There is a new Sirefef variant that has shown itself as of recently. It uses similar techniques as before, but this time you will find a bunch of .TLB files in the Temp directories. These are extremely hard to get rid of and will require an external boot environment, such as BartPE or Hiren’s.
The TLB files themselves will look like this:
consrv, from the post below, may exist on the system as well. Please make sure to check for the sirefef junction!
(please note that performing this incorrectly will make your system cease to boot correctly)
You will need to open regedit and go to:
HKLM\System\ControlSet002\Control\Session Manager\Subsystems
and modify the Windows REG_EXPAND_SZ, which will look like this:
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=consrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 You will see that it lists basesrv, winsrv, consrv, sxssrv
This should be changed to: basesrv, winsrv, winsrv, sxssrv
example:
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 Once you have changed it, open the Windows REG_EXPAND_SZ back up to make sure the virus has not changed the entry back. If it still says winsrv instead of consrv, you can leave it and move on to the next step. If it still says consrv, you may have to try ControlSet003
When the above is done, please go to:
HKLM\System\Select
and change Default to whatever controlset number that you changed to winsrv. When that is done, you can reboot normally, and it will go to the cleaned up control set by default. At that point, you can go remove consrv.dll, but your AV will probably remove it before you get the chance.
The most comprehensive, efficient removal instructions for sirefef, hands down, on the entire internet. Shouts go out to tammy the antimalware goddess, pound madness, colin dee, secresp crew, and the security kids that didn’t make it. enjoy.
Find the service that the numeric process is attached to and either delete or disable it. Deleting would be recommended, as this virus monitors its files at the kernel level. This can be done by one of the following:
A) (easy/recommended) Download Gmer (www.gmer.net) and open it to the Serivces tab. The service will be identifiable mainly by the numeric executable it’s attached to. Please right-click and choose Delete.
Special Note: depending on the variant of this threat, it may not let you open gmer
B) (more involved) Open regedit.exe and go to HKLM\System\CurrentControlSet\Serivces – Once there, either look for a service name that seems like it’s 2 service names pushed together, or go through each service folde, one by one, and look for the numeric executable name. When found, you can delete or disable it.
There will be a junction in the Windows directory where the main core of the virus is located. This can be found, neutralized, and removed by one of two methods:
A) (easy/recommended) Using junction.exe (http://technet.microsoft.com/en-us/sysinternals/bb896768) from a command line, type:
junction /accepteula -s c:\ > junctions.txt
Then press enter. This process should take a few minutes, so if it doesn’t finish right away, leave it alone. When it completes, open junctions.txt and look for a line that looks like this:
Failed to open \\?\c:\\WINDOWS\$NtUninstallKB46089$: Access is denied.
B) (more involved) Using Gmer again, if you can run it, go to the Files tab, then proceed to C:\WINDOWS making sure to click the Windows folder in the left pane, rather than on the right. Once it finishes loading the Windows directory on the right side, there will either be one, or upwards of 40, $NtUninstallKB directories. If there is only one, it’s more than likely the one you are looking for, which can be confirmed by entering the directory (inside Gmer) and seeing some numeric files that show red writing (Gmer flags malware files in red text). If there are a good amount of the $NtUninstall directories, you can find the malicious one by comparing the name lengths of these files. The malicious directory will Always have one less digit than the rest. This can be confirmed in the same manner as listed above.
You have found the junction, now to neutralize and remove it by using the following [built-in] Windows commands:
####################################
On some systems, mainly Vista/7 systems, the above will say it processed the directory, but the kernel-level monitoring for this rootkit will change the permissions directly back to what they were, so fsutil will say Access Denied. To get around this, you will need to use
Inherit.exe (sirefef.com/inherit.exe)
which will force inheriting permissions from the parent directory.
This can be done one of two ways:
###################################
After changing the permissions on the windows junction, use the following combination of commands to neutralize it:
fsutil reparsepoint delete c:\WINDOWS\$NtUninstallKB46089$
rmdir /s c:\WINDOWS\$NtUninstallKB46089$ 
To remove the loader.tlb, a reboot is necessary, BUT DON’T REBOOT YET!!!!!!
If junctions.txt lists
c:\\Windows\assembly\GAC_MSIL\Desktop.ini (there may be more than one)
this needs removed as well. To do so:
To make sure they are all gone out of this directory, type:
dir *.ini && dir /a:h *.ini
File not found is what we are looking for here. If you find any desktop(2).ini files or anything that looks like that, they can be deleted using the above method.
There should still be a piece of the infection left in:
C:\Windows\system32\drivers which will cause everything to come back if not caught. It seems that this rootkit picks .sys files out of this directory at random, and I have seen up to 2 infected at the same time. To find this infection, we will want to use:
TDSSkiller (http://support.kaspersky.com/downloads/utils/tdsskiller.exe)
For this, you simply download the executable file, run it, then click Scan Now. After it finishes, it should present you with the results, and actions associated with those results. If any of these actions are set to Skip, then TDSSkiller is not able to remediate that file.
Common drive files sirefef infects are:
These files CANNOT be simply replaced, as the rootkit monitors the infected file(s) at the kernel level and will replace it the millisecond that it is modified
###############################
A word of caution:
TDSSkiller only catches the driver infection about 70% of the time.
With newer variants, even the newest version of this utility isn’t picking up the infection. I have provided the above list for you to do your own troubleshooting if TDSSKiller comes up clean. Do Not Trust It.
It’s a bit time-consuming, but you can upload these files, one at a time, to one of the following websites:
Virus, Spyware, and Malware Removal Guides Malware Protection Center Sweet Upgrade Bleeping Computer Forums: Am I infected? What do I do?