Solved Infected with Sirefef.ab, Sirefef.W

Status
Not open for further replies.
Wow. And it only found that. :confused:

Your logs appear to be clean. If there are no more issues, then we shall clean up!

Clean up System Restore

Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

To manually create a new Restore Point
  • Go to Control Panel and select System and Maintenance
  • Select System
  • On the left select Advanced System Settings and accept the warning if you get one
  • Select System Protection Tab
  • Select Create at the bottom
  • Type in a name, i.e. Clean
  • Select Create
Now we can purge the infected ones
  • Go back to the System and Maintenance page
  • Select Performance Information and Tools
  • On the left select Open Disk Cleanup
  • Select Files from all users and accept the warning if you get one
  • In the drop down box select your main drive, i.e. C
  • For a few moments the system will make some calculations:
  • Select the More Options tab
  • In the System Restore and Shadow Backups select Clean up
  • Select Delete on the pop up
  • Select OK
  • Select Delete

Run OTC to remove our tools

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe by OldTimer:
  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Purge old temporary files

Download CCleaner Slim and save it to your Desktop - Alternate download link

When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
Follow the prompts to install the program.

* Double-click the CCleaner shortcut on the desktop to start the program.
* Click on the Options block on the left, then choose Cookies.
* Under Cookies to Delete, highlight any cookies you would like to retain permanently
* Click the right arrow > to move them to the Cookies to Keep window.
* Go into Options > Advanced & uncheck Only delete files in Windows Temp folders older than 48 hours
* Click Cleaner on the left then Run Cleaner on the right to run the program.
* Important: Make sure that ALL browser windows are closed before selecting Run Cleaner

Caution: Only use the Registry feature if you are very familiar with the registry.
Always back up your registry before making any changes. Exit CCleaner after it has completed its process.

Security Check

Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Tell me in your next reply, if you have completed these tasks:
  • Cleaned System Restore
  • Ran OTC
  • Ran TFC
  • Ran Security Check
Also, let me know how your computer is running, and don't forget to post the contents of the Security Check log.
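The restore-point and Disk Cleanup steps above, done from an elevated PowerShell prompt instead of the Control Panel. This is an added example and not part of the original post. It assumes Windows 7 with PowerShell 2.0 or later, that System Protection is enabled on the system drive, and that losing every shadow copy older than the new point (Previous Versions included) is acceptable, which is exactly what the Disk Cleanup step does as well.

```powershell
# Added example, not from the original post: create a "Clean" restore point,
# then purge every older restore point / shadow copy on the system volume.
# Assumes Windows 7, PowerShell 2.0+, and an elevated prompt. Disk Cleanup's
# "More Options" tab used in the post above is likewise only shown when Disk
# Cleanup itself runs elevated, so the same check applies here.

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Administrator) PowerShell prompt.'
}

# 1. New restore point, equivalent to System Protection > Create > "Clean".
#    Fails if System Protection is turned off for the system drive.
Checkpoint-Computer -Description 'Clean' -RestorePointType 'MODIFY_SETTINGS'

# 2. Restore points are VSS shadow copies of the system volume. Look up that
#    volume's \\?\Volume{GUID}\ name, which is what Win32_ShadowCopy records.
$systemVolume = Get-WmiObject -Class Win32_Volume |
    Where-Object { $_.DriveLetter -eq $env:SystemDrive }

$shadows = Get-WmiObject -Class Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $systemVolume.DeviceID } |
    Sort-Object -Property { [Management.ManagementDateTimeConverter]::ToDateTime($_.InstallDate) } -Descending

# 3. Keep the newest shadow copy (the "Clean" point just created), delete the rest.
#    This matches Disk Cleanup > More Options > "System Restore and Shadow Copies"
#    > Clean up, so it also drops any "Previous Versions" older than that point.
$shadows | Select-Object -Skip 1 | ForEach-Object {
    Write-Host ("Deleting shadow copy {0} from {1}" -f $_.ID,
        [Management.ManagementDateTimeConverter]::ToDateTime($_.InstallDate))
    $_.Delete()
}

# 4. Verify: exactly one restore point, named Clean, should remain.
Get-ComputerRestorePoint | Select-Object SequenceNumber, Description, CreationTime
```

Run it once, after the logs are clean. If the "More Options" tab is missing when you open Disk Cleanup by hand, it is for the same reason this script refuses to run: Disk Cleanup was not started elevated (on Windows 7, click "Clean up system files" first).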
 
One problem: I don't have the "More Options" tab. *nerd*

Microsoft Security Essentials also popped up. It said that Win64/Sirefef.B was active and the recommended action was to quarantine it.
 
I deleted all the quarantined files in Microsoft Security Essentials and after a quick scan it didn't find anything.

Maybe the Win32/Packed.VMProtect.D virus was the creator of Sirefef and distributed it. So after deleting the source with the ESET online scan Sirefef couldn't be distributed anymore but it was still in the quarantine of MSE. I don't know if that's possible, but I suspect it. :)

Here's the FRST log.

Farbar Recovery Scan Tool "FRST.txt":
--------------------------------------------------------------------
Scan result of Farbar Recovery Scan Tool Version: 16-07-2012 02
Ran by SYSTEM at 13-08-2012 13:56:31
Running from F:\
Windows 7 Ultimate (X64) OS Language: Dutch Standard
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE [x]
HKLM\...\Run: [XboxStat] "C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun [825184 2009-10-01] (Microsoft Corporation)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
HKU\Gast\...\Run: [RGSC] E:\Data\Games\[PLAY] GTA IV\Rockstar Games Social Club\RGSCLauncher.exe /silent [x]
HKU\Gast\...\Run: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent [1353080 2012-08-08] (Valve Corporation)
HKU\Gast\...\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun [3671872 2012-04-17] (DT Soft Ltd)
HKU\Gast\...\Run: [AdobeBridge] [x]
HKU\Gast\...\Run: [HydraVisionMDEngine] "C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD.exe" [569344 2010-08-25] (AMD)
HKU\Gast\...\Run: [uTorrent] "C:\Program Files (x86)\uTorrent\uTorrent.exe" /MINIMIZED [880496 2012-05-20] (BitTorrent, Inc.)
HKU\Gast\...\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized [17357960 2012-05-03] (Skype Technologies S.A.)
HKU\Gast\...\Run: [EADM] "C:\Program Files (x86)\Origin\Origin.exe" -AutoStart [3407496 2012-05-23] (Electronic Arts)
HKU\Hidde\...\Run: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent [1353080 2012-08-08] (Valve Corporation)
HKLM-x32\...\Runonce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/nl.special-unins...VORUYtUEI2M0YtWDlaQVMtQU8zVEItSEk5Sk8tM0xQMkM"&"inst=NzctNzEwOTk5NDQ0LVNUMTJGT0krMS1ERFQrMC1FVUxBKzEtU1QxMkZBUFArMQ"&"prod=90"&"ver=2012.0.1796"&"mid=4262cf34cac247d1b5f5d16c649a9bc7-ad1491be2ce6c122f6b66faa90e70c2decf7d34c [x]
Winlogon\Notify\LBTWlgn: c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll (Logitech, Inc.)
Tcpip\..\Interfaces\{D152E762-592D-4911-B26F-0089DDB0FE26}: [NameServer]212.19.241.137,212.19.225.136
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
ShortcutTarget: Logitech SetPoint.lnk -> C:\Program Files\Logitech\SetPoint\SetPoint.exe (Logitech, Inc.)

==================== Services (Whitelisted) ======

3 Adobe Version Cue CS4; "C:\Program Files (x86)\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe" -win32service [288112 2012-03-16] (Adobe Systems Incorporated)
3 FirebirdServerMAGIXInstance; "C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\fbserver.exe" [3276800 2008-08-07] (MAGIX®)
3 fussvc; "C:\Program Files\Windows Kits\8.0\App Certification Kit\fussvc.exe" [137728 2012-02-09] (Microsoft Corporation)
2 Irmon; C:\Windows\System32\irmon.dll [23552 2009-07-14] (Microsoft Corporation)
2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)
2 MSSQL$SQLEXPRESS; "C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS [57617752 2009-03-30] (Microsoft Corporation)
3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [291696 2012-03-26] (Microsoft Corporation)
2 PnkBstrA; C:\Windows\SysWow64\PnkBstrA.exe [76888 2012-01-08] ()
2 Realtek11nSU; C:\Program Files (x86)\SITECOM\300N X2 USB Wireless LAN Utility\RtlService.exe [36864 2009-06-01] (Realtek)
4 SQLAgent$SQLEXPRESS; "C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE" -I SQLEXPRESS [427880 2009-03-30] (Microsoft Corporation)
2 TuneUp.UtilitiesSvc; "C:\Program Files (x86)\TuneUp Utilities 2012\TuneUpUtilitiesService64.exe" [2143552 2012-02-09] (TuneUp Software)
3 wampapache; "C:\wamp\bin\apache\apache2.2.21\bin\httpd.exe" -k runservice [21504 2011-09-26] (Apache Software Foundation)
3 wampmysqld; C:\wamp\bin\mysql\mysql5.5.20\bin\mysqld.exe wampmysqld [9690112 2012-01-25] ()
3 WMZuneComm; "C:\Program Files\Zune\WMZuneComm.exe" [306400 2011-08-05] (Microsoft Corporation)
3 ZuneNetworkSvc; "C:\Program Files\Zune\ZuneNss.exe" [8277728 2011-08-05] (Microsoft Corporation)
3 ZuneWlanCfgSvc; "C:\Program Files\Zune\ZuneWlanCfgSvc.exe" [467680 2011-08-05] (Microsoft Corporation)

========================== Drivers (Whitelisted) =============

2 AODDriver4.01; \??\C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [55424 2011-06-24] (Advanced Micro Devices)
2 atksgt; C:\Windows\System32\Drivers\atksgt.sys [314016 2011-04-08] ()
1 dtsoftbus01; C:\Windows\System32\Drivers\dtsoftbus01.sys [283200 2012-06-19] (DT Soft Ltd)
3 FLxHCIh; C:\Windows\System32\Drivers\FLxHCIh.sys [65536 2010-08-27] (Fresco Logic)
3 hamachi; C:\Windows\System32\Drivers\hamachi.sys [33856 2009-03-18] (LogMeIn, Inc.)
2 irda; C:\Windows\System32\Drivers\irda.sys [120320 2009-07-14] (Microsoft Corporation)
3 irsir; C:\Windows\System32\Drivers\irsir.sys [27648 2008-01-19] (Microsoft Corporation)
2 lirsgt; C:\Windows\System32\Drivers\lirsgt.sys [43680 2011-04-08] ()
1 mbmiodrvr; \??\C:\Windows\syswow64\mbmiodrvr.sys [4608 2004-04-10] (cansoft@livewiredev.com)
3 TuneUpUtilitiesDrv; \??\C:\Program Files (x86)\TuneUp Utilities 2012\TuneUpUtilitiesDriver64.sys [11856 2011-10-20] (TuneUp Software)
3 VSPerfDrv110; \??\C:\Program Files (x86)\Microsoft Visual Studio 11.0\Team Tools\Performance Tools\x64\VSPerfDrv110.sys [67920 2011-12-12] (Microsoft Corporation)
3 XENfiltv; C:\Windows\System32\Drivers\XENfiltv.sys [25600 2009-07-31] (Creative Technology Ltd.)
3 ALSysIO; \??\C:\Users\Hidde\AppData\Local\Temp\ALSysIO64.sys [x]
3 catchme; \??\C:\ComboFix\catchme.sys [x]
3 cpuz135; \??\C:\Users\Hidde\AppData\Local\Temp\cpuz135\cpuz135_x64.sys [x]
3 Synth3dVsc; C:\Windows\System32\drivers\synth3dvsc.sys [x]
3 tsusbhub; C:\Windows\System32\drivers\tsusbhub.sys [x]
3 VGPU; C:\Windows\System32\drivers\rdvgkmd.sys [x]
3 X6va005; \??\C:\Users\Hidde\AppData\Local\Temp\0059039.tmp [x]
3 X6va008; \??\C:\Windows\SysWOW64\Drivers\X6va008 [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-08-09 09:25 - 2012-08-09 09:25 - 02322184 ____A (ESET) C:\Users\Hidde\Downloads\esetsmartinstaller_enu.exe
2012-08-09 09:25 - 2012-08-09 09:25 - 00000000 ____D C:\Program Files (x86)\ESET
2012-08-08 07:35 - 2012-08-08 07:35 - 00024626 ____A C:\ComboFix.txt
2012-08-06 14:09 - 2012-08-08 07:35 - 00000000 ____D C:\Qoobox
2012-08-06 14:09 - 2012-08-06 14:21 - 00000000 ____D C:\Windows\erdnt
2012-08-06 14:09 - 2011-06-26 07:45 - 00256000 ____A C:\Windows\PEV.exe
2012-08-06 14:09 - 2010-11-07 18:20 - 00208896 ____A C:\Windows\MBR.exe
2012-08-06 14:09 - 2009-04-20 05:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-08-06 14:09 - 2000-08-31 01:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-08-06 14:09 - 2000-08-31 01:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-08-06 14:09 - 2000-08-31 01:00 - 00098816 ____A C:\Windows\sed.exe
2012-08-06 14:09 - 2000-08-31 01:00 - 00080412 ____A C:\Windows\grep.exe
2012-08-06 14:09 - 2000-08-31 01:00 - 00068096 ____A C:\Windows\zip.exe
2012-08-06 14:08 - 2012-08-06 14:04 - 04725168 ___RA (Swearware) C:\Users\Hidde\Desktop\ComboFix.exe
2012-07-19 08:27 - 2012-07-19 08:28 - 00000000 ____D C:\FRST
2012-07-19 07:33 - 2012-07-19 07:33 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.3C1AE47AB51889C6
2012-07-18 11:44 - 2012-07-18 11:44 - 00000855 ____A C:\Users\Hidde\Desktop\gmer.log
2012-07-18 11:19 - 2012-07-18 10:52 - 00302592 ____A C:\Users\Hidde\Desktop\gfz7h0gr.exe
2012-07-18 11:06 - 2012-08-08 12:42 - 00001116 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-07-18 11:06 - 2012-08-08 12:42 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-07-18 11:06 - 2012-07-18 11:06 - 00000000 ____D C:\Users\Hidde\AppData\Roaming\Malwarebytes
2012-07-18 11:06 - 2012-07-18 11:06 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-07-18 11:06 - 2012-07-03 12:46 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-07-18 11:05 - 2012-07-18 10:52 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\Hidde\Desktop\mbam-setup-1.62.0.1300.exe
2012-07-18 10:21 - 2012-07-18 10:21 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.F89547CC9349ABE0
2012-07-18 10:10 - 2012-07-18 10:10 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.213CD11BC46267B2
2012-07-18 09:56 - 2012-07-18 09:56 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.BDCE8669122432CA
2012-07-18 09:50 - 2012-07-18 09:50 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.6AD6BD21D505363A
2012-07-18 09:44 - 2012-07-18 09:44 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-07-18 09:44 - 2012-07-18 09:44 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2012-07-17 15:18 - 2012-07-17 15:18 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-07-17 14:50 - 2012-07-17 14:50 - 00000064 ____A C:\Users\Hidde\Desktop\virtuemart.txt

============ 3 Months Modified Files ========================

2012-08-13 12:53 - 2011-01-08 19:49 - 01570952 ____A C:\Windows\WindowsUpdate.log
2012-08-13 12:28 - 2012-06-16 10:13 - 00001054 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-08-13 11:57 - 2012-06-15 12:37 - 00000940 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-08-13 11:24 - 2009-07-14 05:45 - 00013632 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-08-13 11:24 - 2009-07-14 05:45 - 00013632 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-08-13 11:21 - 2009-07-14 10:16 - 00811884 ____A C:\Windows\System32\perfh013.dat
2012-08-13 11:21 - 2009-07-14 10:16 - 00178392 ____A C:\Windows\System32\perfc013.dat
2012-08-13 11:21 - 2009-07-14 06:13 - 01856960 ____A C:\Windows\System32\PerfStringBackup.INI
2012-08-13 11:17 - 2012-06-16 10:13 - 00001050 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-08-13 11:16 - 2012-02-29 22:09 - 00018320 ____A C:\Windows\setupact.log
2012-08-13 11:16 - 2009-07-14 06:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-08-09 10:57 - 2012-05-09 17:16 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-08-09 10:57 - 2011-05-20 08:08 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-08-09 09:25 - 2012-08-09 09:25 - 02322184 ____A (ESET) C:\Users\Hidde\Downloads\esetsmartinstaller_enu.exe
2012-08-08 12:42 - 2012-07-18 11:06 - 00001116 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-08-08 12:36 - 2012-02-29 22:08 - 00238824 ____A C:\Windows\PFRO.log
2012-08-08 07:35 - 2012-08-08 07:35 - 00024626 ____A C:\ComboFix.txt
2012-08-08 07:33 - 2009-07-14 03:34 - 00000215 ____A C:\Windows\system.ini
2012-08-06 14:04 - 2012-08-06 14:08 - 04725168 ___RA (Swearware) C:\Users\Hidde\Desktop\ComboFix.exe
2012-07-19 07:33 - 2012-07-19 07:33 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.3C1AE47AB51889C6
2012-07-18 11:44 - 2012-07-18 11:44 - 00000855 ____A C:\Users\Hidde\Desktop\gmer.log
2012-07-18 10:52 - 2012-07-18 11:19 - 00302592 ____A C:\Users\Hidde\Desktop\gfz7h0gr.exe
2012-07-18 10:52 - 2012-07-18 11:05 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\Hidde\Desktop\mbam-setup-1.62.0.1300.exe
2012-07-18 10:21 - 2012-07-18 10:21 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.F89547CC9349ABE0
2012-07-18 10:10 - 2012-07-18 10:10 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.213CD11BC46267B2
2012-07-18 09:56 - 2012-07-18 09:56 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.BDCE8669122432CA
2012-07-18 09:50 - 2012-07-18 09:50 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.6AD6BD21D505363A
2012-07-18 09:44 - 2011-12-28 11:02 - 00001912 ____A C:\Windows\epplauncher.mif
2012-07-18 09:44 - 2011-03-03 21:15 - 01878746 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-07-17 14:50 - 2012-07-17 14:50 - 00000064 ____A C:\Users\Hidde\Desktop\virtuemart.txt
2012-07-13 09:39 - 2012-07-13 09:39 - 00001644 ____A C:\Users\Hidde\Desktop\Crashtastic.lnk
2012-07-12 07:59 - 2009-07-14 05:45 - 06856704 ____A C:\Windows\System32\FNTCACHE.DAT
2012-07-11 16:27 - 2011-01-16 08:51 - 59701280 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-07-05 16:25 - 2012-07-05 16:25 - 00000967 ____A C:\Users\Hidde\Desktop\Core Temp.lnk
2012-07-05 16:23 - 2012-07-05 16:23 - 00000876 ____A C:\Users\Public\Desktop\CPUID CPU-Z.lnk
2012-07-05 16:08 - 2012-07-05 16:08 - 00000017 ____A C:\Users\Hidde\AppData\Local\resmon.resmoncfg
2012-07-03 12:46 - 2012-07-18 11:06 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-06-29 10:30 - 2011-12-19 16:34 - 00000235 __RAH C:\Windows\ctfile.rfc
2012-06-20 10:07 - 2012-06-20 10:07 - 00001525 ____A C:\Users\Hidde\Desktop\Illustrator.lnk
2012-06-20 10:07 - 2012-06-20 10:07 - 00001238 ____A C:\Users\Hidde\Desktop\Dreamweaver.lnk
2012-06-20 10:07 - 2012-06-20 10:07 - 00001214 ____A C:\Users\Hidde\Desktop\Fireworks.lnk
2012-06-20 10:04 - 2011-01-08 13:38 - 00133888 ____A C:\Users\Hidde\AppData\Local\GDIPFONTCACHEV1.DAT
2012-06-19 09:04 - 2012-03-18 13:27 - 00283200 ____A (DT Soft Ltd) C:\Windows\System32\Drivers\dtsoftbus01.sys
2012-06-16 14:19 - 2012-06-16 13:39 - 00002010 ___AH C:\Users\Hidde\Documents\Default.rdp
2012-06-12 04:08 - 2012-07-11 16:30 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-11 12:21 - 2012-06-11 10:49 - 00011083 ____A C:\Users\Hidde\Documents\werkzaamheden_specificatie_dewestfries.xlsx
2012-06-09 06:43 - 2012-07-11 13:05 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-09 05:41 - 2012-07-11 13:05 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2012-06-08 15:00 - 2012-03-02 15:59 - 00110447 ____A C:\Windows\DirectX.log
2012-06-08 09:26 - 2012-06-08 09:26 - 00000222 ____A C:\Users\Hidde\Desktop\Superbrothers Sword & Sworcery EP.url
2012-06-08 09:26 - 2012-06-08 09:26 - 00000221 ____A C:\Users\Hidde\Desktop\LIMBO.url
2012-06-08 09:26 - 2012-06-08 09:26 - 00000221 ____A C:\Users\Hidde\Desktop\Amnesia The Dark Descent.url
2012-06-08 09:26 - 2012-06-08 09:26 - 00000220 ____A C:\Users\Hidde\Desktop\Psychonauts.url
2012-06-08 09:22 - 2012-06-08 09:22 - 00000222 ____A C:\Users\Hidde\Desktop\Bastion.url
2012-06-08 09:21 - 2012-06-08 09:21 - 00000221 ____A C:\Users\Hidde\Desktop\Super Meat Boy.url
2012-06-08 09:21 - 2012-06-08 09:21 - 00000221 ____A C:\Users\Hidde\Desktop\Braid.url
2012-06-08 09:21 - 2012-06-08 09:21 - 00000202 ____A C:\Users\Hidde\Desktop\Super Meat Boy Editor.url
2012-06-08 09:21 - 2012-06-08 09:21 - 00000195 ____A C:\Users\Hidde\Desktop\Lone Survivor.url
2012-06-07 09:39 - 2012-06-07 09:39 - 00001727 ____A C:\Users\Public\Desktop\League of Legends.lnk
2012-06-07 09:11 - 2011-12-04 15:02 - 00001025 ____A C:\Users\Hidde\Desktop\Dropbox.lnk
2012-06-06 19:36 - 2011-06-12 13:11 - 00283304 ____A C:\Windows\SysWOW64\PnkBstrB.xtr
2012-06-06 19:36 - 2011-06-12 13:09 - 00283304 ____A C:\Windows\SysWOW64\PnkBstrB.exe
2012-06-06 19:35 - 2011-06-12 13:09 - 00280904 ____A C:\Windows\SysWOW64\PnkBstrB.ex0
2012-06-06 07:06 - 2012-07-11 13:05 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-06 07:06 - 2012-07-11 13:05 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-06 07:02 - 2012-07-11 13:05 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-06-06 06:05 - 2012-07-11 13:05 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2012-06-06 06:05 - 2012-07-11 13:05 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2012-06-06 06:03 - 2012-07-11 13:05 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll
2012-06-05 13:14 - 2012-06-05 13:14 - 00316064 ____A C:\Windows\Minidump\060512-21574-01.dmp
2012-06-05 13:14 - 2012-04-11 09:18 - 1151349537 ____A C:\Windows\MEMORY.DMP
2012-06-04 17:01 - 2012-06-04 17:01 - 00001385 ____A C:\Users\Hidde\Desktop\Visual Studio 11 Beta.lnk
2012-06-04 13:24 - 2012-06-04 13:23 - 00275264 ____A C:\Windows\Minidump\060412-46113-01.dmp
2012-06-04 11:06 - 2012-06-04 11:06 - 00002531 ____A C:\Users\Hidde\Desktop\Skype.lnk
2012-06-02 23:19 - 2012-06-22 08:30 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 23:19 - 2012-06-22 08:30 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 23:19 - 2012-06-22 08:30 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 23:19 - 2012-06-22 08:30 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 23:19 - 2012-06-22 08:30 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 23:15 - 2012-06-22 08:30 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 23:15 - 2012-06-22 08:30 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 14:19 - 2012-06-22 08:30 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 14:15 - 2012-06-22 08:30 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-02 13:49 - 2012-07-11 16:26 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-02 13:17 - 2012-07-11 16:26 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-02 13:12 - 2012-07-11 16:26 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-02 13:05 - 2012-07-11 16:26 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-02 13:05 - 2012-07-11 16:26 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-02 13:04 - 2012-07-11 16:26 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-02 13:04 - 2012-07-11 16:26 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-02 13:03 - 2012-07-11 16:26 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-02 13:01 - 2012-07-11 16:26 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-02 13:00 - 2012-07-11 16:26 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-02 12:59 - 2012-07-11 16:26 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-02 12:57 - 2012-07-11 16:26 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-02 12:57 - 2012-07-11 16:26 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-02 12:54 - 2012-07-11 16:26 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-02 10:07 - 2012-07-11 16:26 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-06-02 09:43 - 2012-07-11 16:26 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-06-02 09:33 - 2012-07-11 16:26 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-06-02 09:26 - 2012-07-11 16:26 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-06-02 09:25 - 2012-07-11 16:26 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-06-02 09:25 - 2012-07-11 16:26 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-06-02 09:23 - 2012-07-11 16:26 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-06-02 09:21 - 2012-07-11 16:26 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-06-02 09:20 - 2012-07-11 16:26 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-06-02 09:19 - 2012-07-11 16:26 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-06-02 09:19 - 2012-07-11 16:26 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-06-02 09:17 - 2012-07-11 16:26 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-06-02 09:16 - 2012-07-11 16:26 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-06-02 09:14 - 2012-07-11 16:26 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-06-02 06:50 - 2012-07-11 13:05 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-06-02 06:48 - 2012-07-11 13:05 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-06-02 06:48 - 2012-07-11 13:05 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-02 06:45 - 2012-07-11 13:05 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-02 06:44 - 2012-07-11 13:05 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-06-02 05:40 - 2012-07-11 13:05 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2012-06-02 05:40 - 2012-07-11 13:05 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2012-06-02 05:39 - 2012-07-11 13:05 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2012-06-02 05:34 - 2012-07-11 13:05 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2012-05-24 11:04 - 2012-05-24 11:04 - 00000562 ____A C:\Windows\wmsetup.log
2012-05-23 19:57 - 2012-05-23 19:57 - 00000221 ____A C:\Users\Hidde\Desktop\Dead Island.url
2012-05-22 13:26 - 2012-06-11 12:13 - 00224088 ____A (Oracle Corporation) C:\Windows\System32\Drivers\VBoxDrv.sys
2012-05-22 13:26 - 2012-06-11 12:13 - 00130904 ____A (Oracle Corporation) C:\Windows\System32\Drivers\VBoxUSBMon.sys
2012-05-22 13:26 - 2012-05-22 13:26 - 00147288 ____A (Oracle Corporation) C:\Windows\System32\Drivers\VBoxNetAdp.sys
2012-05-22 13:25 - 2012-05-22 13:25 - 00320856 ____A (Oracle Corporation) C:\Windows\System32\VBoxNetFltNobj.dll
2012-05-22 13:25 - 2012-05-22 13:25 - 00166232 ____A (Oracle Corporation) C:\Windows\System32\Drivers\VBoxNetFlt.sys
2012-05-21 12:32 - 2012-05-21 12:32 - 00000767 ____A C:\Users\Hidde\Desktop\Driver.lnk


========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 9%
Total physical RAM: 10239.24 MB
Available physical RAM: 9278.35 MB
Total Pagefile: 10237.39 MB
Available Pagefile: 9273.18 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

======================= Partitions =========================

1 Drive c: (Windows) (Fixed) (Total:931.41 GB) (Free:457.01 GB) NTFS
3 Drive f: () (Removable) (Total:0.94 GB) (Free:0.78 GB) NTFS
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
5 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 931 GB 1024 KB
Disk 1 Online 961 MB 0 B

Leaving DiskPart...


==========================================================

Last Boot: 2012-07-11 14:18

======================= End Of Log ==========================
--------------------------------------------------------------------
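A first pass over an FRST log like the one above can be scripted. The block below is an added example; it is not FRST's own logic and not from this thread. The rules are my own generic hygiene checks (an autostart or driver entry whose file is missing, a driver loading from a Temp directory, a running binary with no publisher, a folder whose name is a literal %VARIABLE%, an extra hashed copy of a core system binary, a hidden+system directory), and the input is a handful of lines copied from the log above. A hit marks a line worth reading by a person, not an infection.

```powershell
# Added example, not from the original thread: first-pass triage of FRST log
# lines. The rules are mine, not FRST's; a hit means "look at this", nothing more.
# Sample input: lines copied from the FRST.txt posted above.

$frstLines = @'
HKLM\...\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE [x]
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
2 PnkBstrA; C:\Windows\SysWow64\PnkBstrA.exe [76888 2012-01-08] ()
1 mbmiodrvr; \??\C:\Windows\syswow64\mbmiodrvr.sys [4608 2004-04-10] (cansoft@livewiredev.com)
3 ALSysIO; \??\C:\Users\Hidde\AppData\Local\Temp\ALSysIO64.sys [x]
3 X6va005; \??\C:\Users\Hidde\AppData\Local\Temp\0059039.tmp [x]
2012-07-19 07:33 - 2012-07-19 07:33 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.3C1AE47AB51889C6
2012-07-17 15:18 - 2012-07-17 15:18 - 00000000 __SHD C:\Windows\System32\%APPDATA%
'@ -split "`r?`n"

# Each rule: a short name, a regex over one FRST line, and the reason a reviewer
# would want to see the line.
$rules = @(
    @{ Name = 'missing-target';     Pattern = '\[x\]\s*$';
       Why  = 'autostart/driver entry whose file no longer exists (stale, or already removed)' },
    @{ Name = 'temp-driver';        Pattern = '^\d+ \S+; .*\\Temp\\';
       Why  = 'service or driver registered from a Temp directory' },
    @{ Name = 'no-publisher';       Pattern = '\]\s*\(\)\s*$';
       Why  = 'running binary with no company name in its version resource' },
    @{ Name = 'literal-envvar';     Pattern = '\\%[A-Za-z]+%(\\|$)';
       Why  = 'path component that is a literal %VARIABLE% name, which Windows itself never creates' },
    @{ Name = 'renamed-system-exe'; Pattern = '\\System32\\(services|svchost|winlogon)\.exe\.[0-9A-F]{16}$';
       Why  = 'extra copy of a core system binary under a hashed name' },
    @{ Name = 'hidden-system-dir';  Pattern = ' __SHD ';
       Why  = 'directory carrying Hidden+System attributes' }
)

function Find-SuspiciousFrstLines {
    param([string[]]$Lines, [array]$Rules)
    foreach ($line in $Lines) {
        foreach ($rule in $Rules) {
            # -match is case-insensitive, which suits mixed-case Windows paths.
            if ($line -match $rule.Pattern) {
                New-Object PSObject -Property @{ Rule = $rule.Name; Why = $rule.Why; Line = $line }
            }
        }
    }
}

Find-SuspiciousFrstLines -Lines $frstLines -Rules $rules |
    Format-Table Rule, Line -AutoSize -Wrap
```

On the sample above this flags the two Temp-directory drivers twice (missing target and Temp location), the hashed services.exe copy, the hidden %APPDATA% folder under System32 on two rules, the publisher-less PnkBstrA service, and the missing KHALMNPR.EXE; the MSE autorun line passes every rule. To run it over a full log, replace the here-string with Get-Content FRST.txt.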
 
Indeed. The fact that it suspected "active" infection, made me realize the potential for it to be re-generated. But, I can see MSE has some flaws that I don't like at all.

Continue with post #26 please.
 
Everything ran well and I now have one restore point named 'Clean'.

Here are the contents of the Security Check log.

Security Check Log "checkup.txt":
---------------------------------------------------------
Results of screen317's Security Check version 0.99.43
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Microsoft Security Essentials
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.62.0.1300
TuneUp Utilities 2012
TuneUp Utilities Language Pack (en-US)
JavaFX 2.0.3
Java(TM) 7 Update 3
Visual Studio Extensions for Windows Library for JavaScript
Java version out of Date!
Adobe Reader 9 Adobe Reader out of Date!
Mozilla Firefox 13.0.1 Firefox out of Date!
Google Chrome 14.0.835.202
Google Chrome 16.0.912.63
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
Microsoft Security Essentials msseces.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 13% Defragment your hard drive soon!
````````````````````End of Log``````````````````````
------------------------------------------
 
Update Firefox

Firefox is out of date. Firefox is a very popular web browser, and if it is out of date, it is very vulnerable to security bugs, and other holes. To update it now, click Help > Check for Updates.


Update Adobe Reader

Please download the newest version of Adobe Acrobat Reader from Adobe.com

Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

Once old versions are gone, please install the newest version.



Update Java

Please download the newest version of Java from Java.com.

Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
Search in the list for all previous installed versions of Java. (J2SE Runtime Environment). Please uninstall/remove each of them.

Once old versions are gone, please install the newest version.

Read more about Java exploit problems


Personal Tips on Preventing Malware

See this page for more info about malware and prevention.

Read more about "FAQ: How did Sirefef or ZeroAccess Infect You?"

Any other questions before I mark this topic solved?
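The "remove every older version first" steps for Java and Adobe Reader, and the Firefox check, can be verified from the registry instead of by scrolling through Programs and Features. This is an added example, not from the original post; it assumes Windows 7 x64 (so 32-bit installers register under the Wow6432Node hive), and the product-name patterns are mine.

```powershell
# Added example, not from the original thread: list every installed copy of the
# products Security Check flagged (Java, JavaFX, Adobe Reader, Firefox) from the
# Windows uninstall registry keys, and warn when more than one version of a
# product is present. Assumes Windows 7 x64; read-only, it uninstalls nothing.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Display-name prefixes (my assumption of how these products register).
# 'JavaFX' is listed before 'Java' so it is not lumped in with the JRE.
$patterns = 'JavaFX', 'Java', 'Adobe Reader', 'Mozilla Firefox'

$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    ForEach-Object {
        $entry = $_
        $hit = $patterns | Where-Object { $entry.DisplayName -like "$_*" }
        if ($hit) {
            New-Object PSObject -Property @{
                Product         = ($hit | Select-Object -First 1)
                DisplayName     = $entry.DisplayName
                DisplayVersion  = $entry.DisplayVersion
                UninstallString = $entry.UninstallString
                Is64Bit         = ($entry.PSPath -notmatch 'Wow6432Node')
            }
        }
    }

$installed | Sort-Object Product, DisplayVersion |
    Format-Table Product, DisplayName, DisplayVersion, Is64Bit -AutoSize

# More than one entry per product means side-by-side versions: everything
# except the newest should be removed before the update is installed.
$installed | Group-Object Product | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    $versions = ($_.Group | ForEach-Object { $_.DisplayVersion }) -join ', '
    Write-Warning ("{0}: {1} versions installed ({2})" -f $_.Name, $_.Count, $versions)
}

# Each UninstallString can be run as-is. MSI-based products (Java, Adobe Reader)
# expose the product code in that string and can be removed silently with:
#   msiexec.exe /x {PRODUCT-CODE} /qn
```

Run the same listing again after updating: the only entries left for each product should be the single current version, and both the 64-bit and the Wow6432Node hive should be clear of older ones.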
 
Everything is updated.

I want to thank you very much for your help and patience. You guys do great work. (y)

Guess I should stop torrenting now. :D
 