win64 sirefef.y removal request

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by ccr, Jun 15, 2012.

  1. ccr

    ccr Private E-2

Hello, I'm trying to help remove the Sirefef.Y virus from a laptop. I have attached the files from FRST and the search. The laptop is running Win7 64-bit. Please let me know what other info you need. Thank you for your help.
    Jay
     

    Attached Files:

  2. thisisu

    thisisu Malware Consultant

    Welcome to MajorGeeks, Jay :)

    You did a bit of researching I see :-D

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    Attached is fixlist.txt
    • Save fixlist.txt to your flash drive.
    • You should now have both fixlist.txt and FRST64.exe on your flash drive.

    Now re-enter System Recovery Options.
    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt).
    Please attach this to your next message. (How to attach)

    Now attempt to boot normally and remember to attach your Fixlog.txt

    >>> Now continue with this procedure: How to Remove Trojan:DOS/Alureon.A <<<
     

    Attached Files:

  3. ccr

    ccr Private E-2

Thank you :p
    I'll be following your next steps.
    Here is the Fixlog.txt file.
    Thanks again for your help.
     

    Attached Files:

  4. ccr

    ccr Private E-2

OK, I've run the scans, but now I have a new problem. First, attached are the scan logs.
    Second, my network is local only. After running the scans I no longer have web access. The drivers are up to date with no funny identifiers on either the wireless or the hardwire. TCP/IP settings are all set to auto DNS. Under Network and Sharing Center I have "this computer-------------identifying------X-------Internet". I have disabled and then re-enabled the LAN and wireless. Any suggestions?


HitmanPro won't run without internet.
    I also ran SUPERAntiSpyware; it found 162 infections. MSE found 2, one of which was Sirefef.Y. It was able to remove it this time.

    Thanks again.
     

    Attached Files:

  5. thisisu

    thisisu Malware Consultant

    Hi,

    Please attach the TDSSKiller log and MGlogs.zip as requested by the Read and Run Me.

    HitmanPro is capable of scanning your system while you are offline. Re-read the instructions ;)
     
  6. ccr

    ccr Private E-2

    Here are the other reports you requested
    Thanks
     

    Attached Files:

  7. thisisu

    thisisu Malware Consultant

From Programs and Features (via Control Panel), please uninstall the below:
    • Ares 2.1.7
    • AVG Security Toolbar
    • Java(TM) 6 Update 30
    • Windows iLivid Toolbar
    • Yahoo! Toolbar

Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
Copy the text in the code box below and paste it into the text-field.
    Code:
    :files
    C:\Users\Pedrito\AppData\Roaming\Microsoft\Windows\Templates\35ygk68ywp1531bwmar88tdiwf4uu61vph0h71w1i83fgn
    C:\ProgramData\AVG Secure Search
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iLivid
    C:\Program Files (x86)\AVG Secure Search
    C:\Program Files (x86)\iLivid
    C:\Program Files (x86)\Common Files\AVG Secure Search
    C:\$AVG
    C:\programdata\Microsoft\Windows\DRM\4ED4.tmp
    C:\programdata\Microsoft\Windows\DRM\4EE5.tmp
    C:\Users\All Users\Microsoft\Windows\DRM\4ED4.tmp
    C:\Users\All Users\Microsoft\Windows\DRM\4EE5.tmp
    ipconfig /flushdns /c
    netsh int ip reset resetlog.txt /c
    netsh winsock reset /c
:reg
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\tdx]
    "DisplayName"="@%SystemRoot%\\system32\\tcpipcfg.dll,-50004"
    "Group"="PNP_TDI"
    "ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
      52,00,49,00,56,00,45,00,52,00,53,00,5c,00,74,00,64,00,78,00,2e,00,73,00,79,\
      00,73,00,00,00
    "ErrorControl"=dword:00000001
    "Start"=dword:00000001
    "Tag"=dword:00000004
    "Type"=dword:00000001
    "DependOnService"=hex(7):54,00,63,00,70,00,69,00,70,00,00,00,00,00
    "Description"="@%SystemRoot%\\system32\\tcpipcfg.dll,-50004"
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\tdx\Enum]
    "0"="Root\\LEGACY_TDX\\0000"
    "Count"=dword:00000001
    "NextInstance"=dword:00000001
    
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "SUPERAntiSpyware"=-
    "Facebook Update"=-
    "ares"=-
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{167d9323-f7cc-48f5-948a-6f012831a69f}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{99079a25-328f-4bd4-be04-00955acaa0a7}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c3721e85-f0ac-4b7e-ae4c-3e738011dc9d}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{a5b9c0f5-5616-47cd-a95f-e43b488faccf}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{d944bb61-2e34-4dbf-a683-47e505c587dc}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{a5b9c0f5-5616-47cd-a95f-e43b488faccf}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{B130551B-965A-47E2-BACF-8B10BEF9C6FA}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{d944bb61-2e34-4dbf-a683-47e505c587dc}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}]
:commands
    [clearallrestorepoints]
    [emptytemp]
    [resethosts]
    
Now click the button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
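The :reg section of the OTL script above rewrites the tdx (TDI translation) driver's service key, which is why the laptop's "identifying" network state clears once the fix runs: Sirefef/ZeroAccess infections commonly damage this service and TCP/IP stops working. The ImagePath and DependOnService values are written as hex(2) and hex(7) byte lists, so it is hard to see by eye what the script actually restores. The following is an added example (not code from the thread, and not OTL's own parser) that decodes the .reg-style fragment used by OTL, compares the tdx key against the values a healthy Windows 7 install carries (the expected values are taken from the script itself; the constant names in the comments are assumptions), and reports mismatches such as a service that has been set to disabled:

```python
"""Decode an OTL/.reg-style service fragment and audit the tdx driver values.

Added example; the REG fragment below is copied from the script in this thread
and the tampered variant is constructed to show how a damaged key is reported.
"""
import re

# Constructed sample: the tdx service entries and a few other lines from the
# :reg section above (key deletion and value deletion syntax included).
REG_FRAGMENT = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\tdx]
"DisplayName"="@%SystemRoot%\\system32\\tcpipcfg.dll,-50004"
"Group"="PNP_TDI"
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,74,00,64,00,78,00,2e,00,73,00,79,\
  00,73,00,00,00
"ErrorControl"=dword:00000001
"Start"=dword:00000001
"Tag"=dword:00000004
"Type"=dword:00000001
"DependOnService"=hex(7):54,00,63,00,70,00,69,00,70,00,00,00,00,00
"Description"="@%SystemRoot%\\system32\\tcpipcfg.dll,-50004"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ares"=-
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{167d9323-f7cc-48f5-948a-6f012831a69f}]
'''

# Constructed variant: the same key with Start changed to 4 (a disabled driver),
# which is the kind of damage that leaves TCP/IP stuck at "identifying".
TAMPERED_FRAGMENT = REG_FRAGMENT.replace('"Start"=dword:00000001', '"Start"=dword:00000004')

TDX_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\tdx"

# What the script restores; comments name the SCM constants (assumed mapping).
EXPECTED_TDX = {
    "ImagePath": r"system32\DRIVERS\tdx.sys",
    "DependOnService": ["Tcpip"],
    "Start": 1,   # SERVICE_SYSTEM_START
    "Type": 1,    # SERVICE_KERNEL_DRIVER
    "Group": "PNP_TDI",
}


def _join_continuations(text):
    """Join physical lines that end with a backslash (the .reg continuation marker)."""
    lines, buf = [], ""
    for line in text.splitlines():
        line = line.rstrip()
        if line.endswith("\\"):
            buf += line[:-1].strip()
            continue
        lines.append(buf + line.strip())
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def parse_value(raw):
    """Decode one .reg value into (type, python value)."""
    if raw == "-":
        return ("delete", None)
    if raw.startswith('"') and raw.endswith('"'):
        # .reg escapes backslash and quote with a backslash
        return ("REG_SZ", re.sub(r"\\(.)", r"\1", raw[1:-1]))
    if raw.startswith("dword:"):
        return ("REG_DWORD", int(raw[len("dword:"):], 16))
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw)
    if m:
        kind = int(m.group(1) or 3)           # bare hex: is REG_BINARY (type 3)
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        if kind == 2:                          # REG_EXPAND_SZ, UTF-16LE, NUL-terminated
            return ("REG_EXPAND_SZ", data.decode("utf-16-le").rstrip("\0"))
        if kind == 7:                          # REG_MULTI_SZ, NUL-separated, double-NUL end
            return ("REG_MULTI_SZ", [s for s in data.decode("utf-16-le").split("\0") if s])
        return ("hex(%d)" % kind, data)
    raise ValueError("unsupported value syntax: %r" % raw)


def parse_reg(text):
    """Return {key_path: {value_name: (type, value)}}; deleted keys map to {'_delete_key': True}."""
    keys, current = {}, None
    for line in _join_continuations(text):
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            if name.startswith("-"):            # [-KEY] deletes the whole key
                keys[name[1:]] = {"_delete_key": True}
                current = None
            else:
                current = keys.setdefault(name, {})
            continue
        if current is None:
            continue
        name, _, raw = line.partition("=")      # value names never contain '='
        current[name.strip('"')] = parse_value(raw)
    return keys


def audit_tdx(keys):
    """List (value, expected, actual) for every tdx value that differs from EXPECTED_TDX."""
    values = keys.get(TDX_KEY, {})
    return [(n, exp, values.get(n, (None, None))[1])
            for n, exp in EXPECTED_TDX.items()
            if values.get(n, (None, None))[1] != exp]


if __name__ == "__main__":
    print("script restores:", audit_tdx(parse_reg(REG_FRAGMENT)) or "tdx key matches expected values")
    print("tampered key:   ", audit_tdx(parse_reg(TAMPERED_FRAGMENT)))
```

Running the script prints no mismatches for the fragment from the thread and `[('Start', 1, 4)]` for the tampered variant. The same `parse_reg` output can be compared against a `reg export` of a live machine's services\tdx key to confirm the fix took, which is a quicker check than waiting to see whether the adapter leaves the "identifying" state.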
     
  8. ccr

    ccr Private E-2

    Here are the last files you were asking for.

    Thank You
     

    Attached Files:

  9. ccr

    ccr Private E-2

    The internet has started to work now. Very Good.
     
  10. thisisu

    thisisu Malware Consultant

    That's good ;)

    Are you having any malware related problems now?
     
  11. ccr

    ccr Private E-2

    It seems to be running good now.

    Thanks again for your help.
    Great Job.
     
  12. thisisu

    thisisu Malware Consultant

    You're welcome.

    If you are not having any other malware related problems, it is time to do our final steps:
    • Any programs we had you download and/or install can be removed at this time.
    • If we had you download and run ComboFix, here is how to uninstall it:
• Press and hold the Windows key and then press the letter R on your keyboard.
      • This opens the Run dialog box.
      • Copy and paste the below text inside the text-field:
        • "%userprofile%\desktop\ComboFix" /uninstall
      • Now press ENTER
      • ComboFix will extract its files one last time and you should receive a notification that ComboFix has been uninstalled shortly after.
    • You can re-enable your Disk Emulation software at this time via DeFogger.
    • If we had you create or download a registry patch or "fix" script, these can be deleted at this time.
    • Go into the C:\MGtools folder and run the MGclean.bat file to remove additional traces of our tools.
    • Now we will toggle System Restore to remove any infected system restore points.
    • Lastly, here is a guide to protect you from future infections: How to Protect yourself from malware!
    • Be safe :)
     
