Author Topic: Sirefef-PL [RTK]  (Read 13442 times)


Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Sirefef-PL [RTK]
« Reply #15 on: August 19, 2012, 12:08:14 AM »
Ok, there is no active malware. However, we still need to fix something that the ZA rootkit messed up ...



Download Comodo Uninstaller tool:

Info:
https://forums.comodo.com/install-setup-configuration-help-cis/uninstaller-tool-for-comodo-products-t71897.0.html

Download:
https://sites.google.com/site/jacobcprt/Setup.zip?attredirects=0


---------------------------------


Let's try to finish this case with ComboFix, shall we?  :)

Delete the current ComboFix and download a fresh ComboFix from here to your Desktop!
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Temporarily disable avast antivirus. Argus has written how to do it.

  • Click Start, then Run.
    On Windows 7 or Vista you may use the Start Search field if Run is not available.

  • In the text line, type in (or copy) the following:
Code:
"%userprofile%\desktop\ComboFix.exe" /KillAll
  • then click OK (or press Enter).
ComboFix will re-run. Wait for the scan process to complete and attach the ComboFix.txt log here.

Sonofnelak

  • Guest
Re: Sirefef-PL [RTK]
« Reply #16 on: August 19, 2012, 01:02:48 AM »
I followed the instructions to disable avast. When I ran ComboFix I got a warning message alerting me that avast was still running. What should I do?

Offline magna86

Re: Sirefef-PL [RTK]
« Reply #17 on: August 19, 2012, 01:27:43 AM »
I followed the instructions to disable avast. When I ran ComboFix I got a warning message alerting me that avast was still running. What should I do?

If you have disabled avast then just ignore the ComboFix warning ;)

Sonofnelak

Re: Sirefef-PL [RTK]
« Reply #18 on: August 19, 2012, 06:17:41 AM »
Alright got that settled. Here's the ComboFix Log.

Offline magna86

Re: Sirefef-PL [RTK]
« Reply #19 on: August 19, 2012, 08:22:49 AM »
We are almost done:



Step1
  • Download AdwCleaner (by Xplode) to your desktop.
  • Launch it, click on [Search] and wait for the scan.
  • When the scan ends, a notepad with the report will appear.
  • Click on [Delete]. Wait for the programme to complete its work.
    The program will close all active programs. Click OK to confirm that.
    On the next two windows that open ( Informations and Restart required ) click OK.

  • The computer will restart and open a notepad ( C:\AdwCleaner[S1].txt ) with the report.
  • Save the notepad report on the Desktop.
  • Please attach C:\AdwCleaner[S1].txt here.
Note: The report will also be stored at C:\AdwCleaner[S1].txt


**********************


Step2


Open notepad and copy/paste the text present inside the code box below:


Code:

SkipFix::

RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a3,26,f0,eb,eb,b2,78,47,ae,ae,cf,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a3,26,f0,eb,eb,b2,78,47,ae,ae,cf,\
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)



Save this as CFScript.txt



Close all browser windows.

Referring to the screenshot above, drag CFScript.txt onto ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you. I don't need that log.
Feel free to go to Step3.



****************************



Step3





It is necessary to uninstall ComboFix:
  • Click Start, then Run.
    On Windows 7 or Vista you may use the Start Search field if Run is not available.

  • In the text line, type in (or copy) the following:
Code:
ComboFix /Uninstall
    Note that there is a space between " ComboFix " and " /Uninstall " .

  • then click OK (or press Enter).
    Wait for the uninstall process to complete.


******************************



>> How is your computer running now?  8)



--------------------------------------



There are some leftovers... you may remove them with AppRemover. You may do it later, but do it ;)

You may download AppRemover (~ 6MB) to your Desktop.
Run it by double-clicking.

Click Next, choose the second option (Clean Up a Failed Uninstall), confirm with Continue, go to Next, wait for it to finish, choose what it finds, scan and remove it by clicking on Next.
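As an added example (not part of magna86's post, and not ComboFix's own code), the PowerShell below lists the Deny entries on the registry keys named in the RegLock:: section of the CFScript above, which is what that section asks ComboFix to lock down. The key list is copied from the script; everything else is assumed. Run it from an elevated PowerShell 3 or later prompt. A key whose ACL cannot be read at all is reported rather than thrown, because a deny entry for Everyone can block READ_CONTROL as well. A deny entry is not by itself a sign of infection: the Flash Player CLSID keys listed here routinely carry one on clean systems, so compare the identity and rights against what the ComboFix log showed.

```powershell
# Added example, not from the original thread or from ComboFix.
# Lists Deny ACEs on the registry keys named in the CFScript RegLock:: section.
# Requires PowerShell 3+ and an elevated prompt. Key list copied from the script.
$keys = @(
    'HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\User Preferences',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}',
    'HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security'
)

function Get-RegistryDenyEntries {
    param([string[]]$KeyPaths)
    foreach ($k in $KeyPaths) {
        try {
            # The Registry:: prefix lets Get-Acl address any hive without a PSDrive.
            $acl = Get-Acl -Path "Registry::$k" -ErrorAction Stop
        } catch {
            # A deny ACE for Everyone can block READ_CONTROL itself, so an
            # unreadable ACL is a finding in its own right, not a script error.
            [pscustomobject]@{ Key = $k; Identity = '-'; Rights = '-'; Note = "ACL unreadable: $($_.Exception.Message)" }
            continue
        }
        $deny = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
        if ($deny.Count -eq 0) {
            [pscustomobject]@{ Key = $k; Identity = '-'; Rights = '-'; Note = 'no deny entries' }
            continue
        }
        foreach ($ace in $deny) {
            [pscustomobject]@{
                Key      = $k
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.RegistryRights.ToString()   # FullControl, SetValue, CreateSubKey, ...
                Note     = "owner=$($acl.Owner); inherited=$($ace.IsInherited)"
            }
        }
    }
}

Get-RegistryDenyEntries -KeyPaths $keys | Format-Table -AutoSize -Wrap
```

Read the Owner column together with the Rights column: a key owned by an unexpected account with FullControl denied to Everyone is worth a closer look, while a narrow deny on SetValue or CreateSubKey owned by an administrative account is the usual self-protection pattern. Removing an entry needs ownership of the key first, so do that with the tool the helper prescribes rather than by hand.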


Sonofnelak

Re: Sirefef-PL [RTK]
« Reply #20 on: August 19, 2012, 10:27:00 PM »
Alright, here's AdwCleaner[S1]. My computer's working quite well, no problems as far as I can see. Are there any further steps?

Offline magna86

Re: Sirefef-PL [RTK]
« Reply #21 on: August 19, 2012, 10:40:40 PM »
Yes, I wish to check something.

Please re-run FSS and attach a fresh FSS.txt log.

Sonofnelak

Re: Sirefef-PL [RTK]
« Reply #22 on: August 20, 2012, 07:36:43 PM »
Alright, here's the FSS file.

Offline magna86

Re: Sirefef-PL [RTK]
« Reply #23 on: August 20, 2012, 07:43:33 PM »
Download this file:
https://www.dropbox.com/s/z4okz2emva35hwg/BITS7.reg?m

Double-click to run it and click on Yes/OK. Reboot your computer. That's it. We are done.


Sonofnelak

Re: Sirefef-PL [RTK]
« Reply #24 on: August 20, 2012, 09:25:26 PM »
What am I supposed to do with the file? I assume I downloaded the correct thing, I clicked the link and got a text document called BITS7.reg. What comes next?

Sonofnelak

Re: Sirefef-PL [RTK]
« Reply #25 on: August 20, 2012, 11:02:19 PM »
I'm not sure what I'm supposed to be doing.

Sonofnelak

Re: Sirefef-PL [RTK]
« Reply #26 on: August 20, 2012, 11:59:14 PM »
You're still tracking my posts right? You didn't just stop after you said you were finished did you? Because I have no idea what to do with this text file.

Sonofnelak

Re: Sirefef-PL [RTK]
« Reply #27 on: August 21, 2012, 12:14:00 AM »
Am I supposed to run it with another program?

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37612
  • Not a avast user
Re: Sirefef-PL [RTK]
« Reply #28 on: August 21, 2012, 08:31:53 AM »
You're still tracking my posts right? You didn't just stop after you said you were finished did you? Because I have no idea what to do with this text file.
Patience..... he will be back.

The man also has a life, sleep, etc. etc.

Offline magna86

Re: Sirefef-PL [RTK]
« Reply #29 on: August 21, 2012, 01:16:26 PM »
@Sonofnelak
-The only thing you need to do is to download that file ( BITS7.reg ) to your desktop.
-Double-click to run the file. You will get a pop-up window with a warning about editing the registry. Just click on the Yes or OK button.
-Reboot Windows.
-That's it. No more steps, just that...  :)

Do not forget to uninstall ComboFix for some post-cleaning.


Then, re-run OTL and click on the CleanUp button. OTL will ask to reboot Windows.
After the reboot all the tools we used should be gone.
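As an added example (not part of the thread, and not the contents of BITS7.reg, which the page does not show), the PowerShell below re-checks, after the reboot, the service configuration that a Farbar Service Scanner (FSS) log reports: whether each service key exists, its start type, which binary or ServiceDll it points at, and whether that file is present and carries a valid Authenticode signature. The service list is an assumption based on what FSS covers; run it from an elevated PowerShell 3 or later prompt.

```powershell
# Added example, not from the original thread. Re-checks the services that an
# FSS log reports after the BITS7.reg import and reboot. Requires PowerShell 3+.
# Service list is an assumption; add or remove names to match your FSS log.
$services  = 'BITS', 'wuauserv', 'WinDefend', 'MpsSvc', 'BFE', 'EventSystem', 'SharedAccess'
$startName = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-ServiceHealth {
    param([string[]]$Names)
    foreach ($name in $Names) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        if (-not (Test-Path $key)) {
            # A deleted service key is exactly what a .reg fix like BITS7.reg puts back.
            [pscustomobject]@{ Service = $name; Status = 'KEY MISSING'; Start = '-'; Binary = '-'; Signature = '-' }
            continue
        }
        $cfg = Get-ItemProperty -Path $key
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        # svchost-hosted services keep their real code in Parameters\ServiceDll,
        # so check that rather than the shared svchost.exe in ImagePath.
        $dll    = (Get-ItemProperty -Path "$key\Parameters" -ErrorAction SilentlyContinue).ServiceDll
        $binary = if ($dll) { $dll } else { $cfg.ImagePath }
        # Strip quotes and arguments, expand %SystemRoot% etc., so the file can be located.
        $file = [Environment]::ExpandEnvironmentVariables(($binary -replace '^"?([^"]+?\.(exe|dll))"?.*$', '$1'))
        $sig  = if (Test-Path $file) { (Get-AuthenticodeSignature -FilePath $file).Status } else { 'FILE MISSING' }
        [pscustomobject]@{
            Service   = $name
            Status    = if ($svc) { $svc.Status } else { 'not registered with SCM' }
            Start     = $startName[[int]$cfg.Start]
            Binary    = $file
            Signature = $sig   # Valid expected; HashMismatch or a missing file on a system DLL is a finding
        }
    }
}

Get-ServiceHealth -Names $services | Format-Table -AutoSize -Wrap
```

On older PowerShell builds Get-AuthenticodeSignature does not consult the Windows catalog, so a catalog-signed system DLL can show NotSigned there; confirm such a result with Sysinternals sigcheck before treating it as tampering. A HashMismatch, or a ServiceDll that points outside the Windows directory, is the kind of result to post back to the helper rather than fix by hand.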