Laptop infected with virus

Hi guys, I’ve got a virus and/or trojan on my laptop. I’ve run OTLPENet on a boot disc and run FRST.exe to scan, and the results are below. Please help!

I run Windows Vista 32bit.

It won’t let me c&p due to character limit, or attach a .txt file. How should I display the results?

I’ve uploaded the results here:

http://www.gtlawrochdale.co.uk/stuart/FRST.txt

I’ve also been able to identify that one of the trojans is Sirefef. I can’t use Microsoft Security Essentials or any other anti-virus tool as one of the trojans/viruses pops up after a couple of minutes with the message “The system has encountered a critical problems and will restart automatically in one minutes.”

I appreciate anyone who can help me with this.

Follow this guide…if able to. http://forum.avast.com/index.php?topic=53253.0

Could you re-run FRST please but this time in the search box type :

https://dl.dropbox.com/u/73555776/FRST%20Start%20scan.gif

Services.exe

Then press search
Then attach the FRST log here

Hi Pondus/essexboy, thanks for the replies.

I have followed the guide & re-ran FRST as requested. Malwarebytes scan came up clean, here are all the logs/reports that have been created from OTL, aswMBR, RogueKiller, FSS & FRST.

Scan Report attachments (continued).

It’s worth noting the error that said “The system has encountered a critical problems and will restart automatically in one minutes” has stopped and, after numerous attempts at re-booting Windows and Microsoft Security Essentials, the majority of the Sirefef trojan ‘seems’ to have disappeared. It will be interesting to see if you guys can spot anything additional that might be hiding from me from these reports.

Regards,

Stuart

Hi could you tell me exactly what the current situation is … Are you in normal mode… Did you replace the services.exe file

Hi, I’m currently running in normal mode and I didn’t replace the services.exe file.

Situation is:

  • I had at least one virus, didn’t have time to write down what Microsoft Security Essentials (MSE) named it, and the Sirefef trojan.

  • This was causing Google search results (when clicked) to redirect to different websites

  • When attempting to scan/remove using MSE the trojan/virus would, after about 2 minutes into the scan, pop up saying “The system has encountered a critical problems and will restart automatically in one minutes” then force restart the laptop

  • After numerous restarts and attempts to remove the trojans/virus using MSE the pop-up & force restarts have stopped and the Google search results seem to have stopped redirecting

  • I have performed these scans to see if there are any lingering/hidden trojans/viruses left on the laptop

Any help is, of course, appreciated :)

Regards,

Stuart

OK, I will need to create a few reg fixes as your Windows Update is not working

Download your zip file from the link below to your desktop
https://dl.dropbox.com/u/73555776/ejfly.zip
Extract all 7 reg files to the desktop
Double click each reg file in turn and allow to merge
Reboot…

Then come back here and I will have some further fixes for you

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-2448870290-903082354-550941469-1000\..\Toolbar\WebBrowser: (no name) - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No CLSID value found.
[2012/08/16 00:39:53 | 000,000,000 | ---D | C] -- C:\35209cbeb0a33318a0745ea8bfac

:Reg
[HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32]
""="%systemroot%\system32\wbem\wbemess.dll"
[-HKCU\Software\Classes\clsid\{12d0253a-7c96-815c-11e0-3034bbd97cc0}]

:Files
C:\Windows\Installer\{545a6bdc-4d4c-a15e-d205-9f232b91f476}
C:\Users\anne\AppData\Local\{545a6bdc-4d4c-a15e-d205-9f232b91f476}
ipconfig /flushdns /c
netsh int ip reset c:\resetlog.txt /c
ipconfig /release /c
ipconfig /renew /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
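Added example (not part of the thread, and not code from the helper or from OTL): a small Python triage check for the two artifacts the fix above targets, namely the same GUID naming a folder under both Windows\Installer and a user's AppData\Local, and the InprocServer32 default value that the :Reg section resets to wbemess.dll. The input layout (a path list followed by a .reg-style export) and the sample text are constructed for illustration.

```python
import re

GUID = r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}"
INSTALLER_DIR = re.compile(r"[a-z]:\\windows\\installer\\(" + GUID + ")", re.I)
LOCAL_DIR = re.compile(r"[a-z]:\\users\\[^\\\r\n]+\\appdata\\local\\(" + GUID + ")", re.I)
# CLSID key the :Reg section rewrites, and the value it restores (both from the fix above).
WBEM_KEY = re.compile(
    r"\\clsid\\\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1\}\\inprocserver32\]", re.I)
WBEM_EXPECTED = r"%systemroot%\system32\wbem\wbemess.dll"
# Default value is written @= in a .reg export and ""= in the OTL :Reg section.
DEFAULT_VALUE = re.compile(r'^\s*(?:@|"")\s*=\s*"(.*)"\s*$')


def paired_guid_dirs(text):
    """GUIDs naming a folder under BOTH Windows\\Installer and AppData\\Local.

    GUID folders under Windows\\Installer alone are normal (MSI caches),
    so only the pairing seen in the :Files section is reported.
    """
    installer = {g.lower() for g in INSTALLER_DIR.findall(text)}
    local = {g.lower() for g in LOCAL_DIR.findall(text)}
    return sorted(installer & local)


def wbem_inproc_mismatches(text):
    """Default values of the wbemess InprocServer32 key that differ from the restored one."""
    bad, in_key = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = bool(WBEM_KEY.search(line))
            continue
        m = DEFAULT_VALUE.match(line)
        if in_key and m:
            value = m.group(1).replace("\\\\", "\\")  # .reg exports double backslashes
            if value.lower() != WBEM_EXPECTED:
                bad.append(value)
    return bad


# Constructed sample input: the DLL path below is a placeholder, not a real indicator.
SAMPLE = r"""
C:\Windows\Installer\{545a6bdc-4d4c-a15e-d205-9f232b91f476}
C:\Windows\Installer\{11111111-2222-3333-4444-555555555555}
C:\Users\anne\AppData\Local\{545a6bdc-4d4c-a15e-d205-9f232b91f476}
[HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32]
@="C:\\example\\placeholder.dll"
"ThreadingModel"="Both"
"""

if __name__ == "__main__":
    print(paired_guid_dirs(SAMPLE))
    print(wbem_inproc_mismatches(SAMPLE))
```

A hit from either function is a reason to look closer at the machine, not proof of infection; an empty result after the fix only shows these two artifacts are gone.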

Hi, I’ve added the registry files, rebooted the laptop and now up to the Run Fix. The last thing I saw was the command prompt to renew my IP and now OTL has crashed and is saying Not Responding. Any ideas what I should do?

OK jump straight to combofix please

Sorry for the late reply, I’ve run the combofix and it finished but it’s gone to reboot and is now stalling on the “Logging off” screen. It did this after I had to manually reboot after the OTL crash.

Should I manually reboot the PC again and see if combofix left a report log?

Yes please… I may have to approach this from a different angle

I’ve manually restarted and the first thing that popped up was the combofix command prompt. It’s saying it is preparing a log report and do not run any programs until combofix has finished.

It’s been on that screen for around 20 mins now :-\

OK reboot using the start button then on reboot see if there is a log at C:\combofix.txt

Just as I hit reply there was progress… lol… it now says:

Almost done . . This window will close in a short while
Please wait a few seconds for the report log to pop up.

The start bar and desktop items then disappeared. I’m just waiting to see what happens now.

Edit: Will reboot now, gimme 2 secs.

Ok, I’ve just rebooted (had to manually reboot again due to it hanging on the Logging off screen again). There was no ComboFix.txt in the C:\ dir but there was a ComboFix.txt in the C:\ComboFix dir and ComboFix-quarantined-files.txt in the C:\Qoobox dir

Both files are attached.

Also it is now telling me there are new updates available for Windows, should I attempt to install or hang fire at this stage?