Sirefef with logs

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by december32nd, Jul 15, 2012.

  1. december32nd

    december32nd Private E-2

Wow, I've had some pretty bad problems before but this is crazy. Just started today on the computer I share with my parents (one user login). I imagine my dad clicked some links he wasn't familiar with in the past day or so. He's been looking at hubcaps, for what it's worth. Went through the read me and run sticky and now MSE doesn't start. Also having a hard time starting in safe mode. I've done it using msconfig but F8 doesn't seem to work. Getting multiple hits with MB and Hitman Pro. Any help would be appreciated.
     

  2. thisisu

    thisisu Malware Consultant

    Welcome to MajorGeeks, december32nd :)

    Delete items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[3].txt
    Attach RKreport[3].txt to your next message. (How to attach)

    __

    Rescan with HitmanPro; when it finds services.exe - Virus, allow it to Replace by clicking the down arrow next to the detection and choosing Replace.
    Afterwards, click the Next button.
    HitmanPro may want to reboot the PC in order for the changes to take effect; please do so.

    __

    Once you are back in Windows, run another scan with HitmanPro and then attach the latest hitmanpro.zip log. (How to attach)

    __

    Completely delete these two folders manually using Windows Explorer:
    • c:\windows\installer\{67d8fb44-a4d8-363b-589a-9598baef58ef}
    • c:\users\metz\appdata\local\{67d8fb44-a4d8-363b-589a-9598baef58ef}
    Let me know if you were successful or not.
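    As an added defender-side check (not part of the thread or the helper's instructions): the paired brace-GUID folders thisisu has the poster delete are the Sirefef indicator, but %windir%\Installer legitimately holds GUID-named folders for MSI packages, so the script below only flags a GUID present under both Windows\Installer and a user's AppData\Local. Sample paths are constructed; the GUID is the one from this thread, and the default Windows paths are assumptions.

```python
import os
import re
from pathlib import PureWindowsPath

# A brace-wrapped GUID folder name, e.g. {67d8fb44-a4d8-363b-589a-9598baef58ef}
GUID_DIR = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)

# Constructed sample: the two folders from this thread plus two benign ones
# (an ordinary MSI folder under Windows\Installer and a normal Local\Temp).
SAMPLE_DIRS = [
    r"C:\Windows\Installer\{67d8fb44-a4d8-363b-589a-9598baef58ef}",
    r"C:\Users\metz\AppData\Local\{67d8fb44-a4d8-363b-589a-9598baef58ef}",
    r"C:\Windows\Installer\{11111111-2222-3333-4444-555555555555}",
    r"C:\Users\metz\AppData\Local\Temp",
]

def is_guid_dir(name):
    return GUID_DIR.match(name) is not None

def find_sirefef_pairs(paths):
    """Return GUIDs that name a folder directly under Windows\\Installer AND
    directly under some user's AppData\\Local. A GUID folder in only one of
    the two places is not reported: Windows\\Installer uses them legitimately."""
    installer, local = set(), set()
    for p in paths:
        parts = [s.lower() for s in PureWindowsPath(p).parts]
        if len(parts) < 3 or not is_guid_dir(parts[-1]):
            continue
        grand, parent, name = parts[-3], parts[-2], parts[-1]
        if grand == "windows" and parent == "installer":
            installer.add(name)
        elif grand == "appdata" and parent == "local":
            local.add(name)
    return sorted(installer & local)

def collect_candidate_dirs(windows_root=r"C:\Windows", appdata_local=None):
    # Enumerate brace-GUID folders on a live Windows box (paths are assumed
    # defaults); on any other OS the listing fails and [] is returned.
    if appdata_local is None:
        appdata_local = os.environ.get("LOCALAPPDATA", "")
    roots = [os.path.join(windows_root, "Installer")] + ([appdata_local] if appdata_local else [])
    found = []
    for root in roots:
        try:
            for entry in os.scandir(root):
                if entry.is_dir(follow_symlinks=False) and is_guid_dir(entry.name):
                    found.append(entry.path)
        except OSError:
            pass
    return found
```

    On a live machine, `find_sirefef_pairs(collect_candidate_dirs())` lists the GUIDs to investigate; on the constructed sample only the thread's GUID is returned.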
     
  3. december32nd

    december32nd Private E-2

    Thank you for the reply.
    Before I do anything, I just want to clarify:
    When running Hitman Pro, should I continue to Ignore everything but the Services.exe, or allow Hitman Pro to Quarantine/delete the items it finds?
     
  4. thisisu

    thisisu Malware Consultant

    ^ Correct
     
  5. december32nd

    december32nd Private E-2

    Okay, when I first ran RogueKiller, it only gave me RKreport[2]. That made me do a double take and I realized that I didn't run it as Administrator. I performed another scan as administrator and it gave me RKreport[3] and [4]. I don't know how badly this screwed me up, sorry.
    Also, when Hitman Pro finished, my UAC was reset. I assume this is normal.
     

  6. thisisu

    thisisu Malware Consultant

  7. december32nd

    december32nd Private E-2

    Okay, seems to have gone smoothly. When I rebooted, the screen said ~Hitman Pro BV surf~ or something similar.
     

  8. thisisu

    thisisu Malware Consultant

    From Programs and Features (via Control Panel), please uninstall the below:
    • Java(TM) 6 Update 31

    __

    Delete these two files using Windows Explorer:
    • C:\Users\Metz\AppData\Local\funmoods-speeddial.crx
    • C:\Users\Metz\AppData\Local\funmoods.crx
    Let me know if you were successful or not.

    __

    Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

    __

    Let me know what problems remain after you have completed these steps.
     
  9. december32nd

    december32nd Private E-2

    No problems uninstalling or deleting files.
     

  10. thisisu

    thisisu Malware Consultant

    First, turn off UAC again.

    Run the attached fix.bat file by right-mouse clicking it and selecting Run as Administrator (extract from fix.zip).
    Then attach attach.txt :)
     

    Attached Files:

    • fix.zip (264 bytes)
  11. december32nd

    december32nd Private E-2

    Okay, first I read to try to delete GAC64 etc. using Windows Explorer. I couldn't find it at that directory. Then I ran the fix.bat.
     

  12. thisisu

    thisisu Malware Consultant

    I think it's gone but I just want to double-check as the log is not what I would have expected.

    Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     
  13. december32nd

    december32nd Private E-2

    Here it is. For the record, I haven't done a single thing on the infected computer that I wasn't instructed to here. I had seen the GAC_64 on previous scans, though.
     

  14. thisisu

    thisisu Malware Consultant

    It's gone but your Windows Firewall is broken:

    Download Windows Repair and unzip the contents into a newly created folder on your desktop.
    • Now open Repair_Windows.exe
    • Go to the Start Repairs tab.
    • Press the Start button
    • Create a System Restore point if prompted.
    • In the Repair Options window, choose the following repairs:
      • Reset Registry Permissions
      • Repair Windows Firewall
      • Repair Winsock & DNS Cache
    • Place a checkmark in Restart/Shutdown System When Finished
    • Fill in the Restart System bubble
    • Now click the Start button.
    • Be patient while the tool repairs the selected items. Your computer should automatically restart when finished.

    __

    Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     
  15. december32nd

    december32nd Private E-2

    Fantastic! One last thing: I'm not sure if it's the UAC or the hidden file view, but there is a User file, a My Computer icon and two Desktop.ini Configuration icons on my desktop. With your go-ahead, I'd like to uninstall Malwarebytes, reinstall Microsoft Security Essentials and run a scan.
     
  16. december32nd

    december32nd Private E-2

    It tells me that it is not compatible with my version of Windows.
    EDIT: never mind
     
  17. december32nd

    december32nd Private E-2

    Okay, it finished and I told it to restart, but it's giving me the same "windows will restart in one minute" message that I got with Sirefef...
     
  18. december32nd

    december32nd Private E-2

    Here's the log. I don't know if it's because of the view hidden files and folders setting, but I can see a User File, a My Computer icon, and two Desktop.ini configuration files on the desktop. With your go-ahead, I'll uninstall Malwarebytes, reinstall MSE and run a scan.
     

  19. december32nd

    december32nd Private E-2

    I still have a User File, My Computer icon, and two Desktop.ini configuration settings on my desktop.
     
  20. december32nd

    december32nd Private E-2

    Just ran a quick scan with MSE with no results (after MBAM uninstall). Cleared out all previous quarantined items with no issue. Running full scan now. Will update if needed. You people are saints. Where can I donate?
     
  21. thisisu

    thisisu Malware Consultant

    You're welcome.

    If you are not having any other malware related problems, it is time to do our final steps:
    • Any programs we had you download and/or install can be removed at this time.
    • If we had you download and run ComboFix, here is how to uninstall it:
      • Press and hold the Windows key and then press the letter R on your keyboard.
      • This opens the Run dialog box.
      • Copy and paste the below text inside the text-field:
        • "%userprofile%\desktop\ComboFix" /uninstall
      • Now press ENTER
      • ComboFix will extract its files one last time and you should receive a notification that ComboFix has been uninstalled shortly after.
    • You can re-enable your Disk Emulation software at this time via DeFogger.
    • If we had you create or download a registry patch or "fix" script, these can be deleted at this time.
    • Go into the C:\MGtools folder and run the MGclean.bat file to remove additional traces of our tools.
    • Now we will toggle System Restore to remove any infected system restore points.
    • Lastly, here is a guide to protect you from future infections: How to Protect yourself from malware!
    • Be safe :)
     
