[Inactive]Recurring Sirefef.D/B/E Trojan

[nadavr]

Hello,

I am on windows 7. A few ago, my computer became infected with a trojan of some sort, detected by Microsoft Security Essentials. The malware found by MSSE is usually called Trojan:Win64/Sirefef.E or Sirefef.D or Sirefef.B. Additionally, Backdoor:Win32/Cycbot.G is found.

I used MSSE to remove the offending files, but they come back with alarming regularity. I have also downloaded MBAM, which also finds the trojans, removes them, and restarts, but the malware is present on a subsequent search. The "bad" files are typically found in a phantom directory at users/AppData/Local/*phantom directory that I cannot see*.

I also removed and reinstalled Adobe Reader, since it appeared to me that the trojan infected this program.

Some of the other symptoms are: Google Chrome is switched to proxy mode (and I have to manually switch it back), and I am infrequently redirected to strange websites.



Here is the text of the HijackThis log is below:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:00:56 PM, on 11/14/2011
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\LaCie\Genie Backup Assistant\GBMAgent.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe
C:\Windows\OEM04Mon.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Users\Nadav\Local Settings\Apps\F.lux\flux.exe
C:\Program Files\Common Files\Apple\Internet Services\iCloudServices.exe
C:\Program Files\Common Files\Apple\Internet Services\ApplePhotoStreams.exe
C:\Users\Nadav\AppData\Local\Akamai\netsession_win.exe
C:\Users\Nadav\AppData\Local\Akamai\netsession_win.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe
C:\Users\Nadav\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:57293
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [GBMLite8AgentLaCie] C:\Program Files\LaCie\Genie Backup Assistant\GBMAgent.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [KeePass 2 PreLoad] "C:\Program Files\KeePass Password Safe 2\KeePass.exe" --preload
O4 - HKLM\..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s
O4 - HKLM\..\Run: [OEM04Mon.exe] C:\Windows\OEM04Mon.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Users\Nadav\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [F.lux] "C:\Users\Nadav\Local Settings\Apps\F.lux\flux.exe" /noshow
O4 - HKCU\..\Run: [iCloudServices] C:\Program Files\Common Files\Apple\Internet Services\iCloudServices.exe
O4 - HKCU\..\Run: [ApplePhotoStreams] C:\Program Files\Common Files\Apple\Internet Services\ApplePhotoStreams.exe
O4 - HKCU\..\Run: [Akamai NetSession Interface] C:\Users\Nadav\AppData\Local\Akamai\netsession_win.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1426348316-2583770832-3688548621-1003\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'postgres')
O4 - HKUS\S-1-5-21-1426348316-2583770832-3688548621-1003\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'postgres')
O4 - Startup: Dropbox.lnk = Nadav\AppData\Roaming\Dropbox\bin\Dropbox.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler2\Fiddler.exe" (file missing)
O9 - Extra 'Tools' menuitem: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler2\Fiddler.exe" (file missing)
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\Skype4COM.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\615\G2AWinLogon.dll
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\615\g2aservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\Windows\System32\LEXBCES.EXE
O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe

--
End of file - 9573 bytes

Thanks for any help!

[PCBruiser]

Hi,

You will be assisted by 1972vet of our Staff.

[1972vet]

Greetings nadavr and Welcome to our Forums,
Please do this for me...

Disable the active protection component of your antivirus and antispyware programs by following the directions that apply Here. Next, please download the free utility DDS from any of these locations...Here, Here...or Here.
Note - Some infections may prevent certain executable files from running on your computer. If one of these download locations results in a failed run of the utility, please try the next location until you find one that will work on your machine
Double click dds.scr to run the tool

• When it completes, DDS will open two (2) logs:
• DDS.txt
• Attach.txt
• Save both reports to your desktop.

Next, please open an elevated command prompt:
Click start-->type CMD in the "Search programs and files" search box. The search will return it's findings in a listing at the top. Right-click on the cmd.exe icon and select "Run as administrator". When the command prompt opens, copy/paste the following lines, one at a time at the command prompt, and press the "Enter" key after each one you paste in:
cd %programfiles%\Microsoft Security Essentials

MpCmdRun.exe –getfiles


...The application will run for 5 minutes and will create a zipped file called MPSupportFiles.cab.

That file will be saved automatically to %ProgramData%\Microsoft\Microsoft Antimalware\Support\ folder.

Please navigate to, or search for and Attach that zipped file to your next reply and copy/paste the information contained within these text files:

• DDS.txt
• Attach.txt

Thanks!

[nadavr]

Oddly, my Program Files folder doesn't have a "Microsoft Security Essentials" folder. Should I follow the instructions in the "Microsoft Security Client" folder?

[nadavr]

Actually,  let me amend my question to: "what should I do?"

Thanks for the help. I completed the first steps succesfully, but don't know where to run the -getfiles command, since I have no "Microsoft Security Essentials" folder.

[1972vet]

Impossible, sorry to argue a point but what you said is impossible. If you have Micrisoft Security Essentials installed, then you have a Microsoft Security Essentials folder. The statement is moot for now...the instruction calls for the zipped data file contained within the support folder located in this file path:

...%ProgramData%\Microsoft\Microsoft Antimalware\Support\ folder.

Note...it's the "ProgramData" folder you need to look for, not the "program files" 

[nadavr]

hmm. I was referring to your instruction to enter

cd %programfiles%\Microsoft Security Essentials

into CMD. The result of this is "The system cannot find the path specified." I looked at my "Program Files" Folder and there is not a subfolder called "Microsoft Security Essentials". There is, however, an 'MpCmdRun' located at programfiles\Microsoft Security Client\Antimalware. Should I use this?

[1972vet]

hmm. I was referring to your instruction to enter

cd %programfiles%\Microsoft Security Essentials

into CMD. The result of this is "The system cannot find the path specified." I looked at my "Program Files" Folder and there is not a subfolder called "Microsoft Security Essentials". There is, however, an 'MpCmdRun' located at programfiles\Microsoft Security Client\Antimalware. Should I use this?

My apologies. Certainly, I thought, "Microsoft Answer's" forum's technical engineers provided accurate information these days...since I've complained about this for nearly a year now. I grabbed that parameter from instructions there...not to mention, I also beta tested MSE and had it installed myself for quite some time. I can attest, the file path was accurate but when the folder's name changed, I can't say. I also can't find where google knows either.

Anyway, you have serious problems. You can set aside the review of MSE's logs for now. I doubt they would be helpful since I've determined the most dire consequence of your current issue is a compromise to your entire hard disk.

I should let you moll over what your options are at this point:
IMPORTANT NOTE: One or more of the identified infections was related to a rootkit component. Rootkits and Backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. They should be changed by using a different computer...not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read "How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?"

Although sometimes, and under certain circumstances, some rootkit infections can be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because some rootkits can be removed, the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

• "When should I re-format? How should I reinstall?"
• "Help: I Got Hacked. Now What Do I Do?"
• "Where to draw the line? When to recommend a format and reinstall?"

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. Let us know how you wish to proceed.

[nadavr]

Wow, thank you for being so clear. A few questions:

(1) Since "infection" (I know what caused it), I have intentionally only logged into my email (I use 2-factor authentication, so I figured that was ok). Should I be worried about any passwords that the computer might have stored inside it?

(2) I am comfortable with the reformat. Can I safely backup files to a hard drive, without contaminating the hard drive?

[nadavr]

Lastly, are the other computers on my network safe?

[nadavr]

One more question: can I burn a windows reinstall DVD from the infected computer, or should I find a different computer to burn I from?

[1972vet]

Wow, thank you for being so clear. A few questions:

(1) Since "infection" (I know what caused it), I have intentionally only logged into my email (I use 2-factor authentication, so I figured that was ok). Should I be worried about any passwords that the computer might have stored inside it?
You bet. Nothing about that system can be considered safe...period. You say you know what caused this infection. Can you share with me for education's sake?


(2) I am comfortable with the reformat. Can I safely backup files to a hard drive, without contaminating the hard drive?
??
If you mean "external hard drive", you should only try it if you can afford to lose it.

Lastly, are the other computers on my network safe?
What network? Home? Business? It depends...


One more question: can I burn a windows reinstall DVD from the infected computer, or should I find a different computer to burn I from?
No need to...These new Windows 7 machines all come with the reinstallation DVD. Just use that one. Either "Windows" or the one supplied by the manufacturer should do the job.

Did you buy that laptop new or used? If used, do you know if it was rebuilt or just reformatted and reinstalled?

[nadavr]

I don't have a windows CD. I installed Win 7 myself by downloading a (legal) copy and mounting the disc image.  So I think I need to burn a disc image of the win7 disc to completely reformat. 

I was downloading some software to extract some stats from a large data set on my computer and things began to go haywire when I installed the (slightly suspicious) software.

How do I make sure that the other computers on my home network are not infected?

[1972vet]

I don't have a windows CD. I installed Win 7 myself by downloading a (legal) copy and mounting the disc image.  So I think I need to burn a disc image of the win7 disc to completely reformat.
No such thing as a working "legal" copy of Windows 7 available for download. Not to my knowledge that is. If I knew where you downloaded it, I can take a look to see if it would be sufficient from which to reformat and reinstall. I would burn a copy myself and test it for you.

I was downloading some software to extract some stats from a large data set on my computer and things began to go haywire when I installed the (slightly suspicious) software.
Hmmm...I also use data extraction software quite often. I also don't know of any "slightly suspicious" software from that category. Again, can you fill me in so at least I can avoid the same problem you ran into?

How do I make sure that the other computers on my home network are not infected?
I now hesitate to answer that since we still don't know whether or not you will even be able to reinstall that thing. The whole thing may just have to be scrapped...

...but then again, that may depend on how you answer those few questions above. Also, please answer this one from last posting:
"Did you buy that laptop new or used? If used, do you know if it was rebuilt or just reformatted and reinstalled?"

[nadavr]

I bought it new with windows vista.  I downloaded a copy of windows 7 thru my university, which comes as a disc image file. I'd now like to reformat and reinstall, but I can't just mount the file and reformat, so I guess I have to burn it.

As far as the data extraction goes, I needed a very specific function and downloaded a .exe which claimed it would work ( honestly I don't even know the name of the software at this point--it was late an clearly a poor decision.)

Thanks very much for all your help. Any advice on my networked computers  ?