Topic: Trojan.Sirefef and others (OTL, MBAM, aswMBR files attached) -- thx for yr help

Offline afoyfs

  • Newbie
  • Posts: 10
Hi,

A couple of days ago, my wife inadvertently clicked on an Adobe-looking software update and gave access to the damned Sirefef and a bunch of other trojans. I have run Avast boot scan and MBAM in normal and safe mode, and each time it finds and quarantines things. I have disconnected my WiFi card so no Internet connection but when the Internet is on, Avast keeps warning about win32:Sirefef-PL and another trojan whose name I can't remember. Unlike some other users, thankfully I have not been redirected to other websites but my turning off the WiFi card may have something to do with that. :)

Anyway, I have followed the instructions on the forum and am attaching OTL.txt, aswMBR.txt and the MBAM log. All .txt files were saved in ANSI format. By the way, OTL did not produce an Extra.txt file.

I want to thank you in advance for helping me.

Best,
Afoyfs

Offline essexboy

  • avast! Überevangelist
  • Maybe Bot
  • Posts: 22290
  • Gender: Male
  • Dragons by Sasha
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following


    :OTL
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
    O3 - HKU\S-1-5-21-807215146-2730604830-511077904-1000\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKU\S-1-5-21-807215146-2730604830-511077904-1000\..\Toolbar\WebBrowser: (no name) - {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - No CLSID value found.
    O3 - HKU\S-1-5-21-807215146-2730604830-511077904-1000\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
    O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)

    :Files
    C:\Windows\Installer\{5b94ccfa-cbd2-f49e-8251-d6a40b8cc51a}
    C:\Users\Far\AppData\Local\{5b94ccfa-cbd2-f49e-8251-d6a40b8cc51a}

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN

Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1
Link 2
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion, reboot again; that will cure it.



Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.



Offline afoyfs
Essexboy,

Thanks for the prompt response. I have one question before I run the fix. I have kept the infected PC offline so the virus does not make it worse. But one of the instructions in the OTL fix appears to update the Java plug-in from Sun's website, which would mean that I need to be connected to the Internet when running the OTL fix. Is this correct, or can I run the OTL fix while disconnected from the Internet?

Thanks,
Farhan

Offline essexboy
No, that is the removal of an old and risky Java ActiveX.

So run them all whilst offline  ;D



Offline afoyfs
Essexboy,

I ran the OTL fix and ComboFix. I am attaching two files that were created by OTL and the ComboFix log.

A couple of unexpected things happened during this clean-up process:
-- I could not find the Avast shields control item in the system tray so I stopped Avast and also disabled VRDB generation. I think ComboFix worked fine but wanted to tell you about this as I am not sure if Avast was properly shut down.
-- During ComboFix, two dialog boxes opened up for pev.3XE and PEV.exe, each saying that this program "has stopped working. A problem has caused the program to stop working correctly. Windows will close the program and notify you if a solution is available."

I don't know if these issues had any impact on the fix. My PC seems to be working fine. It booted in decent time and I am on the Internet and Avast is running but it hasn't caught any viruses. Hopefully the OTL and ComboFix logs can tell you if the trojans are gone. I will report back at the end of the day and let you know how the PC is doing.

Thanks,
Afoyfs

Offline essexboy
Are you still running Avast 4?




Offline afoyfs
Yes, 4.8

Offline essexboy
Any specific reason as to why you have not updated to version 7 ?

How is the system behaving now ?



Offline afoyfs
No reason, just laziness :(

I just installed Avast 7 and am running the boot scan. It has found more instances of win32:Sirefef-PL [RTK], win32:Malware-gen and INI:cycbot-gen, so I guess the virus was either not cleaned completely or it has returned. *sigh!!* The PC ran fine all day yesterday but today my wife said another Adobe upgrade message popped up similar to what preceded the first infection. I have not seen this myself so I can't describe it to you.

I told Avast to delete the infections and will attach the Avast log file when the boot scan is complete.

Please advise on what I should do next.

Thanks,
Afoyfs

P.S. What did the messages related to pev.3XE and PEV.exe mean from the previous clean-up?

Offline afoyfs
Essexboy,

Here are the logs from MBAM, OTL and aswMBR. I said I would provide a log from Avast but I couldn't see where the logs are kept in the new setup for Avast 7. Anyway, it looks like we are back to the beginning of troubleshooting the God-awful trojans, and you want to see the MBAM, OTL and aswMBR logs anyway...

Thanks,
Afoyfs

Offline essexboy
It looks as though it failed to install this time. A suggestion, if I may: rather than letting programmes auto-update, do it yourself. When I clean up there will be a small programme to assist in this.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following


    :OTL
    IE - HKU\S-1-5-21-807215146-2730604830-511077904-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:51616

    :Files
    ipconfig /flushdns /c
    C:\Users\Far\AppData\Local\{5b94ccfa-cbd2-f49e-8251-d6a40b8cc51a}

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN

Run ComboFix once more and allow it to update if requested. Then attach that log.

Once done could you let me know how the computer is behaving

The Avast boot log is here C:\ProgramData\AVAST Software\Avast\report\aswBoot.txt
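
The two OTL fixes in this thread remove the same kinds of indicators: {GUID} folders under C:\Windows\Installer and the user's AppData\Local, a loopback HTTP proxy ("ProxyServer" = http=127.0.0.1:51616) in the user's Internet Settings, hosts-file entries ([resethosts]), and BHO/toolbar registrations whose CLSID has no class definition ("No CLSID value found"). The PowerShell below is an added, read-only triage check for those same indicators on a Windows machine; it is not part of the original thread and is not OTL or ComboFix code. The registry paths, folder locations, GUID pattern and proxy value come from the fixes above; the "same GUID folder in both locations" heuristic and the default-hosts pattern are assumptions I added. It only reports, never deletes, and is meant to be run from an elevated PowerShell prompt while logged on as the affected user.

```powershell
# Added example, not code from the original thread or from OTL/ComboFix.
# Read-only triage for the indicators the two OTL fixes removed. It reports
# and never deletes. Run from an elevated PowerShell prompt as the affected user.
# Paths, the {GUID} pattern and the loopback proxy value are taken from the thread;
# the "twin folder" heuristic and the default-hosts pattern are my assumptions.

$findings = @()
$guidRx = '^\{[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}$'

# 1. Per-user HTTP proxy pointing back at the local machine. The second fix removed
#    "ProxyServer" = http=127.0.0.1:51616; a loopback proxy hands every browser
#    request to whatever local process is listening on that port.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ps = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue
if ($ps.ProxyServer -match '(^|=)(127\.0\.0\.1|localhost|\[::1\]):\d+') {
    $findings += "Loopback proxy set: ProxyServer=$($ps.ProxyServer) ProxyEnable=$($ps.ProxyEnable)"
}

# 2. {GUID} folders present under BOTH C:\Windows\Installer and %LOCALAPPDATA%,
#    the two paths the fixes deleted ({5b94ccfa-...} in this thread). Windows
#    Installer legitimately keeps {ProductCode} folders for icons; the same name
#    recurring inside the user's profile is the heuristic flagged here (assumption).
$installer = Join-Path $env:WINDIR 'Installer'
$installerGuids = Get-ChildItem -Path $installer -Directory -Force -ErrorAction SilentlyContinue |
                  Where-Object { $_.Name -match $guidRx }
foreach ($dir in $installerGuids) {
    $twin = Join-Path $env:LOCALAPPDATA $dir.Name
    if (Test-Path -LiteralPath $twin) {
        $findings += "GUID folder in both Installer and LocalAppData: $($dir.Name)"
    }
}

# 3. hosts entries beyond the defaults ([resethosts] in both fixes). Anything
#    else redirects name resolution before DNS is ever consulted.
$hosts = Join-Path $env:WINDIR 'System32\drivers\etc\hosts'
foreach ($line in (Get-Content -Path $hosts -ErrorAction SilentlyContinue)) {
    if ($line -match '^\s*(#|$)') { continue }
    if ($line -match '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$') { continue }
    $findings += "Non-default hosts entry: $line"
}

# 4. BHO and IE toolbar registrations whose CLSID has no class definition, i.e.
#    the "No CLSID value found" O2/O3 lines the first fix removed.
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
foreach ($key in $bhoKeys) {
    foreach ($sub in (Get-ChildItem -Path $key -ErrorAction SilentlyContinue)) {
        if (-not (Test-Path "Registry::HKEY_CLASSES_ROOT\CLSID\$($sub.PSChildName)")) {
            $findings += "BHO with no CLSID definition: $($sub.PSChildName)"
        }
    }
}
$tbKey = 'HKCU:\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser'
$tb = Get-Item -Path $tbKey -ErrorAction SilentlyContinue
if ($tb) {
    foreach ($name in $tb.GetValueNames()) {
        if ($name -match $guidRx -and -not (Test-Path "Registry::HKEY_CLASSES_ROOT\CLSID\$name")) {
            $findings += "Toolbar entry with no CLSID definition: $name"
        }
    }
}

if ($findings.Count -eq 0) { 'No indicators found.' } else { $findings }
```

A hit on check 1 after a cleanup is the most telling of the four: a proxy value pointing at a local port only does something if a process is still listening there, so it is a direct sign that the component the fix was meant to remove has been reinstalled, which is what happened in this thread after the second fake Adobe update prompt.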



Offline afoyfs
Essexboy,

Sorry but I am not sure what failed to install this time.

Afoyfs

Offline essexboy
The malware from the adobe popup  ;D



Offline afoyfs
Oh, I see. That's great.

I agree with you on updating myself rather than letting programs do it automatically. The only program I allow to update automatically is Avast but clearly Adobe is having a party at my expense and Java also keeps prompting me to update. In answer to your question, yes, I will update programs manually.

I will run this fix later this evening when I get home, post the logs and then monitor the system for a day or two and let you know how it's running.

Thanks again,
Afoyfs

Offline essexboy
I never let anything auto-update bar Windows and Avast. I will give a link to the programme that I use monthly to check my programme updates when I remove the tools and tidy up.