Topic: Can't get rid of win32:sirefef-BTT

anjam
Can't get rid of win32:sirefef-BTT
« on: September 19, 2013, 04:35:25 AM »
Avast found a win32:sirefef-BTT / PL trojan on my laptop. I had Avast check and clean at bootup, but 2 of the files were in the Windows folder (in the Installer folder and attached to the desktop.ini). I didn't move them to the Chest but selected "Ignore".

The trojan is still on the PC. I tried to find a fix by browsing through this forum, but all the advice seems to depend on the log a user posted.

Can someone please advise? Thank you!

Ran OTL and this is what I got (see attachment)

argus
Re: Can't get rid of win32:sirefef-BTT
« Reply #1 on: September 19, 2013, 05:57:25 AM »
Hi anjam, I will be working on your malware issues.


Re-run OTL.exe.

  • Copy and paste the following text written inside the code box into the Custom Scans/Fixes box.

Code:

:files
C:\Windows\Installer\{bd946cdb-4f80-26a1-6665-6e0fc3514355}
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini

:commands
[CREATERESTOREPOINT]
[emptytemp]

  • Then click the Run Fix button at the top.
  • Let the program run unhindered; it will reboot the system when it is done and open Notepad with the log report. Attach that log report here.
If the log doesn't appear, it can be found here:

c:\_OTL\MovedFiles\mmddyyyy_hhmmss.log

*********** Next *************

1. Please download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works, please read this guide carefully.
Note: ComboFix must be downloaded to your Desktop.


--------------------------------------------------------------------
2. Temporarily disable your AntiVirus program.
If you are unsure how to do this, please read this or this instruction.

Instructions how to disable avast:
  • Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
  • In the window that opens on the top right corner, click Settings.
  • In a new window that opens, choose the option Troubleshooting, Uncheck Enable avast! self-defense, and click OK.
  • Again, right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls.
  • In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.
Note: Do not forget to turn on this option after the cleaning.

--------------------------------------------------------------------
3. Run ComboFix. Click on I Agree!

ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.

ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.

If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note: Do not mouse-click ComboFix's window while it is running.
If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion" just restart computer once more.


--------------------------------------------------------------------
4. When the tool is finished, it will produce a log report for you (typical location: C:\ComboFix.txt).
Attach the log report (ComboFix.txt) back to the topic.


anjam
Re: Can't get rid of win32:sirefef-BTT
« Reply #2 on: September 19, 2013, 02:59:58 PM »
Thank you so much for your help!!

Ok - ran OTL again. Actually had to run it twice as I realized it was not saved to the desktop initially. Attached is the OTL log.

Then, ran Combofix. Was advised that a version of AntiVir Desktop and Spyware was still running but I couldn't find anything on my laptop to stop this program or file (nothing installed or in msconfig or TaskManager).
Since I had stopped Avira, I ran Combofix anyway. Attached is the log.
When ComboFix finished, I was not able to either open Google Chrome or look at the log file. Whatever I did, I got "Illegal operation attempted on a registry key that has been marked for deletion". In an attempt to get my laptop running properly, I rebooted into safe mode and ran sfc /scannow, which only worked for the Administrator account (couldn't log into the Guest account due to a connection problem to "Sens Service" ... whatever that means).
Anyway, now I am able again to open programs in normal operation and posted the logs from the (hopefully now virus-free) laptop.
« Last Edit: September 19, 2013, 03:01:43 PM by anjam »

Pondus
Re: Can't get rid of win32:sirefef-BTT
« Reply #3 on: September 19, 2013, 03:07:15 PM »
Quote
When Combofix finished, I was not able to either open Google Chrome or look at the log file. What I did, I got  "Illegal operation attempted on a registry key that has been marked for deletion".
did you read the bottom of the combofix instructions?

Quote
Note:Do not mouse-click Combofix's window while it is running.
If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion" just restart computer once more.


argus
Re: Can't get rid of win32:sirefef-BTT
« Reply #4 on: September 19, 2013, 03:14:46 PM »
Open notepad and copy/paste the text present inside the code box below:


Code:

SecCenter::
{090F9C29-64CE-6C6F-379C-5901B49A85B7}
{B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}

Folder::
c:\program files (x86)\Freecorder

Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"=-
[-HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"=-



Save this as CFScript.txt



Close all browser windows.

Referring to the screenshot above, drag CFScript.txt onto ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply (typical location: C:\ComboFix.txt).
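A read-only triage script for the artifacts named in the OTL fix (Reply #1) and in the CFScript above, added here as an example; it is not part of the thread, of OTL or of ComboFix. It assumes an elevated PowerShell prompt, uses only the paths and CLSID quoted in the thread, and the report file name is an assumption of mine.

```powershell
# Added example, not from the thread: record what exists at the locations the helper
# asked to fix, before and after the cleanup. Nothing is deleted or modified.
# Assumed: run elevated; Get-FileHash needs PowerShell 4 or later (skipped otherwise).

$filePaths = @(
    'C:\Windows\Installer\{bd946cdb-4f80-26a1-6665-6e0fc3514355}',
    'C:\Windows\assembly\GAC_32\Desktop.ini',
    'C:\Windows\assembly\GAC_64\Desktop.ini',
    'C:\Program Files (x86)\Freecorder'
)
$clsid = '{1392b8d2-5c05-419f-a8f6-b9f15a596612}'
# One key that should not exist at all, and two keys that should carry no value named $clsid.
$regKeys   = @("Registry::HKEY_CLASSES_ROOT\CLSID\$clsid")
$regValues = @(
    'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar'
)

function Get-ArtifactReport {
    foreach ($p in $filePaths) {
        # -Force shows hidden/system items; size, attributes and a hash are the evidence
        # worth keeping for anything found under the GAC folders or the Installer GUID.
        $item = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
        if (-not $item) { "[absent]  $p"; continue }
        if ($item.PSIsContainer) {
            $n = @(Get-ChildItem -LiteralPath $p -Force -Recurse -ErrorAction SilentlyContinue).Count
            "[present] $p  (directory, $n entries, created $($item.CreationTime))"
        } else {
            $hash = 'n/a'
            if (Get-Command Get-FileHash -ErrorAction SilentlyContinue) {
                $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            }
            "[present] $p  ($($item.Length) bytes, attrs=$($item.Attributes), created $($item.CreationTime), sha256=$hash)"
        }
    }
    foreach ($k in $regKeys) {
        if (Test-Path -LiteralPath $k) { "[present] key $k" } else { "[absent]  key $k" }
    }
    foreach ($k in $regValues) {
        # Get-Item on a registry key exposes its value names through the Property member.
        $key = Get-Item -LiteralPath $k -ErrorAction SilentlyContinue
        if ($key -and ($key.Property -contains $clsid)) { "[present] value $clsid under $k" }
        else { "[absent]  value $clsid under $k" }
    }
}

# Print the report and keep a copy next to the tool logs for the before/after comparison.
Get-ArtifactReport | Tee-Object -FilePath "$env:USERPROFILE\Desktop\sirefef-triage.txt"
```

Run it once before the CFScript and once after; any line that stays "[present]" is what the follow-up log should be checked against.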

anjam
Re: Can't get rid of win32:sirefef-BTT
« Reply #5 on: September 19, 2013, 03:57:42 PM »
Thank you again.
Attached is the new log.

argus
Re: Can't get rid of win32:sirefef-BTT
« Reply #6 on: September 19, 2013, 04:07:36 PM »
Remove the ComboFix icon and download a new one:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Run ComboFix again and attach the log file here.

anjam
Re: Can't get rid of win32:sirefef-BTT
« Reply #7 on: September 19, 2013, 04:45:43 PM »
Thank you, Argus. Attached is the latest log.

argus
Re: Can't get rid of win32:sirefef-BTT
« Reply #8 on: September 19, 2013, 04:48:38 PM »
How is your computer behaving now?

anjam
Re: Can't get rid of win32:sirefef-BTT
« Reply #9 on: September 19, 2013, 04:52:06 PM »
Just turned Avast back on and will let you know if anything else should pop up.
Do the logs seem to be clear?

argus
Re: Can't get rid of win32:sirefef-BTT
« Reply #10 on: September 19, 2013, 05:05:35 PM »
Quote
Do the logs seem to be clear?

Yep.

The remains of Avira are also gone.
« Last Edit: September 19, 2013, 05:09:02 PM by argus »

anjam
Re: Can't get rid of win32:sirefef-BTT
« Reply #11 on: September 20, 2013, 11:45:56 PM »
Argus, seems all good again! The only strange thing was that upon rebooting, approx. 35 updates were installed by Windows which took quite a while. But maybe the clean up deleted a bunch of stuff?!
Anyway, ran an Avast check today and nothing came up. Thank you so much!!!

argus
Re: Can't get rid of win32:sirefef-BTT
« Reply #12 on: September 21, 2013, 06:12:52 AM »
I'm glad :)


It is necessary to uninstall ComboFix:
  • Click Start, then Run.
    On Windows 7 or Vista you may use the Start Search field if Run is not available.
  • In the line of text type in (or copy) the following:
Code:
ComboFix /Uninstall
    Note that there is a space between "ComboFix" and "/Uninstall".
  • Then click OK (or press Enter).
    Wait until the uninstall process is complete.
