[A] Win32/sirefe.ab infection

Discussion in 'Virus and Malware Removal' started by BaBoRains, Oct 14, 2012.

  1. BaBoRains Newcomer, in training Posts: 36

    Farbar Service Scanner Version: 19-10-2012
    Ran by Stephen D. Rains (administrator) on 19-10-2012 at 11:53:44
    Running from "G:\"
    Microsoft® Windows Vista™ Home Basic Service Pack 2 (X86)
    Boot Mode: Normal
    ****************************************************************
    Internet Services:
    ============
    Connection Status:
    ==============
    Attempt to access Local Host IP returned error: Localhost is blocked: Other errors
    LAN connected.
    Attempt to access Google IP returned error: Other errors
    Attempt to access Google.com returned error: Other errors
    Attempt to access Yahoo IP returned error: Other errors
    Attempt to access Yahoo.com returned error: Other errors
    Windows Firewall:
    =============
    Firewall Disabled Policy:
    ==================
    System Restore:
    ============
    System Restore Disabled Policy:
    ========================
    Security Center:
    ============
    Windows Update:
    ============
    Windows Autoupdate Disabled Policy:
    ============================
    Windows Defender:
    ==============
    WinDefend Service is not running. Checking service configuration:
    The start type of WinDefend service is set to Demand. The default start type is Auto.
    The ImagePath of WinDefend service is OK.
    The ServiceDll of WinDefend service is OK.
    Windows Defender Disabled Policy:
    ==========================
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
    "DisableAntiSpyware"=DWORD:1
    Other Services:
    ==============
    File Check:
    ========
    C:\Windows\system32\nsisvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\afd.sys => MD5 is legit
    C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
    C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\system32\dnsrslvr.dll => MD5 is legit
    C:\Windows\system32\mpssvc.dll => MD5 is legit
    C:\Windows\system32\bfe.dll => MD5 is legit
    C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\system32\SDRSVC.dll => MD5 is legit
    C:\Windows\system32\vssvc.exe => MD5 is legit
    C:\Windows\system32\wscsvc.dll => MD5 is legit
    C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\system32\wuaueng.dll => MD5 is legit
    C:\Windows\system32\qmgr.dll => MD5 is legit
    C:\Windows\system32\es.dll => MD5 is legit
    C:\Windows\system32\cryptsvc.dll
    [2012-10-10 02:28] - [2012-06-01 20:02] - 0133120 ____A (Microsoft Corporation) F1E8C34892336D33EDDCDFE44E474F64
    C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
    C:\Windows\system32\svchost.exe => MD5 is legit
    C:\Windows\system32\rpcss.dll => MD5 is legit
    **** End of log ****
  2. BaBoRains Newcomer, in training Posts: 36

    # AdwCleaner v2.005 - Logfile created 10/19/2012 at 11:56:07
    # Updated 14/10/2012 by Xplode
    # Operating system : Windows Vista (TM) Home Basic Service Pack 2 (32 bits)
    # User : Stephen D. Rains - BABO-PC
    # Boot Mode : Normal
    # Running from : G:\adwcleaner.exe
    # Option [Delete]
    ***** [Services] *****
    ***** [Files / Folders] *****
    File Deleted : C:\Program Files\Mozilla FireFox\searchplugins\Search_Results.xml
    File Deleted : C:\Users\Stephen D. Rains\AppData\Roaming\Mozilla\Firefox\Profiles\fkndfmis.default\searchplugins\Search_Results.xml
    Folder Deleted : C:\ProgramData\Ask
    Folder Deleted : C:\ProgramData\boost_interprocess
    Folder Deleted : C:\Users\Stephen D. Rains\AppData\Local\Ilivid Player
    Folder Deleted : C:\Users\Stephen D. Rains\AppData\Local\OpenCandy
    Folder Deleted : C:\Users\Stephen D. Rains\AppData\LocalLow\Conduit
    Folder Deleted : C:\Users\Stephen D. Rains\AppData\LocalLow\MyWebSearch
    ***** [Registry] *****
    Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
    Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40B7-AC73-056A5EBA4A7E}
    Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{00000000-6E41-4FD3-8538-502F5495E5FC}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-6E41-4FD3-8538-502F5495E5FC}
    Key Deleted : HKCU\Software\Softonic
    Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT1066435
    Key Deleted : HKLM\Software\Freeze.com
    Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{08858AF6-42AD-4914-95D2-AC3AB0DC8E28}
    ***** [Internet Browsers] *****
    -\\ Internet Explorer v9.0.8112.16421
    [OK] Registry is clean.
    -\\ Mozilla Firefox v6.0 (en-US)
    Profile name : default
    File : C:\Users\Stephen D. Rains\AppData\Roaming\Mozilla\Firefox\Profiles\fkndfmis.default\prefs.js
    Deleted : user_pref("browser.search.defaultenginename", "Search Results");
    Deleted : user_pref("browser.search.order.1", "Search Results");
    Deleted : user_pref("browser.search.selectedEngine", "Search Results");
    Deleted : user_pref("browser.startup.homepage", "hxxp://www.searchqu.com/405");
    Deleted : user_pref("keyword.URL", "hxxp://dts.search-results.com/sr?src=ffb&appid=0&systemid=405&sr=0&q=");
    *************************
    AdwCleaner[S1].txt - [2654 octets] - [19/10/2012 11:56:07]
    ########## EOF - C:\AdwCleaner[S1].txt - [2714 octets] ##########
  3. BaBoRains Newcomer, in training Posts: 36

    I ran everything but the Online Scanner. Still no wifi connection. My ethernet cable got damaged also (Italian greyhound puppy). My computer is running better it seems, just the internet connection.
  4. Broni Malware Annihilator Posts: 39,206   +175

    Go Start>Run (Start search in Vista and 7), type in:
    cmd
    Click OK (in Vista and 7, while holding CTRL, and SHIFT, press Enter).

    At Command Prompt, type in:
    netsh int ip reset reset.log
    Hit Enter.
    Type in:
    netsh winsock reset catalog
    Hit Enter.

    Restart computer.
    Post new FSS log.
  5. BaBoRains Newcomer, in training Posts: 36

    Farbar Service Scanner Version: 19-10-2012
    Ran by Stephen D. Rains (administrator) on 19-10-2012 at 20:41:37
    Running from "G:\Tech Fixes"
    Microsoft® Windows Vista™ Home Basic Service Pack 2 (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Attempt to access Local Host IP returned error: Localhost is blocked: Other errors
    LAN connected.
    Attempt to access Google IP returned error: Other errors
    Attempt to access Google.com returned error: Other errors
    Attempt to access Yahoo IP returned error: Other errors
    Attempt to access Yahoo.com returned error: Other errors


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Security Center:
    ============
    wscsvc Service is not running. Checking service configuration:
    The start type of wscsvc service is OK.
    The ImagePath of wscsvc service is OK.
    The ServiceDll of wscsvc service is OK.


    Windows Update:
    ============
    wuauserv Service is not running. Checking service configuration:
    The start type of wuauserv service is OK.
    The ImagePath of wuauserv service is OK.
    The ServiceDll of wuauserv service is OK.


    Windows Autoupdate Disabled Policy:
    ============================


    Windows Defender:
    ==============
    WinDefend Service is not running. Checking service configuration:
    The start type of WinDefend service is set to Demand. The default start type is Auto.
    The ImagePath of WinDefend service is OK.
    The ServiceDll of WinDefend service is OK.


    Windows Defender Disabled Policy:
    ==========================
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
    "DisableAntiSpyware"=DWORD:1


    Other Services:
    ==============


    File Check:
    ========
    C:\Windows\system32\nsisvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\afd.sys => MD5 is legit
    C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
    C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\system32\dnsrslvr.dll => MD5 is legit
    C:\Windows\system32\mpssvc.dll => MD5 is legit
    C:\Windows\system32\bfe.dll => MD5 is legit
    C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\system32\SDRSVC.dll => MD5 is legit
    C:\Windows\system32\vssvc.exe => MD5 is legit
    C:\Windows\system32\wscsvc.dll => MD5 is legit
    C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\system32\wuaueng.dll => MD5 is legit
    C:\Windows\system32\qmgr.dll => MD5 is legit
    C:\Windows\system32\es.dll => MD5 is legit
    C:\Windows\system32\cryptsvc.dll
    [2012-10-10 02:28] - [2012-06-01 20:02] - 0133120 ____A (Microsoft Corporation) F1E8C34892336D33EDDCDFE44E474F64

    C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
    C:\Windows\system32\svchost.exe => MD5 is legit
    C:\Windows\system32\rpcss.dll => MD5 is legit


    **** End of log ****
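    The findings a responder actually acts on in a Farbar Service Scanner log are the stopped services, altered start types, policy DWORDs, the loopback block and any File Check entry printed without "=> MD5 is legit". Here is an added example (my own code, not from the thread or from Farbar's tool) that parses those out of an FSS log and lists the next checks; the sample log is a constructed excerpt in FSS format built from the lines posted above, and the function names are hypothetical.

```python
"""Added example, not code from the thread or from Farbar Service Scanner:
pull the actionable findings out of an FSS log."""
import re

# Constructed excerpt in the FSS log format, built from the thread's findings.
SAMPLE_FSS_LOG = """\
Connection Status:
==============
Attempt to access Local Host IP returned error: Localhost is blocked: Other errors
LAN connected.
Attempt to access Google IP returned error: Other errors

Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.

Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender]
"DisableAntiSpyware"=DWORD:1

File Check:
========
C:\\Windows\\system32\\nsisvc.dll => MD5 is legit
C:\\Windows\\system32\\cryptsvc.dll
[2012-10-10 02:28] - [2012-06-01 20:02] - 0133120 ____A (Microsoft Corporation) F1E8C34892336D33EDDCDFE44E474F64
C:\\Windows\\system32\\svchost.exe => MD5 is legit
"""

SERVICE_DOWN = re.compile(r"^(\w+) Service is not running\.")
START_TYPE = re.compile(r"^The start type of (\w+) service is set to (\w+)\. "
                        r"The default start type is (\w+)\.")
POLICY = re.compile(r'^"(\w+)"=DWORD:(\d+)$')
CONN_ERR = re.compile(r"^Attempt to access (.+?) returned error: (.+)$")
# Detail line FSS prints under a file it could not match: [created] - [modified] - size attrs (company) MD5
FILE_DETAIL = re.compile(r"^\[.*?\] - \[.*?\] - (\d+) \S+ \((.*?)\) ([0-9A-F]{32})$")
WIN_PATH = re.compile(r"^[A-Za-z]:\\")


def parse_fss(text):
    """Return stopped services, altered start types, policy DWORDs,
    connectivity errors and File Check entries FSS could not verify."""
    f = {"services_down": [], "start_type_changed": {}, "policies": {},
         "connectivity_errors": {}, "unverified_files": {}}
    lines = [ln.strip() for ln in text.splitlines()]
    for i, line in enumerate(lines):
        if m := SERVICE_DOWN.match(line):
            f["services_down"].append(m.group(1))
        elif m := START_TYPE.match(line):
            f["start_type_changed"][m.group(1)] = (m.group(2), m.group(3))
        elif m := POLICY.match(line):
            f["policies"][m.group(1)] = int(m.group(2))
        elif m := CONN_ERR.match(line):
            f["connectivity_errors"][m.group(1)] = m.group(2)
        elif WIN_PATH.match(line) and "=> MD5 is legit" not in line and i + 1 < len(lines):
            # An unverified file is followed by its detail line carrying the hash.
            if d := FILE_DETAIL.match(lines[i + 1]):
                f["unverified_files"][line] = {
                    "size": int(d.group(1)), "company": d.group(2), "md5": d.group(3)}
    return f


def triage(findings):
    """Turn findings into the checks a responder performs next (one note each)."""
    notes = []
    if findings["policies"].get("DisableAntiSpyware") == 1:
        notes.append("Defender disabled via HKLM policy DisableAntiSpyware=1; malware and some "
                     "third-party AV installers both set this, confirm which before resetting it")
    for svc, (now, default) in findings["start_type_changed"].items():
        notes.append(f"{svc} start type is {now}, default is {default}; restore after cleanup")
    for svc in findings["services_down"]:
        notes.append(f"{svc} is stopped; re-enable once the host is clean")
    if any("Localhost is blocked" in e for e in findings["connectivity_errors"].values()):
        notes.append("loopback blocked while LAN is up: suspect Winsock/LSP or IP stack tampering, "
                     "which is why a netsh winsock/ip reset is the usual next step")
    for path, info in findings["unverified_files"].items():
        notes.append(f"{path} not in FSS's known-good list (MD5 {info['md5']}, {info['size']} bytes); "
                     "compare it with the WinSxS component-store copies before calling it patched")
    return notes


if __name__ == "__main__":
    for note in triage(parse_fss(SAMPLE_FSS_LOG)):
        print("-", note)
```

    The unverified cryptsvc.dll entry is not proof of tampering on its own: FSS only reports that the hash is not in its list, which is exactly the gap the later SystemLook check fills.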
  6. Broni Malware Annihilator Posts: 39,206   +175

    Did the commands execute successfully?
     
  7. BaBoRains Newcomer, in training Posts: 36

    It said they both did.
  8. Broni Malware Annihilator Posts: 39,206   +175

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    64-bit users go HERE
    • Double-click SystemLook.exe to run it.
    • Vista users: Right click on SystemLook.exe, click Run As Administrator
    • Copy the content of the following box and paste it into the main textfield:
      Code:
      :filefind
      cryptsvc.dll
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
  9. BaBoRains Newcomer, in training Posts: 36

    SystemLook 30.07.11 by jpshortstuff
    Log created at 21:51 on 20/10/2012 by Stephen D. Rains
    Administrator - Elevation successful
    ========== filefind ==========
    Searching for "cryptsvc.dll"
    C:\Windows\erdnt\cache\cryptsvc.dll--a---- 133120 bytes[02:09 19/10/2012][00:02 02/06/2012] F1E8C34892336D33EDDCDFE44E474F64
    C:\Windows\System32\cryptsvc.dll--a---- 133120 bytes[06:28 10/10/2012][00:02 02/06/2012] F1E8C34892336D33EDDCDFE44E474F64
    C:\Windows\winsxs\x86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.0.6001.18000_none_75ff99649acf4de9\cryptsvc.dll--a---- 128000 bytes[02:34 21/01/2008][02:34 21/01/2008] 6DE363F9F99334514C46AEC02D3E3678
    C:\Windows\winsxs\x86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.0.6002.18005_none_77eb127097f11935\cryptsvc.dll--a---- 129024 bytes[17:32 12/09/2009][06:28 11/04/2009] FB27772BEAF8E1D28CCD825C09DA939B
    C:\Windows\winsxs\x86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.0.6002.18618_none_77e34ec697f67015\cryptsvc.dll--a---- 133120 bytes[10:21 13/06/2012][16:00 23/04/2012] 75C6A297E364014840B48ECCD7525E30
    C:\Windows\winsxs\x86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.0.6002.18643_none_77bddd9098134535\cryptsvc.dll--a---- 133120 bytes[06:28 10/10/2012][00:02 02/06/2012] F1E8C34892336D33EDDCDFE44E474F64
    C:\Windows\winsxs\x86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.0.6002.22840_none_78447b63b1339621\cryptsvc.dll--a---- 135168 bytes[10:21 13/06/2012][14:48 23/04/2012] C979AEA8C4D8F875CD25507D08980006
    C:\Windows\winsxs\x86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.0.6002.22869_none_7837de25b13bb212\cryptsvc.dll--a---- 135168 bytes[06:28 10/10/2012][11:09 02/06/2012] DD9CCF40ED80DD0D62F1B607A1EA4449
    -= EOF =-
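    What the :filefind listing lets you check is whether the live System32 copy of cryptsvc.dll hashes the same as one of the copies Windows itself staged in the WinSxS component store. Here is an added example (my own code, not from the thread or from SystemLook) that parses the listing, groups copies by MD5 and reports which component-store version the live file matches; the sample listing is constructed in SystemLook's format from the log posted above, the function names are hypothetical, and the "created/modified" labels for the two bracketed timestamps are an assumption based on the ordering seen in that log.

```python
"""Added example, not code from the thread or from SystemLook: parse a
:filefind listing and compare the live System32 copy with WinSxS copies."""
import re
from collections import defaultdict

# Constructed sample in SystemLook's :filefind output format, from the thread's log.
SAMPLE_SYSTEMLOOK = r"""
SystemLook 30.07.11 by jpshortstuff
Log created at 21:51 on 20/10/2012 by <user>
Administrator - Elevation successful
========== filefind ==========
Searching for "cryptsvc.dll"
C:\Windows\erdnt\cache\cryptsvc.dll--a---- 133120 bytes[02:09 19/10/2012][00:02 02/06/2012] F1E8C34892336D33EDDCDFE44E474F64
C:\Windows\System32\cryptsvc.dll--a---- 133120 bytes[06:28 10/10/2012][00:02 02/06/2012] F1E8C34892336D33EDDCDFE44E474F64
C:\Windows\winsxs\x86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.0.6001.18000_none_75ff99649acf4de9\cryptsvc.dll--a---- 128000 bytes[02:34 21/01/2008][02:34 21/01/2008] 6DE363F9F99334514C46AEC02D3E3678
C:\Windows\winsxs\x86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.0.6002.18005_none_77eb127097f11935\cryptsvc.dll--a---- 129024 bytes[17:32 12/09/2009][06:28 11/04/2009] FB27772BEAF8E1D28CCD825C09DA939B
C:\Windows\winsxs\x86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.0.6002.18618_none_77e34ec697f67015\cryptsvc.dll--a---- 133120 bytes[10:21 13/06/2012][16:00 23/04/2012] 75C6A297E364014840B48ECCD7525E30
C:\Windows\winsxs\x86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.0.6002.18643_none_77bddd9098134535\cryptsvc.dll--a---- 133120 bytes[06:28 10/10/2012][00:02 02/06/2012] F1E8C34892336D33EDDCDFE44E474F64
C:\Windows\winsxs\x86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.0.6002.22840_none_78447b63b1339621\cryptsvc.dll--a---- 135168 bytes[10:21 13/06/2012][14:48 23/04/2012] C979AEA8C4D8F875CD25507D08980006
C:\Windows\winsxs\x86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.0.6002.22869_none_7837de25b13bb212\cryptsvc.dll--a---- 135168 bytes[06:28 10/10/2012][11:09 02/06/2012] DD9CCF40ED80DD0D62F1B607A1EA4449
-= EOF =-
"""

# path, 7-char attribute field, size, two bracketed timestamps, MD5.
# Assumption: first stamp is creation time, second is last-write time
# (the winsxs entries carry install time first, build time second).
ENTRY = re.compile(
    r"^(?P<path>.+?)(?P<attrs>-[-a-z]{6}) (?P<size>\d+) bytes"
    r"\[(?P<created>[^\]]+)\]\[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$")
SXS_VERSION = re.compile(r"_(\d+\.\d+\.\d+\.\d+)_none_")


def parse_systemlook(text):
    """Return one dict per :filefind hit; header and footer lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"])
            e["md5"] = e["md5"].upper()
            entries.append(e)
    return entries


def group_by_md5(entries):
    """Map each MD5 to the paths carrying it, so identical copies stand out."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["md5"]].append(e["path"])
    return dict(groups)


def sxs_versions_matching_live(entries, file_name="cryptsvc.dll"):
    """Component-store versions whose MD5 equals the live System32 copy.
    An empty list means the live file matches nothing Windows staged,
    which is the case that deserves a closer look."""
    live = [e for e in entries
            if e["path"].lower().endswith("\\system32\\" + file_name.lower())]
    if not live:
        return []
    live_md5 = live[0]["md5"]
    versions = []
    for e in entries:
        if "\\winsxs\\" in e["path"].lower() and e["md5"] == live_md5:
            v = SXS_VERSION.search(e["path"])
            if v:
                versions.append(v.group(1))
    return sorted(versions)


if __name__ == "__main__":
    hits = parse_systemlook(SAMPLE_SYSTEMLOOK)
    for md5, paths in group_by_md5(hits).items():
        print(md5, len(paths), "copies")
    print("live copy matches WinSxS version(s):", sxs_versions_matching_live(hits))
```

    On the log above the live file matches the 6.0.6002.18643 component, i.e. a copy Windows itself installed, which is the outcome you want to see before moving on to the stack and permission repairs suggested next.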
  10. Broni Malware Annihilator Posts: 39,206   +175

    Download Windows Repair (all in one) from this site

    Install the program then run it.

    Go to Step 2 and allow it to run CheckDisk by clicking on Do It button:

    [IMG]



    Once that is done then go to Step 3 and allow it to run System File Check by clicking on Do It button:

    [IMG]


    Go to Step 4 and under "System Restore" click on Create button:

    [IMG]


    Go to Start Repairs tab and click Start button.

    [IMG]


    Please ensure that ONLY items seen in the image below are ticked as indicated (they're all checked by default):

    [IMG]

    Click on box next to the Restart System when Finished. Then click on Start.
  11. BaBoRains Newcomer, in training Posts: 36

    Attempted to run the above program. It kept giving me an "execute processes has stopped working" error.
  12. Broni Malware Annihilator Posts: 39,206   +175

    What is the EXACT wording of that error and at what exact point does it happen?
  13. BaBoRains Newcomer, in training Posts: 36

    "Execute process remotely stopped working. Windows searching for a solution" then "execute processes has stopped working". Starts at the Reset File Permissions and continues all the way through.
  14. Broni Malware Annihilator Posts: 39,206   +175

    Do you have/can borrow Vista DVD?
  15. BaBoRains Newcomer, in training Posts: 36

    I think I have the original disks. I will check
  16. Broni Malware Annihilator Posts: 39,206   +175

  17. Broni Malware Annihilator Posts: 39,206   +175

    Still with me?
  18. Broni Malware Annihilator Posts: 39,206   +175

    This topic is marked as abandoned and closed due to inactivity.
    This member will NOT be eligible to receive any more help in malware removal forum.