Help removing Win64/32:Sirefef-All [Trj/Rtk] & services.exe

system · June 16, 2013, 2:21am

C:\DwNldS\SOFTWARE\windows 7 32bit with everything\loader\not sure!\7Loader By Orbit30 & Hazar v1.2.exe a variant of Win32/HiddenStart.A application
C:\DwNldS\SOFTWARE\Windows XP Home SP2 [OEM Edition]\Windows XP Home SP2 [OEM Edition].rar Win32/HackTool.WpaKill.B application
C:\Qoobox\Quarantine\C\Users\Anthony\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe.vir Win32/Toolbar.DefaultTab.A application
C:\Users\Mike\Documents\intunemp3_d11645.exe a variant of Win32/InstallIQ application
C:\Users\Mike\Music\iLividSetupV1.exe Win32/Toolbar.SearchSuite application
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5385NAOH\q[1].txt HTML/Iframe.B.Gen virus
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E6T1FGEV\iframe3CAI7LTJ2.htm HTML/Iframe.B.Gen virus
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E6T1FGEV\iframe3[5].htm HTML/Iframe.B.Gen virus
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H22O63F5\iframe3CANZETXV.htm HTML/Iframe.B.Gen virus
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WQZKIN12\iframe3[5].htm HTML/Iframe.B.Gen virus
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z60V1F0C\iframe3[7].htm HTML/Iframe.B.Gen virus

system · June 16, 2013, 2:21am

Above are the ESET results.

system · June 16, 2013, 6:09pm

Hi,

http://i1224.photobucket.com/albums/ee380/jeffce74/ckscannericon_zpsafea984c.jpg
Download CKScanner by askey127 from Here & save it to your Desktop.
[*] Right-click and Run as Administrator CKScanner.exe then click Search For Files
[*] When the cursor hourglass disappears, click Save List To File
[*] A message box will verify the file saved
[*] Double-click the CKFiles.txt icon on your desktop then copy/paste the contents in your next reply

system · June 16, 2013, 6:24pm

CKScanner 2.3 - Additional Security Risks - These are not necessarily bad
c:\dwnlding\windows xp pro corp sp3 bootable incl key\crack\keyfinder.exe
c:\dwnlding\windows xp pro corp sp3 bootable incl key\crack\readme.txt
c:\dwnlding\windows xp pro corp sp3 bootable incl key\crack\windows xp key.txt
c:\program files\hp games\bejeweled 2 deluxe\wtmui_de\sounds\firecrackle.ogg
c:\program files\hp games\bejeweled 2 deluxe\wtmui_default\sounds\firecrackle.ogg
c:\program files\hp games\bejeweled 2 deluxe\wtmui_es\sounds\firecrackle.ogg
c:\program files\hp games\bejeweled 2 deluxe\wtmui_fr\sounds\firecrackle.ogg
c:\program files\hp games\bejeweled 2 deluxe\wtmui_it\sounds\firecrackle.ogg
scanner sequence 3.CE.11.VHNAKP
----- EOF -----

system · June 17, 2013, 11:38am

Just checking on something…I will return as quickly as I can.

system · June 17, 2013, 2:23pm

Thank you again!

system · June 17, 2013, 4:06pm

Please run the MGA Diagnostic Tool and post the report it produces:

[]Download MGADiag to your desktop.
[*]Double-click on MGADiag.exe to launch the program.
[*]Click Continue.
[*]Ensure that the Windows tab is selected. (It should be by default.)
[*]Click the Copy button to copy the MGA Diagnostic Report to the Windows clipboard.
[]Paste the MGA Diagnostic Report into your next reply.

system · June 17, 2013, 8:40pm

Diagnostic Report (1.9.0027.0):

Windows Validation Data–>
Validation Status: Genuine
Validation Code: 0
Cached Online Validation Code: N/A, hr = 0xc004f012
Windows Product Key: --27HYQ-XTKW2-WQD8Q
Windows Product Key Hash: U8YEZzymoD4DMyaMb32rPrNIS90=
Windows Product ID: 89578-OEM-7332157-00061
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 6.0.6002.2.00010300.2.0.003
ID: {5C4E2BB9-B297-4D99-97F0-3BC9C67D6630}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows Vista ™ Home Premium
Architecture: 0x00000000
Build lab: 6002.vistasp2_gdr.101014-0432
TTS Error:
Validation Diagnostic:
Resolution Status: N/A

Vista WgaER Data–>
ThreatID(s): N/A, hr = 0x80070002
Version: 6.0.6002.16398

Windows XP Notifications Data–>
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data–>
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data–>
Office Status: 100 Genuine
Microsoft Office Home and Student 2007 - 100 Genuine
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005

Browser Data–>
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Internet Explorer\iexplore.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data–>

Other data–>
Office Details: {5C4E2BB9-B297-4D99-97F0-3BC9C67D6630}1.9.0027.06.0.6002.2.00010300.2.0.003x32----WQD8Q89578-OEM-7332157-000612S-1-5-21-1821000488-4133590769-1524290879Hewlett-PackardHP G60 Notebook PCHewlett-PackardF.3220081120000000.000000+000DB323507018400F804090409Mountain Standard Time(GMT-07:00)03HPQOEMSLIC-MPC100100Microsoft Office Home and Student 2007123EBB9E88B15EF2CAzkaCxChFm/Jgq87DOtFsgdX8S8=81602-918-8026552-683631

Spsys.log Content: 0x80070002

Licensing Data–>
Software licensing service version: 6.0.6002.18005
Name: Windows™ Vista, HomePremium edition
Description: Windows Operating System - Vista, OEM_SLP channel
Activation ID: bffdc375-bbd5-499d-8ef1-4f37b61c895f
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 89578-00146-321-500061-02-1033-6001.0000-0072009
Installation ID: 006743922370679290096740559175849865160316066982211512
Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=43473
Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=43474
Use License URL: http://go.microsoft.com/fwlink/?LinkID=43476
Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=43475
Partial Product Key: WQD8Q
License Status: Licensed

Windows Activation Technologies–>
N/A

HWID Data–>
HWID Hash Current: NAAAAAEAAgABAAIAAQABAAAAAwABAAEAeqig9kpZQq16fziEgvTGBvL0BHaAqP5wrFZGyg==

OEM Activation 1.0 Data–>
N/A

OEM Activation 2.0 Data–>
BIOS valid for OA 2.0: yes
Windows marker version: 0x20000
OEMID and OEMTableID Consistent: yes
BIOS Information:
ACPI Table Name OEMID Value OEMTableID Value
APIC INSYDE
FACP HPQOEM SLIC-MPC
HPET INSYDE SLIC-MPC
BOOT INSYDE INSYDE
MCFG INSYDE
ASF! INTEL HCG
SLIC HPQOEM SLIC-MPC
SSDT INTEL SataAhci
SSDT INTEL SataAhci

system · June 18, 2013, 12:18am

ComboFix

[*]Please open Notepad (Start → Run → type notepad in the Open field → OK) and copy and paste the text present inside the code box below:

ClearJavaCache::
File::
c:\dwnlding\windows xp pro corp sp3 bootable incl key\crack\keyfinder.exe
c:\dwnlding\windows xp pro corp sp3 bootable incl key\crack\readme.txt
c:\dwnlding\windows xp pro corp sp3 bootable incl key\crack\windows xp key.txt

[*]Save this as CFScript.txt and change the “Save as type” to “All Files” and place it on your desktop.

http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif

[*]Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
[*]Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
[*]ComboFix may request an update; please allow it.
[*]ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
[*]When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix’s window while it is running. That may cause it to stall.

Attach the new log and let me know what remaining malware problems you are having.

system · June 18, 2013, 4:13pm

Seems like its running very well, thank you for all the help you’ve given! here is the report,

system · June 18, 2013, 5:34pm

Providing there are no other malware related problems…

http://i149.photobucket.com/albums/s64/mxyzptlk1214/Vegeta.gif
IT APPEARS THAT YOUR LOGS ARE NOW CLEAN

This infection appears to have been cleaned, but I can not give you any absolute guarantees. As a precaution, I would go ahead and change all of your passwords as this is especially important after an infection.

The following will implement some cleanup procedures as well as reset System Restore points:

Press the Windows key + R and this will open the Run text box. Copy/paste the following text into the Run box as shown and click OK.
Combofix /Uninstall
(Note: There is a space between the …X and the /U that needs to be there.)

http://i1224.photobucket.com/albums/ee380/jeffce74/CF.jpg

Any of the logs that you created for use in the forums or remaining tools that have not yet been removed can be deleted so they aren’t cluttering up your desktop. If you did not have Malwarebytes Antimalware before, I would keep it and run it weekly.

Here are some tips to reduce the potential for spyware infection in the future:

1. Make your Internet Explorer more secure - This can be done by following these simple instructions:

[*]From within Internet Explorer click on the Tools menu and then click on Options.
[*]Click once on the Security tab
[*]Click once on the Internet icon so it becomes highlighted.
[*]Click once on the Custom Level button.
[*]Change the Download signed ActiveX controls to Prompt
[*]Change the Download unsigned ActiveX controls to Disable
[*]Change the Initialize and script ActiveX controls not marked as safe to Disable
[*]Change the Installation of desktop items to Prompt
[*]Change the Launching programs and files in an IFRAME to Prompt
[*]Change the Navigate sub-frames across different domains to Prompt
[*]When all these settings have been made, click on the OK button.
[*]If it prompts you as to whether or not you want to save the settings, press the Yes button.
[*]Next press the Apply button and then the OK to exit the Internet Properties page.

2. FireFox If you use Firefox, I recommend installing the following add-ons to help make your Firefox browser more secure:
NoScript
AdBlock Plus

3. Use and update an anti-virus software - I can not overemphasize the need for you to use and update your anti-virus application on a regular basis. With the ever increasing number of new variants of malware arriving on the scene daily, you become very susceptible to an attack without updated protection.

4. Firewall
Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly. **There are firewalls that could be downloaded and used but I would personally only recommend using one of the following two below:
Online Armor Free
Agnitum Outpost Firewall Free

5. Make sure you keep your Windows OS current. Windows XP users can visit Windows update regularly to download and install any critical updates and service packs. Windows Vista/7 users can open the Start menu > All Programs > Windows Update > Check for Updates (in left hand task pane) to update these systems. Without these you are leaving the back door open.

6. WOT (Web of Trust) As “Googling” is such an integral part of internet life, this free browser add on warns you about risky websites that try to scam visitors, deliver malware or send spam. It is especially helpful when browsing or searching in unfamiliar territory. WOT’s color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites. WOT has an add-on available for Firefox, Internet Explorer as well as Google Chrome.

7. Finally, I strongly recommend that you read Miekiemoes’ great advice How to prevent malware.

Please reply to this thread once more if you are satisfied so that we can mark the problem as resolved.

system · June 20, 2013, 11:46am

Since this issue appears to be resolved … this Topic has been closed. Glad we could be of assistance.

If you are the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.