Trojan.Sirefef


Trojan.Sirefef

Post by dapits on Thu 12 Jul 2012, 8:39 am

Hello, I noticed a problem with my computer today. I was getting some redirects when accessing the internet. I did an update on my Malwarebytes and then ran a quick scan. It showed 19 items which it quarantined and deleted, but then I ran a second complete scan and got the message of the Trojan.Sirefef. The two scans are attached.
Thanks!!
1. Malwarebytes Anti-Malware 1.61.0.1400
[You must be registered and logged in to see this link.]
Database version: v2012.07.10.09
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
davidcore2 :: DAVIDCORE2-PC [administrator]
7/10/2012 9:21:04 AM
mbam-log-2012-07-10 (09-21-04).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 241538
Time elapsed: 7 minute(s), 56 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 17
HKCR\CLSID\{147A976F-EEE1-4377-8EA7-4716E4CDD239} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0004479.BHO (PUP.CrossFire.Gen) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0004479.BHO.1 (PUP.CrossFire.Gen) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0004479.FBApi (PUP.CrossFire.Gen) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0004479.FBApi.1 (PUP.CrossFire.Gen) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0004479.Sandbox (PUP.CrossFire.Gen) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0004479.Sandbox.1 (PUP.CrossFire.Gen) -> Quarantined and deleted successfully.
HKCU\Software\Cr_Installer\4479 (Adware.GamePlayLab) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\INSTALLEDBROWSEREXTENSIONS\215 APPS (PUP.CrossFire.SA) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110011441179} (PUP.GamePlayLab) -> Quarantined and deleted successfully.
HKCR\CLSID\{11111111-1111-1111-1111-110011441179} (PUP.GamePlayLab) -> Quarantined and deleted successfully.
HKCR\TypeLib\{44444444-4444-4444-4444-440044444479} (PUP.GamePlayLab) -> Quarantined and deleted successfully.
HKCR\Interface\{55555555-5555-5555-5555-550055445579} (PUP.GamePlayLab) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{11111111-1111-1111-1111-110011441179} (PUP.GamePlayLab) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{11111111-1111-1111-1111-110011441179} (PUP.GamePlayLab) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11111111-1111-1111-1111-110011441179} (PUP.GamePlayLab) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110011441179} (PUP.GamePlayLab) -> Quarantined and deleted successfully.
Registry Values Detected: 1
HKCU\Software\InstalledBrowserExtensions\215 Apps|4479 (PUP.CrossFire.SA) -> Data: Giant Savings -> Quarantined and deleted successfully.
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 1
C:\Program Files (x86)\Giant Savings\Giant Savings.dll (PUP.GamePlayLab) -> Quarantined and deleted successfully.
(end)



2. Malwarebytes Anti-Malware 1.61.0.1400
[You must be registered and logged in to see this link.]
Database version: v2012.07.10.09
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
davidcore2 :: DAVIDCORE2-PC [administrator]
7/10/2012 12:55:08 PM
mbam-log-2012-07-10 (12-55-08).txt
Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 1123773
Time elapsed: 2 hour(s), 48 minute(s), 30 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 1
D:\My Old 60GB Drive\WINDOWS\SYSTEM32\DRIVERS\NVAX9X.SYS (Trojan.Sirefef) -> Quarantined and deleted successfully.
(end)


dapits

Rookie Surfer

Posts : 128
Joined : 2009-03-30
Operating System : XP
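An added example, not part of this thread and not Malwarebytes' own tooling: a small parser for the Malwarebytes Anti-Malware 1.x text log format posted above, which turns the "<item> (<threat>) -> <action>" lines into structured records and ranks them for triage (anything in the Trojan family, or a kernel driver file, goes to the top of the list ahead of browser-extension and PUP registry leftovers). The sample lines are copied from the two logs above; the only assumption is the 1.x log layout.

```python
"""Structured triage of Malwarebytes Anti-Malware 1.x text logs.

Added example; not from the forum thread or from Malwarebytes. Assumes the
1.x layout shown in the thread: a "<Kind> Detected: N" header followed by
one line per item of the form
"<item> (<threat name>) -> [Data: <value> -> ]<action>".
"""
import re
from collections import Counter
from dataclasses import dataclass

# Section headers such as "Registry Keys Detected: 17"
SECTION_RE = re.compile(r"^(?P<kind>[A-Za-z ]+) Detected: (?P<count>\d+)$")
# One detection line; the threat name is the parenthesised token right before " -> "
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<rest>.+)$")

# Sample lines copied from the two MBAM logs posted in the thread
SAMPLE_LOG = r"""
Registry Keys Detected: 17
HKCR\CLSID\{147A976F-EEE1-4377-8EA7-4716E4CDD239} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0004479.BHO (PUP.CrossFire.Gen) -> Quarantined and deleted successfully.
HKCU\Software\Cr_Installer\4479 (Adware.GamePlayLab) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110011441179} (PUP.GamePlayLab) -> Quarantined and deleted successfully.
Registry Values Detected: 1
HKCU\Software\InstalledBrowserExtensions\215 Apps|4479 (PUP.CrossFire.SA) -> Data: Giant Savings -> Quarantined and deleted successfully.
Files Detected: 1
C:\Program Files (x86)\Giant Savings\Giant Savings.dll (PUP.GamePlayLab) -> Quarantined and deleted successfully.
Files Detected: 1
D:\My Old 60GB Drive\WINDOWS\SYSTEM32\DRIVERS\NVAX9X.SYS (Trojan.Sirefef) -> Quarantined and deleted successfully.
"""


@dataclass
class Detection:
    kind: str    # section name, e.g. "Registry Keys", "Files"
    item: str    # registry path, registry value, or file path
    threat: str  # e.g. "PUP.GamePlayLab", "Trojan.Sirefef"
    data: str    # registry value data when the log reports one, else ""
    action: str  # e.g. "Quarantined and deleted successfully."

    @property
    def family(self) -> str:
        """Top-level class taken from the threat name: PUP, Adware, Trojan, ..."""
        return self.threat.split(".", 1)[0]

    @property
    def is_driver_file(self) -> bool:
        """A .sys file is a kernel-mode driver and deserves a closer look than a BHO key."""
        return self.kind == "Files" and self.item.lower().endswith(".sys")


def parse_mbam_log(text: str) -> list[Detection]:
    """Walk the log once, remembering the current section for each item line."""
    detections: list[Detection] = []
    kind = ""
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            kind = sec.group("kind")
            continue
        m = ITEM_RE.match(line)
        if not m or not kind:
            continue  # banner, option lines, "(No malicious items detected)", etc.
        parts = m.group("rest").split(" -> ")
        action = parts[-1]
        data = ""
        for part in parts[:-1]:
            if part.startswith("Data: "):
                data = part[len("Data: "):]
        detections.append(Detection(kind, m.group("item"), m.group("threat"), data, action))
    return detections


def triage(detections: list[Detection]) -> dict:
    """Counts per family and per threat name, plus the items to look at first."""
    priority = [d for d in detections if d.family == "Trojan" or d.is_driver_file]
    return {
        "by_family": dict(Counter(d.family for d in detections)),
        "by_threat": dict(Counter(d.threat for d in detections)),
        "priority": priority,
    }


if __name__ == "__main__":
    summary = triage(parse_mbam_log(SAMPLE_LOG))
    print("by family:", summary["by_family"])
    for d in summary["priority"]:
        print("look first:", d.threat, "->", d.item)
```

Run against the two logs above this separates the CrossRider/GamePlayLab browser-extension cleanup (PUP and Adware entries) from the one Trojan.Sirefef hit, and points out that the latter is a driver file on a secondary drive rather than on the live system volume, which is exactly the context a helper wants before deciding what to do next.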


Re: Trojan.Sirefef

Post by dapits on Thu 12 Jul 2012, 8:46 am

Also, here is the Hijackthis log:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:45:22 PM, on 7/11/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v8.00 (8.00.7601.17514)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\PrinterShare\paConsole.exe
C:\Users\davidcore2\AppData\Roaming\Smilebox\SmileboxTray.exe
C:\Program Files (x86)\Tango\Tango.exe
C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files (x86)\LG Soft India\EasySetPackage\bin\EasySetPackage.exe
C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files (x86)\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files (x86)\Nova Development\Photo Explosion\4.0\ReminderApp.exe
C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Garmin\Lifetime Updater\GarminLifetime.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Program Files (x86)\LG Soft India\EasySetPackage\bin\TestDDCCI.exe
C:\Program Files (x86)\LG Soft India\EasySetPackage\bin\TestDDCCI.exe
C:\Windows\SysWOW64\NOTEPAD.EXE
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.] 21:47:12&v=11.1.0.12&sap=hp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {bde6f3a2-2ce8-4430-94e0-cd4ce39eeb0d} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [AddressBookReminderApp] C:\Program Files (x86)\Nova Development\Photo Explosion\4.0\ReminderApp.exe
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Garmin Lifetime Updater] C:\Program Files (x86)\Garmin\Lifetime Updater\GarminLifetime.exe /StartMinimized
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ISUSPM Startup] C:\PROGRA~2\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKCU\..\Run: [PrinterShare] C:\Program Files (x86)\PrinterShare\paConsole.exe -minimized
O4 - HKCU\..\Run: [SmileboxTray] "C:\Users\davidcore2\AppData\Roaming\Smilebox\SmileboxTray.exe"
O4 - HKCU\..\Run: [Tango] C:\Program Files (x86)\Tango\Tango.exe -r
O4 - HKCU\..\Run: [Google Update] "C:\Users\davidcore2\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ElevatedDiagnostics] rundll32.exe
O4 - HKCU\..\Run: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [ElevatedDiagnostics] rundll32.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1142693848-1022031478-3082097540-1003\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'UpdatusUser')
O4 - HKUS\S-1-5-21-1142693848-1022031478-3082097540-1003\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'UpdatusUser')
O4 - HKUS\S-1-5-18\..\Run: [ElevatedDiagnostics] rundll32.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ElevatedDiagnostics] rundll32.exe (User 'Default user')
O4 - Startup: PMCRemoteLauncher.lnk = C:\Users\davidcore2\AppData\Local\Pinnacle\TVC\Tools\PMCRemoteCtrl.exe
O4 - Global Startup: EasySetPackage.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files (x86)\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Se&nd to OneNote - [You must be registered and logged in to see this link.]
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O16 - DPF: Garmin Communicator Plug-In - [You must be registered and logged in to see this link.]
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - [You must be registered and logged in to see this link.]
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - [You must be registered and logged in to see this link.]
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\ProgramData\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intuit Update Service v4 (IntuitUpdateServiceV4) - Intuit Inc. - C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 13708 bytes

dapits

Rookie Surfer

Posts : 128
Joined : 2009-03-30
Operating System : XP


Re: Trojan.Sirefef

Post by Superdave on Thu 12 Jul 2012, 11:40 am

Hello and welcome to GeekPolice.Net. My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*****************************************************************
Download Security Check by screen317 from one of the following links and save it to your desktop.

Link 1
Link 2

* Double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.

Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
***************************************************
Download Combofix from any of the links below, and save it to your DESKTOP.

Link 1
Link 2
Link 3

To prevent your anti-virus application interfering with ComboFix we need to disable it. See here for a tutorial regarding how to do so if you are unsure.

  • Close any open windows and double click ComboFix.exe to run it.

    You will see the following image:



Click I Agree to start the program.

ComboFix will then extract the necessary files and you will see this:



As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7.

It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

If you did not have it installed, you will see the prompt below. Choose YES.



Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please do NOT mouse-click ComboFix's window while it's running, because it may cause it to stall.

Superdave
Tech Staff



Posts : 4193
Joined : 2010-02-01
Operating System : Windows 8.1 and a dual-boot with XP Home SP3


Re: Trojan.Sirefef

Post by dapits on Thu 12 Jul 2012, 1:11 pm

Results of screen317's Security Check version 0.99.42
Windows 7 Service Pack 1 x64 (UAC is disabled!)
Internet Explorer 8 Out of date!
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
AntiVir Desktop
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
VAT-Spy
Malwarebytes Anti-Malware version 1.61.0.1400
Java(TM) 6 Update 30
Java version out of Date!
Adobe Reader X (10.1.3)
Google Chrome 19.0.1084.56
Google Chrome 20.0.1132.47
````````Process Check: objlist.exe by Laurent````````
Avira Antivir avgnt.exe
Avira Antivir avguard.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````

Combofix log to follow in next post

dapits

Rookie Surfer

Posts : 128
Joined : 2009-03-30
Operating System : XP


Re: Trojan.Sirefef

Post by dapits on Thu 12 Jul 2012, 1:45 pm

Combofix log:

ComboFix 12-07-11.03 - davidcore2 07/11/2012 22:16:23.1.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4095.2111 [GMT -4:00]
Running from: c:\users\davidcore2\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
D:\install.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-06-12 to 2012-07-12 )))))))))))))))))))))))))))))))
.
.
2012-07-12 02:21 . 2012-07-12 02:21 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-07-12 02:21 . 2012-07-12 02:21 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-11 21:45 . 2012-07-11 21:45 388096 ----a-r- c:\users\davidcore2\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-07-11 21:45 . 2012-07-11 21:45 -------- d-----w- c:\program files (x86)\Trend Micro
2012-07-08 01:53 . 2012-07-08 01:58 -------- d-----w- c:\users\davidcore2\AppData\Roaming\Nero
2012-07-08 01:51 . 2012-07-10 13:45 -------- d-----w- c:\program files (x86)\AskTBar
2012-07-08 01:50 . 2012-07-08 01:51 -------- d-----w- c:\program files (x86)\Nero
2012-07-08 01:50 . 2012-07-08 01:52 -------- d-----w- c:\program files (x86)\Common Files\Nero
2012-07-08 01:50 . 2012-07-08 01:51 -------- d-----w- c:\programdata\Nero
2012-07-08 01:45 . 2012-07-08 01:45 -------- d--h--w- c:\programdata\Common Files
2012-07-08 01:45 . 2012-07-08 01:45 -------- d-----w- c:\users\davidcore2\AppData\Local\Giant Savings
2012-07-08 01:45 . 2012-07-10 13:43 -------- d-----w- c:\program files (x86)\Giant Savings
2012-06-21 22:21 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-21 22:21 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-21 22:21 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-21 22:21 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-21 22:21 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-21 22:21 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-21 22:21 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-21 22:21 . 2012-06-02 19:19 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-21 22:21 . 2012-06-02 19:15 36864 ----a-w- c:\windows\system32\wuapp.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-11 21:37 . 2012-05-27 06:50 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-07-11 21:37 . 2011-07-01 13:27 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-05-31 04:04 . 2012-07-10 13:14 9013136 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{55957BA4-E16E-40B3-B6D2-5A8BF5F78242}\mpengine.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-07-06 39408]
"ISUSPM Startup"="c:\progra~2\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-04-17 196608]
"PrinterShare"="c:\program files (x86)\PrinterShare\paConsole.exe" [2011-09-08 1124352]
"SmileboxTray"="c:\users\davidcore2\AppData\Roaming\Smilebox\SmileboxTray.exe" [2012-05-15 325448]
"Tango"="c:\program files (x86)\Tango\Tango.exe" [2011-11-04 13489992]
"MobileDocuments"="c:\program files (x86)\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 59240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"ISUSScheduler"="c:\program files (x86)\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"AddressBookReminderApp"="c:\program files (x86)\Nova Development\Photo Explosion\4.0\ReminderApp.exe" [2009-09-04 144672]
"ArcSoft Connection Service"="c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-27 207424]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
"Garmin Lifetime Updater"="c:\program files (x86)\Garmin\Lifetime Updater\GarminLifetime.exe" [2012-01-06 1446760]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-03-27 421736]
.
c:\users\davidcore2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
PMCRemoteLauncher.lnk - c:\users\davidcore2\AppData\Local\Pinnacle\TVC\Tools\PMCRemoteCtrl.exe [2011-7-9 54544]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
EasySetPackage.lnk - c:\program files (x86)\LG Soft India\EasySetPackage\bin\EasySetPackage.exe [2011-9-12 159744]
Kodak EasyShare software.lnk - c:\program files (x86)\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2011-2-23 323584]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLUA"= 0 (0x0)
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-07-06 136176]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [2011-08-25 13672]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-11 250056]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-07-06 136176]
R3 HP8207_8307;HP-HP8207_8307;c:\windows\system32\DRIVERS\HP8207_8307.sys [2010-02-05 15360]
R3 LGDDCDevice;LGDDCDevice;c:\windows\system32\LGI2CDriver.sys [x]
R3 LGII2CDevice;LGII2CDevice;c:\windows\system32\LGPII2CDriver.sys [x]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-02-15 52736]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-07-02 1255736]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [2011-03-28 136360]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-05-21 2214504]
S3 DCamUSBVM;Lenovo Q350 USB PC Camera;c:\windows\system32\Drivers\usbVM31b.sys [2005-09-19 142336]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-03-02 187392]
S3 S3XXx64;SCR3xx USB SmartCardReader64;c:\windows\system32\DRIVERS\S3XXx64.sys [2011-09-07 70016]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-12 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-27 21:37]
.
2012-07-09 c:\windows\Tasks\EasyShare Registration Task.job
- c:\windows\system32\rundll32.exe [2009-07-13 01:14]
.
2012-07-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-07-06 14:15]
.
2012-07-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-07-06 14:15]
.
2012-07-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1142693848-1022031478-3082097540-1000Core.job
- c:\users\davidcore2\AppData\Local\Google\Update\GoogleUpdate.exe [2012-03-25 02:34]
.
2012-07-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1142693848-1022031478-3082097540-1000UA.job
- c:\users\davidcore2\AppData\Local\Google\Update\GoogleUpdate.exe [2012-03-25 02:34]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = [You must be registered and logged in to see this link.] 21:47&v=11.1.0.12&sap=hp
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 192.168.0.1
DPF: Garmin Communicator Plug-In - [You must be registered and logged in to see this link.]
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - [You must be registered and logged in to see this link.]
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{bde6f3a2-2ce8-4430-94e0-cd4ce39eeb0d} - (no file)
Wow6432Node-HKCU-Run-ElevatedDiagnostics - (no file)
Wow6432Node-HKU-Default-Run-ElevatedDiagnostics - (no file)
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{BDE6F3A2-2CE8-4430-94E0-CD4CE39EEB0D} - (no file)
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_265_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_265_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files (x86)\Avira\AntiVir Desktop\avguard.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\programdata\EPSON\EPW!3 SSRP\E_S30RP1.EXE
c:\program files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\program files (x86)\LG Soft India\EasySetPackage\bin\TestDDCCI.exe
c:\program files (x86)\LG Soft India\EasySetPackage\bin\TestDDCCI.exe
c:\program files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe
.
**************************************************************************
.
Completion time: 2012-07-11 22:32:49 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-12 02:32
.
Pre-Run: 310,215,426,048 bytes free
Post-Run: 311,054,241,792 bytes free
.
- - End Of File - - 00EA742DD108A9047FA274E095A84F09

dapits
Rookie Surfer
Posts : 128
Joined : 2009-03-30
Operating System : XP

Re: Trojan.Sirefef

Post by Superdave on Fri 13 Jul 2012, 6:38 am

Update Your Java (JRE)

Old versions of Java have vulnerabilities that malware can use to infect your system.


First Verify your Java Version

If there are any other version(s) installed then update now.

Get the new version (if needed)

If your version is out of date install the newest version of the Sun Java Runtime Environment.

Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Be sure to close ALL open web browsers before starting the installation.

Remove any old versions

1. Download JavaRa and unzip the file to your Desktop.
2. Open JavaRA.exe and choose Remove Older Versions.
3. Once complete, exit JavaRA.

Additional Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.
*****************************************************
SUPERAntiSpyware

If you already have SUPERAntiSpyware be sure to check for updates before scanning!


Download SuperAntispyware Free Edition (SAS)
* Double-click the icon on your desktop to run the installer.
* When asked to Update the program definitions, click Yes
* If you encounter any problems while downloading the updates, manually download and unzip them from here
* Next click the Preferences button.

•Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts
* Click the Scanning Control tab.
* Under Scanner Options make sure only the following are checked:

•Close browsers before scanning
•Scan for tracking cookies
•Terminate memory threats before quarantining
Please leave the others unchecked

•Click the Close button to leave the control center screen.

* On the main screen click Scan your computer
* On the left check the box for the drive you are scanning.
* On the right choose Perform Complete Scan
* Click Next to start the scan. Please be patient while it scans your computer.
* After the scan is complete a summary box will appear. Click OK
* Make sure everything in the white box has a check next to it, then click Next
* It will quarantine what it found and if it asks if you want to reboot, click Yes

•To retrieve the removal information please do the following:
•After reboot, double-click the SUPERAntiSpyware icon on your desktop.
•Click Preferences. Click the Statistics/Logs tab.

•Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.

•It will open in your default text editor (preferably Notepad).
•Save the notepad file to your desktop by clicking (in notepad) File > Save As...

* Save the log somewhere you can easily find it. (normally the desktop)
* Click close and close again to exit the program.
*Copy and Paste the log in your post.
**********************************************
Re-running ComboFix to remove infections:


  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:

    KillAll::

    DDS::
    Trusted Zone: intuit.com\ttlc
    Firefox::
    Trusted Zone: intuit.com\ttlc
  • Save this as CFScript.txt, in the same location as ComboFix.exe



  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • I don't need to see the log from this action.

********************************************************
Please download Rooter and Save it to your desktop.

  • Double click it to start the tool. Vista and Windows 7: run as administrator.
  • Click Scan.
  • Eventually, a Notepad file containing the report will open, also found at C:\Rooter.txt. Post that log in your next reply.

Superdave
Tech Staff
Posts : 4193
Joined : 2010-02-01
Operating System : Windows 8.1 and a dual-boot with XP Home SP3
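The CFScript above tells ComboFix to clear the "Trusted Zone: intuit.com\ttlc" entry that the earlier log reported. As an added check that is not part of the thread (my own PowerShell, not one of the tools in the replies), the following walks Internet Explorer's ZoneMap registry keys and lists every host that has been mapped into the Trusted sites zone (zone id 2), so a helper can confirm the entry is gone after the run; the registry paths are the standard IE ZoneMap locations, and ComboFix's "intuit.com\ttlc" notation corresponds to the host ttlc.intuit.com.

```powershell
# Added example, not from the thread: list hosts that sit in IE's Trusted sites zone
# by walking the ZoneMap registry keys.
# Layout: ZoneMap\Domains\<domain>[\<host-label>] with values named after the
# scheme ('http', 'https' or '*') whose DWORD data is the zone id.
# ComboFix reports such a key as "Trusted Zone: <domain>\<host-label>".
# Written for PowerShell 2.0 so it also runs on a stock Windows 7 machine.

$ZoneTrusted = 2   # URLZONE_TRUSTED; 0 = local machine, 1 = intranet, 3 = internet, 4 = restricted

$ZoneMapRoots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains'
)

function Get-ZoneMapEntries {
    param(
        [string[]] $Roots = $ZoneMapRoots,
        [int]      $Zone  = $ZoneTrusted
    )
    $rootLeaves  = @('Domains', 'EscDomains')
    $schemeNames = @('http', 'https', '*')
    foreach ($root in $Roots) {
        if (-not (Test-Path -Path $root)) { continue }
        # Keys are at most two levels deep: <domain> and, optionally, <domain>\<host-label>
        Get-ChildItem -Path $root -Recurse | ForEach-Object {
            $key        = $_
            $parentLeaf = Split-Path -Path $key.PSParentPath -Leaf
            if ($rootLeaves -contains $parentLeaf) {
                $hostName = $key.PSChildName                            # e.g. intuit.com
            } else {
                $hostName = '{0}.{1}' -f $key.PSChildName, $parentLeaf  # e.g. ttlc.intuit.com
            }
            $props = Get-ItemProperty -Path $key.PSPath
            foreach ($p in $props.PSObject.Properties) {
                # Only scheme-named values carry zone ids; skip PowerShell's PS* metadata
                if ($schemeNames -notcontains $p.Name) { continue }
                if ([int]$p.Value -ne $Zone) { continue }
                New-Object PSObject -Property @{
                    Host   = $hostName
                    Scheme = $p.Name
                    Zone   = [int]$p.Value
                    Key    = $key.Name
                }
            }
        }
    }
}

# Show what is currently trusted; after the CFScript run the intuit.com\ttlc mapping
# (and any other host nobody added on purpose) should no longer appear here.
Get-ZoneMapEntries | Sort-Object Host | Format-Table Host, Scheme, Zone, Key -AutoSize
```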

Re: Trojan.Sirefef

Post by dapits on Sat 14 Jul 2012, 11:10 am

I can't seem to post the log. Every time I try I get an HTTP internal server error and now the machine is running super slow!


Re: Trojan.Sirefef

Post by dapits on Sat 14 Jul 2012, 11:12 am

SUPERAntiSpyware Scan Log
[You must be registered and logged in to see this link.]

Generated 07/13/2012 at 01:33 AM

Application Version : 5.5.1012

Core Rules Database Version : 8892
Trace Rules Database Version: 6704

Scan type : Complete Scan
Total Scan Time : 07:13:33

Operating System Information
Windows 7 Home Premium 64-bit, Service Pack 1 (Build 6.01.7601)
UAC Off - Administrator

Memory items scanned : 652
Memory threats detected : 0
Registry items scanned : 68650
Registry threats detected : 0
File items scanned : 1346989
File threats detected : 1785

Adware.Tracking Cookie


Re: Trojan.Sirefef

Post by dapits on Sat 14 Jul 2012, 11:13 am



Re: Trojan.Sirefef

Post by Superdave on Sat 14 Jul 2012, 11:38 am

Please post the Rooter log.


Re: Trojan.Sirefef

Post by dapits on Sun 15 Jul 2012, 1:15 pm

Is it supposed to take a while to run the Rooter? It just says please wait at the bottom and seems to be stuck.


Re: Trojan.Sirefef

Post by dapits on Mon 16 Jul 2012, 12:06 am

So I let it run all night and I still have the screen where at the top it says
Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows 7 Home Edition (6.1.7601) Service Pack 1
[32_bits] - Intel64 Family 6 Model 15 Stepping 11, GenuineIntel
.
[wscsvc] (Security Center) RUNNING (state:4)
.
C:\Rooter$\Rooter_3.txt - (15/07/2012 | 09:05.18)

and at the bottom it says
Please wait....


Re: Trojan.Sirefef

Post by Superdave on Mon 16 Jul 2012, 9:10 am

I'd like to scan your machine with ESET OnlineScan

•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
•Click the button.
•For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

  • Click on to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the icon on your desktop.

•Check
•Click the button.
•Accept any security warnings from your browser.
•Check
•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push
•Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the button.
•Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt


Re: Trojan.Sirefef

Post by dapits on Tue 17 Jul 2012, 11:13 am

The scan ran for more than 24 hours and this is what it got...

C:\Users\davidcore2\AppData\Local\Google\Chrome\User Data\Default\Default\aahkpjhhkcigepgfchakibcojeoafbec\background.html Win32/BHO.OEI trojan cleaned by deleting - quarantined
C:\Users\davidcore2\Downloads\Nero9.4.12.3d_free.exe Win32/Toolbar.AskSBar application deleted - quarantined


Re: Trojan.Sirefef

Post by Superdave on Tue 17 Jul 2012, 12:04 pm

So, how's your computer working now? Any other issues?


Re: Trojan.Sirefef

Post by dapits on Tue 17 Jul 2012, 8:30 pm

This is my most recent MBAM log. Does it look ok? Do you think we are clean now?

Malwarebytes Anti-Malware 1.62.0.1300
[You must be registered and logged in to see this link.]

Database version: v2012.07.16.12

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
davidcore2 :: DAVIDCORE2-PC [administrator]

7/16/2012 9:30:05 PM
mbam-log-2012-07-16 (21-30-05).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 1120845
Time elapsed: 3 hour(s), 12 minute(s), 56 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Giant Savings (PUP.GamePlayLabs) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Program Files (x86)\Giant Savings\Giant Savings.exe (PUP.GamePlayLabs) -> Quarantined and deleted successfully.
C:\Program Files (x86)\Giant Savings\Giant SavingsGui.exe (PUP.GamePlayLabs) -> Quarantined and deleted successfully.
C:\Program Files (x86)\Giant Savings\Uninstall.exe (PUP.GamePlayLabs) -> Quarantined and deleted successfully.

(end)


Re: Trojan.Sirefef

Post by Superdave on Wed 18 Jul 2012, 9:15 am

We should not be seeing those same infections this late in the game.

Please download aswMBR.exe ( 511KB ) to your desktop.

Double-click the aswMBR.exe to run it

Click the "Scan" button to start scan

Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives

On completion of the scan click save log, save it to your desktop and post in your next reply.

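The point Superdave makes in the post above, that a detection family which was already "Quarantined and deleted" and then shows up again in a later scan is a sign of something still re-creating it, can be checked mechanically across a set of MBAM logs. The following is an added example for this thread, not code from the forum, the poster, or Malwarebytes: a small Python parser for the Malwarebytes Anti-Malware 1.6x log layout pasted in this thread that extracts the summary counts and the detection lines, flags families recurring between an earlier and a later scan, and checks that each declared count matches the number of items actually listed (a truncated paste shows up there). The two embedded logs are constructed samples in that layout; the paths and families in them are illustrative.

```python
import re
from typing import Dict, List

# Constructed sample logs in the Malwarebytes Anti-Malware 1.6x log layout used
# in this thread. Paths, families and numbers are illustrative, not the poster's data.
MBAM_LOG_EARLY = """\
Malwarebytes Anti-Malware 1.61.0.1400
Database version: v2012.07.10.09

Scan type: Quick scan
Objects scanned: 241538

Memory Processes Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKCU\\Software\\Cr_Installer\\4479 (PUP.GamePlayLabs) -> Quarantined and deleted successfully.
HKCR\\CrossriderApp0004479.BHO (PUP.CrossFire.Gen) -> Quarantined and deleted successfully.

Files Detected: 1
C:\\Users\\example\\AppData\\Local\\Temp\\setup.exe (PUP.CrossFire.Gen) -> Quarantined and deleted successfully.

(end)
"""

MBAM_LOG_LATE = """\
Malwarebytes Anti-Malware 1.62.0.1300
Database version: v2012.07.16.12

Scan type: Full scan (C:\\|D:\\|)
Objects scanned: 1120845

Memory Processes Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Giant Savings (PUP.GamePlayLabs) -> Quarantined and deleted successfully.

Files Detected: 1
C:\\Program Files (x86)\\Giant Savings\\Giant Savings.exe (PUP.GamePlayLabs) -> Quarantined and deleted successfully.

(end)
"""

# Summary line such as "Registry Keys Detected: 17".
COUNT_RE = re.compile(r"^(?P<category>[A-Za-z ]+?) Detected: (?P<count>\d+)$")
# Detection line "<target> (<family>) -> <action>". The family group excludes
# parentheses and must be followed by ") -> ", so "(x86)" inside a path is not
# mistaken for the family name.
ITEM_RE = re.compile(r"^(?P<target>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")


def parse_mbam_log(text: str) -> Dict[str, object]:
    """Return {'counts': {category: declared_count}, 'items': [detection dicts]}."""
    counts: Dict[str, int] = {}
    items: List[Dict[str, str]] = []
    category = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COUNT_RE.match(line)
        if m:
            category = m.group("category")
            counts[category] = int(m.group("count"))
            continue
        m = ITEM_RE.match(line)
        if m and category is not None:
            items.append({"category": category, **m.groupdict()})
    return {"counts": counts, "items": items}


def is_clean(parsed) -> bool:
    """True when every summary line reports zero and no detection lines are listed."""
    return not parsed["items"] and all(n == 0 for n in parsed["counts"].values())


def count_mismatches(parsed) -> List[str]:
    """Categories whose declared count differs from the number of listed items."""
    seen: Dict[str, int] = {}
    for item in parsed["items"]:
        seen[item["category"]] = seen.get(item["category"], 0) + 1
    return sorted(c for c, n in parsed["counts"].items() if n != seen.get(c, 0))


def recurring_families(earlier, later) -> List[str]:
    """Families present in both logs: they survived the earlier removal, which
    points at a persistence mechanism or a reinstall source still on the machine."""
    early = {i["family"] for i in earlier["items"]}
    late = {i["family"] for i in later["items"]}
    return sorted(early & late)


if __name__ == "__main__":
    early, late = parse_mbam_log(MBAM_LOG_EARLY), parse_mbam_log(MBAM_LOG_LATE)
    print("late scan clean:", is_clean(late))
    print("count mismatches:", count_mismatches(late))
    print("families seen in both scans:", recurring_families(early, late))
```

Run it against the saved mbam-log-*.txt files in date order; a non-empty result from recurring_families is the condition Superdave describes, and a non-empty result from count_mismatches means the pasted log is incomplete and should be re-posted in full.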

Re: Trojan.Sirefef

Post by dapits on Wed 18 Jul 2012, 9:55 am

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-07-17 18:27:18
-----------------------------
18:27:18.531 OS Version: Windows x64 6.1.7601 Service Pack 1
18:27:18.531 Number of processors: 2 586 0xF0B
18:27:18.531 ComputerName: DAVIDCORE2-PC UserName: davidcore2
18:27:19.311 Initialize success
18:28:16.490 AVAST engine defs: 12071701
18:29:28.889 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2
18:29:28.905 Disk 0 Vendor: WDC_WD5000AAVS-14N7B0 01.00A01 Size: 476940MB BusType: 3
18:29:28.905 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP3T0L0-5
18:29:28.905 Disk 1 Vendor: ST3500630AS 3.AAK Size: 476940MB BusType: 3
18:29:28.952 Disk 0 MBR read successfully
18:29:28.952 Disk 0 MBR scan
18:29:28.967 Disk 0 Windows 7 default MBR code
18:29:28.999 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 476938 MB offset 2048
18:29:29.014 Disk 0 scanning C:\Windows\system32\drivers
18:29:40.948 Service scanning
18:30:07.343 Modules scanning
18:30:07.343 Disk 0 trace - called modules:
18:30:07.375 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
18:30:07.889 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004c24060]
18:30:07.889 3 CLASSPNP.SYS[fffff8800198c43f] -> nt!IofCallDriver -> [0xfffffa800473a520]
18:30:07.889 5 ACPI.sys[fffff88000f137a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-2[0xfffffa800473b680]
18:30:10.167 AVAST engine scan C:\Windows
18:30:14.161 AVAST engine scan C:\Windows\system32
18:34:25.088 AVAST engine scan C:\Windows\system32\drivers
18:34:48.098 AVAST engine scan C:\Users\davidcore2
18:52:05.490 AVAST engine scan C:\ProgramData
18:53:15.910 Scan finished successfully
18:54:45.485 Disk 0 MBR has been saved successfully to "C:\Users\davidcore2\Desktop\MBR.dat"
18:54:45.485 The log file has been saved successfully to "C:\Users\davidcore2\Desktop\pitsenbarger virus scan.txt"




Re: Trojan.Sirefef

Post by Superdave on Wed 18 Jul 2012, 10:13 am

Please update and run MBAM again and post the log. Also, please run ESET again.


Re: Trojan.Sirefef

Post by dapits on Thu 19 Jul 2012, 10:41 am

It looks like we are ok now. Here is my AVSCAN from today:


Avira Free Antivirus
Report file date: Wednesday, July 18, 2012 12:00

Scanning for 3897622 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available.

Licensee : Avira AntiVir Personal - Free Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows 7 Home Premium
Windows version : (Service Pack 1) [6.1.7601]
Boot mode : Normally booted
Username : SYSTEM
Computer name : DAVIDCORE2-PC

Version information:
BUILD.DAT : 12.0.0.1125 41829 Bytes 5/2/2012 17:40:00
AVSCAN.EXE : 12.3.0.15 466896 Bytes 5/2/2012 04:48:51
AVSCAN.DLL : 12.3.0.15 54736 Bytes 5/2/2012 19:31:39
LUKE.DLL : 12.3.0.15 68304 Bytes 5/2/2012 05:31:47
AVSCPLR.DLL : 12.3.0.14 97032 Bytes 5/2/2012 04:13:36
AVREG.DLL : 12.3.0.17 232200 Bytes 7/13/2012 23:43:08
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 00:18:34
VBASE001.VDF : 7.11.0.0 13342208 Bytes 12/14/2010 05:23:21
VBASE002.VDF : 7.11.19.170 14374912 Bytes 12/20/2011 05:32:24
VBASE003.VDF : 7.11.21.238 4472832 Bytes 2/1/2012 15:58:50
VBASE004.VDF : 7.11.26.44 4329472 Bytes 3/28/2012 16:43:53
VBASE005.VDF : 7.11.34.116 4034048 Bytes 6/29/2012 23:42:42
VBASE006.VDF : 7.11.34.117 2048 Bytes 6/29/2012 23:42:42
VBASE007.VDF : 7.11.34.118 2048 Bytes 6/29/2012 23:42:42
VBASE008.VDF : 7.11.34.119 2048 Bytes 6/29/2012 23:42:42
VBASE009.VDF : 7.11.34.120 2048 Bytes 6/29/2012 23:42:43
VBASE010.VDF : 7.11.34.121 2048 Bytes 6/29/2012 23:42:43
VBASE011.VDF : 7.11.34.122 2048 Bytes 6/29/2012 23:42:43
VBASE012.VDF : 7.11.34.123 2048 Bytes 6/29/2012 23:42:43
VBASE013.VDF : 7.11.34.124 2048 Bytes 6/29/2012 23:42:43
VBASE014.VDF : 7.11.34.201 169472 Bytes 7/2/2012 23:42:44
VBASE015.VDF : 7.11.35.19 122368 Bytes 7/4/2012 23:42:45
VBASE016.VDF : 7.11.35.87 146944 Bytes 7/6/2012 23:42:46
VBASE017.VDF : 7.11.35.143 126464 Bytes 7/9/2012 23:42:47
VBASE018.VDF : 7.11.35.235 151552 Bytes 7/12/2012 23:42:48
VBASE019.VDF : 7.11.36.45 118784 Bytes 7/13/2012 23:42:49
VBASE020.VDF : 7.11.36.107 123904 Bytes 7/16/2012 13:32:47
VBASE021.VDF : 7.11.36.147 238592 Bytes 7/17/2012 13:32:49
VBASE022.VDF : 7.11.36.148 2048 Bytes 7/17/2012 13:32:49
VBASE023.VDF : 7.11.36.149 2048 Bytes 7/17/2012 13:32:49
VBASE024.VDF : 7.11.36.150 2048 Bytes 7/17/2012 13:32:49
VBASE025.VDF : 7.11.36.151 2048 Bytes 7/17/2012 13:32:49
VBASE026.VDF : 7.11.36.152 2048 Bytes 7/17/2012 13:32:49
VBASE027.VDF : 7.11.36.153 2048 Bytes 7/17/2012 13:32:49
VBASE028.VDF : 7.11.36.154 2048 Bytes 7/17/2012 13:32:49
VBASE029.VDF : 7.11.36.155 2048 Bytes 7/17/2012 13:32:50
VBASE030.VDF : 7.11.36.156 2048 Bytes 7/17/2012 13:32:50
VBASE031.VDF : 7.11.36.176 45056 Bytes 7/18/2012 13:32:50
Engine version : 8.2.10.114
AEVDF.DLL : 8.1.2.10 102772 Bytes 7/13/2012 23:43:05
AESCRIPT.DLL : 8.1.4.32 455034 Bytes 7/13/2012 23:43:05
AESCN.DLL : 8.1.8.2 131444 Bytes 2/16/2012 22:11:36
AESBX.DLL : 8.2.5.12 606578 Bytes 7/13/2012 23:43:06
AERDL.DLL : 8.1.9.15 639348 Bytes 1/21/2012 05:22:40
AEPACK.DLL : 8.3.0.14 807287 Bytes 7/13/2012 23:43:04
AEOFFICE.DLL : 8.1.2.40 201082 Bytes 7/13/2012 23:43:02
AEHEUR.DLL : 8.1.4.72 5038455 Bytes 7/13/2012 23:43:01
AEHELP.DLL : 8.1.23.2 258422 Bytes 7/13/2012 23:42:54
AEGEN.DLL : 8.1.5.32 434548 Bytes 7/13/2012 23:42:54
AEEXP.DLL : 8.1.0.62 86389 Bytes 7/13/2012 23:43:07
AEEMU.DLL : 8.1.3.2 393587 Bytes 7/13/2012 23:42:53
AECORE.DLL : 8.1.27.2 201078 Bytes 7/13/2012 23:42:53
AEBB.DLL : 8.1.1.0 53618 Bytes 1/21/2012 05:22:35
AVWINLL.DLL : 12.3.0.15 27344 Bytes 5/2/2012 04:59:21
AVPREF.DLL : 12.3.0.15 51920 Bytes 5/2/2012 04:44:31
AVREP.DLL : 12.3.0.15 179208 Bytes 5/2/2012 04:13:35
AVARKT.DLL : 12.3.0.15 211408 Bytes 5/2/2012 04:21:32
AVEVTLOG.DLL : 12.3.0.15 169168 Bytes 5/2/2012 04:28:49
SQLITE3.DLL : 3.7.0.1 398288 Bytes 4/17/2012 03:11:02
AVSMTP.DLL : 12.3.0.15 63440 Bytes 5/2/2012 04:51:35
NETNT.DLL : 12.3.0.15 17104 Bytes 5/2/2012 05:33:29
RCIMAGE.DLL : 12.3.0.15 4450000 Bytes 5/2/2012 06:03:52
RCTEXT.DLL : 12.3.0.15 96720 Bytes 5/2/2012 19:40:44

Configuration settings for the scan:
Jobname.............................: Local Hard Disks
Configuration file..................: C:\Program Files (x86)\Avira\AntiVir Desktop\alldiscs.avp
Logging.............................: default
Primary action......................: Interactive
Secondary action....................: Ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: off
Integrity checking of system files..: off
Scan all files......................: Intelligent file selection
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: extended

Start of the scan: Wednesday, July 18, 2012 12:00

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
Master boot sector HD2
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'GoogleToolbarUser_32.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'OUTLOOK.EXE' - '1' Module(s) have been scanned
Scan process 'agent.exe' - '1' Module(s) have been scanned
Scan process 'isuspm.exe' - '1' Module(s) have been scanned
Scan process 'daemonu.exe' - '1' Module(s) have been scanned
Scan process 'IntuitUpdateService.exe' - '1' Module(s) have been scanned
Scan process 'TestDDCCI.exe' - '1' Module(s) have been scanned
Scan process 'TestDDCCI.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'GarminLifetime.exe' - '1' Module(s) have been scanned
Scan process 'ACDaemon.exe' - '1' Module(s) have been scanned
Scan process 'issch.exe' - '1' Module(s) have been scanned
Scan process 'EasySetPackage.exe' - '1' Module(s) have been scanned
Scan process 'distnoted.exe' - '1' Module(s) have been scanned
Scan process 'ubd.exe' - '1' Module(s) have been scanned
Scan process 'paConsole.exe' - '1' Module(s) have been scanned
Scan process 'NBService.exe' - '1' Module(s) have been scanned
Scan process 'E_S30RP1.EXE' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'armsvc.exe' - '1' Module(s) have been scanned
Scan process 'ACService.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned

Starting to scan executable files (registry).
The registry was scanned ( '2370' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\Users\davidcore2\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\quarantine.db
[WARNING] The archive header is damaged
C:\Windows.old.000\Program Files\Microsoft Games\Microsoft Flight Simulator X\SimObjects\Airplanes\FSX Realair spitfire\RealAir\spit08\AutoPlay\Config Panel.cdd
[WARNING] The file is password protected
C:\Windows.old.000\Program Files\Microsoft Games\Microsoft Flight Simulator X (new)\SimObjects\Airplanes\FSX Realair spitfire\RealAir\spit08\AutoPlay\Config Panel.cdd
[WARNING] The file is password protected
C:\Windows.old.000\Users\Scott\Documents\VFAT2008_720p.zip
[WARNING] Possible archive bomb: the maximum unpack size has been reached.
C:\Windows.old.000\Windows\SoftwareDistribution\Download\ce5287396485f886a3051ac552cbdb2f08681033
[0] Archive type: Portable Executable Resource
--> P39564799
[1] Archive type: CAB (Microsoft)
--> WriterProdLang.7z
[2] Archive type: 7-Zip
--> WriterProdLang.cab
[3] Archive type: CAB (Microsoft)
--> writerprodlang.msi
[WARNING] The file could not be read!
--> P7563067
[1] Archive type: CAB (Microsoft)
--> LanguageSelector64.7z
[2] Archive type: 7-Zip
--> LanguageSelector64.cab
[3] Archive type: CAB (Microsoft)
--> LanguageSelector64.msi
[WARNING] The file could not be read!
Begin scan in 'D:\'
D:\DAVIDCORE2-PC\Backup Set 2011-09-25 082521\Backup Files 2011-10-02 083059\Backup files 215.zip
[WARNING] Invalid end of file
D:\DAVIDCORE2-PC\Backup Set 2011-09-25 082521\Backup Files 2011-10-02 083059\Backup files 224.zip
[WARNING] The archive header is damaged
D:\DAVIDCORE2-PC\Backup Set 2011-09-25 082521\Backup Files 2011-10-02 083059\Backup files 281.zip
[WARNING] Invalid end of file
D:\DAVIDCORE2-PC\Backup Set 2011-09-25 082521\Backup Files 2011-10-02 083059\Backup files 283.zip
[WARNING] The archive header is damaged
D:\DAVIDCORE2-PC\Backup Set 2011-09-25 082521\Backup Files 2011-10-02 083059\Backup files 391.zip
[WARNING] Invalid end of file
D:\DAVIDCORE2-PC\Backup Set 2011-09-25 082521\Backup Files 2011-10-02 083059\Backup files 396.zip
[WARNING] The archive header is damaged
D:\DAVIDCORE2-PC\Backup Set 2011-09-25 082521\Backup Files 2011-10-23 080118\Backup files 11.zip
[WARNING] The archive header is damaged
D:\DAVIDCORE2-PC\Backup Set 2011-09-25 082521\Backup Files 2011-10-23 080118\Backup files 16.zip
[WARNING] Invalid end of file
D:\DAVIDCORE2-PC\Backup Set 2011-09-25 082521\Backup Files 2011-10-23 080118\Backup files 25.zip
[WARNING] The archive header is damaged
D:\DAVIDCORE2-PC\Backup Set 2011-09-25 082521\Backup Files 2011-10-23 080118\Backup files 8.zip
[WARNING] Invalid end of file
D:\DAVIDCORE2-PC\Backup Set 2011-09-25 082521\Backup Files 2012-02-26 100408\Backup files 1.zip
[WARNING] Unsupported archive version
D:\DAVIDCORE2-PC\Backup Set 2012-05-20 020003\Backup Files 2012-05-20 020003\Backup files 245.zip
[WARNING] Invalid end of file
D:\DAVIDCORE2-PC\Backup Set 2012-05-20 020003\Backup Files 2012-05-20 020003\Backup files 254.zip
[WARNING] The archive header is damaged
D:\DAVIDCORE2-PC\Backup Set 2012-05-20 020003\Backup Files 2012-05-20 020003\Backup files 311.zip
[WARNING] Invalid end of file
D:\DAVIDCORE2-PC\Backup Set 2012-05-20 020003\Backup Files 2012-05-20 020003\Backup files 313.zip
[WARNING] The archive header is damaged
D:\DAVIDCORE2-PC\Backup Set 2012-05-20 020003\Backup Files 2012-05-20 020003\Backup files 440.zip
[WARNING] Invalid end of file
D:\DAVIDCORE2-PC\Backup Set 2012-05-20 020003\Backup Files 2012-05-20 020003\Backup files 445.zip
[WARNING] The archive header is damaged
D:\DAVIDCORE2-PC\Backup Set 2012-05-20 020003\Backup Files 2012-06-03 020004\Backup files 3.zip
[WARNING] Invalid end of file
D:\DAVIDCORE2-PC\Backup Set 2012-05-20 020003\Backup Files 2012-06-03 020004\Backup files 7.zip
[WARNING] The archive header is damaged
D:\My Old 130GB Drive\Download\NRN_SIT.HQX
[WARNING] Error file CRC
D:\My Old 130GB Drive\Games\Install-Spades-Free.exe
[WARNING] Invalid compressed data
D:\My Old 130GB Drive\My Documents\BIN2HEX.ZIP
[WARNING] The file is password protected
D:\My Old 130GB Drive\Program Files\IM\Uninstall.exe
[WARNING] Invalid end of file
D:\My Old 130GB Drive\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\3fc2\f4373dc\_bwfindx.zip
[WARNING] Invalid end of file
D:\My Old 130GB Drive\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\3fc2\f4373e6\_bwfindx.zip
[WARNING] Invalid end of file
D:\My Old 130GB Drive\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\3fc2\f4373e8\_bwfindx.zip
[WARNING] Invalid end of file
D:\My Old 130GB Drive\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\3fc2\f4373ef\_bwfindx.zip
[WARNING] Invalid end of file
D:\My Old 130GB Drive\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\3fc2\f437428\_bwfindx.zip
[WARNING] Invalid end of file
D:\My Old 130GB Drive\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\3fc2\f437448\_bwfindx.zip
[WARNING] Invalid end of file
D:\My Old 130GB Drive\Program Files\Netscape\Netscape Browser\NSUninst.exe
[WARNING] Unsupported archive version
D:\My Old 250GB Drive\PITS1 (250GB)\Documents and Settings\Owner\Application Data\eRoom\eRoom Client\V7\~Temp\ERTemp081815daf9990029.pdc
[WARNING] Invalid end of file
D:\My Old 250GB Drive\PITS1 (250GB)\Documents and Settings\Owner\Application Data\Juniper Networks\Setup\uninstall.exe
[WARNING] Invalid end of file
D:\My Old 250GB Drive\PITS1 (250GB)\Documents and Settings\Owner\Application Data\Move Networks\MoveMediaPlayerWin_071505000010.exe
[WARNING] Invalid end of file
D:\My Old 250GB Drive\PITS1 (250GB)\Documents and Settings\Owner\Application Data\Move Networks\uninstall.exe
[WARNING] Invalid end of file
D:\My Old 250GB Drive\PITS1 (250GB)\Program Files\eRoom 7\Help\webhelp.jar
[WARNING] Error multiple volume
D:\My Old 250GB Drive\PITS1 (250GB)\Program Files\WinRAR\rarnew.dat
[WARNING] Error no files to extract
D:\My Old 60GB Drive\Program Files\Common Files\Adobe\ESD\uninst.exe
[WARNING] Unsupported archive version
D:\My Old 60GB Drive\Program Files\Jummpa Software\OggDS0991.exe
[WARNING] Unsupported archive version
D:\My Old 60GB Drive\Program Files\Microsoft FrontPage\temp\cm98.zip
[WARNING] Invalid end of file
D:\My Old 60GB Drive\Program Files\Net Nanny\nn_uninstall.exe
[WARNING] Invalid compressed data
D:\My Old 60GB Drive\Program Files\NetZero\qs\uninst.exe
[WARNING] Unsupported archive version
D:\My Old 60GB Drive\WINDOWS\OPTIONS\INSTALL\DRIVER5.CAB
[WARNING] Error multiple volume
D:\My Old 60GB Drive\WINDOWS\OPTIONS\INSTALL\DRIVER6.CAB
[WARNING] Error multiple volume
D:\My Old 60GB Drive\WINDOWS\OPTIONS\INSTALL\DRIVER7.CAB
[WARNING] Error multiple volume
D:\My Old 60GB Drive\WINDOWS\OPTIONS\INSTALL\NET3.CAB
[WARNING] Error multiple volume
D:\My Old 60GB Drive\WINDOWS\OPTIONS\INSTALL\NET4.CAB
[WARNING] Error multiple volume
D:\My Old 60GB Drive\WINDOWS\OPTIONS\INSTALL\WIN_10.CAB
[WARNING] Error multiple volume
D:\My Old 60GB Drive\WINDOWS\OPTIONS\INSTALL\WIN_11.CAB
[WARNING] Error multiple volume
D:\My Old 60GB Drive\WINDOWS\OPTIONS\INSTALL\WIN_12.CAB
[WARNING] Error multiple volume
D:\My Old 60GB Drive\WINDOWS\OPTIONS\INSTALL\WIN_13.CAB
[WARNING] Error multiple volume
D:\My Old 60GB Drive\WINDOWS\OPTIONS\INSTALL\WIN_14.CAB
[WARNING] Error multiple volume
D:\My Old 60GB Drive\WINDOWS\OPTIONS\INSTALL\WIN_15.CAB
[WARNING] Error multiple volume
D:\My Old 60GB Drive\WINDOWS\OPTIONS\INSTALL\WIN_16.CAB
[WARNING] Error multiple volume
D:\My Old 60GB Drive\WINDOWS\OPTIONS\INSTALL\WIN_17.CAB
[WARNING] Error multiple volume
D:\My Old 60GB Drive\WINDOWS\OPTIONS\INSTALL\WIN_18.CAB
[WARNING] Error multiple volume
D:\My Old 60GB Drive\WINDOWS\OPTIONS\INSTALL\WIN_19.CAB
[WARNING] Error multiple volume
D:\My Old 60GB Drive\WINDOWS\OPTIONS\INSTALL\WIN_20.CAB
[WARNING] Error multiple volume
D:\My Old 60GB Drive\WINDOWS\OPTIONS\INSTALL\WIN_21.CAB
[WARNING] Error multiple volume
D:\My Old 60GB Drive\WINDOWS\OPTIONS\INSTALL\WIN_8.CAB
[WARNING] Error multiple volume
D:\My Old 60GB Drive\WINDOWS\OPTIONS\INSTALL\WIN_9.CAB
[WARNING] Error multiple volume
D:\My Old 60GB Drive\WINDOWS\TEMP\NetNanny\Downloads\dao36.exe
[WARNING] Unsupported archive version
D:\My Old 60GB Drive\WINDOWS\TEMP\NetNanny\Downloads\NN5-0-3-05_nn_setup_files.exe
[WARNING] Unsupported archive version
D:\My Old 60GB Drive\WINDOWS\TEMP\RarSFX0\NN5-0-3-05_nnsetup.exe
[WARNING] Invalid compressed data
D:\My Old 60GB Drive\WINDOWS\Temporary Internet Files\Content.IE5\81QJ45AF\AdbeRdr60_DLM_enu_full[1].exe
[WARNING] Unsupported archive version


End of the scan: Wednesday, July 18, 2012 16:15
Used time: 4:15:02 Hour(s)

The scan has been done completely.

100136 Scanned directories
3279818 Files were scanned
0 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 Files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
3279818 Files not concerned
21507 Archives were scanned

And here is my Mbam log
Malwarebytes Anti-Malware 1.62.0.1300
[You must be registered and logged in to see this link.]

Database version: v2012.07.18.01

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
davidcore2 :: DAVIDCORE2-PC [administrator]

7/17/2012 9:19:27 PM
mbam-log-2012-07-17 (21-19-27).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 240930
Time elapsed: 5 minute(s), 5 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


Re: Trojan.Sirefef

Post by Superdave on Fri 20 Jul 2012, 9:45 am

It looks like we are ok now.
Does that mean your computer is running normally now?


Re: Trojan.Sirefef

Post by dapits on Fri 20 Jul 2012, 9:51 am

I believe it is better. All of the scans seem to be coming back ok.


Re: Trojan.Sirefef

Post by Superdave on Fri 20 Jul 2012, 10:57 am

Ok. We can do some cleanup. If anything else comes up, please let me know.

To uninstall ComboFix


  • Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
  • In the field, type in ComboFix /uninstall

(Note: Make sure there's a space between the word ComboFix and the forward-slash.)

  • Then, press Enter, or click OK.
  • This will uninstall ComboFix, delete its folders and files, hide System files and folders, and reset System Restore.

*************************************************
Clean out your temporary internet files and temp files.

Download TFC by OldTimer to your desktop.

Double-click TFC.exe to run it.

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

TFC will close all programs when run, so make sure you have saved all your work before you begin.

* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.
*************************************************
Use the Secunia Software Inspector to check for out of date software.

•Click Start Now

•Check the box next to Enable thorough system inspection.

•Click Start

•Allow the scan to finish and scroll down to see if any updates are needed.
•Update anything listed.
----------

Go to Microsoft Windows Update and get all critical updates.

----------

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
Safe Surfing!
