

Trojan.Sirefef

Hello, I noticed a problem with my computer today. I was getting some redirects when accessing the internet. I did an update on my Malwarebytes and then ran a quick scan. It showed 19 items which it quarantined and deleted, but then I ran a second complete scan and got the message of the Trojan.Sirefef. The two scans are attached.
Thanks!!
1. Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org
Database version: v2012.07.10.09
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
davidcore2 :: DAVIDCORE2-PC [administrator]
7/10/2012 9:21:04 AM
mbam-log-2012-07-10 (09-21-04).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 241538
Time elapsed: 7 minute(s), 56 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 17
HKCR\CLSID\{147A976F-EEE1-4377-8EA7-4716E4CDD239} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0004479.BHO (PUP.CrossFire.Gen) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0004479.BHO.1 (PUP.CrossFire.Gen) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0004479.FBApi (PUP.CrossFire.Gen) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0004479.FBApi.1 (PUP.CrossFire.Gen) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0004479.Sandbox (PUP.CrossFire.Gen) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0004479.Sandbox.1 (PUP.CrossFire.Gen) -> Quarantined and deleted successfully.
HKCU\Software\Cr_Installer\4479 (Adware.GamePlayLab) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\INSTALLEDBROWSEREXTENSIONS\215 APPS (PUP.CrossFire.SA) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110011441179} (PUP.GamePlayLab) -> Quarantined and deleted successfully.
HKCR\CLSID\{11111111-1111-1111-1111-110011441179} (PUP.GamePlayLab) -> Quarantined and deleted successfully.
HKCR\TypeLib\{44444444-4444-4444-4444-440044444479} (PUP.GamePlayLab) -> Quarantined and deleted successfully.
HKCR\Interface\{55555555-5555-5555-5555-550055445579} (PUP.GamePlayLab) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{11111111-1111-1111-1111-110011441179} (PUP.GamePlayLab) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{11111111-1111-1111-1111-110011441179} (PUP.GamePlayLab) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11111111-1111-1111-1111-110011441179} (PUP.GamePlayLab) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110011441179} (PUP.GamePlayLab) -> Quarantined and deleted successfully.
Registry Values Detected: 1
HKCU\Software\InstalledBrowserExtensions\215 Apps|4479 (PUP.CrossFire.SA) -> Data: Giant Savings -> Quarantined and deleted successfully.
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 1
C:\Program Files (x86)\Giant Savings\Giant Savings.dll (PUP.GamePlayLab) -> Quarantined and deleted successfully.
(end)



2. Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org
Database version: v2012.07.10.09
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
davidcore2 :: DAVIDCORE2-PC [administrator]
7/10/2012 12:55:08 PM
mbam-log-2012-07-10 (12-55-08).txt
Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 1123773
Time elapsed: 2 hour(s), 48 minute(s), 30 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 1
D:\My Old 60GB Drive\WINDOWS\SYSTEM32\DRIVERS\NVAX9X.SYS (Trojan.Sirefef) -> Quarantined and deleted successfully.
(end)
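One way to triage logs in this format, as an added example written for this page (not code from the thread's posts or from Malwarebytes): a Python parser for the MBAM 1.x detection lines shown above. The sample input is constructed from lines copied out of the two logs; the malware-family list, the assumption that C: is the booted volume, and all function names are mine. It separates PUP/adware noise from malware-class hits and records whether a file hit sits on the booted volume or on another drive, which changes how urgent a hit is: a driver file on an old, non-booted volume such as D:\My Old 60GB Drive\WINDOWS\... is not loaded by the running system, whereas the same file under C:\Windows\System32\drivers would be.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Sample input in the Malwarebytes Anti-Malware 1.x log format, constructed from
# detection lines copied out of the two logs in this thread.
SAMPLE_LOG = r"""
Registry Keys Detected: 2
HKCR\CLSID\{147A976F-EEE1-4377-8EA7-4716E4CDD239} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\Software\Cr_Installer\4479 (Adware.GamePlayLab) -> Quarantined and deleted successfully.
Registry Values Detected: 1
HKCU\Software\InstalledBrowserExtensions\215 Apps|4479 (PUP.CrossFire.SA) -> Data: Giant Savings -> Quarantined and deleted successfully.
Folders Detected: 0
(No malicious items detected)
Files Detected: 2
C:\Program Files (x86)\Giant Savings\Giant Savings.dll (PUP.GamePlayLab) -> Quarantined and deleted successfully.
D:\My Old 60GB Drive\WINDOWS\SYSTEM32\DRIVERS\NVAX9X.SYS (Trojan.Sirefef) -> Quarantined and deleted successfully.
(end)
"""

# "<Section> Detected: <n>" headers and "<item> (<Detection.Name>) -> <action>" lines.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+?) Detected: (?P<count>\d+)$")
DETECTION_RE = re.compile(r"^(?P<item>.+) \((?P<name>[A-Za-z0-9_.]+)\) -> (?P<rest>.+)$")

# Assumed split between real malware and merely unwanted software; the prefixes
# follow the Malwarebytes naming seen in the thread (PUP., Adware., Trojan.).
MALWARE_FAMILIES = {"Trojan", "Rootkit", "Backdoor", "Worm", "Exploit"}
REGISTRY_SECTIONS = {"Registry Keys", "Registry Values", "Registry Data Items"}


@dataclass
class Detection:
    section: str   # e.g. "Files", "Registry Keys"
    item: str      # file path or registry location
    name: str      # e.g. "Trojan.Sirefef"
    action: str    # e.g. "Quarantined and deleted successfully."

    @property
    def family(self) -> str:
        return self.name.split(".", 1)[0]

    @property
    def is_malware(self) -> bool:
        return self.family in MALWARE_FAMILIES

    def on_live_volume(self, system_drive: str = "C:") -> bool:
        """Registry hits always belong to the running system; file and folder
        hits only if they sit on the boot volume (assumed to be C: here, as the
        ComboFix log further down the thread shows)."""
        if self.section in REGISTRY_SECTIONS:
            return True
        return self.item.upper().startswith(system_drive.upper())


def parse_mbam_log(text: str):
    """Return (detections, expected_counts) for one MBAM 1.x log."""
    detections, expected, section = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            expected[section] = int(m.group("count"))
            continue
        m = DETECTION_RE.match(line)
        if m and section is not None:
            # Registry-value lines carry "Data: ... -> <action>"; the action is
            # always the last arrow-separated field.
            action = m.group("rest").rsplit(" -> ", 1)[-1]
            detections.append(Detection(section, m.group("item"), m.group("name"), action))
    return detections, expected


def counts_consistent(detections, expected) -> bool:
    """Cross-check the parsed lines against the per-section counts MBAM printed."""
    found = Counter(d.section for d in detections)
    return all(found.get(sec, 0) == n for sec, n in expected.items())


def triage(detections, system_drive: str = "C:") -> dict:
    """Separate unwanted-software noise from malware, and malware on the booted
    volume from hits on a secondary (for example old, non-booted) drive."""
    malware = [d for d in detections if d.is_malware]
    return {
        "total": len(detections),
        "families": dict(Counter(d.family for d in detections)),
        "not_cleaned": [d.item for d in detections if "successfully" not in d.action],
        "malware_on_live_volume": [d.item for d in malware if d.on_live_volume(system_drive)],
        "malware_on_other_volume": [d.item for d in malware if not d.on_live_volume(system_drive)],
    }


if __name__ == "__main__":
    dets, expected = parse_mbam_log(SAMPLE_LOG)
    print("counts match MBAM summary:", counts_consistent(dets, expected))
    for key, value in triage(dets).items():
        print(f"{key}: {value}")
```

Run against the constructed sample, the parser reports three PUP hits, one Adware hit and one Trojan hit, all cleaned, with the single malware-class item on a volume other than C:. The `counts_consistent` check matters when logs are pasted by hand, as in this thread: a mismatch between the "Detected: n" headers and the lines below them means lines were lost in copying.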

Re: Trojan.Sirefef
Also, here is the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:45:22 PM, on 7/11/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v8.00 (8.00.7601.17514)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\PrinterShare\paConsole.exe
C:\Users\davidcore2\AppData\Roaming\Smilebox\SmileboxTray.exe
C:\Program Files (x86)\Tango\Tango.exe
C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files (x86)\LG Soft India\EasySetPackage\bin\EasySetPackage.exe
C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files (x86)\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files (x86)\Nova Development\Photo Explosion\4.0\ReminderApp.exe
C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Garmin\Lifetime Updater\GarminLifetime.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Program Files (x86)\LG Soft India\EasySetPackage\bin\TestDDCCI.exe
C:\Program Files (x86)\LG Soft India\EasySetPackage\bin\TestDDCCI.exe
C:\Windows\SysWOW64\NOTEPAD.EXE
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://isearch.avg.com/?cid={0097FB4A-97CC-41B1-AA09-9DF1C6300DB8}&mid=f56fbdf8fea547d0bd14d168c3f4e136-774740bc110510fb2ff01ffde0be0c931ca602db&lang=en&ds=ft011&pr=sa&d=2012-07-07 21:47:12&v=11.1.0.12&sap=hp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {bde6f3a2-2ce8-4430-94e0-cd4ce39eeb0d} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [AddressBookReminderApp] C:\Program Files (x86)\Nova Development\Photo Explosion\4.0\ReminderApp.exe
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Garmin Lifetime Updater] C:\Program Files (x86)\Garmin\Lifetime Updater\GarminLifetime.exe /StartMinimized
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ISUSPM Startup] C:\PROGRA~2\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKCU\..\Run: [PrinterShare] C:\Program Files (x86)\PrinterShare\paConsole.exe -minimized
O4 - HKCU\..\Run: [SmileboxTray] "C:\Users\davidcore2\AppData\Roaming\Smilebox\SmileboxTray.exe"
O4 - HKCU\..\Run: [Tango] C:\Program Files (x86)\Tango\Tango.exe -r
O4 - HKCU\..\Run: [Google Update] "C:\Users\davidcore2\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ElevatedDiagnostics] rundll32.exe
O4 - HKCU\..\Run: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [ElevatedDiagnostics] rundll32.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1142693848-1022031478-3082097540-1003\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'UpdatusUser')
O4 - HKUS\S-1-5-21-1142693848-1022031478-3082097540-1003\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'UpdatusUser')
O4 - HKUS\S-1-5-18\..\Run: [ElevatedDiagnostics] rundll32.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ElevatedDiagnostics] rundll32.exe (User 'Default user')
O4 - Startup: PMCRemoteLauncher.lnk = C:\Users\davidcore2\AppData\Local\Pinnacle\TVC\Tools\PMCRemoteCtrl.exe
O4 - Global Startup: EasySetPackage.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files (x86)\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O16 - DPF: Garmin Communicator Plug-In - https://static.garmincdn.com/gcp/ie/4.0.1.0/GarminAxControl_32.CAB
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://72.215.137.17:8091/activex/AMC.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://rsvpn.raytheon.com/dana-cached/sc/JuniperSetupClient.cab
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\ProgramData\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intuit Update Service v4 (IntuitUpdateServiceV4) - Intuit Inc. - C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 13708 bytes

Re: Trojan.Sirefef
Hello and welcome to GeekPolice.Net. My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*****************************************************************
Download Security Check by screen317 from one of the following links and save it to your desktop.

Link 1
Link 2

* Double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.

Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
***************************************************
Download ComboFix from any of the links below, and save it to your DESKTOP.

Link 1
Link 2
Link 3

To prevent your anti-virus application interfering with ComboFix we need to disable it. See here for a tutorial regarding how to do so if you are unsure.

  • Close any open windows and double click ComboFix.exe to run it.

    You will see the following image:

[image: NSIS_disclaimer_ENG]

Click I Agree to start the program.

ComboFix will then extract the necessary files and you will see this:

[image: NSIS_extraction]

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7.

It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

If you did not have it installed, you will see the prompt below. Choose YES.

[image: RcAuto1]

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image: Whatnext]

Click on Yes, to continue scanning for malware.

When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please Do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

Re: Trojan.Sirefef
Results of screen317's Security Check version 0.99.42
Windows 7 Service Pack 1 x64 (UAC is disabled!)
Internet Explorer 8 Out of date!
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
AntiVir Desktop
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
VAT-Spy
Malwarebytes Anti-Malware version 1.61.0.1400
Java(TM) 6 Update 30
Java version out of Date!
Adobe Reader X (10.1.3)
Google Chrome 19.0.1084.56
Google Chrome 20.0.1132.47
````````Process Check: objlist.exe by Laurent````````
Avira Antivir avgnt.exe
Avira Antivir avguard.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````

ComboFix log to follow in next post

Re: Trojan.Sirefef

ComboFix log:

ComboFix 12-07-11.03 - davidcore2 07/11/2012 22:16:23.1.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4095.2111 [GMT -4:00]
Running from: c:\users\davidcore2\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
D:\install.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-06-12 to 2012-07-12 )))))))))))))))))))))))))))))))
.
.
2012-07-12 02:21 . 2012-07-12 02:21 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-07-12 02:21 . 2012-07-12 02:21 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-11 21:45 . 2012-07-11 21:45 388096 ----a-r- c:\users\davidcore2\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-07-11 21:45 . 2012-07-11 21:45 -------- d-----w- c:\program files (x86)\Trend Micro
2012-07-08 01:53 . 2012-07-08 01:58 -------- d-----w- c:\users\davidcore2\AppData\Roaming\Nero
2012-07-08 01:51 . 2012-07-10 13:45 -------- d-----w- c:\program files (x86)\AskTBar
2012-07-08 01:50 . 2012-07-08 01:51 -------- d-----w- c:\program files (x86)\Nero
2012-07-08 01:50 . 2012-07-08 01:52 -------- d-----w- c:\program files (x86)\Common Files\Nero
2012-07-08 01:50 . 2012-07-08 01:51 -------- d-----w- c:\programdata\Nero
2012-07-08 01:45 . 2012-07-08 01:45 -------- d--h--w- c:\programdata\Common Files
2012-07-08 01:45 . 2012-07-08 01:45 -------- d-----w- c:\users\davidcore2\AppData\Local\Giant Savings
2012-07-08 01:45 . 2012-07-10 13:43 -------- d-----w- c:\program files (x86)\Giant Savings
2012-06-21 22:21 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-21 22:21 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-21 22:21 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-21 22:21 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-21 22:21 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-21 22:21 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-21 22:21 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-21 22:21 . 2012-06-02 19:19 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-21 22:21 . 2012-06-02 19:15 36864 ----a-w- c:\windows\system32\wuapp.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-11 21:37 . 2012-05-27 06:50 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-07-11 21:37 . 2011-07-01 13:27 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-05-31 04:04 . 2012-07-10 13:14 9013136 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{55957BA4-E16E-40B3-B6D2-5A8BF5F78242}\mpengine.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-07-06 39408]
"ISUSPM Startup"="c:\progra~2\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-04-17 196608]
"PrinterShare"="c:\program files (x86)\PrinterShare\paConsole.exe" [2011-09-08 1124352]
"SmileboxTray"="c:\users\davidcore2\AppData\Roaming\Smilebox\SmileboxTray.exe" [2012-05-15 325448]
"Tango"="c:\program files (x86)\Tango\Tango.exe" [2011-11-04 13489992]
"MobileDocuments"="c:\program files (x86)\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 59240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"ISUSScheduler"="c:\program files (x86)\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"AddressBookReminderApp"="c:\program files (x86)\Nova Development\Photo Explosion\4.0\ReminderApp.exe" [2009-09-04 144672]
"ArcSoft Connection Service"="c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-27 207424]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
"Garmin Lifetime Updater"="c:\program files (x86)\Garmin\Lifetime Updater\GarminLifetime.exe" [2012-01-06 1446760]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-03-27 421736]
.
c:\users\davidcore2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
PMCRemoteLauncher.lnk - c:\users\davidcore2\AppData\Local\Pinnacle\TVC\Tools\PMCRemoteCtrl.exe [2011-7-9 54544]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
EasySetPackage.lnk - c:\program files (x86)\LG Soft India\EasySetPackage\bin\EasySetPackage.exe [2011-9-12 159744]
Kodak EasyShare software.lnk - c:\program files (x86)\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2011-2-23 323584]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLUA"= 0 (0x0)
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-07-06 136176]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [2011-08-25 13672]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-11 250056]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-07-06 136176]
R3 HP8207_8307;HP-HP8207_8307;c:\windows\system32\DRIVERS\HP8207_8307.sys [2010-02-05 15360]
R3 LGDDCDevice;LGDDCDevice;c:\windows\system32\LGI2CDriver.sys [x]
R3 LGII2CDevice;LGII2CDevice;c:\windows\system32\LGPII2CDriver.sys [x]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-02-15 52736]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-07-02 1255736]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [2011-03-28 136360]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-05-21 2214504]
S3 DCamUSBVM;Lenovo Q350 USB PC Camera;c:\windows\system32\Drivers\usbVM31b.sys [2005-09-19 142336]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-03-02 187392]
S3 S3XXx64;SCR3xx USB SmartCardReader64;c:\windows\system32\DRIVERS\S3XXx64.sys [2011-09-07 70016]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-12 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-27 21:37]
.
2012-07-09 c:\windows\Tasks\EasyShare Registration Task.job
- c:\windows\system32\rundll32.exe [2009-07-13 01:14]
.
2012-07-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-07-06 14:15]
.
2012-07-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-07-06 14:15]
.
2012-07-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1142693848-1022031478-3082097540-1000Core.job
- c:\users\davidcore2\AppData\Local\Google\Update\GoogleUpdate.exe [2012-03-25 02:34]
.
2012-07-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1142693848-1022031478-3082097540-1000UA.job
- c:\users\davidcore2\AppData\Local\Google\Update\GoogleUpdate.exe [2012-03-25 02:34]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://isearch.avg.com/?cid={0097FB4A-97CC-41B1-AA09-9DF1C6300DB8}&mid=f56fbdf8fea547d0bd14d168c3f4e136-774740bc110510fb2ff01ffde0be0c931ca602db&lang=en&ds=ft011&pr=sa&d=2012-07-07 21:47&v=11.1.0.12&sap=hp
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 192.168.0.1
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/4.0.1.0/GarminAxControl_32.CAB
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://72.215.137.17:8091/activex/AMC.cab
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{bde6f3a2-2ce8-4430-94e0-cd4ce39eeb0d} - (no file)
Wow6432Node-HKCU-Run-ElevatedDiagnostics - (no file)
Wow6432Node-HKU-Default-Run-ElevatedDiagnostics - (no file)
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{BDE6F3A2-2CE8-4430-94E0-CD4CE39EEB0D} - (no file)
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_265_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_265_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files (x86)\Avira\AntiVir Desktop\avguard.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\programdata\EPSON\EPW!3 SSRP\E_S30RP1.EXE
c:\program files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\program files (x86)\LG Soft India\EasySetPackage\bin\TestDDCCI.exe
c:\program files (x86)\LG Soft India\EasySetPackage\bin\TestDDCCI.exe
c:\program files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe
.
**************************************************************************
.
Completion time: 2012-07-11 22:32:49 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-12 02:32
.
Pre-Run: 310,215,426,048 bytes free
Post-Run: 311,054,241,792 bytes free
.
- - End Of File - - 00EA742DD108A9047FA274E095A84F09

Re: Trojan.Sirefef
Update Your Java (JRE)

Old versions of Java have vulnerabilities that malware can use to infect your system.


First Verify your Java Version

If there are any other version(s) installed then update now.

Get the new version (if needed)

If your version is out of date install the newest version of the Sun Java Runtime Environment.

Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Be sure to close ALL open web browsers before starting the installation.

Remove any old versions

1. Download JavaRa and unzip the file to your Desktop.
2. Open JavaRA.exe and choose Remove Older Versions.
3. Once complete, exit JavaRA.

Additional Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.
*****************************************************
SUPERAntiSpyware

If you already have SUPERAntiSpyware be sure to check for updates before scanning!


Download SuperAntispyware Free Edition (SAS)
* Double-click the icon on your desktop to run the installer.
* When asked to Update the program definitions, click Yes.
* If you encounter any problems while downloading the updates, manually download and unzip them from here.
* Next click the Preferences button.

  • Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts.
* Click the Scanning Control tab.
* Under Scanner Options make sure only the following are checked:

  • Close browsers before scanning
  • Scan for tracking cookies
  • Terminate memory threats before quarantining
  Please leave the others unchecked.

* Click the Close button to leave the control center screen.

* On the main screen click Scan your computer.
* On the left check the box for the drive you are scanning.
* On the right choose Perform Complete Scan.
* Click Next to start the scan. Please be patient while it scans your computer.
* After the scan is complete a summary box will appear. Click OK.
* Make sure everything in the white box has a check next to it, then click Next.
* It will quarantine what it found and if it asks if you want to reboot, click Yes.

* To retrieve the removal information please do the following:
  • After reboot, double-click the SUPERAntiSpyware icon on your desktop.
  • Click Preferences. Click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  • It will open in your default text editor (preferably Notepad).
  • Save the notepad file to your desktop by clicking (in notepad) File > Save As...
* Save the log somewhere you can easily find it (normally the desktop).
* Click close and close again to exit the program.
* Copy and Paste the log in your post.
**********************************************
Re-running ComboFix to remove infections:


  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:

    KillAll::

    DDS::
    Trusted Zone: intuit.com\ttlc
    Firefox::
    Trusted Zone: intuit.com\ttlc

  • Save this as CFScript.txt, in the same location as ComboFix.exe

    Trojan.Sirefef Cfscriptb4

  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • I don't need to see the log from this action.

********************************************************
Please download Rooter and Save it to your desktop.

  • Double click it to start the tool. Vista and Windows 7: run as administrator.
  • Click Scan.
  • Eventually, a Notepad file containing the report will open, also found at C:\Rooter.txt. Post that log in your next reply.

Re: Trojan.Sirefef
I can't seem to post the log. Every time I try I get an HTTP internal server error, and now the machine is running super slow!

Re: Trojan.Sirefef
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/13/2012 at 01:33 AM

Application Version : 5.5.1012

Core Rules Database Version : 8892
Trace Rules Database Version: 6704

Scan type : Complete Scan
Total Scan Time : 07:13:33

Operating System Information
Windows 7 Home Premium 64-bit, Service Pack 1 (Build 6.01.7601)
UAC Off - Administrator

Memory items scanned : 652
Memory threats detected : 0
Registry items scanned : 68650
Registry threats detected : 0
File items scanned : 1346989
File threats detected : 1785

Adware.Tracking Cookie


Re: Trojan.Sirefef
Please post the Rooter log.

Re: Trojan.Sirefef
Is it supposed to take a while to run the Rooter? It just says "Please wait" at the bottom and seems to be stuck.

Re: Trojan.Sirefef
So I let it run all night and I still have the screen where at the top it says:
Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows 7 Home Edition (6.1.7601) Service Pack 1
[32_bits] - Intel64 Family 6 Model 15 Stepping 11, GenuineIntel
.
[wscsvc] (Security Center) RUNNING (state:4)
.
C:\Rooter$\Rooter_3.txt - (15/07/2012 | 09:05.18)

and at the bottom it says:
Please wait....

Re: Trojan.Sirefef
I'd like to scan your machine with ESET OnlineScan

•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
•Click the Trojan.Sirefef EsetOnline button.
•For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

  • Click on Trojan.Sirefef EsetSmartInstall to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the Trojan.Sirefef EsetSmartInstallDesktopIcon-1 icon on your desktop.

•Check Trojan.Sirefef EsetAcceptTerms
•Click the Trojan.Sirefef EsetStart button.
•Accept any security warnings from your browser.
•Check Trojan.Sirefef EsetScanArchives
•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push Trojan.Sirefef EsetListThreats
•Push Trojan.Sirefef EsetExport, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the Trojan.Sirefef EsetBack button.
•Push Trojan.Sirefef EsetFinish
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

Re: Trojan.Sirefef
The scan ran for more than 24 hours and this is what it got...

C:\Users\davidcore2\AppData\Local\Google\Chrome\User Data\Default\Default\aahkpjhhkcigepgfchakibcojeoafbec\background.html Win32/BHO.OEI trojan cleaned by deleting - quarantined
C:\Users\davidcore2\Downloads\Nero9.4.12.3d_free.exe Win32/Toolbar.AskSBar application deleted - quarantined

Re: Trojan.Sirefef
So, how's your computer working now? Any other issues?
