Solved Trojans/malware detected on computer. Popups in browser.

I just decided to rerun the scan. It worked better this time. Here's the scan log:

C:\Qoobox\Quarantine\C\WINDOWS\system32\veteboot.dll.vir probably a variant of Win32/Sirefef.ER trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\afd.sys.vir a variant of Win32/Rootkit.Kryptik.JM trojan
C:\System Volume Information\_restore{1D4535A7-6169-4EA1-A338-398DA62C6A68}\RP56\A0043434.sys a variant of Win32/Rootkit.Kryptik.JM trojan
C:\System Volume Information\_restore{1D4535A7-6169-4EA1-A338-398DA62C6A68}\RP57\A0043637.sys a variant of Win32/Rootkit.Kryptik.JM trojan
C:\System Volume Information\_restore{1D4535A7-6169-4EA1-A338-398DA62C6A68}\RP58\A0043977.dll probably a variant of Win32/Sirefef.ER trojan
C:\System Volume Information\_restore{1D4535A7-6169-4EA1-A338-398DA62C6A68}\RP61\A0044428.sys a variant of Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{1D4535A7-6169-4EA1-A338-398DA62C6A68}\RP61\A0044481.sys a variant of Win32/Sirefef.DA trojan
C:\WINDOWS\system32\adobeactivefilemonitor4.0.dll probably a variant of Win32/Sirefef.ER trojan
C:\WINDOWS\system32\pelmouse.dll probably a variant of Win32/Sirefef.ER trojan
C:\WINDOWS\system32\drivers\avipbb.sys a variant of Win32/Sirefef.DA trojan
Operating memory multiple threats
 
The system is still actively infected:

Please download OTMoveIt by Old Timer and save it to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right-click on OTMoveIt3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Files 
    C:\WINDOWS\system32\adobeactivefilemonitor4.0.dll 
    C:\WINDOWS\system32\pelmouse.dll 
    C:\WINDOWS\system32\drivers\avipbb.sys 
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
=========================================
Do you have or did you have Adobe Photoshop v4 (PhotoshopElementsFileAgent.exe, description: Related to Adobe Photoshop)? I do not see it installed on the system now.

Do you have or did you have a Mouse Suite Driver from Primax Electronics Ltd (C:\WINDOWS\system32\pelmouse.dll)? Again, I don't see it installed on the system.

Where did you download the Avira Security?
---------------
SAS 10: Previously handled malware, now in restore points, in the scan generated 03/06/2012 at 02:46 PM; all like the following, with different restore point numbers:

Trojan.Agent/Gen-Sirefef
C:\SYSTEM VOLUME INFORMATION\_RESTORE{1D4535A7-6169-4EA1-A338-398DA62C6A68}\RP54\A0040296.SYS

At that point I said:
You'll be happy to know that Trojan.Agent/Gen-Sirefef (AKA Zero Access Rootkit) is only indicated in System Volume. It is not active in the system. This is where the restore points are kept, and I will have you set a clean restore point and drop the old ones when we finish.
It also found Trojan.Agent/Gen-Haote in files for X-COM TERROR FROM THE DEEP and X-COM UFO DEFENSE. In each case, it included the program uninstall.exe and the LNK shortcut:

C:\PROGRAM FILES\2K GAMES\X-COM TERROR FROM THE DEEP\UNINSTALL.EXE
C:\DOCUMENTS AND SETTINGS\CHRISTOPHER AUNE\START MENU\PROGRAMS\2K GAMES\X-COM TERROR FROM THE DEEP\UNINSTALL X-COM TERROR FROM THE DEEP.LNK

C:\PROGRAM FILES\2K GAMES\X-COM UFO DEFENSE\UNINSTALL.EXE
C:\DOCUMENTS AND SETTINGS\CHRISTOPHER AUNE\START MENU\PROGRAMS\2K GAMES\X-COM UFO DEFENSE\UNINSTALL X-COM UFO DEFENSE.LNK

2 weeks ago you left a message from Avira:
A virus or unwanted program 'TR/Sirefef.BV.2' was found in file 'C:\WINDOWS\system32\pelmouse.dll'. Access Denied.

I had you rerun the Eset scan; the post only left partial info. The rescan shows a recurrence of Sirefef active in the system, and a third active entry shows to be related to Avira Security Suite.

=======================================
If you are continuing to use these infected programs, please stop and uninstall them. It is useless to continue to remove these recurring infections. If you are using any torrent site to download or pirate programs, please stop now.
======================================
About (Sirefef) rootkit
  • You receive the message "Error communicating with kernel"
  • You believe you are infected with a rogue antivirus such as "Open Cloud Security"
  • This malware is also known as "Sirefef" and "Max++" and ESET detects this and its many variants as Win32/Sirefef

Remove Zero.Access (Sirefef)
ESET has provided a stand-alone malware removal tool to remove this particularly resilient threat. Follow the steps below.
  1. Download, save and run the Win32/Sirefef stand-alone malware removal tool and follow the prompts as directed.
  2. If this tool is unsuccessful in cleaning, try restarting into Safe Mode with Networking and running it again.
  3. When finished, update and rescan with the Eset online scanner.

Leave any new log that is generated.
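The call above ("the system is still actively infected") rests on where each detection sits: hits inside the ComboFix/OTM quarantine folders and inside System Volume Information restore points are neutralised copies, while hits under C:\WINDOWS\system32 or in operating memory mean live code. The following Python script is an added example (not a tool from this thread or from ESET) that applies that triage to an ESET-style scan log; the sample lines are constructed from the format posted above, and the quarantine folder names it checks for are assumptions based on the tools used here.

```python
import re

# Constructed sample, in the format of the ESET online scanner log posted above.
SAMPLE_LOG = r"""
C:\Qoobox\Quarantine\C\WINDOWS\system32\veteboot.dll.vir probably a variant of Win32/Sirefef.ER trojan
C:\System Volume Information\_restore{1D4535A7-6169-4EA1-A338-398DA62C6A68}\RP56\A0043434.sys a variant of Win32/Rootkit.Kryptik.JM trojan
C:\WINDOWS\system32\pelmouse.dll probably a variant of Win32/Sirefef.ER trojan
C:\WINDOWS\system32\drivers\avipbb.sys a variant of Win32/Sirefef.DA trojan
C:\_OTM\MovedFiles\04042012_134829\C_WINDOWS\system32\pelmouse.dll probably a variant of Win32/Sirefef.ER trojan
Operating memory multiple threats
"""

# One log line is "<path> <verdict>"; the path may contain spaces, so the verdict
# phrase ("a variant of" / "probably a variant of") is what terminates it.
LINE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<verdict>(?:probably )?a variant of .+)$")
FAMILY_RE = re.compile(r"\b(Win32/[A-Za-z0-9.]+)")

# Assumed quarantine locations: ComboFix (Qoobox) and OTMoveIt/OTM moved-files folders.
QUARANTINE_MARKERS = ("\\qoobox\\quarantine\\", "\\_otm\\movedfiles\\", "\\_otmoveit\\movedfiles\\")
RESTORE_MARKER = "\\system volume information\\_restore"


def classify_path(path):
    """Return 'quarantine', 'restore_point' or 'live' for a detected file path."""
    p = path.lower()
    if any(marker in p for marker in QUARANTINE_MARKERS):
        return "quarantine"
    if RESTORE_MARKER in p:
        return "restore_point"
    return "live"


def parse_scan_log(text):
    """Parse scan log lines into findings with path, verdict, location and family."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("operating memory"):
            # Anything flagged in memory is running code, regardless of file location.
            findings.append({"path": "Operating memory", "verdict": line,
                             "location": "memory", "family": None})
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # unrecognised line (header, summary); skip rather than guess
        fam = FAMILY_RE.search(m.group("verdict"))
        findings.append({"path": m.group("path"),
                         "verdict": m.group("verdict"),
                         "location": classify_path(m.group("path")),
                         "family": fam.group(1) if fam else None})
    return findings


def still_infected(findings):
    """True when any detection is outside quarantine and restore points."""
    return any(f["location"] in ("memory", "live") for f in findings)


def active_families(findings):
    """Detection names seen on live files, for picking the right removal tool."""
    return sorted({f["family"] for f in findings if f["location"] == "live" and f["family"]})


def summarize(findings):
    """Group detected paths by location for a quick read of the log."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["location"], []).append(f["path"])
    return grouped


if __name__ == "__main__":
    found = parse_scan_log(SAMPLE_LOG)
    for location, paths in summarize(found).items():
        print(f"{location}: {len(paths)} item(s)")
    print("still infected:", still_infected(found), "| live families:", active_families(found))
```

Run against the sample, the two system32 entries and the memory line are what keep the verdict at "still infected"; the Qoobox and _OTM copies and the restore-point snapshot are not, which is why the later post treats restore-point hits as something to clear with a new restore point rather than evidence of active malware.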
 
Answers to your questions:

Do you have or did you have Adobe Photoshop v4 (PhotoshopElementsFileAgent.exe, description: Related to Adobe Photoshop)? I do not see it installed on the system now.

No. I've never had Adobe Photoshop on this system.

Do you have or did you have a Mouse Suite Driver from Primax Electronics Ltd (C:\WINDOWS\system32\pelmouse.dll)? Again, I don't see it installed on the system.

I've only used one mouse since I've had the computer. It's an XG Lazer. Primax Electronics doesn't sound familiar, but considering I've not installed any drivers for mice in about four years and that thing wasn't on before (to my knowledge) I'd say no.

Where did you download the Avira Security?

I went directly to the Avira site and downloaded it.

SAS 10: Previously handled malware, now in restore points, in the scan generated 03/06/2012 at 02:46 PM; all like the following, with different restore point numbers:

Trojan.Agent/Gen-Sirefef
C:\SYSTEM VOLUME INFORMATION\_RESTORE{1D4535A7-6169-4EA1-A338-398DA62C6A68}\RP54\A0040296.SYS

At that point I said:
You'll be happy to know that Trojan.Agent/Gen-Sirefef (AKA Zero Access Rootkit) is only indicated in System Volume. It is not active in the system. This is where the restore points are kept, and I will have you set a clean restore point and drop the old ones when we finish.

Yes. I haven't done anything with restore points. Actually, I haven't done a thing with the computer itself besides run what you tell me to run and reply to this thread.

If you are continuing to use these infected programs, please stop and uninstall them. It is useless to continue to remove these recurring infections. If you are using any torrent site to download or pirate programs, please stop now.

I haven't done a thing with the computer besides what pertains to this thread. Both the X-Com programs (which I haven't used for months) were purchased from direct2drive (a year ago) so they should have been okay at the time. If the uninstall.exe is infected, as you mentioned, then would just using Add/Remove Programs work? Or just delete the .exe files and empty the bin? Avira.... now that program will boot itself up every time the computer boots. I've always shut it off immediately since you told me to quit using it.

Okay. Now time to get working on all the steps you provided. Thanks!
 
Here is the OTM log:

All processes killed
========== FILES ==========
DllUnregisterServer procedure not found in C:\WINDOWS\system32\adobeactivefilemonitor4.0.dll
C:\WINDOWS\system32\adobeactivefilemonitor4.0.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\pelmouse.dll
C:\WINDOWS\system32\pelmouse.dll moved successfully.
File move failed. C:\WINDOWS\system32\drivers\avipbb.sys scheduled to be moved on reboot.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: All Users

User: Christopher Aune
->Temp folder emptied: 16295707 bytes
->Temporary Internet Files folder emptied: 580526 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 56540089 bytes
->Flash cache emptied: 59773 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 93217170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 159.00 mb


OTM by OldTimer - Version 3.1.19.0 log created on 04042012_134829

Files moved on Reboot...
File move failed. C:\WINDOWS\system32\drivers\avipbb.sys scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\hlktmp scheduled to be moved on reboot.

Registry entries deleted on Reboot...
 
Okay, I just went ahead and deleted the two X-COM programs. I also got rid of Avira using Add/Remove. Naturally, it brought a popup window to the Avira site to ask me why I did it. :haha: Actually, even if it weren't showing signs of being infected, I'd be glad to be rid of it. Avira Free has way too many popups constantly asking you to purchase the non-free version.

I ran the ESET sirefef removal tool. It said that no instance of sirefef could be found. Running it in safe mode with networking yielded the exact same result. I'm going ahead with the regular ESET scan now.
 
And here's the log from the latest ESET scan:

C:\Qoobox\Quarantine\C\WINDOWS\system32\veteboot.dll.vir probably a variant of Win32/Sirefef.ER trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\afd.sys.vir a variant of Win32/Rootkit.Kryptik.JM trojan
C:\System Volume Information\_restore{1D4535A7-6169-4EA1-A338-398DA62C6A68}\RP56\A0043434.sys a variant of Win32/Rootkit.Kryptik.JM trojan
C:\System Volume Information\_restore{1D4535A7-6169-4EA1-A338-398DA62C6A68}\RP57\A0043637.sys a variant of Win32/Rootkit.Kryptik.JM trojan
C:\System Volume Information\_restore{1D4535A7-6169-4EA1-A338-398DA62C6A68}\RP58\A0043977.dll probably a variant of Win32/Sirefef.ER trojan
C:\System Volume Information\_restore{1D4535A7-6169-4EA1-A338-398DA62C6A68}\RP61\A0044428.sys a variant of Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{1D4535A7-6169-4EA1-A338-398DA62C6A68}\RP61\A0044481.sys a variant of Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{1D4535A7-6169-4EA1-A338-398DA62C6A68}\RP61\A0044507.sys a variant of Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{1D4535A7-6169-4EA1-A338-398DA62C6A68}\RP61\A0044518.sys a variant of Win32/Sirefef.DA trojan
C:\_OTM\MovedFiles\04042012_134829\C_WINDOWS\system32\adobeactivefilemonitor4.0.dll probably a variant of Win32/Sirefef.ER trojan
C:\_OTM\MovedFiles\04042012_134829\C_WINDOWS\system32\pelmouse.dll probably a variant of Win32/Sirefef.ER trojan
 
By gosh, I think you did it!!

Is everything in the system working okay? Any remaining problems? What?
 
No. You did it. I just followed instructions!

I've not had any problems with the redirects or popups for awhile, actually. Obviously, Avira no longer shows any viruses because Avira is no longer on the system. The computer seems to be running well, and the internet is fast.

I assume that there will have to be wipe of the old restore points and setting a new one now?

Also, now that Avira is gone, I'll need another anti-Virus. Even if Avira (when not infected) is decent considering it's free, I wasn't too happy how it was constantly asking me to upgrade, buy their other products, and stuff like that. It was like having an adbot installed. Anything else out there?

And as for the programs that were installed. Are there certain ones that I should keep around? Like SuperAntiSpyware? And Malwarebytes - I haven't tried running it since it wouldn't work the last time. If I were to keep that, would you recommend just uninstalling it and reinstalling?

Thanks!
 
Okay, here are suggestions for good and free antivirus:

Antivirus Software (only one):
=====================================================
It's easier to remove the cleaning tools we used. Some of the programs I had you use would have to be purchased in order to be functional in Real Time, so it's easier to download Mbam and SAS (free) when you want to run a scan:
----------------------------------
Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
-----
Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
------------------------------------------
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
    • Choose Disk Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Empty the Recycle Bin
============================================
You may find the following helpful: (Links are Bold Blue)
Tips for added security and safer browsing:
  1. Browser Security
     • Make Internet Explorer safer: http://www.bleepingcomputer.com/tutorials/tutorial102.htm
     • Use a Site Advisor.
     Have layered Security:
  2. Antivirus Software (only one): Previously given
     =============================
  3. Firewall (only one)
     • Zone Alarm Free
     • Comodo Firewall Free
  4. Antispyware/Security: I recommend all of the following:
     • Spywareblaster: Protects against bad ActiveX.
     • IE/Spyad: Restricts bad domains.
     • MVPS Hosts file: Directs HOSTS file entries for bad domains to 127.0.0.1, which is your local computer.
     • Google Toolbar Popup Stopper
  5. Stay current on updates:
     • Windows Updates. You should get all updates marked Critical and the current SP updates.
     • Adobe Reader. Uninstall old versions.
     • Java. Uninstall old versions.
  6. Reset Cookies to prevent Tracking Cookies:
     • For Internet Explorer: Internet Options (through Tools or Control Panel) > Privacy tab > Advanced button > check 'Override automatic cookie handling' > check 'Accept first-party cookies' > check 'Block third-party cookies' > check 'Allow per-session cookies' > Apply > OK.
     • For Firefox: Tools > Options > Privacy > Cookies > check 'Accept cookies from sites' > uncheck 'Accept third-party cookies' > set Keep until 'they expire'. This will allow you to keep cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'Use custom settings for history'.)
     I suggest using the following two add-ons for Firefox. They will prevent the tracking cookies that come from ads and banners and other sources:
     AdBlock Plus
     Easy List
     • For Chrome: Tools > Options > Under the Hood > Privacy section > CHECK 'Restrict how third-party cookies can be used' > Close.
     (First-party and third-party cookies can be set by the website you're visiting and by websites that have items embedded in the website you're visiting. But when you next visit the website, only first-party cookie information is sent to the website. Third-party cookie information isn't sent back to the websites that originally set the third-party cookies.)
  7. Do regular Maintenance
     • To include Disk Cleanup, Defrag, Error Check.
  8. Remove Temporary Internet Files regularly:
     • TFC
  9. System Restore Guide: Understand Restore Points, why you need to clean and set restore points, and what information is in them.
  10. Practice Safe Email Handling
     • Don't open email from anyone you don't know.
     • Don't open attachments in the email. Save to your desktop and scan for viruses using a right-click.
     • Don't leave your personal email address on the internet. Have a separate email account on free web-based mail.


Please let me know if you find any bad links.
 
Thanks for that list. I'm still working my way through it. I have one little hangup, and that's uninstalling Malwarebytes. Any time I try removing it, I get a message that a certain dll file can't be found and that it can't be removed because of that. Even just trying to delete the files and folder won't work. Any tips on how to get that off?

Thanks!
 
Suggest you try the Mbam removal in Safe Mode. If that doesn't work, use the link in our preliminary thread, download Malwarebytes again, then uninstall using Add/Remove Programs. Follow with removal of the program folder using Windows Explorer.
 
Safe Mode didn't work, but installing again, then removing did the job. Thanks!

I do have a question: you recommended removing everything, including SuperAntiSpyware because those versions won't work real time. Elsewhere I've seen recommendations of keeping those and running a scan every now and then (after updating). Is there a reason to re-download each time I want to do a scan as opposed to just updating it regularly? Is it because they are targeted by malware (like this past one that seemed to shut down MBAM)? I'd just like to know.

As always, thanks for the help!
 
Why fill up the hard drive with a program that is free, requires an update before running, offers no Real Time Protection and will only be run occasionally? Instead, put useful programs on the system and use the tips for safe surfing.
-----------------------------------------
Edit to remove Tips for added security and safer browsing which were previously posted.

The above is my opinion, but the choice is yours.
 