Author Topic: Sirefef-PL [RTK]  (Read 13398 times)


Sonofnelak
Sirefef-PL [RTK]
« on: August 15, 2012, 11:56:12 PM »
My computer has recently been infected by that obnoxious Sirefef-PL [RTK]. Attached are my various scan logs. If any additional information is required other than what I've submitted, I'll be sure to provide it ASAP. Thank you very much for your assistance.

Pondus
Re: Sirefef-PL [RTK]
« Reply #1 on: August 15, 2012, 11:57:44 PM »
You may also attach a Malwarebytes quick scan log.

Sonofnelak
Re: Sirefef-PL [RTK]
« Reply #2 on: August 16, 2012, 12:06:55 AM »
Quote
you may also attach a malwarebytes quick scan log
Alright, here's the quickscan.

Pondus
Re: Sirefef-PL [RTK]
« Reply #3 on: August 16, 2012, 12:13:48 AM »
Malware removers are notified; it may take hours before one arrives, so be patient.

Sonofnelak
Re: Sirefef-PL [RTK]
« Reply #4 on: August 16, 2012, 12:16:12 AM »
Quote
malware removers are notified, it may take hours before one arrive so be patient
Much appreciated, thank you very much.

argus
Re: Sirefef-PL [RTK]
« Reply #5 on: August 16, 2012, 09:57:05 AM »
Hi Sonofnelak,

You need to uninstall Comodo Internet Security if its anti-virus component is active.
If it is only a firewall, do not touch it.


Step1


Re-run OTL.exe.

  • Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.

Code:

:OTL
IE:[b]64bit:[/b] - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = http://www.searchqu.com/web?src=ieb&appid=102&systemid=406&sr=0&q={searchTerms}
IE - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = http://www.searchqu.com/web?src=ieb&appid=102&systemid=406&sr=0&q={searchTerms}
IE - HKU\S-1-5-18\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-1703362208-2428590436-2978447147-1000\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = http://www.searchqu.com/web?src=ieb&appid=102&systemid=406&sr=0&q={searchTerms}
IE - HKU\S-1-5-21-1703362208-2428590436-2978447147-1000\..\SearchScopes\{A59C167F-298F-30E1-8F0D-B7ED3F450647}: "URL" = http://www.startnow.com/s/?q={searchTerms}&src=defsearch&provider=Bing&provider_code=Z057&partner_id=333&product_id=519&affiliate_id=&channel=SB1&toolbar_id=200&toolbar_version=2.0&install_country=US&install_date=20110703&user_guid=DE0CBDDCE28F4133A2EDD28F58C65553&machine_id=cd500c751680770a42910e0ef821e741&browser=IE&os=win&os_version=6.1-x64-SP1
IE - HKU\S-1-5-21-1703362208-2428590436-2978447147-1000\..\SearchScopes\{F5906B4E-31E9-486B-94AE-AC9FBAF9A19C}: "URL" = http://start.funmoods.com/results.php?f=4&a=bndlr&q={searchTerms}
[2011/09/21 19:47:20 | 000,000,000 | ---D | M] (Searchqu Toolbar) -- C:\Users\Paul Kallen\AppData\Roaming\Mozilla\Firefox\Profiles\7040a65o.default\extensions\{99079a25-328f-4bd4-be04-00955acaa0a7}
[2012/04/18 22:00:49 | 000,001,799 | ---- | M] () -- C:\Users\Paul Kallen\AppData\Roaming\Mozilla\Firefox\Profiles\7040a65o.default\searchplugins\funmoods.xml
O2:[b]64bit:[/b] - BHO: (Loader Class) - {9D717F81-9148-4f12-8568-69135F087DB0} - C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\x64\BrowserConnection.dll (Bandoo Media, inc)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\ToolBar\searchqudtx.dll ()
O2 - BHO: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files (x86)\Search Toolbar\SearchToolbar.dll ()
O2 - BHO: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files (x86)\Search Toolbar\SearchToolbar.dll ()
O2 - BHO: (Loader Class) - {9D717F81-9148-4f12-8568-69135F087DB0} - C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\BrowserConnection.dll (Bandoo Media, inc)
O3:[b]64bit:[/b] - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3 - HKLM\..\Toolbar: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\ToolBar\searchqudtx.dll ()
O3 - HKLM\..\Toolbar: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files (x86)\Search Toolbar\SearchToolbar.dll ()
O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3 - HKU\S-1-5-21-1703362208-2428590436-2978447147-1000\..\Toolbar\WebBrowser: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files (x86)\Search Toolbar\SearchToolbar.dll ()
O4 - HKLM..\Run: [DATAMNGR] C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\datamngrUI.exe (Bandoo Media, inc)

:files
C:\Program Files (x86)\Windows iLivid Toolbar
C:\Users\Paul Kallen\AppData\Local\facemoods.bmp
C:\windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}
C:\Users\Paul Kallen\AppData\Local\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}
ipconfig /flushdns /c

:Commands
[purity]
[emptytemp]
[CLEARRESTOREPOINTS]
[EMPTYJAVA]
[Reboot]


  • Then click the Run Fix button at the top.
  • Let the program run unhindered; it will reboot the system when it is done and open Notepad with a log report. Attach that log report here.
**************


Step2

> Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works, please read this guide carefully.
Note: ComboFix must be downloaded to your Desktop.

> Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this Instruction.

How to disable avast:

  • Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
  • In the window that opens on the top right corner, click Settings.
  • In a new window that opens, choose the option Troubleshooting, Uncheck Enable avast! self-defense, and click OK.

  • Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls .
  • In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.
Note: Do not forget to turn on this option after the cleaning.



> Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.

ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.

If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note:Do not mouse-click Combofix's window while it is running.


> When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt )
  Attach the log report (ComboFix.txt) back to the topic.




Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
« Last Edit: August 16, 2012, 02:24:58 PM by argus »
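The OTL script in this post removes IE search providers (SearchScopes) and Browser Helper Objects. Added here as an example, not part of argus's post or of OTL: a PowerShell snippet that enumerates the same persistence points from the registry so the removal can be verified after the fix runs. It assumes an elevated 64-bit PowerShell on the affected machine; the hive paths are the standard IE locations, and HKCU stands in for the per-SID HKU entries shown in the OTL lines.

```powershell
# Added example (not from the original post): enumerate IE search providers and
# Browser Helper Objects so the OTL fix above can be verified. Run from an
# elevated 64-bit PowerShell; HKCU stands in for the per-SID HKU entries in the log.

$scopeKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes',               # 64-bit view
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes',   # 32-bit view
    'HKCU:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes'
)
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

# A BHO key only stores the CLSID; the DLL path lives under CLSID\{guid}\InprocServer32,
# in either the 64-bit or the Wow6432Node class registration.
function Resolve-BhoDll([string]$clsid) {
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID') {
        $p = "$root\$clsid\InprocServer32"
        if (Test-Path -LiteralPath $p) { return (Get-ItemProperty -LiteralPath $p).'(default)' }
    }
    return $null    # OTL reports these as "No CLSID value found"
}

'=== Search scopes (URL template per provider) ==='
foreach ($key in $scopeKeys) {
    if (-not (Test-Path $key)) { continue }
    Get-ChildItem $key | ForEach-Object {
        $url = (Get-ItemProperty -LiteralPath $_.PSPath).URL
        '{0}  {1}  {2}' -f $key, $_.PSChildName, $url
    }
}

'=== Browser Helper Objects (CLSID -> DLL -> Authenticode status) ==='
foreach ($key in $bhoKeys) {
    if (-not (Test-Path $key)) { continue }
    Get-ChildItem $key | ForEach-Object {
        $dll = Resolve-BhoDll $_.PSChildName
        $sig = if ($dll -and (Test-Path -LiteralPath $dll)) {
                   (Get-AuthenticodeSignature -FilePath $dll).Status
               } elseif ($dll) { 'dll missing' } else { 'no CLSID value found' }
        '{0}  {1}  {2}  [{3}]' -f $key, $_.PSChildName, $dll, $sig
    }
}
```

Anything other than the user's chosen search engine in the first list, and any BHO whose DLL is unsigned or sits under a toolbar vendor's folder, is worth a second look. Two caveats: the HKU\S-1-5-18 (SYSTEM) and other users' SID hives are not walked here, and on Windows 7 with PowerShell 2.0 Get-AuthenticodeSignature does not consult catalog signatures, so a Microsoft DLL reporting NotSigned is not by itself evidence of tampering.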

Sonofnelak
Re: Sirefef-PL [RTK]
« Reply #6 on: August 17, 2012, 05:16:29 AM »
I've done all the necessary steps so far, however I'm having a problem with installing ComboFix. The program doesn't finish installing past this message:
Output folder: C:\32788R22FWJFW
The program stayed at this part of the installation for some time, not progressing. Is it normal for it to take that long to install?

argus
Re: Sirefef-PL [RTK]
« Reply #7 on: August 17, 2012, 10:04:12 AM »
Quote
The program stayed at this part of the installation for some time, not progressing. Is it normal for it to take that long to install?

Stop the ComboFix.


  • Download FRST64 to a USB flash drive.
  • Plug the USB drive into the infected machine.
Boot your computer into Recovery Environment

  • Restart the computer and press F8 repeatedly until the Advanced Options Menu appears.
  • Select Repair your computer.
  • Select Language and click Next
  • Enter password (if necessary) and click OK, you should now see the screen below ...


  • Select the Command Prompt option.
  • A command window will open.
    • Type notepad then hit Enter.
    • Notepad will open.
      • Click File > Open then select Computer.
      • Note down the drive letter for your USB Drive.
      • Close Notepad.
  • Back in the command window ....
    • Type e:\frst64.exe and hit Enter (where e: is replaced by the drive letter for your USB drive)
    • FRST will start to run.
      • When the tool opens click Yes to disclaimer.
      • Press Scan button.
      • When finished scanning it will make a log FRST.txt on the flash drive.
  • Next
    • Type Explorer.exe;Services.exe into the Search: field in FRST then click the Search File(s) button.
    • FRST will search your computer for files and when finished it will produce a log Search.txt on the flash drive.
    • Exit FRST.
  • Close the command window.
  • Boot back into normal mode and post me the FRST.txt and Search.txt logs please.

Sonofnelak
Re: Sirefef-PL [RTK]
« Reply #8 on: August 18, 2012, 07:30:20 PM »
Is there any chance that the virus will be transferred via flashdrive if it's put into another computer?

Sonofnelak
Re: Sirefef-PL [RTK]
« Reply #9 on: August 18, 2012, 08:12:31 PM »
Alright, here's the FRST.txt and Search.txt logs.

argus
Re: Sirefef-PL [RTK]
« Reply #10 on: August 18, 2012, 08:45:13 PM »
Quote
Is there any chance that the virus will be transferred via flashdrive if it's put into another computer?

No  :)


We will reply later; I'm currently busy.

magna86
Re: Sirefef-PL [RTK]
« Reply #11 on: August 18, 2012, 09:41:21 PM »
@Sonofnelak
Argus is currently busy, so I will take your case.  ;)

First, I see avast & Comodo on your system.
Is Comodo just a firewall, or does it have an antivirus module too?


Open notepad.
  • Click Start
  • Type notepad.exe in the search programs and files box and click Enter.
  • A blank Notepad page should open.
  • Copy/Paste the contents of the code box below into Notepad.
Code:

Start
C:\Windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}
C:\Windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\@
C:\Windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\L
C:\Windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\U
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
Replace: C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe C:\Windows\System32\services.exe
end


  • Save it to your USB flashdrive as fixlist.txt
>>  Boot into Recovery Environment


Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens ....
  •     Press the Fix button once and wait.
  •     FRST will process fixlist.txt
  •     When finished, it will produce a log fixlog.txt on your USB flashdrive.

    Next
  • >> Press Scan button and attach here fresh FRST.txt logreport.
>>  Exit out of Recovery Environment and post me the log please.

« Last Edit: August 18, 2012, 09:43:09 PM by magna86 »
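The fixlist above deletes the hidden GUID folder and the GAC Desktop.ini files and restores services.exe from the component store. Added here as an example, not part of magna86's post or of FRST: a PowerShell check to run from normal mode before and after the fix. It assumes 64-bit Windows 7 (the log line in this thread says os_version=6.1-x64-SP1), an elevated PowerShell 2.0 or later, and that it is run as the affected user so that $env:LOCALAPPDATA points at that profile; the folder GUID is the one quoted in the fixlist.

```powershell
# Added example, not part of the original thread. Run from an elevated 64-bit
# PowerShell in normal mode, before and after the FRST fix, to confirm that
# services.exe is genuine and that the Sirefef drop points from the fixlist are gone.
# Written for PowerShell 2.0 (Windows 7's default), so Get-FileHash is not used.

function Get-Sha256([string]$path) {
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $bytes = [System.IO.File]::ReadAllBytes($path)
    ([System.BitConverter]::ToString($sha.ComputeHash($bytes))) -replace '-', ''
}

$live = Join-Path $env:SystemRoot 'System32\services.exe'

# 1. Windows Resource Protection verifies the file against its catalog signature.
#    (Get-AuthenticodeSignature in PowerShell 2.0 ignores catalogs and would report NotSigned.)
#    sfc writes UTF-16 to stdout, so switch the console encoding while it runs.
$oldEnc = [Console]::OutputEncoding
[Console]::OutputEncoding = [System.Text.Encoding]::Unicode
& "$env:SystemRoot\System32\sfc.exe" "/verifyfile=$live"
[Console]::OutputEncoding = $oldEnc

# 2. Compare with the newest component-store copy, the file FRST's Replace: line restores.
#    The winsxs folder name carries the build number, so match it by wildcard.
$storeDir = Get-ChildItem "$env:SystemRoot\winsxs" |
    Where-Object { $_.PSIsContainer -and $_.Name -like 'amd64_microsoft-windows-s..s-servicecontroller_*' } |
    Sort-Object Name -Descending | Select-Object -First 1
if ($storeDir) {
    $pristine = Join-Path $storeDir.FullName 'services.exe'
    $h1 = Get-Sha256 $live
    $h2 = Get-Sha256 $pristine
    'System32 SHA-256 : {0}' -f $h1
    'WinSxS   SHA-256 : {0}  ({1})' -f $h2, $pristine
    if ($h1 -ne $h2) { '*** MISMATCH: System32\services.exe is not the component-store file' }
}

# 3. File-system indicators named in the fixlist: the bogus GUID folder (with its @, L and U
#    entries) under Windows\Installer and the user's AppData\Local, and Desktop.ini under the GAC.
$guid = '{3b99f81f-31d5-dbab-1bcf-87d0107a285a}'   # folder name taken from the FRST fixlist in this thread
$indicators = @(
    "$env:SystemRoot\Installer\$guid",
    "$env:LOCALAPPDATA\$guid",
    "$env:SystemRoot\assembly\GAC_32\Desktop.ini",
    "$env:SystemRoot\assembly\GAC_64\Desktop.ini"
)
foreach ($p in $indicators) {
    if (Test-Path -LiteralPath $p) {
        'PRESENT : {0}' -f $p
        # -Force lists hidden/system entries; access-denied errors are expected on a live infection
        Get-ChildItem -LiteralPath $p -Force -ErrorAction SilentlyContinue |
            ForEach-Object { '          {0}  {1}' -f $_.Attributes, $_.Name }
    } else {
        'absent  : {0}' -f $p
    }
}
```

On a healthy Windows 7 system, System32\services.exe and the current WinSxS entry are hard links to the same file, so identical hashes are the expected result; a mismatch means the file was replaced (the hard link broken), which is exactly the case the Replace: line repairs. A patch applied in place would change both links at once and is caught only by the sfc verification in step 1. Once the machine is clean, all four indicator paths should print "absent".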

Sonofnelak
Re: Sirefef-PL [RTK]
« Reply #12 on: August 18, 2012, 11:07:16 PM »
Alright, here's the new FRST.txt.

magna86
Re: Sirefef-PL [RTK]
« Reply #13 on: August 18, 2012, 11:15:45 PM »
First, I see avast & Comodo on your system.
Is Comodo just a firewall, or does it have an antivirus module too?


Download DDS and save it to your Desktop from here:
http://download.bleepingcomputer.com/sUBs/dds.scr

Double click dds to run the tool.

    * When done, DDS will open two (2) logs:
        1. DDS.txt
        2. Attach.txt

Save both reports to your desktop and attach DDS.txt and Attach.txt back to the topic.

Sonofnelak
Re: Sirefef-PL [RTK]
« Reply #14 on: August 18, 2012, 11:43:59 PM »
Alright, here's DDS.txt and Attach.txt.