Win64:Sirefef-A [Trj]

Hello avast! forums.

I am in dire need of help because earlier today I was torrenting a file and halfway through the download uTorrent froze on me as well as Firefox. I restarted my computer only to know that my computer got infected with Win64:Sirefef-A [Trj] and Win32:Sirefef-A0 [Rtk] viruses. I am currently on Safe Mode with Networking so my computer won’t freeze on me, and suffering through 800 x 600 resolution :'(. Please get to me soon, I have done all the necessary tests to get the logs and to show and will post them.

It goes in order MALB, OTL, OTL Extras and aswMBR

Malware removers are notified. It may take several hours before one arrives, so be patient.

Helloo, :wink:
I will be working on your Malware issues.

Re-run OTL.exe.

- Copy and paste the following text, written inside the quote box, into the Custom Scans/Fixes box.


:OTL
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]
[10 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

:files
C:\WINDOWS\Installer\{863ba3be-8d84-bdb7-ea9a-050b9526e857}
C:\Documents and Settings\Carlos Ibarra\Local Settings\Application Data\{863ba3be-8d84-bdb7-ea9a-050b9526e857}

:Commands
[CREATERESTOREPOINT]
[emptytemp]
[Reboot]


- Then click the Run Fix button at the top.
- Let the program run unhindered; it will reboot the system when it is done and open Notepad with a log report. Attach that log report here.


Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.

Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this Instruction.

Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note: Do not mouse-click ComboFix's window while it is running.

When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt)
Attach the log report (ComboFix.txt) back to the topic.

I have finished with the OTL scan. Here’s the report. I will do the ComboFix in the meantime

Here’s the ComboFix log.

O boy o boy… :smiley:

Step 1
Go to Control Panel > Add or Remove Programs

We will remove any adware from the computer to make sure.
Uninstall the following:

Elf or Conduit
Dogpile Bundle Toolbar
Ask
Yontoo Layers

Step 2

Open notepad and copy/paste the text present inside the code box below:


Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{22e03916-85c5-44b0-8dc9-1830c11238d9}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BFE4B5CB-63F7-4A51-9266-6167655D5B4F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{22e03916-85c5-44b0-8dc9-1830c11238d9}"=-
"{C80BDEB2-8735-44C6-BD55-A1CCD555667A}"=-
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
[-HKEY_CLASSES_ROOT\clsid\{22e03916-85c5-44b0-8dc9-1830c11238d9}]
[-HKEY_CLASSES_ROOT\clsid\{c80bdeb2-8735-44c6-bd55-a1ccd555667a}]
[-HKEY_CLASSES_ROOT\FCTB000060231.IEToolbar.1]
[-HKEY_CLASSES_ROOT\TypeLib\{CCBDEEA9-517A-4862-B0A1-862AE9532228}]
[-HKEY_CLASSES_ROOT\FCTB000060231.IEToolbar]
[-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000

KillAll::

ClearJavaCache:: 

File::
C:\DOCUME~1\CARLOS~1\LOCALS~1\Temp\naecd.sys

Folder::
C:\Program Files\Elf_1
C:\Program Files\Dogpile Bundle Toolbar
C:\Program Files\Ask.com
C:\Program Files\Yontoo Layers

Driver::
naecd

Save this as CFScript.txt

http://img213.imageshack.us/img213/1218/cfscript1.gif

Close all browser windows. Referring to the screenshot above, drag CFScript.txt onto ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt)


Step 3

Download TDSSKiller and save it to your desktop

Execute TDSSKiller.exe by double-clicking on it.

- Press Start Scan
- If a Suspicious object is detected, the default action will be Skip; click on Continue.
- If Malicious objects are found, select Cure.

Once complete, a log will be produced at the root of the drive, which is typically C:\, for example C:\TDSSKiller.<version_date_time>log.txt

Please post the contents of that log in your next reply.
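The CFScript posted above is handed to ComboFix as-is, so it is worth reading it back before running it. The following is an added example (not ComboFix's code and not from this thread) that parses the CFScript.txt format into a list of planned actions without touching the system: `Registry::` lines in .reg syntax (`[-KEY]` deletes a key, `"name"=-` deletes a value under the preceding `[KEY]`, `"name"=dword:...` sets one), `File::`/`Folder::`/`Driver::` lines naming what to delete, `DDS::` settings to reset, and bodyless directives such as `KillAll::`. It also cross-checks that every `Driver::` name has a matching `<name>.sys` under `File::`, and flags files under a Temp directory, since a driver running out of %TEMP% is the pattern the script above is cleaning up. The sample script is a constructed, trimmed copy of the one in the thread.

```python
"""Dry-run parser for a ComboFix CFScript.txt.

Added example: not ComboFix's code and not from the thread. It only reads the
script and lists what it asks for, so the script can be reviewed before use.
"""
from __future__ import annotations
import re
from collections import Counter
from dataclasses import dataclass

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")   # e.g. "Registry::"
VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')        # .reg value line
BODYLESS = {"killall", "clearjavacache"}          # directives with no lines


@dataclass(frozen=True)
class Action:
    kind: str       # delete_key, delete_value, set_value, delete_file, ...
    target: str     # registry key, path, driver name or setting name
    detail: str = ""


def parse_cfscript(text: str) -> list[Action]:
    """Turn a CFScript into an ordered list of planned actions (no side effects)."""
    actions: list[Action] = []
    section: str | None = None
    current_key: str | None = None       # [KEY] that value lines apply to
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1).lower()
            current_key = None
            if section in BODYLESS:
                actions.append(Action("directive", section))
            continue
        if section is None:
            raise ValueError(f"line outside any section: {line!r}")
        if section == "registry":
            if line.startswith("[-") and line.endswith("]"):
                actions.append(Action("delete_key", line[2:-1]))
                current_key = None
            elif line.startswith("[") and line.endswith("]"):
                current_key = line[1:-1]
            else:
                value = VALUE_RE.match(line)
                if value is None or current_key is None:
                    raise ValueError(f"bad Registry:: line: {line!r}")
                name, data = value.groups()
                if data == "-":
                    actions.append(Action("delete_value", current_key, name))
                else:
                    actions.append(Action("set_value", current_key, f"{name}={data}"))
        elif section in ("file", "folder", "driver"):
            actions.append(Action(f"delete_{section}", line))
        elif section == "dds":
            name, _, value = line.partition("=")
            actions.append(Action("reset_setting", name.strip(), value.strip()))
        else:
            actions.append(Action("unknown", section, line))
    return actions


def summarize(actions: list[Action]) -> dict[str, int]:
    """Count actions by kind, for a quick look at what the script will do."""
    return dict(Counter(a.kind for a in actions))


def unmatched_drivers(actions: list[Action]) -> list[str]:
    """Driver:: names with no File:: entry for <name>.sys: the service would be
    removed but its binary left on disk."""
    files = {a.target.rsplit("\\", 1)[-1].lower()
             for a in actions if a.kind == "delete_file"}
    return [a.target for a in actions
            if a.kind == "delete_driver" and a.target.lower() + ".sys" not in files]


def files_in_temp(actions: list[Action]) -> list[str]:
    """File:: paths under a Temp directory (a driver there is itself a red flag)."""
    return [a.target for a in actions
            if a.kind == "delete_file" and "\\temp\\" in a.target.lower()]


# Constructed sample: a trimmed copy of the CFScript posted in the thread.
SAMPLE = r"""
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{22e03916-85c5-44b0-8dc9-1830c11238d9}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{22e03916-85c5-44b0-8dc9-1830c11238d9}"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000

KillAll::

File::
C:\DOCUME~1\CARLOS~1\LOCALS~1\Temp\naecd.sys

Folder::
C:\Program Files\Ask.com

Driver::
naecd
"""

if __name__ == "__main__":
    plan = parse_cfscript(SAMPLE)
    for a in plan:
        print(f"{a.kind:14} {a.target} {a.detail}".rstrip())
    print(summarize(plan), unmatched_drivers(plan), files_in_temp(plan))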

Removed the toolbars and have the logs.

Open notepad and copy/paste the text present inside the code box below:


Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7FF99715-3016-4381-84CE-E4E4C9673020}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9D425283-D487-4337-BAB6-AB8354A81457}]
[-HKEY_CLASSES_ROOT\clsid\{7ff99715-3016-4381-84ce-e4e4c9673020}]
[-HKEY_CLASSES_ROOT\clsid\{9d425283-d487-4337-bab6-ab8354a81457}]
[-HKEY_CLASSES_ROOT\SearchToolbarLib.CSearchToolbarImpl.1]
[-HKEY_CLASSES_ROOT\TypeLib\{E43AD97A-5248-46A7-BB03-35574058224C}]
[-HKEY_CLASSES_ROOT\SearchToolbarLib.CSearchToolbarImpl]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7FF99715-3016-4381-84CE-E4E4C9673020}"=-
"{9D425283-D487-4337-BAB6-AB8354A81457}"=-

DDS::
uStart Page = hxxp://www.ask.com/?l=dis&o=15486

Folder::
c:\program files\Windows Searchqu Toolbar
c:\program files\Search Toolbar


Save this as CFScript.txt

http://img213.imageshack.us/img213/1218/cfscript1.gif

Close all browser windows. Referring to the screenshot above, drag CFScript.txt onto ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt)


ahaaa… one of those toolbar collectors ;D

You can Never Have too Many Toolbars! [Humorous Image]
http://www.howtogeek.com/101242/you-can-never-have-too-many-toolbars-humorous-image/

;D 8)

The second Combofix log.

The logs look good. How does the computer behave?

It’s alright everything is pretty much normal now. But now I’m getting the Windows Genuine window pop up, but I’ll find a way to remove that or something.
Is this pretty much it, am I clean and home free?

Is this pretty much it, am I clean and home free?
Yap, you are clean :)

It is necessary to uninstall Combofix and OTL

Start (Windows logo key: http://fotkica.com/thumbs2/117539_tmb_191855275_Windows_Logo_key.gif) >> Run

Combofix /Uninstall

Enter

Re-run OTL and hit CleanUp! button.

Alrighty. Did all of that.

Thanks so much for your help! ;D Hopefully I won’t have to seek out help for you guys again, but if I do, I know just where to go. Thanks again!

You’re welcome :wink:

Be safe :smiley: