
Need Help Removing Win32/Sirefef.EZ trojan [Solved]


  • This topic is locked

#16
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Could you download the attached file to the desktop
[attachment=59082:sharedaccess.reg]
Right click and select merge
Reboot the computer and retry the firewall

Also re-run Farbar as before
  • 0


#17
liquidjo

liquidjo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
Firewall is now on and functioning.



Farbar Service Scanner Version: 19-07-2012
Ran by Daci (administrator) on 20-07-2012 at 15:17:17
Running from "C:\"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================
ATTENTION!=====> Unable to retrieve HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\\EnableFirewall value. The value does not exist.
ATTENTION!=====> Unable to retrieve HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\\EnableFirewall value. The value does not exist.


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll".


Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINXP\system32\dhcpcsvc.dll => MD5 is legit
C:\WINXP\system32\Drivers\afd.sys => MD5 is legit
C:\WINXP\system32\Drivers\netbt.sys => MD5 is legit
C:\WINXP\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINXP\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINXP\system32\dnsrslvr.dll => MD5 is legit
C:\WINXP\system32\ipnathlp.dll => MD5 is legit
C:\WINXP\system32\netman.dll => MD5 is legit
C:\WINXP\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINXP\system32\srsvc.dll => MD5 is legit
C:\WINXP\system32\Drivers\sr.sys => MD5 is legit
C:\WINXP\system32\wscsvc.dll => MD5 is legit
C:\WINXP\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINXP\system32\wuauserv.dll => MD5 is legit
C:\WINXP\system32\qmgr.dll => MD5 is legit
C:\WINXP\system32\es.dll
[2010-09-16 06:10] - [2010-09-16 06:10] - 0253952 ____A (Microsoft Corporation) F17F6226BDC0CD5F0BEF0DAF84D29BEC

C:\WINXP\system32\cryptsvc.dll => MD5 is legit
C:\WINXP\system32\svchost.exe => MD5 is legit
C:\WINXP\system32\rpcss.dll
[2010-09-16 06:11] - [2010-09-16 06:11] - 0401408 ____A (Microsoft Corporation) 9222562D44021B988B9F9F62207FB6F2

C:\WINXP\system32\services.exe
[2010-09-16 06:11] - [2010-09-16 06:11] - 0110592 ____A (Microsoft Corporation) 020CEAAEDC8EB655B6506B8C70D53BB6


Extra List:
=======
Gpc(4) IPSec(6) NetBT(7) PSched(8) RFCOMM(3) Tcpip(5)
0x09000000060000000100000002000000030000000400000005000000070000000800000009000000
IpSec Tag value is correct.

**** End of log ****



------------------------------------------------------------------------------------------------------







Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 20-07-2012
Ran by Daci at 20-07-2012 15:12:43
Running from C:\
Service Pack 3 (X86) OS Language: English(US)
Attention: Could not load system hive.
Error: The system was unable to find the specified registry key or value
Attention: System hive is missing.

ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNTION PROPERLY.


============ One Month Created Files and Folders ==============

2012-07-20 15:09 - 2012-07-20 15:09 - 00002881 ____A C:\Documents and Settings\Daci\Desktop\sharedaccess.reg
2012-07-20 13:13 - 2012-07-20 13:13 - 00003020 ____A C:\FSS.txt
2012-07-20 13:12 - 2012-07-20 13:12 - 00694807 ____A (Farbar) C:\FSS.exe
2012-07-20 13:06 - 2012-07-20 13:07 - 00000000 ___SD C:\Gotcha
2012-07-20 12:33 - 2012-07-20 12:33 - 00000433 ____A C:\fixlist.txt
2012-07-20 11:47 - 2012-07-20 15:12 - 00000000 ____D C:\FRST
2012-07-20 10:33 - 2012-07-20 10:33 - 00892154 ____A (Farbar) C:\FRST.exe
2012-07-19 17:11 - 2012-07-19 17:11 - 00000000 ____D C:\Qoobox
2012-07-19 17:10 - 2012-07-20 13:05 - 04582461 ____R (Swearware) C:\Documents and Settings\Daci\Desktop\Gotcha.exe
2012-07-19 16:55 - 2012-07-19 16:56 - 02136664 ____A (Kaspersky Lab ZAO) C:\Documents and Settings\Daci\Desktop\tdsskiller.exe
2012-07-18 16:58 - 2009-06-29 14:45 - 00000000 ____D C:\Documents and Settings\Daci\Desktop\Misery Signals [EP] [2003]
2012-07-18 12:07 - 2012-07-18 12:07 - 00000000 ____D C:\_OTL
2012-07-17 18:37 - 2012-07-17 18:37 - 00000933 ____A C:\Documents and Settings\Daci\Desktop\Spybot - Search & Destroy.lnk
2012-07-17 18:36 - 2012-07-17 19:55 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2012-07-17 18:36 - 2012-07-17 18:39 - 00000000 ____D C:\Program Files\Spybot - Search & Destroy
2012-07-17 18:28 - 2012-07-17 18:28 - 00002445 ____A C:\Documents and Settings\Daci\Desktop\HiJackThis.lnk
2012-07-17 18:28 - 2012-07-17 18:28 - 00000000 ____D C:\Program Files\Trend Micro
2012-07-16 16:38 - 2012-07-16 16:38 - 00000000 ____D C:\Documents and Settings\NetworkService\Application Data\Macromedia
2012-07-16 16:37 - 2012-07-16 16:37 - 00000000 ____D C:\Documents and Settings\NetworkService\Application Data\Adobe
2012-07-16 10:11 - 2012-07-16 10:11 - 00000000 ____D C:\Documents and Settings\LocalService\Application Data\Macromedia
2012-07-16 10:10 - 2012-07-16 10:10 - 00000000 ____D C:\Documents and Settings\LocalService\Application Data\Adobe
2012-07-13 14:15 - 2012-07-13 14:15 - 00000703 ____A C:\Documents and Settings\Daci\Desktop\Magic APE FLAC CD Burner.lnk
2012-07-13 14:15 - 2012-07-13 14:15 - 00000000 ____D C:\Program Files\Magic APE FLAC CD Burner
2012-07-12 18:37 - 2012-07-12 18:37 - 00000000 ____D C:\Documents and Settings\Daci\Desktop\Mongol
2012-07-11 09:08 - 2012-07-11 09:08 - 00000000 ____D C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
2012-07-08 14:05 - 2012-07-08 14:05 - 00000591 ____A C:\Documents and Settings\Daci\Desktop\Shortcut to Azureus.lnk
2012-07-04 12:56 - 2012-07-04 12:56 - 00000000 ____D C:\Documents and Settings\Daci\My Documents\My Received Files
2012-07-04 12:56 - 2012-07-04 12:56 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\FLEXnet
2012-07-04 12:55 - 2012-07-04 12:55 - 00000000 ____D C:\Program Files\Common Files\Macrovision Shared
2012-07-04 12:52 - 2012-07-04 12:52 - 00000000 ____D C:\Intel
2012-07-04 12:47 - 2012-07-04 12:51 - 00000000 ____D C:\Documents and Settings\All Users\Documents\DriverGenius
2012-07-04 12:46 - 2012-07-04 12:47 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\DriverGenius
2012-07-04 12:44 - 2012-07-04 12:44 - 00000000 ____D C:\Program Files\Driver-Soft
2012-07-03 22:17 - 2012-07-03 22:17 - 00000000 ____D C:\Documents and Settings\Daci\Application Data\DDMSettings
2012-07-03 21:30 - 2012-07-04 12:06 - 00000000 ____D C:\Documents and Settings\Daci\Application Data\DivX
2012-07-03 21:29 - 2012-07-03 21:30 - 00000000 ____D C:\Program Files\Common Files\DivX Shared
2012-07-03 21:24 - 2012-07-03 21:31 - 00000000 ____D C:\Program Files\DivX
2012-07-03 21:23 - 2012-07-03 21:31 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\DivX
2012-07-03 17:56 - 2012-07-03 17:56 - 00000000 ____D C:\Documents and Settings\Daci\Local Settings\Application Data\ESET
2012-06-29 10:52 - 2012-06-29 10:52 - 00000000 ____D C:\Documents and Settings\Daci\Application Data\Google
2012-06-29 10:50 - 2012-06-29 10:51 - 00000000 ____D C:\Program Files\Google
2012-06-25 12:09 - 2012-06-25 12:10 - 00000000 ____D C:\Documents and Settings\Daci\Application Data\Apple Computer
2012-06-25 12:09 - 2012-06-25 12:09 - 00000000 ____D C:\Documents and Settings\Daci\Local Settings\Application Data\Apple Computer
2012-06-25 12:07 - 2012-06-25 12:09 - 00000000 ____D C:\Program Files\iTunes
2012-06-25 12:07 - 2012-06-25 12:09 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2012-06-25 12:07 - 2012-06-25 12:07 - 00000000 ____D C:\Program Files\iPod
2012-06-25 12:07 - 2012-06-25 12:07 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Apple Computer
2012-06-25 12:06 - 2012-06-25 12:06 - 00000000 ____D C:\Program Files\Apple Software Update
2012-06-25 12:06 - 2012-06-25 12:06 - 00000000 ____D C:\Documents and Settings\LocalService\Application Data\Apple Computer
2012-06-25 12:06 - 2012-06-25 12:06 - 00000000 ____D C:\Documents and Settings\Daci\Local Settings\Application Data\Apple
2012-06-25 12:05 - 2012-06-25 12:07 - 00000000 ____D C:\Program Files\Common Files\Apple
2012-06-25 12:05 - 2012-06-25 12:05 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Apple

============ 3 Months Modified Files ========================

2012-07-20 15:11 - 2011-09-14 18:31 - 00000062 __ASH C:\Documents and Settings\Daci\Local Settings\desktop.ini
2012-07-20 15:11 - 2011-09-14 18:16 - 00000062 __ASH C:\Documents and Settings\NetworkService\Local Settings\desktop.ini
2012-07-20 15:10 - 2011-09-14 18:31 - 00000178 ___SH C:\Documents and Settings\Daci\ntuser.ini
2012-07-20 15:09 - 2012-07-20 15:09 - 00002881 ____A C:\Documents and Settings\Daci\Desktop\sharedaccess.reg
2012-07-20 13:13 - 2012-07-20 13:13 - 00003020 ____A C:\FSS.txt
2012-07-20 13:12 - 2012-07-20 13:12 - 00694807 ____A (Farbar) C:\FSS.exe
2012-07-20 13:09 - 2011-09-14 18:17 - 00000062 __ASH C:\Documents and Settings\LocalService\Local Settings\desktop.ini
2012-07-20 13:05 - 2012-07-19 17:10 - 04582461 ____R (Swearware) C:\Documents and Settings\Daci\Desktop\Gotcha.exe
2012-07-20 12:33 - 2012-07-20 12:33 - 00000433 ____A C:\fixlist.txt
2012-07-20 10:42 - 2012-02-14 13:44 - 00000178 __ASH C:\Documents and Settings\Administrator\ntuser.ini
2012-07-20 10:41 - 2012-02-14 13:44 - 00000062 __ASH C:\Documents and Settings\Administrator\Local Settings\desktop.ini
2012-07-20 10:33 - 2012-07-20 10:33 - 00892154 ____A (Farbar) C:\FRST.exe
2012-07-19 16:56 - 2012-07-19 16:55 - 02136664 ____A (Kaspersky Lab ZAO) C:\Documents and Settings\Daci\Desktop\tdsskiller.exe
2012-07-18 18:30 - 2011-09-14 20:13 - 00041472 ____A C:\Documents and Settings\Daci\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-07-17 18:37 - 2012-07-17 18:37 - 00000933 ____A C:\Documents and Settings\Daci\Desktop\Spybot - Search & Destroy.lnk
2012-07-17 18:28 - 2012-07-17 18:28 - 00002445 ____A C:\Documents and Settings\Daci\Desktop\HiJackThis.lnk
2012-07-13 14:15 - 2012-07-13 14:15 - 00000703 ____A C:\Documents and Settings\Daci\Desktop\Magic APE FLAC CD Burner.lnk
2012-07-08 14:05 - 2012-07-08 14:05 - 00000591 ____A C:\Documents and Settings\Daci\Desktop\Shortcut to Azureus.lnk
2012-07-04 12:30 - 2012-03-12 18:33 - 00000682 ____A C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
2012-06-09 23:53 - 2012-06-09 23:53 - 00013943 ____A C:\Documents and Settings\Daci\hs_err_pid2404.log
2012-05-18 18:58 - 2012-05-18 18:58 - 00000719 ____A C:\Documents and Settings\All Users\Desktop\VLC media player.lnk
2012-05-03 07:31 - 2011-09-16 13:42 - 00067368 ____A C:\Documents and Settings\Daci\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\winlogon.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\svchost.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\services.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\User32.dll IS MISSING <==== ATTENTION!.
C:\Windows\System32\userinit.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\Drivers\volsnap.sys IS MISSING <==== ATTENTION!.

==================== Restore Points (XP) =====================


========================= Memory info ======================

Percentage of memory in use: 14%
Total physical RAM: 1527.36 MB
Available physical RAM: 1298.45 MB
Total Pagefile: 3426.48 MB
Available Pagefile: 3374.07 MB
Total Virtual: 2047.88 MB
Available Virtual: 1997.14 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:55.89 GB) (Free:11.93 GB) NTFS ==>[Drive with boot components (Windows XP)]

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 56 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 56 GB 32 KB
==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C NTFS Partition 56 GB Healthy System (partition with boot components)
==================================================================================
======================= End Of Log ==========================
  • 0
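As an added example (not part of the thread and not code from Farbar's tools), a small Python parser for the FSS log format posted above. It separates the files the scanner matched against a known MD5 from the ones it only printed size, vendor and hash for (so they still need a manual check), and pulls out the registry values the firewall policy check reported as absent. The sample log is a constructed excerpt of the one posted.

```python
import re

# Constructed excerpt in the format of the Farbar Service Scanner (FSS) log
# posted in the thread; the paths and hashes are copied from that log.
SAMPLE_FSS_LOG = r"""
Firewall Disabled Policy:
==================
ATTENTION!=====> Unable to retrieve HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\\EnableFirewall value. The value does not exist.
ATTENTION!=====> Unable to retrieve HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\\EnableFirewall value. The value does not exist.

File Check:
========
C:\WINXP\system32\dhcpcsvc.dll => MD5 is legit
C:\WINXP\system32\es.dll
[2010-09-16 06:10] - [2010-09-16 06:10] - 0253952 ____A (Microsoft Corporation) F17F6226BDC0CD5F0BEF0DAF84D29BEC

C:\WINXP\system32\services.exe
[2010-09-16 06:11] - [2010-09-16 06:11] - 0110592 ____A (Microsoft Corporation) 020CEAAEDC8EB655B6506B8C70D53BB6
"""

SECTION_RE = re.compile(r"^([A-Za-z &]+):$")
ATTENTION_RE = re.compile(r"^ATTENTION!=+> (.*)$")
LEGIT_RE = re.compile(r"^(\S.*?) => MD5 is legit$")
DETAIL_RE = re.compile(r"^\[.*?\] - \[.*?\] - \d+ \S+ \((.*?)\) ([0-9A-Fa-f]{32})$")
REG_VALUE_RE = re.compile(r"Unable to retrieve (\S+) value\. The value does not exist")


def parse_fss(text):
    """Collect ATTENTION lines and File Check results from an FSS log."""
    f = {"attention": [], "verified": [], "unverified": {}}
    section, pending = None, None   # pending: path waiting for its detail line
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or set(line) == {"="}:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, pending = m.group(1), None
            continue
        m = ATTENTION_RE.match(line)
        if m:
            f["attention"].append((section, m.group(1)))
            continue
        if section == "File Check":
            m = LEGIT_RE.match(line)
            if m:                       # FSS matched the file against a known MD5
                f["verified"].append(m.group(1))
            elif (m := DETAIL_RE.match(line)) and pending:
                # No verdict: FSS printed vendor and hash instead, so the
                # hash has to be checked by hand before trusting the file
                f["unverified"][pending] = {"vendor": m.group(1), "md5": m.group(2)}
                pending = None
            elif line.startswith("C:\\"):
                pending = line
    return f


def firewall_policy_missing(findings):
    """Registry values the firewall check reported absent (double backslash collapsed)."""
    hits = (REG_VALUE_RE.search(msg) for _, msg in findings["attention"])
    return [m.group(1).replace("\\\\", "\\") for m in hits if m]
```

On the posted log the two missing values are the per-profile EnableFirewall entries under SharedAccess\Parameters\FirewallPolicy, which is the key the sharedaccess.reg merge above restores before the firewall is retried.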

#18
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
How is the computer behaving now? What problems remain?
  • 0

#19
liquidjo

liquidjo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
Well, the firewall is on now and the laptop is running fine, but is the actual Sirefef trojan gone? Just don't want to be bothered by it again.
  • 0

#20
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Do you have an antivirus ?

If not then for the moment install this one to confirm it has gone

Download the latest version to your desktop from here

Install Avast
If you do not want chrome then deselect when the computer reboots on the finalisation page

  • 0

#21
liquidjo

liquidjo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
I ran Avast and this is what I deleted after it found the threats:

Found 2 of these - C:\ProgramFiles\Magic Ape FLAC CD Burner\all2mp3.exe - Win32 Trojan-gen

and one of these - C:\_OTL\MovedFiles\07182012_120775\C Documents and Settings\Daci\Application Data\KB00373776 - Win32Agent-AOVN[trj]
  • 0

#22
liquidjo

liquidjo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
Also did a boot time scan and found this threat and deleted it:

C:\System Volume Information\_restore{DF0E5210-BC74-4202-8CDC-718DA5965F3C}\RP2\A0002111.exe - Win32 Trojan -gen
  • 0

#23
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Two of those are unimportant as they are quarantined

How is the computer behaving now ?
  • 0

#24
liquidjo

liquidjo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
It's running great. Thanks essexboy, I appreciate it. Should I stay with the avast, or which other antivirus do you recommend?
  • 0

#25
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
The choice of AV is yours, I only gave you Avast as that is the one I use. You could also use Avira or AVG. If you wish to change let me know


Subject to no further problems :)

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so..The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :Commands
    [resethosts]
    [emptytemp]
    [CLEARALLRESTOREPOINTS]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done

Remove ComboFix
  • Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
  • In the Run box, type in ComboFix /Uninstall
    (Notice the space between the "x" and "/")
    then click OK

  • Follow the prompts on the screen
  • A message should appear confirming that ComboFix was uninstalled

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.

Your Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version of Java components and upgrade the application.

Upgrading Java:
  • Go to this site and click Do I have Java
  • It will check your current version and then offer to update to the latest version


Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

Malwarebytes.

Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly it will show you which programmes on your system need updating and give a download link

It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit
To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place? Keep safe :wave:
  • 0


#26
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
