Solved: May have Win64/Sirefef.B redirect problems, etc.

Status
Not open for further replies.
The log for the Kaspersky removal is huge. I deleted the individual registry searches to make it fit. What you have here are the header and footer entries. If you need all those other entries, let me know and I'll post.

EDIT: Kaspersky does not seem to be on my system, only that leftover folder. I took a quick Google look, and it would seem that manual deletion is OK to do for that folder. I have not yet tried, and will not do so until I hear from you.

8012:2154 09:20:43.319 KAVRemover tool version 1.0.179
8012:2154 09:20:43.320 User language detected: langID=9, sublangID=1
8012:2154 09:20:43.320 Setting UI language: langID=9, sublangID=2
8012:2154 09:20:43.320 Locale successfully set
8012:2154 09:20:43.321 dbghelp.dll dumped OK
8012:2154 09:20:43.323 Initializing application...
8012:2154 09:20:43.368 Loading ini files...
8012:2154 09:20:43.369 Loading resource data 'RES_INI_X64'...
8012:2154 09:20:43.372 Loading resource data finished, 615820 bytes
8012:2154 09:20:43.372 Parsing ini files data...
8012:2154 09:20:43.411 Ini files data parsed, 24 files parsed
8012:2154 09:20:43.411 Dumping data to files...
8012:2154 09:20:43.415 Data dumped to files
8012:20a0 09:20:43.420 Searching for installed products...
8012:20a0 09:20:43.421 ShutdownDetector started watch thread (00000298)
8012:0a7c 09:20:43.421 Watch thread started
8012:20a0 09:20:43.421 Kaspersky Removal Tool 1.0.179
8012:20a0 09:20:43.421 KLeaner initialized
8012:20a0 09:20:43.421 OS Platform = NT, version = 6.1.7601, 64 bit
8012:20a0 09:20:43.421 KLeaner is looking in C:\Users\TODDBA~1\AppData\Local\Temp\jkbasuy1\xsxfr\ for *.ini...
8012:20a0 09:20:43.422 file found: df0.ini
8012:20a0 09:20:43.429 This OS is not supported
8012:20a0 09:20:43.429 no detect
8012:20a0 09:20:43.429 file found: df1.ini
8012:20a0 09:20:43.437 no detect
8012:20a0 09:20:43.437 file found: df10.ini
8012:20a0 09:20:43.442 This OS is not supported
8012:20a0 09:20:43.442 no detect
8012:20a0 09:20:43.442 file found: df11.ini
8012:20a0 09:20:43.449 This OS is not supported
8012:20a0 09:20:43.449 no detect
8012:20a0 09:20:43.449 file found: df12.ini
8012:20a0 09:20:43.452 no detect
8012:20a0 09:20:43.452 file found: df13.ini
8012:20a0 09:20:43.459 no detect
8012:20a0 09:20:43.459 file found: df14.ini
8012:20a0 09:20:43.463 no detect
8012:20a0 09:20:43.463 file found: df15.ini
8012:20a0 09:20:43.468 This OS is not supported
8012:20a0 09:20:43.468 no detect
8012:20a0 09:20:43.468 file found: df16.ini
8012:20a0 09:20:43.476 no detect
8012:20a0 09:20:43.476 file found: df17.ini
8012:20a0 09:20:43.480 This OS is not supported
8012:20a0 09:20:43.480 no detect
8012:20a0 09:20:43.480 file found: df18.ini
8012:20a0 09:20:43.485 This OS is not supported
8012:20a0 09:20:43.485 no detect
8012:20a0 09:20:43.485 file found: df19.ini
8012:20a0 09:20:43.486 no detect
8012:20a0 09:20:43.486 file found: df2.ini
8012:20a0 09:20:43.490 This OS is not supported
8012:20a0 09:20:43.490 no detect
8012:20a0 09:20:43.490 file found: df20.ini
8012:20a0 09:20:43.498 no detect
8012:20a0 09:20:43.499 file found: df21.ini
8012:20a0 09:20:43.499 RegOpenKey64BitAware(SOFTWARE\Wow6432Node\KasperskyLab\Kaspersky Password Manager) ->
8012:20a0 09:20:43.499 RegOpenKeyEx(SOFTWARE\KasperskyLab\Kaspersky Password Manager) failed. Error 2: The system cannot find the file specified.
.
8012:20a0 09:20:43.499 no detect
8012:20a0 09:20:43.499 file found: df22.ini
8012:20a0 09:20:43.505 no detect
8012:20a0 09:20:43.505 file found: df23.ini
8012:20a0 09:20:43.505 RegOpenKey64BitAware(SYSTEM\CurrentControlSet\services) ->
8012:20a0 09:20:43.505 avptool_detection.RegQueryInfoKey: subkeys=579, maxlen= 38
8012:20a0 09:20:43.505 RegOpenKey64BitAware(SYSTEM\CurrentControlSet\services\.NET CLR Data\Instances\.NET CLR Data) ->
8012:20a0 09:20:43.505 RegOpenKeyEx(SYSTEM\CurrentControlSet\services\.NET CLR Data\Instances\.NET CLR Data) failed. Error 2: The system cannot find the file specified.

...deleted registry searches here

.
8012:20a0 09:20:43.722 No avptool drivers found
8012:20a0 09:20:43.722 no detect
8012:20a0 09:20:43.722 forced detection of Virus Removal Tool Driver
8012:20a0 09:20:43.722 file found: df3.ini
8012:20a0 09:20:43.727 no detect
8012:20a0 09:20:43.727 forced detection of Kaspersky Anti-Virus 6.0 FS MP4 (x64)
8012:20a0 09:20:43.727 file found: df4.ini
8012:20a0 09:20:43.730 This OS is not supported
8012:20a0 09:20:43.730 no detect
8012:20a0 09:20:43.730 forced detection of Kaspersky Anti-Virus 6.0 SOS MP3 x64
8012:20a0 09:20:43.730 file found: df5.ini
8012:20a0 09:20:43.733 no detect
8012:20a0 09:20:43.733 forced detection of Kaspersky Anti-Virus 6.0 SOS MP4 x64
8012:20a0 09:20:43.733 file found: df6.ini
8012:20a0 09:20:43.737 no detect
8012:20a0 09:20:43.737 forced detection of Kaspersky Anti-Virus 6.0 WKS MP4 (x64)
8012:20a0 09:20:43.737 file found: df7.ini
8012:20a0 09:20:43.740 This OS is not supported
8012:20a0 09:20:43.740 no detect
8012:20a0 09:20:43.741 forced detection of Kaspersky Anti-Virus 6.0 for Windows Servers
8012:20a0 09:20:43.741 file found: df8.ini
8012:20a0 09:20:43.743 This OS is not supported
8012:20a0 09:20:43.743 no detect
8012:20a0 09:20:43.743 forced detection of Kaspersky Anti-Virus 6.0 for Windows Servers Enterprise Edition x64
8012:20a0 09:20:43.743 file found: df9.ini
8012:20a0 09:20:43.747 This OS is not supported
8012:20a0 09:20:43.747 no detect
8012:20a0 09:20:43.747 forced detection of Kaspersky Anti-Virus 6.0 for Windows Workstations
8012:20a0 09:20:43.747 KLeaner deinitialized
8012:20a0 09:20:43.747 Stopping shutdown detector...
8012:20a0 09:20:43.747 Waiting for watch thread stop...
8012:1d54 09:20:43.747 Watch thread finished
8012:20a0 09:20:43.748 Watch thread was stopped
8012:11e8 09:21:28.123 Removing selected product: <Remove all known products>.
8012:11e8 09:21:28.123 ShutdownDetector started watch thread (000002cc)
8012:11e8 09:21:28.123 Kaspersky Removal Tool 1.0.179
8012:11e8 09:21:28.123 KLeaner initialized
8012:11e8 09:21:28.123 OS Platform = NT, version = 6.1.7601, 64 bit
8012:11e8 09:21:28.123 KLeaner is looking in C:\Users\TODDBA~1\AppData\Local\Temp\jkbasuy1\xsxfr\ for *.ini...
8012:11e8 09:21:28.123 file found: df0.ini
8012:11e8 09:21:28.127 This OS is not supported
8012:11e8 09:21:28.127 no detect
8012:11e8 09:21:28.127 forced detection of Kaspersky Anti-Virus 2009 (x64)
8012:11e8 09:21:28.127 removing...
8012:11e8 09:21:28.127 Processing section main...
8012:11e8 09:21:28.127 The 'Kaspersky Anti-Virus 2009' has been detected
8012:11e8 09:21:28.127 RegOpenKey64BitAware(software\Wow6432Node\KasperskyLab\protected\AVP8\environment) ->
8012:11e8 09:21:28.127 RegOpenKeyEx(software\KasperskyLab\protected\AVP8\environment) failed. Error 2: The system cannot find the file specified.
.
8012:11e8 09:21:28.128 error: invalid registry key software\Wow6432Node\KasperskyLab\protected\AVP8\environment or insufficient access right
8012:11e8 09:21:28.128 RegOpenKey64BitAware(SOFTWARE\Wow6432Node\KasperskyLab\protected\AVP8\environment) ->
8012:11e8 09:21:28.128 RegOpenKeyEx(SOFTWARE\KasperskyLab\protected\AVP8\environment) failed. Error 2: The system cannot find the file specified.
.
8012:11e8 09:21:28.128 error: invalid registry key SOFTWARE\Wow6432Node\KasperskyLab\protected\AVP8\environment or insufficient access right
8012:11e8 09:21:28.128 RegOpenKey64BitAware(SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE) ->
8012:11e8 09:21:28.128 Processing section assassinate...
8012:11e8 09:21:28.128 stopping service "avp"...
8012:11e8 09:21:28.128 Loading key data...
8012:11e8 09:21:28.128 key data (706 bytes) successfully loaded
8012:11e8 09:21:28.128 removing self-protection using new scheme...
8012:11e8 09:21:28.144 can't be done, err 0x80070002
8012:11e8 09:21:28.144 removing self-protection using old scheme...
8012:11e8 09:21:28.162 can't be done, err 0x80004005
8012:11e8 09:21:28.162 removing self-protection failed
8012:11e8 09:21:28.178 error: apply murder action - OpenService failed(The specified service does not exist)
8012:11e8 09:21:28.178 stopping service "avp"...
8012:11e8 09:21:28.178 Loading key data...
8012:11e8 09:21:28.178 key data (706 bytes) successfully loaded
8012:11e8 09:21:28.178 removing self-protection using new scheme...
8012:11e8 09:21:28.186 can't be done, err 0x80070002
8012:11e8 09:21:28.186 removing self-protection using old scheme...
8012:0e30 09:21:28.192 Watch thread started
8012:11e8 09:21:28.192 can't be done, err 0x80004005
8012:11e8 09:21:28.193 removing self-protection failed
8012:11e8 09:21:28.217 error: apply murder action - OpenService failed(The specified service does not exist)
8012:11e8 09:21:28.217 Processing section script...
8012:11e8 09:21:28.217 extracting resource to 'C:\Users\TODDBA~1\AppData\Local\Temp\actBB23.tmp'...
8012:11e8 09:21:28.217 Resource (341504 bytes) successfully dumped
8012:11e8 09:21:28.217 cmdline: '"C:\Users\TODDBA~1\AppData\Local\Temp\actBB23.tmp" remove vbs "param"'
8012:11e8 09:21:28.217 running utility...
8012:11e8 09:21:28.235 utility finished with exit code: 2
8012:11e8 09:21:28.235 ------Utility Stdout v ---
4704:1368 09:21:28.228 64-bit utility started, params: 'remove vbs param'
4704:1368 09:21:28.228 Command detected: restore original DLLs for VBS
4704:1368 09:21:28.228 64-bit utility finished, return code = 2
8012:11e8 09:21:28.235 ------Utility Stdout ^ ---
8012:11e8 09:21:28.235 Utility Stderr is empty
8012:11e8 09:21:28.235 creating kleaner host object...
8012:11e8 09:21:28.236 creating ActiveScriptSite...
8012:11e8 09:21:28.263 parsing script...
8012:11e8 09:21:28.273 ->Script Begin
8012:11e8 09:21:28.276 +++++ NEW SCENARIO +++++
8012:11e8 09:21:28.282 NOW!!! HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\protected\AVP8\settings contain:
8012:11e8 09:21:28.282 Processing section execute_avp...
8012:11e8 09:21:28.282 Calling 64-bit util for 'run' '%kaka% -e' action...
8012:11e8 09:21:28.282 cmdline: '"C:\Users\TODDBA~1\AppData\Local\Temp\actBB23.tmp" run run-cmd "%kaka% -e"'
8012:11e8 09:21:28.283 running utility...
8012:11e8 09:21:28.297 utility finished with exit code: 2
8012:11e8 09:21:28.297 ------Utility Stdout v ---
8472:1150 09:21:28.292 64-bit utility started, params: 'run run-cmd %kaka% -e'
8472:1150 09:21:28.292 Command detected: run-cmd '%kaka% -e'
8472:1150 09:21:28.292 executing command line: %kaka% -e
8472:1150 09:21:28.293 failed to execute, error = 2
8472:1150 09:21:28.293 64-bit utility finished, return code = 2
8012:11e8 09:21:28.297 ------Utility Stdout ^ ---
8012:11e8 09:21:28.297 Utility Stderr is empty
8012:11e8 09:21:28.297 Command was not executed
8012:11e8 09:21:28.354 ->msiReturnCode: 1605
8012:11e8 09:21:28.354 ->Begin: If Error while uninstalling
8012:11e8 09:21:28.354 Processing section assassinateall...
8012:11e8 09:21:28.354 stopping process "avp" with method 0...
8012:11e8 09:21:28.354 RegOpenKey64BitAware(software\microsoft\windows nt\currentversion\perflib\009) ->
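The log above is long, and the lines that matter are buried between hundreds of "no detect" entries. The following script is an added example, not something posted in this thread or shipped with the Kaspersky removal tool: it parses the `pid:tid hh:mm:ss.fff message` line format the tool uses, separates the tool's "forced detection of" entries (which appear even on the first search pass) from the "has been detected" confirmations, and decodes the Windows/MSI error codes that show up. The embedded sample log is a constructed excerpt modelled on the posted log; the function names and the error-code table are this example's own. It is written for Windows PowerShell 2.0 (the version on Windows 7), so it avoids the `[pscustomobject]` cast.

```powershell
# Added example (not from the thread): triage a KAVRemover log.
# Constructed excerpt modelled on the log posted above.
$sampleLog = @'
8012:20a0 09:20:43.421 OS Platform = NT, version = 6.1.7601, 64 bit
8012:20a0 09:20:43.422 file found: df0.ini
8012:20a0 09:20:43.429 This OS is not supported
8012:20a0 09:20:43.429 no detect
8012:20a0 09:20:43.722 forced detection of Virus Removal Tool Driver
8012:11e8 09:21:28.127 forced detection of Kaspersky Anti-Virus 2009 (x64)
8012:11e8 09:21:28.127 The 'Kaspersky Anti-Virus 2009' has been detected
8012:11e8 09:21:28.129 error: invalid registry key SOFTWARE\Wow6432Node\KasperskyLab\protected\AVP8\environment or insufficient access right
8012:11e8 09:21:28.144 can't be done, err 0x80070002
8012:11e8 09:21:28.162 can't be done, err 0x80004005
8012:11e8 09:21:28.178 error: apply murder action - OpenService failed(The specified service does not exist)
8012:11e8 09:21:28.235 utility finished with exit code: 2
8012:11e8 09:21:28.354 ->msiReturnCode: 1605
'@

function Get-KavRemoverSummary {
    param([Parameter(Mandatory=$true)][string[]]$Lines)

    # Line layout used by the tool: <pid hex>:<tid hex> <hh:mm:ss.fff> <message>
    $pattern = '^(?<proc>[0-9a-f]+):(?<thread>[0-9a-f]+) (?<time>\d\d:\d\d:\d\d\.\d{3}) (?<msg>.*)$'
    $events = @()
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            $events += New-Object PSObject -Property @{
                Proc = $matches['proc']; Thread = $matches['thread']
                Time = $matches['time']; Message = $matches['msg']
            }
        }
    }

    # Standard Windows / MSI codes that appear in these logs (example's own table).
    $codes = @{
        '0x80070002' = 'HRESULT of ERROR_FILE_NOT_FOUND: the key/file/driver the tool tried to open is absent'
        '0x80004005' = 'E_FAIL: unspecified failure (here: self-protection could not be removed)'
        '1605'       = 'MSI ERROR_UNKNOWN_PRODUCT: no such product is installed'
    }

    # "forced detection of X" is the tool trying every product it knows about;
    # "The 'X' has been detected" is the only line that names a product as present.
    $forced = @($events | Where-Object { $_.Message -like 'forced detection of *' } |
        ForEach-Object { $_.Message.Substring('forced detection of '.Length) })
    $detected = @($events | ForEach-Object {
        if ($_.Message -match "^The '(.+)' has been detected$") { $matches[1] } })

    $errors = @($events | Where-Object {
        $_.Message -match "^error:|can't be done|failed\b|exit code: [1-9]|msiReturnCode: [1-9]" })
    $decoded = foreach ($e in $errors) {
        $meaning = ''
        foreach ($k in $codes.Keys) { if ($e.Message -match "\b$k\b") { $meaning = $codes[$k] } }
        New-Object PSObject -Property @{ Time = $e.Time; Message = $e.Message; Meaning = $meaning }
    }

    New-Object PSObject -Property @{
        Events            = $events.Count
        ForcedDetections  = $forced
        ConfirmedProducts = $detected
        Errors            = @($decoded)
    }
}

$summary = Get-KavRemoverSummary -Lines ($sampleLog -split "`r?`n")
"Parsed events      : $($summary.Events)"
"Confirmed products : $($summary.ConfirmedProducts -join ', ')"
"Forced detections  : $($summary.ForcedDetections -join ', ')"
$summary.Errors | Format-Table Time, Meaning, Message -AutoSize -Wrap
```

To run it on a real log, replace the constructed here-string with `Get-Content .\kavremvr.log` (the file name is whatever the tool wrote; it is not stated in the thread). Reading the posted log the same way: the single "has been detected" line at 09:21:28.127 is emitted immediately after a "forced detection of" line during the "Remove all known products" pass, and every step that follows fails with file-not-found (0x80070002), a missing "avp" service, and MSI return code 1605. That pattern is what a run against a machine with no installed Kaspersky product looks like, which matches the poster's observation that only a leftover folder remained.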
 
Actually, the Kaspersky file does show removed, but then shows created again.

If you can find this, go ahead and do a manual delete.
 
Deleted without a problem. Bobbye, unless you still see any big problems, I'd like to close this out soon. Computer seems to be running correctly, and although I'm keeping it disconnected from the Internet, when I do reconnect to continue cleaning I don't detect any weird processes or behavior. I don't see anything funny in the logs anymore. So I'm hopeful!

But I may be missing something, and if you really think more work needs to be done, please say so. I've cleaned up and removed all the cleaning apps except for Malwarebytes and Combofix. I did save logs. I have not yet removed my past restore points, and won't until I hear from you.

Thanks again for all your help--I see how swamped you guys are, so I greatly appreciate your work!
 
You're welcome. Since the problems have been resolved and the system is clean, you can remove all of the tools we used and the files and folders they created:
  • Uninstall ComboFix and all Backups of the files it deleted
    [o] Click START> then RUN
    [o] Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U; it needs to be there.
  • Download OTCleanIt by OldTimer and save it to your Desktop.
    [o] Double click OTCleanIt.exe.
    [o] Click the CleanUp! button.
    [o] If you are prompted to Reboot during the cleanup, select Yes.
    [o] The tool will delete itself once it finishes.
    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
  • Set a new, clean Restore Point
    [o] Click on Start> right click on Computer> Properties
    [o] Select System Protection
    [o] Click on the Create button (near bottom)
    [o] Type a name for the Restore Point
    [o] Click on Create again to save the restore point.
  • Deleting all but the most recent System Protection point in Windows 7
    [o] Click Start> Computer> right click the C Drive and choose Properties> enter.
    [o] Click Disk Cleanup from there.
    [screenshot: image2.png]

    [o] Click Clean up system files
    This restarts Disk Cleanup to run in elevated mode.
    [o] Click the More Options tab
    [screenshot: w7-srp2.png]

    [o] Click the Clean up under System Restore and Shadow Copies.
    [o] Click OK.
    [o] You will get a confirmation screen> Just click Delete.
    [o] Click OK on the Disk Cleanup Screen.
    [o] Click Delete Files on the Confirmation screen.
[screenshot: image6.png]

This runs the Disk Cleanup utility along with any other selections you have chosen. (If you had a lot of System Restore points, you will see a significant change in the free space on the C drive.)
Images courtesy lytebyte.

Empty the Recycle Bin

Let me know if you have any questions. You indicate that you have removed the Kaspersky data. If you have not, it's okay to delete it all manually.
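The restore-point part of the clean-up above (create a fresh clean point, then drop all the older ones) can also be done from an elevated Windows PowerShell prompt on Windows 7, which is handy when you want a record of what was deleted. The script below is an added example, not part of the helper's instructions or of any of the tools named in the thread. It assumes C: is the protected system volume and that the prompt is running as Administrator; the function names are this example's own. The Combofix and OTCleanIt steps are deliberately left to the instructions above, since those tools have their own uninstall paths.

```powershell
# Added example (not from the thread): restore-point clean-up on Windows 7
# from an elevated Windows PowerShell prompt. Assumes C: is the system volume.

function Get-RestorePointList {
    # Oldest first; CreationTime is a WMI datetime string, so convert it for display.
    Get-ComputerRestorePoint | Sort-Object SequenceNumber |
        Select-Object SequenceNumber, Description, RestorePointType,
            @{ Name = 'Created'; Expression = { $_.ConvertToDateTime($_.CreationTime) } }
}

function New-CleanRestorePoint {
    param([string]$Description = 'Clean after malware removal')
    # MODIFY_SETTINGS is one of the documented restore point types.
    # Caveat: on Windows 8 and later, Checkpoint-Computer silently refuses a second
    # point within 24 hours unless SystemRestorePointCreationFrequency is lowered;
    # Windows 7 has no such limit.
    Checkpoint-Computer -Description $Description -RestorePointType MODIFY_SETTINGS
    Get-RestorePointList | Select-Object -Last 1
}

function Remove-AllButNewestShadowCopy {
    param([string]$DriveLetter = 'C:')
    # On Vista/7 restore points are stored inside VSS shadow copies of the volume,
    # so deleting every shadow copy except the newest is what Disk Cleanup's
    # "System Restore and Shadow Copies" button does.
    $volumeName = (Get-WmiObject Win32_Volume -Filter "DriveLetter='$DriveLetter'").DeviceID
    $shadows = @(Get-WmiObject Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $volumeName } |
        Sort-Object InstallDate)            # WMI datetime strings sort chronologically
    if ($shadows.Count -le 1) {
        Write-Host "Nothing to delete: $($shadows.Count) shadow copy on $DriveLetter"
        return
    }
    $shadows[0..($shadows.Count - 2)] | ForEach-Object {
        Write-Host ("Deleting shadow copy {0} created {1}" -f $_.ID, $_.InstallDate)
        $_.Delete() | Out-Null             # ManagementObject.Delete removes the copy
    }
    Write-Host ("Kept newest shadow copy {0}" -f $shadows[-1].ID)
}

# Order matters: create the clean point first, then prune everything older than it.
"Before:"; Get-RestorePointList | Format-Table -AutoSize
New-CleanRestorePoint -Description 'Clean after malware removal' | Format-Table -AutoSize
Remove-AllButNewestShadowCopy -DriveLetter 'C:'
"After:"; Get-RestorePointList | Format-Table -AutoSize
```

Run `Get-RestorePointList` on its own first if you only want to see what is there; the `Before:`/`After:` listings give you the same confirmation the Disk Cleanup dialog does, plus the sequence numbers and descriptions of the points that were removed. If you would rather stay with built-in tools, `vssadmin list shadows` and `vssadmin delete shadows /for=C: /oldest` do the same job one copy at a time.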
 