Author Topic: Infected with Win32:Sirefef-HO [Rtk]  (Read 24416 times)


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Infected with Win32:Sirefef-HO [Rtk]
« Reply #45 on: March 13, 2012, 03:22:50 PM »
Did you run the batch file?

kinji

  • Guest
Re: Infected with Win32:Sirefef-HO [Rtk]
« Reply #46 on: March 13, 2012, 09:11:43 PM »
Yes, I sure did. I thought it helped; it hadn't redirected in a long time. It still does every so often, but not as bad as it used to.

Offline essexboy
Re: Infected with Win32:Sirefef-HO [Rtk]
« Reply #47 on: March 13, 2012, 09:13:48 PM »
Is it still the same sites - scour and hapii

kinji

  • Guest
Re: Infected with Win32:Sirefef-HO [Rtk]
« Reply #48 on: March 13, 2012, 09:17:00 PM »
It seems like it goes through a bunch of redirects to point me to relevant ads. I will screenshot it the next time it happens.
Thanks for your help.

Offline essexboy
Re: Infected with Win32:Sirefef-HO [Rtk]
« Reply #49 on: March 13, 2012, 09:18:23 PM »
Can you open the hosts file now at c:\windows\system32\drivers\etc?

kinji

  • Guest
Re: Infected with Win32:Sirefef-HO [Rtk]
« Reply #50 on: March 13, 2012, 10:16:03 PM »
Still no hosts file, just the same as the screenshot I previously attached.

Offline essexboy
Re: Infected with Win32:Sirefef-HO [Rtk]
« Reply #51 on: March 13, 2012, 10:31:43 PM »
Definitely something new here

Please RIGHT-CLICK HERE and Save As (in IE it's "Save Target As", in FF it's "Save Link As") to download Silent Runners.
  • Save it to the desktop.
  • Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
  • You will receive a prompt:
    Do you want to skip supplementary searches?
    Click NO.
  • If you receive an error, just click OK and double-click it to run it again - sometimes it won't run as it's supposed to the first time but will in subsequent runs.
  • You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
  • Once you receive the prompt "All Done!", open the text file on the desktop, copy that entire log, and paste it here.
*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

kinji

  • Guest
Re: Infected with Win32:Sirefef-HO [Rtk]
« Reply #52 on: March 13, 2012, 11:03:08 PM »
silent runner
« Last Edit: March 16, 2012, 05:05:48 AM by kinji »

Offline essexboy
Re: Infected with Win32:Sirefef-HO [Rtk]
« Reply #53 on: March 13, 2012, 11:32:42 PM »
Quote
C:\Windows\System32\drivers\etc\HOSTS

maps: 8 domain names to IP addresses,
      6 of the IP addresses are *not* localhost!
It is still there.

Let's check out the registry key to see where it really points to.

Run OTL, paste the following in the custom scan box and press Quick Scan:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath

kinji

  • Guest
Re: Infected with Win32:Sirefef-HO [Rtk]
« Reply #54 on: March 14, 2012, 12:59:08 AM »
OTL
« Last Edit: March 16, 2012, 05:06:01 AM by kinji »

kinji

  • Guest
Re: Infected with Win32:Sirefef-HO [Rtk]
« Reply #55 on: March 14, 2012, 02:12:04 AM »
Here is a redirect when I clicked reply -
« Last Edit: March 16, 2012, 05:06:12 AM by kinji »

Offline essexboy
Re: Infected with Win32:Sirefef-HO [Rtk]
« Reply #56 on: March 14, 2012, 01:43:17 PM »
Hmm, 'tis not hiding there.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

If you have Malwarebytes 1.6 or better installed, please disable it for the duration of this run.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    Quote
    :OTL
    DRV - [2012/03/10 17:28:18 | 000,061,440 | ---- | M] () [Kernel | Boot | Stopped] -- C:\Windows\system32\drivers\qofs.sys -- (esityaio)
    DRV - [2012/03/10 17:21:50 | 000,061,440 | ---- | M] () [Kernel | Boot | Stopped] -- C:\Windows\system32\drivers\mhlp.sys -- (gvjjxed)
    FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{1266764D-FC4F-4FA7-B63B-884D53B1680F}: C:\Users\Kinji\AppData\Roaming\NetAssistant\ [2011/03/28 19:49:16 | 000,000,000 | ---D | M]
    O1 - Hosts: 109.163.226.208 www.google-analytics.com.
    O1 - Hosts: 109.163.226.208 ad-emea.doubleclick.net.
    O1 - Hosts: 109.163.226.208 www.statcounter.com.
    O1 - Hosts: 67.215.245.19 www.google-analytics.com.
    O1 - Hosts: 67.215.245.19 ad-emea.doubleclick.net.
    O1 - Hosts: 67.215.245.19 www.statcounter.com.
    O3 - HKLM\..\Toolbar: (DAEMON Tools Toolbar) - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files (x86)\DAEMON Tools Toolbar\DTToolbar.dll ()
    O3:64bit: - HKCU\..\Toolbar\WebBrowser: (DAEMON Tools Toolbar) - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files (x86)\DAEMON Tools Toolbar\DTToolbar64.dll ()
    O3 - HKCU\..\Toolbar\WebBrowser: (DAEMON Tools Toolbar) - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files (x86)\DAEMON Tools Toolbar\DTToolbar.dll ()
    O4:64bit: - HKLM..\Run: [Firebird] File not found
    [2012/03/11 14:35:28 | 000,000,374 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts.ics
    [2012/03/10 17:28:18 | 000,061,440 | ---- | C] () -- C:\Windows\SysWow64\drivers\qofs.sys
    [2012/03/10 17:21:50 | 000,061,440 | ---- | C] () -- C:\Windows\SysWow64\drivers\mhlp.sys

    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [emptytemp]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
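The two checks essexboy works through in Reply #53 and Reply #56, as an added example that is not code from the thread, from Silent Runners or from OTL: parse a hosts file the way Silent Runners summarised it (count the mappings and how many are not localhost), list the mappings that steer a name to a routable address, rewrite the file without them (what the O1 lines in the OTL fix remove), and compare a Tcpip DataBasePath value against the Windows default to see whether name resolution has been pointed at a different directory from the one being inspected. The sample hosts text is constructed: the two addresses and three hostnames are the ones in the OTL log above, the loopback lines are assumed, and the registry values and environment are made up for the example.

```python
"""Added example, not code from the thread: hosts-file triage for Reply #53/#56.
Works on hosts text and a DataBasePath value passed in as strings, so it can be
run offline against a copy of the file taken from the suspect machine."""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample. The two non-loopback IPs and three hostnames are the O1
# lines from the OTL log in the thread; the loopback lines are assumed. Totals
# reproduce the Silent Runners summary: 8 mappings, 6 not localhost.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
127.0.0.1       localhost
::1             localhost
109.163.226.208 www.google-analytics.com
109.163.226.208 ad-emea.doubleclick.net
109.163.226.208 www.statcounter.com
67.215.245.19   www.google-analytics.com
67.215.245.19   ad-emea.doubleclick.net
67.215.245.19   www.statcounter.com
"""

# Default of HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath
DEFAULT_DATABASE_PATH = r"%SystemRoot%\System32\drivers\etc"

def _address(field):
    """The first field of a hosts line as an address object, or None."""
    try:
        return ipaddress.ip_address(field)
    except ValueError:
        return None

def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """(ip, hostname) pairs; '#' starts a comment, one pair per name on a
    line, names lower-cased with the trailing dot OTL prints removed."""
    pairs = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2 or _address(fields[0]) is None:
            continue
        pairs.extend((fields[0], name.rstrip(".").lower()) for name in fields[1:])
    return pairs

def summarize(pairs) -> Tuple[int, int]:
    """(mappings, mappings whose address is not loopback), as Silent Runners reports."""
    not_local = sum(1 for ip, _ in pairs if not ipaddress.ip_address(ip).is_loopback)
    return len(pairs), not_local

def hijacked_entries(pairs) -> List[Tuple[str, str]]:
    """Mappings to a routable address. Loopback or 0.0.0.0 only blackholes a
    name (ad-blocking hosts files do this); a public address sends the
    browser's requests for that name to someone else's server."""
    return [(ip, name) for ip, name in pairs if ipaddress.ip_address(ip).is_global]

def cleaned_hosts(text: str) -> str:
    """Hosts text without the lines that map to a routable address; comments,
    blank lines and loopback/blackhole entries are kept as written."""
    kept = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        addr = _address(fields[0]) if fields else None
        if addr is None or not addr.is_global:
            kept.append(raw)
    return "\n".join(kept) + "\n"

def expand_windows_vars(value: str, env: Dict[str, str]) -> str:
    """Expand %NAME% against env, case-insensitively as Windows does; unknown
    names are left as written."""
    lookup = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%", lambda m: lookup.get(m.group(1).lower(), m.group(0)), value)

def database_path_redirected(value: str, env: Dict[str, str]) -> bool:
    """True if the expanded DataBasePath is not the default etc directory
    (case and a trailing backslash ignored, as the resolver ignores them)."""
    expected = expand_windows_vars(DEFAULT_DATABASE_PATH, env).lower().rstrip("\\")
    actual = expand_windows_vars(value, env).lower().rstrip("\\")
    return actual != expected

if __name__ == "__main__":
    pairs = parse_hosts(SAMPLE_HOSTS)
    total, not_local = summarize(pairs)
    print(f"maps: {total} domain names to IP addresses, {not_local} not localhost")
    for ip, name in hijacked_entries(pairs):
        print(f"  hijacked: {name} -> {ip}")
    env = {"SystemRoot": r"C:\Windows"}  # assumed environment for the example
    for value in (DEFAULT_DATABASE_PATH, r"C:\Windows\Temp\etc"):
        print(f"DataBasePath {value!r} redirected: {database_path_redirected(value, env)}")
```

Because the parser takes the file contents as a string, it can be run over a copy taken from offline boot media when, as in this thread, the live system hides the file from Explorer or refuses the write that the fix needs. hosts.ics in the same directory (which the OTL fix above also removes) uses the same format and can be fed to parse_hosts as well. The distinction between loopback/0.0.0.0 and a public address matters for the verdict: an ad-blocking hosts file also produces many "not localhost" lines, but those blackhole a name, whereas the entries here send every hit on google-analytics, doubleclick and statcounter to two public servers, which is what produces the redirect chain through ad networks that kinji describes.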

kinji

  • Guest
Re: Infected with Win32:Sirefef-HO [Rtk]
« Reply #57 on: March 14, 2012, 02:54:36 PM »
OTL ERROR:
Cannot create file c:\windows\system32\divers\etc\Hosts.

Offline essexboy
Re: Infected with Win32:Sirefef-HO [Rtk]
« Reply #58 on: March 14, 2012, 03:09:19 PM »
Quote
O1 - Hosts: 109.163.226.208 www.google-analytics.com.
O1 - Hosts: 109.163.226.208 ad-emea.doubleclick.net.
O1 - Hosts: 109.163.226.208 www.statcounter.com.
O1 - Hosts: 67.215.245.19 www.google-analytics.com.
O1 - Hosts: 67.215.245.19 ad-emea.doubleclick.net.
O1 - Hosts: 67.215.245.19 www.statcounter.com.
Remove the above lines then; I was trying to sneak up on it.

kinji

  • Guest
Re: Infected with Win32:Sirefef-HO [Rtk]
« Reply #59 on: March 14, 2012, 03:31:13 PM »
OTL's
« Last Edit: March 16, 2012, 05:06:29 AM by kinji »