Solved Sirefef.y removal

Status
Not open for further replies.
For Windows Update fix:

Go to Start > type in CMD and right-click on Command Prompt in the results pane and hit Run as administrator...

Type the following in Command Prompt and hit enter:

sc create BITS binpath= "c:\windows\system32\svchost.exe -k netsvcs" start= delayed-auto

Once done, tell me how it's working.


Then, re-run ComboFix and post a new log, please.
 
Thanks!

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>sc create BITS binpath= "c:\windows\system32\svchost.exe -k netsvcs" start= delayed-auto
[SC] CreateService FAILED 1073:

The specified service already exists.


C:\Windows\system32>

BITS in services.msc was on Started and Manual; I changed that to Started and Automatic (Delayed Start) after the above didn't work.

Windows Update still failing to install. Code 2 and Code 66A.

I ran combofix, here is the log: http://pastebin.com/461LKNmr

I tried Windows Update again but it didn't work.
 
While in the Services console, restart the Windows Update Service by stopping it, and starting it again.

ESET Online Scan

Please run a free online scan with the ESET Online Scanner
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install, or it will ask to download an installer. Please do so and install it.
  • Click Start or wait for the scanner to load.
  • Make sure that the options Remove found threats and the option Scan unwanted applications are checked.
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, there are a couple of things to keep in mind:
    1. If NO threats were found, allow the scanner to Uninstall on close and then close the Window.
    2. If threats WERE detected, click on List of Threats Found, Export to Text File... save it as ESET-Scan-Log.txt. Click the back button/link, put a checkmark to Uninstall Application on Close and then close the window.
  • Open the logfile from wherever you saved it
  • Copy and paste the contents in your next reply.
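As an added example (not part of the thread, and not anything DragonMasterJay posted): the two service steps discussed above, the `sc create BITS ...` command, which fails with 1073 (ERROR_SERVICE_EXISTS, "The specified service already exists") when BITS is already registered, and the stop/start of the Windows Update service, done from an elevated PowerShell prompt. The svchost path and the netsvcs group are the ones quoted in the thread; the fallback to `sc config` for an existing service and the final state check are the added part.

```powershell
# Added example, not code from the thread: repair the BITS registration that the
# "sc create" step above targets, then bounce the Windows Update service.
# Run from an elevated PowerShell prompt on Windows 7 or later. The svchost path
# and the netsvcs group are the ones quoted in the thread; everything else is assumed.

$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
           ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this from an elevated PowerShell prompt.' }

$bitsBinPath = 'C:\Windows\System32\svchost.exe -k netsvcs'

function Repair-BitsService {
    # "sc create" returns 1073 (ERROR_SERVICE_EXISTS) when BITS is already registered,
    # which is the failure shown above; in that case reconfigure the existing entry.
    $existing = Get-Service -Name BITS -ErrorAction SilentlyContinue
    $verb = if ($null -eq $existing) { 'create' } else { 'config' }
    # sc.exe needs the space after "binpath=" and "start="; PowerShell quotes
    # $bitsBinPath for us because it contains spaces. (Plain "sc" is an alias for
    # Set-Content in PowerShell, hence sc.exe.)
    & sc.exe $verb BITS binpath= $bitsBinPath start= delayed-auto
    if ($LASTEXITCODE -ne 0) { throw "sc.exe $verb failed with exit code $LASTEXITCODE" }
}

function Restart-WindowsUpdateServices {
    # wuauserv downloads through BITS, so stop it first and start it last.
    foreach ($name in 'wuauserv', 'BITS') {
        $svc = Get-Service -Name $name
        if ($svc.Status -ne 'Stopped') {
            Stop-Service -Name $name -Force -ErrorAction Stop
            $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
        }
    }
    foreach ($name in 'BITS', 'wuauserv') {
        Start-Service -Name $name -ErrorAction Stop
        (Get-Service -Name $name).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
    }
}

function Get-WindowsUpdateServiceState {
    # Same information as services.msc: state, start mode and the image path, which
    # should be the svchost/netsvcs line and not a binary dropped by malware.
    Get-WmiObject -Class Win32_Service -Filter "Name='BITS' OR Name='wuauserv'" |
        Select-Object Name, State, StartMode, PathName
}

Repair-BitsService
Restart-WindowsUpdateServices
Get-WindowsUpdateServiceState | Format-Table -AutoSize
```

The PathName column is the check worth reading: on a machine that has had a Sirefef infection, the thing to confirm is that both services still point at the genuine svchost.exe line above, not just that they start.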
 
I'll have to do that tonight (in 12 or so hours) because I did an ESET scan already (before I made this thread) and the scan took something like 13 hours. I'll post the new log tomorrow probably.

Thanks DragonMasterJay!
 
Hi DragonMasterJay,

I started and stopped BITS. Tried Windows Update again (when I say that I hit Check for Updates and then Install). It didn't work.

Ran ESET scan overnight and it found some infected files.

C:\Documents and Settings\McGinley\AppData\Local\Application Data\{B7161655-E74E-11E1-8270-B8AC6F996F26}\chrome\content\browser.xul JS/Redirector.NIQ trojan cleaned by deleting - quarantined
C:\Documents and Settings\McGinley\Downloads\Setup-MsgPlus-511.exe a variant of Win32/MessengerPlus.A application deleted - quarantined
C:\Documents and Settings\McGinley\old_AppData\Local\Temp\Update_ae6b.exe a variant of Win32/MessengerPlus.A application deleted - quarantined
C:\Documents and Settings\McGinley\old_AppData\Local\Temp\Update_b418.exe a variant of Win32/MessengerPlus.A application deleted - quarantined
C:\Documents and Settings\McGinley\old_AppData\Local\Temp\Update_c3ae.exe a variant of Win32/MessengerPlus.A application deleted - quarantined
C:\Documents and Settings\McGinley\old_AppData\Local\Temp\Update_c7ba.exe a variant of Win32/MessengerPlus.A application deleted - quarantined
C:\Documents and Settings\McGinley\old_AppData\Local\Temp\Update_e1fc.exe a variant of Win32/MessengerPlus.A application deleted - quarantined
C:\Program Files (x86)\s1\s1\sosi4len.bat Win32/Bicololo.E trojan cleaned by deleting - quarantined

old_AppData was a folder copied from my old hard drive when I got a new computer. I thought I deleted all the old stuff a day or two ago but that folder was in a different place. It has been deleted now.

I tried Windows Update again and it didn't work.

http://I.imgur.com/t7TIu.png

Maybe that will help diagnose the problem.

Thanks!
 
Please download the latest version of Kaspersky GetSystemInfo (GSI) from Kaspersky and save it to your Desktop.

Note: please close all other applications running on your system.

Double click GetSystemInfo.exe to open it. It will display an agreement. Click on I Agree to continue.

Click the Settings button.

Set the slider to Maximum.

IMPORTANT! Then, click Customize - choose Driver / Ports tab and uncheck Scan Ports.


On the General tab, make sure all of the boxes are checked.


On the Misc tab, make sure all the checkboxes are checked.

Then, click OK on the windows that you launched.


Click Create Report to run it.

It will begin scanning.

It will create a zip folder called GetSystemInfo_XXXXXXXXXXXXXX.zip on your Desktop.

It should automatically upload it to http://www.getsysteminfo.com. If it does not, then please submit it manually by going to the site and doing the upload process.

It will redirect to a page, where it will provide a sharing URL for specialists. Copy and paste the url of the GSI Parser report in your next reply.
 
I had to change the extension as .log files can't be attached.

I ran that tool (for the fifth time).

Windows update failed again. Only the MSE definitions update installed. The .NET updates still won't install.

Thanks!
 

Attachment: CheckSUR.txt (394 bytes)
Unfortunately that doesn't work. I clicked start, then run, then entered the line shown and hit OK and got this:

[screenshot]


At the top of the page:

System Tip: This article applies to a different version of Windows than the one you are using. Content in this article may not be relevant to you. Visit the Windows 7 Solution Center
Thanks!
 
Click Start > type CMD and hit Enter.

Copy the following:

wmic qfe get 1>%userprofile%\desktop\log.txt

Then, in Command Prompt, right-click and select Paste. Then, press Enter. It will save a log to your Desktop, titled log.txt. Please attach that to your next reply.
 
I honestly don't understand why Windows Update is failing on your system. Your install of updates on Aug. 16 was the cumulative round of updates to fix and protect against the damages of Sirefef.

Let's try a couple of other things, and see if we can sort this out.

New log from ComboFix

We would like to see a ☆new log☆ from ComboFix. Please find the ComboFix icon on your Desktop, and double-click on it. Once it finishes running, post the new log.

AdwCleaner

Please download AdwCleaner by Xplode onto your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A logfile will automatically open after the scan has finished.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.
 
We'll take care of those vulnerabilities very soon. Just be careful browsing until we do. ;)

Remove the Adware.
  • Please close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with OK.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.
Please post the log.

Any more issues?

We need to know any other issues that are plaguing your computer. Kindly give a summary so we know how to continue from here.

Many of the things to note for us would be:

  • Slow computer
  • Error messages
  • Fake antivirus alerts or the icon in the system tray
  • svchost.exe running at 100%
  • System crashes or blue screen of death
 
Hello,

# AdwCleaner v2.000 - Logfile created 09/02/2012 at 18:12:34
# Updated 30/08/2012 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : McGinley - ZEIPHER
# Boot Mode : Normal
# Running from : C:\Users\McGinley\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****

Key Deleted : HKCU\Software\Softonic
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

Restored : [HKCU\Software\Wow6432Node\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]

-\\ Mozilla Firefox v15.0 (en-US)

Profile name : default
File : C:\Users\McGinley\AppData\Roaming\Mozilla\Firefox\Profiles\i2ew16uu.default\prefs.js

C:\Users\McGinley\AppData\Roaming\Mozilla\Firefox\Profiles\i2ew16uu.default\user.js ... Deleted !

Deleted : user_pref("extensions.toolbar@ask.com.install-event-fired", true);
Deleted : user_pref("gm-notifier.ui.counter.showInbox", true);

*************************

AdwCleaner[R1].txt - [1162 octets] - [02/09/2012 15:39:10]
AdwCleaner[S1].txt - [1553 octets] - [02/09/2012 18:12:34]

########## EOF - C:\AdwCleaner[S1].txt - [1613 octets] ##########

There are no problems. The last problem was the browser redirecting websites but that doesn't seem to be happening since we started all this. The computer is fast and hasn't blue screened in ages. The only problem is Windows Update as far as I can tell. It hasn't been working since about May or so; it could be unrelated to the trojan.

Thanks
 
Do you know what errors are being caused (Windows Update)?

Clean up System Restore

Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

To manually create a new Restore Point
  • Go to Control Panel and select System and Maintenance
  • Select System
  • On the left select Advanced System Settings and accept the warning if you get one
  • Select System Protection Tab
  • Select Create at the bottom
  • Type in a name, i.e. Clean
  • Select Create
Now we can purge the infected ones
  • Go back to the System and Maintenance page
  • Select Performance Information and Tools
  • On the left select Open Disk Cleanup
  • Select Files from all users and accept the warning if you get one
  • In the drop down box select your main drive, i.e. C
  • For a few moments the system will make some calculations.
  • Select the More Options tab
  • In the System Restore and Shadow Backups select Clean up
  • Select Delete on the pop up
  • Select OK
  • Select Delete

Run OTC to remove our tools

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe by OldTimer:
  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Purge old temporary files

Download CCleaner Slim and save it to your Desktop - Alternate download link

When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
Follow the prompts to install the program.

* Double-click the CCleaner shortcut on the desktop to start the program.
* Click on the Options block on the left, then choose Cookies.
* Under Cookies to Delete, highlight any cookies you would like to retain permanently
* Click the right arrow > to move them to the Cookies to Keep window.
* Go into Options > Advanced & uncheck Only delete files in Windows Temp folders older than 48 hours
* Click Cleaner on the left then Run Cleaner on the right to run the program.
* Important: Make sure that ALL browser windows are closed before selecting Run Cleaner

Caution: Only use the Registry feature if you are very familiar with the registry.
Always back up your registry before making any changes. Exit CCleaner after it has completed its process.

Security Check

Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
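As an added example (not part of the thread): the "create a new Restore Point, then purge the old ones" procedure from the Clean up System Restore section above, done from an elevated PowerShell prompt instead of the System Protection and Disk Cleanup dialogs. It assumes C: is the protected system drive and uses the restore point name "Clean" suggested above; the existence check after Checkpoint-Computer and the guard in the purge loop are additions.

```powershell
# Added example, not code from the thread: the "create a new restore point, then
# purge the old ones" procedure above, done from an elevated PowerShell prompt
# instead of the System Protection and Disk Cleanup dialogs. Windows-only; 'Clean'
# is the name suggested above, C: is assumed to be the protected system drive.

$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
           ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this from an elevated PowerShell prompt.' }

function New-CleanRestorePoint {
    param([string]$Description = 'Clean')
    # Checkpoint-Computer reports some refusals (for example the once-per-24-hours
    # throttle on newer Windows versions) as a warning rather than an error, so
    # confirm afterwards that a point with our description really exists.
    Checkpoint-Computer -Description $Description -RestorePointType MODIFY_SETTINGS
    $point = Get-ComputerRestorePoint |
        Where-Object { $_.Description -eq $Description } |
        Sort-Object SequenceNumber -Descending | Select-Object -First 1
    if ($null -eq $point) { throw "Restore point '$Description' was not created." }
    return $point
}

function Remove-OldRestorePoints {
    param([string]$Volume = 'C:')
    # Restore points live in Volume Shadow Copies. Deleting the oldest shadow until a
    # single one remains is what Disk Cleanup's "System Restore and Shadow Copies >
    # Clean up" does: it keeps only the most recent restore point.
    while ($true) {
        $before = @(Get-ComputerRestorePoint).Count
        if ($before -le 1) { break }
        & vssadmin.exe delete shadows /for=$Volume /oldest /quiet | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "vssadmin failed with exit code $LASTEXITCODE" }
        # If the oldest shadow was not a restore point (e.g. a backup snapshot) the
        # count does not drop; stop rather than keep deleting blindly.
        $after = @(Get-ComputerRestorePoint).Count
        if ($after -ge $before) {
            throw 'Shadow deletion did not remove a restore point; inspect "vssadmin list shadows" before continuing.'
        }
    }
}

$new = New-CleanRestorePoint
Remove-OldRestorePoints -Volume 'C:'
Get-ComputerRestorePoint | Format-Table SequenceNumber, Description, CreationTime -AutoSize
```

The final listing should show exactly one restore point, the "Clean" one; run it before handing the machine back, since the whole point of the step is that no pre-cleanup snapshot survives to be restored.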
 
Hello,

The two error codes Windows Update says are code 2 and code 66a. I've download the fixes from the Windows site but they don't solve the problem.

Here is the log:

Results of screen317's Security Check version 0.99.49
Windows 7 Service Pack 1 x64 (UAC is disabled!)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Microsoft Security Essentials
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.62.0.1300
JavaFX 2.1.1
Java(TM) 6 Update 30
Java(TM) 7 Update 5
Java version out of Date!
Adobe Flash Player 10 Flash Player out of Date!
Adobe Reader X (10.1.4)
Mozilla Firefox (15.0)
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
Microsoft Security Essentials msseces.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````

Thanks!
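As an added example (not part of the thread): the short codes the Windows Update dialog shows, "Code 2" and "Code 66A" in the post above, are Win32 error numbers written in hexadecimal, and the full HRESULTs in C:\Windows\WindowsUpdate.log (0x8007xxxx) wrap the same Win32 number in their low 16 bits. Code 2 is ERROR_FILE_NOT_FOUND; Code 66A is 0x66A = 1642, ERROR_PATCH_TARGET_NOT_FOUND, the Windows Installer error for a patch whose target product is not installed in the expected version. The script below converts either form and pulls the system message text from Windows; the three inputs at the bottom are the ones from this thread plus the HRESULT form of Code 2.

```powershell
# Added example, not code from the thread: decode the short error codes Windows
# Update displays ("Code 2", "Code 66A") and the full HRESULTs found in
# C:\Windows\WindowsUpdate.log (e.g. 0x80070002) into Win32 error numbers, names
# and the message text built into Windows. Pure computation; nothing is changed.

function ConvertTo-Win32ErrorCode {
    param([Parameter(Mandatory = $true)][string]$Code)
    # Accept "Code 66A", "66A", "0x66A" and "0x80070002".
    $text = ($Code.Trim() -replace '^code\s*', '')
    if ($text -match '^0x([0-9A-Fa-f]{8})$') {
        $hresult = [Convert]::ToUInt32($matches[1], 16)
        # FACILITY_WIN32 HRESULTs (0x8007xxxx) carry the Win32 error in the low 16 bits.
        if (($hresult -band 0xFFFF0000) -ne 0x80070000) {
            throw "$Code is not a Win32-facility HRESULT; look it up as a Windows Update (WU_E_*) code instead."
        }
        return [int]($hresult -band 0xFFFF)
    }
    # The "Code NNN" form in the Windows Update UI is the Win32 error in hex:
    # Code 2 = 2 (ERROR_FILE_NOT_FOUND), Code 66A = 0x66A = 1642 (ERROR_PATCH_TARGET_NOT_FOUND).
    return [Convert]::ToInt32(($text -replace '^0x', ''), 16)
}

function Get-WindowsUpdateErrorInfo {
    param([Parameter(Mandatory = $true)][string]$Code)
    $win32 = ConvertTo-Win32ErrorCode -Code $Code
    # Symbolic names for the codes seen in this thread plus the common 643/1603;
    # anything else still gets the system message, just without a name.
    $names = @{ 2 = 'ERROR_FILE_NOT_FOUND'; 1603 = 'ERROR_INSTALL_FAILURE'; 1642 = 'ERROR_PATCH_TARGET_NOT_FOUND' }
    $name = if ($names.ContainsKey($win32)) { $names[$win32] } else { '(see winerror.h)' }
    New-Object PSObject -Property @{
        Input   = $Code
        Win32   = $win32
        HResult = ('0x{0:X8}' -f (0x80070000 + $win32))
        Name    = $name
        # Win32Exception asks Windows for the FormatMessage text of the error number.
        Message = (New-Object ComponentModel.Win32Exception -ArgumentList $win32).Message
    }
}

'Code 2', 'Code 66A', '0x80070002' |
    ForEach-Object { Get-WindowsUpdateErrorInfo -Code $_ } |
    Format-Table Input, Win32, HResult, Name, Message -AutoSize -Wrap
```

Codes that do not decode this way (the 0x8024xxxx range) belong to the Windows Update agent itself rather than to Win32, which is why the converter refuses them instead of guessing.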
 
In about 9 hours I will be travelling and will be away from my home computer. I won't be back until Sunday night. I would still like help but just letting you know why you probably won't see me posting until probably Monday morning!

Thanks for the help!
 
Adobe Flash Player Update!

Please download the newest version of Adobe Flash Player from Adobe.com

Before installing: it is important to remove older versions of Flash Player since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
Search in the list for all previous installed versions of Adobe Flash Player. Uninstall/Remove each of them.

Once old versions are gone, please install the newest version.



Update Java

Please download the newest version of Java from Java.com.

Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
Search in the list for all previous installed versions of Java. (J2SE Runtime Environment). Please uninstall/remove each of them.

Once old versions are gone, please install the newest version.

Read more about Java exploit problems


Personal Tips on Preventing Malware

See this page for more info about malware and prevention.

Read more about "FAQ: How did Sirefef or ZeroAccess Infect You?"

Any other questions before I mark this topic solved?
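As an added example (not part of the thread): the Security Check log above lists JavaFX 2.1.1, Java(TM) 6 Update 30 and Java(TM) 7 Update 5 side by side, plus Flash Player 10, and notes that UAC is disabled. The script below shows how to enumerate those entries on 64-bit Windows from the registry, covering both the native and the Wow6432Node uninstall keys so 32-bit installs are not missed, to print a silent uninstall command for each MSI-registered entry, and to read the UAC setting. It only reads; the msiexec lines are printed for the person doing the cleanup to run. The registry paths are the standard ones; the name patterns are assumptions based on the product names in the log.

```powershell
# Added example, not code from the thread: list every Java and Flash Player entry
# registered on a 64-bit Windows machine (native and Wow6432Node uninstall keys),
# print the silent uninstall command for each MSI-registered one, and read the UAC
# setting that Security Check flagged above. Read-only; run the printed commands yourself.

function Get-InstalledProduct {
    param([Parameter(Mandatory = $true)][string[]]$NamePattern)
    $roots = @{
        'x64' = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
        'x86' = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    }
    foreach ($arch in $roots.Keys) {
        $root = $roots[$arch]
        if (-not (Test-Path $root)) { continue }   # Wow6432Node does not exist on 32-bit Windows
        foreach ($key in Get-ChildItem $root) {
            $p = Get-ItemProperty -Path $key.PSPath
            if ([string]::IsNullOrEmpty($p.DisplayName)) { continue }
            $hit = $false
            foreach ($pattern in $NamePattern) { if ($p.DisplayName -match $pattern) { $hit = $true } }
            if (-not $hit) { continue }
            New-Object PSObject -Property @{
                Name            = $p.DisplayName
                Version         = $p.DisplayVersion
                Architecture    = $arch
                UninstallString = $p.UninstallString
            }
        }
    }
}

function Get-MsiUninstallCommand {
    param([Parameter(Mandatory = $true)]$Product)
    # Java's entries are MSI-based; their UninstallString carries the ProductCode GUID.
    # Flash Player's entries use Adobe's own uninstaller, so no msiexec line is produced.
    if ($Product.UninstallString -match '\{[0-9A-Fa-f-]{36}\}') {
        return ('msiexec.exe /x' + $matches[0] + ' /qn /norestart   # ' + $Product.Name)
    }
    return $null
}

function Get-UacState {
    # EnableLUA = 0 is what Security Check reports as "UAC is disabled!".
    $sys = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    if ($sys.EnableLUA -eq 1) { 'enabled' } else { 'disabled' }
}

# "Java(TM) 6 Update 30", "Java(TM) 7 Update 5" and "JavaFX 2.1.1" all match '^Java'.
$installed = Get-InstalledProduct -NamePattern '^Java', 'Adobe Flash Player'
$installed | Sort-Object Name | Format-Table Name, Version, Architecture -AutoSize

# Every entry except the newest Java and the newest Flash is a removal candidate.
$installed | ForEach-Object { Get-MsiUninstallCommand -Product $_ } | Where-Object { $_ }

"UAC is $(Get-UacState)"
```

Run the listing again after installing the new versions: the browser plug-in is the attack surface, so the check is that only one Java and one Flash entry remain, not just that the new one appeared.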
 