Author Topic: SIREFEF and malware  (Read 11076 times)


sarahk1225

  • Guest
SIREFEF and malware
« on: August 16, 2012, 10:45:33 PM »
I see that there are other posts regarding these viruses, but I don't know very much about computers and don't know if I should follow the directions given to those posters or not, since we have different computers. (?)
Anyway, problems started a week after I installed AVG Free edition. I have since uninstalled it and its components (I think) and installed Avast instead, but every 5 or 10 seconds I am being warned of these 2 main threats: Win32:Sirefef-AHF
Please help me! This is my boyfriend's computer and I feel awful about ruining it :(

MBAM log:

Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.16.10

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Matt :: MATT-PC [administrator]

Protection: Enabled

8/16/2012 1:34:52 PM
mbam-log-2012-08-16 (13-34-52).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 197625
Time elapsed: 3 minute(s), 24 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Windows\Installer\{792f4199-0b73-e2f4-7b46-706eb422a6b8}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.
C:\Windows\Installer\{792f4199-0b73-e2f4-7b46-706eb422a6b8}\U\000000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.

(end)





Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: SIREFEF and malware
« Reply #1 on: August 16, 2012, 10:51:50 PM »
Monitoring  8)

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: SIREFEF and malware
« Reply #2 on: August 16, 2012, 11:04:15 PM »
Hi,
I will be working on your Malware issues  ;)


Multiple Antivirus Programs

You are running more than 1 Antivirus program!


AV: AVAST Software
AV: AVG Technologies



Running more than one antivirus program is not recommended because:
  1. They can conflict with each other.
  2. One may report the other antivirus software as malicious.
  3. Antivirus programs use an enormous amount of the computer's resources while actively scanning your computer.
  4. They can cause your computer to become unstable, run slowly and even, in rare cases, BSOD crash, etc.
I strongly suggest you uninstall one of them. Which one is your decision.


Then, download the uninstaller tool for the antivirus that you decide to remove from here:
http://singularlabs.com/uninstallers/security-software/




*******************************

Removal - step1



Download AVZ Antiviral Toolkit from the following link:

http://support.kaspersky.com/downloads/utils/avz4.zip

  • Extract the archive to a folder.
  • Run AVZ (double click on icon);

  • Click on File > Custom Scripts ;

  • In the new window that opens, Copy/Paste everything inside the field code:



    Code:

    begin
    ShowMessage('AVZ will automatically close all network connections' + #13#10 + 'After the computer restarts the network connection will be restored automatically');
    ExecuteFile('net.exe', 'stop tcpip /y', 0, 15000, true);
    if not IsWOW64
    then
      begin
       SearchRootkit(true, true);
       SetAVZGuardStatus(True);
      end;
    QuarantineFile('C:\Windows\assembly\GAC_32\Desktop.ini','');
    QuarantineFile('C:\Windows\assembly\GAC_64\Desktop.ini','');
    QuarantineFile('C:\Windows\Installer\{792f4199-0b73-e2f4-7b46-706eb422a6b8}\U\00000008.@','');
    QuarantineFile('C:\Windows\Installer\{792f4199-0b73-e2f4-7b46-706eb422a6b8}\U\80000064.@','');
    QuarantineFile('C:\Windows\Installer\{792f4199-0b73-e2f4-7b46-706eb422a6b8}\L\00000004.@','');
    QuarantineFile('C:\Windows\Installer\{792f4199-0b73-e2f4-7b46-706eb422a6b8}\@','');
    QuarantineFile('C:\Users\Matt\AppData\Local\{792f4199-0b73-e2f4-7b46-706eb422a6b8}\@','');
    DeleteFile('C:\Windows\assembly\GAC_32\Desktop.ini');
    DeleteFile('C:\Windows\assembly\GAC_64\Desktop.ini');
    DeleteFile('C:\Windows\Installer\{792f4199-0b73-e2f4-7b46-706eb422a6b8}\U\00000008.@');
    DeleteFile('C:\Windows\Installer\{792f4199-0b73-e2f4-7b46-706eb422a6b8}\U\80000064.@');
    DeleteFile('C:\Windows\Installer\{792f4199-0b73-e2f4-7b46-706eb422a6b8}\L\00000004.@');
    DeleteFile('C:\Windows\Installer\{792f4199-0b73-e2f4-7b46-706eb422a6b8}\@');
    DeleteFile('C:\Users\Matt\AppData\Local\{792f4199-0b73-e2f4-7b46-706eb422a6b8}\@');
    DeleteFileMask('C:\Windows\Installer\{792f4199-0b73-e2f4-7b46-706eb422a6b8}', '*', true);
    DeleteFileMask('C:\Users\Matt\AppData\Local\{792f4199-0b73-e2f4-7b46-706eb422a6b8}', '*', true);
    DeleteFileMask('%Tmp%' , '*.*' , true) ;
    DeleteDirectory('C:\Windows\Installer\{792f4199-0b73-e2f4-7b46-706eb422a6b8}');
    DeleteDirectory('C:\Users\Matt\AppData\Local\{792f4199-0b73-e2f4-7b46-706eb422a6b8}');
    BC_ImportAll;
    ExecuteSysClean;
    BC_Activate;
    RebootWindows(true);
    end.


    • Click Run and wait for the script to execute.
    ****************************

    Step 2


    Re-run OTL, click on Run Scan and attach a fresh OTL.txt log here.
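Added example, not code from this thread, from AVZ or from Malwarebytes: the AVZ script above targets a fixed set of paths (a random-GUID folder under C:\Windows\Installer with U\ and L\ subfolders holding 8-hex-digit ".@" files, the same GUID folder under the user's AppData\Local, and Desktop.ini files dropped into GAC_32/GAC_64). The Python below parses the "Files Detected" lines from an MBAM log in the layout of the first post, classifies each path against those shapes, and derives the GUID root folders that the script's DeleteDirectory lines remove. The sample log lines are constructed from the paths in the thread; the pattern names are my own labels, not anything the tools emit.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the layout of the MBAM "Files Detected" section posted
# in the thread (the two paths are the ones it reports).
SAMPLE_MBAM_LINES = (
    "Files Detected: 2\n"
    "C:\\Windows\\Installer\\{792f4199-0b73-e2f4-7b46-706eb422a6b8}\\U\\00000008.@ "
    "(Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.\n"
    "C:\\Windows\\Installer\\{792f4199-0b73-e2f4-7b46-706eb422a6b8}\\U\\000000cb.@ "
    "(Rootkit.0Access) -> Quarantined and deleted successfully.\n"
)

GUID = r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}"
DRIVE = r"^[a-z]:\\"

# Path shapes the thread's AVZ script quarantines (labels are my own).
ZEROACCESS_PATTERNS = {
    "installer_payload": re.compile(
        DRIVE + r"windows\\installer\\" + GUID + r"\\[ul]\\[0-9a-f]{8}\.@$", re.I),
    "installer_root": re.compile(
        DRIVE + r"windows\\installer\\" + GUID + r"\\@$", re.I),
    "appdata_payload": re.compile(
        DRIVE + r"users\\[^\\]+\\appdata\\local\\" + GUID
        + r"\\(?:[ul]\\[0-9a-f]{8}\.)?@$", re.I),
    "gac_desktop_ini": re.compile(
        DRIVE + r"windows\\assembly\\gac_(?:32|64)\\desktop\.ini$", re.I),
}

# One MBAM detection line: <path> (<detection name>) -> <action>
MBAM_FILE_LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) \((?P<name>[^()]+)\) -> (?P<action>.+)$")


@dataclass
class Detection:
    path: str
    name: str
    action: str


def parse_mbam_files_detected(text: str) -> list:
    """Return the Detection entries found in an MBAM log's file lines."""
    found = []
    for line in text.splitlines():
        m = MBAM_FILE_LINE.match(line.strip())
        if m:
            found.append(Detection(m["path"], m["name"], m["action"]))
    return found


def classify_path(path: str) -> Optional[str]:
    """Name the ZeroAccess-style path shape a file path matches, or None."""
    for label, pattern in ZEROACCESS_PATTERNS.items():
        if pattern.match(path):
            return label
    return None


def zeroaccess_guid_dirs(paths) -> set:
    """Derive the GUID-named root folders (the DeleteDirectory targets in the
    AVZ script) from any file paths that match a GUID-folder shape."""
    roots = set()
    root_re = re.compile(r"^(.*?" + GUID + ")", re.I)
    for p in paths:
        if classify_path(p) in ("installer_payload", "installer_root", "appdata_payload"):
            m = root_re.match(p)
            if m:
                roots.add(m.group(1))
    return roots


if __name__ == "__main__":
    hits = parse_mbam_files_detected(SAMPLE_MBAM_LINES)
    for h in hits:
        print(f"{h.name:25} {classify_path(h.path)}  {h.path}")
    print("GUID folders to review:", zeroaccess_guid_dirs(h.path for h in hits))
```

The point of deriving the folder from the log rather than typing it is that the GUID differs on every infected machine; a helper script that copies a fix from another thread (the worry in the first post) would delete nothing. The GAC Desktop.ini entries carry no GUID, so they are flagged individually and not folded into a folder root.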

sarahk1225

  • Guest
Re: SIREFEF and malware
« Reply #3 on: August 17, 2012, 03:57:32 AM »
Hi! thanks for helping!
I thought I uninstalled AVG and all of its components?! Uh-oh. Can you see that in the logs I posted? I want to keep Avast so I will try the steps you listed, but I am still confused about having AVG on the comp still...I mean, I removed it BECAUSE I think the virus came from it since this computer had been used for over a year with no antivirus software on it, and one week after AVG is installed is when the craziness begins!

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37700
Re: SIREFEF and malware
« Reply #4 on: August 17, 2012, 08:21:54 AM »
Run the AVG removal tool so that all leftover files are gone.

http://singularlabs.com/uninstallers/security-software/

sarahk1225

  • Guest
Re: SIREFEF and malware
« Reply #5 on: August 17, 2012, 08:33:09 AM »
Ok, so I ran the AVG removal tool again...a couple of times, actually. Still not sure if all traces of it are gone though.
The new Log is attached :)

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: SIREFEF and malware
« Reply #6 on: August 17, 2012, 01:48:40 PM »
OK, I will remove the AVG remains...


Step1


  • Run AVZ (double click on icon);

  • Click on File > Custom Scripts ;

  • In the new window that opens, Copy/Paste everything inside the field code:



Code:

begin
ExecuteFile('net.exe', 'stop tcpip /y', 0, 15000, true);
if not IsWOW64
then
  begin
   SearchRootkit(true, true);
   SetAVZGuardStatus(True);
  end;
StopService('avgtp');
DeleteService('avgtp');
QuarantineFile('C:\Windows\SysNative\drivers\avgtpx64.sys','');
DeleteFile('C:\Windows\SysNative\drivers\avgtpx64.sys');
QuarantineFile('C:\Program Files (x86)\Yontoo\YontooIEClient.dll','');
DeleteFile('C:\Program Files (x86)\Yontoo\YontooIEClient.dll');
DelBHO('{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}');
DelBHO('{95B7759C-8C7F-4BF1-B163-73684A933233}');
DelBHO('{31332EEF-CB9F-458F-AFEB-D30E9A66B6BA}');
QuarantineFile('C:\Users\Matt\Documents\AVGInstLog.cab','');
DeleteFile('C:\Users\Matt\Documents\AVGInstLog.cab');
DeleteFileMask('C:\Program Files (x86)\AVG', '*', true);
DeleteFileMask('C:\Users\Matt\AppData\Local\AVG Secure Search', '*', true);
DeleteFileMask('C:\Program Files (x86)\Yontoo', '*', true);
DeleteDirectory('C:\Program Files (x86)\AVG');
DeleteDirectory('C:\Users\Matt\AppData\Local\AVG Secure Search');
DeleteDirectory('C:\Program Files (x86)\Yontoo');
DeleteFileMask('%Tmp%' , '*.*' , true) ;
BC_ImportDeletedList;
BC_Activate;
ExecuteSysClean;
RebootWindows(true);
end.



  • Click Run and wait for the script to execute.
**********************************
Step2



> Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works, please read this guide carefully.
Note: ComboFix must be downloaded to your Desktop.

> Temporarily disable your antivirus program.
If you are unsure how to do this, please read these instructions.

How to disable avast:

  • Right-click on the avast! icon in the lower right corner of the screen and choose Open avast! User Interface.
  • In the window that opens, in the top right corner, click Settings.
  • In the new window that opens, choose the option Troubleshooting, uncheck Enable avast! self-defense, and click OK.

  • Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls.
  • In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.
Note: Do not forget to turn this option back on after the cleaning.



> Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.

ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.

If the Recovery Console is not installed, ComboFix will offer to download and install it.
Click Yes to allow ComboFix to install the Recovery Console.
Note: Do not mouse-click ComboFix's window while it is running.


> When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt)
  Attach the log report (ComboFix.txt) back to the topic.




« Last Edit: August 17, 2012, 01:52:55 PM by magna86 »

sarahk1225

  • Guest
Re: SIREFEF and malware
« Reply #7 on: August 17, 2012, 06:43:38 PM »
I followed the steps exactly...now I can't click on anything (including the internet) to send the log to you. I get a bunch of crazy messages saying they have been removed. I am using a diff computer now. Did Combofix kill my computer?? :(

sarahk1225

  • Guest
Re: SIREFEF and malware
« Reply #8 on: August 17, 2012, 06:47:51 PM »
Everything I try to click on now (even Combofix) says "illegal operation on a registry key that has been marked for deletion"
OMG...please help. Now I'm really freaking out...

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: SIREFEF and malware
« Reply #9 on: August 17, 2012, 07:42:45 PM »
Did you try to restart your computer?  :)
Don't freak out, just reboot your computer and the error will be gone.
Attach C:\ComboFix.txt here.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37700
Re: SIREFEF and malware
« Reply #10 on: August 17, 2012, 07:54:23 PM »
magna......maybe you should have in the instructions "reboot twice" after combofix run     ;)

sarahk1225

  • Guest
Re: SIREFEF and malware
« Reply #11 on: August 17, 2012, 07:56:31 PM »
LOL...all is well. Freaking out is good sometimes because the feeling you have when you realize it's fine after all is f***ing AMAZING!
Okay, the reboot went great but the log is gone. Can I rerun ComboFix? I searched the entire computer for that log. Should have Ctrl-C'd first, huh?
 :-[

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: SIREFEF and malware
« Reply #12 on: August 17, 2012, 08:07:09 PM »
Quote from: sarahk1225
LOL...all is well. Freaking out is good sometimes because the feeling you have when you realize it's fine after all is f***ing AMAZING!

Admit it, I've saved you  ;D
I don't want to scare you again with ComboFix (I think we will not need CF anymore), so just do the following.

    Re-run OTL. Make sure all other windows are closed and to let it run uninterrupted.
       
  • Click on Scan All Users
     
  • Paste this into Custom Scans/Fixes box at the bottom

Code:

netsvcs
drives
%SYSTEMDRIVE%\*.exe
/md5start
services.*
/md5stop
CREATERESTOREPOINT

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
           
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
               
    • Please attach them in this thread.

sarahk1225

  • Guest
Re: SIREFEF and malware
« Reply #13 on: August 17, 2012, 08:21:29 PM »
You totally saved me.
Is there a bowing/subservient emoticon for this? lmao :D
I jumped the gun and ran combo again before i read your reply. Attached is the log...
and soon I will do the other steps (at work now, so my attention is incremental. lol sorry)

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: SIREFEF and malware
« Reply #14 on: August 17, 2012, 08:31:08 PM »
Hehe, you are some brave girl...  :D
No need for OTL now  :)

Malware has been removed. Just some quick fixes...


Open notepad and copy/paste the text present inside the code box below:


Code:

Folder::
C:\$AVG
c:\program files (x86)\Yontoo
c:\program files (x86)\Common Files\AVG Secure Search

Driver::
vToolbarUpdater12.2.0;

ClearJavaCache::

RegLockDel::
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]

RegLock::
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)




Save this as CFScript.txt



Close all browser windows.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt)
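Added example, not code from this thread or from ComboFix: the RegLock:: section above is a dump of registry keys that ComboFix reports as carrying explicit ACL entries (the "@Denied:" / "@Allowed:" lines, with the access mask in the first parentheses and the principal in the second). The keys shown in this thread are Flash, Office and modem-class keys, which is the point of reading the dump: a reviewer has to separate ordinary self-protection ACLs from keys nobody legitimate should have locked. The Python below parses that format into one record per key and lists the keys where Everyone is denied. The sample block is constructed from four keys in the thread's CFScript; the record layout is my own.

```python
import re

# Constructed sample in the layout of ComboFix's RegLock:: dump, taken from
# four of the keys in the thread's CFScript.
SAMPLE_REGLOCK = """\
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{A483C63A-CDBC-426E-BF93-872502E8144E}\\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Class\\{4D36E96D-E325-11CE-BFC1-08002BE10318}\\0000\\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\PCW\\Security]
@Denied: (Full) (Everyone)
"""

KEY_LINE = re.compile(r"^\[(?P<key>.+)\]$")
ACL_LINE = re.compile(r"^@(?P<kind>Denied|Allowed): \((?P<mask>[^)]*)\) \((?P<who>[^)]*)\)$")
# Value line: either the default value (@=...) or a quoted name ("Name"=...).
VALUE_LINE = re.compile(r'^(?:(?P<default>@)|"(?P<name>[^"]+)")=(?P<data>.+)$')


def parse_reglock_block(text: str) -> dict:
    """Map each key path to {'acl': [(kind, mask, principal), ...],
    'values': {name: data}}; '.' lines are the dump's key separators."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = KEY_LINE.match(line)
        if m:
            current = keys.setdefault(m["key"], {"acl": [], "values": {}})
            continue
        if current is None:
            continue  # data before any key header: ignore
        m = ACL_LINE.match(line)
        if m:
            current["acl"].append((m["kind"], m["mask"], m["who"]))
            continue
        m = VALUE_LINE.match(line)
        if m:
            name = "@" if m["default"] else m["name"]
            current["values"][name] = m["data"]


    return keys


def keys_denied_to_everyone(text: str) -> list:
    """Keys that carry at least one Denied entry for the Everyone principal."""
    return [
        key for key, rec in parse_reglock_block(text).items()
        if any(kind == "Denied" and who == "Everyone" for kind, _, who in rec["acl"])
    ]


if __name__ == "__main__":
    for key in keys_denied_to_everyone(SAMPLE_REGLOCK):
        print("locked for Everyone:", key)
```

A key with a Deny for Everyone but a legitimate owner (here the Flash broker CLSID) is exactly the case where a reviewer checks the default value and LocalServer32 path before deciding anything; the parser keeps the values alongside the ACL entries for that reason.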