
Trojan:Win32/Sirefef.O detected, disabled AV and AM tools

Discussion in 'Virus & Other Malware Removal' started by digicam, Oct 29, 2011.

Thread Status:
Not open for further replies.
  1. digicam

    digicam Thread Starter

    Joined:
    Oct 29, 2011
    Messages:
    2
    Hello!

    I downloaded some freeware apps that were part of the top lists of two freeware review sites. I don't know what file triggered it, but suddenly every time I surf the web, I will be redirected to advertisements instead of those sites I was trying to go to.

    My newly upgraded Avira was also disabled at first (it can be opened and the update worked, but the realtime protection can't be enabled). Then after a few hours when I try to open the AV it won't open anymore, and this warning shows:

    [image]

    I tried Malwarebytes, ThreatFire, Spyware Doctor but all failed. My Comodo firewall was also disabled. Only Windows Defender worked and reported a virus called Trojan:Win32/Sirefef.O. I cleaned it with WD and it would say clean, but it comes back after I reboot. The AM tools would open, then suddenly disappear, then when opened again, this warning pops up:

    [image]

    Then after a while, the icons of the AM tools would change to [image].


    I was able to run HiJackThis but another warning said:

    [image]

    I did what it said and was able to get this log for HiJackThis:

    # Copyright (c) 1993-2009 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host

    # localhost name resolution is handled within DNS itself.
    # 127.0.0.1 localhost
    # ::1 localhost


    *******************************************************************************************

    The DDS log:

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_22
    Run by d!v!na at 0:45:41 on 2011-10-30
    Microsoft Windows 7 Ultimate 6.1.7601.1.1252.63.1033.18.1977.848 [GMT 8:00]
    .
    AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
    SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: Spyware Doctor *Enabled/Updated* {94076BB2-F3DA-227F-9A1E-F060FF73600F}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\3193993074:2374541121.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\explorer.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\System32\svchost.exe -k Akamai
    C:\Windows\system32\svchost.exe -k hpdevmgmt
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Windows\RtHDVCpl.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Program Files\Evernote\Evernote\EvernoteClipper.exe
    C:\Users\d!v!na\AppData\Local\Temp\RtkBtMnt.exe
    C:\Users\d!v!na\Documents\RCA Detective\RCADetective.exe
    C:\Program Files\ViiKiiDesktopPlugin\ViiKiiDesktopPlugin.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Program Files\zabkat\xplorer2_lite\xplorer2_lite.exe
    C:\Windows\system32\StikyNot.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\ytbb.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\svchost.exe -k SDRSVC
    C:\Program Files\Spyware Doctor\pctsAuxs.exe
    C:\Program Files\Spyware Doctor\pctsTray.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Program Files\ThreatFire\TFTray.exe
    c:\program files\avira\antivir desktop\avgnt.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Windows\system32\NOTEPAD.EXE
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = about:blank
    uInternet Settings,ProxyOverride = *.local
    uURLSearchHooks: H - No File
    uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    uURLSearchHooks: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\tbVuze.dll
    mURLSearchHooks: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\tbVuze.dll
    uWinlogon: Shell=c:\users\d!v!na\appdata\local\727760be\X
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
    BHO: {0974BA1E-64EC-11DE-B2A5-E43756D89593} - No File
    BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\tbVuze.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
    TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
    TB: {0974BA1E-64EC-11DE-B2A5-E43756D89593} - No File
    TB: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\tbVuze.dll
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    uRun: [RESTART_STICKY_NOTES] c:\windows\system32\StikyNot.exe
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [RtHDVCpl] RtHDVCpl.exe
    mRun: [Skytel] Skytel.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [EfficientLadysOrganizerFree]
    mRun: [<NO NAME>]
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
    mRun: [ThreatFire] c:\program files\threatfire\TFTray.exe
    StartupFolder: c:\users\d!v!na\appdata\roaming\micros~1\windows\startm~1\programs\startup\rcadet~1.lnk - c:\users\d!v!na\documents\rca detective\RCADetective.exe
    StartupFolder: c:\users\d!v!na\appdata\roaming\micros~1\windows\startm~1\programs\startup\viikii~1.lnk - c:\program files\viikiidesktopplugin\ViiKiiDesktopPlugin.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\everno~1.lnk - c:\windows\installer\{f761359c-9ced-45ae-9a51-9d6605cd55c4}\Evernote.ico
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: Add to Evernote 4.0 - c:\program files\evernote\evernote\EvernoteIE.dll/204
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
    IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://c:\program files\evernote\evernote\EvernoteIE.dll/204
    IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    LSP: mswsock.dll
    Trusted Zone: slu.edu.ph\www
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    TCP: DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{94713A53-1CC2-4944-9A60-A24857F1F8CA} : DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{94713A53-1CC2-4944-9A60-A24857F1F8CA}\2416765796F6F534964797F58416C6C6D223 : NameServer = 156.154.70.22,156.154.71.22
    TCP: Interfaces\{94713A53-1CC2-4944-9A60-A24857F1F8CA}\2416765796F6F534964797F58416C6C6D223 : DhcpNameServer = 192.168.1.2
    Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: igfxcui - igfxdev.dll
    AppInit_DLLs:
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\d!v!na\appdata\roaming\mozilla\firefox\profiles\oh91ppuv.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
    FF - prefs.js: keyword.URL - hxxp://ph.search.yahoo.com/search?fr=mcafee&p=
    FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
    FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
    FF - component: c:\users\d!v!na\appdata\roaming\mozilla\firefox\profiles\oh91ppuv.default\extensions\{e0b8c461-f8fb-49b4-8373-fe32e9252800}\platform\winnt_x86-msvc\components\enbar.dll
    FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
    FF - plugin: c:\program files\foxit software\foxit reader\plugins\npFoxitReaderPlugin.dll
    FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mcafee\siteadvisor\NPMcFFPlg32.dll
    FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
    FF - plugin: c:\users\d!v!na\appdata\roaming\mozilla\plugins\np-mswmp.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: PermissionResearch: {32c1ae0f-a1ed-4128-b922-7e83a47d79b7} - %profile%\extensions\{32c1ae0f-a1ed-4128-b922-7e83a47d79b7}
    FF - Ext: Evernote Web Clipper: {E0B8C461-F8FB-49b4-8373-FE32E9252800} - %profile%\extensions\{E0B8C461-F8FB-49b4-8373-FE32E9252800}
    FF - Ext: Screengrab: {02450954-cdd9-410f-b1da-db804e18c671} - %profile%\extensions\{02450954-cdd9-410f-b1da-db804e18c671}
    FF - Ext: SimilarWeb: F[email protected] - %profile%\extensions\[email protected]
    FF - Ext: Zemanta: [email protected] - %profile%\extensions\[email protected]
    FF - Ext: ScribeFire: {F807FACD-E46A-4793-B345-D58CB177673C} - %profile%\extensions\{F807FACD-E46A-4793-B345-D58CB177673C}
    FF - Ext: Mega Manager Integration: {40a1f5d7-afc2-498f-b264-02668d616ff6} - %profile%\extensions\{40a1f5d7-afc2-498f-b264-02668d616ff6}
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    ============= SERVICES / DRIVERS ===============
    .
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-7-13 64288]
    R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2011-10-29 207280]
    R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2011-10-29 36000]
    R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]
    R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2009-7-14 20992]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-10-29 74640]
    R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2011-10-29 365280]
    R3 netr28;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\drivers\netr28.sys [2009-6-19 604672]
    R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-7-14 311296]
    R4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-10-29 41272]
    RUnknown TfFsMon;TfFsMon; [x]
    RUnknown TfNetMon;TfNetMon; [x]
    RUnknown TfSysMon;TfSysMon; [x]
    S2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-10-29 86224]
    S2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2011-10-29 110032]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" --> c:\program files\lavasoft\ad-aware\AAWService.exe [?]
    S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\sitead~1\mcsacore.exe [2011-9-3 94880]
    S2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2011-10-29 1141712]
    S2 ThreatFire;ThreatFire;c:\program files\threatfire\tfservice.exe service --> c:\program files\threatfire\TFService.exe service [?]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
    S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2009-3-19 136704]
    S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2010-12-2 8576]
    S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2011-5-25 15872]
    S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-5-25 52224]
    S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-2-28 1343400]
    SUnknown jcczdnqi;jcczdnqi; [x]
    .
    =============== Created Last 30 ================
    .
    2011-10-29 15:59:14 69392 ----a-w- c:\windows\system32\drivers\TfSysMon.sys
    2011-10-29 15:59:14 51984 ----a-w- c:\windows\system32\drivers\TfFsMon.sys
    2011-10-29 15:59:14 33552 ----a-w- c:\windows\system32\drivers\TfNetMon.sys
    2011-10-29 15:55:53 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-10-29 15:51:01 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-10-29 15:21:40 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
    2011-10-29 15:21:40 100136 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
    2011-10-29 15:21:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
    2011-10-29 15:21:31 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
    2011-10-29 15:21:27 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
    2011-10-29 15:21:21 -------- d-----w- c:\users\d!v!na\appdata\roaming\PC Tools
    2011-10-29 15:21:21 -------- d-----w- c:\program files\Spyware Doctor
    2011-10-29 15:21:21 -------- d-----w- c:\program files\common files\PC Tools
    2011-10-29 14:59:22 -------- d-----w- c:\program files\ESET
    2011-10-29 14:02:29 -------- d-sh--w- c:\windows\system32\%APPDATA%
    2011-10-29 13:30:49 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{d3f40e0d-cb92-405a-a5fa-8e357558114f}\offreg.dll
    2011-10-29 12:07:18 -------- d-----w- c:\windows\system32\wbem\repository
    2011-10-29 12:04:10 -------- d-----w- c:\users\d!v!na\appdata\roaming\Avira
    2011-10-29 12:03:20 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-10-29 12:03:20 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
    2011-10-29 12:03:19 -------- d-----w- c:\programdata\Avira
    2011-10-29 10:53:38 48016 --sha-w- c:\windows\system32\c_88951.nl_
    2011-10-29 10:26:05 -------- d-----w- c:\program files\VideoLAN
    2011-10-29 09:59:08 -------- d-----w- c:\users\d!v!na\.gconfd
    2011-10-29 09:59:07 -------- d-----w- c:\users\d!v!na\.gnome2_private
    2011-10-29 09:59:07 -------- d-----w- c:\users\d!v!na\.gnome2
    2011-10-29 09:57:40 -------- d-----w- c:\program files\gnucash
    2011-10-29 09:50:30 -------- d-----w- C:\TCASH4
    2011-10-29 09:47:55 -------- d-----w- c:\users\d!v!na\.gnucash
    2011-10-29 09:44:38 -------- d-----w- c:\users\d!v!na\.pdfsam
    2011-10-29 09:26:33 -------- d-----w- c:\users\d!v!na\appdata\roaming\MusicBee
    2011-10-29 09:25:13 -------- d-----w- c:\program files\MusicBee
    2011-10-29 09:24:15 -------- d-----w- c:\program files\RocketDock
    2011-10-29 09:12:49 -------- d-----w- c:\programdata\Panda Security
    2011-10-29 09:12:40 -------- d-----w- c:\program files\Panda USB Vaccine
    2011-10-29 09:10:55 -------- d-----w- c:\users\d!v!na\appdata\roaming\avidemux
    2011-10-29 09:10:42 -------- d-----w- c:\program files\Avidemux 2.5
    2011-10-29 09:05:01 758018 ----a-w- c:\windows\system32\xvidcore.dll
    2011-10-29 09:05:01 180224 ----a-w- c:\windows\system32\xvidvfw.dll
    2011-10-29 09:05:01 139264 ----a-w- c:\windows\system32\xvid.ax
    2011-10-29 09:05:00 -------- d-----w- c:\program files\iWisoft Free Video Converter
    2011-10-29 08:40:38 -------- d-----w- c:\program files\Ask.com
    2011-10-29 08:34:59 -------- d-----w- c:\program files\Jaangle
    2011-10-29 08:33:59 -------- d-----w- c:\users\d!v!na\appdata\local\DuplicateCleaner
    2011-10-29 08:33:46 -------- d-----w- c:\program files\Duplicate Cleaner
    2011-10-29 08:29:38 -------- d-----w- c:\users\d!v!na\appdata\roaming\Zoner
    2011-10-29 08:29:37 -------- d-----w- c:\users\d!v!na\appdata\local\Zoner
    2011-10-29 08:29:13 -------- d-----w- c:\program files\Zoner
    2011-10-29 08:25:36 -------- d-----w- c:\programdata\Comodo
    2011-10-29 08:22:20 -------- d-----w- c:\programdata\Comodo Downloader
    2011-10-29 08:13:06 -------- d-----w- c:\program files\VS Revo Group
    2011-10-29 08:06:22 -------- d-----w- c:\program files\zabkat
    2011-10-29 08:02:11 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    2011-10-29 08:02:10 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
    2011-10-29 08:02:10 773080 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
    2011-10-29 08:02:10 478168 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
    2011-10-29 08:02:10 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
    2011-10-29 08:02:10 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
    2011-10-29 08:02:10 1833944 ----a-w- c:\program files\mozilla firefox\mozjs.dll
    2011-10-29 08:02:10 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
    2011-10-29 08:00:25 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-10-29 07:24:38 -------- d-----w- c:\users\d!v!na\appdata\roaming\HdO Adventure
    2011-10-29 04:56:52 -------- d-----w- c:\program files\Foxit Software
    2011-10-29 04:56:02 -------- d-----w- c:\programdata\PC Tools
    2011-10-29 04:56:02 -------- d-----w- c:\program files\ThreatFire
    2011-10-29 04:32:02 41680 ----a-w- c:\windows\system32\drivers\cvatfzoz.sys
    2011-10-29 04:20:44 6668624 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{d3f40e0d-cb92-405a-a5fa-8e357558114f}\mpengine.dll
    2011-10-29 01:33:22 41680 ----a-w- c:\windows\system32\drivers\edzybtcv.sys
    2011-10-28 16:35:18 -------- d-----w- c:\programdata\Big Fish Games
    2011-10-28 09:19:25 -------- d-----w- c:\users\d!v!na\appdata\roaming\EscapeTheMuseum2
    2011-10-28 08:42:38 -------- d-----w- c:\programdata\Trymedia
    2011-10-28 08:40:14 -------- d-----w- c:\program files\Private Eye - Greatest Unsolved Mysteries
    2011-10-28 08:40:13 -------- d-----w- c:\program files\BFG
    2011-10-28 07:12:56 -------- d-----w- c:\program files\Echoes of the Past Royal House of Stone
    2011-10-28 06:01:11 -------- d-sh--w- c:\users\d!v!na\appdata\local\727760be
    2011-10-28 05:46:56 -------- d-----w- C:\BigFishGamesCache
    2011-10-28 01:41:19 -------- d-----w- c:\windows\Hidden Expedition - Everest
    2011-10-28 00:33:08 -------- d-----w- c:\users\d!v!na\appdata\roaming\Orneon
    2011-10-27 14:45:26 -------- d-----w- c:\program files\ReflexiveArcade
    2011-10-26 18:49:56 12800 ----a-w- c:\program files\mozilla firefox\plugins\npwachk.dll
    2011-10-26 13:16:17 -------- d-----w- c:\users\d!v!na\appdata\roaming\Student dog
    2011-10-26 12:59:56 -------- d-----w- c:\users\d!v!na\.Get Organized
    2011-10-26 12:59:47 -------- d-----w- c:\program files\Get Organized
    2011-10-26 12:35:22 -------- d-----w- c:\users\d!v!na\appdata\roaming\Titanium
    2011-10-26 12:34:51 -------- d-----w- c:\program files\Wunderlist
    2011-10-26 12:25:02 -------- d-----w- c:\users\d!v!na\appdata\local\StudyMinder_Software
    2011-10-26 12:13:09 -------- d-----w- c:\users\d!v!na\appdata\roaming\StudyMinder4
    2011-10-26 12:13:09 -------- d-----w- c:\programdata\StudyMinder Software
    2011-10-26 11:28:21 22528 ----a-w- c:\windows\exeshl.dll
    2011-10-26 11:26:53 -------- d-----w- c:\program files\StudyMinder_Lite
    2011-10-26 07:36:31 6144 ----a-w- c:\program files\internet explorer\iecompat.dll
    2011-10-17 12:16:29 -------- d-----w- c:\windows\system32\SPReview
    2011-10-17 12:13:24 -------- d-----w- c:\windows\system32\EventProviders
    2011-10-14 04:08:20 -------- d-----w- c:\users\d!v!na\appdata\roaming\SoftOrbits
    2011-10-14 03:57:37 57344 ----a-w- c:\windows\system32\ff_vfw.dll
    2011-10-14 03:57:36 60273 ----a-w- c:\windows\system32\pthreadGC2.dll
    2011-10-14 03:57:34 -------- d-----w- c:\program files\ffdshow
    2011-10-14 03:57:26 -------- d-----w- c:\program files\Haali
    2011-10-14 03:55:48 -------- d-----w- c:\program files\Hamster Soft
    2011-10-12 07:11:17 233472 ----a-w- c:\windows\system32\oleacc.dll
    2011-10-12 07:11:13 571904 ----a-w- c:\windows\system32\oleaut32.dll
    2011-10-12 07:03:14 75776 ----a-w- c:\windows\system32\psisrndr.ax
    2011-10-12 07:03:13 465408 ----a-w- c:\windows\system32\psisdecd.dll
    2011-10-12 07:03:13 204288 ----a-w- c:\windows\system32\MSNP.ax
    2011-10-12 07:03:12 72704 ----a-w- c:\windows\system32\Mpeg2Data.ax
    2011-10-12 07:03:12 59904 ----a-w- c:\windows\system32\MSDvbNP.ax
    2011-10-12 06:29:08 2334720 ----a-w- c:\windows\system32\win32k.sys
    .
    ==================== Find3M ====================
    .
    2011-10-17 12:33:47 152576 ----a-w- c:\windows\system32\msclmd.dll
    2011-10-01 02:42:56 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2011-08-20 04:31:05 981504 ----a-w- c:\windows\system32\wininet.dll
    2011-08-17 02:17:40 348160 ----a-w- c:\windows\system32\msvcr71.dll
    .
    ============= FINISH: 0:47:24.70 ===============


    *********************************************************************************

    I was not able to get the log from GMER since it disappeared before I hit Scan. After using all three tools, the apps also won't open anymore with the same warning as above (first pic).
    I searched a little and tried to follow instructions about how to eliminate that certain trojan, but the problem is, the file aliases they said I should delete were not there in the supposed place. Maybe the alias changed already, I don't know.

    Please help. I really don't know what to do. :(:(:confused: I'm not much of a techie, but I can do whatever as long as I have a guide. I would really appreciate the help :p Thank you and good day.
     
  2. digicam

    digicam Thread Starter

    Joined:
    Oct 29, 2011
    Messages:
    2
    I forgot to attach the other log made from DDS...:eek:

    By the way I'll paste here the instructions I got from researching the web:

    Trojan:Win32/Sirefef.O Manual Removal Guide:

    To get rid of Trojan:Win32/Sirefef.O from the infected system, manual removal is the first choice, for your antivirus software doesn't work if the PC has already suffered from the threat. There are 3 steps you should follow to clean Trojan:Win32/Sirefef.O:

    Step 1: Press Ctrl+Alt+Del keys together and stop Trojan:Win32/Sirefef.O processes in the Windows Task Manager.

    [random.exe]

    Step 2: Open the Registry Editor, search for and delete these Registry Entries created by Trojan:Win32/Sirefef.O.

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ".exe"

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Trojan:win32/sirefef.o"

    Step 3: Detect and remove Trojan:Win32/Sirefef.O associated files listed below:

    %AllUsersProfile%\Application Data\.dll

    %AllUsersProfile%\Application Data\.exe (looks like trojan:win32/sirefef.o)





    I tried to find the files mentioned in this post, but they just weren't there :(
     

    Attached Files:

  3. Larusso

    Larusso

    Joined:
    Aug 9, 2011
    Messages:
    808
    Hi and welcome to TSG.

    I am reviewing your logs and will respond with a reply as soon as I can.

    Please note that all my replies are reviewed by a qualified Analyst before I post. This ensures that you will continue to receive quality expert assistance.

    Thank you for your patience.
     
  4. Larusso

    Larusso

    Joined:
    Aug 9, 2011
    Messages:
    808
    Hi,
    my name is Daniel and I will be assisting you with your malware-related problems.

    Before we move on, please read the following points carefully.
    • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
    • Perform everything in the correct order. Sometimes one step requires the previous one.
    • If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
    • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
    • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you cannot post all logfiles in one reply, feel free to use more posts.
    • If I don't hear from you within 3 days from this initial or any subsequent post, I will have to unsubscribe from this thread and move on to assist someone else.
    • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
    • My first language is not English, so please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.



    Please read and follow these instructions carefully. We do not want it to fix anything yet (if found), we need to see a report first.

    Download TDSSKiller.exe and save it to your desktop
    • Execute TDSSKiller.exe by double-clicking on it.
    • Press Start Scan.
    • If malicious objects are found, do NOT select Cure. Change the action to Skip, and save the log.
    • Once complete, a log will be produced at the root drive, which is typically C:\, for example, C:\TDSSKiller.<version_date_time>log.txt

    Please post the contents of that log in your next reply.



    Please post in your next reply:
    TDSSKiller log
     
  5. Larusso

    Larusso

    Joined:
    Aug 9, 2011
    Messages:
    808
    Hello, are you still with us?

    If you do not reply within 24 hours I will unsubscribe from this thread and won't be notified about new replies.
     
  6. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,830
    First Name:
    Karen
    As it's important to reply in a timely manner when dealing with malware, and even more so when a trainee is assisting so as not to hinder their progress, please note that due to your failure to reply, Larusso will be moving on to help others who are patiently waiting for assistance. I will revert the thread status back to "NEW" and leave it open until it automatically closes due to inactivity. :)
     

Short URL to this thread: https://techguy.org/1024574
