sirefef 64bit strikes with a vengeance

Discussion in 'Malware Help (A Specialist Will Reply)' started by chriscol, Jun 6, 2013.

  1. chriscol

    chriscol Private E-2

    I need some serious help here! :cry

    It's my husband's computer, and I had removed one of the redirect trojans a month or two back, and thought I had it clean. We took it with on vacation and I discovered it had reinfected.

    I've been battling this for 2 weeks now. First thing I noticed was that security updates were installing--and then uninstalling after the reboot. Plus I couldn't get the firewall to reset for public locations.

    I contacted MS, and the tech ran a bunch of things on the computer--then told me I'd need to reinstall Windows, there was so much damage. I asked for a third-party firewall to keep things confined until I could get home and access the repair DVD MS was sending--they suggested AVAST. I ran Avast from boot and found crap in some of the Java folders--then discovered I couldn't uninstall Java, either. So I simply deleted the Java folders; kept the Avast firewall as tight as possible, and waited. I ran the repair yesterday--managed to get all of the security updates installed and get MSSE working again--but things were still subtly hinky.

    Microsoft wants to believe that the repair did the job--but I notice in the first log that there's still an instance of sirefef here somewhere. The Avast techs were helpful to begin with, but then they had me run HijackThis--and that told them I was running an unregistered version of Windows NT--and they refused to believe me that it was a perfectly legit OEM! So that may give you some other ideas of the kind of crap this thing has been pulling.

    I'm attaching all 5 logs as requested. I wasn't sure if MSSE plus Avast was two AV programs or one, but they seem to work OK together, and this damn firewall has had so many holes in it.... If I need to shut one down, I'll need some coaching.

    It's been interesting to watch what this thing has been trying to do... I'd love to dump the AVAST firewall log into a spreadsheet and analyze who has been trying to take over this computer, but I can't figure out how--and they haven't been willing to tell me. There's probably some useful info in that log to somebody, but.... I can't type the thing out manually, that's for sure. It's huge. Also, the first thing MSSE did once it was up and running again was shut down my DREngine (spelling?) and something else that was trying to call out--both of which had managed to convince Avast in those two weeks that they were OK.

    I'm gonna crash--I'll check back in the morning and hope to see some new steps to clean this baby up.

    thanks for being there!
     

    Attached Files:

  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Before we continue I would like for you to use MSConfig to put this machine back into normal start up mode, if you haven't done so already.

    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate this 1 detection:

    • [HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\Bob\AppData\Local\{fbe71210-e68e-4616-5cb2-072ff8bd7061}\n.) [x] -> FOUND

    Place a checkmark next to this item, leave the others unchecked.

    ...and the same for items on the file/folder tab please:

    • [ZeroAccess][FOLDER] U : C:\Windows\Installer\{fbe71210-e68e-4616-5cb2-072ff8bd7061}\U --> FOUND
    • [ZeroAccess][FOLDER] U : C:\Users\Bob\AppData\Local\{fbe71210-e68e-4616-5cb2-072ff8bd7061}\U --> FOUND
    • [ZeroAccess][FOLDER] L : C:\Windows\Installer\{fbe71210-e68e-4616-5cb2-072ff8bd7061}\L --> FOUND
    • [ZeroAccess][FOLDER] L : C:\Users\Bob\AppData\Local\{fbe71210-e68e-4616-5cb2-072ff8bd7061}\L --> FOUND

    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Reboot the machine.


    Re-run RogueKiller, just a scan, and attach the log.

    Run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
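The detections listed above follow one pattern: a CLSID's InprocServer32 value redirected into a GUID-named folder under %LOCALAPPDATA% or C:\Windows\Installer, with U and L sub-folders beside the loader. The script below is an added example (not part of this thread and not RogueKiller's own code) that parses detection lines in the format quoted in the post and flags the ones whose path matches that layout; the sample report embeds the three lines shown above plus one constructed, unrelated line, and the path heuristic covers only the locations named in the post.

```python
import re

# Constructed sample: the detection lines quoted in the post (user name and
# GUID exactly as shown there) plus one made-up, non-ZeroAccess line.
SAMPLE_REPORT = """\
[HJ INPROC][ZeroAccess] HKCR\\[...]\\InprocServer32 : (C:\\Users\\Bob\\AppData\\Local\\{fbe71210-e68e-4616-5cb2-072ff8bd7061}\\n.) [x] -> FOUND
[ZeroAccess][FOLDER] U : C:\\Windows\\Installer\\{fbe71210-e68e-4616-5cb2-072ff8bd7061}\\U --> FOUND
[ZeroAccess][FOLDER] L : C:\\Users\\Bob\\AppData\\Local\\{fbe71210-e68e-4616-5cb2-072ff8bd7061}\\L --> FOUND
[PUM][FOLDER] Example : C:\\Program Files\\Vendor\\App --> FOUND
"""

GUID = r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}"

# One RogueKiller-style detection line: [kind][family] target : value -> status
DETECTION = re.compile(
    r"^\[(?P<kind>[^\]]+)\]\[(?P<family>[^\]]+)\]\s+"
    r"(?P<target>.+?)\s+:\s+\(?(?P<value>.+?)\)?\s*(?:\[x\]\s*)?-+>\s*(?P<status>\w+)\s*$"
)

# Drop layout named in the post: a GUID-named folder under %LOCALAPPDATA% or
# C:\Windows\Installer holding the loader "n" (shown as "n." on the page)
# and the "U" and "L" sub-folders.
ZA_PATH = re.compile(
    r"^(?:C:\\Users\\[^\\]+\\AppData\\Local|C:\\Windows\\Installer)\\" + GUID
    + r"\\(?:n\.?|U|L)$",
    re.IGNORECASE,
)


def parse_detection(line):
    """Parse one detection line into a dict, or return None if it is not one."""
    m = DETECTION.match(line.strip().lstrip("•").strip())
    return m.groupdict() if m else None


def is_zeroaccess_path(value):
    """True when a registry value or folder path matches the layout above."""
    return ZA_PATH.match(value.strip()) is not None


def triage(report):
    """Return (target, value, flagged) for every detection line in a report."""
    rows = []
    for line in report.splitlines():
        d = parse_detection(line)
        if d:
            rows.append((d["target"], d["value"], is_zeroaccess_path(d["value"])))
    return rows


if __name__ == "__main__":
    for target, value, hit in triage(SAMPLE_REPORT):
        print(("ZEROACCESS " if hit else "other      ") + target + " -> " + value)
```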
     
  3. chriscol

    chriscol Private E-2

    :feeling hopeful

    Registry edit was successful.

    RogueKiller: I'm a bit concerned; I can't expand the window nor move what is inside it sufficiently to be CERTAIN that I'm following your directions. But
    *I left the last registry item (Zero Access something...) checked and unchecked the rest
    *I couldn't do anything at all with the items on the file tab--I had to just leave them alone and hope.

    scan is there; rebooting now.

    Running the scans now. I notice several different "system can't find the requested path" messages.

    Done now. Here you go!

    Fly high!
     

    Attached Files:

    Last edited: Jun 6, 2013
  4. chriscol

    chriscol Private E-2

    :)
    I've been downloading some of the recommended security programs. I'm inclined to try the free Comodo security suite--it has anti-virus, firewall, and something called BOClean, which sounds a lot like spyware blaster.

    Before I install anything though (or uninstall), I'm going to disconnect from the network.

    Nothing funny has happened at all--unless you count the fact that for the first time in WEEKS the recycle bin is back at the top-left corner of the desktop--all by itself! Recycle bin, then computer, then network, just the way we like them! (In that corner, desktop junk files that miss their aim simply go nowhere--rather than disappearing into some other folder! A very useful arrangement for a dyslexic and an ADDult!) The computer has been obstinately resisting our recycle bin placement for a couple of months now--until I had begun to think it was a Windows 7 "feature".

    So far, so good. However, we're headed to the wilds of Wisconsin tomorrow, and won't have internet until possibly as late as Monday night.

    If you can, will you let me know what things I can remove from my desktop? There's a file labeled RK_Quarantine on my desktop--is that OK to delete now? And do the logs you got look clean?

    Please check this thread sometime Tuesday--I should be able to give some kind of stability report by then.

    But for now, things look VERY nice. Thank you.
     
  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Re run RogueKiller again, just a scan and attach the log please. :)
     
  6. chriscol

    chriscol Private E-2

    Back early. Here's the report. (I've tucked the earlier reports into a special folder on the desktop, to tidy it up a bit--hence, it's coming up as [1].

    So far so good. (Except I forgot that removing Avast would remove its firewall log, so I don't have that info anymore.)
     

    Attached Files:

  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Ready for final steps? :)
     
  8. chriscol

    chriscol Private E-2

    I think so. Let us hope!
     
  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    :)

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Press and hold the Windows key and then press the letter R on your keyboard. This opens the Run dialog box.
      • Copy and paste the below into the Run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 4 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    5. If running Vista or Win 7, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others) and running MGclean.bat did not remove them, you can delete these files now.
    8. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  10. chriscol

    chriscol Private E-2

    I got to here:
    Go to the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    Unfortunately, Comodo decided the file was questionable and "partially blocked" it. Now I can't find it anywhere on my computer.
    I did tell Comodo to leave it alone in future, but....
     
  11. chriscol

    chriscol Private E-2

    Tried on my own; redownloaded MGTools. Disabled the Comodo behavior blocker for 15 minutes, then repeated steps. MGClean was back. I got a message asking what I wanted to let it do this time, so I gave it full control. Ran promptly with no problems. MGTools icons disappeared. Now will reboot, and continue cleanup.
     
  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Glad to hear it. ;)
     
  13. chriscol

    chriscol Private E-2

    :)

    Happy-happy-joy-joy!

    Many thanks!
     
  14. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You are most welcome. :)
     
