infected computer is vista 64 bit / home premium
please see attached pictures of the problem
also, I’ve seen mentions of sirefef.b … [windows defender] but it is unable to remove it [reports an unspecified error during ]
HOW DO I GET OTL? Where can i install it from? What are the first steps that i need to take in OTL to produce the initial log and post it here?
welcome to the forum.
follow this guide and a malware expert will help you from there. it might take a few hours.
attached are all the logs
please take note that even though mbam removed some stuff, it appears that they’ve reinstalled themselves again after restart…
kindly please send me further instructions?
I see you have used everything bar the kitchen sink
The first run will stop the alerts, and combofix will replace a file and do some repairs
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
https://dl.dropbox.com/u/73555776/OTL_Fix.GIF
:OTL
O2:64bit: - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
O4 - HKU\.DEFAULT..\RunOnce: [] File not found
O4 - HKU\S-1-5-18..\RunOnce: [] File not found
O4 - HKU\S-1-5-19..\RunOnce: [] File not found
O4 - HKU\S-1-5-20..\RunOnce: [] File not found
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
O33 - MountPoints2\{5f5fd5a7-fe01-11de-8d43-001f16d8a79d}\Shell\1\Command - "" = F:\Recycle.exe
O33 - MountPoints2\{5f5fd5a7-fe01-11de-8d43-001f16d8a79d}\Shell\2\Command - "" = F:\Recycle.exe
[2012/07/30 18:30:08 | 000,000,000 | ---D | C] -- C:\4807d56047ac3347f6
[2011/02/07 19:47:26 | 000,000,120 | ---- | C] () -- C:\Users\arlene\AppData\Local\Wjidoqocefuwejat.dat
[2011/02/07 19:47:26 | 000,000,000 | ---- | C] () -- C:\Users\arlene\AppData\Local\Umolapuhidonokec.bin
:Files
ipconfig /flushdns /c
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}
C:\Users\arlene\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}
:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1
Link 2
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
- IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow it to update if it asks
http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png
http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.
Notes:
- Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
- Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
- If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now
i’m sorry about the sluggish reply; i had to take a relative to the hospital…
after i ran the OTL fix it finished, rebooted the system by itself and generated a log - THAT’S THE FIRST ATTACHMENT
then I pressed quick scan in OTL but while waiting I also started the ComboFix steps - I know that was stupid because ComboFix stopped OTL’s quick scan function… but i didn’t dare touch ComboFix while running…
Anyway, midway ComboFix reminded me that I didn’t disable avast, so I clicked in Avast - disable until the system is restarted
after ComboFix finished, it must have restarted itself (i was not at the computer) because I had to log into Windows again. After I logged back into Windows ComboFix did some other things and finally it spit out a log - THAT’S THE SECOND ATTACHMENT
NOTE: Avast has now disappeared from system tray and I haven’t restarted the system yet, so I don’t know if it is going to come back on after I restart windows. After I saved the ComboFix log I immediately went back to OTL and pressed the Quick Scan button again - THAT’S THE THIRD ATTACHMENT.
Sorry for all this trouble that i caused…
overall the system appears to be running about the same. maybe slightly faster…
PS - I rebooted the system after above post, and Avast definitely doesn’t start… Removed Avast through revo uninstaller tool, and reinstalled avast. reboot, and avast back on again. NOTE: avast does NOT appear to be making any notifications about any Win32:malware-gen and Win32:downloader-PKU; anymore. but i remember seeing combofix saying that services.exe is infected, so we still have ways to go, right?
This should be the last malware removal bit, then we will proceed to the repair stage
- Close any open browsers.
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Open notepad and copy/paste the text in the quotebox below into it:
FCopy::
C:\Windows\SoftwareDistribution\Download\61da130e21aad3387c2fa3ca1d469de3\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe|c:\windows\system32\Services.exe
Save this as CFScript.txt, in the same location as ComboFix.exe
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt, which I will require in your next reply.
Notes:
- Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
- Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
- If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
THEN
https://dl.dropbox.com/u/73555776/FSS.GIF
Tick “All” options.
Press “Scan”.
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.
Farbar Service Scanner Version: 26-07-2012
Ran by arlene (administrator) on 02-08-2012 at 13:41:30
Running from “C:\Users\arlene\Desktop”
Microsoft® Windows Vista™ Home Premium Service Pack 1 (X64)
Boot Mode: Normal
Internet Services:
Connection Status:
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.
Windows Firewall:
Firewall Disabled Policy:
System Restore:
System Restore Disabled Policy:
Security Center:
Windows Update:
Windows Autoupdate Disabled Policy:
Windows Defender:
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.
Other Services:
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is set to Auto
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.
File Check:
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcsvc.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys
[2010-08-11 16:53] - [2010-06-16 16:28] - 1414544 ____A (Microsoft Corporation) D43D5336BE9DD93E02EE124297295713
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll
[2010-08-11 16:53] - [2010-06-16 15:39] - 0458240 ____A (Microsoft Corporation) B66AEBF3B7073473468B941629242FBD
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll
[2009-10-20 20:51] - [2009-08-06 19:24] - 2424024 ____A (Microsoft Corporation) FB3796754FE00F0BDC87A36F164A5F4D
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\ipnathlp.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
**** End of log ****
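The FSS output above is easy to skim for one machine, but the lines that need a human's attention are the files whose MD5 FSS could not confirm (each followed by a timestamp/size/hash detail line instead of "MD5 is legit") and the services that are stopped or whose start type differs from the default. The following Python parser is an added example, not part of this thread nor of Farbar's tool; it runs over constructed sample lines copied from the log above and returns just those entries.

```python
import re
from dataclasses import dataclass
# Constructed sample: lines copied from the FSS log posted in this thread.
SAMPLE_LOG = [
    "WinDefend Service is not running. Checking service configuration:",
    "The start type of WinDefend service is set to Demand. The default start type is Auto.",
    "sharedaccess Service is not running. Checking service configuration:",
    "The start type of sharedaccess service is set to Auto",
    "File Check:",
    r"C:\Windows\System32\nsisvc.dll => MD5 is legit",
    r"C:\Windows\System32\Drivers\tcpip.sys",
    "[2010-08-11 16:53] - [2010-06-16 16:28] - 1414544 ____A (Microsoft Corporation) D43D5336BE9DD93E02EE124297295713",
    r"C:\Windows\System32\dnsrslvr.dll => MD5 is legit",
    r"C:\Windows\System32\bfe.dll",
    "[2010-08-11 16:53] - [2010-06-16 15:39] - 0458240 ____A (Microsoft Corporation) B66AEBF3B7073473468B941629242FBD",
    "**** End of log ****",
]
STOPPED_RE = re.compile(r"^(\S+) Service is not running")
START_RE = re.compile(r"^The start type of (\S+) service is set to (\w+)(?:\. The default start type is (\w+))?")
# FSS prints this timestamp/size/hash line only for files whose MD5 is not in its known-good list.
DETAIL_RE = re.compile(r"^\[[\d: -]+\] - \[[\d: -]+\] - (\d+) \S+ \((.*?)\) ([0-9A-F]{32})$")

@dataclass
class Finding:
    kind: str     # service_stopped | start_type_changed | md5_unverified
    subject: str  # service name or file path
    detail: str

def parse_fss(lines):
    """Return the entries of an FSS log that deserve manual follow-up."""
    findings, pending, in_file_check = [], None, False
    for line in (l.strip() for l in lines):
        if line == "File Check:":
            in_file_check = True
        elif not in_file_check:
            if m := STOPPED_RE.match(line):
                findings.append(Finding("service_stopped", m.group(1), line))
            elif (m := START_RE.match(line)) and m.group(3) and m.group(2) != m.group(3):
                findings.append(Finding("start_type_changed", m.group(1), f"set to {m.group(2)}, default {m.group(3)}"))
        elif line.startswith("****"):
            break
        elif line.endswith("=> MD5 is legit"):
            pending = None  # hash matched FSS's known-good list
        elif (m := DETAIL_RE.match(line)) and pending:
            findings.append(Finding("md5_unverified", pending, f"{m.group(3)} ({m.group(2)}, {m.group(1)} bytes)"))
            pending = None
        elif line:
            pending = line  # path line; its detail line follows
    return findings
```

An unverified MD5 is not proof of infection (tcpip.sys and bfe.dll here carry Microsoft's own later hotfix versions), but those are the hashes to look up before trusting the file.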
How is the computer now any problems ?
after a reboot - it seems like it is working pretty good! ;D
what else do we need to do?
PS #1 nope, on second thought - when i ran the aswMBR.exe and pressed on scan, and then in about 20-30 min into the scan the screen goes completely black and the system is still working, but non-responsive with the black screen. the only way is to hold the power button and restart… I don’t know if it is related to aswMBR.exe scanning combofix.exe? because other than that the system doesn’t seem to go into black screen mode.
PS#2 windows updates installed vista service pack 2 just right now… also when i click on windows defender - it gives the attached error message… windows defender was working fine before we started this whole process…
PS #3 after i ran this services repair from this link [found it on ESET website] http://kb.eset.com/library/ESET/KB%20Team%20Only/Malware/ServicesRepair.exe
windows defender is running fine again, and it seems the system is running faster…
The problem with Defender is that it was set to Demand rather than Auto; I did not change that, as some people leave it turned off
Still running good ?
yes, after i did the ESET services fix even the aswMBR.exe scan doesn’t go into black screen anymore but finished the entire scan and did not report any viruses anymore (before we started this it reported two instances of sirefef rtk)
anyway, google chrome is a little sluggish on start-up compared to IE explorer, but i don’t know if that can be fixed or not…
yes, it runs good. Do we need to go to next steps now?
OK, let’s remove my bits and bobs… This will clear all temp files, so Chrome may speed up
Subject to no further problems
I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems
Now the best part of the day ----- Your log now appears clean
A good workman always cleans up after himself, so… The following will implement some cleanup procedures as well as reset System Restore points:
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:Commands
[resethosts]
[emptytemp]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
Remove ComboFix
- Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
- In the Run box, type in ComboFix /Uninstall (Notice the space between the “x” and “/”) then click OK
http://i1224.photobucket.com/albums/ee362/Essexboy3/Misc%20screen%20shots/CF_Uninstall-1.jpg
- Follow the prompts on the screen
- A message should appear confirming that ComboFix was uninstalled
Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.
We will now confirm that your hidden files are set back to hidden, as some of the tools I use will change that
- Go to Control Panel
- Select Folder Options (Appearance > Folder Options in category view)
- Select the View tab.
- Under the Hidden files and folders heading select Do not show hidden files and folders.
- Click Yes to confirm.
- Click OK.
http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version of Java components and upgrade the application.
Upgrading Java:
- Go to this site and click Do I have Java
- It will check your current version and then offer to update to the latest version
SPRING CLEAN
To manually create a new Restore Point
- Go to Control Panel and select System
- Select System
- On the left select System Protection and accept the warning if you get one
- Select the System Protection tab
- Select Create at the bottom
- Type in a name, i.e. Clean
- Select Create
Now we can purge the infected ones
- Go to Start > All Programs > Accessories > System Tools
- Right click Disk Cleanup and select Run as administrator
- Select your main drive and accept the warning if you get one
- For a few moments the system will make some calculations
- Select the More Options tab
- In the System Restore and Shadow Backups section select Clean up
- Select Delete on the pop up
- Select OK
- Select Delete
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
http://img233.imageshack.us/img233/7729/mbamicontw5.gif
Malwarebytes. Update and run weekly to keep your system clean
Download and install FileHippo update checker and run it monthly it will show you which programmes on your system need updating and give a download link
It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit
To learn more about how to protect yourself while on the internet, read our little guide How did I get infected in the first place?
Keep safe