Win64:Sirefef Infection

[Blade81]

Hi,

Do you remember what was the last thing you did before connection problem? Has it occured again?


Please run ComboFix with this cfscript:

Code:

DeQuarantine::
c:\qoobox\quarantine\c\windows\system32\Bass.dll.vir
Quit::

[dinosaur58]

Ran CF with script. Proceeded same as previous runs. Connection problem occurred again. After CF run - DeQuarantine log opens in Notepad. I searched for Normal CF log using Win Explorer but couldn't find one. I then double clicked on the Firefox icon on my desktop. Firefox opened normally and I clicked on the link to this website in the 'History' dropdown menu, but got the connection reset message. To be sure that it was a global problem I tried to connect to another website and got the same message.
As mentioned above, no CF log - DeQuarantine log follows:

c:\qoobox\quarantine\c\windows\system32\Bass.dll.vir -> c:\windows\system32\Bass.dll ( 92216 bytes )

[Blade81]

Hi,

Has the problem occured only after these two previous ComboFix run where CFScript.txt was used?

If Files_for_submission.zip still exists on your desktop delete it. Then open notepad and copy/paste the text in the codebox below into it:

Code:

@echo off
for %%g in (
c:\windows\system32\Bass.dll
) do zip Files_for_submission %%g
del %0

Save this as grab.bat
Choose to Save type as - All Files
Save it on your desktop.
It should look like this:
Double click on grab.bat & allow it to run

A file, Files_for_submission.zip will be created on your desktop.



Please upload that zip file to this website. Kindly include a link to this topic in the message.

[dinosaur58]

Problem also occured before first CF run, when infection had been acitve for several days. On that occurrence the loss of internet access recieved 'the server cannot be found' messages for all sites rather than 'Connection Reset'.
File submitted to bleepingcomputer. Also submitted to Virustotal [I use that site to check suspicious files] to see how they measure up: 0/42 detections.

[Blade81]

Hi,

But during fix process connection issue has occured only with two latest CFScript.txt run, yes?

[dinosaur58]

Correct.

[Blade81]

Ok, please download fresh copy of ComboFix to your desktop (replace the old one). Then run it in safe mode. Post back the log.

[dinosaur58]

CF run proceeded the same in safe mode. Not sure if problem recurred, since Safe Mode [no networking] required reboot, and reboot solved internet access problem last time.
CF log follows:

ComboFix 12-07-18.04 - Administrator 07/18/2012 10:34:02.22.4 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3455.3169 [GMT -6:00]
Running from: c:\documents and settings\Administrator.COMPUTER\Desktop\Country11.exe
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((( Files Created from 2012-06-18 to 2012-07-18 )))))))))))))))))))))))))))))))
.
.
2012-07-18 09:59 . 2012-07-18 09:59 92216 ----a-w- c:\windows\system32\Bass.dll
2012-07-17 06:26 . 2012-07-17 06:26 -------- d-----w- c:\windows\system32\Filters
2012-07-17 05:07 . 2012-07-17 06:27 -------- d-----w- C:\Country10
2012-07-16 14:49 . 2012-07-16 14:49 -------- d-sh--w- c:\documents and settings\Administrator.COMPUTER\PrivacIE
2012-07-16 14:43 . 2012-07-16 14:43 -------- d-sh--w- c:\documents and settings\Administrator.COMPUTER\IETldCache
2012-07-16 14:37 . 2012-07-16 14:38 -------- dc-h--w- c:\windows\ie8
2012-07-16 14:34 . 2010-05-06 10:41 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2012-07-16 14:34 . 2010-05-06 10:41 599040 ------w- c:\windows\system32\dllcache\msfeeds.dll
2012-07-16 14:34 . 2010-05-06 10:41 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2012-07-16 14:34 . 2010-05-06 10:41 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2012-07-16 14:34 . 2010-05-06 10:41 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2012-07-16 14:34 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2012-07-16 14:34 . 2010-05-06 10:41 11076096 ------w- c:\windows\system32\dllcache\ieframe.dll
2012-07-15 20:07 . 2012-07-15 20:07 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-07-15 20:07 . 2012-07-15 20:07 772592 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-07-15 20:07 . 2012-07-15 20:07 -------- d-----w- c:\program files\Java
2012-07-15 20:04 . 2012-07-15 20:04 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-15 19:42 . 2012-07-15 19:42 -------- d-----w- c:\program files\Foxit Software
2012-07-11 14:33 . 2012-07-11 14:33 -------- d-----w- C:\TDSSKiller_Quarantine
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-15 20:07 . 2010-07-04 16:11 687600 ----a-w- c:\windows\system32\deployJava1.dll
2012-07-11 14:37 . 2007-12-14 01:00 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2004-04-09 22:13 . 2007-10-23 23:35 114688 ----a-w- c:\program files\NETGEAR DG632 USB Driveruninstalldrv.exe
2012-07-15 19:49 . 2012-07-15 19:49 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2006-05-03 18:06 163328 --sha-r- c:\windows\system32\flvDX.dll
2007-02-21 19:47 31232 --sha-r- c:\windows\system32\msfDX.dll
2008-03-16 21:30 216064 --sha-r- c:\windows\system32\nbDX.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2012-07-17_12.16.31 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-10-23 22:42 . 2012-07-18 16:37 82750 c:\windows\system32\perfc009.dat
+ 2007-10-23 22:42 . 2012-07-18 16:37 466606 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-03-06 23:15 123536 ----a-w- c:\program files\Alwil Software\Avast6\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-05 81920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"atwtusb"="atwtusb.exe" [2007-03-21 315392]
"Tweak UI"="TWEAKUI.CPL" [1997-11-08 87312]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-10 153136]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-08 1753192]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
"RTHDCPL"="RTHDCPL.EXE" [2000-01-01 20064872]
"avast"="c:\program files\Alwil Software\Avast6\avastUI.exe" [2012-03-06 4241512]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogoff"= 01000000
"NoRecentDocsNetHood"= 01000000
"NoSMMyDocs"= 01000000
"NoSMMyPictures"= 01000000
"NoNetworkConnections"= 01000000
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk.disabled]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk.disabled
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnk.disabledCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^MyIRC.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\MyIRC.lnk
backup=c:\windows\pss\MyIRC.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^TotalMedia BackUp & Recorder Monitor.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\TotalMedia BackUp & Recorder Monitor.lnk
backup=c:\windows\pss\TotalMedia BackUp & Recorder Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^WinTV Recording Status..lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\WinTV Recording Status..lnk
backup=c:\windows\pss\WinTV Recording Status..lnkCommon Startup
.
[HKLM\~\startupfolder\C:^DOCUME~1^ADMINI~1.COM^Start Menu^Programs^Startup^QuickShelf 2000.lnk]
path=c:\docume~1\ADMINI~1.COM\Start Menu\Programs\Startup\QuickShelf 2000.lnk
backup=c:\windows\pss\QuickShelf 2000.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2008-04-10 03:14 136472 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2008-04-10 03:23 909208 ----a-w- c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxMenuMgr]
2009-01-16 23:31 181544 ----a-w- c:\program files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2010-07-09 22:24 13923432 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
2007-09-05 02:25 81920 ----a-w- c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 23:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2008-04-10 03:11 2595792 ----a-w- c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NMIndexingService"=3 (0x3)
"NBService"=3 (0x3)
"AntiVirService"=2 (0x2)
"AntiVirSchedulerService"=2 (0x2)
"ACDaemon"=3 (0x3)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"AdobeBridge"=
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"VirtualCloneDrive"="c:\program files\VirtualCloneDrive\VCDDaemon.exe" /s
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"hpqSRMon"=c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe
"SoundMan"=SOUNDMAN.EXE
"nwiz"=c:\program files\NVIDIA Corporation\nView\nwiz.exe /install
"RTHDCPL"=RTHDCPL.EXE
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [12/21/2010 03:29 AM 64288]
R1 aiptektp;Pen Pad;c:\windows\system32\drivers\aiptektp.sys [7/1/2008 11:33 PM 22528]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [12/9/2011 09:10 AM 612184]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/9/2011 09:10 AM 337880]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/9/2011 09:10 AM 20696]
S2 BCMNTIO;BCMNTIO;c:\progra~1\CHECKIT\DIAGNO~1\BCMNTIO.sys [12/20/2007 05:11 AM 3744]
S2 MAPMEM;MAPMEM;c:\progra~1\CHECKIT\DIAGNO~1\MAPMEM.sys [12/20/2007 05:11 AM 3904]
S2 MDP100;MDP100 Video Capture;c:\windows\system32\DRIVERS\MDP100_XP.sys --> c:\windows\system32\DRIVERS\MDP100_XP.sys [?]
S2 portD;CMS PortIO Service;c:\windows\system32\DRIVERS\portd2k.sys --> c:\windows\system32\DRIVERS\portd2k.sys [?]
S2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [7/30/2011 09:57 PM 14976]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2/5/2011 02:30 PM 1691480]
S3 EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable (WDM);c:\windows\system32\drivers\vrtaucbl.sys [9/22/2009 04:59 AM 50944]
S3 MEITUNER;FireBus MPEG2TS Tuner Subunit Device;c:\windows\system32\drivers\meistb.sys [3/22/2011 01:55 AM 22891]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1E.tmp --> c:\windows\system32\1E.tmp [?]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [7/15/2012 01:49 PM 129976]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2/5/2011 02:31 PM 56992]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\PCOUFFIN.SYS [3/3/2009 12:43 AM 47360]
S3 SWDUMon;SWDUMon;c:\windows\system32\drivers\SWDUMon.sys [10/25/2011 02:36 AM 12984]
S4 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [1/16/2009 05:31 PM 161064]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\Administrator.COMPUTER\Application Data\Mozilla\Firefox\Profiles\bvvl5608.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - blank
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-18 10:40
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1454471165-1979792683-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
@Allowed: (Read) (RestrictedCode)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,50,86,4d,6e,6e,cd,af,4b,b0,38,0b,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,50,86,4d,6e,6e,cd,af,4b,b0,38,0b,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,50,86,4d,6e,6e,cd,af,4b,b0,38,0b,\
.
Completion time: 2012-07-18 10:41:46
ComboFix-quarantined-files.txt 2012-07-18 16:41
ComboFix12.txt 2012-07-17 12:18
ComboFix13.txt 2012-07-16 14:03
ComboFix14.txt 2012-07-15 17:49
ComboFix15.txt 2012-07-18 09:53
.
Pre-Run: 411,279,839,232 bytes free
Post-Run: 411,304,819,200 bytes free
.
- - End Of File - - 838021B7BD7DAAA916BCAF738BD18092

[dinosaur58]

It's probably not important, but for some reason CF detects Avast realtime shields as active in safe mode. No processes for Avast show up in Task Mgr [only 15 total processes]. I started Avast just to be sure, and it showed shields off. I then closed Avast and checked using process explorer [no avast processes]. I clicked to proceed with scan anyway.

[Blade81]

Hi,

Nothing in logs indicate remaining infection. Those two latest runs with CFScript were different compared to earlier ones. I believe that's why connection went off. I suggest to monitor situation for a few days now. If symptoms stay away then we can have a look at the final steps.