Triple Viruses: Malware-gen, Sirefef-A, and Downloader-PKU

Hello everyone!

Three days ago, I downloaded this stupid program that included Babylon Search. Ever since, I have been plagued with viruses. I’ve used Norton Internet Security, CCleaner, Search and Destroy, Malwarebytes, and now Advast Antivirus. I’ve done full system scans and other miscellaneous scans with no success. Every time I think I got the virus(es) out of my system and restart my laptop, I get the dreaded “Detected virus” pop-up as soon as I’m logged into my account.

According to Advast, I have Malware-gen, Downloader-PKU, and Sirefef-A. I’m so distressed about this and unfortunately do not have the re-boot/recovery CD that originally came with my laptop. Any help would be greatly appreciated. Thank you! :slight_smile: Attached are my logs.

P.S. Since I do have “sirfef” as well, I’m including the farbar service scanner log as well. Thank you in advance. A good weekend to all.

malware removers are notified. it may take hours before one arrive so be patient

Thank you for that immediate update. :slight_smile: I have all the patience in the world. I have been trying to battle this one out on my own for the past three days, so I can most certainly wait. Thank you for your assistance. 8)

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL
IE - HKU\S-1-5-21-51124437-1587450825-3072365709-1000\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/?q={searchTerms}&affID=109597&tt=3212_1&babsrc=SP_ss&mntrId=4da068f000000000000000ff9aad576a
IE - HKU\S-1-5-21-51124437-1587450825-3072365709-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 61.54.82.130:808
[2012/08/08 11:24:34 | 000,002,349 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\babylon.xml

:Reg
[HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32]
""="%systemroot%\system32\wbem\wbemess.dll"
[-HKCU\Software\Classes\clsid\{12d0253a-7c96-815c-11e0-3034bbd97cc0}]

:Files
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}
C:\Users\Isaac\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}
ipconfig /flushdns /c
netsh int ip reset c:\resetlog.txt /c
ipconfig /release /c
ipconfig /renew /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

FINALLY

Re-run FSS and attach the log please

I’m so sorry, but I need your help. I tried running ComboFix after disabling Norton Internet Security and Advast, but it prompted me that Norton Antivirus was still running. I disabled both Smart Firewall and Antivirus Auto-Protect for NIS. :frowning: I tried to do CTRL-ALT-DELETE to manually turn off NIS and ComboFix closed in the process. You said not to re-run ComboFix and to consult with you. What should I do?

I did do the OTL as you instructed (with the reboot and QuickScan) and that log is attached. Sorry for messing up the ComboFix! :frowning:

No problem, accept the ComboFix warnings but do not allow anything to be deleted or quarantined… You really should only have one AV.

I know, I started with Norton Internet Security first. When it failed to remove the viruses, I googled and heard rave reviews about Advast. I’ll remove Norton Internet Security straight away and will do the ComboFix thereafter. Thanks so much for all your patience and help. You are awesomeness!

so you have avast and Norton installed :slight_smile:

never install multiple AV… as this will give you…a slower machine / mysterious windows errors / false positive detections…
so uninstall one, and then run the removal tool to clear any leftover files that may conflict http://singularlabs.com/uninstallers/security-software/

I googled and heard rave reviews about Advast
and why do you keep calling it advast ? the name is a v a s t ;D

'Cos it adds vastly to your protection silly ;D ;D

ahaaa…forgot that ;D

I apologize for the delay AND for the typo! :slight_smile: I’m not familiar with Avast and just recently became introduced to it. I uninstalled NIS and ran the ComboFix. I am no longer able to use Firefox or Internet Explorer for some reason (“Illegal operation attempted on a registry key that has been marked for deletion”). I had to save the log on a USB and am posting the log on another uninfected computer. Thanks again. :slight_smile:

("Illegal operation attempted on a registry key that has been marked for deletion")
restart the computer one more time...should fix it

Thank you for both your help!!! It means so much. I will restart right now! :smiley:

Edit: Firefox and Internet Explorer are both working now!!! :slight_smile: Thank you for the restart tip, Pondus! ;D

Could you attach the combofix log please and the re-run of FSS

Also how is the computer behaving ?

My computer is acting normal!! :slight_smile: No constant pop-ups from A-V-A-S-T (:D) about trojans. :slight_smile: I’m doing the FSS right now. Attached is the log from ComboFix. I have to leave for church in a few but will post the log for the FSS before I leave. Thank you most sincerely for your help. You are magic! 8)

Well, goodness, that was quick. The FSS log is attached below. :slight_smile: I’ll be back later. Thank you so so so so so much!!! ;D

The FSS report will tell me if any repairs are needed, but so far looks good

Thank you! :slight_smile: I’m back now.

You have such a wonderful gift and talent with this; I am truly amazed and humbled. If you haven’t noticed, I’m not a very techy person. I love technology and cannot do without it, but with issues like this, it all appears to me as a second language. :slight_smile:

I do have two questions (feel free to answer at your leisure – no rush).

My first question is, how come NIS and AVAST failed to rectify this issue? Were these triple trojans an advanced virus?

And second: Am I now possibly disease/virus free? That is, have they been completely removed and can I have my peace?

Thank you both so much; especially essexboy! :slight_smile: If you are from Essex, U.K., Americans LOVE Sophia Grace and Rosie, as well as Russell Brand. I believe all three are from Essex!

I sincerely appreciate your amazing help and assistance. You are a true doctor! Thank you for the cure. :wink: :smiley:

There are no AVs at this time that can stop this from installing, as the dropper is changing on an almost hourly basis

But Avast will stop it from doing further damage

Once you have run this small registry fix then all should be well, but let me know as we have to remove the tools and tidy up

So let’s get at it

Any problems with this then just shout

From the link below download bits.zip to your desktop
https://dl.dropbox.com/u/73555776/BITSVista.zip
Double click the zip file to open
Then extract the reg file to your desktop
Double click the reg file
Accept the warnings
Reboot

Once rebooted could you try windows updates please
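A read-only triage script, added here as an example and not part of the thread or of the OTL, ComboFix or FSS tools: it re-checks the registry locations and folders the OTL fix above rewrites, and the services the BITS fix and the Windows Update step depend on, and reports anything that differs from the expected clean state. All cmdlets are standard PowerShell; the pairing of same-named GUID folders in step 4 is an assumption drawn from the two paths in the fix, not a check the tools perform.

```powershell
# Added triage script, not from the thread or from OTL/ComboFix/FSS.
# It re-reads the locations the OTL fix and the BITS fix above touch and reports
# anything that differs from the expected clean state. Assumes PowerShell 3+ and
# that it runs as the affected user (HKCU); it changes nothing.
$findings = @()

# 1. Proxy the fix removes: any ProxyServer value under the user's Internet Settings
$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$inet = Get-ItemProperty -Path $inetKey -ErrorAction SilentlyContinue
if ($inet -and $inet.ProxyServer) {
    $findings += "ProxyServer set: $($inet.ProxyServer) (ProxyEnable=$($inet.ProxyEnable))"
}

# 2. IE search scopes whose URL points at babylon.com, like the SearchScopes entry removed above
$scopes = 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes'
if (Test-Path $scopes) {
    foreach ($scope in Get-ChildItem -Path $scopes) {
        $url = (Get-ItemProperty -Path $scope.PSPath -ErrorAction SilentlyContinue).URL
        if ($url -match 'babylon\.com') { $findings += "SearchScope $($scope.PSChildName) -> $url" }
    }
}

# 3. The WMI CLSID the fix resets: its InprocServer32 default should point at wbemess.dll
$clsid = 'Registry::HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32'
if (Test-Path $clsid) {
    $dll = (Get-ItemProperty -Path $clsid -ErrorAction SilentlyContinue).'(default)'
    if ($dll -notmatch 'wbem\\wbemess\.dll$') { $findings += "WMI CLSID InprocServer32 -> '$dll'" }
}

# 4. The fix deleted a folder with the same {GUID} name under both Windows\Installer and the
#    user's AppData\Local. GUID folders are normal in Installer alone, so flag only the pair
#    (assumption: a matching pair is worth a look, not proof of infection).
$guidName = '^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$'
$inLocal = Get-ChildItem -Path $env:LOCALAPPDATA -Directory -Force -ErrorAction SilentlyContinue |
           Where-Object { $_.Name -match $guidName } | ForEach-Object { $_.Name }
foreach ($name in $inLocal) {
    if (Test-Path (Join-Path "$env:SystemRoot\Installer" $name)) {
        $findings += "Same GUID folder in AppData\Local and Windows\Installer: $name"
    }
}

# 5. Services Windows Update needs (the BITS fix and the FSS log both concern these)
foreach ($svc in 'BITS', 'wuauserv') {
    $s = Get-WmiObject -Class Win32_Service -Filter "Name='$svc'" -ErrorAction SilentlyContinue
    if (-not $s) { $findings += "Service missing: $svc" }
    elseif ($s.StartMode -eq 'Disabled') { $findings += "Service disabled: $svc" }
}

if ($findings) { $findings | ForEach-Object { "FLAG: $_" } } else { 'No indicators from the fix script found.' }
```

Run it after the reboot that follows the fix; a clean machine prints the single closing line, and any FLAG line names the exact key, folder or service to look at before posting the next log.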

Sorry for the late response. I have downloaded the bits.zip and did as you instructed. I’m currently doing the Windows update and it is installing Windows Vista Service Pack 2 at the moment. :slight_smile: Will update with the final outcome. Thank you SO much! :slight_smile:

And lastly, I just wanted to make sure I understood you correctly. There are no anti-virus systems that can stop these trojans from installing, so therefore, these trojans are still present on my laptop? However, Avast will prevent the trojans from doing any further damage? Am I understanding this correctly? So there is no absolute “cure” for these viruses, but with all your amazing help, Avast will keep the viruses from doing any additional damage? I’m sorry if this sounds stupid and redundant. I’m just not technically gifted as many on this forum. :o

Edit: I have successfully completed Windows update. :slight_smile: If you need any updated logs or information, please do let me know. Again, I really appreciate all your help. Have a wonderful day. :smiley: