Win32:Sirefef-BTT[Trj] virus on an ancient pc - is there any hope?!!

Win32:Sirefef-BTT(Trj) Virus on my really old pc…is there any hope?!!

« Reply #16 on: Today at 08:07:24 PM »


:o

Hi all

I’m also having a similar problem to Vulpicurious. I fear I’ve actually made things worse by my lack of knowledge and my general impatience! I’m currently running ComboFix so I’ll let you know how it turns out. My PC is absolutely ancient - I believe around 8 years old actually but it’s been a great system and despite my using and abusing it with multiple downloads it’s continued to serve me well - until now. I fear my old pal will be heading for the bin. Do you think there’s any hope for me to fix it?!!

I do have a laptop which I’m currently using to type this so it’s not all bad. I’m just stubborn and don’t want to bin my old faithful!

Any thoughts?!!

Hi,

I'm currently running ComboFix
Hm... bad choice to run CF unsupervised... Post the CF log here.

THEN

Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

[*]Double-click to run it. When the tool opens click Yes to disclaimer.
[*]Under Optional Scan ensure “List BCD” and “Driver MD5” are ticked.
[*]Press Scan button.
[*]It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
[*]The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

THEN…

Please download GMER, the AntiRootKit tool from the link below and save it to your Desktop:

Gmer download link
Note: file will be random named

Double-click to run GMER.

[*]Wait for initial scan to finish - if there is any query, click No;
[*]Click [ Scan ] button and wait until the full scan is complete;
[*]Click [ Save … ] button - save the report to the Desktop (named ARK );

Please attach GMER's log report (ARK.txt) here.

Thanks. I’ve attached the ComboFix Log.

Please find attached the Farbar recovery scan logs:-

I really appreciate your help and support.

L

Here is the GMER scan log…it’s too big so I’ve split it into 2 - hope that’s ok

GMER file pt 2

Hi,
Mistakes that are made by running ComboFix:

CF has not been run from Desktop:

Running from: J:\ComboFix.exe
You have just created a shortcut, by mistake or intentionally:
C:\Documents and Settings\Leonna\Desktop\Shortcut to ComboFix.exe.lnk
Drive c: () (Fixed) (Total:228.11 GB) (Free:58.13 GB) NTFS ==>[Drive with boot components (Windows XP)]
Drive j: (KINGSTON) (Removable) (Total:0.48 GB) (Free:0.47 GB) FAT
===============================

Your system is in a disastrous state. You need to stay with me to the end until we fix your computer.

Multiple Antivirus Programs

You are running more than 1 Antivirus program!

Running - more than one - antivirus program is not recommended because:
[*]They can conflict with each other.
[*]Report the other antivirus software as malicious.
[*]Antivirus programs use an enormous amount of the computer’s resources when actively scanning your computer.
[*]They can cause your computer to become unstable, run slowly and even, in rare cases, crash with a BSOD, etc.
I strongly suggest you uninstall one of them. Which one, is your decision.

=> Visit this website to download the AppRemover tool:
http://www.appremover.com/

Follow the video from the site, run this tool, and remove any found remainder of a previously installed antivirus. Do not uninstall avast.

------ Next -------

  1. Delete the old ComboFix (drag & drop into the Recycle Bin) and delete the copy from your flash drive.
  2. Download a new, fresh ComboFix copy and save it to your Desktop:
    http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Running ComboFix via CFScript:

Open notepad and copy/paste the text present inside the code box below:

FileLook:: c:\windows\system32\dllcache\hidparse.sys

DirLook::
C:\45fb849343a6770bb2587b863f62

KillAll::

File::
C:\Windows\assembly\GAC\Desktop.ini
C:\Documents and Settings\Leonna\hpothb07.dat
C:\Documents and Settings\LocalService\hpothb07.dat

Folder::
c:\docume~1\Leonna\LOCALS~1\APPLIC~1\Google\Desktop\Install
c:\program files\Google\Desktop\Install
c:\program files\AskPartnerNetwork
C:\Program Files\Web Assistant

ClearJavaCache::

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“ApnTBMon”=-

Driver::
APNMCP

DDS::
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML

RegNull::
[HKEY_USERS\S-1-5-21-3356611892-1797742675-451484230-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@=“FlashBroker”
“LocalizedString”=“@c:\WINDOWS\system32\Macromed\Flash\FlashUtil32_11_9_900_117_ActiveX.exe,-101”
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
“Enabled”=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@=“c:\WINDOWS\system32\Macromed\Flash\FlashUtil32_11_9_900_117_ActiveX.exe”
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@=“{FAB3E735-69C7-453B-A446-B6823C6DF1C9}”
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@=“IFlashBroker5”
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@=“{00020424-0000-0000-C000-000000000046}”
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@=“{FAB3E735-69C7-453B-A446-B6823C6DF1C9}”
“Version”=“1.0”

Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and refer to the picture above.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt)

------ Next -------

Download TDSSKiller and save it to your desktop

Execute TDSSKiller.exe by double-clicking on it.
Confirm “End user Licence Agreement” and “KSN Statement” dialog box by clicking on Accept button.

[*] Press Start Scan
[*] If Suspicious object is detected, the default action will be Skip, click on Continue.
[*] If Malicious objects are found, select Cure.

Once complete, a log will be produced in the root of the system drive, which is typically C:\ , for example C:\TDSSKiller.<version_date_time>log.txt

Please post the contents of that log in your next reply.

------ Next -------

Re-run FRST, just press the [ Scan ] button and attach a fresh FRST.txt log report here.

Thanks Magna86. Followed your last instructions - please find attached relevant logs…

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system


START
File: c:\45fb849343a6770bb2587b863f62\mrtstub.exe
SearchScopes: HKLM - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://www.searchqu.com/web?src=ieb&appid=102&systemid=406&sr=0&q={searchTerms}
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKCU - {171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E} URL = 
SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = 
SearchScopes: HKCU - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = 
BHO: No Name - {02478D38-C3F9-4efb-9B51-7695ECA05670} -  No File
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
CHR HKLM\...\Chrome\Extension: [dlnembnfbcpjnepmfjmngjenhhajpdfd] - C:\Program Files\Web Assistant\source.crx
C:\Program Files\Web Assistant
C:\Windows\assembly\GAC\Desktop.ini
C:\Documents and Settings\Leonna\hpothb07.dat
C:\Documents and Settings\LocalService\hpothb07.dat
END


2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.

--------- Next ----------

Once again we shall use FRST for additional checks. Re-run FRST/FRST64 by double-clicking:

[*]Type AFGMp50.sys into the Search: field in FRST then click the Search File(s) button.
[*]FRST will search your computer for files and when finished it will produce a log Search.txt in the same directory the tool is run.
[*]Please attach it to your reply.

Thanks again Magna 86 - please find attached the last logs as per your last instructions.

Looks good. One final script, and then we shall check with the FSS tool whether all services are running well.

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system


START
S3 AFGMp50; System32\Drivers\AFGMp50.sys [x]
S3 AFGSp50; System32\Drivers\AFGSp50.sys [x]
END

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.

---------- next -----------

Please download Farbar Service Scanner and run it on the computer with the issue.
[*]Make sure the following options are checked:

[*]Internet Services
[*]Windows Firewall
[*]System Restore
[*]Security Center/Action Center
[*]Windows Update
[*]Windows Defender

[*]Press “Scan”.
[*]It will create a log (FSS.txt) in the same directory the tool is run.
[*]Please copy and paste the log to your reply.
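The two fixlists above are nothing more than lines copied verbatim out of the FRST log (orphaned BHO and toolbar registrations that say "No File", search scopes with an empty or third-party URL, a Chrome extension pushed through the HKLM registry key, and services whose driver file is marked [x] as missing), wrapped in START/END markers. The following script is an added example and is not FRST's code or Magna86's; it reconstructs the line shapes seen in this thread with regular expressions (an assumption: FRST prints many more entry types than these), runs a read-only triage over a constructed sample log, and prints the candidate fixlist so a helper can review it before anything is run on the machine. The KNOWN_SEARCH_HOSTS allowlist and the "Example" entries are made up for the demonstration.

```python
"""Triage FRST log lines of the kinds removed in this thread.

Added example, not part of the thread and not FRST's own code. The line
formats below are reconstructed from the entries quoted in the thread;
real FRST output has many more entry types than these (assumption).
"""
import re
from urllib.parse import urlsplit

# Constructed sample log, modelled on entries quoted in the thread. The
# "Example" lines are invented to show entries that should NOT be flagged.
SAMPLE_LOG = r"""
SearchScopes: HKLM - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://www.searchqu.com/web?src=ieb&appid=102&systemid=406&sr=0&q={searchTerms}
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - {00000000-0000-0000-0000-00000000000A} URL = http://www.bing.com/search?q={searchTerms}
BHO: No Name - {02478D38-C3F9-4efb-9B51-7695ECA05670} -  No File
BHO: Example Helper - {00000000-0000-0000-0000-00000000000B} - C:\Program Files\Example\helper.dll (Example Vendor)
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
CHR HKLM\...\Chrome\Extension: [dlnembnfbcpjnepmfjmngjenhhajpdfd] - C:\Program Files\Web Assistant\source.crx
S3 AFGMp50; System32\Drivers\AFGMp50.sys [x]
S3 AFGSp50; System32\Drivers\AFGSp50.sys [x]
R1 exampledrv; C:\WINDOWS\system32\drivers\exampledrv.sys [12345 2013-01-01] (Example Vendor)
"""

# Example allowlist of search providers that are not worth flagging (assumption).
KNOWN_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com"}

RE_SEARCHSCOPE = re.compile(
    r"^SearchScopes: (?P<hive>HKLM|HKCU) - (?P<clsid>\{[0-9A-Fa-f-]+\}) URL =(?P<url>.*)$")
RE_BHO_TOOLBAR = re.compile(
    r"^(?P<kind>BHO|Toolbar): (?:(?P<hive>HKLM|HKCU) - )?(?P<name>.+?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]+\}) -\s+(?P<path>.*)$")
RE_CHROME_EXT = re.compile(
    r"^CHR (?P<hive>HKLM|HKCU)\\\.\.\.\\Chrome\\Extension: \[(?P<ext_id>[a-p]{32})\] - (?P<path>.*)$")
# Service/driver line: start type, name, image path, then "[size date]" or "[x]" when the file is missing.
RE_SERVICE = re.compile(r"^(?P<start>[SRU]\d) (?P<name>[^;]+); (?P<path>.+?) (?P<tail>\[.*)$")


def triage_line(line):
    """Return (action, reason) for one FRST line, or None if nothing stands out."""
    m = RE_SEARCHSCOPE.match(line)
    if m:
        url = m["url"].strip()
        if not url:
            return ("remove", "search scope with no URL (dead entry)")
        host = urlsplit(url).hostname or "?"
        if host not in KNOWN_SEARCH_HOSTS:
            return ("review", f"search scope points at third-party host {host}")
        return None
    m = RE_BHO_TOOLBAR.match(line)
    if m:
        if m["path"].strip() == "No File":
            return ("remove", f"orphaned {m['kind']} registration, no file on disk")
        return None
    m = RE_CHROME_EXT.match(line)
    if m:
        return ("review", f"Chrome extension {m['ext_id']} installed via the {m['hive']} registry key from {m['path']}")
    m = RE_SERVICE.match(line)
    if m and m["tail"].startswith("[x]"):
        return ("remove", f"service {m['name']} points at a driver file that does not exist")
    return None


def triage(log_text):
    """Run triage_line over every non-empty line; returns a list of (action, reason, line)."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        verdict = triage_line(line)
        if verdict:
            findings.append((verdict[0], verdict[1], line))
    return findings


def build_fixlist(findings):
    """Wrap the 'remove' lines in the START/END markers used by fixlist.txt.
    The lines are copied verbatim from the log, exactly as the thread's fixlists do."""
    body = [line for action, _, line in findings if action == "remove"]
    return "\n".join(["START", *body, "END"]) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for action, reason, line in found:
        print(f"[{action:6}] {reason}\n         {line}")
    print()
    print(build_fixlist(found))
```

On the sample the script flags seven lines: five as candidates for removal (two dead or orphaned IE entries, a toolbar with no file, and the two services with missing drivers) and two for a human to look at (the searchqu.com search scope and the registry-installed Chrome extension). Only the "remove" class goes into the generated fixlist; "review" items stay in the report, since the decision in the thread on those was made by the helper, not by a rule.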

Hi again Magna86,

I’m so grateful for your help. My system is running so much better already! Here are the latest scans as per your instructions

Download this file (RemoteAccess.reg) to your Desktop:
http://wikisend.com/download/593286/RemoteAccess.reg

Run the file, and on the pop-up confirm Yes/OK/Merge to allow the changes into the registry.
Restart your computer and post a fresh FSS.txt so I can see the state of the services.

bump!

Are you still with me?

Hi again Magna 86,

Haven’t had a chance to get back to you due to work commitments. Have downloaded the remote access download. Also please find attached the latest FSS scan.

Thanks again.

:smiley:

Latest FSS log looks good. It is time to remove the tools we used. First we shall use an FRST script to clean its Quarantine folder. Then we shall remove and uninstall ComboFix.
With DelFix we will remove the other used tools and create a fresh restore point, etc.

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system


DeleteQuarantine: 

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.


It is necessary to uninstall ComboFix :

[*] Click Start (or http://amf.mycity.rs/pg/images/VistaStartButton.png ) then Run.

On Windows7 or Vista you may use Start Search field if Run is not available.

[*] In the line of text type in (Copy) the following:

ComboFix /Uninstall

Note that there is a space between " ComboFix " and " /Uninstall " .

[*] then click OK (or press Enter ).

Wait for the uninstall process to complete.


Please download DelFix by “Xplode” to your Desktop.

Run the tool and check the following boxes below;

[*] Remove disinfection tools
[*] Create registry backup
[*] Purge System Restore

Now click on the “Run” button. Wait for the programme to complete its work.
All the tools we used should be gone.
The tool will create and open a log report (DelFix.txt).
Note: The report will also be stored at C:\DelFix.txt


I recommend using MCShield if you wish.
You may download MCShield from one of the following links:

MyCity - Official download link
Softpedija - Mirror download link

It will prevent infection of the computer via USB flash drive, mobile phone or any other memory card.
And not only will it prevent infection, it will immediately clean the flash drive, memory card or external HDD.

Thanks Magna86.

Followed your instructions. GMER.exe is still present on my desktop, but everything else looks as if it’s gone. I’m now having issues with Google as well - whenever I do a google search I just keep getting tab recovered then it fails to display any search results. It only seems to be google - if I type in an address it comes up fine. Have installed MCShield as recommended.

Thank you for your patience - you’ve been amazing.

:slight_smile: