Avast WEBforum
Other => Viruses and worms => Topic started by: Sonofnelak on August 15, 2012, 11:56:12 PM
-
My computer has recently been infected by that obnoxious Sirefef-PL [RTK]. Attached are my various scan logs. If any additional information is required other than what I've submitted, I'll be sure to provide it ASAP. Thank you very much for your assistance.
-
you may also attach a malwarebytes quick scan log
-
you may also attach a malwarebytes quick scan log
Alright, here's the quickscan.
-
malware removers are notified, it may take hours before one arrive so be patient
-
malware removers are notified, it may take hours before one arrive so be patient
Much appreciated, thank you very much.
-
Hi Sonofnelak,
Need to uninstall Comodo Internet Security if the active anti-virus component.
If only a firewall, do not touch.
Step1
Re-run OTL.exe.
- Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.
:OTL
IE:[b]64bit:[/b] - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = http://www.searchqu.com/web?src=ieb&appid=102&systemid=406&sr=0&q={searchTerms}
IE - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = http://www.searchqu.com/web?src=ieb&appid=102&systemid=406&sr=0&q={searchTerms}
IE - HKU\S-1-5-18\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-1703362208-2428590436-2978447147-1000\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = http://www.searchqu.com/web?src=ieb&appid=102&systemid=406&sr=0&q={searchTerms}
IE - HKU\S-1-5-21-1703362208-2428590436-2978447147-1000\..\SearchScopes\{A59C167F-298F-30E1-8F0D-B7ED3F450647}: "URL" = http://www.startnow.com/s/?q={searchTerms}&src=defsearch&provider=Bing&provider_code=Z057&partner_id=333&product_id=519&affiliate_id=&channel=SB1&toolbar_id=200&toolbar_version=2.0&install_country=US&install_date=20110703&user_guid=DE0CBDDCE28F4133A2EDD28F58C65553&machine_id=cd500c751680770a42910e0ef821e741&browser=IE&os=win&os_version=6.1-x64-SP1
IE - HKU\S-1-5-21-1703362208-2428590436-2978447147-1000\..\SearchScopes\{F5906B4E-31E9-486B-94AE-AC9FBAF9A19C}: "URL" = http://start.funmoods.com/results.php?f=4&a=bndlr&q={searchTerms}
[2011/09/21 19:47:20 | 000,000,000 | ---D | M] (Searchqu Toolbar) -- C:\Users\Paul Kallen\AppData\Roaming\Mozilla\Firefox\Profiles\7040a65o.default\extensions\{99079a25-328f-4bd4-be04-00955acaa0a7}
[2012/04/18 22:00:49 | 000,001,799 | ---- | M] () -- C:\Users\Paul Kallen\AppData\Roaming\Mozilla\Firefox\Profiles\7040a65o.default\searchplugins\funmoods.xml
O2:[b]64bit:[/b] - BHO: (Loader Class) - {9D717F81-9148-4f12-8568-69135F087DB0} - C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\x64\BrowserConnection.dll (Bandoo Media, inc)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\ToolBar\searchqudtx.dll ()
O2 - BHO: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files (x86)\Search Toolbar\SearchToolbar.dll ()
O2 - BHO: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files (x86)\Search Toolbar\SearchToolbar.dll ()
O2 - BHO: (Loader Class) - {9D717F81-9148-4f12-8568-69135F087DB0} - C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\BrowserConnection.dll (Bandoo Media, inc)
O3:[b]64bit:[/b] - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3 - HKLM\..\Toolbar: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\ToolBar\searchqudtx.dll ()
O3 - HKLM\..\Toolbar: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files (x86)\Search Toolbar\SearchToolbar.dll ()
O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3 - HKU\S-1-5-21-1703362208-2428590436-2978447147-1000\..\Toolbar\WebBrowser: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files (x86)\Search Toolbar\SearchToolbar.dll ()
O4 - HKLM..\Run: [DATAMNGR] C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\datamngrUI.exe (Bandoo Media, inc)
:files
C:\Program Files (x86)\Windows iLivid Toolbar
C:\Users\Paul Kallen\AppData\Local\facemoods.bmp
C:\windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a
C:\Users\Paul Kallen\AppData\Local\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}
ipconfig /flushdns /c
:Commands
[purity]
[emptytemp]
[CLEARRESTOREPOINTS]
[EMPTYJAVA]
[Reboot]
- Then click the Run Fix button at the top.
- Let the program run unhindered; it will reboot the system when it is done and open notepad with logreport. Attach here that logreport.
**************
Step2
> Download ComboFix from here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) and save it to your Desktop.
If you are unsure how ComboFix works please read this guide (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) carefully.
note: ComboFix must be downloaded to your Desktop.
> Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this Instruction. (http://www.bleepingcomputer.com/forums/topic114351.html)
How to disable avast:
- Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
- In the window that opens on the top right corner, click Settings.
- In a new window that opens, choose the option Troubleshooting, Uncheck Enable avast! self-defense, and click OK.
- Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls .
- In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.
Note: Do not forget to turn on this option after the cleaning.
> Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note:Do not mouse-click Combofix's window while it is running.
> When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt )
Attach log reports ( ComboFix.txt) back to topic.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
-
I've done all the necessary steps so far, however I'm having a problem with installing ComboFix. The program doesn't finish installing past this message:
Output folder: C: \32788R22FWJFW
The program stayed at this part of the installation for some time, not progressing. Is it normal for it to take that long to install?
-
The program stayed at this part of the installation for some time, not progressing. Is it normal for it to take that long to install?
Stop the ComboFix.
- Download FRST64 (http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/) to a USB flash drive.
- Plug the USB drive into the infected machine.
Boot your computer into Recovery Environment
- Restart the computer and press F8 repeatedly until the Advanced Options Menu appears.
- Select Repair your computer.
- Select Language and click Next
- Enter password (if necessary) and click OK, you should now see the screen below ...
(http://i1090.photobucket.com/albums/i366/garyr56/W7InstallDisk2.png)
- Select the Command Prompt option.
- A command window will open.
- Type notepad then hit Enter.
- Notepad will open.
- Click File > Open then select Computer.
- Note down the drive letter for your USB Drive.
- Close Notepad.
- Back in the command window ....
- Type e:/frst64.exe and hit Enter (where e: is replaced by the drive letter for your USB drive)
- FRST will start to run.
- When the tool opens click Yes to disclaimer.
- Press Scan button.
- When finished scanning it will make a log FRST.txt on the flash drive.
- Next
- Type Explorer.exe;Services.exe into the Search: field in FRST then click the Search File(s) button.
- FRST will search your computer for files and when finished it will produce a log Search.txt on the flash drive.
- Exit FRST.
- Close the command window.
- Boot back into normal mode and post me the FRST.txt and Search.txt logs please.
-
Is there any chance that the virus will be transferred via flashdrive if it's put into another computer?
-
Alright, here's the FRST.txt and Search.txt logs.
-
Is there any chance that the virus will be transferred via flashdrive if it's put into another computer?
No :)
We will reply later'm currently busy.
-
@Sonofnelak
Argus is currently busy, so I will take your case. ;)
First, i see avast & comodo on your systems.
Is Comodo just a firewall or it have an antivirus moduls too?
Open notepad.
- Click Start
- Type notepad.exe in the search programs and files box and click Enter.
- A blank Notepad page should open.
- Copy/Paste the contents of the code box below into Notepad.
Start
C:\Windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}
C:\Windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\@
C:\Windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\L
C:\Windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\U
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
Replace: C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe C:\Windows\System32\services.exe
end
- Save it to your USB flashdrive as fixlist.txt
>> Boot into Recovery Environment
Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens ....
- Press the Fix button once and wait.
- FRST will process fixlist.txt
- When finished, it will produce a log fixlog.txt on your USB flashdrive.
Next
- >> Press Scan button and attach here fresh FRST.txt logreport.
>> Exit out of Recovery Environment and post me the log please.
-
Alright, here's the new FRST.txt.
-
First, i see avast & comodo on your systems.
Is Comodo just a firewall or it have an antivirus moduls too?
Download DDS and save it to your Desktop from here:
http://download.bleepingcomputer.com/sUBs/dds.scr
Double click dds to run the tool.
* When done, DDS will open two (2) logs:
1. DDS.txt
2. Attach.txt
Save both reports to your desktop. DDS.txt and Attach.txt attach back to topic.
-
Alright, here's DDS.txt and Attach.txt.
-
Ok, there is no aktive malware. However, we still need to fix something what ZA rootkit mest up ...
Download Comodo Uninstaller tool:
Info:
https://forums.comodo.com/install-setup-configuration-help-cis/uninstaller-tool-for-comodo-products-t71897.0.html
Download:
https://sites.google.com/site/jacobcprt/Setup.zip?attredirects=0
---------------------------------
Lets try to finish this case with Combofix shell we? :)
Delete current Combofix and Download fresh Combofix from here to your Desktop!
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Disabe temporaly avast antivirus. Argus hase wrote how to do it.
- Click Start (or (http://amf.mycity.rs/pg/images/VistaStartButton.png)) then Run.
On Windows7 or Vista you may use Start Search field if Run is not available.
- In the line of text type in (Copy) the following:
"%userprofile%\desktop\ComboFix.exe" /KillAll- then click OK (or press Enter ).
Combofix will re-run. Wait for scan process is complete and attach here Combofix.txt log
-
I followed the instructions to disable avast. When I ran ComboFix I got a warning message alerting me that avast was still running. What should I do?
-
I followed the instructions to disable avast. When I ran ComboFix I got a warning message alerting me that avast was still running. What should I do?
If you are disabled avast then just ignore Combofix warning ;)
-
Alright got that settled. Here's the ComboFix Log.
-
Step1
- Download AdwCleaner (http://www.general-changelog-team.fr/en/downloads/finish/20-outils-de-xplode/2-adwcleaner) (by Xplode) on your desktop.
- Launch it, click on [Search] and wait for the scan.
- When the scan ends, notepad with the report will appears.
- Click on the [Delete] Wait for the programme completes his work.
The program will close all active programs. Click OK to confirm that.
On the next two windows that open ( Informations and Restart required ) click OK
- The computer will restart and open a notepad ( C:\AdwCleaner[S1].txt ) with the report.
- Save the notepad report on the Desktop
- Please attach here C:\AdwCleaner[S1].txt
Note: The report will also be stored on C:\AdwCleaner[S1].txt [/list]
**********************
Step2
Open notepad and copy/paste the text present inside the code box below:
SkipFix::
RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a3,26,f0,eb,eb,b2,78,47,ae,ae,cf,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a3,26,f0,eb,eb,b2,78,47,ae,ae,cf,\
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
Save this as CFScript.txt
(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)
Close all browser windows and refering to the picture above.
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will will re-run. When finished, it will produce a log for you. I dont need that log.
Be free and go to Step3.
****************************
Step3
It is necessary to uninstall the ComboFix :
- Click Start (or (http://amf.mycity.rs/pg/images/VistaStartButton.png)) then Run.
On Windows7 or Vista you may use Start Search field if Run is not available.
- In the line of text type in (Copy) the following:
ComboFix /Uninstall Note that there is a space between " ComboFix " and " /Uninstall " .
- then click OK (or press Enter ).
Wait for the uninstall process is complete.
******************************
>> How is your computer running now? 8)
--------------------------------------
They are some leftovers...you may remove them with AppRemover. You may do later but do it ;)
You may download AppRemover (http://www.appremover.com/) (~ 6MB) on Desktop .
Run it by double-clicking
Click Next, choose the second option (Clean Up a Failed Uninstall), confirm with Continue, go to Next, wait to be finished, choose what it find, scan and remove it by clicking on the Next .
-
Alright, here's AdwCleaner[S1]. My computer's working quite well, no problems as far as I can see. Are there any further steps?
-
Yes, i wish to check somting.
Please, re -run FSS and attach flesh FSS.txt log
-
Alright, here's the FSS file.
-
Download this file:
https://www.dropbox.com/s/z4okz2emva35hwg/BITS7.reg?m
Doble-click to run it and click on Yes/Ok. Reboot your computer. That it. We are done.
-
What am I supposed to do with the file? I assume I downloaded the correct thing, I clicked the link and got a text document called BITS7.reg. What comes next?
-
I'm not sure what I'm supposed to be doing.
-
You're still tracking my posts right? You didn't just stop after you said you were finished did you? Because I have no idea what to do with this text file.
-
Am I supposed to run it with another program?
-
You're still tracking my posts right? You didn't just stop after you said you were finished did you? Because I have no idea what to do with this text file.
patient.....he will be back
the man also have a life, sleep etc etc
-
@Sonofnelak
-Only what you need to do is to download that file ( BITS7.reg ) to your desktop.
-Doble-click to run the file. You will get some pop-up window with warning abaut editing registry. Just click on Yes or Ok button.
-Reboot windows.
-Thats it. No more steps,just that... :)
Do not forget to uninstall Combofix for some post cleaning.
Then, re-run OTL , click on CleanUp button. OTL will asc for reboot windows.
After the reboot all the tools we used should be gone.