sirefef-pl infection

I have Win32:Sirefef-PL [Rtk] in my C:\Windows\assembly\GAC_64\Desktop.ini.

Yay.

I need to be rid of this silly thing. Any help would be great.

I have run the AdwCleaner and did the delete there.
And below I have pasted the malwarebytes log, and attached the other requested logs to help rid myself of this.

Thanks!

Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Database version: v2013.01.29.10

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
trooney :: ACG-TROONEY01 [administrator]

1/29/2013 2:02:13 PM
mbam-log-2013-01-29 (14-02-13).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 358826
Time elapsed: 2 minute(s), 19 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

removers are notified, it may take hours before one arrive so be patient…

Hi there, we will need to take a couple of runs at this as I will be doing manual removal and repair

[*] Download RogueKiller and save it on your desktop.

NOTE: If using IE8 or better Smartscreen Filter will need to be disabled

[*]Quit all programs
[*] Start RogueKiller.exe.
[*] Wait until Prescan has finished …
[*] Click on Scan

https://dl.dropbox.com/u/73555776/RKScan.GIF

[*]Wait for the end of the scan.
[*] The report has been created on the desktop.
[*] Click on the Delete button.

https://dl.dropbox.com/u/73555776/RKDelete.GIF

[*]The report has been created on the desktop.

[*]Next click on the ShortcutsFix

https://dl.dropbox.com/u/73555776/RKFixShortcuts.GIF

[*]The report has been created on the desktop.

Please post: All RKreport.txt text files located on your desktop.

THEN

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:OTL
IE - HKU\S-1-5-21-77879606-125310410-1787567668-9824\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;127.0.0.1:9421;<local>
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{FCA6F0F0-D0E6-11E1-8270-B8AC6F996F26}: C:\Users\TRooney\AppData\Local\{FCA6F0F0-D0E6-11E1-8270-B8AC6F996F26}\ [2012/07/18 07:44:36 | 000,000,000 | ---D | M]
[2012/07/18 07:44:36 | 000,000,000 | ---D | M] (Mozilla Safe Browsing) -- C:\USERS\TROONEY\APPDATA\LOCAL\{FCA6F0F0-D0E6-11E1-8270-B8AC6F996F26}

:Files
C:\$Recycle.Bin\S-1-5-21-77879606-125310410-1787567668-9824\$b5f23c7a9a7999da5477823df9e37b93

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Here we go, I had some time to run the steps you outlined.

Here are the results.

Thanks for the help!

OK now we need to do some repairs

Download Windows Repair (all in one) from this site

Install the programme then run

https://dl.dropbox.com/u/73555776/waio%20start.JPG

Go to step 3 and allow it to run SFC

https://dl.dropbox.com/u/73555776/waio%20step3.JPG

On the start repairs tab click start

https://dl.dropbox.com/u/73555776/waiostart%20rep.JPG

Select the following items and tick restart system when finished

https://dl.dropbox.com/u/73555776/waio%20rep%20list.JPG

THEN

Download and run farbar service scanner

http://i1224.photobucket.com/albums/ee362/Essexboy3/Farbar/FSS-1.jpg

Tick “All” options.
Press “Scan”.
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.

Done.

Log is below

DFarbar Service Scanner Version: 16-01-2013
Ran by TRooney (administrator) on 30-01-2013 at 08:29:35
Running from “C:\Users\TRooney\Desktop\stuff”
Windows 7 Enterprise Service Pack 1 (X64)
Boot Mode: Normal


Internet Services:

Connection Status:

Localhost is accessible.
LAN connected.
Attempt to access Google IP returned error. Google IP is offline
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.

Windows Firewall:

Firewall Disabled Policy:

System Restore:

System Restore Disabled Policy:

Action Center:

Windows Update:

Windows Autoupdate Disabled Policy:

Windows Defender:

WinDefend Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.

Windows Defender Disabled Policy:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
“DisableAntiSpyware”=DWORD:1

Other Services:

Checking Start type of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
Checking ImagePath of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
Checking ServiceDll of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.

File Check:

C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\ipnathlp.dll => MD5 is legit
C:\Windows\System32\iphlpsvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit

**** End of log ****

OK final repair

Download the fixreg.zip from here https://dl.dropbox.com/u/73555776/fixreg.zip to your desktop
Extract both reg files to the desktop
Double click each in turn and allow to merge with the registry

Once done reboot, run a fresh FSS scan and let me know what problems remain

Done, and I am aware of no other problems that need to be fixed at the moment.

Thank you for your help.

Farbar Service Scanner Version: 16-01-2013
Ran by trooney (administrator) on 30-01-2013 at 09:44:09
Running from “C:\Users\TRooney\Desktop\stuff”
Windows 7 Enterprise Service Pack 1 (X64)
Boot Mode: Normal


Internet Services:

Connection Status:

Localhost is accessible.
LAN connected.
Attempt to access Google IP returned error. Google IP is offline
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.

Windows Firewall:

Firewall Disabled Policy:

System Restore:

System Restore Disabled Policy:

Action Center:

Windows Update:

wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv: “C:\Windows\system32\wuaueng.dll”.

Windows Autoupdate Disabled Policy:

Windows Defender:

WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.

Windows Defender Disabled Policy:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
“DisableAntiSpyware”=DWORD:1

Other Services:

File Check:

C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\ipnathlp.dll => MD5 is legit
C:\Windows\System32\iphlpsvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit

**** End of log ****

Could you test for windows updates please before I tidy up

Ran windows update, came back with a list that I’ll need to install later today when I have the time to do so.

Thanks again!

OK lets clean you up then ;D

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that
[*]Click Start.
[*]Open My Computer.
[*]Select the Tools menu and click Folder Options.
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[]Click Yes to confirm.
[
]Click OK.

: Keep Java Updated :

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article and this article.
I would recommend that you completely uninstall Java unless you need it to run an important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to diasble Java in your web browser and How to unplug Java from the browser)

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

http://img233.imageshack.us/img233/7729/mbamicontw5.gif
Malwarebytes.

Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly it will show you which programmes on your system need updating and give a download link

If you use on-line banking then as an added layer of protection install Trusteer Rapport

It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit
[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?Keep safe :wave: