Trojan virus issue

Discussion in 'Malware Help (A Specialist Will Reply)' started by Snowride155, Jan 10, 2013.

  1. Snowride155

    Snowride155 Private E-2

    Hello all, I'm obviously new here. I received a message from my Windows 7 Action Center today saying that I had a Trojan:Win32/Sirefef.AN. I went through all the instructions in the READ & RUN ME FIRST post and obtained all the logs that were requested from RK, HitmanPro, and MGtools. No threats were detected when I ran TDSSKiller or Malwarebytes. However, the other programs did detect issues. I did not delete or quarantine anything, per instructions. Here are the logs. Thank you very much in advance!
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these detections:

    • [HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-21-3174122918-4036108595-1348009327-1000\$2949d9e2503ad8af17f3f1800486e3b8\n) -> FOUND
    Place a checkmark on each of these items, leave the others unchecked.
    Now press the Delete button.

    Now click the Files/folders tab and locate these detections:

    • [ZeroAccess][FILE] n : C:\$recycle.bin\S-1-5-21-3174122918-4036108595-1348009327-1000\$2949d9e2503ad8af17f3f1800486e3b8\n --> FOUND
    • [ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-21-3174122918-4036108595-1348009327-1000\$2949d9e2503ad8af17f3f1800486e3b8\@ --> FOUND
    • [ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-21-3174122918-4036108595-1348009327-1000\$2949d9e2503ad8af17f3f1800486e3b8\U --> FOUND
    • [ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-21-3174122918-4036108595-1348009327-1000\$2949d9e2503ad8af17f3f1800486e3b8\L --> FOUND
    • [ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_32\Desktop.ini --> FOUND
    • [ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_64\Desktop.ini --> FOUND
    Place a checkmark on each of these items, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)

    Now rerun Hitman and have it fix everything it finds.

    Reboot.

    Re-scan with both RogueKiller and Hitman and attach those new logs as well.

    Then run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    * C:\MGlogs.zip
    Make sure you tell me how things are working now!
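An added example, not part of this thread and not RogueKiller's own logic: a small Python checker that flags the two ZeroAccess indicator layouts listed in the report above (a hidden "$<32 hex>" folder under a user SID in $Recycle.Bin holding n, @, U and L, and Desktop.ini planted in GAC_32/GAC_64). The sample path list is constructed for the demo; it reuses the paths from the report plus benign ones that must not trigger.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Layout as listed in the RogueKiller report: $Recycle.Bin\<SID>\$<32 hex>\{n,@,U,L}
RECYCLE_RE = re.compile(
    r"^[a-z]:\\\$recycle\.bin\\(s-1-5-21(?:-\d+){4})\\\$([0-9a-f]{32})\\([n@ul])$",
    re.IGNORECASE,
)
# Desktop.ini dropped into the 32-bit or 64-bit Global Assembly Cache folder
GAC_RE = re.compile(r"^[a-z]:\\windows\\assembly\\gac_(32|64)\\desktop\.ini$", re.IGNORECASE)
EXPECTED_MEMBERS = {"n", "@", "u", "l"}

def classify_path(path: str) -> Optional[Tuple[str, str]]:
    """Return (category, key) when a path matches an indicator, else None."""
    p = path.strip()
    m = RECYCLE_RE.match(p)
    if m:
        sid, hexname, member = m.groups()
        # key = folder identity | member name, so members can be grouped per folder
        return ("recycle_member", f"{sid}\\${hexname.lower()}|{member.lower()}")
    if GAC_RE.match(p):
        return ("gac_desktop_ini", p.lower())
    return None

def assess(paths: List[str]) -> Dict[str, object]:
    """Group hits per hidden folder; a folder with all four members is a full match."""
    members = defaultdict(set)
    gac = []
    for path in paths:
        hit = classify_path(path)
        if hit is None:
            continue  # ordinary recycle-bin entries and GAC assemblies fall through here
        category, key = hit
        if category == "recycle_member":
            folder, member = key.split("|")
            members[folder].add(member)
        else:
            gac.append(key)
    complete = sorted(f for f, m in members.items() if m == EXPECTED_MEMBERS)
    return {"suspect_folders": dict(members), "complete_folders": complete, "gac_desktop_ini": sorted(gac)}

SAMPLE_PATHS = [  # constructed sample: the report's paths plus two benign entries
    r"C:\$recycle.bin\S-1-5-21-3174122918-4036108595-1348009327-1000\$2949d9e2503ad8af17f3f1800486e3b8\n",
    r"C:\$recycle.bin\S-1-5-21-3174122918-4036108595-1348009327-1000\$2949d9e2503ad8af17f3f1800486e3b8\@",
    r"C:\$recycle.bin\S-1-5-21-3174122918-4036108595-1348009327-1000\$2949d9e2503ad8af17f3f1800486e3b8\U",
    r"C:\$recycle.bin\S-1-5-21-3174122918-4036108595-1348009327-1000\$2949d9e2503ad8af17f3f1800486e3b8\L",
    r"C:\Windows\Assembly\GAC_32\Desktop.ini",
    r"C:\Windows\Assembly\GAC_64\Desktop.ini",
    r"C:\$Recycle.Bin\S-1-5-21-3174122918-4036108595-1348009327-1000\$R3K1PQ2.docx",  # a normally deleted file
    r"C:\Windows\Assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll",  # legitimate GAC content
]

if __name__ == "__main__":
    print(assess(SAMPLE_PATHS))
```

On a live machine the same functions can be fed the output of a recursive directory listing of $Recycle.Bin and the two GAC folders instead of SAMPLE_PATHS.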
     
  3. Snowride155

    Snowride155 Private E-2

    Thank you for being so detailed with that procedure. I followed the first set of instructions and ran RK. I selected only that registry detection and deleted it. After I did that I went to the files tab and all of those other detections you have written were deleted when the registry detection was deleted. Which I'm assuming is ok. My question is after I do the reboot and run RK again, which fix button do I select? Fix Host, Proxy, DNS, shortcuts, or Delete? Here is the 2nd RK log. Thanks again!
     

    Attached Files:

  4. Snowride155

    Snowride155 Private E-2

    I re-read your post and realized that I'm only supposed to run hitman and fix the issues that were found. So you can completely disregard my previous post. I have since performed all of those tasks. After the reboot and rescan using hitman, there were no threats detected. However when I ran RK there was a list of quite a few registry issues found. I have all three post-deletion logs that I just ran. Thanks again, Nick.
     

    Attached Files:

  5. Snowride155

    Snowride155 Private E-2

    Also, to add to the problem, I can no longer perform Windows updates. I went into services.msc and there is no service for Windows Update. I'm assuming the virus took out my Windows Update agent.
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Looks good. What issues do you still have, if any?
     
  7. Snowride155

    Snowride155 Private E-2

    Other than RK finding those registry issues, I am not able to install any Windows updates. I think the virus must have attached itself to a registry item for Windows Update or something. I was able to find Windows Update in services.msc. It allows me to find the new Windows updates, but when I try to install them it says failed.
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now run Repair_Windows.exe by double clicking on it ( if you are running Vista or Win 7, use right click and select Run As Administrator)
    • Now select the Start Repairs tab.
    • Then click the Start button.
    • Create a System Restore point if prompted.
    • On the next screen, click the Unselect All button to first deselect all repairs.
    • Now select the following repair options:
      • Reset Registry Permissions
      • Reset File Permissions
      • Register System Files
      • Repair WMI
      • Repair Windows Firewall
      • Remove Policies Set By Infections
      • Repair Winsock & DNS Cache
      • Repair Proxy Settings
      • Repair Windows Updates
      • Set Windows Services To Default Startup
    • Now on the lower right side check the box to Restart/Shutdown System When Finished
    • Then make sure the Restart System radio button is enabled.
    • Shutdown any other programs that you are running now before continuing.
    • Now click the Start button.
    • Be patient while the tool repairs the selected items.
    • It should reboot automatically when finished.
     
  9. Snowride155

    Snowride155 Private E-2

    Perfect! It worked like a charm! Thank you very much for all of your help, Tim. I ran Security Essentials after everything was sorted out. It found 2 items, Exploit:Java/CVE-2012-4681 and 2013-0422. I deleted both items. Everything seems to be in tip-top shape. Thanks again!
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware. You can uninstall RogueKiller and HitManPro.
    2. Go back to step 4 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista or Win 7, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    7. After doing the above, you should work through the below link
    Malware removal from a National Chain = $149
    Malware removal from MajorGeeks = $0
     
