Help, Help. Trojans at the gates.

A couple of days ago my avast! antivirus software started notifying me that a threat had been detected. The messages indicated two issues, the first threat being a Win64:Sirefef-A [Trj], and the second Win32:Sirefef-AO [Rtk]. Although scans with avast have shown that the threats were found and deleted, the problem still persists. I have followed the steps on the guide and would greatly appreciate any assistance. Thanks to anyone who can help. Also, in case this helps, I was directed to download an update for Adobe a couple of days ago and have since seen by trolling these forums that it might have been what’s done me in. Also Hulu isn’t working and hasn’t been since I got this damned virus. Hope that narrows it down or something. Again, thanks.

Log from MBAM:
Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.24.04

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Scott :: SCOTT-PC [administrator]

6/24/2012 2:27:35 PM
mbam-log-2012-06-24 (14-27-35).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 193458
Time elapsed: 5 minute(s), 6 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 4
HKCU\SOFTWARE\EWABQAF7KL (Trojan.FakeAlert) → Quarantined and deleted successfully.
HKCU\SOFTWARE\XML (Trojan.FakeAlert) → Quarantined and deleted successfully.
HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32 (Trojan.Zaccess) → Quarantined and deleted successfully.
HKCU\Software\UBC5AB1IDP (Malware.Trace) → Quarantined and deleted successfully.

Registry Values Detected: 2
HKCU\SOFTWARE\CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32| (Trojan.Zaccess) → Data: C:\Users\Scott\AppData\Local\{7b62348c-bf40-d7a3-f0c8-d73a0400941d}\n. → Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|EWABQAF7KL (Trojan.FakeAlert) → Data: C:\Users\Scott\AppData\Local\Temp\Ez0.exe → Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Users\Scott\Downloads\ultimatemediaplayer_2.exe (PUP.BundleOffers.IIQ) → Quarantined and deleted successfully.
C:\Users\Scott\Local Settings\Temporary Internet Files\Content.IE5\0MPI1Z2S\movie99766[1].exe (Trojan.Downloader) → Quarantined and deleted successfully.
C:\Windows\Installer\{7b62348c-bf40-d7a3-f0c8-d73a0400941d}\U\00000001.@ (Trojan.Small) → Quarantined and deleted successfully.

(end)

Send Achilles and his army to own them. Nah, just joking.

I am NOT an experienced user, but my suggestion is the same one that I received.

http://forum.avast.com/index.php?topic=53253.0

That link is the thread “Logs to Assist in Cleaning Malware”.

Follow the steps and upload the logs (4 in total).

By the way, remember that Win32:Sirefef-AO is a rootkit (at least as defined by Avast), so any rootkit removal program (TDSSKiller is easy to use) would be recommended too. As a last reminder, it’s safe to keep all programs updated, as well as Windows (installing updates). I hope your problem can be resolved.

EDIT: Oh, didn’t notice they were already there. My apologies. A moderator should reply soon :slight_smile:

I have followed all of these steps in the guide; it’s actually what got me here. Here are the 4 attached scan logs as well as the post in the forum from MBAM.

So after running them, the problem persists?

Could I ask, do you have a computer network at home of any type? This may sound primitive, but Task Manager is sometimes helpful when identifying what could be the root of the problem. I guess if those programs didn’t manage to eliminate every last bit of malware then the last option that could be used is ComboFix (it’s supposed to be used only when a moderator/expert in the topic can guide you through the steps, as it can cause irreparable damage). I guess you know the text in parentheses though :slight_smile:

Odd why Hulu wouldn’t work… any other PC symptoms/problems at the moment?

As far as I can tell, no. I can’t say that I use the full range of functions my computer offers; it’s mostly a video game console, television and sometime lover. Would greatly appreciate any assistance though.

For people who have the same problems, make a new topic with the logs… essexboy or Jeff will arrive later today to help you guys. :slight_smile:

Please leave it to the qualified malware removal specialists; they will analyse the logs. That is their purpose: the first time these tools are run they are essentially gathering information so it can be analysed by the malware removal specialists.

Don’t need to worry about that. I’m way too scared of screwing everything up on this machine to try anything serious on my own. Other than not being able to use Hulu, there is nothing else that this virus, or whatever it is, is stopping me from doing on my computer, so I will just patiently await assistance.

I have contacted one of the malware removal specialists, hopefully they will be able to analyse your logs. Though as you can imagine they are somewhat busy, so it may be a little while.

OK I be here ;D

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
O4 - HKU\S-1-5-21-4136921964-2764666358-2870569962-1000..\Run: [fiigwjwd] rundll32 "C:\Users\Scott\AppData\Roaming\ipsmsnapx.dll",XVWCNLCN File not found

:Files
ipconfig /flushdns /c
C:\Windows\Installer\{7b62348c-bf40-d7a3-f0c8-d73a0400941d}
C:\Users\Scott\AppData\Local\{7b62348c-bf40-d7a3-f0c8-d73a0400941d}

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
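The following is an added example and is not part of the thread, nor code from OTL or ComboFix. It is a read-only PowerShell audit for the persistence locations that the MBAM log and the OTL fix above point at: a per-user CLSID InprocServer32 whose server DLL lives under %LOCALAPPDATA%\{GUID}\, an HKCU Run entry that drives rundll32 against a DLL in AppData\Roaming or launches an .exe from Local\Temp, and GUID-named folders under C:\Windows\Installer or %LOCALAPPDATA% that hold a U subfolder (with *.@ files) or an n file. It reports and deletes nothing, in keeping with the advice in this thread to leave removal to the specialists. The regular expressions and the U/n heuristics are my assumptions drawn from this one log, not a general Sirefef/ZeroAccess signature.

```powershell
# Added example, not from the thread or from OTL/ComboFix: a read-only audit for the
# Sirefef/ZeroAccess persistence indicators seen in this log. It reports only; it does
# not delete anything. Run from an elevated PowerShell prompt (PowerShell 2.0 or later).
# The patterns below are assumptions derived from this single MBAM/OTL log.

$findings = New-Object System.Collections.Generic.List[string]
$guidName = '^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$'   # {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}

# 1. Per-user COM hijack: HKCU\Software\Classes\CLSID\{...}\InprocServer32 whose default
#    value points into %LOCALAPPDATA%\{GUID}\ (the log showed ...\Local\{7b62348c-...}\n).
$clsidRoot = 'HKCU:\Software\Classes\CLSID'
if (Test-Path -LiteralPath $clsidRoot) {
    foreach ($key in @(Get-ChildItem -LiteralPath $clsidRoot -ErrorAction SilentlyContinue)) {
        $inproc = "$clsidRoot\$($key.PSChildName)\InprocServer32"
        if (-not (Test-Path -LiteralPath $inproc)) { continue }
        $server = (Get-ItemProperty -LiteralPath $inproc -ErrorAction SilentlyContinue).'(default)'
        if ($server -and $server -match '\\AppData\\Local\\\{[0-9a-f-]{36}\}\\') {
            $findings.Add("CLSID InprocServer32 hijack: $($key.PSChildName) -> $server")
        }
    }
}

# 2. HKCU Run entries of the two shapes the log and the OTL fix flagged:
#    rundll32 against a DLL in AppData\Roaming, or an .exe launched from Local\Temp.
$runKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$psNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
if (Test-Path -LiteralPath $runKey) {
    $run = Get-ItemProperty -LiteralPath $runKey
    foreach ($prop in $run.PSObject.Properties) {
        if ($psNoise -contains $prop.Name) { continue }   # provider metadata, not Run values
        $cmd = [string]$prop.Value
        if ($cmd -match 'rundll32.*\\AppData\\Roaming\\[^"\\]+\.dll' -or
            $cmd -match '\\AppData\\Local\\Temp\\[^"\\]+\.exe') {
            $findings.Add("Run entry: $($prop.Name) = $cmd")
        }
    }
}

# 3. GUID-named folders in the two places the OTL :Files section removed:
#    C:\Windows\Installer\{GUID}\U\*.@ and %LOCALAPPDATA%\{GUID}\n. Windows\Installer
#    legitimately holds GUID-named MSI caches, so a folder is reported only when it has
#    the 'U' subfolder or the 'n' file. -Force is needed because the folders are hidden.
foreach ($root in @("$env:SystemRoot\Installer", $env:LOCALAPPDATA)) {
    if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }
    $dirs = @(Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue |
              Where-Object { $_.PSIsContainer -and $_.Name -match $guidName })
    foreach ($dir in $dirs) {
        $uDir  = Join-Path $dir.FullName 'U'
        $nFile = Join-Path $dir.FullName 'n'
        if (Test-Path -LiteralPath $uDir -PathType Container) {
            $payloads = @(Get-ChildItem -LiteralPath $uDir -Force -ErrorAction SilentlyContinue |
                          Where-Object { $_.Extension -eq '.@' })
            $findings.Add("GUID folder with U subfolder: $($dir.FullName) ($($payloads.Count) *.@ file(s))")
        }
        if (Test-Path -LiteralPath $nFile -PathType Leaf) {
            $findings.Add("GUID folder with 'n' payload: $($dir.FullName)")
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Sirefef/ZeroAccess-style indicators found in the checked locations.'
} else {
    Write-Output "$($findings.Count) indicator(s) found (nothing was changed):"
    $findings | ForEach-Object { Write-Output "  [!] $_" }
}
```

Run it before and after a fix like the one above to confirm the registry and file artefacts are really gone rather than merely reported as quarantined; an empty result only covers these specific locations, so it is a spot check for this infection, not a clean bill of health.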

I am no longer getting any messages since running the fix on OTL, but since running ComboFix I can’t open a single program. Every program I try to boot gives me the message: Illegal operation attempted on a registry that has been marked for deletion. Even the logs themselves will not open. I have had to transfer the logs to a flash drive and use my girlfriend’s computer to upload this message. It was working okay before ComboFix was run, but now I can’t do a thing on the computer. Please help.

Scratch that. The computer rebooted and now everything is working fine. Still haven’t gotten any messages that look like I have a virus, so I think I’m in the clear, but as the experts you would know best.

Yes, what you experienced sometimes happens, it requires a reboot (2nd) to clear the marked for deletion issue.

Essexboy should be back on-line later today to confirm and any other actions required.

They all look good, any further problems ?

Nope everything looks great. It actually got rid of some run.dll thing from before this current virus as well. Thanks so much for everyone’s help.

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself, so… The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

:Commands
[resethosts]
[emptytemp]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done

Remove ComboFix

  • Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
  • In the Run box, type in ComboFix /Uninstall (Notice the space between the “x” and “/”) then click OK
  • Follow the prompts on the screen
  • A message should appear confirming that ComboFix was uninstalled

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that

  • Go to Control Panel
  • Select Folder Options (Appearance > Folder Options in category view)
  • Select the View tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.

SPRING CLEAN

To manually create a new Restore Point

  • Go to Control Panel and select System
  • Select System
  • On the left select System Protection and accept the warning if you get one
  • Select the System Protection tab
  • Select Create at the bottom
  • Type in a name, i.e. Clean
  • Select Create

Now we can purge the infected ones

  • Go Start > All Programs > Accessories > System Tools
  • Right click Disc Cleanup and select Run as administrator
  • Select your main drive and accept the warning if you get one
  • For a few moments the system will make some calculations
  • Select the More Options tab
  • In the System Restore and Shadow Backups section select Clean up
  • Select Delete on the pop up
  • Select OK
  • Select Delete

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:


Malwarebytes. Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly it will show you which programmes on your system need updating and give a download link

It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit

  • Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?

Keep safe :wave: