# Trojan-Dropper.Win32.Sirefef!IK

## 18 posts in this topic

Got one that I can't get. Attaching the requested files. Thanks in advance for your assistance.

0

##### Share on other sites

* IMPORTANT !!! Save Combo-Fix to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See HERE for help
• Double click on ComboFix.exe & follow the prompts.
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, ComboFix will produce a log.

Note:

1. Do not mouseclick combofix's window while it's running. That may cause it to stall!

2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)

• ComboFix (C:\combofix.txt)

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

0

##### Share on other sites

I ran it. Have the combo fix.txt file but the networking seems to be knocked out and I can't re-enable it. Sending this from my iPad. I will be home tomorrow evening and will post the log file at that time from another machine (traveling). It did run to completion but it took a long time and the PC is now running really slow. Just wanted to let you know I got your message and appreciate the help but I am out of commission right now.

0

##### Share on other sites

Attaching the ComboFix file.

If it helps, when I try to repair the network, after a long time, it shows connected however the pop up message says "Failed to query TCP/IP settings of the connection".

Overall, it's sluggish (old laptop anyway but much more now) and inconsistent. However, the drive is not thrashing.

Please let me know next steps/suggestions. Thanks.

0

##### Share on other sites

Run OTL.exe

• Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
:OTL
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: EditLevel = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoClose = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSaveSettings = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFileMenu = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCommonGroups = 0
O33 - MountPoints2\{1e116a52-6140-11dc-b6ae-001b775deaea}\Shell - "" = AutoRun
O33 - MountPoints2\{1e116a52-6140-11dc-b6ae-001b775deaea}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{1e116a52-6140-11dc-b6ae-001b775deaea}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
O33 - MountPoints2\{38834d7c-20d5-11df-bec4-7a8020000200}\Shell\AutoRun\command - "" = E:\driver\usb\–¼‡‘Š•†‘Í€ŒŽ
O33 - MountPoints2\{38834d7c-20d5-11df-bec4-7a8020000200}\Shell\open\command - "" = E:\driver\usb\–¼‡‘Š•†‘Í€ŒŽ
O33 - MountPoints2\{7a482790-a743-11dc-b7c7-444553544200}\Shell - "" = AutoRun
O33 - MountPoints2\{7a482790-a743-11dc-b7c7-444553544200}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{7a482790-a743-11dc-b7c7-444553544200}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
O33 - MountPoints2\{a6b148f5-0a85-11df-be7e-7a8020000200}\Shell - "" = AutoRun
O33 - MountPoints2\{a6b148f5-0a85-11df-be7e-7a8020000200}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{a6b148f5-0a85-11df-be7e-7a8020000200}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
O33 - MountPoints2\{a6b148f6-0a85-11df-be7e-7a8020000200}\Shell\AutoRun\command - "" = F:\RECYCLER\install.exe
O33 - MountPoints2\{a6b148f6-0a85-11df-be7e-7a8020000200}\Shell\explore\command - "" = F:\RECYCLER\install.exe
O33 - MountPoints2\{a6b148f6-0a85-11df-be7e-7a8020000200}\Shell\open\command - "" = F:\RECYCLER\install.exe
O33 - MountPoints2\{aca61a4b-97bc-11de-bce8-7a8020000200}\Shell\AutoRun\command - "" = E:\WDSetup.exe
[2011/12/19 19:54:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At40.job
[2011/12/19 19:54:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At39.job
[2011/12/19 18:54:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At38.job
[2011/12/19 18:54:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At37.job
[2011/12/19 17:54:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At36.job
[2011/12/19 17:54:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At35.job
[2011/12/19 16:54:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At34.job
[2011/12/19 16:54:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At33.job
[2011/12/19 15:54:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At32.job
[2011/12/19 15:54:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At31.job
[2011/12/19 14:54:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At30.job
[2011/12/19 14:54:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At29.job
[2011/12/19 13:54:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At28.job
[2011/12/19 13:54:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At27.job
[2011/12/19 11:54:06 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At26.job
[2011/12/19 11:54:04 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At25.job
[2011/12/17 10:54:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At24.job
[2011/12/17 10:54:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At23.job
[2011/12/17 09:54:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At22.job
[2011/12/17 09:54:00 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At21.job
[2011/12/17 08:54:58 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At20.job
[2011/12/17 08:54:21 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At19.job
[2011/12/17 07:55:02 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At18.job
[2011/12/17 07:54:26 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At17.job
[2011/12/17 06:54:57 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At15.job
[2011/12/17 06:54:25 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At16.job
[2011/12/17 05:54:45 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At13.job
[2011/12/17 05:54:25 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At14.job
[2011/12/17 04:55:49 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At11.job
[2011/12/17 04:55:02 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At12.job
[2011/12/16 06:52:37 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At48.job
[2011/12/16 06:52:37 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At46.job
[2011/12/16 06:52:37 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At44.job
[2011/12/16 06:52:37 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At42.job
[2011/12/16 06:52:37 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At47.job
[2011/12/16 06:52:37 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At45.job
[2011/12/16 06:52:37 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At43.job
[2011/12/16 06:52:37 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At41.job
[2011/12/16 06:52:33 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At8.job
[2011/12/16 06:52:33 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At6.job
[2011/12/16 06:52:33 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At4.job
[2011/12/16 06:52:33 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At2.job
[2011/12/16 06:52:33 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At10.job
[2011/12/16 06:52:33 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At9.job
[2011/12/16 06:52:33 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At7.job
[2011/12/16 06:52:33 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At5.job
[2011/12/16 06:52:33 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At3.job
[2011/12/16 06:52:29 | 000,000,346 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

:Files
c:\windows\\$NtUninstallKB13984\$

:Commands
[Purity]
[EmptyTemp]
[EmptyFlash]
[EmptyJava]
[Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot when it is done

Close all windows

Do the following:

Start -> Run

type cmd

Click "OK"

The Command Console will open

Enter the following commands, at the Command Prompt. Commands must be entered exactly as shown.

Press the Enter Key after each command. Wait for each command to finish before proceeding to the next command.

netsh int ip reset reset.log
netsh winsock reset catalog
ipconfig /flushdns
exit

Attach the new log produced by OTL (C:\_OTL). (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

0

##### Share on other sites

The OTL Script has been running for a while... it just says killing processes do not interrupt. I will let it run. Just letting you know. Thanks.

0

##### Share on other sites

• Double-click on TDSSKiller.exe to run the application.

• Click Change parameters

• Check the boxes next to Verify Driver Digital Signature and Detect TDLFS file system, then click OK

• Click on the Start Scan button to begin the scan and wait for it to finish.
NOTE: Do not use the computer during the scan!
• During the scan it will look similar to the image below:

• When it finishes, you will either see a report that no threats were found like below:

If no threats are found at this point, just click the Report selection on the top right of the form to generate a log. A log file report will pop which you can just close since the report file is already saved.
• If any infection or suspected items are found, you will see a window similar to below:

• If you have files that are shown to fail signature check do not take any action on these. Make sure you select Skip. I will tell you what to do with these later. They may not be issues at all.
• If Suspicious objects are detected, the default action will be Skip. Leave the default set to Skip.
• If Malicious objects are detected, they will show in the Scan results. TDSSKiller automatically selects an action (Cure or Delete) for malicious objects
Make sure that Cure is selected. Important! - If Cure is not available, please choose Skip instead. Do not choose Delete unless instructed to do so.

[*]Click Continue to apply selected actions.

[*]A reboot may be required to complete disinfection. A window like the below will appear:

Reboot immediately if TDSSKiller states that one is needed.

[*]Whether an infection is found or not, a log file should have already been created on your C: drive (or whatever drive you boot from) in the root folder named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run.

0

##### Share on other sites

Got the log file from the other one (I think this is the correct file). The computer is still really really sluggish like a network conflict but the drive is not thrashing.

The TDSSKiller is running now. I will attach it when it finishes. Thanks.

0

##### Share on other sites

Attaching the TDSSKiller log. Still acting the same. Thanks.

0

##### Share on other sites

Need to get a look at what you have for partitons.

Do the following:

Start -> Run

type diskmgmt.msc

Click "OK"

Disk Management will open.

Click and hold the right side of the Disk Management Window and drag it to the right until you can see all the columns.

Take a screen Shot of the Disk Management Window and attach the screen shot to your reply.

0

##### Share on other sites

I can't upload the word document with the screen print of the disk management run. Is there another format or file type I can use to get it to you? The print to PDF function isn't working either. I am having to take things off the problem machine via a jump drive and post them with another machine. Thanks.

0

##### Share on other sites

Ok, I print screened it to word and painfully got it to publish to PDF. The problem PC is crazy slow... Let me know what you think. Thanks.

0

##### Share on other sites

Take a look at everything you have running in the background. Whatever you absolutely don't need running at system start, eliminate.

I also recommend that you uninstall Symantec Anti-Virus. You don't need it installed along side Emsisoft Anti-Malware. EAM provides both AV/AS protection.

0

##### Share on other sites

Shut off what I can. Somehow the networking is screwed up or conflicted. I show connected but nothing seems to be running. I will keep trying.

0

##### Share on other sites

Let's try repairing some areas of Windows that sometimes can get damaged by malware.

• Double-click tweaking.com_windows_repair_aio.zip and extract the Tweaking.com - Windows Repair folder to your desktop.
• Now open this folder and double-click Repair_Windows.exe.
• Click the Start Repairs tab on the far right.
• Click Custom Mode so there is a bullet in it.
• Click the Start button (bottom right)
Note: When asked if you would like to create a restore point. It is recommended just in-case something does not go as planned.
• Click Unselect All
• Put a checkmark in the following items:
• Reset Registry Permissions
• Reset File Permissions
• Remove Policies Set By Infections
• Set Windows Services To Default Startup

Note: Leave everything else unchecked

[*]Put a checkmark in Restart System When Finished

[*]Now click the Start button (bottom right)

0

##### Share on other sites

I did run it but still nothing. I will check in on Monday and see if there's anything else we can try. Need to take off for the holiday. You have a good one too.

0

##### Share on other sites

• Unzip it to your desktop to a folder named avz4
• Double click on AVZ.exe to run it.
• Run an update by clicking the Auto Update button on the Right of the Log window:
• Click Start to begin the update

Note: If you receive an error message, chose a different source, then click Start again

• After the update, from the "File" menu, choose "Standard Scripts"
• Put a check next to item 2: Advanced System Investigation
• Click Execute selected scripts
• At the next prompt, click the OK button
• Let the scan run and click "OK" when the completion prompt pops up
• Now Close out of the Standard Scripts window, and exit AVZ
• Navigate to the avz4 folder and locate the folder LOG
• Inside the LOG folder you will find virusinfo_syscheck.htm, virusinfo_syscheck.htm and virusinfo_syscheck.zip

0

##### Share on other sites

Reason: Lack of Response

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE, if you don't we are just going to send you back to this thread.

0