Daily Trojan

FIRST >>>>

  • Right click on FRST64.exe on your desktop and select “Run as Administrator…”. When the tool opens, click Yes to the disclaimer.
  • Type FBEB8A05-BEEE-4442-804E-409D6C4515E9 into the Search Box.
  • Press the Search Registry button.
  • It will produce a log called search.txt in the same directory the tool is run from.
  • Please copy and paste the log back here.

SECOND >>>>

Open Notepad by pressing the Windows Key + R Key, typing Notepad in the Run dialog and then pressing Enter. Please copy the contents of the Code box below. To do this, highlight the contents of the box by clicking [Select] next to Code:, then right click on any of the highlighted text and select Copy. Paste this into the open Notepad. Save it to your desktop as fixlist.txt


Start
CreateRestorePoint:
CloseProcesses:
REG: reg query HKU\S-1-5-21-930250783-1986003217-1596953152-1000_Classes\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9} /s
Reboot
end

NOTE. It’s important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 by right clicking on the FRST64.exe file, selecting “Run as Administrator…”. The User Account Control may open up; if it does, select Yes to continue to let FRST open and load.

The tool will check for an updated version of itself every time it loads; please allow it to do this and the program will either inform you it is downloading an updated copy (and to wait until it is safe to continue) or show nothing (meaning there is no update found) and you can continue on. Press the Fix button just once and wait. The tool will create a restore point, process the script and ask for a restart of your system.

http://i1351.photobucket.com/albums/p785/dbreeze2/just%20stuff/Press%20the%20FIX%20button_zpsdd5zi3mt.png

If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.

When finished FRST will generate a log on the Desktop (Fixlog.txt). Please attach it to your reply post.

Farbar Recovery Scan Tool (x86) Version:23-11-2015
Ran by Owner (2015-11-24 00:09:28)
Running from C:\Users\Owner\Desktop
Boot Mode: Normal

================== Search Registry: "FBEB8A05-BEEE-4442-804E-409D6C4515E9" ===========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\{fbeb8a05-beee-4442-804e-409d6c4515e9}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\PropertySheetHandlers\{fbeb8a05-beee-4442-804e-409d6c4515e9}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{fbeb8a05-beee-4442-804e-409d6c4515e9}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\AutoplayHandlers\CancelAutoplay\CLSID]
"fbeb8a05-beee-4442-804e-409d6c4515e9"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\{fbeb8a05-beee-4442-804e-409d6c4515e9}]
[HKEY_USERS\S-1-5-21-930250783-1986003217-1596953152-1000\Software\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}]
[HKEY_USERS\S-1-5-21-930250783-1986003217-1596953152-1000_Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}]

** attached scan done right before I checked your message

Ok, all done, here are your logs: Looks like what I thought I attached before has vanished. Hope this is the right thing…added another MBAM scan log.

I believe that there is something hiding in your Recycle Folder (the Recycle Bin). Follow the directions given here (steps to view all files on your system, delete the $Recycle.bin folder and restart your system).
http://www.tech-recipes.com/rx/2802/vista_how_to_reset_recycle_bin/

If MalwareBytes finds the same listing again after doing this, please run the last Fixlist.txt file (the one with the REG query line in it) BEFORE having MBAM remove the registry value. This will allow me to read the entire key data (if there is any) and further narrow down the approach.
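As an added example (not from this thread, and not code from the FRST, Malwarebytes or any other tool's authors), the PowerShell below does what the FRST registry search in the FIRST step and the "reg query ... /s" line in the fixlist do, then lists $Recycle.Bin as the recycle-bin step above asks, so the key data can be read before a scanner deletes it. It assumes an elevated PowerShell prompt on the affected machine; the GUID is the one quoted in the logs. Two facts it relies on: HKU\<SID>_Classes is that user's Software\Classes hive (UsrClass.dat), and a CLSID registered there is used in preference to the HKLM copy for that user, which is what makes a per-user InprocServer32 worth reading. On an x86 system such as the one in this thread the Wow6432Node root simply does not exist and is skipped.

```powershell
# Added example, not from the thread or from any tool's authors. Assumes an
# elevated PowerShell prompt; the GUID is the one from the MBAR/FRST logs.

$Clsid = '{FBEB8A05-BEEE-4442-804E-409D6C4515E9}'

# PowerShell only maps HKLM: and HKCU: by default; expose HKEY_USERS as well.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# Every Classes root a COM lookup can hit. HKU\<SID>_Classes is the user's
# Software\Classes hive; a CLSID registered there wins over the HKLM copy for
# that user, which is what turns a per-user entry into a hijack.
$Roots = @('HKLM:\SOFTWARE\Classes', 'HKLM:\SOFTWARE\Wow6432Node\Classes')
foreach ($hive in Get-ChildItem HKU:\ -ErrorAction SilentlyContinue) {
    $name = $hive.PSChildName
    if ($name -like '*_Classes') { $Roots += "HKU:\$name" }
    else { $Roots += "HKU:\$name\Software\Classes" }
}

# Recursive dump of one key: the equivalent of "reg query <key> /s".
function Write-RegKeyTree {
    param([string]$Path, [int]$Depth = 0)
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $key) { return }
    $pad = '  ' * $Depth
    Write-Output "${pad}[$($key.Name)]"
    foreach ($v in $key.GetValueNames()) {
        $label = if ($v -eq '') { '(Default)' } else { $v }
        $kind  = $key.GetValueKind($v)
        # Do not expand %SystemRoot% etc.; the raw string is what was written.
        $data  = $key.GetValue($v, $null, 'DoNotExpandEnvironmentNames')
        Write-Output "${pad}    $label ($kind) = $data"
    }
    foreach ($sub in $key.GetSubKeyNames()) {
        Write-RegKeyTree -Path (Join-Path $Path $sub) -Depth ($Depth + 1)
    }
}

# 1. Dump each copy of the CLSID key and call out what InprocServer32 loads.
#    Compare the per-user copy against the HKLM one: the HKLM entry names a
#    Windows DLL; a per-user entry naming anything else is the loader.
foreach ($root in $Roots) {
    $keyPath = Join-Path $root "CLSID\$Clsid"
    if (-not (Test-Path -LiteralPath $keyPath)) { continue }
    Write-RegKeyTree -Path $keyPath
    $srv = Get-ItemProperty -LiteralPath "$keyPath\InprocServer32" -ErrorAction SilentlyContinue
    if ($srv) { Write-Output "    -> InprocServer32 loads: $($srv.'(default)')" }
    Write-Output ''
}

# 2. Look inside $Recycle.Bin with -Force. The folder and its per-SID
#    subfolders are hidden+system, so Explorer keeps hiding them until "Hide
#    protected operating system files" is also turned off; "show hidden files"
#    on its own is not enough.
$bin = Join-Path $env:SystemDrive '$Recycle.Bin'
Get-ChildItem -LiteralPath $bin -Force -Recurse -ErrorAction SilentlyContinue |
    Select-Object FullName, Attributes, Length, LastWriteTime |
    Format-Table -AutoSize
```

Save the output before letting MBAM remove the key: once the key is gone, the InprocServer32 path is the only pointer to the file on disk that needs to be found and removed, and a key that keeps coming back after deletion means something still running is re-creating it.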

Well, we may have found the culprit…I have run 4 MBAM scans at different times today, and no Trojan found so far. All clean scans, finally…Thank you, I’m almost afraid to think this is it, but I’m going to pray that it is done!!

Since the flag has not been thrown by MBAM in some days, I will post our clean-up steps and let you on your way …

Clean up of Malware Removal Tools
Now that we are through using these tools, let’s clean them off your system so that should you ever need to have malware removed again (we hope not) fresh, updated copies will be downloaded.

[*]Download Delfix from here to your desktop and double click it to start the program
[*]Ensure Remove disinfection tools is ticked
Also tick:
[*]Activate UAC
[*]Create registry backup
[*]Purge system restore
[*]Reset system settings

http://i1351.photobucket.com/albums/p785/dbreeze2/just%20stuff/DelFixSelectall_zps0f04cec4.png

[*]Click Run
[*]The program will run for a few moments and then notepad will open with a log. Note: Please save this log first before rebooting your system (if asked to); DelFix does not save the log as it is trying to remove all traces of our work on your system. Please attach the log in your next reply.

You can delete any log files left on your desktop as these are no longer needed.

Also, if you do not have to have all the various versions of Java on your system, this utility is a good way to clean those up and keep the latest Java installed (if you need it):

http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application.

Upgrading Java :
Please download JavaRa to your desktop and unzip it to its own folder

[*]Run JavaRa.exe, then click on Remove Java Runtime.
[*]Select the Java version you have from the drop down list, and then click on Run Uninstaller
[*]Press Yes if it asks to uninstall the product.
[*]Allow the uninstaller to remove the installed version.
[*]When it's finished, go back to JavaRa, and click Back
[*]Click on Update Java Runtime and then select Download and install latest version.
[*]Press Next
[*]Press Java Manual Download.
[*]A browser window will open with the Java download page.
[*]Click the Windows offline link to download Java.
[*]Run the installer.
[*]Close JavaRa

Ok, still no sign of the Trojan, so it seems to be gone…Thank you so much for hanging in there with me and finding the culprit…wish I could get my hands on the culprit who sent it to me. I would like to pay you something, and would also like to see if you could help me with a dispute I have ongoing since May with Avast for charging me $119 for an unsuccessful remote session that lasted 4-5 hours, and which I did not request. My computer repairman did write a letter attesting to the fact that the session did not repair my problem.
But that aside, I really do appreciate your assistance. KW

I’m glad the trojan is gone. As to the other matter, I’m not sure I can help you any as I am not affiliated with Avast in any way. I am just a trained volunteer helping out here as best I can.

Have a very Merry Holidays and surf safely!

I am grateful for your assistance…please don’t think the amount of my donation reflects the amount of gratitude I feel…just my circumstances. KW

Celebrated too soon, I’m afraid…same Trojan back on today’s mbar scan. Do you mind helping? No recycle bin showing in C drive, even after “un-hiding” hidden files.

It is not in the log you attached?

Problems with the page I guess, MBAR file didn’t show up…trying again.

Your log is here, but the first one you attached did not show any detections

The one you attached now does

Malwarebytes Anti-Rootkit BETA 1.9.3.1001 www.malwarebytes.org

Database version:
main: v2015.11.29.04
rootkit: v2015.11.26.01

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Owner :: KATHYSLAPTOP [administrator]

11/29/2015 3:35:31 PM
mbar-log-2015-11-29 (15-35-31).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 352030
Time elapsed: 21 minute(s), 10 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKU\S-1-5-21-930250783-1986003217-1596953152-1000_Classes\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9} (Hijack.Trojan.Siredef.C) -> Delete on reboot. [6266fa899dee0d29f6566d9451afa15f]

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)

I have wasted the last hour trying to get a screen print or snipped copy of the scan done at 3:35pm, which is when the Trojan appeared.
MBAM is not performing as usual to export a scan log, and I don’t have all night to work on it. I want to get the exact location to you, but have trouble right now…wish you could just copy and paste a line from MBAM, can’t. The log I sent earlier was from an earlier scan, and it didn’t show up on that scan…the reason I scanned again is that the computer froze, as it often does when it is infected with this Trojan, so I had to shut it down and restart it, then scan…what I always do when that happens.

The issue now, is how I can scan the external hard drive I’ve been using for backup…no doubt the Trojan is there, too. Can I open MBAM within the Ext. HDD and run it in the drive? or is there a trick to it? If I ever have to restore from that drive, I don’t want to restore my old Trojan.

I got a pop-up notice “Malware Detected”, so finally got you an instance in MBAM…this after I had rebooted, which was supposed to delete the one found earlier this afternoon.

Another instance of the “demon Trojan” located 11-30-15 at 12:15 am.

Let’s get a second opinion on this …

Download the latest version of TDSSKiller from here and save it to your Desktop.

[*]Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_1.jpg

[*]Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

http://i1351.photobucket.com/albums/p785/dbreeze2/just%20stuff/TDSSKiller_options2015-01-10_zpse37afaba.png

[*]Click the Start Scan button.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_3.jpg

[*]If a suspicious object is detected, the default action will be Skip, click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_4.jpg

[*]If malicious objects are found, they will show in the Scan results and offer three (3) options.
[*]Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_5.jpg

[*]Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

A report will be created in your root directory (usually the C:\ folder) in the form of “TDSSKiller.[Version]_[Date]_[Time]_log.txt”. Please copy and paste its contents in your next reply.

No threats today, although the computer has frozen and had to be shut down 3 times,…I was online when that happened.

Did you ever get your $Recycle.Bin folder back? Does your Recycle Bin function properly (you can delete files and recover them from the Recycle Bin “trash can”)?

The Recycle bin on the desktop is still functional…just no folder appears on the C drive. MBAM and TDSS both scanned with no malware found! (Happy Face) Will hope it’s beaten??