NEED HELP WITH SIREREF AO[Rtk]

Need help with this malware because it makes me crazy.
I use Avast antivirus and I have already uploaded the Malwarebytes log and the AdwCleaner log.
I can't bring you a RogueKiller log because when I opened that program (only once) I had a blue screen, so I'm scared to open RogueKiller again.
I have attached the logs I was able to produce.

Thanks for your concern and attention ;D

monitoring

@Tribez
Hello and welcome 8)

[*] I will be working on your malware issues; this may or may not solve other issues you have with your machine.
[*] The fixes are specific to your problem and should only be used for this issue on this machine.
[*] If you don't know or understand something, please don't hesitate to ask.
[*] Please refrain from making any further changes to your computer (install/uninstall programs, delete files, edit the registry, etc.)
[*] Please DO NOT run any other tools or scans whilst I am helping you.
[*] It is important that you reply to this thread. Do not start a new topic.
[*] Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
[*] Absence of symptoms does not mean that everything is clear.


Step#1

Please download zoek.exe and save it to your desktop.

[*] Close any open browsers.

[*] Temporarily disable your AntiVirus program. (If necessary)
If you are unsure how to do this please read this or this Instruction.

[*] Double click on zoek.exe to run the tool.
Please wait while the tool starts…

[*] Select the "Combined fix" option
http://fotkica.com/thumbs3/1_tmb_149978192_zoek.jpg
(bottom right)

[*] Copy the text present inside the code box below and paste it into the large window in the zoek tool:



filesrcm;
startupall;
resetIEproxy;
{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA};c
emptyclsid;
C:\Users\TOSHIBA\AppData\Roaming\Mozilla\Firefox\Profiles\jr7ix1xx.default\extensions\ffxtlbr@babylon.com;f
C:\Users\TOSHIBA\AppData\Roaming\Mozilla\Firefox\Profiles\jr7ix1xx.default\extensions\ffxtlbr@incredibar.com;f
emptyIEcache;
iedefaults;
emptyiecache;
C:\Windows\Installer\{86e8d81d-31cc-879f-4031-c1ce376ffcbb}\@;f
C:\Windows\Installer\{86e8d81d-31cc-879f-4031-c1ce376ffcbb}\L;f
C:\Windows\Installer\{86e8d81d-31cc-879f-4031-c1ce376ffcbb}\U;f
C:\Windows\Installer\{86e8d81d-31cc-879f-4031-c1ce376ffcbb}\U\00000001.@;f
emptytemp;
C:\Users\TOSHIBA\AppData\Local\{86e8d81d-31cc-879f-4031-c1ce376ffcbb}\@;f
C:\Users\TOSHIBA\AppData\Local\{86e8d81d-31cc-879f-4031-c1ce376ffcbb}\L;f
C:\Users\TOSHIBA\AppData\Local\{86e8d81d-31cc-879f-4031-c1ce376ffcbb}\U;f
emptyjava;
emptyflash;


[*] Click on the Run script button
Please wait until a log report opens (this can be after a reboot)

[*] Save the Notepad file to your Desktop and attach zoek-results.log here

Note: It will also create a log in the C:\ directory named "zoek-results.log".


Step#2

Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.

Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this or this Instruction.

How to disable Avast:

[*] Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
[*] In the window that opens, in the top right corner, click Settings.
[*] In the new window that opens, choose the option Troubleshooting, uncheck Enable avast! self-defense, and click OK.

[*] Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls.
[*] In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn this option back on after the cleaning.

Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display the DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If the Recovery Console is not installed, ComboFix will offer to download and install it.
Click Yes to allow ComboFix to install the Recovery Console.
Note: Do not mouse-click ComboFix's window while it is running.
If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion", just restart the computer once more.

When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt)
Attach the log report (ComboFix.txt) back to the topic.

I already scanned with ComboFix, but I can't run your log in zoek.
It said that your log is wrong, and asked whether to retry or not.

This is the log from ComboFix.
NB: my ComboFix restarted about 3 times and some notifications appeared.

I can do zoek now.
Here's my report.

Sorry for butting in… Tribez, I will close the topic you have at G2G.

G2G??
What is that?
Sorry, I'm a newbie at this site… ;D

By the way, my Avast detected this virus as a file located like this:
c:\windows\installer.…80000032.@

Thanks

Oh, you mean G2G for my post in the other forum…
http://www.geekstogo.com/forum/topic/323650-infected-with-sireref-ao-rtk-need-help-for-removal/
Okay, you can close it… ;D

Thank you for your concern.

Thank you for the notification, essexboy. :slight_smile:

@Tribez
Can you read those rules again, please?

Also, please read this official info about running ComboFix.
http://www.bleepingcomputer.com/forums/topic273628.html


Attach the AdwCleaner log here:

C:\AdwCleaner[S1].txt

Step#1

Open Notepad and copy/paste the text inside the code box below:



Folder::
c:\windows\Installer\{86e8d81d-31cc-879f-4031-c1ce376ffcbb}
c:\program files\smadav

FileLook::
c:\windows\system32\services.exe

KillAll::

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SM?RT-Protection"=-

RegLockDel::
[HKEY_USERS\S-1-5-21-1564134155-1841001883-2689682887-1000_Classes\CLSID\{0637fe19-fe36-44f5-8a04-c34a9b9aad3f}]
[HKEY_USERS\S-1-5-21-1564134155-1841001883-2689682887-1000_Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
[HKEY_USERS\S-1-5-21-1564134155-1841001883-2689682887-1000_Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
[HKEY_USERS\S-1-5-21-1564134155-1841001883-2689682887-1000_Classes\CLSID\{da811759-be99-4d50-bb79-7f69b8e84605}]


Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt)


Step#2

Please download zoek.exe and save it to your desktop.

[*] Close any open browsers.

[*] Temporarily disable your AntiVirus program. (If necessary)
If you are unsure how to do this please read this or this Instruction.

[*] Double click on zoek.exe to run the tool.
Please wait while the tool starts…

[*] Select the "Combined fix" option
http://fotkica.com/thumbs3/1_tmb_149978192_zoek.jpg
(bottom right)

[*] Copy the text present inside the code box below and paste it into the large window in the zoek tool:



filesrcm;
startupall;


[*] Click on the Run script button
Please wait until a log report opens (this can be after a reboot)

[*] Save the Notepad file to your Desktop and attach zoek-results.log here

Note: It will also create a log in the C:\ directory named "zoek-results.log".

Sorry for that :stuck_out_tongue:
But if I turn off my Avast, when ComboFix restarts my laptop, Avast is activated again…
And now, after I ran the CFScript, why can't I open any program unless I open it as administrator?

Here is my log.
Thanks for the fast reply…
Anyway, I need to sleep now because in my place the time is 3 a.m. and I have school at 6 a.m. :o :o :o
I must be dead tomorrow hahaha ::slight_smile: ::slight_smile: ::slight_smile: ::slight_smile:

I come home at 2 p.m. in my place, but my email will notify me when you reply,
so I will continue with this tomorrow…

Thank you for your concern and sorry for my bad English ;D ;D ;D ;D

Hello, good afternoon all,
To Mr/Mrs magna86:
Now I'm back home and ready to continue what we left off yesterday.
Today the problem of not being able to open programs unless opened as administrator was solved just by restarting my computer.

I already did the ComboFix and zoek steps and attached the logs to my post before this one.
Now waiting for further information and decisions from magna86 ;D ;D ;D

Special thanks to magna86 :smiley: :smiley: :smiley: :smiley: :smiley: :smiley:

Need a reply please… :'( :'( :'( :'( :'( :'(

Hi,
Don't worry, I will be here :wink:

'Open as administrator' is a normal thing and it will be solved if you just update your Windows. You may do that after the cleaning…

We still need to remove some things…


Step#1
Please download zoek.exe and save it to your desktop.

[*] Close any open browsers.

[*] Temporarily disable your AntiVirus program. (If necessary)
If you are unsure how to do this please read this or this Instruction.

[*] Double click on zoek.exe to run the tool.
Please wait while the tool starts…

[*] Select the "Combined fix" option
http://fotkica.com/thumbs3/1_tmb_149978192_zoek.jpg
(bottom right)

[*] Copy the text present inside the code box below and paste it into the large window in the zoek tool:


filesrcm;
startupall;
SMëRT-Protection;z
SM?RT-Protection;z
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run];r
"SM?RT-Protection"=-;r
[HKEY_USERS\S-1-5-21-1564134155-1841001883-2689682887-1000\Software\Microsoft\Windows\CurrentVersion\Run];r
"SMëRT-Protection"=-;r
c:\program files\smadav\sm?rtp.exe;f
c:\program files\smadav;f
emptytemp;



[*] Click on the Run script button
Please wait until a log report opens (this can be after a reboot)

[*] Save the Notepad file to your Desktop and attach zoek-results.log here

Note: It will also create a log in the C:\ directory named "zoek-results.log".


Step#2
Open Notepad and copy/paste the text inside the code box below:


Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SM?RT-Protection"=-
[HKEY_USERS\S-1-5-21-1564134155-1841001883-2689682887-1000\Software\Microsoft\Windows\CurrentVersion\Run]
"SMëRT-Protection"=-

File::
c:\program files\smadav\sm?rtp.exe

KillAll::

Folder::
c:\program files\smadav


Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt)
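As an added example that is not part of the thread and not code from the zoek or ComboFix authors: a read-only PowerShell triage for the three things the helper's scripts above go after, namely GUID-named folders under Windows\Installer and AppData\Local carrying the '@'/'U'/'L' layout, Run-key values under HKLM and every user hive (the 'SM?RT-Protection' entries), and the integrity of services.exe that the FileLook:: line asks ComboFix to inspect. The profile path layout and the "non-ASCII value name" heuristic are my assumptions, not something the thread states; a flagged entry is a reason to look, not proof of infection. Run it from an elevated prompt; it deletes nothing.

```powershell
# Added example (not from the thread, not from the zoek/ComboFix authors):
# read-only triage for the indicators the helper's scripts above target.
# Run from an elevated PowerShell prompt on the affected machine.

# 1. GUID-named folders with the '@' + 'U' layout seen in the logs above.
#    Plain {GUID} folders under Windows\Installer are normal MSI cache; the
#    '@' file next to a 'U' sub-folder is the tell. The same layout was listed
#    under AppData\Local, so every user profile is checked too (assumed paths).
$guidRe = '^\{[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}\}$'
$roots  = @("$env:windir\Installer")
$userDirs = Get-ChildItem "$env:SystemDrive\Users" -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer }
foreach ($userDir in $userDirs) {
    $roots += Join-Path $userDir.FullName 'AppData\Local'
}
foreach ($root in $roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    $dirs = Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer -and $_.Name -match $guidRe }
    foreach ($dir in $dirs) {
        $hasAt = Test-Path -LiteralPath (Join-Path $dir.FullName '@')
        $hasU  = Test-Path -LiteralPath (Join-Path $dir.FullName 'U')
        if ($hasAt -and $hasU) {
            "SUSPECT folder: $($dir.FullName)"
            Get-ChildItem -LiteralPath $dir.FullName -Recurse -Force -ErrorAction SilentlyContinue |
                Where-Object { -not $_.PSIsContainer } |
                ForEach-Object { "    $($_.FullName)  ($($_.Length) bytes)" }
        }
    }
}

# 2. Run-key values in HKLM and in every loaded user hive (HKCU is one of the
#    HKEY_USERS SIDs, which is why the helper's script listed both). A value
#    name with characters outside printable ASCII, like the 'SMëRT-Protection'
#    entry above, is flagged for a closer look; the heuristic is mine, not the
#    thread's, and a flag alone is not proof of malice.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$runKeys = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run')
foreach ($hive in (Get-ChildItem HKU:\ -ErrorAction SilentlyContinue)) {
    $runKeys += "HKU:\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run"
}
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = (Get-ItemProperty -Path $key).PSObject.Properties
    foreach ($p in $props) {
        if ($p.Name -like 'PS*') { continue }   # PSPath etc. are provider metadata, not values
        $flag = ''
        if ($p.Name -match '[^\x20-\x7E]') { $flag = '   <-- non-ASCII value name' }
        "$key`n    $($p.Name) = $($p.Value)$flag"
    }
}

# 3. services.exe: the FileLook:: line in the CFScript above asks ComboFix to
#    inspect it. SFC compares the on-disk file with the component store and
#    reports whether it has been modified (needs an elevated prompt).
& "$env:windir\System32\sfc.exe" "/verifyfile=$env:windir\System32\services.exe"
```

Read the output next to the ComboFix and zoek logs rather than acting on it alone: a Run value that points at a real, signed program is not a finding, and an MSI {GUID} folder without the '@' file is just the installer cache.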

Sorry for my late reply, I just got home ;D
I've done what you asked.
By the way, I want to ask something: why do we remove Smadav? Isn't it an antivirus? Or is it malware?
Thanks

And here is my log

Well, first, to be honest I have never heard of this antivirus before, and my tools do not recognize it. I considered it to be a kind of rogue…
Second, running more than one antivirus program is not recommended because:

[*] They can conflict with each other.
[*] They may report the other antivirus software as malicious.
[*] Antivirus programs use an enormous amount of the computer's resources while actively scanning your computer.
[*] They can cause your computer to become unstable, run slowly and even, in rare cases, BSOD crash, etc.

And third,
http://www.threatexpert.com/report.aspx?md5=c0f9ba4a0a3116885896c08ce0a59b47

You will need to uninstall one of them. Which one is your decision.
If the antivirus you decide to keep and use has some operating problem, just reinstall it.

I may also remove it using a stronger forced tool (because the traces are still present)…


It is necessary to uninstall ComboFix:

[*] Click Start (or
http://amf.mycity.rs/pg/images/VistaStartButton.png
) then Run.

On Windows 7 or Vista you may use the Start Search field if Run is not available.

[*] In the text line, type (or copy) the following:

ComboFix /Uninstall

Note that there is a space between "ComboFix" and "/Uninstall".

[*] Then click OK (or press Enter).

Wait for the uninstall process to complete.


Your computer looks clean. How is your computer running now?

Now my computer runs normally and there is still no sign from Avast about this virus sireref AO anymore…
Now I want to ask how to remove RogueKiller from my desktop?
And is my laptop now free from malware?
How can I prevent malware from infecting my laptop?

Thanks for the help… ;D ;D ;D

Hi Tribez,

magna86 will be back soon and give you the all clear if you are happy with your results. Included will be instructions to remove all the programs you used to cleanse your system.

As for running two antiviruses at the same time, please do not do that. You may have increased your risk of infection by doing so; a conflict between the two may have allowed a malware object to slip in undetected while they were fighting each other during an ongoing conflict.

Please look below my post for ideas on certain programs that you can run side-by-side without conflict; the idea here is to layer your protection so that one can see malware activity when the others do not. All the programs I run are free.

You are clean and there is no active malware in the logs…

Re-run OTL and click on the CleanUp! button.

You will be asked to reboot the machine to finish the cleanup process; choose Yes.
After the reboot all the tools we used should be gone.
Note: Some more recently created tools may not yet be removed by OTL. Feel free to manually delete any tools it leaves behind.

how can i prevent malware to infect my laptop?
Turn on your antivirus. You may keep Malwarebytes Anti-Malware because it will be a great addition to your antivirus.

I also recommend that you use MCShield.
MyCity - Official download link
Softpedia - Mirror download link
It will prevent infection of your computer via USB flash drive, mobile phone or any other memory card.
And not only will it prevent infection, it will immediately clean the memory card or external HDD.

Sorry for replying so late, I thought my thread was closed :'( :'(
Hahaha…

I already did the OTL CleanUp; now my computer runs smoothly.
Thanks for your help, and can I ask you which antivirus can prevent malware?
Can Avast do it?

Thanks
Best regards,