Sirefef trojan and now malicious URL blocking

Hi,
4 days ago I noticed that Microsoft Security Essentials was turned off and I could not turn it back on, so I uninstalled then reinstalled it. I did a scan and it came up with the Sirefef trojan. There were 12 different Sirefefs that it found. I ran ComboFix and then installed and ran Avast. I removed everything it found but now I'm getting "malicious URL blocked" about every 5 seconds. I don't really know much about computers and only ran ComboFix on a recommendation from a friend. I went through the guide on this forum and I will attach the logs next. Thank you so much for your help.

Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.02.07

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Gonzales :: GONZALES-PC [administrator]

Protection: Enabled

8/2/2012 10:40:31 AM
mbam-log-2012-08-02 (10-40-31).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 209983
Time elapsed: 3 minute(s), 48 second(s)

Memory Processes Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) → 6444 → Delete on reboot.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) → Delete on reboot.

(end)

A malware removal specialist has been informed of your topic.
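As an added illustration, not from this thread or from any of the tools it uses: the quick scan above flagged svchost.exe running from C:\Windows rather than C:\Windows\System32, and that path mismatch is something a defender can check for directly. The PowerShell below (example code; the function names, the list of binary names and the expected directories are my assumptions) classifies a path as out of place for well-known system binary names and, for running processes, also reports the Authenticode status of the image.

```powershell
# Added example, not from the thread. The name list and expected directories are an
# assumption chosen to match the MBAM finding above; extend them for your environment.
$SystemBinaryNames = @('svchost.exe', 'lsass.exe', 'csrss.exe', 'services.exe',
                       'winlogon.exe', 'wininit.exe', 'smss.exe')
$ExpectedDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")

function Test-OutOfPlaceSystemBinary {
    # Returns $true when the file name is a well-known system binary name but the
    # containing directory is not one of the expected system directories.
    param([Parameter(Mandatory)][string]$Path)
    $name = [System.IO.Path]::GetFileName($Path)
    if ($SystemBinaryNames -notcontains $name) { return $false }   # -contains is case-insensitive
    $dir = [System.IO.Path]::GetDirectoryName($Path).TrimEnd('\')
    foreach ($d in $ExpectedDirs) {
        if ($dir -ieq $d) { return $false }
    }
    return $true
}

function Find-OutOfPlaceSystemProcess {
    # Walks running processes and reports any whose image path fails the check above,
    # together with its Authenticode signature status (Valid, NotSigned, HashMismatch, ...).
    $findings = @()
    foreach ($p in Get-Process) {
        try { $path = $p.MainModule.FileName } catch { continue }  # protected/64-bit processes may deny access
        if (-not $path -or -not (Test-OutOfPlaceSystemBinary -Path $path)) { continue }
        $sig = Get-AuthenticodeSignature -FilePath $path
        $findings += [PSCustomObject]@{
            PID       = $p.Id
            Path      = $path
            Signature = $sig.Status
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        }
    }
    return $findings
}

# Path-only checks: the location reported in the MBAM log, then the legitimate one.
Test-OutOfPlaceSystemBinary -Path 'C:\Windows\svchost.exe'
Test-OutOfPlaceSystemBinary -Path 'C:\Windows\System32\svchost.exe'

# Live check of the running system.
Find-OutOfPlaceSystemProcess | Format-Table -AutoSize
```

Run it from an elevated 64-bit PowerShell so that the main module of 64-bit and service processes can be read; a path check alone does not prove malice, so treat a hit as something to verify (signature, hash, parent process), not as a verdict.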

Hi Katara, welcome to the forum.

To make cleaning this machine easier
[*]Please do not uninstall/install any programs unless asked to
It is more difficult when files/programs are appearing in/disappearing from the logs.
[*]Please do not run any scans other than those requested
[*]Please follow all instructions in the order posted
[*]All logs/reports, etc… must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, and uncheck Word Wrap if it is checked.
[*]Do not attach any logs/reports, etc… unless specifically requested to do so.
[*]If you have problems with or do not understand the instructions, Please ask before continuing.
[*]Please stay with this thread until given the All Clear. An absence of symptoms does not mean a clean machine.

Please do not run combofix on your own. It’s a very powerful tool and can create problems should things go wrong.

Please read through these instructions before running this next tool.

Do not use delete if offered as an option. Use skip instead when running this next tool.

Download the latest version of TDSSKiller from here and save it to your Desktop.

[*]Double-click on TDSSKiller.exe to run the application, then click on Change parameters.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_1.jpg

[*]Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_2.jpg

[*]Click the Start Scan button.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_3.jpg

[*]If a suspicious object is detected, the default action will be Skip, click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_4.jpg

[*]If malicious objects are found, they will show in the Scan results and offer three (3) options.
[*]Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_5.jpg

[*]Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

A report will be created in your root directory, (usually C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste its contents on your next reply.

I tried to copy and paste here but it was over the allowed character limit.

Hi Katara,

Please locate the copy of combofix you now have. Right click it and click delete.

Download ComboFix from one of these locations:

Link 1

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs

[*]Right click on ComboFix.exe, click Run as Administrator & follow the prompts.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click ComboFix’s window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer’s settings, including making IE the default browser.
3. If after running ComboFix you receive a message “Illegal operation attempted on a registry key that has been marked for deletion” or similar, reboot the computer.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Please post back with the combofix log.

Thanks

Here is the ComboFix log.
Thank you for your help.

I just realized that windows defender was on. I’m sorry I didn’t even know I had it. Should I turn it off and redo the combo fix?

Hi Katara,

No that’s fine.

Please download Farbar Service Scanner and save it to your desktop.
[*]Double-click the program to run it.
[*]Check all the boxes.
[*]Press “Scan”.
[*]It will create a log (FSS.txt) in the same directory the tool is run from.
[*]Please copy and paste the log to your reply.

Next

Please rerun TDSSKiller with the same settings as before. Do not delete anything if offered that option; use skip instead.

Please post back with
[*]FSS log
[*]TDSSK log

How’s the computer?

Good morning, here are the scan logs you requested. The computer seems to be running much better, no malicious URL warnings and it's running at about 8% rather than 80%. Thanks again for your help.

Hi Katara,

Please rerun TDSSKiller. When presented with this line, use the drop-down menu and select Delete.

10:24:03.0197 4504 \Device\Harddisk0\DR0 ( TDSS File System )

Next

You have this program installed, Malwarebytes’ Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM

[*]Click the Update tab
[*]Click Check for Updates
[*]If an update is found, it will download and install the latest version.
[*]The program will close to update and reopen.
[*]Once the program has loaded, select “Perform Quick Scan”, then click Scan.
[*]The scan may take some time to finish, so please be patient.
[*]When the scan is complete, click OK, then Show Results to view the results.
[*]Make sure that everything is checked, and click Remove Selected.
[*]When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
[*]The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
[*]Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

One more scan to check our handiwork.

As a Vista/Win7 user you will need to right click your browser icon and select “Run as Administrator” in order to run this scan.
[*]Do not use this instance of your browser for anything besides doing this scan
[*]When the scan is complete and the results saved, close that instance of your browser
[*]Open a new one the usual way and post the results in this topic.

*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don’t go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.

Go here to run an online scanner from
ESET

(Note: You can use Internet Explorer or FireFox for this scan. If you use FireFox you will be asked to install an additional component. Please allow this.)

[*]Tick the box next to YES, I accept the Terms of Use.
[*]Click Start
[*]When asked, allow the activex control to install
[*]Disable your Antivirus software. You can usually do this with its Notification Tray icon near the clock
[*]Click Start
[*]Make sure that the option “Remove found threats” is Unchecked, and the option “Scan unwanted applications” is Checked.
[*]Click Scan.
[*]Wait for the scan to finish.
[*]When the scan completes, click List of found threats
[*]click Export to Text file and save the file to your desktop using a unique name, such as ESETScan.
[*]Include the contents of this report in your next reply

Note - when ESET doesn’t find any threats, no report will be created.

[*]Push the back button.
[*]Push Finish
[*]Re-enable your Antivirus software.

Please post back with
[*]MBAM log
[*]ESET log if there was one.
Any problems?

Hi, the computer seems to be working well. Here are the logs.

Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.05.06

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Gonzales :: GONZALES-PC [administrator]

Protection: Disabled

8/5/2012 10:29:01 AM
mbam-log-2012-08-05 (10-29-01).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 210272
Time elapsed: 3 minute(s), 46 second(s)

Memory Processes Detected: 1
C:\Users\Gonzales\AppData\Local\Temp\0.9297217385721452 (Trojan.Agent.BRVGen) → 4564 → Delete on reboot.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\Gonzales\AppData\Local\Temp\0.9297217385721452 (Trojan.Agent.BRVGen) → Delete on reboot.

(end)

Hi Katara,

The ESET scan just showed some files we have quarantined already; they will be removed when we remove the tools.

[QUOTE]Please rerun TDSSKiller. When presented with this line, use the drop-down menu and select Delete.

10:24:03.0197 4504 \Device\Harddisk0\DR0 ( TDSS File System )
[/QUOTE]
Did you do this part? I forgot to ask for the log.

Let’s make sure that MBAM did remove the file it detected. We’ll clean up the tools after you post back.

Next, Double click on OTL.exe
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following
[*]Do Not copy the word CODE
[*]please note the fix starts with the :

:Services

:Files
C:\Users\Gonzales\AppData\Local\Temp\0.9297217385721452

:Commands
[emptytemp]
[createrestorepoint]

Then click the Run Fix button at the top

[*]Let the program run unhindered
[*]Please save the resulting log to be posted in your next reply.

Please post the OTL log.

Hi, this is the OTL log. I also attached the TDSS log from yesterday. I did delete the file you told me to delete.

All processes killed
========== SERVICES/DRIVERS ==========
========== FILES ==========
File\Folder C:\Users\Gonzales\AppData\Local\Temp\0.9297217385721452 not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 56502 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Gonzales
->Temp folder emptied: 45893 bytes
->Temporary Internet Files folder emptied: 16933615 bytes
->Java cache emptied: 31731523 bytes
->FireFox cache emptied: 83223317 bytes
->Google Chrome cache emptied: 73826242 bytes
->Flash cache emptied: 567 bytes

User: Public
->Temp folder emptied: 0 bytes

User: UpdatusUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 56502 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 259456 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 7264 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 168250757 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 357.00 mb

Restore point Set: OTL Restore Point

OTL by OldTimer - Version 3.2.55.0 log created on 08062012_084757

Files\Folders moved on Reboot…
C:\Users\Gonzales\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
File move failed. C:\Windows\temp_avast_\Webshlock.txt scheduled to be moved on reboot.

PendingFileRenameOperations files…
File C:\Users\Gonzales\AppData\Local\Temp\FXSAPIDebugLogFile.txt not found!
[2012/08/06 08:58:01 | 000,000,000 | ---- | M] () C:\Windows\temp_avast_\Webshlock.txt : Unable to obtain MD5

Registry entries deleted on Reboot…

Hi Katara,

I do believe you are good to go.

We’ll clean up the tools now.

From your desktop, please delete, if present
[*]any notepads/logs that we created
[*]aswMBR
[*]TDSSKiller
[*]Farbar Service Scanner
You can also delete the TDSSK logs “C:\TDSSKiller.[Version][Date][Time]_log.txt” as well as the TDSSK quarantined folder, C:\TDSSKiller_Quarantine

Next

Click the Start button. Copy and paste the following line into the search box and click OK


Combofix /uninstall

Next

Open OTL then click the Clean Up button. You may get prompted by your firewall that OTL wants to contact the internet - allow this. A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will do some clean up tasks and delete some of the tools you have downloaded plus itself.

I suggest you keep MBAM. Keep it updated and use it regularly.

Updates

Your java is out of date. Click your start button > Control Panel
[*]Use the drop down menu beside view by and change it to small icons
[*]locate java (32bit) in the list and click on it
[*]when the java console opens click the update tab
[*]Click update now
Decline any other installs that may be offered.

Next, clear the java cache

To clear the Java Plug-in cache:
[*]Click Start > Control Panel.
[*]Double-click the Java icon in the control panel.
[*]On the General tab, Click Settings under Temporary Internet Files.
[*]On the Temporary Files Settings screen, Click Delete Files.
[*]check all boxes
[*]Click OK

Some Recommendations and prevention tips

Basic security consists of 1 antivirus program, 1 resident antispyware program, 1 on-demand antispyware program and a firewall. You now have those, provided you are using a firewall. Windows 7 has a built-in firewall which is pretty good when set up. You can find some very good information HERE .

You should also use Spyware Blaster to help immunize your computer.

  • SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

OR

A guide to understanding and using the hosts file.

Learn how your Hosts file can protect you and how you can protect it.
Besides the Hosts file information, there are links to a very good updated hosts file, a hosts file manager, and some programs that can protect your hosts file.
HOSTS

Please read the info on disabling the DNS Client before installing a custom hosts file.

-Secure your Internet Explorer

From within Internet Explorer click on the Tools menu and then click on Options.
[*]Click once on the Security tab
[*]Click once on the Internet icon so it becomes highlighted.
[*]Click once on the Custom Level button.
[*]Change the Download signed ActiveX controls to Prompt
[*]Change the Download unsigned ActiveX controls to Disable
[*]Change the Initialize and script ActiveX controls not marked as safe to Disable
[*]Change the Installation of desktop items to Prompt
[*]Change the Launching programs and files in an IFRAME to Prompt
[*]Change the Navigate sub-frames across different domains to Prompt
[*]When all these settings have been made, click on the OK button.
[*]If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

  • Make sure you have reset Windows Updates to your chosen option. Click your start button > Control Panel > System > Windows updates (lower left) > change settings

  • Keep your antivirus program updated, as well as any other security programs you have.

-More tips and programs can be found HERE

Please post back if you have any problems.

Take care

I can’t thank you enough!!! Thank you so much for your time! ;D

Hi Katara,

My pleasure, glad to have been able to help and you are more than welcome.

Take care.