13a226e7} moved successfully.
C:\Users\Neal\AppData\Local\{daa67205-89ac-97bf-4211-027d13a226e7}\@ not found.
C:\Users\Neal\AppData\Local\{daa67205-89ac-97bf-4211-027d13a226e7}\L not found.
C:\Users\Neal\AppData\Local\{daa67205-89ac-97bf-4211-027d13a226e7}\U not found.
C:\Users\Neal\AppData\Local\{daa67205-89ac-97bf-4211-027d13a226e7}\U\00000008.@ not found.
C:\Windows\assembly\GAC_32\Desktop.ini moved successfully.
C:\Windows\assembly\GAC_64\Desktop.ini moved successfully.

==== End of Fixlog ====

[NealH]

I have a question on the ComboFix step.

My computer that is infected reboots within a minute or so of booting. So I downloaded ComboFix to a USB drive from a non-infected PC, then copied ComboFix off the USB drive to the desktop of the infected PC. I then ran ComboFix from the desktop of the infected PC. It seemed to run to completion (the progress bar went all the way across and it seemed to finish.) However, there was no ComboFix.txt file created on C:\. Per your instructions, I stopped there and did not attempt to re-run it.

Edited by NealH, 16 July 2012 - 11:20 PM.

[maliprog]

Does your PC restarts after you run Combofix? Let's try this step.

Download OTL to your Desktop

• Double click on the icon to run it (If running Vista or Windows 7, right click on it and select "Run as an Administrator"). Make sure all other windows are closed and to let it run uninterrupted.
  
• Under the Custom Scan/Fixes box paste this in
  
  

  /md5start
  services.*
  /md5stop
  

• Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  
• When the scan completes, it will open OTL.txt. This file is also saved in the same location as OTL.
• Please copy (Edit->Select All, Edit->Copy) the contents of this file and post it here to me

[NealH]

I am away from my computer tonight on business. Tomorrow night I will follow the latest steps you provided and report back to you.

[NealH]

OK, I'm back. I followed your instructions and ran OTL. Unfortunately, the infected PC shuts down by itself before the scan can complete, using the Quick Scan option in OTL.

[NealH]

Just to be clear on what happens - maybe I didn't provide as much detail as I should have. When I boot the infected PC, it boots normally. Then my Windows Essentials antivirus software detects the virus, and at about that time a dialog pops up saying "Windows has encountered a critical problems and will restart in one minute. Save your work now." And then it shuts down and reboots in about 60 seconds or so. The total time from Windows boot to auto shutdown is short; around 120 seconds total.

[maliprog]

Now you make it clear. Let's stop that.

Download

 stayON.bat   11bytes   168 downloads

to your desktop and when you see that 60s countdown double click on this program to run it and it should stop shutdown progress. After that start OTL scan and post log here for me.

[NealH]

I copied the batch file to the desktop of the infected machine. As soon as I saw the dialog box telling me the machine will be shut down, I closed the dialog box and ran the batch you provided from the desktop. However, the machine still shuts down by itself and reboots.

[NealH]

I also tried doing a manual shutdown /a DOS command at a command prompt after the dialog appears, and it just says that a shutdown is in progress and doesn't abort the shutdown. The shutdown and reboot still occurs. So whether we use your batch file with shutdown -a or my manual shutdown /a it makes no difference and the machines still shuts down and reboots too quickly for the Quick Scan to finish.

[maliprog]

We will use FRST as you have problem running OTL. Run Farbar Recovery Scan Tool as you did before.

Type the following in the edit box after "Search:".

services.*

Click Search File(s) button and post the log (Search.txt) it makes to your next reply.

[NealH]

Hello,

I am traveling now and will be away from the infected computer until July 29th. Please keep this troubleshooting thread open and I will pick up with you on the 29th and we can resume the troubleshooting. Thanks for your help so far.

[maliprog]

Thank you for letting us know. I'll be here. Hear you soon.

[NealH]

OK, I'm back from vacation. I did as you requested -- I ran FRST on the infected machine and put in services .* in the edit box and clicked on search files. Before FRST completes this activity, the computer shuts down. This is all that was in the text file it created:

Farbar Recovery Scan Tool Version: 15-07-2012
Ran by Neal at 2012-07-28 17:55:33
Running from N:\

================== Search: "services .*" ===================