Help: Win32:Trojan-gen, Win32:Sirefef-AAO[Trj] & now Win32:Malware-gen

[Raz89]

Hi

I have recently received warnings from Avast! regarding the above three types of Virus. I have read through the Logs to assist in cleaning malware and have run the software and got the log files. It seems to have disabled my ability to run Windows update and also to turn on Windows Firewall and I would love some help with this. I would usually just download Malware Bytes, SpyBot and a few other programs and just have a shot myself but I have just bought a new computer so I'd like to get it done right.

I have downloaded ComboFix onto my desktop as well in preparation that I may need it but reading through some of the other posts it looks as though it is quite powerful so I don't think I want to be playing with it without some expert knowledge first.

Attached are the log files that I have attained. One that didn't open was Extras.txt when I ran OTL, and I am unsure of why that is. Anyways here they are, I hope these are all that are needed but if you require any further information please just ask.

Thanks so much in advance and I hope that someone can help me with this super annoying problem.

Cheers
Jarrod

[Raz89]

Hi

I just found the Extras.txt log file so I'll add it into the list. Sorry. Been a long day and I've got my tired eyes on.

Cheers
Jarrod

[mikaelrask]

hey and welcome to the forum. thanks for attaching the necessary logs. a malware expert will guide you from here.

[magna86]

@Raz89
Hello and wellcome to avast 

• I will be working on your Malware issues this may or may not solve other issues you have with your machine.
• The fixes are specific to your problem and should only be used for this issue on this machine.
• If you don't know or understand something, please don't hesitate to ask.
  
• Please refrain from making any further changes to your computer (Install/Uninstall programs, delete files, edit the registry, etc...)
• Please DO NOT run any other tools or scans whilst I am helping you.
  
• It is important that you reply to this thread. Do not start a new topic.
• Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
• Absence of symptoms does not mean that everything is clear.

*****************************


> Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.

> Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this or this Instruction.

How to disable avast:

• Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
  
• In the window that opens on the top right corner, click Settings.
  
• In a new window that opens, choose the option Troubleshooting, Uncheck Enable avast! self-defense, and click OK.
  
  
• Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls .
  
• In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn on this option after the cleaning.



> Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note:Do not mouse-click Combofix's window while it is running.
If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion" just restart computer once more.


> When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt )
  Attach log reports ( ComboFix.txt) back to topic.

[mikaelrask]

welcome back magna86 

[Raz89]

Thanks very much. I am at work at current and don't have access to the infected computer but I will go home at lunch time and run ComboFix and attach the log file for you. Thanks again for your reply and I look forward to working with you to fix this issue.

Cheers
Jarrod

[Raz89]

Hi

I have run Combo Fix fully with Avast! turned off as per your instructions. I am not 100% sure but it looks as though it may have fixed the problem (fingers crossed) although I won't assume anything and will let you decide whether or not it is fixed. Attached is the log that Combo Fix produced. I hope this can allow you to give me some good news, if not we'll see where we go from here.

Cheers
Jarrod

[magna86]

@mikaelrask

 
Thank you for nice words. But I'm always here, if nothing else, watching from background. 


@Raz89
The main work is done. This is now just polishing.
Also, we checking some deleted files, if they are legitimate we have to restore them. 

Open notepad and copy/paste the text present inside the code box below:

Code: [Select]


Folder::
c:\windows\Installer\{c0689ee4-1979-c1cb-dac6-97c6d8bbc156}

ClearJavaCache::
 
FileLook::
C:\Qoobox\Quarantine\c\windows\TEMP\Temporary ASP.NET Files\root\7e973a63\6fd0db9\App_Code.0neyz3el.dll.vir
C:\Qoobox\Quarantine\c\windows\TEMP\Temporary ASP.NET Files\root\7e973a63\6fd0db9\assembly\dl3\ef939465\00f465cb_3a95cc01\WinTVExtender.EXE.vir



Save this as CFScript.txt



Close all browser windows and refering to the picture above.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt )

[Raz89]

Magna86

Done and done. Ran Combo Fix again using the script with anti-virus etc turned off. Attached is the log that it produced.

Cheers
Jarrod

[magna86]

Hi,

Can you please go to mediafire.com or speedyshare.com (or some other filesharing site) and upload to me

C:\Qoobox\Quarantine <-- folder

Attach here download link.

-------------
When you upload Quarantine folder, follow this to restore leght files.


Open notepad and copy/paste the text present inside the code box below:

Code: [Select]

DeQuarantine::
C:\Qoobox\Quarantine\c\windows\TEMP\Temporary ASP.NET Files\root\7e973a63\6fd0db9\App_Code.0neyz3el.dll.vir
C:\Qoobox\Quarantine\c\windows\TEMP\Temporary ASP.NET Files\root\7e973a63\6fd0db9\App_Code.clbjghxr.dll.vir
C:\Qoobox\Quarantine\c\windows\TEMP\Temporary ASP.NET Files\root\7e973a63\6fd0db9\assembly\dl3\ef939465\00f465cb_3a95cc01\WinTVExtender.EXE.vir
Quit::



Save this as CFScript.txt



Close all browser windows and refering to the picture above.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt )

[Raz89]

Hi again

I've uploaded the folder and also re-run Combo Fix with the script provided. Attached is the link to the folder contents and also the log file.

Quarantine Folder -->

Thanks heaps for all of this. I would never have been able to work all this out myself.

Cheers
Jarrod

[magna86]

Ok, i've got the link. Please edit now your post and just remove download link for quarantine folder (remove mediafire download link ).


> How's your computer running now?

[Raz89]

Hi Magna

Yeah the computer seems to be running fine. Avast! hasn't picked up either of the 3 files, or any others for that matter, since running all of your above suggestions. It seems like it may be infection free (fingers crossed). Thanks heaps for that mate. If I could plus one you I'd be all over that. Can't thank you enough. I definitely can't call myself a computer genius but I am far from uneducated, but without your help on this I would have been stumped. My best attempt would have been to run MalwareBytes and then SpyBot search and destroy (programs I used to use on my old Comp to fix malware etc. Your help certainly exceeded that!

Thanks again and I will definitely be in contact again if anything goes astray. Let me know if you think of anything else that I should/could have done to stop them in the first place.

Cheers for everything.
Jarrod

[magna86]

I'm glad to hear that 
Let's remove used tools and do some post-cleaning. 


It is necessary to uninstall ComboFix :

• Click Start (or ) then Run.
  
  
  On Windows7 or Vista you may use Start Search field if Run is not available.
  
  
• In the line of text type in (Copy) the following:

Code: [Select]

ComboFix /Uninstall

Note that there is a space between " ComboFix " and " /Uninstall " .

• then click OK (or press Enter ).

Wait for the uninstall process is complete.


******************


> Re-run OTL and click on CleanUp! button.

You will be asked to reboot the machine to finish the cleanup process, choose Yes.
After the reboot all the tools we used should be gone.
Note: Some more recently created tools may not yet be removed by OTL. Feel free to manually delete any tools it leaves behind.



*******************


I recommended to use MCShield if you will.
You may download MCShield from one of the following links:

MyCity -  Official download link
Softpedija - Mirror download link

It will prevent infection by computer via USB flash drive, mobile phone or any other memory card.
And not only will prevent infection, but it will immediately clean flash drive, memory card or external HDD.


...be safe  ;)

[Raz89]

Magna86

Thanks again for everything. All programs have now been unistalled and I have installed MCShield. Thanks for the advice and hopefully you won't see me on here with any more Malware or virus problems for a long time. Your help has been outstanding. Quick, concise and complete. It's good to know that there are people like you out there , people who help to fix and remove the crap that others put out there to access people's computers without permission . Many congrats to you. 

Cheers
Jarrod