Wanted To Ask First? (win32-sirefef-k Rtk)


triger49
Please be patient, I'm new here...

The first time this thing showed up on my doorstep, I quit counting at 200+ infections, and at the friend's request did a format / reinstall with Avast and ZoneAlarm added. Online banking had already been compromised by the time it got to me.

Fast forward 45 days later... it comes back, unbootable. Avira rescue disk comes up with a little over 100 infections. Avira is able to fix all and the system is bootable. After that, Malwarebytes and Spybot S&D find nothing, but Avast full system scan comes up Win32 - sirefef-K RTK.

I would really be grateful if somebody would double check me on this computer. Not certain if just a set of DDS logs is required or if I also need a HijackThis log?? Suggestions??

Specs: Toshiba w/ Centrino Duo... 1 Gig of RAM... Windows XP Media Center Edition.

Thanks

Jake


Did you wipe your hard drive the first time with a third-party program like Killdisk or Darik's Boot and Nuke?

A standard format might not clean the boot sector of the drive. It may also be a possibility that something could reside in memory, which means removing the memory for a few minutes to clear it out.

On another note... you might have reinstalled something that contained the rootkit in the first place. Often, using "freebie softwarez" illegal downloads of other software, music and things of that nature will more often than not come with a downloader trojan that you would not be aware of. The downloader trojan will connect online behind the scenes and re-infect your PC with every and any thing.

Edited by Joe C


Hi;

Thanks for taking the time to reply... first things first, I don't do warez... so no danger there.

If memory serves, the reinstall was done from the CDs that came with the computer. As to what kind of format took place, it would have been Microsoft vintage.

The boot sector thing did cross my mind, but both Avira and KAV rescue CDs check that.

Also, as far as the memory thing goes, at the moment the battery is bad, waiting on a new one. The machine is unplugged when I am not working on it.

My gut instinct tells me this person just started clicking allow to all the dialog boxes from ZoneAlarm... and that is when the trouble started..... that rootkit was in all the system restore points except the first one after the format / reinstall.....

Jake


Not sure what you mean by Windows Vintage.

Many antivirus software programs cannot detect new rootkits; it's the main reason I don't attempt to fix systems with rootkits. (IMHO) I wipe the entire drive to all zeros using Killdisk. Darik's Boot and Nuke is another, and there are a couple more out there that perform the same function. They all get the job done.

I did not mean to imply that you use warez, just trying to cover all the bases of possibilities. If the manufacturer of this PC has a hidden partition of the operating system on the hard drive, it's possible that this partition could have gotten infected too. Often, in many cases, the rootkit/virus will move the boot sector to the last part of the drive, opposite of the first part of the drive where Windows originally places it.

If you zero out the drive and remove this hidden partition, you might need a Windows disk to reinstall Windows; the restore disk from the manufacturer might not work.

Edited by Joe C
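As an added example that is not part of this thread, here is a small Python spot-check for the point Joe makes above: after zeroing a drive, look at the first sector (where Windows places the boot record) and the last sector (where he says the rootkit may park it) for leftover bytes or an 0x55AA boot signature. The disk images below are constructed in memory; it does not open real devices.

```python
import io

SECTOR = 512
BOOT_SIG = b"\x55\xaa"  # MBR/boot-record signature in the last two bytes of a sector


def inspect_sector(data: bytes) -> dict:
    """Report whether a 512-byte sector is all zeros and whether it ends
    with the 0x55AA boot-record signature."""
    if len(data) != SECTOR:
        raise ValueError("expected one full 512-byte sector")
    return {"all_zero": not any(data), "boot_signature": data[-2:] == BOOT_SIG}


def check_image(fileobj) -> dict:
    """Spot-check the first and last sectors of a seekable drive image.
    This is a check of the two sectors discussed in the thread, not a
    full scan of every sector."""
    fileobj.seek(0, io.SEEK_END)
    size = fileobj.tell()
    if size < SECTOR or size % SECTOR:
        raise ValueError("image size must be a non-zero multiple of 512")
    fileobj.seek(0)
    first = inspect_sector(fileobj.read(SECTOR))
    fileobj.seek(size - SECTOR)
    last = inspect_sector(fileobj.read(SECTOR))
    return {"first": first, "last": last,
            "wiped": first["all_zero"] and last["all_zero"]}


def make_image(sectors: int, first: bytes = b"", last: bytes = b"") -> io.BytesIO:
    """Constructed sample image: zero-filled, with optional content placed
    in the first and/or last sector (hypothetical test data, not a real disk)."""
    buf = bytearray(sectors * SECTOR)
    buf[:len(first)] = first
    if last:
        buf[-len(last):] = last
    return io.BytesIO(bytes(buf))


# Constructed boot sector: a few code-like bytes, padding, then 0x55AA.
FAKE_MBR = b"\x33\xc0\x8e\xd0" + b"\x00" * (SECTOR - 6) + BOOT_SIG

if __name__ == "__main__":
    # A properly zeroed drive passes; one with a boot record parked in the
    # last sector, as described above, does not.
    print(check_image(make_image(8)))
    print(check_image(make_image(8, last=FAKE_MBR)))
```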

Hi Joe...

Sorry 'bout that, I should have been a tad more cautious in my reply... I knew you meant no harm.

The vintage thing was actually wrong. I went back and looked, and it was done from Toshiba System Restore CDs. I did not pay particular attention to the format utility, but they have their own... I can only guess that is what was used. But a format was done, of that I am certain.

Also, Avast, after finding the rootkit, did request and do what it calls a "BootScan" where it takes control of the system like chkdsk and does its thing.

I figure, if nothing else, I might go around my router firewall here and let ZoneAlarm report anybody trying to phone home.

Whatever the case, I sure do appreciate any help... much obliged!

Jake


triger49,

 

Sirefef is also known as the ZeroAccess Rootkit.

 

Please follow the instructions Joe C has given you; however, instead of a HijackThis log, please download DDS from this link:

Mirror 1

 

  • Disable any script blocking protection
  • Double click the dds icon to run the tool.
  • When done, DDS will open two logs:
    • DDS.txt
    • Attach.txt (minimized, and on your taskbar)
  • Save both reports to your Desktop.

Please post the contents of both reports when you start a new topic in the HijackThis Forum.

 

If you title your topic as follows, I will be glad to help you:

Sirefef Rootkit, attn: aaflac

 

Thanks!


I will certainly do that....thanks for your kind offer of assistance

 

 

Jake


triger49, your system has been compromised. You can spend hours and hours and probably more than several days cleaning this thing up. It would save you a lot of time and effort to just wipe the drive clean (zero it out) and start fresh and new. Most folks can get a Windows OEM disk from a friend and reinstall the operating system. As long as you have the license key on a sticker that's placed somewhere on the PC, you can use that. Then go to the Toshiba web site and download all your drivers. We have folks here that can help you do that.
