Help: Win32:Trojan-gen, Win32:Sirefef-AAO[Trj] & now Win32:Malware-gen

[adhawan]

Hello,

I have the same problem as RAZ. Installed Combo fix and ran it. I've attached the output txt file for your review.

Any further guidance you can give me would be hugely appreciated!

BIG THANKS!
Ankur

[mikaelrask]

hey you should start your own topic instead of hijack already started 

then follow this guide and attach your logs. a malware expert will gladly help you from there.

http://forum.avast.com/index.php?topic=53253.0


Magna86. no it was nothing else just wanna be kind a nd welcome you back to the forum seens i have not seen you online in a few weeks.

[magna86]

Magna86. no it was nothing else just wanna be kind a nd welcome you back to the forum seens i have not seen you online in a few weeks.

 

@mikaelrask
I'm a little preoccupied with some personal obligations, but I'm still following avast threads&topics.

But I'm somehow missed this one...

@adhawan
Please delete current copy of Combofix (just drog&drop to recucle bin ) and download fresh one.

Please re-run Combofix and attach here fresh Combofix.txt log.
And tell me how is you computer running now?

[adhawan]

@ mikaelrask
Sorry mate, thought it made sense posting here, as the RAZ had the same issue. Will post under new threads in the future.

@ magna86
Thanks. Uninstalled Combofix, and downloaded and ran the new one. Attached the new log to this thread. After the first run, loads of stuff was cleaned up, and AVAST stopped detecting the 3 trojans: Win32:Trojan-gen, Win32:Sirefef-AAO[Trj] & Win32:Malware-gen. Computer runs much faster now and generally no problems. However the new run seems to have detected some more problems. Not sure what it’s all about, and what I should be doing now! Any advise would be much appreciated.

Many thanks in advance.
Ankur

[magna86]

Hi,

It is necessary to uninstall ComboFix :

• Click Start (or ) then Run.
  
  
  On Windows7 or Vista you may use Start Search field if Run is not available.
  
  
• In the line of text type in (Copy) the following:

Code: [Select]

ComboFix /Uninstall
Note that there is a space between " ComboFix " and " /Uninstall " .

• then click OK (or press Enter ).

Wait for the uninstall process is complete.


***********************



Download OTL from one of the following links:

• Download link1
  
• Download link2
  

Remember to save it on your Desktop.

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• Paste this into Custom Scans/Fixes box at the bottom
  
  
  Code: [Select]
  
:files
c:\users\adhawana\AppData\Local\Avg2013

:reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"FAStartup"=-

:commands
[CREATERESTOREPOINT]
[emptytemp]

  • Click the Run Fix button.
    
    • Let the program run unhindered; it will reboot the system when it is done and open notepad with logreport. Attach here that logreport.
  ****************************
  
  
  Your system is clean now. How is your computer running now?
  

[adhawan]

Hi magna86,

Amazing, thank for you so much for your continued support, and super quick responses. Really appreciate it!

I did as you advised - Uninstalled Combofix, and then got OTL, and ran it with the code you provided. Rebooted, and attached the log to this thread. The computer has been running just fine. Since the first Combofix in fact, and continues to do so now.

Let me know if I need to do anything else.

Best regards,
Ankur

[magna86]

I think we are done here. 

> Re-run OTL and click on CleanUp! button.

You will be asked to reboot the machine to finish the cleanup process, choose Yes.
After the reboot all the tools we used should be gone.
Note: Some more recently created tools may not yet be removed by OTL. Feel free to manually delete any tools it leaves behind.


======================================


I recommended to use Malwarebytes Anti-Malware.
http://www.malwarebytes.org/


I also recommended to use MCShield if you will.
You may download it from one of the following links:

MyCity -  Official download link
Softpedija - Mirror download link

It will prevent infection by computer via USB flash drive, mobile phone or any other memory card.
And not only will prevent infection, but it will immediately clean flash drive, memory card or external HDD.



These two free software can be a great assistance to your current antivirus.


Be safe 

[adhawan]

Hey Bro! Amazing. I can't thank you enough for all your help and patient advice.

If there is anyway I can help (reviews or rating or some such) please do let me know.

Thanks again!

Best,
Ankur

[Mike2235]

I'm sorry to sound so ignorant but I am getting the distinct feeling that trying to remove the "Win32:Sirefef-AOO[Trj]"virus is not a simple process. There is no single program to download that will rid my computer of this virus. Is that correct?
Since I do not feel comfortable doing some of the things described by many of the respondents, should I take it to a computer "specialist"?
Would that be the safest way? (Normally I would have my son handle this but he lives three hours away)

[magna86]

Mike, the problem is that rootkit does not just set&install some of his files as loading points. Antivirus/antimalware know thouse files but they cannot easily delete thouse.
Why? The trick is that this malware also patching some system file (it patching Service Control Manager's executable file). Patched file should not be deleted
because file is system file and used by the OS. It is necessary to find a legitimate copy of the file and replace with patched-one.
(just to note that even the replacement is not simple procedure)
And here arises the problem for AV/AM.

So it's not just enough to locate and try to do some violent deletion of thouse files (malware loading points) because the file system is still infected with patching one and malware on reboot continues to live.
Some tools have been updated and they have learned where to find a legitimate copy of the file with some Heuristic and triying to perform the replacement (if they even succeed).

But if a rootkit hiding a legitimate file to a different location or AV/AM does not know where to find or even there is no a valid copy of the legitimate file on the system... 
...without this type of malware removal and scripting is generally not possible to completely (or fully) disinfect malware and then remove thouse loading points.


---------------------


If you need help with malware removal, you need to open a new thread and follow this instructions:
http://forum.avast.com/index.php?topic=53253.0

[magna86]

@adhawan

Your wellcome  Glad to help.