Trojan:Win32/Sirefef.O detected, disabled AV and AM tools

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

digicam

Thread Starter
Joined
Oct 29, 2011
Messages
2
Hello!

I downloaded some freeware apps that were part of the top lists of two freeware review sites. I don't know what file triggered it, but suddenly every time I surf the web, I get redirected to advertisements instead of the sites I was trying to go to.

My newly upgraded Avira was also disabled at first (it can be opened and the update worked, but the real-time protection can't be enabled). Then after a few hours, when I try to open the AV it won't open anymore, and this warning shows:



I tried Malwarebytes, ThreatFire, Spyware Doctor, but all failed. My Comodo firewall was also disabled. Only Windows Defender worked and reported a virus called Trojan:Win32/Sirefef.O. I cleaned it with WD and it would say clean, but it comes back after I reboot. The AM tools would open, then suddenly disappear, and when opened again, this warning pops up:



Then after a while, the icons of the AM tools would change to
.


I was able to run HiJackThis but another warning said:



I did what it said and was able to get this log from HiJackThis:

# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost


*******************************************************************************************

The DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_22
Run by d!v!na at 0:45:41 on 2011-10-30
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.63.1033.18.1977.848 [GMT 8:00]
.
AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Spyware Doctor *Enabled/Updated* {94076BB2-F3DA-227F-9A1E-F060FF73600F}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\3193993074:2374541121.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\explorer.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\svchost.exe -k Akamai
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Evernote\Evernote\EvernoteClipper.exe
C:\Users\d!v!na\AppData\Local\Temp\RtkBtMnt.exe
C:\Users\d!v!na\Documents\RCA Detective\RCADetective.exe
C:\Program Files\ViiKiiDesktopPlugin\ViiKiiDesktopPlugin.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\zabkat\xplorer2_lite\xplorer2_lite.exe
C:\Windows\system32\StikyNot.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\ytbb.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\ThreatFire\TFTray.exe
c:\program files\avira\antivir desktop\avgnt.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uURLSearchHooks: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\tbVuze.dll
mURLSearchHooks: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\tbVuze.dll
uWinlogon: Shell=c:\users\d!v!na\appdata\local\727760be\X
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: {0974BA1E-64EC-11DE-B2A5-E43756D89593} - No File
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\tbVuze.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: {0974BA1E-64EC-11DE-B2A5-E43756D89593} - No File
TB: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\tbVuze.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [RESTART_STICKY_NOTES] c:\windows\system32\StikyNot.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Skytel] Skytel.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [EfficientLadysOrganizerFree]
mRun: [<NO NAME>]
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [ThreatFire] c:\program files\threatfire\TFTray.exe
StartupFolder: c:\users\d!v!na\appdata\roaming\micros~1\windows\startm~1\programs\startup\rcadet~1.lnk - c:\users\d!v!na\documents\rca detective\RCADetective.exe
StartupFolder: c:\users\d!v!na\appdata\roaming\micros~1\windows\startm~1\programs\startup\viikii~1.lnk - c:\program files\viikiidesktopplugin\ViiKiiDesktopPlugin.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\everno~1.lnk - c:\windows\installer\{f761359c-9ced-45ae-9a51-9d6605cd55c4}\Evernote.ico
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Evernote 4.0 - c:\program files\evernote\evernote\EvernoteIE.dll/204
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://c:\program files\evernote\evernote\EvernoteIE.dll/204
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: mswsock.dll
Trusted Zone: slu.edu.ph\www
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{94713A53-1CC2-4944-9A60-A24857F1F8CA} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{94713A53-1CC2-4944-9A60-A24857F1F8CA}\2416765796F6F534964797F58416C6C6D223 : NameServer = 156.154.70.22,156.154.71.22
TCP: Interfaces\{94713A53-1CC2-4944-9A60-A24857F1F8CA}\2416765796F6F534964797F58416C6C6D223 : DhcpNameServer = 192.168.1.2
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs:
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\d!v!na\appdata\roaming\mozilla\firefox\profiles\oh91ppuv.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://ph.search.yahoo.com/search?fr=mcafee&p=
FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
FF - component: c:\users\d!v!na\appdata\roaming\mozilla\firefox\profiles\oh91ppuv.default\extensions\{e0b8c461-f8fb-49b4-8373-fe32e9252800}\platform\winnt_x86-msvc\components\enbar.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\foxit software\foxit reader\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mcafee\siteadvisor\NPMcFFPlg32.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\users\d!v!na\appdata\roaming\mozilla\plugins\np-mswmp.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: PermissionResearch: {32c1ae0f-a1ed-4128-b922-7e83a47d79b7} - %profile%\extensions\{32c1ae0f-a1ed-4128-b922-7e83a47d79b7}
FF - Ext: Evernote Web Clipper: {E0B8C461-F8FB-49b4-8373-FE32E9252800} - %profile%\extensions\{E0B8C461-F8FB-49b4-8373-FE32E9252800}
FF - Ext: Screengrab: {02450954-cdd9-410f-b1da-db804e18c671} - %profile%\extensions\{02450954-cdd9-410f-b1da-db804e18c671}
FF - Ext: SimilarWeb: [email protected] - %profile%\extensions\[email protected]
FF - Ext: Zemanta: [email protected] - %profile%\extensions\[email protected]
FF - Ext: ScribeFire: {F807FACD-E46A-4793-B345-D58CB177673C} - %profile%\extensions\{F807FACD-E46A-4793-B345-D58CB177673C}
FF - Ext: Mega Manager Integration: {40a1f5d7-afc2-498f-b264-02668d616ff6} - %profile%\extensions\{40a1f5d7-afc2-498f-b264-02668d616ff6}
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-7-13 64288]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2011-10-29 207280]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2011-10-29 36000]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2009-7-14 20992]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-10-29 74640]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2011-10-29 365280]
R3 netr28;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\drivers\netr28.sys [2009-6-19 604672]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-7-14 311296]
R4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-10-29 41272]
RUnknown TfFsMon;TfFsMon; [x]
RUnknown TfNetMon;TfNetMon; [x]
RUnknown TfSysMon;TfSysMon; [x]
S2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-10-29 86224]
S2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2011-10-29 110032]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" --> c:\program files\lavasoft\ad-aware\AAWService.exe [?]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\sitead~1\mcsacore.exe [2011-9-3 94880]
S2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2011-10-29 1141712]
S2 ThreatFire;ThreatFire;c:\program files\threatfire\tfservice.exe service --> c:\program files\threatfire\TFService.exe service [?]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2009-3-19 136704]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2010-12-2 8576]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2011-5-25 15872]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-5-25 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-2-28 1343400]
SUnknown jcczdnqi;jcczdnqi; [x]
.
=============== Created Last 30 ================
.
2011-10-29 15:59:14 69392 ----a-w- c:\windows\system32\drivers\TfSysMon.sys
2011-10-29 15:59:14 51984 ----a-w- c:\windows\system32\drivers\TfFsMon.sys
2011-10-29 15:59:14 33552 ----a-w- c:\windows\system32\drivers\TfNetMon.sys
2011-10-29 15:55:53 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-10-29 15:51:01 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-29 15:21:40 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2011-10-29 15:21:40 100136 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
2011-10-29 15:21:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2011-10-29 15:21:31 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2011-10-29 15:21:27 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2011-10-29 15:21:21 -------- d-----w- c:\users\d!v!na\appdata\roaming\PC Tools
2011-10-29 15:21:21 -------- d-----w- c:\program files\Spyware Doctor
2011-10-29 15:21:21 -------- d-----w- c:\program files\common files\PC Tools
2011-10-29 14:59:22 -------- d-----w- c:\program files\ESET
2011-10-29 14:02:29 -------- d-sh--w- c:\windows\system32\%APPDATA%
2011-10-29 13:30:49 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{d3f40e0d-cb92-405a-a5fa-8e357558114f}\offreg.dll
2011-10-29 12:07:18 -------- d-----w- c:\windows\system32\wbem\repository
2011-10-29 12:04:10 -------- d-----w- c:\users\d!v!na\appdata\roaming\Avira
2011-10-29 12:03:20 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-10-29 12:03:20 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2011-10-29 12:03:19 -------- d-----w- c:\programdata\Avira
2011-10-29 10:53:38 48016 --sha-w- c:\windows\system32\c_88951.nl_
2011-10-29 10:26:05 -------- d-----w- c:\program files\VideoLAN
2011-10-29 09:59:08 -------- d-----w- c:\users\d!v!na\.gconfd
2011-10-29 09:59:07 -------- d-----w- c:\users\d!v!na\.gnome2_private
2011-10-29 09:59:07 -------- d-----w- c:\users\d!v!na\.gnome2
2011-10-29 09:57:40 -------- d-----w- c:\program files\gnucash
2011-10-29 09:50:30 -------- d-----w- C:\TCASH4
2011-10-29 09:47:55 -------- d-----w- c:\users\d!v!na\.gnucash
2011-10-29 09:44:38 -------- d-----w- c:\users\d!v!na\.pdfsam
2011-10-29 09:26:33 -------- d-----w- c:\users\d!v!na\appdata\roaming\MusicBee
2011-10-29 09:25:13 -------- d-----w- c:\program files\MusicBee
2011-10-29 09:24:15 -------- d-----w- c:\program files\RocketDock
2011-10-29 09:12:49 -------- d-----w- c:\programdata\Panda Security
2011-10-29 09:12:40 -------- d-----w- c:\program files\Panda USB Vaccine
2011-10-29 09:10:55 -------- d-----w- c:\users\d!v!na\appdata\roaming\avidemux
2011-10-29 09:10:42 -------- d-----w- c:\program files\Avidemux 2.5
2011-10-29 09:05:01 758018 ----a-w- c:\windows\system32\xvidcore.dll
2011-10-29 09:05:01 180224 ----a-w- c:\windows\system32\xvidvfw.dll
2011-10-29 09:05:01 139264 ----a-w- c:\windows\system32\xvid.ax
2011-10-29 09:05:00 -------- d-----w- c:\program files\iWisoft Free Video Converter
2011-10-29 08:40:38 -------- d-----w- c:\program files\Ask.com
2011-10-29 08:34:59 -------- d-----w- c:\program files\Jaangle
2011-10-29 08:33:59 -------- d-----w- c:\users\d!v!na\appdata\local\DuplicateCleaner
2011-10-29 08:33:46 -------- d-----w- c:\program files\Duplicate Cleaner
2011-10-29 08:29:38 -------- d-----w- c:\users\d!v!na\appdata\roaming\Zoner
2011-10-29 08:29:37 -------- d-----w- c:\users\d!v!na\appdata\local\Zoner
2011-10-29 08:29:13 -------- d-----w- c:\program files\Zoner
2011-10-29 08:25:36 -------- d-----w- c:\programdata\Comodo
2011-10-29 08:22:20 -------- d-----w- c:\programdata\Comodo Downloader
2011-10-29 08:13:06 -------- d-----w- c:\program files\VS Revo Group
2011-10-29 08:06:22 -------- d-----w- c:\program files\zabkat
2011-10-29 08:02:11 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-10-29 08:02:10 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-10-29 08:02:10 773080 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-10-29 08:02:10 478168 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-10-29 08:02:10 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-10-29 08:02:10 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
2011-10-29 08:02:10 1833944 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-10-29 08:02:10 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-10-29 08:00:25 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-29 07:24:38 -------- d-----w- c:\users\d!v!na\appdata\roaming\HdO Adventure
2011-10-29 04:56:52 -------- d-----w- c:\program files\Foxit Software
2011-10-29 04:56:02 -------- d-----w- c:\programdata\PC Tools
2011-10-29 04:56:02 -------- d-----w- c:\program files\ThreatFire
2011-10-29 04:32:02 41680 ----a-w- c:\windows\system32\drivers\cvatfzoz.sys
2011-10-29 04:20:44 6668624 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{d3f40e0d-cb92-405a-a5fa-8e357558114f}\mpengine.dll
2011-10-29 01:33:22 41680 ----a-w- c:\windows\system32\drivers\edzybtcv.sys
2011-10-28 16:35:18 -------- d-----w- c:\programdata\Big Fish Games
2011-10-28 09:19:25 -------- d-----w- c:\users\d!v!na\appdata\roaming\EscapeTheMuseum2
2011-10-28 08:42:38 -------- d-----w- c:\programdata\Trymedia
2011-10-28 08:40:14 -------- d-----w- c:\program files\Private Eye - Greatest Unsolved Mysteries
2011-10-28 08:40:13 -------- d-----w- c:\program files\BFG
2011-10-28 07:12:56 -------- d-----w- c:\program files\Echoes of the Past Royal House of Stone
2011-10-28 06:01:11 -------- d-sh--w- c:\users\d!v!na\appdata\local\727760be
2011-10-28 05:46:56 -------- d-----w- C:\BigFishGamesCache
2011-10-28 01:41:19 -------- d-----w- c:\windows\Hidden Expedition - Everest
2011-10-28 00:33:08 -------- d-----w- c:\users\d!v!na\appdata\roaming\Orneon
2011-10-27 14:45:26 -------- d-----w- c:\program files\ReflexiveArcade
2011-10-26 18:49:56 12800 ----a-w- c:\program files\mozilla firefox\plugins\npwachk.dll
2011-10-26 13:16:17 -------- d-----w- c:\users\d!v!na\appdata\roaming\Student dog
2011-10-26 12:59:56 -------- d-----w- c:\users\d!v!na\.Get Organized
2011-10-26 12:59:47 -------- d-----w- c:\program files\Get Organized
2011-10-26 12:35:22 -------- d-----w- c:\users\d!v!na\appdata\roaming\Titanium
2011-10-26 12:34:51 -------- d-----w- c:\program files\Wunderlist
2011-10-26 12:25:02 -------- d-----w- c:\users\d!v!na\appdata\local\StudyMinder_Software
2011-10-26 12:13:09 -------- d-----w- c:\users\d!v!na\appdata\roaming\StudyMinder4
2011-10-26 12:13:09 -------- d-----w- c:\programdata\StudyMinder Software
2011-10-26 11:28:21 22528 ----a-w- c:\windows\exeshl.dll
2011-10-26 11:26:53 -------- d-----w- c:\program files\StudyMinder_Lite
2011-10-26 07:36:31 6144 ----a-w- c:\program files\internet explorer\iecompat.dll
2011-10-17 12:16:29 -------- d-----w- c:\windows\system32\SPReview
2011-10-17 12:13:24 -------- d-----w- c:\windows\system32\EventProviders
2011-10-14 04:08:20 -------- d-----w- c:\users\d!v!na\appdata\roaming\SoftOrbits
2011-10-14 03:57:37 57344 ----a-w- c:\windows\system32\ff_vfw.dll
2011-10-14 03:57:36 60273 ----a-w- c:\windows\system32\pthreadGC2.dll
2011-10-14 03:57:34 -------- d-----w- c:\program files\ffdshow
2011-10-14 03:57:26 -------- d-----w- c:\program files\Haali
2011-10-14 03:55:48 -------- d-----w- c:\program files\Hamster Soft
2011-10-12 07:11:17 233472 ----a-w- c:\windows\system32\oleacc.dll
2011-10-12 07:11:13 571904 ----a-w- c:\windows\system32\oleaut32.dll
2011-10-12 07:03:14 75776 ----a-w- c:\windows\system32\psisrndr.ax
2011-10-12 07:03:13 465408 ----a-w- c:\windows\system32\psisdecd.dll
2011-10-12 07:03:13 204288 ----a-w- c:\windows\system32\MSNP.ax
2011-10-12 07:03:12 72704 ----a-w- c:\windows\system32\Mpeg2Data.ax
2011-10-12 07:03:12 59904 ----a-w- c:\windows\system32\MSDvbNP.ax
2011-10-12 06:29:08 2334720 ----a-w- c:\windows\system32\win32k.sys
.
==================== Find3M ====================
.
2011-10-17 12:33:47 152576 ----a-w- c:\windows\system32\msclmd.dll
2011-10-01 02:42:56 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-08-20 04:31:05 981504 ----a-w- c:\windows\system32\wininet.dll
2011-08-17 02:17:40 348160 ----a-w- c:\windows\system32\msvcr71.dll
.
============= FINISH: 0:47:24.70 ===============


*********************************************************************************

I was not able to get the log from GMER since it disappeared before I hit Scan. After using all three tools, the apps also won't open anymore, with the same warning as above (first pic).
I searched a little and tried to follow instructions about how to eliminate that particular trojan, but the problem is, the file aliases they said I should delete were not there in the supposed place. Maybe the alias changed already, I don't know.

Please help. I really don't know what to do. :(:(:confused: I'm not much of a techie, but I can do whatever as long as I have a guide. I would really appreciate the help :p Thank you and good day.
 

digicam

Thread Starter
Joined
Oct 29, 2011
Messages
2
I forgot to attach the other log made from DDS...:eek:

By the way I'll paste here the instructions I got from researching the web:

Trojan:Win32/Sirefef.O Manual Removal Guide:

To get rid of Trojan:Win32/Sirefef.O from the infected system, manual removal is the first choice, for your antivirus software doesn't work if the PC has already suffered from the threat. There are 3 steps you should follow to clean Trojan:Win32/Sirefef.O:

Step 1: Press Ctrl+Alt+Del keys together and stop Trojan:Win32/Sirefef.O processes in the Windows Task Manager.

[random.exe]

Step 2: Open the Registry Editor, search for and delete these Registry Entries created by Trojan:Win32/Sirefef.O.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ".exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Trojan:win32/sirefef.o"

Step 3: Detect and remove Trojan:Win32/Sirefef.O associated files listed below:

%AllUsersProfile%\Application Data\.dll

%AllUsersProfile%\Application Data\.exe(looks like trojan:win32/sirefef.o)





I tried to find the files said in this post but it just wasn't there:(
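As an added example, not a tool from this thread or from any product it names, here is a small Python triage script that applies the checks a helper would make against DDS lines of the kind pasted in the first post, and that covers the Run-key step of the removal guide above: a user-level Winlogon Shell, Run values with no command, services whose image file is missing ([x]), a process image living in an NTFS alternate data stream, and newly created drivers with random-looking names. The sample lines are copied from the log above; the severities and the 8-letter name heuristic are assumptions of this example.

```python
"""Triage checks for DDS-style log lines (added example; not a tool from this thread).

Each line is matched against the DDS line shapes seen above (Winlogon, Run,
service/driver, running-process and "Created Last 30" entries) and flagged when
it shows a pattern a helper looks for. Severities and the 8-letter driver-name
heuristic are assumptions of this example, not DDS rules.
"""
import re
from typing import Iterable, List, Tuple

Finding = Tuple[str, str, str]  # (severity, offending line, reason)

# Line shapes from the DDS "Pseudo HJT Report" and "SERVICES / DRIVERS" sections.
WINLOGON_RE = re.compile(r"^[um]Winlogon:\s*Shell=(?P<value>.*)$", re.I)
RUN_RE = re.compile(r"^[um]Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$", re.I)
SERVICE_RE = re.compile(
    r"^(?P<state>[RS](?:\d|Unknown))\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<image>.*)$"
)
# Running-process lines start with a drive letter; keep only the image path.
PROCESS_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.*?\.exe)", re.I)
# "Created Last 30" entries: date time size attributes path
FILE_ENTRY_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\S+\s+\S+\s+(?P<path>.+)$"
)
# Heuristic: a freshly created driver named with exactly 8 lowercase letters.
# Legitimate drivers can match too (vwififlt.sys in the log above), hence LOW.
RANDOM_DRIVER_RE = re.compile(r"\\drivers\\[a-z]{8}\.sys$")


def triage_line(line: str) -> List[Finding]:
    """Return the findings for one DDS log line (empty list when nothing is flagged)."""
    line = line.strip()
    findings: List[Finding] = []

    m = WINLOGON_RE.match(line)
    if m:
        # Winlogon\Shell is normally explorer.exe (and normally absent from HKCU);
        # any other value runs in place of the desktop at every logon.
        value = m.group("value").strip().strip('"').lower()
        if value != "explorer.exe":
            findings.append(("HIGH", line, "Winlogon Shell replaced; value runs instead of explorer.exe"))
        return findings

    m = RUN_RE.match(line)
    if m:
        if not m.group("cmd").strip():
            findings.append(("LOW", line, "Run value has no command; entry may be blanked or hidden"))
        return findings

    m = SERVICE_RE.match(line)
    if m:
        # "[x]" means DDS could not find the image file; AV/AM driver entries in
        # this state are consistent with their files having been removed or hidden.
        if m.group("state").endswith("Unknown") or m.group("image").strip().endswith("[x]"):
            findings.append(("MEDIUM", line, "service registered but its image file was not found"))
        return findings

    m = PROCESS_RE.match(line)
    if m:
        path = m.group("path")
        # A second ':' after the drive letter names an NTFS alternate data stream,
        # e.g. C:\Windows\<digits>:<digits>.exe, which Explorer does not list.
        if ":" in path[2:]:
            findings.append(("HIGH", line, "process image is an NTFS alternate data stream"))
        return findings

    m = FILE_ENTRY_RE.match(line)
    if m and RANDOM_DRIVER_RE.search(m.group("path")):
        findings.append(("LOW", line, "new driver with random-looking name; verify its signature"))
    return findings


def triage_log(lines: Iterable[str]) -> List[Finding]:
    """Run triage_line over every line and collect the findings in order."""
    out: List[Finding] = []
    for line in lines:
        out.extend(triage_line(line))
    return out


# Sample input, copied from the DDS log posted in this thread.
SAMPLE_LINES = [
    r"uWinlogon: Shell=c:\users\d!v!na\appdata\local\727760be\X",
    r'mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min',
    r"mRun: [<NO NAME>]",
    r"RUnknown TfFsMon;TfFsMon; [x]",
    r"SUnknown jcczdnqi;jcczdnqi; [x]",
    r"S2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2011-10-29 110032]",
    r"C:\Windows\3193993074:2374541121.exe",
    r"C:\Windows\system32\svchost.exe -k netsvcs",
    r"2011-10-29 04:32:02 41680 ----a-w- c:\windows\system32\drivers\cvatfzoz.sys",
    r"2011-10-29 15:55:53 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys",
]

if __name__ == "__main__":
    for severity, flagged, reason in triage_log(SAMPLE_LINES):
        print(f"[{severity}] {reason}\n    {flagged}")
```

Feed it the full pasted log (one line per list element) to see every flagged entry; anything it does not flag still needs a human read, since the checks are deliberately narrow.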
 


Joined
Aug 9, 2011
Messages
808
Hi and welcome to TSG.

I am reviewing your logs and will respond with a reply as soon as I can.

Please note that all my replies are reviewed by a qualified Analyst before I post. This ensures that you will continue to receive quality expert assistance.

Thank you for your patience.
 
Joined
Aug 9, 2011
Messages
808
Hi,
my name is Daniel and I will be assisting you with your malware-related problems.

Before we move on, please read the following points carefully.
  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are following my instructions, Stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or Add/Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, I will have to unsubscribe from this thread and move on to assist someone else.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.



Please read and follow these instructions carefully. We do not want it to fix anything yet (if found), we need to see a report first.

Download TDSSKiller.exe and save it to your desktop
  • Execute TDSSKiller.exe by doubleclicking on it.
  • Press Start Scan
  • If Malicious objects are found, do NOT select Cure. Change the action to Skip, and save the log.
  • Once complete, a log will be produced at the root drive, which is typically C:\, for example, C:\TDSSKiller.<version_date_time>log.txt

Please post the contents of that log in your next reply.



Please post in your next reply
TDSSKiller Log
 
Joined
Aug 9, 2011
Messages
808
Hello, are you still with us?

If you do not reply within 24 hours I will unsubscribe from this thread and won't be notified about new replies.
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
120,263
As it's important to reply in a timely manner when dealing with malware, and even more so when a trainee is assisting so as not to hinder their progress, please note that due to your failure to reply, Larusso will be moving on to help others who are patiently waiting for assistance. I will revert the thread status back to "NEW" and leave it open until it automatically closes due to inactivity. :)
 
