Had removed win32sirefef ZT from friend NEED HELP WITH MINE NOW

[rperkins0911]

I had currently went through and removed the above virus from my friends computer and had so far he hasnt had any issues yet. Took alot of time and help with forums and posting logs. Now my computer has been acting up horribly yet nothing I find will find the said virus on my computer. I did have an issue with a hack tool bar. I seemed to have aggrivated it as it had changed system file routes and took permissions and I am unsure if remote hack was used. I went in and changed all of my remote setting to disabled and took system control from them so that they couldnt be altered by possibly hacked system files. From that point I have not had issues with things being altered or changed in my cmputer. I need to figure out what exactly I ned to do to rid myself of gunk that was in my computer. At the time of infection I was using avast home edition and then put norton on and that as well is not finding anything. I currently use malware bytes and this program is what origionally pointed out the problem but now is not reading anything. I have uninstalled it and reinstalled it to make sure that the files werent altered. still nothing and i run it as admin.

all files edited as ansi

[suspicious][/suspicious]

[Asyn]

Please attach your logs. (AdwCleaner, MBAM, OTL and aswMBR..!!)
Instructions: http://forum.avast.com/index.php?topic=53253.0

[rperkins0911]

Please attach your logs. (AdwCleaner, MBAM, OTL and aswMBR..!!)
Instructions: http://forum.avast.com/index.php?topic=53253.0

All are attatched

[essexboy]

Hi what problems are you experiencing ?

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  
  

Code: [Select]

:OTL
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://search.certified-toolbar.com?si=41460&bs=true&tid=2937&q={searchTerms}
IE - HKU\S-1-5-21-996506892-1362797573-2999848284-1001\..\SearchScopes\{1D0CA9BE-371B-4907-9298-D45AD51D0F9D}: "URL" = http://search.certified-toolbar.com?si=41460&bs=true&tid=2937&q={searchTerms}
IE - HKU\S-1-5-21-996506892-1362797573-2999848284-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.certified-toolbar.com?si=41460&tid=2937&bs=true&q=
IE - HKU\S-1-5-21-996506892-1362797573-2999848284-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://search.certified-toolbar.com?si=41460&tid=2937&bs=true&q=
IE - HKU\S-1-5-21-996506892-1362797573-2999848284-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://search.certified-toolbar.com?si=41460&tid=2937&bs=true&q=
IE - HKU\S-1-5-21-996506892-1362797573-2999848284-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Default_Page_URL = http://search.certified-toolbar.com?si=41460&home=true&tid=2937
IE - HKU\S-1-5-21-996506892-1362797573-2999848284-1003\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://search.certified-toolbar.com?si=41460&tid=2937&bs=true&q=
IE - HKU\S-1-5-21-996506892-1362797573-2999848284-1003\SOFTWARE\Microsoft\Internet Explorer\Search,Search Bar = http://search.certified-toolbar.com?si=41460&tid=2937&bs=true&q=
IE - HKU\S-1-5-21-996506892-1362797573-2999848284-1003\SOFTWARE\Microsoft\Internet Explorer\Search,Search Page = http://search.certified-toolbar.com?si=41460&tid=2937&bs=true&q=
IE - HKU\S-1-5-21-996506892-1362797573-2999848284-1003\SOFTWARE\Microsoft\Internet Explorer\Search,Start Default_Page_URL = http://search.certified-toolbar.com?si=41460&home=true&tid=2937
IE - HKU\S-1-5-21-996506892-1362797573-2999848284-1003\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = http://search.certified-toolbar.com?si=41460&home=true&tid=2937
IE - HKU\S-1-5-21-996506892-1362797573-2999848284-1003\..\URLSearchHook: {7473b6bd-4691-4744-a82b-7854eb3d70b6} - No CLSID value found
IE - HKU\S-1-5-21-996506892-1362797573-2999848284-1003\..\SearchScopes\{1D0CA9BE-371B-4907-9298-D45AD51D0F9D}: "URL" = http://search.certified-toolbar.com?si=41460&bs=true&tid=2937&q={searchTerms}
O2 - BHO: (no name) - MRI_DISABLED - No CLSID value found.
O3 - HKU\S-1-5-21-996506892-1362797573-2999848284-1001\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-996506892-1362797573-2999848284-1001\..\Toolbar\WebBrowser: (no name) - {7473B6BD-4691-4744-A82B-7854EB3D70B6} - No CLSID value found.
O3 - HKU\S-1-5-21-996506892-1362797573-2999848284-1003\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-996506892-1362797573-2999848284-1003\..\Toolbar\WebBrowser: (no name) - {7473B6BD-4691-4744-A82B-7854EB3D70B6} - No CLSID value found.

:Files
C:\Windows\tasks\At*.job

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

[rperkins0911]

Hi what problems are you experiencing ?

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  
  

Code: [Select]

:OTL
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://search.certified-toolbar.com?si=41460&bs=true&tid=2937&q={searchTerms}
IE - HKU\S-1-5-21-996506892-1362797573-2999848284-1001\..\SearchScopes\{1D0CA9BE-371B-4907-9298-D45AD51D0F9D}: "URL" = http://search.certified-toolbar.com?si=41460&bs=true&tid=2937&q={searchTerms}
IE - HKU\S-1-5-21-996506892-1362797573-2999848284-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.certified-toolbar.com?si=41460&tid=2937&bs=true&q=
IE - HKU\S-1-5-21-996506892-1362797573-2999848284-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://search.certified-toolbar.com?si=41460&tid=2937&bs=true&q=
IE - HKU\S-1-5-21-996506892-1362797573-2999848284-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://search.certified-toolbar.com?si=41460&tid=2937&bs=true&q=
IE - HKU\S-1-5-21-996506892-1362797573-2999848284-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Default_Page_URL = http://search.certified-toolbar.com?si=41460&home=true&tid=2937
IE - HKU\S-1-5-21-996506892-1362797573-2999848284-1003\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://search.certified-toolbar.com?si=41460&tid=2937&bs=true&q=
IE - HKU\S-1-5-21-996506892-1362797573-2999848284-1003\SOFTWARE\Microsoft\Internet Explorer\Search,Search Bar = http://search.certified-toolbar.com?si=41460&tid=2937&bs=true&q=
IE - HKU\S-1-5-21-996506892-1362797573-2999848284-1003\SOFTWARE\Microsoft\Internet Explorer\Search,Search Page = http://search.certified-toolbar.com?si=41460&tid=2937&bs=true&q=
IE - HKU\S-1-5-21-996506892-1362797573-2999848284-1003\SOFTWARE\Microsoft\Internet Explorer\Search,Start Default_Page_URL = http://search.certified-toolbar.com?si=41460&home=true&tid=2937
IE - HKU\S-1-5-21-996506892-1362797573-2999848284-1003\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = http://search.certified-toolbar.com?si=41460&home=true&tid=2937
IE - HKU\S-1-5-21-996506892-1362797573-2999848284-1003\..\URLSearchHook: {7473b6bd-4691-4744-a82b-7854eb3d70b6} - No CLSID value found
IE - HKU\S-1-5-21-996506892-1362797573-2999848284-1003\..\SearchScopes\{1D0CA9BE-371B-4907-9298-D45AD51D0F9D}: "URL" = http://search.certified-toolbar.com?si=41460&bs=true&tid=2937&q={searchTerms}
O2 - BHO: (no name) - MRI_DISABLED - No CLSID value found.
O3 - HKU\S-1-5-21-996506892-1362797573-2999848284-1001\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-996506892-1362797573-2999848284-1001\..\Toolbar\WebBrowser: (no name) - {7473B6BD-4691-4744-A82B-7854EB3D70B6} - No CLSID value found.
O3 - HKU\S-1-5-21-996506892-1362797573-2999848284-1003\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-996506892-1362797573-2999848284-1003\..\Toolbar\WebBrowser: (no name) - {7473B6BD-4691-4744-A82B-7854EB3D70B6} - No CLSID value found.

:Files
C:\Windows\tasks\At*.job

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

I'm running the scan on my desktop right now. I have been had many registry issues. The day before yesterday my computer was cycling instead of starting. I had to put a rescue disk in to turn all of my windows start processes back on before my computer would start. It's become laggy and freezes up on my Internet as well as an abnormally high amount of CPU usage for my computer. As well as this I've had file paths be changed where I had to use the rescue disk to gain permission of files to prevent program files and system files to be routed to my desktop, and lastly when showing hidden files I have many desktop.ini files thought my c drive. None of this began until the night after I fixed my cousins computer. Could it been transferred through files on my jump drive? This seems a lot more complex than the win 32 I combated.

[Pondus]

Could it been transferred through files on my jump drive?

recomended program  http://amf.mycity.rs/mcshield/
Install and forget.....wait until essexboy is done first

[rperkins0911]

For whatever reason after running that scan i was unable to post ,y results using internet explorer64 bit that i normally use regularily to upload schoolwork.

[rperkins0911]

Could it been transferred through files on my jump drive?

recomended program  http://amf.mycity.rs/mcshield/
Install and forget.....wait until essexboy is done first

I appreciate it! I am normally pretty good and being able to get rid of these thing but this thing I just don't get. normally my virus protection automatically scans for issues reguarding anything that is put in or plugged into my computer but for whatever reason (most likely my brother) it was disabled and I didn't think to check it until it was too late and my comp was showing signs of infection. although they did stop after I completely disabled my remote assistance processes

[essexboy]

What error do you get ?

[rperkins0911]

ive been getting an error saying my hp assistant can not load. I've gotten an error about drivers. alot of access denied errors. When it came to my internet explorer it just isnt allowing me to upload anything. Doesnt give me an error.

what in particaular are you talking about?

[essexboy]

I think the first thing we need to do is repair some of the problems you may have inadvertently caused

Download  Windows Repair (all in one)  from this site

Install the programme then run



Go to step 3 and allow it to run SFC



On the start repairs tab click start


Select the following  items and tick restart system when finished

[rperkins0911]

I also had a question reguarding my system properties in folder. Why is it in some folders there is only:
SYSTEM
Ross Family (RossFamily-HP\Ross Family)
Administrators (RossFamily-HP\Administrators)

and then others that have or have had extra hidden files in them have:
SYSTEM
Home Users (Ross Family-HP\HomeUsers)              <----This one when I initally open system properties shows a red question mark that quickly changes to one little person for the icon. ( the other three icons are two people side by side) not sure if the icons make a difference. and then there is
Ross Family (RossFamily-HP\Ross Family)
Administrators (RossFamily-HP\Administrators)

[essexboy]

Could you give a screenshot of that please

[rperkins0911]

Could you give a screenshot of that please

how do I upload a print screen on this?

[rperkins0911]

ok the hidden desktop ini are in my pictures folder. there is a copy of the security properties. Ross Family is the only user in this com. and the hidden microsoft word folder is in my school folder and I just created that document last night in preparation for an assignment.