Malware sirefef.y and similar found in MSE on Vista HP x86

Discussion in 'Virus and Malware Removal' started by Johnny270268, Jul 13, 2012.

  1. Johnny270268 Newcomer, in training Posts: 81

    Hi Broni,

    The screens gone black but HDD light on PC is flickering in pulses. Does this sound OK? I've moved mouse around so I don't think it's a hibernate issue. This is a relative's computer.
  2. Broni Malware Annihilator Posts: 39,288   +175

    Give it some more time.
  3. Johnny270268 Newcomer, in training Posts: 81

  4. Johnny270268 Newcomer, in training Posts: 81

    Hi again Broni,

    No change as yet.... :confused:
  5. Johnny270268 Newcomer, in training Posts: 81

    Broni,

    The scan was still going after several hours so I did a reboot, set the display, sleep and hibernate to 'Never' and am currently re-running the scan.
  6. Johnny270268 Newcomer, in training Posts: 81

    Hey Broni,

    ComboFix has failed to run both times as well as in Safe Mode. Will now run ComboFix.exe (as John_M.exe) simultaneously with Rkill.com in normal mode. TBC....
  7. Johnny270268 Newcomer, in training Posts: 81

    Hi again Broni,

    ComboFix refuses to run. I've tried all Rkill variants in normal and safe mode as per instructions but to no avail.

    HELP!!!!!
  8. Broni Malware Annihilator Posts: 39,288   +175

    • Download RogueKiller on the desktop
    • Close all the running programs
    • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
    • Otherwise just double-click on RogueKiller.exe
    • Pre-scan will start. Let it finish.
    • Click on SCAN button.
    • A report (RKreport.txt) should open. Post its content in your next reply. (RKreport could also be found on your desktop)
    • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again

    =====================================

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.
  9. Johnny270268 Newcomer, in training Posts: 81

    Gidday Broni,

    RK Report below

    RogueKiller V7.6.3 [07/08/2012] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Blog: http://tigzyrk.blogspot.com
    Operating System: Windows Vista (6.0.6002 Service Pack 2) 32 bits version
    Started in : Normal mode
    User: Greg [Admin rights]
    Mode: Scan -- Date: 07/16/2012 03:49:42
    ¤¤¤ Bad processes: 0 ¤¤¤
    ¤¤¤ Registry Entries: 5 ¤¤¤
    [SUSP PATH] RunAsStdUser Task.job @ : C:\Users\Greg\AppData\Local\RavenBleuSA\bin\1.0.11.0\RavenBleuSA.exe -> FOUND
    [SUSP PATH] Facebook Messenger.lnk Greg : C:\Users\Greg\AppData\Local\Facebook\Messenger\2.1.4570.0\FacebookMessenger.exe -> FOUND
    [PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (hxxp=127.0.0.1:5577) -> FOUND
    [HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
    ¤¤¤ Particular Files / Folders: ¤¤¤
    ¤¤¤ Driver: [LOADED] ¤¤¤
    ¤¤¤ Infection : ¤¤¤
    ¤¤¤ HOSTS File: ¤¤¤
    127.0.0.1 localhost
    ::1 localhost
    188.119.151.111 www.google-analytics.com.
    188.119.151.111 ad-emea.doubleclick.net.
    188.119.151.111 www.statcounter.com.
    108.163.215.51 www.google-analytics.com.
    108.163.215.51 ad-emea.doubleclick.net.
    108.163.215.51 www.statcounter.com.

    ¤¤¤ MBR Check: ¤¤¤
    +++++ PhysicalDrive0: SAMSUNG HD502IJ ATA Device +++++
    --- User ---
    [MBR] ff3d2aa61c158a3ec6da68c945546cad
    [BSP] 7d4755e7c820a24a8f2162a6ed0543bc : Windows Vista MBR Code
    Partition table:
    0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 62 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 129024 | Size: 15360 Mo
    2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 31586304 | Size: 461516 Mo
    3 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 976771072 | Size: 1 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!
    Finished : << RKreport[1].txt >>
    RKreport[1].txt
  10. Broni Malware Annihilator Posts: 39,288   +175

  11. Johnny270268 Newcomer, in training Posts: 81

    Still running and picking up infections. Will post as soon as scan completes.
  12. Broni Malware Annihilator Posts: 39,288   +175

  13. Johnny270268 Newcomer, in training Posts: 81

    Here you go Broni, scan successfully completed. ASW.dat saved to desktop as well. Thanks for your patience... you're a diamond my friend :)


    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-07-16 03:58:36
    -----------------------------
    03:58:36.752 OS Version: Windows 6.0.6002 Service Pack 2
    03:58:36.752 Number of processors: 2 586 0x1706
    03:58:36.752 ComputerName: GREG-PC UserName: Greg
    03:58:53.850 Initialize success
    04:00:12.806 AVAST engine defs: 12071500
    04:00:37.001 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
    04:00:37.001 Disk 0 Vendor: SAMSUNG_HD502IJ 1AA01113 Size: 476940MB BusType: 3
    04:00:37.017 Disk 0 MBR read successfully
    04:00:37.017 Disk 0 MBR scan
    04:00:37.017 Disk 0 Windows VISTA default MBR code
    04:00:37.033 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 62 MB offset 63
    04:00:37.048 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 15360 MB offset 129024
    04:00:37.064 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 461516 MB offset 31586304
    04:00:37.095 Disk 0 Partition 4 00 07 HPFS/NTFS NTFS 1 MB offset 976771072
    04:00:37.095 Disk 0 Partition 4 **INFECTED** MBR:Alureon-K [Rtk]
    04:00:37.126 Disk 0 scanning sectors +976773152
    04:00:37.204 Disk 0 scanning C:\Windows\system32\drivers
    04:01:10.900 Service scanning
    04:02:28.838 Modules scanning
    04:02:49.742 Disk 0 trace - called modules:
    04:02:49.773 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS pciide.sys
    04:02:49.773 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86ce3780]
    04:02:49.789 3 CLASSPNP.SYS[8bbac8b3] -> nt!IofCallDriver -> [0x86b2bb58]
    04:02:49.789 5 acpi.sys[805bc6bc] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x86b06b98]
    04:02:58.119 AVAST engine scan C:\Windows
    04:03:11.675 AVAST engine scan C:\Windows\system32
    04:07:12.169 AVAST engine scan C:\Windows\system32\drivers
    04:07:32.153 AVAST engine scan C:\Users\Greg
    04:08:06.426 File: C:\Users\Greg\AppData\Local\Apps\2.0\KCEKG8JM.QTD\650PDRZ4.GZ0\cros..tion_18dde0b6f0266e94_0001.0000_60f416b8a42422e9\CrossFire Hack.exe **INFECTED** Win32:Malware-gen
    04:08:34.100 File: C:\Users\Greg\AppData\Local\hqopmya.exe **INFECTED** Win32:Susn-AK [Trj]
    04:08:37.891 File: C:\Users\Greg\AppData\Local\jkpcpukocn.exe **INFECTED** Win32:FakeAV-DNP [Trj]
    04:14:26.896 File: C:\Users\Greg\AppData\Local\Temp\cdoqovxndc.exe **INFECTED** Win32:Malware-gen
    04:59:02.988 File: C:\Users\Greg\Music\iTunes\iTunes Music\CrossFire Afk Bot\CrossFire Afk Bot\CrossFire d3d v.6.exe **INFECTED** Win32:Malware-gen
    05:03:49.258 AVAST engine scan C:\ProgramData
    05:17:05.453 Scan finished successfully
    05:18:26.973 Disk 0 MBR has been saved successfully to "C:\Users\Greg\Desktop\MBR.dat"
    05:18:26.973 The log file has been saved successfully to "C:\Users\Greg\Desktop\aswMBR.txt"
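What aswMBR found above is worth reading closely: a fourth partition of 1 MB, type 07, not bootable, starting at sector 976771072, which is 476939 MB into a 476940 MB disk. A tiny raw partition parked in the last megabyte of the drive, which no installer would create, is the layout the scanner labels MBR:Alureon-K. The code below is an added example (not part of the thread and not aswMBR's own code) that parses those partition lines, converts sector offsets to MB, and flags partitions with that profile. The sample log lines are constructed from the report above; the function names and the 16 MB "tiny" threshold are my own choices.

```python
import re

# Constructed sample: the disk and partition lines of the aswMBR log posted
# in the thread (timestamps kept, other lines dropped).
ASWMBR_LOG = """\
04:00:37.001 Disk 0 Vendor: SAMSUNG_HD502IJ 1AA01113 Size: 476940MB BusType: 3
04:00:37.033 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 62 MB offset 63
04:00:37.048 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 15360 MB offset 129024
04:00:37.064 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 461516 MB offset 31586304
04:00:37.095 Disk 0 Partition 4 00 07 HPFS/NTFS NTFS 1 MB offset 976771072
04:00:37.095 Disk 0 Partition 4 **INFECTED** MBR:Alureon-K [Rtk]
"""

SECTORS_PER_MB = (1024 * 1024) // 512  # aswMBR reports offsets in 512-byte sectors

DISK_RE = re.compile(r"Disk (\d+) Vendor: .*? Size: (\d+)MB")
# boot flag (80 = bootable, shown with "(A)"), MBR type byte, free-text
# description, size in MB, offset in sectors
PART_RE = re.compile(
    r"Disk (\d+) Partition (\d+) ([0-9A-F]{2}) (?:\(A\) )?([0-9A-F]{2}) "
    r"(.+?) (\d+) MB offset (\d+)$"
)
INFECTED_RE = re.compile(r"Disk (\d+) Partition (\d+) \*\*INFECTED\*\* (.+)$")


def parse_aswmbr(text):
    """Return {disk_no: {"size_mb": int|None, "parts": {part_no: dict}}}."""
    disks = {}
    blank = lambda: {"size_mb": None, "parts": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if m := DISK_RE.search(line):
            disks.setdefault(int(m.group(1)), blank())["size_mb"] = int(m.group(2))
        elif m := PART_RE.search(line):
            disk, part, boot, ptype, desc, size_mb, offset = m.groups()
            start_mb = int(offset) / SECTORS_PER_MB
            disks.setdefault(int(disk), blank())["parts"][int(part)] = {
                "bootable": boot == "80",
                "type": ptype,
                "desc": desc,
                "size_mb": int(size_mb),
                "offset_sectors": int(offset),
                "start_mb": start_mb,
                "end_mb": start_mb + int(size_mb),
                "verdict": None,
            }
        elif m := INFECTED_RE.search(line):
            parts = disks.setdefault(int(m.group(1)), blank())["parts"]
            parts.setdefault(int(m.group(2)), {})["verdict"] = m.group(3)
    return disks


def suspicious_partitions(disks, tiny_mb=16, tail_mb=8):
    """Flag partitions that are tiny or already flagged by the scanner.

    For each flagged partition the reasons also record whether it sits in the
    last `tail_mb` of the disk, the bootkit-style placement seen in the log.
    Being at the disk end alone is not a finding: the OS partition here also
    ends 1 MB before the disk end. Returns [(disk_no, part_no, [reasons])].
    """
    findings = []
    for disk_no, d in sorted(disks.items()):
        for part_no, p in sorted(d["parts"].items()):
            reasons = []
            if p.get("size_mb") is not None and p["size_mb"] <= tiny_mb:
                reasons.append("tiny")
            if p.get("verdict"):
                reasons.append("scanner_flagged:" + p["verdict"])
            if not reasons:
                continue
            if d["size_mb"] and p.get("end_mb") is not None and d["size_mb"] - p["end_mb"] <= tail_mb:
                reasons.append("at_disk_end")
            findings.append((disk_no, part_no, reasons))
    return findings


if __name__ == "__main__":
    for disk_no, part_no, reasons in suspicious_partitions(parse_aswmbr(ASWMBR_LOG)):
        print(f"Disk {disk_no} partition {part_no}: {', '.join(reasons)}")
```

The same sector arithmetic explains the ListParts output that follows in the thread: 976771072 sectors is 466 GB from the start of the disk, and the 1040 KB "RAW" volume there is the partition the Fix script removes.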
  14. Broni Malware Annihilator Posts: 39,288   +175

    OK, we still have that infected partition.

    For x86 (x32) bit systems please download Listparts to your Desktop.
    For x64 bit systems please download Listparts64 to your Desktop.
    Double click on downloaded file to start the program.

    Click on Scan button.

    Scan result will open in Notepad (Result.txt).
    Post it in your next reply.
  15. Johnny270268 Newcomer, in training Posts: 81

    Results for your perusal :)


    ListParts by Farbar Version: 15-07-2012
    Ran by Greg (administrator) on 16-07-2012 at 05:41:57
    Windows Vista (X86)
    Running From: C:\Users\Greg\Desktop
    Language: 0409
    ************************************************************
    ========================= Memory info ======================
    Percentage of memory in use: 42%
    Total physical RAM: 3070.45 MB
    Available physical RAM: 1759.82 MB
    Total Pagefile: 6369.88 MB
    Available Pagefile: 5188.91 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1976.38 MB
    ======================= Partitions =========================
    1 Drive c: (OS) (Fixed) (Total:450.7 GB) (Free:178.96 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
    2 Drive d: (RECOVERY) (Fixed) (Total:15 GB) (Free:6.25 GB) NTFS
    Disk ### Status Size Free Dyn Gpt
    -------- ---------- ------- ------- --- ---
    Disk 0 Online 466 GB 0 B
    Disk 1 No Media 0 B 0 B
    Disk 2 No Media 0 B 0 B
    Disk 3 No Media 0 B 0 B
    Disk 4 No Media 0 B 0 B
    Partitions of Disk 0:
    ===============
    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 OEM 63 MB 32 KB
    Partition 2 Primary 15 GB 63 MB
    Partition 3 Primary 451 GB 15 GB
    Partition 4 Primary 1040 KB 466 GB
    ======================================================================================================
    Disk: 0
    Partition 1
    Type : DE
    Hidden: Yes
    Active: No
    There is no volume associated with this partition.
    ======================================================================================================
    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 D RECOVERY NTFS Partition 15 GB Healthy
    ======================================================================================================
    Disk: 0
    Partition 3
    Type : 07
    Hidden: No
    Active: Yes
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 C OS NTFS Partition 451 GB Healthy System (partition with boot components)
    ======================================================================================================
    Disk: 0
    Partition 4
    Type : 07
    Hidden: No
    Active: No
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 F RAW Partition 1040 KB Healthy
    ======================================================================================================
    ****** End Of Log ******
  16. Broni Malware Annihilator Posts: 39,288   +175

    • Please open Notepad (Start>All Programs>Accessories>Notepad).
    • Copy and paste the contents of the quote box below into Notepad.

    • Save as Fix.txt to your Desktop (must be in this location).

    Next

    • Double click ListParts.exe/ListParts64.exe to launch the program.
    • Press the Fix button.
    • ListParts will process the script in Fix.txt
    • When finished please press the Scan button.
    • A log Result.txt will open on your Desktop.
    • Please post me the contents of the log.
  17. Johnny270268 Newcomer, in training Posts: 81

    Result log,


    ListParts by Farbar Version: 15-07-2012
    Ran by Greg (administrator) on 16-07-2012 at 05:57:48
    Windows Vista (X86)
    Running From: C:\Users\Greg\Desktop
    Language: 0409
    ************************************************************
    ========================= Memory info ======================
    Percentage of memory in use: 43%
    Total physical RAM: 3070.45 MB
    Available physical RAM: 1748 MB
    Total Pagefile: 6369.88 MB
    Available Pagefile: 5186.45 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1983.2 MB
    ======================= Partitions =========================
    1 Drive c: (OS) (Fixed) (Total:450.7 GB) (Free:178.96 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
    2 Drive d: (RECOVERY) (Fixed) (Total:15 GB) (Free:6.25 GB) NTFS
    Disk ### Status Size Free Dyn Gpt
    -------- ---------- ------- ------- --- ---
    Disk 0 Online 466 GB 0 B
    Disk 1 No Media 0 B 0 B
    Disk 2 No Media 0 B 0 B
    Disk 3 No Media 0 B 0 B
    Disk 4 No Media 0 B 0 B
    Partitions of Disk 0:
    ===============
    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 OEM 63 MB 32 KB
    Partition 2 Primary 15 GB 63 MB
    Partition 3 Primary 451 GB 15 GB
    ======================================================================================================
    Disk: 0
    Partition 1
    Type : DE
    Hidden: Yes
    Active: No
    There is no volume associated with this partition.
    ======================================================================================================
    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 D RECOVERY NTFS Partition 15 GB Healthy
    ======================================================================================================
    Disk: 0
    Partition 3
    Type : 07
    Hidden: No
    Active: Yes
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 C OS NTFS Partition 451 GB Healthy System (partition with boot components)
    ======================================================================================================
    ****** End Of Log ******
  18. Broni Malware Annihilator Posts: 39,288   +175

    Good job :)

    Delete your Combofix file, download fresh one and try to run it again (try safe mode if needed).

    If still no go post new FRST log.
  19. Johnny270268 Newcomer, in training Posts: 81

    Thanks Broni,

    Should I save it to desktop as your_name.exe or just run as natural file name?
  20. Johnny270268 Newcomer, in training Posts: 81

    Disregard my last post :confused: . ComboFix is happening. Will post results ASAP :)