Sirefef got me

Inactive
By Vitharr
Jul 28, 2012
  1. Vitharr

    Vitharr Newcomer, in training Topic Starter Posts: 22

    This is an old log, from before I even came to this site. Not sure if it will be of any use to you.
    Malwarebytes Anti-Malware 1.62.0.1300
    www.malwarebytes.org
    Database version: v2012.07.27.08
    Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking)
    Internet Explorer 9.0.8112.16421
    cal :: CAL_DELL531S [administrator]
    7/27/2012 12:49:19 PM
    mbam-log-2012-07-27 (12-49-19).txt
    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 201796
    Time elapsed: 7 minute(s), 57 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 0
    (No malicious items detected)
    Registry Values Detected: 4
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|tTAXlNdYqeIHN.exe (Trojan.FakeAlert.3CH) -> Data: C:\ProgramData\tTAXlNdYqeIHN.exe -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|XSECVA (Trojan.Agent) -> Data: "C:\Users\cal\AppData\Roaming\xsecva\xsecva.exe" -s -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|lsaco (Trojan.Midhos) -> Data: rundll32.exe "C:\Users\cal\AppData\Roaming\lsaco.dll",HrGetStreamPos -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|6IYqpdniL7Y909 (Backdoor.Agent.RC2Gen) -> Data: C:\ProgramData\6IYqpdniL7Y909.exe -> Quarantined and deleted successfully.
    Registry Data Items Detected: 2
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 7
    C:\ProgramData\tTAXlNdYqeIHN.exe (Trojan.FakeAlert.3CH) -> Quarantined and deleted successfully.
    C:\Users\cal\AppData\Roaming\xsecva\xsecva.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Users\cal\AppData\Roaming\lsaco.dll (Trojan.Midhos) -> Quarantined and deleted successfully.
    C:\ProgramData\6IYqpdniL7Y909.exe (Backdoor.Agent.RC2Gen) -> Quarantined and deleted successfully.
    C:\Users\cal\AppData\Local\Temp\4B68.tmp (Trojan.Agent.EXPD1) -> Quarantined and deleted successfully.
    C:\Users\cal\AppData\Local\Temp\Av8IspC2tLCJcJ.exe.tmp (Trojan.FakeAlert.3CH) -> Quarantined and deleted successfully.
    C:\Windows\Installer\{c87bc561-eefd-ed9f-5262-78af73b1c897}\n (Trojan.Sirefef) -> Quarantined and deleted successfully.
    (end)
  2. Vitharr

    Vitharr Newcomer, in training Topic Starter Posts: 22

    Another log, from a full scan. Felt it might be important because it has a Sirefef file listed. This was done right after the first scan back before I came here.
    Malwarebytes Anti-Malware 1.62.0.1300
    www.malwarebytes.org
    Database version: v2012.07.27.08
    Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking)
    Internet Explorer 9.0.8112.16421
    cal :: CAL_DELL531S [administrator]
    7/27/2012 1:02:07 PM
    mbam-log-2012-07-27 (13-02-07).txt
    Scan type: Full scan (C:\|)
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 440102
    Time elapsed: 1 hour(s), 3 minute(s), 23 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 0
    (No malicious items detected)
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 0
    (No malicious items detected)
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 4
    C:\Program Files (x86)\Ubisoft\Assassin's Creed II\ubiorbitapi_r2.dll (Trojan.Agent.CK) -> No action taken.
    C:\Users\cal\Downloads\Assassin's Creed II + Patch 1.01 [PC ~ ENG GER FRA SPA ITA DEN NOR SWE][SKIDROW][Colombo-BT.i2p]\Assassin's Creed II + Patch 1.01 [PC ~ ENG GER FRA SPA ITA DEN NOR SWE][SKIDROW]\Patch 1.01 + Crack\Crack\ubiorbitapi_r2.dll (Trojan.Agent.CK) -> No action taken.
    C:\ProgramData\Microsoft\Windows\DRM\3F73.tmp.dat (Trojan.Agent.EXPD1) -> Quarantined and deleted successfully.
    C:\Users\cal\AppData\Local\{c87bc561-eefd-ed9f-5262-78af73b1c897}\n (Trojan.Sirefef) -> Delete on reboot.
    (end)
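As an added example (not from this thread, and not Malwarebytes' own code), here is a small Python triage script for logs in the format posted in the two replies above: it pulls out the autostart (Run key) entries, which show how the infection survived reboots, and flags items the scan did not actually resolve, such as the "No action taken" and "Delete on reboot" lines in the second log. The sample log is constructed from entries in those two logs.

```python
import re

# Sample constructed from entries in the two Malwarebytes 1.62 logs above
# (format: ITEM (THREAT) -> [DETAILS ->] ACTION.); headers have no ' -> '.
SAMPLE_LOG = r"""Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|lsaco (Trojan.Midhos) -> Data: rundll32.exe "C:\Users\cal\AppData\Roaming\lsaco.dll",HrGetStreamPos -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|6IYqpdniL7Y909 (Backdoor.Agent.RC2Gen) -> Data: C:\ProgramData\6IYqpdniL7Y909.exe -> Quarantined and deleted successfully.
Registry Data Items Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
Files Detected: 3
C:\ProgramData\6IYqpdniL7Y909.exe (Backdoor.Agent.RC2Gen) -> Quarantined and deleted successfully.
C:\Program Files (x86)\Ubisoft\Assassin's Creed II\ubiorbitapi_r2.dll (Trojan.Agent.CK) -> No action taken.
C:\Users\cal\AppData\Local\{c87bc561-eefd-ed9f-5262-78af73b1c897}\n (Trojan.Sirefef) -> Delete on reboot.
(end)
"""

# Greedy item, then the threat name in the final parentheses (paths such as
# 'Program Files (x86)' contain parentheses too, so anchor on the line end).
_ITEM_RE = re.compile(r"^(?P<item>.+) \((?P<threat>[^()\s]+)\)$")

def parse_detection(line):
    """Return a dict for one detection line, or None for headers/counters/'(end)'."""
    segments = line.strip().split(" -> ")
    m = _ITEM_RE.match(segments[0]) if len(segments) >= 2 else None
    if not m:
        return None
    item, action = m.group("item"), segments[-1].rstrip(".")
    # Registry entries are written KEY|VALUENAME; everything else is a path.
    key = item.split("|", 1)[0] if item.startswith("HK") and "|" in item else None
    return {
        "item": item, "threat": m.group("threat"), "action": action,
        "details": segments[1:-1],  # e.g. ['Data: ...'] or ['Bad: (0) Good: (1)']
        # A value under Run/RunOnce is an autostart: how the malware survived reboot.
        "persistence": bool(key) and re.search(r"\\run(once)?$", key, re.I) is not None,
        # MBAM reports handled items as 'Quarantined and ...'; 'No action taken' and
        # 'Delete on reboot' mean the item is still on disk and needs follow-up.
        "resolved": action.startswith("Quarantined"),
    }

def triage(log_text):
    """Every detection plus the two lists an analyst reads first."""
    found = [d for d in map(parse_detection, log_text.splitlines()) if d]
    return {"detections": found,
            "persistence": [d["item"] for d in found if d["persistence"]],
            "unresolved": [(d["item"], d["action"]) for d in found if not d["resolved"]]}

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for item in report["persistence"]:
        print("autostart entry:", item)
    for item, action in report["unresolved"]:
        print("needs follow-up (%s): %s" % (action, item))
```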
  3. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    ESET Online Scan

    Please run a free online scan with the ESET Online Scanner
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install
    • Click Start
    • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
    • Click Scan (This scan can take several hours, so please be patient)
    • Once the scan is completed, you may close the window
    • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
    • Copy and paste that log as a reply to this topic
  4. Vitharr

    Vitharr Newcomer, in training Topic Starter Posts: 22

    As I was scanning with ESET, MSE, which I had turned off before starting the scan, suddenly popped up with this about halfway through. I'm not sure what I should do.
  5. Vitharr

    Vitharr Newcomer, in training Topic Starter Posts: 22

    I removed it, and then checked the MSE Quarantine. There was a whole bunch of files, including files like Sirefef and Sirefef.Y, which I removed as well. Here is the ESET scan log.

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner64.ocx - registred OK
    OnlineScanner.ocx - registred OK
    ESETSmartInstaller@High as downloader log:
    all ok
  6. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Was most likely Sirefef in Quarantine, which is a reliably designated place to securely prevent those threats from starting again.

    Let's get one more opinion...

    Please run the F-Secure Online Scanner
    • Accept the License Agreement and check the box. Then click on Run Check.
    • It will ask you to Run the Java plugin. Please confirm.
    • Once the download completes, the window for the scanner will launch.
    • Please confirm any more prompts, and then select Full Scan.
    • The scan will take some time to finish, so please be patient.
    • When the scan completes, click the Automatic cleaning (recommended) button.
    • It will run its cleaning.
    • Click the Full report button and Copy & Paste the entire report (except the bold text at the foot of the page) in your next reply. Once that's done, click the Close button on the scan window.
  7. Vitharr

    Vitharr Newcomer, in training Topic Starter Posts: 22

    Scanning Report

    Sunday, August 5, 2012 13:44:47 - 14:46:40

    Computer name: CAL_DELL531S
    Scanning type: Scan system for malware, spyware and rootkits
    Target: C:\
    20 malware found

    TrackingCookie.Questionmarket (spyware)
    • System (Disinfected)
    TrackingCookie.Adinterax (spyware)
    • System (Disinfected)
    TrackingCookie.Research-int (spyware)
    • System (Disinfected)
    TrackingCookie.2o7 (spyware)
    • System (Disinfected)
    TrackingCookie.Advertising (spyware)
    • System (Disinfected)
    TrackingCookie.Atdmt (spyware)
    • System (Disinfected)
    TrackingCookie.Adtech (spyware)
    • System (Disinfected)
    TrackingCookie.Adform (spyware)
    • System (Disinfected)
    TrackingCookie.Revsci (spyware)
    • System (Disinfected)
    TrackingCookie.WebTrendsLive (spyware)
    • System (Disinfected)
    TrackingCookie.Zanox (spyware)
    • System (Disinfected)
    TrackingCookie.Fastclick (spyware)
    • System (Disinfected)
    TrackingCookie.Adbrite (spyware)
    • System (Disinfected)
    TrackingCookie.Xiti (spyware)
    • System (Disinfected)
    TrackingCookie.Webtrends (spyware)
    • System (Disinfected)
    TrackingCookie.Mediaplex (spyware)
    • System (Disinfected)
    TrackingCookie.Liveperson (spyware)
    • System (Disinfected)
    TrackingCookie.Statistik-Gallup (spyware)
    • System (Disinfected)
    TrackingCookie.Atwola (spyware)
    • System (Disinfected)
    TrackingCookie.Yieldmanager (spyware)
    • System (Disinfected)
    Statistics

    Scanned:
    • Files: 150308
    • System: 7450
    • Not scanned: 38
    Actions:
    • Disinfected: 20
    • Renamed: 0
    • Deleted: 0
    • Not cleaned: 0
    • Submitted: 0
    Files not scanned:
    • C:\HIBERFIL.SYS
    • C:\PAGEFILE.SYS
    • C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
    • C:\WINDOWS\SYSTEM32\CONFIG\SAM
    • C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
    • C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
    • C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
    • C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\DEFAULT
    • C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SAM
    • C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SECURITY
    • C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SOFTWARE
    • C:\WINDOWS\SYSTEM32\CATROOT2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\CATDB
    • C:\WINDOWS\SYSTEM32\CATROOT2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\CATDB
    • C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SYSTEM
    • C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{C96A8F57-3899-4428-9FEC-335CE50DB161}.BIN
    • C:\WINDOWS\CSC\V2.0.6\PQ
    • C:\WINDOWS\CSC\V2.0.6\TEMP\EA-{EF4C292B-7D49-11E1-BF91-93CF50724A96}
    • C:\USERS\CAL\APPDATA\LOCAL\TEMP\ETILQS_IVR94C48RBVYKC297CGM
    • C:\USERS\CAL\APPDATA\LOCAL\TEMP\ETILQS_IVR94C48RBVYKC297CGM-JOURNAL
    • C:\USERS\CAL\APPDATA\LOCAL\TEMP\~DF19D9DF16E7942EC9.TMP
    • C:\USERS\CAL\APPDATA\LOCAL\TEMP\~DF1B61D5A331006E65.TMP
    • C:\USERS\CAL\APPDATA\LOCAL\TEMP\~DF2A066595CC9260EB.TMP
    • C:\USERS\CAL\APPDATA\LOCAL\TEMP\~DF336B7D9B7E715A81.TMP
    • C:\USERS\CAL\APPDATA\LOCAL\TEMP\~DFA19984095D540469.TMP
    • C:\USERS\CAL\APPDATA\LOCAL\TEMP\~DFEAD02CFAC0F4B63C.TMP
    • C:\USERS\CAL\APPDATA\LOCAL\TEMP\~DF7B309C01DB9EC705.TMP
    • C:\USERS\CAL\APPDATA\LOCAL\TEMP\~DF671BB0D8A91E150B.TMP
    • C:\USERS\CAL\APPDATA\LOCAL\TEMP\HSPERFDATA_CAL\3884
    • C:\USERS\CAL\APPDATA\LOCAL\TEMP\HSPERFDATA_CAL\5520
    • C:\QOOBOX\BACKENV\SETPATH.BAT
    • C:\QOOBOX\BACKENV\VIKPEV00
    • C:\PROGRAMDATA\MICROSOFT\MICROSOFT ANTIMALWARE\SCANS\MPDIAG.BIN
    • C:\PROGRAMDATA\MICROSOFT\MICROSOFT ANTIMALWARE\SCANS\HISTORY\CACHEMANAGER\MPSCANCACHE-0.BIN
    • C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\7CA61CCE377099FCF171318B3E5E5ABB_3582A102-8769-4482-8E93-EF7C0892B5CD
    • C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\D98F3DEA7E6AD066A1F5EB01BAB57BE5_3582A102-8769-4482-8E93-EF7C0892B5CD
    • C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\56E810489351C1C3F26DD316DC76AF50_3582A102-8769-4482-8E93-EF7C0892B5CD
    • C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\B7673D716DBEF4F840EC8BA3DDA3DEBF_3582A102-8769-4482-8E93-EF7C0892B5CD
    • C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\FE7D329E9E87B1C11D35ED04A2276267_3582A102-8769-4482-8E93-EF7C0892B5CD
    Options

    Scanning engines:
    Scanning options:
    • Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR TMP
    • Use advanced heuristics
  8. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    :D Oooh COOOOKIES!!! For us!!! :D Just kidding.

    Your logs appear to be clean. If there are no more issues, then we shall clean up!

    Clean up System Restore

    Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

    To manually create a new Restore Point
    • Go to Control Panel and select System and Maintenance
    • Select System
    • On the left select Advanced System Settings and accept the warning if you get one
    • Select System Protection Tab
    • Select Create at the bottom
    • Type in a name, i.e. Clean
    • Select Create
    Now we can purge the infected ones
    • Go back to the System and Maintenance page
    • Select Performance Information and Tools
    • On the left select Open Disk Cleanup
    • Select Files from all users and accept the warning if you get one
    • In the drop-down box select your main drive, i.e. C
    • For a few moments the system will make some calculations:
    • Select the More Options tab
    • In the System Restore and Shadow Backups select Clean up
    • Select Delete on the pop up
    • Select OK
    • Select Delete

    Run OTC to remove our tools

    To remove all of the tools we used and the files and folders they created, please do the following:
    Please download OTC.exe by OldTimer:
    • Save it to your Desktop.
    • Double click OTC.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

    Purge old temporary files

    Download CCleaner Slim and save it to your Desktop - Alternate download link

    When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
    Follow the prompts to install the program.

    * Double-click the CCleaner shortcut on the desktop to start the program.
    * Click on the Options block on the left, then choose Cookies.
    * Under Cookies to Delete, highlight any cookies you would like to retain permanently
    * Click the right arrow > to move them to the Cookies to Keep window.
    * Go into Options > Advanced & uncheck Only delete files in Windows Temp folders older than 48 hours
    * Click Cleaner on the left then Run Cleaner on the right to run the program.
    * Important: Make sure that ALL browser windows are closed before selecting Run Cleaner

    Caution: Only use the Registry feature if you are very familiar with the registry.
    Always back up your registry before making any changes. Exit CCleaner after it has completed its process.

    Security Check

    Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    Tell me in your next reply, if you have completed these tasks:
    • Cleaned System Restore
    • Ran OTC
    • Ran TFC
    • Ran Security Check
    Also, let me know how your computer is running, and don't forget to post the contents of the Security Check log.
  9. Vitharr

    Vitharr Newcomer, in training Topic Starter Posts: 22

    I apologize. Been super busy lately. Will get right on that.
  10. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Okay. No problem.
  11. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hello. Are you still with us?

    Your thread has been marked as "Inactive" because of your lack of reply. Please let us know how your computer is running, or if you want to continue in this topic.

    Thanks.
     

