Inactive Sirefef.r - sirefef.ah - sirefef.ab

DLegal

Please Help!
I've been alerted to having the above Sirefef trojans. I'm hoping to save my OS before I lose everything I have. I'm running Windows 7, 32-bit. Please let me know if you need additional information to proceed. I've researched enough information about this to know that I'll need help to remove it all.
 
Hello, and welcome to TechSpot.


Please see here for the board rules and other FAQ.

Please feel free to introduce yourself, after you follow the steps below to get started.

Information
  • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
  • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
  • If you have already asked for help somewhere, please post the link to the topic where you were helped.
  • We try our best to reply quickly, but if for any reason we do not reply within two days, please reply to this topic with the word BUMP!
  • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

Download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded, begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer", note your flash drive letter, and then close Notepad.
  • In the command window type e:\frst.exe and press Enter.
    Note: Replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5, as well as the default check marks that are already there.
  • Press the Scan button.
  • Type exit and reboot the computer normally.
  • FRST will make a log (FRST.txt) on the flash drive; please copy and paste the log in your reply.
 
OK, you responded a lot quicker than I expected, so thank you. You are appreciated, and I know how busy you are, so I will do my best to be brief and to the point.
First off, I had trouble downloading the scan tool. Options were only to delete, to not download, or to run away (hmm). To get around this I saved the file as chkFRST, and I was able to save it to flash.
Upon following your instructions and System Recovery, at "scan" I was notified of my two bootable drives (which I failed to mention earlier, sorry) and proceeded with the first mentioned. Here are the results:
 

Attachment: FRST.txt (21.8 KB)
Additional FRST Scan

Once again, please boot to the System Recovery Options and run FRST, as done previously.

Type the following text in the blank box after Search:

services.exe

Click: Search file(s)



When done searching, FRST makes a log, Search.txt, on the C:\ drive.

Please provide the Search.txt in your reply.
 
Great! Please make sure not to attach logs, but rather post them in the body of the replies to this topic. ;)

FRST Fixlist

Please run the following:

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad window and select Paste.) Save it on the flash drive as fixlist.txt.

start
C:\Windows\assembly\GAC\Desktop.ini
Replace: C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe C:\Windows\System32\services.exe
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Now, please enter System Recovery Options then select Command Prompt.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Now restart, let it boot normally and tell me how it went.
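The Search step above looks for every copy of services.exe because Sirefef/ZeroAccess is known to replace that file, and the fixlist then copies the servicing-store (WinSxS) version back over C:\Windows\System32\services.exe. The following script is an added example, not part of this thread and not part of Farbar's tool: a read-only check, run from an elevated PowerShell prompt after the machine has been rebooted normally, that reports whether the live services.exe is byte-for-byte identical to one of the copies kept under WinSxS. It assumes Windows 7 with the stock PowerShell 2.0 (so it hashes with .NET rather than Get-FileHash), and it uses the component-folder name pattern quoted in the fixlist; the `$SystemRoot` parameter is an assumption added so the same check can be pointed at a mounted offline Windows directory.

```powershell
# Added example (not from the thread or from FRST): read-only integrity check of services.exe
# against the copies in the WinSxS component store. Assumes Windows 7 / PowerShell 2.0 and an
# elevated prompt. $SystemRoot is an assumption added so an offline Windows dir can be checked.
param([string]$SystemRoot = $env:SystemRoot)

function Get-Sha256Hex {
    # SHA-256 of a file as lowercase hex, using .NET so it works on PowerShell 2.0.
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { $bytes = $sha.ComputeHash($stream) } finally { $stream.Close() }
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

$live = Join-Path $SystemRoot 'System32\services.exe'
if (-not (Test-Path $live)) { throw "Missing: $live" }
$liveHash = Get-Sha256Hex $live
$liveInfo = Get-Item $live

# Every services.exe in the component store (one per installed version/update of the
# service controller component; folder pattern as quoted in the fixlist above).
$storeDir = Join-Path $SystemRoot 'winsxs'
$copies = Get-ChildItem -Path $storeDir -Filter '*microsoft-windows-s..s-servicecontroller_*' |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object { Join-Path $_.FullName 'services.exe' } |
    Where-Object { Test-Path $_ }
if (-not $copies) { throw "No services.exe found under $storeDir" }

"Live  {0}  {1} bytes  v{2}" -f $liveHash, $liveInfo.Length, $liveInfo.VersionInfo.FileVersion
$match = $false
foreach ($c in $copies) {
    $h = Get-Sha256Hex $c
    $flag = if ($h -eq $liveHash) { $match = $true; 'MATCH' } else { '     ' }
    "{0} {1}  {2}" -f $flag, $h, $c
}

# Authenticode: on PowerShell 2.0 this validates only an embedded signature, and services.exe
# is catalog-signed, so 'NotSigned' here is expected and is not by itself evidence of tampering.
$sig = Get-AuthenticodeSignature -FilePath $live
"Signature status: {0}" -f $sig.Status

if (-not $match) {
    Write-Warning "services.exe does not match any WinSxS copy; treat it as suspect."
}
```

A match only says the live file equals some copy in the store, not the newest one (the fixlog above restored the 6.1.7600.16385 build, which is a valid Microsoft file but not the SP1 build). For catalog-backed signature validation on Windows 7, `sfc /verifyfile=C:\Windows\System32\services.exe` is the supported check. Because a still-active rootkit can lie to a running system about what is on disk, a clean result here is weaker evidence than the same check done from System Recovery Options, which is why the helper ran FRST offline.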
 
I notice that when I choose System Recovery, I don't see the drivers scroll anymore. It's also flashing (screen) in between actions. It took a few tries, so let's see if this is what you're looking for.


Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 16-07-2012 01
Ran by SYSTEM at 2012-07-22 02:15:17 Run:2
Running from H:\
==============================================
C:\Windows\assembly\GAC\Desktop.ini not found.
C:\Windows\System32\services.exe moved successfully.
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe copied successfully to C:\Windows\System32\services.exe
==== End of Fixlog ====
 
Also restarted my machine (normal boot) and it seems to be fine. I had "Essentials" update and it is now current. I shut down after that, though. What's next? (y)
 
ComboFix

Please download ComboFix by sUBs from BleepingComputer.com.

Please save the file to your Desktop, but rename it first to svchost.exe

Important information about ComboFix

Before the download:
  • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
  • It is important to rename ComboFix before the download.
  • Please do not rename ComboFix to other names, but only the one indicated.
After the download:
  • Close any open browsers.
  • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results". Please visit here if you don't know how.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
  • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
Running ComboFix:
  • Double click on svchost.exe & follow the prompts.
  • It will attempt to install the Recovery Console.
  • When ComboFix finishes, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" in your next reply.
Troubleshooting ComboFix

Safe Mode:

If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

(To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear; select "Safe Mode.")

Re-downloading:

If this doesn't work either, try the same method as above, but download it again and this time rename ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

Malware is known for blocking all "user" processes, except for its whitelist of important system processes such as iexplore.exe, explorer.exe, winlogon.exe.
 
No problems, it went smoothly. I know that you asked me to post the fix.txt, but for this instance, and due to the nature of the files it contains, I'm not going to (sorry).
 

Attachment: ComboFix.txt (19.9 KB)
Scan for malware

Please download Malwarebytes Anti-Malware from HERE.


Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. If you are prompted to restart, please allow it to restart your computer. Failure to do this will cause the infection to still be active on the computer.
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • The log can also be found at C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Copy and paste the entire report in your next reply.
 
I've received your message with instructions. However, I won't be able to attempt this until later, after 6:00pm California time. Sorry for the delay, but I wanted to let you know you can expect my post at that time. Thank you.
 
OK, I did this just as you specified and here's the result:

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org
Database version: v2012.07.25.01
Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 8.0.7601.17514
Denise Hornsby :: DLEGAL [administrator]
7/25/2012 12:24:57 AM
mbam-log-2012-07-25 (00-24-57).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 230367
Time elapsed: 2 minute(s), 40 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
 
ESET Online Scan

Please run a free online scan with the ESET Online Scanner
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic
 
Wow! Check this out:

C:\Users\Denise Hornsby\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\57e83dab-1f4dda4f Java/Exploit.Agent.NBI trojan deleted - quarantined
C:\Users\Denise Hornsby\Documents\My Products\Motorola i9\MMCsetup.exe Win32/Somoto application cleaned by deleting - quarantined
C:\Users\Denise Hornsby\Downloads\New Program Downloadz\Windows7 DVD Codecs\SoftonicDownloader_for_windows-essentials-codec-pack.exe a variant of Win32/SoftonicDownloader.A application cleaned by deleting - quarantined
G:\ALL PROGRAMS\3gp_converter_setup.exe a variant of Win32/SweetIM.A application cleaned by deleting - quarantined
G:\ALL PROGRAMS\MMCsetup.exe Win32/Somoto application cleaned by deleting - quarantined
G:\ALL PROGRAMS\SoftonicDownloader_for_windows-essentials-codec-pack.exe a variant of Win32/SoftonicDownloader.A application cleaned by deleting - quarantined
G:\Users\Denise Hornsby\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FEGH6GMZ\QQkFBg0NBgYDDAABEkcJBQcEAAADBwAFBA==[1].htm JS/Exploit.Agent.NCQ trojan cleaned by deleting - quarantined
G:\Users\Denise Hornsby\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\48\13673cb0-3670e213 a variant of Java/TrojanDownloader.OpenStream.NCE trojan deleted - quarantined
G:\Users\Denise Hornsby\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\55\51d1c3f7-191dd573 a variant of Java/TrojanDownloader.OpenStream.NCE trojan deleted - quarantined
G:\Users\Denise Hornsby\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@gamevance.com\components\FFTextLinks.dll Win32/Adware.Gamevance.AG application cleaned by deleting - quarantined
 

Attachment: Eset - Now.txt (1.6 KB)
I did another scan. I clicked "scan" and then I received an error code. I repeated the process again and it completed the scan but said it found no infected files. NONE. I didn't get a report to post, either. Although my system seems to be better, I'm concerned it remains compromised. There are files that continue to appear. I ran Task Manager and can see there are processes running that shouldn't be. At this point, what do you think?
 
  • Please Download RogueKiller and save it on your desktop.
  • Quit all programs
  • Start RogueKiller.exe.
  • Wait until the Prescan has finished.
  • Click on Scan


  • Wait for the end of the scan.
  • The report has been created on the desktop.
  • Click on the Delete button.


  • The report has been created on the desktop.
  • Next, click on the ShortcutsFix button.
  • The report has been created on the desktop.
Please post:

All RKreport.txt text files located on your desktop.
 
Webpage error details
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)
Timestamp: Fri, 27 Jul 2012 09:47:48 UTC
 
Message: 'jQuery' is undefined
Line: 1
Char: 1
Code: 0
URI: https://static.techspot.com/images2/lib/techspot.js?v=07.11.2012.04
 
Message: Object expected
Line: 1130
Char: 9
Code: 0
URI: https://www.techspot.com/
Webpage error details
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)
Timestamp: Fri, 27 Jul 2012 09:48:50 UTC
 
Message: '$' is undefined
Line: 21
Char: 3
Code: 0
URI: https://www.techspot.com/community/account/alerts
Webpage error details
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)
Timestamp: Fri, 27 Jul 2012 09:49:58 UTC
 
Message: '$' is undefined
Line: 21
Char: 3
Code: 0
URI: https://www.techspot.com/community/account/alerts
 
Message: 'jQuery' is undefined
Line: 1
Char: 1
Code: 0
URI: https://static.techspot.com/images2/lib/techspot.js?v=04.20.2012.00
Webpage error details
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)
Timestamp: Fri, 27 Jul 2012 09:54:33 UTC
 
Message: '$' is undefined
Line: 21
Char: 3
Code: 0
URI: https://www.techspot.com/community/login/login
 
Message: 'jQuery' is undefined
Line: 1
Char: 1
Code: 0
URI: https://static.techspot.com/images2/lib/techspot.js?v=04.20.2012.00
Webpage error details
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)
Timestamp: Fri, 27 Jul 2012 09:56:38 UTC
 
Message: 'jQuery' is undefined
Line: 1
Char: 1
Code: 0
URI: https://static.techspot.com/images2/lib/techspot.js?v=07.11.2012.04
 
Please download aswMBR from here

  • Save aswMBR.exe to your Desktop
  • Double click aswMBR.exe to run it
  • Click the Scan button to start the scan as illustrated below



Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives.

  • Once the scan finishes, click Save log to save the log to your Desktop.

  • Copy and paste the contents of aswMBR.txt back here for review.
 
Hello. Are you still with us?

Your thread has been marked as "Inactive" because of your lack of reply. Please let us know how your computer is running, or if you want to continue in this topic.

Thanks.
 