Inactive Sirefef got me

This is an old log, from before I even came to this site. Not sure if it will be of any use to you.
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org
Database version: v2012.07.27.08
Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking)
Internet Explorer 9.0.8112.16421
cal :: CAL_DELL531S [administrator]
7/27/2012 12:49:19 PM
mbam-log-2012-07-27 (12-49-19).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 201796
Time elapsed: 7 minute(s), 57 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 4
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|tTAXlNdYqeIHN.exe (Trojan.FakeAlert.3CH) -> Data: C:\ProgramData\tTAXlNdYqeIHN.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|XSECVA (Trojan.Agent) -> Data: "C:\Users\cal\AppData\Roaming\xsecva\xsecva.exe" -s -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|lsaco (Trojan.Midhos) -> Data: rundll32.exe "C:\Users\cal\AppData\Roaming\lsaco.dll",HrGetStreamPos -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|6IYqpdniL7Y909 (Backdoor.Agent.RC2Gen) -> Data: C:\ProgramData\6IYqpdniL7Y909.exe -> Quarantined and deleted successfully.
Registry Data Items Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
Folders Detected: 0
(No malicious items detected)
Files Detected: 7
C:\ProgramData\tTAXlNdYqeIHN.exe (Trojan.FakeAlert.3CH) -> Quarantined and deleted successfully.
C:\Users\cal\AppData\Roaming\xsecva\xsecva.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\cal\AppData\Roaming\lsaco.dll (Trojan.Midhos) -> Quarantined and deleted successfully.
C:\ProgramData\6IYqpdniL7Y909.exe (Backdoor.Agent.RC2Gen) -> Quarantined and deleted successfully.
C:\Users\cal\AppData\Local\Temp\4B68.tmp (Trojan.Agent.EXPD1) -> Quarantined and deleted successfully.
C:\Users\cal\AppData\Local\Temp\Av8IspC2tLCJcJ.exe.tmp (Trojan.FakeAlert.3CH) -> Quarantined and deleted successfully.
C:\Windows\Installer\{c87bc561-eefd-ed9f-5262-78af73b1c897}\n (Trojan.Sirefef) -> Quarantined and deleted successfully.
(end)
 
Another log, from a full scan. Felt it might be important because it has a Sirefef file listed. This was done right after the first scan back before I came here.
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org
Database version: v2012.07.27.08
Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking)
Internet Explorer 9.0.8112.16421
cal :: CAL_DELL531S [administrator]
7/27/2012 1:02:07 PM
mbam-log-2012-07-27 (13-02-07).txt
Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 440102
Time elapsed: 1 hour(s), 3 minute(s), 23 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 4
C:\Program Files (x86)\Ubisoft\Assassin's Creed II\ubiorbitapi_r2.dll (Trojan.Agent.CK) -> No action taken.
C:\Users\cal\Downloads\Assassin's Creed II + Patch 1.01 [PC ~ ENG GER FRA SPA ITA DEN NOR SWE][SKIDROW][Colombo-BT.i2p]\Assassin's Creed II + Patch 1.01 [PC ~ ENG GER FRA SPA ITA DEN NOR SWE][SKIDROW]\Patch 1.01 + Crack\Crack\ubiorbitapi_r2.dll (Trojan.Agent.CK) -> No action taken.
C:\ProgramData\Microsoft\Windows\DRM\3F73.tmp.dat (Trojan.Agent.EXPD1) -> Quarantined and deleted successfully.
C:\Users\cal\AppData\Local\{c87bc561-eefd-ed9f-5262-78af73b1c897}\n (Trojan.Sirefef) -> Delete on reboot.
(end)
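The two Malwarebytes logs above, read the way an analyst would triage them. This is an added example and not part of the thread or of Malwarebytes' own tooling: it parses mbam-log detection lines (a subset copied from the thread's logs is embedded as sample input), classifies each hit by the persistence mechanism it represents (a Run value launching an EXE, a Run value loading a DLL export through rundll32, the `{GUID}\n` drop path both Sirefef hits share, temp-folder droppers) and lists whatever the scan left in place ("No action taken", "Delete on reboot"), which is exactly what the later posts keep chasing. The class and function names are my own.

```python
"""Triage a Malwarebytes Anti-Malware text log (mbam-log-*.txt).

Added example, not part of the thread.  The sample below is a subset of the
detection lines from the two logs posted in the thread; the headers and
counters in a real log are simply skipped by the parser.
"""
import re
from collections import Counter
from dataclasses import dataclass

SAMPLE_LOG = r"""
Malwarebytes Anti-Malware 1.62.0.1300
Registry Values Detected: 4
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|tTAXlNdYqeIHN.exe (Trojan.FakeAlert.3CH) -> Data: C:\ProgramData\tTAXlNdYqeIHN.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|lsaco (Trojan.Midhos) -> Data: rundll32.exe "C:\Users\cal\AppData\Roaming\lsaco.dll",HrGetStreamPos -> Quarantined and deleted successfully.
Registry Data Items Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
Files Detected: 4
C:\Program Files (x86)\Ubisoft\Assassin's Creed II\ubiorbitapi_r2.dll (Trojan.Agent.CK) -> No action taken.
C:\Users\cal\AppData\Local\Temp\4B68.tmp (Trojan.Agent.EXPD1) -> Quarantined and deleted successfully.
C:\Windows\Installer\{c87bc561-eefd-ed9f-5262-78af73b1c897}\n (Trojan.Sirefef) -> Quarantined and deleted successfully.
C:\Users\cal\AppData\Local\{c87bc561-eefd-ed9f-5262-78af73b1c897}\n (Trojan.Sirefef) -> Delete on reboot.
(end)
"""

# Path shape of both Sirefef hits in the log: ...\{GUID}\n
GUID_N_RE = re.compile(
    r"\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\\n$", re.IGNORECASE
)


@dataclass
class Detection:
    location: str   # "HKEY\key|valuename" for registry hits, a path for file hits
    name: str       # Malwarebytes detection name, e.g. Trojan.Sirefef
    data: str       # the "Data: ..." or "Bad: ... Good: ..." payload, if any
    action: str     # what the scanner did, without the trailing full stop


def parse_mbam_log(text):
    """Return one Detection per 'item (Name) -> ... -> action.' line."""
    dets = []
    for line in text.splitlines():
        line = line.strip()
        if " -> " not in line or not line.endswith("."):
            continue  # headers, counters, '(end)'
        parts = line.split(" -> ")
        head, action = parts[0], parts[-1].rstrip(".")
        data = " -> ".join(parts[1:-1])
        if data.startswith("Data: "):
            data = data[len("Data: "):]
        # The detection name is the LAST "(...)" group in the head; rpartition
        # leaves "(x86)" inside a path alone.
        location, _, name = head.rpartition(" (")
        if not location or not name.endswith(")"):
            continue
        dets.append(Detection(location, name[:-1], data, action))
    return dets


def classify(d):
    """Name the persistence / placement mechanism a detection represents."""
    if d.location.startswith("HK"):
        key, _, _value = d.location.partition("|")
        if key.upper().endswith("\\CURRENTVERSION\\RUN"):
            if "rundll32" in d.data.lower():
                return "autostart: Run value loading a DLL export via rundll32"
            return "autostart: Run value launching an EXE"
        if d.name.startswith("PUM."):
            return "settings hijack (Explorer/Start Menu policy)"
        return "registry: other"
    if GUID_N_RE.search(d.location):
        return "file: {GUID}\\n drop (shape of both Sirefef hits)"
    if "\\appdata\\local\\temp\\" in d.location.lower():
        return "file: temp-folder dropper"
    return "file: other"


def still_present(dets):
    """Detections the scan did not quarantine: these need follow-up."""
    return [d for d in dets if not d.action.startswith("Quarantined")]


def triage(text):
    dets = parse_mbam_log(text)
    return {
        "total": len(dets),
        "by_mechanism": dict(Counter(classify(d) for d in dets)),
        "autostarts": [d.location.split("|", 1)[1]
                       for d in dets if classify(d).startswith("autostart")],
        "unresolved": [(d.location, d.action) for d in still_present(dets)],
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

Run it on a full mbam-log and the "unresolved" list is the part to act on: here it is the cracked game DLL the user chose to keep and the second `{GUID}\n` file that could only be scheduled for deletion on reboot, which is why the helper goes on to ask for further scans rather than calling the machine clean.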
 
ESET Online Scan

Please run a free online scan with the ESET Online Scanner
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic
 
SirefefB.jpg
As I was scanning with ESET, MSE, which I had turned off before starting the scan, suddenly popped up with this about halfway through. I'm not sure what I should do.
 
I removed it, and then checked the MSE Quarantine. There was a whole bunch of files, including files like Sirefef and Sirefef.Y, which I removed as well. Here is the ESET scan log.

ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK
ESETSmartInstaller@High as downloader log:
all ok
 
It was most likely Sirefef in Quarantine, which is a reliably designated place that securely prevents those threats from starting again.

Let's get one more opinion...

Please run the F-Secure Online Scanner
  • Accept the License Agreement and check the box. Then click on Run Check.
  • fsecurescan.png
  • It will ask you to Run the Java plugin. Please confirm.
  • Once the download completes, the window for the scanner will launch.
  • Please confirm any more prompts, and then select Full Scan.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • It will run its cleaning.
  • Click the Full report button and Copy & Paste the entire report (except the bold text at the foot of the page) in your next reply. Once that's done, click the Close button on the scan window.
 
Scanning Report

Sunday, August 5, 2012 13:44:47 - 14:46:40

Computer name: CAL_DELL531S
Scanning type: Scan system for malware, spyware and rootkits
Target: C:\
20 malware found

TrackingCookie.Questionmarket (spyware)
  • System (Disinfected)
TrackingCookie.Adinterax (spyware)
  • System (Disinfected)
TrackingCookie.Research-int (spyware)
  • System (Disinfected)
TrackingCookie.2o7 (spyware)
  • System (Disinfected)
TrackingCookie.Advertising (spyware)
  • System (Disinfected)
TrackingCookie.Atdmt (spyware)
  • System (Disinfected)
TrackingCookie.Adtech (spyware)
  • System (Disinfected)
TrackingCookie.Adform (spyware)
  • System (Disinfected)
TrackingCookie.Revsci (spyware)
  • System (Disinfected)
TrackingCookie.WebTrendsLive (spyware)
  • System (Disinfected)
TrackingCookie.Zanox (spyware)
  • System (Disinfected)
TrackingCookie.Fastclick (spyware)
  • System (Disinfected)
TrackingCookie.Adbrite (spyware)
  • System (Disinfected)
TrackingCookie.Xiti (spyware)
  • System (Disinfected)
TrackingCookie.Webtrends (spyware)
  • System (Disinfected)
TrackingCookie.Mediaplex (spyware)
  • System (Disinfected)
TrackingCookie.Liveperson (spyware)
  • System (Disinfected)
TrackingCookie.Statistik-Gallup (spyware)
  • System (Disinfected)
TrackingCookie.Atwola (spyware)
  • System (Disinfected)
TrackingCookie.Yieldmanager (spyware)
  • System (Disinfected)
Statistics

Scanned:
  • Files: 150308
  • System: 7450
  • Not scanned: 38
Actions:
  • Disinfected: 20
  • Renamed: 0
  • Deleted: 0
  • Not cleaned: 0
  • Submitted: 0
Files not scanned:
  • C:\HIBERFIL.SYS
  • C:\PAGEFILE.SYS
  • C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
  • C:\WINDOWS\SYSTEM32\CONFIG\SAM
  • C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
  • C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
  • C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
  • C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\DEFAULT
  • C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SAM
  • C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SECURITY
  • C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SOFTWARE
  • C:\WINDOWS\SYSTEM32\CATROOT2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\CATDB
  • C:\WINDOWS\SYSTEM32\CATROOT2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\CATDB
  • C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SYSTEM
  • C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{C96A8F57-3899-4428-9FEC-335CE50DB161}.BIN
  • C:\WINDOWS\CSC\V2.0.6\PQ
  • C:\WINDOWS\CSC\V2.0.6\TEMP\EA-{EF4C292B-7D49-11E1-BF91-93CF50724A96}
  • C:\USERS\CAL\APPDATA\LOCAL\TEMP\ETILQS_IVR94C48RBVYKC297CGM
  • C:\USERS\CAL\APPDATA\LOCAL\TEMP\ETILQS_IVR94C48RBVYKC297CGM-JOURNAL
  • C:\USERS\CAL\APPDATA\LOCAL\TEMP\~DF19D9DF16E7942EC9.TMP
  • C:\USERS\CAL\APPDATA\LOCAL\TEMP\~DF1B61D5A331006E65.TMP
  • C:\USERS\CAL\APPDATA\LOCAL\TEMP\~DF2A066595CC9260EB.TMP
  • C:\USERS\CAL\APPDATA\LOCAL\TEMP\~DF336B7D9B7E715A81.TMP
  • C:\USERS\CAL\APPDATA\LOCAL\TEMP\~DFA19984095D540469.TMP
  • C:\USERS\CAL\APPDATA\LOCAL\TEMP\~DFEAD02CFAC0F4B63C.TMP
  • C:\USERS\CAL\APPDATA\LOCAL\TEMP\~DF7B309C01DB9EC705.TMP
  • C:\USERS\CAL\APPDATA\LOCAL\TEMP\~DF671BB0D8A91E150B.TMP
  • C:\USERS\CAL\APPDATA\LOCAL\TEMP\HSPERFDATA_CAL\3884
  • C:\USERS\CAL\APPDATA\LOCAL\TEMP\HSPERFDATA_CAL\5520
  • C:\QOOBOX\BACKENV\SETPATH.BAT
  • C:\QOOBOX\BACKENV\VIKPEV00
  • C:\PROGRAMDATA\MICROSOFT\MICROSOFT ANTIMALWARE\SCANS\MPDIAG.BIN
  • C:\PROGRAMDATA\MICROSOFT\MICROSOFT ANTIMALWARE\SCANS\HISTORY\CACHEMANAGER\MPSCANCACHE-0.BIN
  • C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\7CA61CCE377099FCF171318B3E5E5ABB_3582A102-8769-4482-8E93-EF7C0892B5CD
  • C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\D98F3DEA7E6AD066A1F5EB01BAB57BE5_3582A102-8769-4482-8E93-EF7C0892B5CD
  • C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\56E810489351C1C3F26DD316DC76AF50_3582A102-8769-4482-8E93-EF7C0892B5CD
  • C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\B7673D716DBEF4F840EC8BA3DDA3DEBF_3582A102-8769-4482-8E93-EF7C0892B5CD
  • C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\FE7D329E9E87B1C11D35ED04A2276267_3582A102-8769-4482-8E93-EF7C0892B5CD
Options

Scanning engines:
Scanning options:
  • Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR TMP
  • Use advanced heuristics
 
:D Oooh COOOOKIES!!! For us!!! :D Just kidding.

Your logs appear to be clean. If there are no more issues, then we shall clean up!

Clean up System Restore

Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

To manually create a new Restore Point
  • Go to Control Panel and select System and Maintenance
  • Select System
  • On the left select Advanced System Settings and accept the warning if you get one
  • Select System Protection Tab
  • Select Create at the bottom
  • Type in a name, e.g. Clean
  • Select Create
Now we can purge the infected ones
  • Go back to the System and Maintenance page
  • Select Performance Information and Tools
  • On the left select Open Disk Cleanup
  • Select Files from all users and accept the warning if you get one
  • In the drop down box select your main drive, e.g. C
  • For a few moments the system will make some calculations:
    diskcleanup1.png
  • Select the More Options tab
    moreoptions.png
  • In the System Restore and Shadow Backups select Clean up
    moreoptions2.png
  • Select Delete on the pop up
  • Select OK
  • Select Delete

Run OTC to remove our tools

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe by OldTimer:
  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Purge old temporary files

Download CCleaner Slim and save it to your Desktop - Alternate download link

When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
Follow the prompts to install the program.

* Double-click the CCleaner shortcut on the desktop to start the program.
* Click on the Options block on the left, then choose Cookies.
* Under Cookies to Delete, highlight any cookies you would like to retain permanently
* Click the right arrow > to move them to the Cookies to Keep window.
* Go into Options > Advanced & uncheck Only delete files in Windows Temp folders older than 48 hours
* Click Cleaner on the left then Run Cleaner on the right to run the program.
* Important: Make sure that ALL browser windows are closed before selecting Run Cleaner

Caution: Only use the Registry feature if you are very familiar with the registry.
Always back up your registry before making any changes. Exit CCleaner after it has completed its process.

Security Check

Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Tell me in your next reply, if you have completed these tasks:
  • Cleaned System Restore
  • Ran OTC
  • Ran TFC
  • Ran Security Check
Also, let me know how your computer is running, and don't forget to post the contents of the Security Check log.
 
Hello. Are you still with us?

Your thread has been marked as "Inactive" because of your lack of reply. Please let us know how your computer is running, or if you want to continue in this topic.

Thanks.
 