Sirefef with logs

Wow, I've had some pretty bad problems before but this is crazy. just started today on the computer i share with my parents (one user login). I imagine my dad clicked some links he wasnt familiar with in the past day or so. He's been lookin at hubcaps for what it's worth. Went through the read me and run sticky and now, MSE doesnt start. Also having a hard time starting in safe mode. I've done it using msconfig but F8 doesnt seem to work getting multiple hits with MB and Hitman Pro. Any help would be aprreciated.

 

Welcome to MajorGeeks, december32nd

http://img805.imageshack.us/img805/9659/rktigzy.gif Delete items using RogueKiller.

Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
When it opens, press the Scan button
Now press the Delete button.
When it is finished, there will be a log on your desktop called: RKreport[3].txt
Attach RKreport[3].txt to your next message. (How to attach)

__

http://3.bp.blogspot.com/-tH5H1icUyOc/T1XP6r4puoI/AAAAAAAAAQE/jLwmqQECjCg/s1600/hitmanpro.gif - Rescan with HitmanPro, when it finds services.exe - Virus, allow it to Replace by clicking the down arrow next to the detection and choosing Replace.
Afterwards, click the Next button.
HitmanPro may want to reboot the PC in order for the changes to take affect, please do so.

_

http://3.bp.blogspot.com/-tH5H1icUyOc/T1XP6r4puoI/AAAAAAAAAQE/jLwmqQECjCg/s1600/hitmanpro.gif Once you are back in Windows, run another scan with HitmanPro and then attach the latest hitmanpro.zip log. (How to attach)

__

Completely delete these two folders manually using Windows Explorer:

• c:\windows\installer\{67d8fb44-a4d8-363b-589a-9598baef58ef}
• c:\users\metz\appdata\local\{67d8fb44-a4d8-363b-589a-9598baef58ef}

Let me know if you were successful or not.

 

Thank you for the reply.
Before I do anything, I just want to clarify:
When running Hitman Pro, should I continue to Ignore everything but the Services.exe, or allow Hitman Pro to Quarantine/delete the items it finds?

 

^ Correct

 

okay, when I first ran Rouge killer, it only gave me RKreport[2]. that made me do a double take and I realized that I didnt run it as Administrator. I performed another scan as adminstrator and it gave me RKreport[3] and [4]. I don't know how badly this screwed me up, sorry.
Also, when Hitman Pro finished, my UAC was reset. I assume this is normal.

 

http://3.bp.blogspot.com/-tH5H1icUyOc/T1XP6r4puoI/AAAAAAAAAQE/jLwmqQECjCg/s1600/hitmanpro.gif That's fine, can you rescan with HitmanPro and if C:\Windows\assembly\gac_32\Desktop.ini appears again, have HitmanPro Delete it.

__

Reboot your computer (very important before proceeding)

__

http://3.bp.blogspot.com/-tH5H1icUyOc/T1XP6r4puoI/AAAAAAAAAQE/jLwmqQECjCg/s1600/hitmanpro.gif Then attach the latest HitmanPro log after an additional scan.

 

okay, seems to have gone smoothly. When i rebooted, the screen said ~Hitman Pro BV surf~ or something similar.

 

http://img850.imageshack.us/img850/4746/programsandfeatureswin7.gif From Programs and Features (via Control Panel), please uninstall the below:

• Java(TM) 6 Update 31

__

Delete these two files using Windows Explorer

• C:\Users\Metz\AppData\Local\funmoods-speeddial.crx
• C:\Users\Metz\AppData\Local\funmoods.crx

Let me know if you were successful or not

__

http://img17.imageshack.us/img17/3214/baticonvista7.gif Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
This updates all of the logs inside MGlogs.zip.
When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

__

Let me know what problems remain after you have completed these steps.

 

no problems uninstalling, or deleting files.

 

First, turn off UAC again.

Run the attached fix.bat file by right-mouse clicking it and selecting Run as Administrator (extract from fix.zip).
Then attach attach.txt

 

okay, first I read try to deleter GAC64 etc using Windows explorer. I couldn't find it at that directory. then i ran the fix.bat.

 

I think its gone but I just want to double-check as the log is not what I would have expected.

http://img17.imageshack.us/img17/3214/baticonvista7.gif Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
This updates all of the logs inside MGlogs.zip.
When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

 

here it is. for the record, I havent done a single thing on the infected computer that I wasn't instructed to here. I had seen the GAC_64 on previous scans, though.

 

It's gone but your Windows Firewall is broken:

http://img406.imageshack.us/img406/3189/windowsrepair.gif Download Windows Repair and unzip the contents into a newly created folder on your desktop.

• Now open Repair_Windows.exe
• Go to the Start Repairs tab.
• Press the Start button
• Create a System Restore point if prompted.
• In the Repair Options window, choose the following repairs:
  • Reset Registry Permissions
  • Repair Windows Firewall
  • Repair Winsock & DNS Cache
• Place a checkmark in Restart/Shutdown System When Finished
• Fill in the Restart System bubble
• Now click the Start button.
• Be patient while the tool repairs the selected items. Your computer should automatically restart when finished.

__

http://img17.imageshack.us/img17/3214/baticonvista7.gif Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
This updates all of the logs inside MGlogs.zip.
When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

 

Fantastic! One last thing, I'm not sure if it's the UAC or the hidden file view, but there is a User file, a MY Computer icon and two Desktop.ini Configuration icons on my desktop. With your go-ahead, I'd like to uninstall Malware bytes, reinstall Microsoft security essentials and run a scan.

 

it tells me that it is not compatible with my version of windows
EDIT: never mind

 

okay, it finished and i told it to restart, but it's giving me the same "windows will restart in one minute" message that i got with sirefef...

 

here's the log. I don't know if its because of the view hidden files and folders setting, but I can see a User File, a My Computer icon, and two Desktop.ini configuration files on the desktop. with your go-ahead, I'll uninstall Malwarebytes, Reinstall MSE and run a scan.

 

I still have a User File, My computer icon, and two Desktop.ini configuration settings on my desktop

 

just ran a quick scan with MSE with no results (after MBAM uninstall). cleared out all previous quarantined items with no issue. running full scan now. Will update if needed. you people are saints. Where can i donate?

 

You're welcome.

If you are not having any other malware related problems, it is time to do our final steps:

• Any programs we had you download and/or install can be removed at this time.
• If we had you download and run ComboFix, here is how to uninstall it:
  • Press and hold the Windows key http://i1106.photobucket.com/albums/h363/debojyotidas/Windows_Logo_key.gif and then press the letter R on your keyboard.
  • This opens the Run dialog box.
  • Copy and paste the below text inside the text-field:
    • "%userprofile%\desktop\ComboFix" /uninstall
  • Now press ENTER
  • ComboFix will extract its files one last time and you should receive a notification that ComboFix has been uninstalled shortly after.
• You can re-enable your Disk Emulation software at this time via DeFogger.
• If we had you create or download a registry patch or "fix" script, these can be deleted at this time.
• Go into the C:\MGtools folder and run the MGclean.bat file to remove additional traces of our tools.
• Now we will toggle System Restore to remove any infected system restore points.
  • Read this: How to Disable And Enable System Restore
• Lastly, here is a guide to protect you from future infections: How to Protect yourself from malware!
• Be safe