Sirefef.FB.Gen/ScrInject.B.Gen plaguing recently obtained computer

Solved
By rmacleod18
Dec 9, 2012
  1. rmacleod18

    rmacleod18 Newcomer, in training Topic Starter Posts: 31

    The security check scan isn't popping up the log when it finishes...it just disappears.
    I also noticed that my notepad seems to have vanished...I can see it in the start menu but it has the icon that means it doesn't exist.
  2. rmacleod18

    rmacleod18 Newcomer, in training Topic Starter Posts: 31

    Everything has been opening in wordpad...

    Here is the FSS log

    Farbar Service Scanner Version: 10-12-2012
    Ran by User (administrator) on 12-12-2012 at 20:29:00
    Running from "C:\Users\User\Desktop"
    Windows Vista (TM) Home Basic Service Pack 2 (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Attempt to access Google IP returned error. Google IP is unreachable
    Attempt to access Google.com returned error: Other errors
    Attempt to access Yahoo IP returned error. Yahoo IP is unreachable
    Attempt to access Yahoo.com returned error: Other errors


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Security Center:
    ============

    Windows Update:
    ============

    Windows Autoupdate Disabled Policy:
    ============================


    Windows Defender:
    ==============
    WinDefend Service is not running. Checking service configuration:
    The start type of WinDefend service is set to Demand. The default start type is Auto.
    The ImagePath of WinDefend service is OK.
    The ServiceDll of WinDefend service is OK.


    Other Services:
    ==============


    File Check:
    ========
    C:\Windows\system32\nsisvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\afd.sys => MD5 is legit
    C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
    C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\system32\dnsrslvr.dll => MD5 is legit
    C:\Windows\system32\mpssvc.dll => MD5 is legit
    C:\Windows\system32\bfe.dll => MD5 is legit
    C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\system32\SDRSVC.dll => MD5 is legit
    C:\Windows\system32\vssvc.exe => MD5 is legit
    C:\Windows\system32\wscsvc.dll => MD5 is legit
    C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\system32\wuaueng.dll => MD5 is legit
    C:\Windows\system32\qmgr.dll => MD5 is legit
    C:\Windows\system32\es.dll => MD5 is legit
    C:\Windows\system32\cryptsvc.dll
    [2012-12-11 06:58] - [2012-06-01 19:02] - 0133120 ____A (Microsoft Corporation) F1E8C34892336D33EDDCDFE44E474F64

    C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
    C:\Windows\system32\svchost.exe => MD5 is legit
    C:\Windows\system32\rpcss.dll => MD5 is legit


    **** End of log ****
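    A way to triage the FSS log above automatically, as an added example (not part of the original thread and not FSS's own code). FSS prints "=> MD5 is legit" for a file whose hash is in its built-in known-good list and otherwise dumps the file's timestamps, size, attributes, company and MD5 instead, so in this log cryptsvc.dll is the only file it could not vouch for. That is not evidence of tampering on its own: a freshly patched build (note the 2012-06-01 file date) is the usual cause, so the script reports it as "verify", alongside the non-default WinDefend start type and the failed connectivity probes. The log excerpt is copied from the post above; the function names are the example's own.

```python
"""Triage a Farbar Service Scanner (FSS) log into actionable findings.

Added example; not FSS code.  FSS marks files whose MD5 is in its built-in
known-good list with "=> MD5 is legit" and prints a detail line (timestamps,
size, attributes, company, MD5) for anything else.  An unlisted hash is not
proof of tampering, so such files are reported as "verify", not "bad".
"""
import re

# Excerpt of the FSS log posted above (connection, Windows Defender and
# File Check sections), embedded so the script runs offline.
FSS_LOG = r"""
Connection Status:
==============
Localhost is accessible.
LAN connected.
Attempt to access Google IP returned error. Google IP is unreachable
Attempt to access Google.com returned error: Other errors

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll
[2012-12-11 06:58] - [2012-06-01 19:02] - 0133120 ____A (Microsoft Corporation) F1E8C34892336D33EDDCDFE44E474F64

C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
"""

SERVICE_RE = re.compile(
    r"The start type of (\w+) service is set to (\w+)\. "
    r"The default start type is (\w+)\."
)
# "[created] - [modified] - size attrs (company) MD5" as FSS prints it for
# files it could not match against its known-good list.
DETAIL_RE = re.compile(
    r"^\[([^\]]+)\] - \[([^\]]+)\] - (\d+) (\S+) \(([^)]*)\) ([0-9A-Fa-f]{32})$"
)
PATH_RE = re.compile(r"^[A-Za-z]:\\")


def triage_fss(text):
    """Return a dict with 'connectivity', 'services' and 'unverified_files'."""
    findings = {"connectivity": [], "services": [], "unverified_files": []}
    lines = [ln.strip() for ln in text.splitlines()]
    for i, line in enumerate(lines):
        # Failed connectivity probes.  LAN up but Internet hosts unreachable
        # can mean hijacked DNS/proxy settings on an infected box, or, as in
        # this thread, simply a flaky ISP link; either way it needs a look.
        if line.startswith("Attempt to access") and "error" in line:
            findings["connectivity"].append(line)
            continue
        # Service start type that deviates from the default FSS knows.
        m = SERVICE_RE.search(line)
        if m:
            svc, actual, default = m.groups()
            if actual.lower() != default.lower():
                findings["services"].append(
                    {"service": svc, "start": actual, "default": default})
            continue
        # Known-good file: nothing to do.
        if line.endswith("=> MD5 is legit"):
            continue
        # Bare path followed by a detail line: hash not in the FSS list.
        if PATH_RE.match(line) and i + 1 < len(lines):
            d = DETAIL_RE.match(lines[i + 1])
            if d:
                findings["unverified_files"].append({
                    "path": line,
                    "timestamps": (d.group(1), d.group(2)),
                    "size": int(d.group(3)),
                    "attrs": d.group(4),
                    "company": d.group(5),
                    "md5": d.group(6).upper(),
                })
    return findings


def summarize(findings):
    """Render findings as one-line strings, files to verify first."""
    out = []
    for f in findings["unverified_files"]:
        out.append(f"VERIFY  {f['path']}  md5={f['md5']}  size={f['size']}  ({f['company']})")
    for s in findings["services"]:
        out.append(f"SERVICE {s['service']} start={s['start']} (default {s['default']})")
    for c in findings["connectivity"]:
        out.append(f"NETWORK {c}")
    return out


if __name__ == "__main__":
    for line in summarize(triage_fss(FSS_LOG)):
        print(line)
```

    The "VERIFY" line is the one to follow up by hand: compare the reported MD5 with a known-good copy of the same file version (another patched Vista SP2 machine, or the copy under C:\Windows\winsxs) before concluding anything about it.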
  3. rmacleod18

    rmacleod18 Newcomer, in training Topic Starter Posts: 31

    I'm also stuck on the f-secure...it says I need an add-on to run it but it doesn't say how to obtain said browser add-on.
  4. Broni

    Broni Malware Annihilator Posts: 45,312   +243

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    64-bit users go HERE
    • Double-click SystemLook.exe to run it.
    • Vista users: Right click on SystemLook.exe, click Run As Administrator
    • Copy the content of the following box and paste it into the main textfield:
      Code:
      :filefind
      notepad.exe
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
  5. rmacleod18

    rmacleod18 Newcomer, in training Topic Starter Posts: 31

    SystemLook 30.07.11 by jpshortstuff
    Log created at 12:30 on 13/12/2012 by User
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "notepad.exe"
    C:\Windows\winsxs\x86_microsoft-windows-notepadwin_31bf3856ad364e35_6.0.6000.16386_none_40930ae2fe21fcf5\notepad.exe --a---- 151040 bytes [12:33 02/11/2006] [12:33 02/11/2006] FF7F14FDA901090E337488A1900E3660
    C:\Windows\winsxs\x86_microsoft-windows-notepadwin_31bf3856ad364e35_6.0.6001.18000_none_42c9ccdefb0d0dc9\notepad.exe ------- 151040 bytes [21:03 20/09/2009] [03:33 19/01/2008] DAF60E13E96ECB67F0EDAA89C6B01B8D
    C:\Windows\winsxs\x86_microsoft-windows-notepad_31bf3856ad364e35_6.0.6000.16386_none_6ce3cb7f7314aa9f\notepad.exe --a---- 151040 bytes [08:47 02/11/2006] [09:45 02/11/2006] FF7F14FDA901090E337488A1900E3660
    C:\Windows\winsxs\x86_microsoft-windows-notepad_31bf3856ad364e35_6.0.6001.18000_none_6f1a8d7b6fffbb73\notepad.exe ------- 151040 bytes [21:03 20/09/2009] [03:33 19/01/2008] 956CC95433E9D3981963663362929C6F

    -= EOF =-
  6. Broni

    Broni Malware Annihilator Posts: 45,312   +243

    Something happened to formatting. I can barely read it.
    Please repost or even attach search result log.
  7. rmacleod18

    rmacleod18 Newcomer, in training Topic Starter Posts: 31

    Something is ****ed up... the only way I was able to post it was to copy/paste to Word, then copy/paste to here... if I try to do it directly from WordPad it just makes an "S"... it's kinda weird.
  8. rmacleod18

    rmacleod18 Newcomer, in training Topic Starter Posts: 31

    It also doesn't help that my ISP is garbage... my connection cuts out literally every 30 secs, then takes a minute or 2 to re-connect. I need to ream out Bell on this but I just don't have the time to sit on hold for an hour.
  9. Broni

    Broni Malware Annihilator Posts: 45,312   +243

    Copy/paste to Notepad instead of Word.
  10. rmacleod18

    rmacleod18 Newcomer, in training Topic Starter Posts: 31

    Notepad doesn't exist... when I try to open it a window pops up saying Windows cannot find 'C:\Windows\System32\notepad.exe'. Make sure it's typed correctly... blah blah blah... I'm clicking a link that did open Notepad just a few days ago when we started this process.
  11. Broni

    Broni Malware Annihilator Posts: 45,312   +243

    Oooops sorry.
    It's indeed missing. That was the reason we ran System Look...LOL
    We have good copies though...

    Copy Notepad file from here:
    C:\Windows\winsxs\x86_microsoft-windows-notepadwin_31bf3856ad364e35_6.0.6001.18000_none_42c9ccdefb0d0dc9\notepad.exe
    and paste it to C:\Windows\System32 folder
  12. rmacleod18

    rmacleod18 Newcomer, in training Topic Starter Posts: 31

    There we go that is much better

    SystemLook 30.07.11 by jpshortstuff
    Log created at 12:30 on 13/12/2012 by User
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "notepad.exe"
    C:\Windows\winsxs\x86_microsoft-windows-notepadwin_31bf3856ad364e35_6.0.6000.16386_none_40930ae2fe21fcf5\notepad.exe --a---- 151040 bytes [12:33 02/11/2006] [12:33 02/11/2006] FF7F14FDA901090E337488A1900E3660
    C:\Windows\winsxs\x86_microsoft-windows-notepadwin_31bf3856ad364e35_6.0.6001.18000_none_42c9ccdefb0d0dc9\notepad.exe ------- 151040 bytes [21:03 20/09/2009] [03:33 19/01/2008] DAF60E13E96ECB67F0EDAA89C6B01B8D
    C:\Windows\winsxs\x86_microsoft-windows-notepad_31bf3856ad364e35_6.0.6000.16386_none_6ce3cb7f7314aa9f\notepad.exe --a---- 151040 bytes [08:47 02/11/2006] [09:45 02/11/2006] FF7F14FDA901090E337488A1900E3660
    C:\Windows\winsxs\x86_microsoft-windows-notepad_31bf3856ad364e35_6.0.6001.18000_none_6f1a8d7b6fffbb73\notepad.exe ------- 151040 bytes [21:03 20/09/2009] [03:33 19/01/2008] 956CC95433E9D3981963663362929C6F

    -= EOF =-
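    The SystemLook search Broni requested earlier and the manual restore he describes above (copy one of the WinSxS copies of notepad.exe into System32), as an added example that is not part of the original thread and not SystemLook's code. It parses the ':filefind' hits, groups them by hash (the two 6.0.6000.16386 copies are byte-identical), picks the newest copy of a given component, and then performs the copy only if the file on disk still hashes to the value SystemLook listed, refusing to overwrite an existing destination. MD5 is used only because that is what SystemLook reports; it is fine for matching a listing, not as a defence against a deliberately crafted collision. The four log lines are copied from the post above; the function names and the component-name argument are the example's own.

```python
"""Parse SystemLook ':filefind' output and restore a missing system binary
from a WinSxS copy, verifying the hash before and after the copy.

Added example, not SystemLook's or the thread's code.  It automates the
manual step from the thread (copy a WinSxS notepad.exe into System32) with
the checks a responder wants: pick the candidate by component and version,
refuse to copy if the on-disk MD5 differs from the one SystemLook listed,
and never silently overwrite an existing file.
"""
import hashlib
import re
import shutil
from pathlib import Path

# The four filefind hits from the SystemLook log posted above.
SYSTEMLOOK_LOG = r"""
Searching for "notepad.exe"
C:\Windows\winsxs\x86_microsoft-windows-notepadwin_31bf3856ad364e35_6.0.6000.16386_none_40930ae2fe21fcf5\notepad.exe --a---- 151040 bytes [12:33 02/11/2006] [12:33 02/11/2006] FF7F14FDA901090E337488A1900E3660
C:\Windows\winsxs\x86_microsoft-windows-notepadwin_31bf3856ad364e35_6.0.6001.18000_none_42c9ccdefb0d0dc9\notepad.exe ------- 151040 bytes [21:03 20/09/2009] [03:33 19/01/2008] DAF60E13E96ECB67F0EDAA89C6B01B8D
C:\Windows\winsxs\x86_microsoft-windows-notepad_31bf3856ad364e35_6.0.6000.16386_none_6ce3cb7f7314aa9f\notepad.exe --a---- 151040 bytes [08:47 02/11/2006] [09:45 02/11/2006] FF7F14FDA901090E337488A1900E3660
C:\Windows\winsxs\x86_microsoft-windows-notepad_31bf3856ad364e35_6.0.6001.18000_none_6f1a8d7b6fffbb73\notepad.exe ------- 151040 bytes [21:03 20/09/2009] [03:33 19/01/2008] 956CC95433E9D3981963663362929C6F
"""

# "<path> <attrs> <size> bytes [<stamp>] [<stamp>] <MD5>" as SystemLook prints it.
HIT_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\\S.*?) (?P<attrs>[-a-z]{7}) (?P<size>\d+) bytes "
    r"\[(?P<ts1>[^\]]+)\] \[(?P<ts2>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)
# WinSxS directory names embed the component name and its file version.
WINSXS_RE = re.compile(
    r"\\winsxs\\(?P<component>[^\\]+?)_(?P<version>\d+\.\d+\.\d+\.\d+)_", re.I
)


def parse_filefind(text):
    """Return one dict per hit with path, attrs, size, md5, component, version."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line.strip())
        if not m:
            continue
        hit = m.groupdict()
        hit["size"] = int(hit["size"])
        hit["md5"] = hit["md5"].upper()
        w = WINSXS_RE.search(hit["path"])
        hit["component"] = w.group("component") if w else None
        hit["version"] = tuple(int(x) for x in w.group("version").split(".")) if w else ()
        hits.append(hit)
    return hits


def group_by_md5(hits):
    """Map MD5 -> list of paths, so identical copies are visible at a glance."""
    groups = {}
    for h in hits:
        groups.setdefault(h["md5"], []).append(h["path"])
    return groups


def pick_candidate(hits, component):
    """Newest WinSxS copy whose component name starts with `component`."""
    matching = [h for h in hits if h["component"] and h["component"].startswith(component)]
    return max(matching, key=lambda h: h["version"]) if matching else None


def md5_of_file(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def restore_file(src, dst, expected_md5, overwrite=False):
    """Copy src to dst only if src hashes to expected_md5; return dst's MD5."""
    src, dst = Path(src), Path(dst)
    if dst.exists() and not overwrite:
        raise FileExistsError(f"{dst} already exists; not overwriting")
    actual = md5_of_file(src)
    if actual != expected_md5.upper():
        raise ValueError(f"{src}: MD5 {actual} != expected {expected_md5.upper()}")
    shutil.copy2(src, dst)          # keeps timestamps, as a manual copy would
    copied = md5_of_file(dst)
    if copied != actual:
        raise ValueError(f"{dst}: copy corrupted ({copied})")
    return copied


if __name__ == "__main__":
    hits = parse_filefind(SYSTEMLOOK_LOG)
    for md5, paths in group_by_md5(hits).items():
        print(md5, len(paths), "copies")
    c = pick_candidate(hits, "x86_microsoft-windows-notepadwin")
    print("candidate:", c["path"], c["version"], c["md5"])
    # On the affected machine, from an elevated prompt, the restore would be:
    # restore_file(c["path"], r"C:\Windows\System32\notepad.exe", c["md5"])
```

    The copy into System32 needs an elevated prompt, just as the manual paste does. Keeping the hash check in the path matters because WinSxS is exactly where a file-infector or a dropped replacement could also have landed, and the listing gives you a value to compare against before anything goes back into System32.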
  13. rmacleod18

    rmacleod18 Newcomer, in training Topic Starter Posts: 31

    And here is the security check scan... Just the F-Secure scanner to go

    Results of screen317's Security Check version 0.99.56
    Windows Vista Service Pack 2 x86 (UAC is enabled)
    Internet Explorer 9
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Enabled!
    WMI entry may not exist for antivirus; attempting automatic update.
    `````````Anti-malware/Other Utilities Check:`````````
    Malwarebytes Anti-Malware version 1.65.1.1000
    Java(TM) 6 Update 30
    Java 7 Update 9
    Adobe Flash Player 11.5.502.135
    Adobe Reader 9 Adobe Reader out of Date!
    Mozilla Firefox (17.0.1)
    ````````Process Check: objlist.exe by Laurent````````
    ESET NOD32 Antivirus egui.exe
    ESET NOD32 Antivirus ekrn.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C: 0 %
    ````````````````````End of Log``````````````````````
     
  14. rmacleod18

    rmacleod18 Newcomer, in training Topic Starter Posts: 31

    And sorry about the delay there I broke down and called Bell about my connectivity issues.
  15. Broni

    Broni Malware Annihilator Posts: 45,312   +243

    Not a problem :)
  16. rmacleod18

    rmacleod18 Newcomer, in training Topic Starter Posts: 31

    I still can't find that add-on that f-secure says I need
  17. Broni

    Broni Malware Annihilator Posts: 45,312   +243

    Try different browser.
  18. rmacleod18

    rmacleod18 Newcomer, in training Topic Starter Posts: 31

    Scanning Report

    Friday, December 14, 2012 17:19:24 - 17:49:51

    Computer name: USER-PC
    Scanning type: Quick scan
    Target: System
    3 malware found

    TrackingCookie.2o7(spyware)
    • System (Disinfected)
    TrackingCookie.Advertising(spyware)
    • System (Disinfected)
    TrackingCookie.Mediaplex(spyware)
    • System (Disinfected)
    Statistics

    Scanned:
    • Files: 5129
    • System: 5129
    • Not scanned: 0
    Actions:
    • Disinfected: 3
    • Renamed: 0
    • Deleted: 0
    • Not cleaned: 0
    • Submitted: 0
  19. Broni

    Broni Malware Annihilator Posts: 45,312   +243

    Update Adobe Reader

    You can download it from http://www.adobe.com/products/acrobat/readstep2.html
    After installing the latest Adobe Reader, uninstall all previous versions (if present).
    Note. If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

    Alternatively, you can uninstall Adobe Reader (33.5 MB), download and install Foxit PDF Reader(3.5MB) from HERE.
    It's a much smaller file to download and uses a lot less resources than Adobe Reader.
    Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or any other garbage.

    ============================

    Your computer is clean

    1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [emptyjava]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now we'll remove all the tools we used during our cleaning process.

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure Windows Updates are current.

    4. If any trojans, rootkits or bootkits were listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    5. Check if your browser plugins are up to date.
    Firefox - https://www.mozilla.org/en-US/plugincheck/
    other browsers: https://browsercheck.qualys.com/ (click on "Launch a quick scan now" link)

    6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    7. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    8. Run Temporary File Cleaner (TFC) weekly.

    9. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and outdated programs and plug-ins which expose your PC to attacks. Run it weekly.

    10. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    11. (Windows XP only) Run defrag at your convenience.

    12. When installing\updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.

    13. Read:
    How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html
    Simple and easy ways to keep your computer safe and secure on the Internet: http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

    14. Please let me know how your computer is doing.
  20. Broni

    Broni Malware Annihilator Posts: 45,312   +243

    The issue seems to be resolved.
  21. rmacleod18

    rmacleod18 Newcomer, in training Topic Starter Posts: 31

    Thanks for all your help... I haven't been on recently because Bell found the problem and had the whole block down for a few days: the technician found water damage at the junction that leads to my neighbourhood, causing us all to short out frequently.

    Everything seems fine now and I would be totally screwed without your help, thanks again. I wish I could donate even a little bit to you but...three kids, christmas time...you know how it is.

    Thanks Again
    Ryan
  22. Broni

    Broni Malware Annihilator Posts: 45,312   +243

    Way to go!!
    Good luck and stay safe :)
  23. rmacleod18

    rmacleod18 Newcomer, in training Topic Starter Posts: 31

    Thanks for all your help... I haven't been on recently because Bell found the problem and had the whole block down for a few days: the technician found water damage at the junction that leads to my neighbourhood, causing us all to short out frequently.

    Everything seems fine now and I would be totally screwed without your help, thanks again. I wish I could donate even a little bit to you but...three kids, christmas time...you know how it is.

    Thanks Again
    Ryan
  24. rmacleod18

    rmacleod18 Newcomer, in training Topic Starter Posts: 31

    Sorry for the repost, it looked like it hadn't sent when I came back to the tab.