Solved Live platinum security and sirefef infections

Download Malwarebytes' Anti-Malware (MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.
NOTE. If you already have MBAM installed, update it before running the scan.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer IF MBAM asks you to do so.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

========================================

  • Download RogueKiller on the desktop
  • Close all the running programs
  • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • Pre-scan will start. Let it finish.
  • Click on SCAN button.
  • A report (RKreport.txt) should open. Post its content in your next reply. (RKreport could also be found on your desktop)
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again

======================================

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: "Would you like to download latest Avast! virus definitions?", say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.
 
Here's the MBAM log. When I tried to go to the RogueKiller site I got a 404 page not found error (in Firefox) and an ilitili.com popup window with some spam survey. When I've been running ComboFix, it has not disconnected me from the internet; should I just do that manually?

Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.25.07

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Joni :: SALLY [administrator]

Protection: Enabled

7/25/2012 1:40:58 PM
mbam-log-2012-07-25 (13-40-58).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 190799
Time elapsed: 3 minute(s), 21 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 
Are you saying you have no internet connection?
If so, did you try to restart the computer?
 
Restarting got it done. Here's the RK log:

RogueKiller V7.6.4 [07/17/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: https://www.techspot.com/downloads/5562-roguekiller.html
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User: Joni [Admin rights]
Mode: Scan -- Date: 07/25/2012 14:01:55

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 4 ¤¤¤
[SUSP PATH] CandyUpdater.job @ : C:\Users\Joni\AppData\Local\ArcadeCandy\candyUpdater.exe -> FOUND
[SUSP PATH] CandyUpdater.job @ : C:\Users\Joni\AppData\Local\ArcadeCandy\candyUpdater.exe -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST332041 8AS SCSI Disk Device +++++
--- User ---
[MBR] ef995492884d608df3aae70effef0a4c
[BSP] f5c601666463ec10212840cd4010222d : Windows Vista/7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 295193 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 604762112 | Size: 9950 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive1: SanDisk Cruzer USB Device +++++
--- User ---
[MBR] 33a0f33fb7e7f518f64aedcb9dad35b0
[BSP] df4f83c1f72e36823a12b0dfc7617313 : MBR Code unknown
Partition table:
0 - [XXXXXX] FAT32 (0x0b) [VISIBLE] Offset (sectors): 32 | Size: 7633 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1].txt >>
RKreport[1].txt
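The RogueKiller report above has three things an analyst wants pulled out mechanically: the two scheduled-task entries that point at an executable under the user's own AppData, the two [HJ] NewStartPanel entries (Explorer desktop-icon visibility flags, the kind of setting a rogue AV flips rather than a persistence mechanism), and the HOSTS and MBR sections that happen to be clean here. The script below is an added example for this thread, not RogueKiller's own code: it parses the report's section and entry formats as they appear above and reduces them to a short triage list. The sample text is constructed from the quoted report; the second HOSTS line with the `.invalid` host name is made up to exercise the non-default-entry check.

```python
"""Parse a RogueKiller report into structured findings and triage them.

Added example for this thread, not RogueKiller's own code. SAMPLE_RK_REPORT
is constructed from the report quoted in the thread; the second HOSTS line
(an '.invalid' name) is made up to exercise the non-default-entry check.
"""
import re

SAMPLE_RK_REPORT = r"""
¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 4 ¤¤¤
[SUSP PATH] CandyUpdater.job @ : C:\Users\Joni\AppData\Local\ArcadeCandy\candyUpdater.exe -> FOUND
[SUSP PATH] CandyUpdater.job @ : C:\Users\Joni\AppData\Local\ArcadeCandy\candyUpdater.exe -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost
0.0.0.0 update.example-av.invalid

¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: ST332041 8AS SCSI Disk Device +++++
[MBR] ef995492884d608df3aae70effef0a4c
[BSP] f5c601666463ec10212840cd4010222d : Windows Vista/7 MBR Code
+++++ PhysicalDrive1: SanDisk Cruzer USB Device +++++
[BSP] df4f83c1f72e36823a12b0dfc7617313 : MBR Code unknown
"""

SECTION_RE = re.compile(r"^¤¤¤ (.+?)(?::\s*\d+)?\s*¤¤¤$")
ENTRY_RE = re.compile(r"^\[(?P<tag>[A-Z ]+)\] (?P<body>.+?) -> (?P<status>[A-Z]+)")
HOSTS_RE = re.compile(r"^(?P<ip>[0-9a-fA-F.:]+)\s+(?P<host>\S+)")
DRIVE_RE = re.compile(r"^\+{5} (?P<drive>PhysicalDrive\d+): (?P<model>.+?) \+{5}$")
BSP_RE = re.compile(r"^\[BSP\] (?P<md5>[0-9a-f]{32}) : (?P<desc>.+)$")
# Locations a non-admin user can write to; persistence launched from here deserves a look.
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\|\\ProgramData\\|\\Temp\\", re.I)


def parse_rk_report(text):
    """Return (findings, hosts, drives) extracted from an RK report."""
    section, drive = None, None
    findings, hosts, drives = [], [], {}
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).rstrip(": ")
            continue
        if section == "HOSTS File":
            m = HOSTS_RE.match(line)
            if m:
                hosts.append((m.group("ip"), m.group("host")))
        elif section == "MBR Check":
            m = DRIVE_RE.match(line)
            if m:
                drive = m.group("drive")
                drives[drive] = {"model": m.group("model"), "mbr_desc": None}
            m = BSP_RE.match(line)
            if m and drive:
                drives[drive]["mbr_md5"] = m.group("md5")
                drives[drive]["mbr_desc"] = m.group("desc")
        else:
            m = ENTRY_RE.match(line)
            if m:
                body = m.group("body")
                findings.append({"section": section, "tag": m.group("tag"), "body": body,
                                 "status": m.group("status"),
                                 "user_writable": bool(USER_WRITABLE_RE.search(body))})
    return findings, hosts, drives


def triage(findings, hosts, drives):
    """Reduce parsed data to the items an analyst should act on or verify."""
    notes, seen = [], set()
    for f in findings:
        if (f["tag"], f["body"]) in seen:   # RK lists the same .job twice in the report
            continue
        seen.add((f["tag"], f["body"]))
        if f["tag"] == "SUSP PATH" and f["user_writable"]:
            notes.append("persistence from user-writable path: " + f["body"])
        elif f["tag"] == "HJ":
            notes.append("hijacked setting, verify before restoring: " + f["body"])
        else:
            notes.append(f"{f['tag']}: {f['body']}")
    for ip, host in hosts:
        if not (host == "localhost" and ip in ("127.0.0.1", "::1")):
            notes.append(f"non-default HOSTS entry: {ip} {host}")
    for name, info in drives.items():
        if not info["mbr_desc"] or "unknown" in info["mbr_desc"].lower():
            notes.append(f"{name} ({info['model']}): MBR code not recognised, check with aswMBR/MBR.dat")
    return notes


if __name__ == "__main__":
    for note in triage(*parse_rk_report(SAMPLE_RK_REPORT)):
        print(note)
```

Point it at a saved RKreport[N].txt by replacing `SAMPLE_RK_REPORT` with the file's contents. The "MBR code unknown" note for the USB stick is expected for a removable drive and is there so the reader decides, not the script.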
 
Firefox. It's not every time, just when the page gives me the 404 error, or like with the ESET not loading last night.
 
OK, here's the completed aswMBR log:

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-07-25 14:06:03
-----------------------------
14:06:03.563 OS Version: Windows x64 6.1.7601 Service Pack 1
14:06:03.563 Number of processors: 1 586 0x7F02
14:06:03.563 ComputerName: SALLY UserName: Joni
14:06:14.927 Initialize success
14:09:23.090 AVAST engine defs: 12072500
14:09:39.314 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000004f
14:09:39.314 Disk 0 Vendor: ST332041 HP34 Size: 305245MB BusType: 3
14:09:39.361 Disk 0 MBR read successfully
14:09:39.361 Disk 0 MBR scan
14:09:39.361 Disk 0 unknown MBR code
14:09:39.392 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
14:09:39.408 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 295193 MB offset 206848
14:09:39.439 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 9950 MB offset 604762112
14:09:39.642 Disk 0 scanning C:\Windows\system32\drivers
14:09:53.479 Service scanning
14:10:17.425 Modules scanning
14:10:17.456 Disk 0 trace - called modules:
14:10:17.487 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys storport.sys hal.dll nvstor64.sys
14:10:17.487 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80027f0060]
14:10:17.815 3 CLASSPNP.SYS[fffff8800181743f] -> nt!IofCallDriver -> [0xfffffa80021fae40]
14:10:17.830 5 ACPI.sys[fffff88000ede7a1] -> nt!IofCallDriver -> \Device\0000004f[0xfffffa80020ed9c0]
14:10:25.677 AVAST engine scan C:\Windows
14:10:28.189 AVAST engine scan C:\Windows\system32
14:14:01.629 AVAST engine scan C:\Windows\system32\drivers
14:14:15.497 AVAST engine scan C:\Users\Joni
14:14:26.247 File: C:\Users\Joni\AppData\Local\Google\Chrome\User Data\Default\Extensions\adhmhclafdhfabmmglbcngpddpdeijgd\npRivalGamingGC.dll **INFECTED** Win32:Adware-gen [Adw]
14:17:28.462 Disk 0 MBR has been saved successfully to "F:\MBR.dat"
14:17:28.493 The log file has been saved successfully to "F:\aswMBR.txt"
14:18:53.853 AVAST engine scan C:\ProgramData
14:19:55.944 Scan finished successfully
14:23:21.561 Disk 0 MBR has been saved successfully to "F:\MBR.dat"
14:23:21.577 The log file has been saved successfully to "F:\aswMBR.txt"
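Two details in the aswMBR log above are worth a second look rather than a shrug: it reports "unknown MBR code" for Disk 0 where RogueKiller called the same sector "Windows Vista/7 MBR Code", and it writes a copy of the sector to MBR.dat, which means the table and boot code can be checked directly instead of trusting either tool's one-line verdict. The script below is an added example for this thread, not aswMBR's or RogueKiller's code. It assumes MBR.dat is the raw 512-byte sector 0 (the thread only says it is "a copy of your MBR"), decodes the four partition entries at offset 446, compares them with the partition lines aswMBR printed, checks for overlaps and the single active flag, and keeps a hash of the 446 code bytes as a baseline. The sample MBR is constructed to match the three partitions in the log; the fourth, hidden-type entry added in the test is invented to show what a discrepancy looks like.

```python
"""Check the MBR.dat that aswMBR saves against the partition table it logged.

Added example for this thread, not aswMBR's or RogueKiller's code. Assumes
MBR.dat is the raw 512-byte sector 0. SAMPLE_TABLE and the boot-code bytes
are constructed to match the three partitions in the thread's log.
"""
import hashlib
import re
import struct

SECTOR = 512
ASWMBR_LOG = """\
14:09:39.361 Disk 0 MBR read successfully
14:09:39.361 Disk 0 unknown MBR code
14:09:39.392 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
14:09:39.408 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 295193 MB offset 206848
14:09:39.439 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 9950 MB offset 604762112
"""
# (status, type, first LBA, sector count): 100 MB, 295193 MB and 9950 MB of NTFS
SAMPLE_TABLE = [(0x80, 0x07, 2048, 204800),
                (0x00, 0x07, 206848, 604555264),
                (0x00, 0x07, 604762112, 20377600)]
PART_LINE_RE = re.compile(
    r"Partition (\d+) ([0-9A-F]{2}) (?:\(A\) )?([0-9A-F]{2}) \S+ \S+ (\d+) MB offset (\d+)")


def build_mbr(entries, boot_code=b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb"):
    """Assemble a 512-byte MBR (constructed test input, not a real disk image)."""
    table = b"".join(struct.pack("<B3sB3sII", st, b"\xfe\xff\xff", ty, b"\xfe\xff\xff", lba, n)
                     for st, ty, lba, n in entries)
    table += b"\x00" * (64 - len(table))
    return boot_code.ljust(446, b"\x00") + table + b"\x55\xaa"


def parse_mbr(data):
    """Decode the four 16-byte partition entries at offset 446; empty slots are skipped."""
    if len(data) != SECTOR or data[510:] != b"\x55\xaa":
        raise ValueError("not a 512-byte MBR with a 0x55AA signature")
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", data, 446 + 16 * i)
        if ptype == 0:
            continue
        parts.append({"index": i + 1, "active": status == 0x80, "type": ptype,
                      "lba": lba, "sectors": count, "mb": count * SECTOR // (1024 * 1024)})
    return parts


def boot_code_hash(data):
    """SHA-256 of the 446 code bytes only, so repartitioning does not change it.
    Keep this as your own baseline: the thread does not say which bytes the MD5s
    printed by RogueKiller and aswMBR cover."""
    return hashlib.sha256(data[:446]).hexdigest()


def compare_with_log(parts, log_text):
    """Return discrepancies between MBR.dat and the partition lines aswMBR printed."""
    logged = {int(m.group(1)): (int(m.group(2), 16), int(m.group(3), 16), int(m.group(4)), int(m.group(5)))
              for m in PART_LINE_RE.finditer(log_text)}
    issues = []
    for p in parts:
        if p["index"] not in logged:
            issues.append(f"partition {p['index']} is in MBR.dat but not in the aswMBR log")
            continue
        status, ptype, mb, offset = logged[p["index"]]
        if (status == 0x80, ptype, mb, offset) != (p["active"], p["type"], p["mb"], p["lba"]):
            issues.append(f"partition {p['index']} differs between MBR.dat and the aswMBR log")
    for idx in logged:
        if idx not in {p["index"] for p in parts}:
            issues.append(f"partition {idx} is in the aswMBR log but not in MBR.dat")
    if sum(p["active"] for p in parts) != 1:
        issues.append("expected exactly one active partition")
    ordered = sorted(parts, key=lambda p: p["lba"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba"] + a["sectors"] > b["lba"]:
            issues.append(f"partitions {a['index']} and {b['index']} overlap")
    return issues


if __name__ == "__main__":
    mbr = build_mbr(SAMPLE_TABLE)   # real use: mbr = open("MBR.dat", "rb").read()
    for p in parse_mbr(mbr):
        print(p)
    print("boot code sha256:", boot_code_hash(mbr))
    print("issues:", compare_with_log(parse_mbr(mbr), ASWMBR_LOG) or "none")
```

The sizes line up exactly with the log (204800 sectors is 100 MB, and partition 3 starts at 206848 + 604555264 = 604762112), which is the kind of arithmetic check that separates a disagreement about the boot code from a disagreement about the table. A bootkit that reroutes the boot code would change `boot_code_hash` between runs while leaving the table identical; a hidden partition added for staging shows up as an entry in MBR.dat that no tool printed.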
 
Chrome gave me the same 404 error the first time I tried to get the RK download, but it worked in Firefox after the restart. Didn't try IE, but IE was giving me the error message when I tried to run ESET last night.
 
1. Open IE, go Tools>Internet options>Advanced tab and click on "Reset" button.
Restart IE and see how it goes.

2. Uninstall Firefox completely using this manual: http://kb.mozillazine.org/Uninstalling_Firefox
Install fresh copy.

3. Chrome...
  1. Go to Start > All Programs > Google Chrome > Uninstall Google Chrome.
  2. Delete your user profile information, like your browser preferences, bookmarks, and history, by selecting the "Also delete browser data" checkbox.
  3. Select the default browser you'd like to use.
  4. Click OK in the confirmation prompt.
  5. Install fresh copy.
 
Opened chrome and clicked a news article in yahoo and got the ilitili.com popup again. Clicking around in firefox and haven't gotten anything yet. IE seems to be running fine as well.

Chrome isn't really used on the comp, should I just uninstall and be done with it?

edit: looks like the ESET site works now as well in IE

edit again: when checking ESET in Firefox a redirect page was brought up by rivalgaming.com
 
You may as well, but make sure you do it the way described in my previous reply.
You can reinstall it after that.

Next....


1. Update your Java version here: http://www.java.com/en/download/installed.jsp

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

2. Now, we need to remove old Java version and its remnants...

Download JavaRa to your desktop and unzip it.
  • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Do NOT post JavaRa log.

=======================================

Your computer is clean

1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

Code:
:OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[emptyjava]
[CLEARALLRESTOREPOINTS]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post resulting log.

2. Now we'll remove all the tools we used during the cleaning process.

Clean up with OTL:

  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

3. Make sure Windows Updates are current.

4. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

7. Run Temporary File Cleaner (TFC) weekly.

8. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

10. (Windows XP only) Run defrag at your convenience.

11. When installing\updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.

12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

13. Please, let me know, how your computer is doing.
 
Looks as if everything is working fine now. Haven't gotten any popups or redirect pages. Windows Updates worked fine, as well as the Java update and removal. And installed the WOT and Secunia programs.

Thanks a ton for your help on this, I'll let you know if everything still seems to be ok sometime tomorrow.
 
You're very welcome
 