Win32sirefef.ez trojan cannot be deleted.

Post by xrisem » February 16th, 2013, 2:39 am

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by Christian at 5:52:18 on 2013-02-16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1496 [GMT 1:00]
.
AV: ESET NOD32 Antivirus 3.0 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: Norton Internet Worm Protection *Disabled*
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\USB 2.0 PC CAMERA\Camera Snap.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\real\realplayer\update\realsched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\Bentley Shared\IEG\IEGLCS\IEGLicSrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.ask.com/?l=dis&o=
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
uProxyServer = proxy1.emirates.net.ae:8080
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
BHO: &Yahoo! Toolbar Helper: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: AcroIEHlprObj Class: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: Canon Easy-WebPrint EX BHO: {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - c:\program files\canon\easy-webprint ex\ewpexbho.dll
BHO: SSVHelper Class: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: AcroIEToolbarHelper Class: {AE7CD045-E861-484f-8273-0445EE161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: Canon Easy-WebPrint EX: {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: Canon Easy-WebPrint EX: {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: Canon Easy-WebPrint EX: {21347690-EC41-4F9A-8887-1F4AEE672439} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
EB: Adobe PDF: {182EC0BE-5110-49C8-A062-BEB1D02A220B} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [amva] c:\windows\system32\amvo.exe
uRun: [E06ADXRC_9368640] "c:\program files\microsoft encarta\encarta premium 2006\EDICT.EXE" -m
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\isuspm.exe" -scheduler
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
uRun: [Google Update] "c:\documents and settings\christian\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [QlbCtrl] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [Cpqset] c:\program files\hewlett-packard\default settings\cpqset.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [DrvIcon] c:\program files\vista drive icon\DrvIcon.exe
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Snap] c:\program files\usb 2.0 pc camera\Camera Snap.exe
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
mRun: [ypops] c:\program files\mypops\ypops.exe
mRun: [Reminder] c:\windows\creator\Remind_XP.exe
mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
StartupFolder: c:\docume~1\christ~1\startm~1\programs\startup\rocket~1.lnk - c:\windows\bricopacks\vista inspirat 2\rocketdock\RocketDock.exe
StartupFolder: c:\docume~1\christ~1\startm~1\programs\startup\styler.lnk - c:\documents and settings\christian\application data\microsoft\installer\{e9ecf354-2422-4fdb-9abf-d8adac0ef941}\_585b207a.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
uPolicies-Explorer: NoDriveTypeAutoRun = dword:159
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftup ... 1841156685
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/fl ... rashim.cab
DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/sh ... wflash.cab
TCP: Interfaces\{FB50725F-E1F5-47EB-A65A-84C1E5042BA1} : NameServer = 213.42.20.20,195.229.241.222
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\24.0.1312.57\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
============= SERVICES / DRIVERS ===============
.
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-7-1 34312]
R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2007-12-21 468224]
R2 IEGLicSrv;Bentley License Client;c:\program files\common files\bentley shared\ieg\ieglcs\IEGLicSrv.exe [2007-3-8 45056]
R2 WinFLdrv;WinFLdrv;c:\windows\system32\WinFLdrv.sys [2012-10-13 10752]
S2 27011@127.0.0.1;27011@127.0.0.1;c:\simulia\license\lmgrd.exe [2012-7-17 1392016]
S2 EFix4;Nod32 AV;c:\windows\regedit.exe [2004-8-4 224256]
S2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
S2 MyDNS;Window Net Dns;c:\program files\internet explorer\svchost.exe --> c:\program files\internet explorer\svchost.exe [?]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-7-13 160944]
S3 usbcamcl;Driver for usbcamcl Device;c:\windows\system32\drivers\usbcamcl.sys [2012-6-9 28416]
S3 ztemtusbser;ZTEMT Legacy Serial Communication;c:\windows\system32\drivers\ct_ztemt_u_usbser.sys --> c:\windows\system32\drivers\CT_ZTEMT_U_USBSER.sys [?]
.
=============== File Associations ===============
.
FileExt: .scr: AutoCADScriptFile="c:\windows\system32\NOTEPAD.EXE" "%1"
ShellExec: FRONTPG.EXE: edit=c:\progra~1\micros~3\office\FRONTPG.EXE
.
=============== Created Last 30 ================
.
2013-02-15 13:28:24 -------- d-----w- c:\program files\ESET
2013-02-15 11:22:20 -------- d-----w- c:\windows\system32\wbem\repository\FS
2013-02-15 11:22:20 -------- d-----w- c:\windows\system32\wbem\Repository
2013-02-15 11:13:07 -------- d-----w- c:\program files\common files\Palo Alto Software
2013-02-15 09:42:56 21264 ----a-w- c:\windows\system32\drivers\SirefefRemover.sys
2013-02-15 08:24:19 -------- d-----w- c:\program files\PDF Password Remover
2013-02-02 09:19:31 -------- d-----w- c:\documents and settings\christian\local settings\application data\Deployment
2013-01-28 16:01:20 139264 ----a-w- c:\windows\system32\igfxres.dll
2013-01-28 14:03:52 -------- d-----w- c:\program files\NetWaiting
.
==================== Find3M ====================
.
2013-02-08 00:16:20 74096 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-02-08 00:16:20 697712 ----a-w- c:\windows\system32\FlashPlayerApp.exe
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll iaStor.sys
c:\windows\system32\drivers\iaStor.sys Intel Corporation Intel Matrix Storage Manager driver
1 ntkrnlpa!IofCallDriver[0x804EF1B0] -> \Device\Harddisk0\DR0[0x8A8C6AB8]
3 CLASSPNP[0xF74E7FD7] -> ntkrnlpa!IofCallDriver[0x804EF1B0] -> \Device\00000087[0x8A866960]
5 ACPI[0xF735E620] -> ntkrnlpa!IofCallDriver[0x804EF1B0] -> \Device\Ide\IAAStorageDevice-0[0x8A8A7030]
kernel: MBR read successfully
_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x7a; }
user != kernel MBR !!!
.
============= FINISH: 5:53:48.59 ===============
xrisem
Regular Member
 
Posts: 16
Joined: February 16th, 2013, 1:32 am

Re: Win32sirefef.ez trojan cannot be deleted.

Post by melboy » February 16th, 2013, 7:49 am

Hi and welcome to the MR forums. :)

I'm melboy and I am going to try to help you with your problem. Please take note of the following:

  1. I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  2. The fixes are specific to your problem and should only be used for this issue on this machine.
  3. If you don't know or understand something, please don't hesitate to ask.
  4. Please refrain from making any further changes to your computer (Install/Uninstall programs, delete files, edit the registry, etc...)
  5. Please DO NOT run any other tools or scans whilst I am helping you.
  6. It is important that you reply to this thread. Do not start a new topic.
  7. DO NOT attach logs unless requested to. Please copy/paste all requested logs into your replies.
  8. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  9. Absence of symptoms does not mean that everything is clear.


NOTE: Please take time to read the Malware Removal Forum Guidelines and Rules where the conditions for receiving help at this forum are explained.


IMPORTANT: Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.



No Reply Within 3 Days Will Result In Your Topic Being Closed!! If you need more time, please inform me.


=======================================


Rootkit

You are indeed infected with win32/sirefef

Please refer to this topic.
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK
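
The verdict above is read off the DDS log at the top of the thread. As an added illustration (not the forum's or any tool's own code), here is a Python triage pass over the SERVICES / DRIVERS and ROOTKIT blocks quoted from that log; it applies three checks a helper makes by eye: a core Windows binary (svchost.exe) registered from outside the Windows directory, an interactive tool (regedit.exe) used as a service image, and GMER's "user != kernel MBR" cross-view mismatch. The binary lists and the %windir% path rule are assumptions of the example, not something DDS defines.

```python
import re
from dataclasses import dataclass

# Constructed input for the example: the SERVICES / DRIVERS and ROOTKIT blocks
# are quoted from the DDS log posted at the top of this thread.
DDS_LOG = r"""
============= SERVICES / DRIVERS ===============
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-7-1 34312]
R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2007-12-21 468224]
S2 EFix4;Nod32 AV;c:\windows\regedit.exe [2004-8-4 224256]
S2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
S2 MyDNS;Window Net Dns;c:\program files\internet explorer\svchost.exe --> c:\program files\internet explorer\svchost.exe [?]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-7-13 160944]
=================== ROOTKIT ====================
kernel: MBR read successfully
user != kernel MBR !!!
"""

# DDS service line: <R|S><start type> <name>;<display name>;<image> [<date> <size>]
SERVICE_RE = re.compile(r"^(?P<kind>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
IMAGE_RE = re.compile(r"^(?P<path>.*?\.(?:exe|sys|dll))(?P<args>.*)$", re.IGNORECASE)

# Core Windows binaries that only ever run from the Windows directory; a copy
# anywhere else is a classic masquerade (assumed list for the example).
WINDOWS_BINARIES = {"svchost.exe", "services.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
# Interactive tools that are never a legitimate service image (assumed list).
NOT_A_SERVICE = {"regedit.exe", "notepad.exe", "cmd.exe", "explorer.exe"}


@dataclass
class Service:
    kind: str      # R = running, S = stopped
    start: str     # start-type digit as DDS prints it (2 = automatic)
    name: str
    display: str
    image: str     # resolved image path, lower-cased, arguments removed
    present: bool  # False when DDS printed [?] (file not found or unreadable)


def parse_service(line):
    """Parse one SERVICES / DRIVERS line; return None for anything else."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").strip()
    present = not rest.endswith("[?]")
    rest = re.sub(r"\s*\[[^\]]*\]$", "", rest)   # drop trailing "[date size]" / "[?]"
    if "-->" in rest:                            # "registry value --> resolved path"
        rest = rest.split("-->", 1)[1].strip()
    im = IMAGE_RE.match(rest)
    image = (im.group("path") if im else rest).strip().lower()
    return Service(m.group("kind"), m.group("start"), m.group("name"),
                   m.group("display"), image, present)


def triage_service(svc):
    """Return (severity, reason) pairs for one service entry."""
    findings = []
    directory, _, base = svc.image.rpartition("\\")
    directory += "\\"
    # Assumes a standard %windir% layout; matching on the path suffix keeps the
    # drive letter out of the check.
    in_windows_dir = directory.endswith(("\\windows\\", "\\windows\\system32\\"))
    if base in WINDOWS_BINARIES and not in_windows_dir:
        findings.append(("high", f"{base} registered from outside the Windows directory: {svc.image}"))
    if base in NOT_A_SERVICE:
        findings.append(("high", f"{base} is an interactive tool, not a service image (display name '{svc.display}')"))
    if not svc.present and svc.start == "2":
        findings.append(("info", "auto-start service whose image file DDS could not find"))
    return findings


def triage(log_text):
    """Run every check over a DDS log; returns (service name, severity, reason) triples."""
    findings = []
    for line in log_text.splitlines():
        svc = parse_service(line)
        if svc:
            findings.extend((svc.name, sev, why) for sev, why in triage_service(svc))
    # GMER's cross-view check: the MBR read through the normal user-mode API
    # differs from the one its kernel driver read, so something is filtering disk reads.
    if "user != kernel MBR" in log_text:
        findings.append(("MBR", "high", "user-mode and kernel-mode reads of the MBR differ"))
    return findings


if __name__ == "__main__":
    for name, severity, reason in triage(DDS_LOG):
        print(f"[{severity}] {name}: {reason}")
```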

Re: Win32sirefef.ez trojan cannot be deleted.

Post by xrisem » February 17th, 2013, 3:46 am

I have gone through the link you highlighted, melboy. What do I do next? As it stands, I don't have access to the internet cos my DNS seems to have been reconfigured by the virus.

What is next please?
xrisem
Regular Member
 
Posts: 16
Joined: February 16th, 2013, 1:32 am

Re: Win32sirefef.ez trojan cannot be deleted.

Post by melboy » February 17th, 2013, 5:21 am

Hi xrisem

It's now down to a choice of what you want to do to remove this from your computer. You basically have two choices as outlined here: viewtopic.php?p=613755#p613755
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Win32sirefef.ez trojan cannot be deleted.

Post by xrisem » February 17th, 2013, 12:39 pm

I have gone through the link you provided and would like to remove them without formatting my machine totally.
xrisem
Regular Member
 
Posts: 16
Joined: February 16th, 2013, 1:32 am

Re: Win32sirefef.ez trojan cannot be deleted.

Post by melboy » February 18th, 2013, 3:21 am

ComboFix (by sUBs)

Please visit this webpage for instructions for downloading and running ComboFix: Bleeping Computer ComboFix Tutorial

  • You must download it to and run it from your Desktop
  • Now STOP all your security applications (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    For instructions on how to disable your security programs, please see this topic:
    How to disable your security applications
  • Double click combofix.exe & follow the prompts.
  • Combofix may reboot your computer several times.
  • When finished, it will produce a log. Please save that log to post in your next reply
  • Re-enable all the programs that were disabled during the running of ComboFix.


A word of warning: This tool is not for everyday use. ComboFix SHOULD NOT be used unless requested by a forum helper.
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Win32sirefef.ez trojan cannot be deleted.

Post by xrisem » February 18th, 2013, 3:45 pm

Hi Melboy, I have done a system default reset but still suspected the virus was still there cos the MBR read was still unsuccessful, so I did a boot scan with the Avast free download. After the scan, I ran aswMBR from Avast, and it read the MBR successfully. I still don't know much at the moment.
My apologies for running these scans on my own, but I had no choice cos I couldn't sleep well since the virus invaded my machine. It's more like invading my physical body, lol.

Where can we go from here?
xrisem
Regular Member
 
Posts: 16
Joined: February 16th, 2013, 1:32 am

Re: Win32sirefef.ez trojan cannot be deleted.

Post by melboy » February 18th, 2013, 4:35 pm

Hi

Please clarify what you mean by a "system default reset"

Did you restore the computer to factory defaults? Or did you do a Windows System Restore?

Please post the log from aswMBR - aswMBR.txt - It should be found on your desktop.

You should also see a file named attach.txt from when you ran DDS. Please post the contents of that too.
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Win32sirefef.ez trojan cannot be deleted.

Post by xrisem » February 18th, 2013, 4:44 pm

Hi Melboy, yes, I mean system default from the F10 function, and the system was restored to original factory settings.
xrisem
Regular Member
 
Posts: 16
Joined: February 16th, 2013, 1:32 am

Re: Win32sirefef.ez trojan cannot be deleted.

Post by melboy » February 18th, 2013, 4:47 pm

Please post aswMBR.txt
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Win32sirefef.ez trojan cannot be deleted.

Post by xrisem » February 18th, 2013, 11:39 pm

aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
Run date: 2013-02-18 22:13:33
-----------------------------
22:13:33.984 OS Version: Windows 5.1.2600 Service Pack 3
22:13:33.984 Number of processors: 2 586 0xE0C
22:13:33.984 ComputerName: CHRISTIAN UserName: Chris
22:13:35.031 Initialize success
22:13:35.296 AVAST engine defs: 13021800
22:15:11.062 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
22:15:11.062 Disk 0 Vendor: Size: 0MB BusType: 0
22:15:11.125 Disk 0 MBR read successfully
22:15:11.140 Disk 0 MBR scan
22:15:11.156 Disk 0 Windows XP default MBR code
22:15:11.156 Disk 0 MBR hidden
22:15:11.171 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 104375 MB offset 63
22:15:11.218 Disk 0 Partition 2 00 0C FAT32 LBA RECOVERY 9060 MB offset 213776955
22:15:11.250 Disk 0 Partition 3 00 D7 NTFS 1027 MB offset 232332030
22:15:11.328 Disk 0 scanning C:\WINDOWS\system32\drivers
22:15:21.171 Service scanning
22:15:26.578 Service KL1 C:\WINDOWS\system32\DRIVERS\kl1.sys **LOCKED** 5
22:15:26.687 Service kl2 C:\WINDOWS\system32\DRIVERS\kl2.sys **LOCKED** 5
22:15:26.828 Service klim5 C:\WINDOWS\system32\DRIVERS\klim5.sys **LOCKED** 5
22:15:26.906 Service klmouflt C:\WINDOWS\system32\DRIVERS\klmouflt.sys **LOCKED** 5
22:15:34.578 Modules scanning
22:15:40.296 Disk 0 trace - called modules:
22:15:40.328 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll iaStor.sys
22:15:40.343 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a32d030]
22:15:40.359 3 CLASSPNP.SYS[f74e7fd7] -> nt!IofCallDriver -> \Device\0000008b[0x8a3b7980]
22:15:40.375 5 ACPI.sys[f735e620] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x8a393030]
22:15:40.828 AVAST engine scan C:\WINDOWS
22:15:53.437 AVAST engine scan C:\WINDOWS\system32
22:17:28.156 AVAST engine scan C:\WINDOWS\system32\drivers
22:17:45.921 AVAST engine scan C:\Documents and Settings\Chris
22:20:09.640 AVAST engine scan C:\Documents and Settings\All Users
22:22:32.250 Scan finished successfully
22:22:43.109 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Chris\Desktop\MBR.dat"
22:22:43.140 The log file has been saved successfully to "C:\Documents and Settings\Chris\Desktop\aswMBR.txt"
22:24:24.578 Verifying
22:24:34.734 Disk 0 Windows 501 MBR fixed successfully
22:24:45.250 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Chris\Desktop\MBR.dat"
22:24:45.281 The log file has been saved successfully to "C:\Documents and Settings\Chris\Desktop\aswMBR.txt"
xrisem
Regular Member
 
Posts: 16
Joined: February 16th, 2013, 1:32 am

Re: Win32sirefef.ez trojan cannot be deleted.

Post by melboy » February 19th, 2013, 9:19 am

Hi

As you've restored to factory settings, please supply new DDS logs - Both DDS.txt and attach.txt

viewtopic.php?p=491381#p491381
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Win32sirefef.ez trojan cannot be deleted.

Post by xrisem » February 20th, 2013, 9:13 am

Hi Melboy,
Sorry about the delay. Please see below the report of the DDS scan.

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by Chris at 17:08:38 on 2013-02-20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1530 [GMT 4:00]
.
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Kaspersky PURE 2.0 *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Norton Internet Worm Protection *Disabled*
FW: Kaspersky PURE 2.0 *Disabled*
.
============== Running Processes ================
.
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Kaspersky Lab\Kaspersky PURE 2.0\avp.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Kaspersky Lab\Kaspersky PURE 2.0\avp.exe
C:\Program Files\Common Files\InfoWatch\CryptoStorage\ProtectedObjectsSrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
uURLSearchHooks: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: IEVkbdBHO Class: {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - c:\program files\kaspersky lab\kaspersky pure 2.0\ievkbd.dll
BHO: SSVHelper Class: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.8313.1002\swg.dll
BHO: FilterBHO Class: {E33CF602-D945-461A-83F0-819F76A199F8} - c:\program files\kaspersky lab\kaspersky pure 2.0\klwtbbho.dll
TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [QlbCtrl] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [Cpqset] c:\program files\hewlett-packard\default settings\cpqset.exe
mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky pure 2.0\avp.exe"
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: Add to Anti-Banner - c:\program files\kaspersky lab\kaspersky pure 2.0\ie_banner_deny.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky pure 2.0\ievkbd.dll
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky pure 2.0\klwtbbho.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
Notify: igfxcui - igfxdev.dll
Notify: klogon - c:\windows\system32\klogon.dll
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\24.0.1312.57\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
============= SERVICES / DRIVERS ===============
.
R0 CSCrySec;InfoWatch Encrypt Sector Library driver;c:\windows\system32\drivers\CSCrySec.sys [2013-2-18 88632]
R0 KL1;kl1;c:\windows\system32\drivers\kl1.sys [2011-10-20 135984]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2013-2-18 738504]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2013-2-18 361032]
R1 CSVirtualDiskDrv;InfoWatch Virtual Disk driver;c:\windows\system32\drivers\CSVirtualDiskDrv.sys [2013-2-18 39352]
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [2011-10-20 13104]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2013-2-18 581464]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2013-2-18 21256]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2013-2-18 44808]
R2 AVP;Kaspersky Anti-Virus Service;c:\program files\kaspersky lab\kaspersky pure 2.0\avp.exe [2012-8-30 202328]
R2 CSObjectsSrv;CryptoStorage control service;c:\program files\common files\infowatch\cryptostorage\ProtectedObjectsSrv.exe [2009-12-21 743992]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2011-3-10 34608]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-11-2 19472]
S2 PEVSystemStart;PEVSystemStart;c:\combofix\pev.3XE [2011-6-26 256000]
.
=============== Created Last 30 ================
.
2013-02-18 16:30:13 -------- d-----w- c:\documents and settings\chris\local settings\application data\Google
2013-02-18 16:30:10 738504 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2013-02-18 16:29:48 41224 ----a-w- c:\windows\avastSS.scr
2013-02-18 16:29:27 -------- d-----w- c:\program files\AVAST Software
2013-02-18 16:29:27 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
2013-02-18 11:13:26 -------- d-sha-r- C:\cmdcons
2013-02-18 11:00:41 98816 ----a-w- c:\windows\sed.exe
2013-02-18 11:00:41 256000 ----a-w- c:\windows\PEV.exe
2013-02-18 11:00:41 208896 ----a-w- c:\windows\MBR.exe
2013-02-18 11:00:32 -------- d-s---w- C:\ComboFix
2013-02-18 09:12:42 -------- d-----w- c:\documents and settings\all users\application data\HitmanPro
2013-02-18 08:13:47 26368 ----a-w- c:\windows\system32\dllcache\usbstor.sys
2013-02-18 04:02:05 -------- d-sh--w- c:\documents and settings\chris\Temporary Internet Files
2013-02-18 04:02:05 -------- d-sh--w- c:\documents and settings\chris\History
2013-02-18 03:56:18 185344 ----a-w- c:\windows\system32\Thawbrkr.dll
2013-02-18 03:56:18 10752 ----a-w- c:\windows\system32\c_iscii.dll
2013-02-18 03:56:17 5632 ----a-w- c:\windows\system32\kbdusa.dll
2013-02-18 03:56:16 6144 ----a-w- c:\windows\system32\ftlx041e.dll
2013-02-18 03:56:05 21504 ----a-w- c:\windows\system32\hidserv.dll
2013-02-18 03:56:02 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2013-02-18 03:55:57 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2013-02-18 03:55:56 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2013-02-17 21:17:12 -------- d-----r- C:\Backup
2013-02-17 21:16:14 98168 ----a-w- c:\windows\system32\drivers\klick.dat
2013-02-17 21:16:14 116189 ----a-w- c:\windows\system32\drivers\klin.dat
2013-02-17 21:15:17 -------- d-----w- c:\program files\common files\InfoWatch
2013-02-17 21:15:14 -------- d-----w- c:\program files\Kaspersky Lab
2013-02-17 21:15:14 -------- d-----w- c:\documents and settings\all users\application data\Kaspersky Lab
2013-02-17 20:51:45 39352 ----a-w- c:\windows\system32\drivers\CSVirtualDiskDrv.sys
2013-02-17 20:51:43 88632 ----a-w- c:\windows\system32\drivers\CSCrySec.sys
2013-02-17 20:49:05 -------- d-----w- c:\windows\system32\appmgmt
2013-02-17 20:36:46 -------- d-----w- c:\windows\ie8updates
2013-02-17 20:36:13 -------- d-----w- c:\program files\MSXML 4.0
2013-02-17 20:29:11 456320 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2013-02-17 20:28:51 272128 ------w- c:\windows\system32\dllcache\bthport.sys
2013-02-17 20:28:40 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
2013-02-17 20:28:40 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2013-02-17 20:28:20 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2013-02-17 20:27:27 290560 ------w- c:\windows\system32\dllcache\atmfd.dll
2013-02-17 20:27:16 81920 ------w- c:\windows\system32\dllcache\fontsub.dll
2013-02-17 20:27:15 119808 ------w- c:\windows\system32\dllcache\t2embed.dll
2013-02-17 20:27:10 203136 ------w- c:\windows\system32\dllcache\rmcast.sys
2013-02-17 20:27:05 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2013-02-17 20:26:23 331776 ------w- c:\windows\system32\dllcache\msadce.dll
2013-02-17 20:26:08 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
2013-02-17 20:26:00 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2013-02-17 20:25:58 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2013-02-17 20:25:23 105472 ------w- c:\windows\system32\dllcache\mup.sys
2013-02-17 20:25:14 401408 ------w- c:\windows\system32\dllcache\rpcss.dll
2013-02-17 20:25:14 35328 ------w- c:\windows\system32\dllcache\sc.exe
2013-02-17 20:25:14 284160 ------w- c:\windows\system32\dllcache\pdh.dll
2013-02-17 20:25:14 110592 ------w- c:\windows\system32\dllcache\services.exe
2013-02-17 20:25:13 617472 ------w- c:\windows\system32\dllcache\advapi32.dll
2013-02-17 20:25:13 473600 ------w- c:\windows\system32\dllcache\fastprox.dll
2013-02-17 20:25:13 453120 ------w- c:\windows\system32\dllcache\wmiprvsd.dll
2013-02-17 20:25:13 227840 ------w- c:\windows\system32\dllcache\wmiprvse.exe
2013-02-17 20:24:04 139784 ------w- c:\windows\system32\dllcache\rdpwd.sys
2013-02-17 20:23:58 536576 ------w- c:\windows\system32\dllcache\msado15.dll
2013-02-17 20:23:41 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2013-02-17 20:22:37 718336 ------w- c:\windows\system32\dllcache\ntdll.dll
2013-02-17 20:22:36 2193024 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2013-02-17 20:22:36 2148864 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2013-02-17 20:22:36 2069760 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2013-02-17 20:22:36 2027520 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2013-02-17 20:22:34 218112 ------w- c:\windows\system32\dllcache\wordpad.exe
2013-02-17 20:22:29 10496 ------w- c:\windows\system32\dllcache\ndistapi.sys
2013-02-17 20:22:25 3072 ------w- c:\windows\system32\iacenc.dll
2013-02-17 20:22:25 3072 ------w- c:\windows\system32\dllcache\iacenc.dll
2013-02-17 20:20:53 45568 ------w- c:\windows\system32\dllcache\wab.exe
2013-02-17 20:20:51 590848 ------w- c:\windows\system32\dllcache\rpcrt4.dll
2013-02-17 20:20:51 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2013-02-17 20:20:37 -------- d-----w- c:\windows\system32\PreInstall
2013-02-17 20:16:54 -------- d-----w- c:\windows\system32\SoftwareDistribution
2013-02-17 20:14:08 -------- d-----w- c:\program files\MSECache
2013-02-17 20:07:44 -------- d-sh--w- c:\documents and settings\chris\PrivacIE
2013-02-17 20:04:34 -------- d-sh--w- c:\documents and settings\chris\IETldCache
2013-02-17 19:56:14 -------- d-----w- c:\windows\ServicePackFiles
2013-02-17 19:54:30 19569 ----a-w- c:\windows\002676_.tmp
2013-02-17 19:47:01 -------- dc-h--w- c:\windows\ie8
2013-02-17 19:43:47 -------- d-----w- c:\program files\Microsoft Download Manager
2013-02-17 19:10:57 -------- d-s---w- c:\documents and settings\chris\UserData
2013-01-26 03:55:44 552448 ------w- c:\windows\system32\dllcache\oleaut32.dll
.
==================== Find3M ====================
.
2013-01-26 03:55:44 552448 ----a-w- c:\windows\system32\oleaut32.dll
2013-01-07 01:19:45 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-01-07 00:37:01 2027520 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-01-04 01:20:00 1867264 ----a-w- c:\windows\system32\win32k.sys
2013-01-02 06:49:10 148992 ----a-w- c:\windows\system32\mpg2splt.ax
2013-01-02 06:49:10 1292288 ----a-w- c:\windows\system32\quartz.dll
2012-12-16 12:23:59 290560 ----a-w- c:\windows\system32\atmfd.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll iaStor.sys
c:\windows\system32\drivers\iaStor.sys Intel Corporation Intel Matrix Storage Manager driver
1 ntkrnlpa!IofCallDriver[0x804EF1F0] -> \Device\Harddisk0\DR0[0x8A35EAB8]
3 CLASSPNP[0xF74E7FD7] -> ntkrnlpa!IofCallDriver[0x804EF1F0] -> \Device\0000008b[0x8A35F980]
5 ACPI[0xF735E620] -> ntkrnlpa!IofCallDriver[0x804EF1F0] -> \Device\Ide\IAAStorageDevice-0[0x8A38D030]
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
user != kernel MBR !!!
.
============= FINISH: 17:09:27.73 ===============

Re: Win32sirefef.ez trojan cannot be deleted.

Unread postby melboy » February 20th, 2013, 1:51 pm

Please post the contents of Attach.txt?

Re: Win32sirefef.ez trojan cannot be deleted.

Unread postby xrisem » February 20th, 2013, 2:06 pm

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 2/18/2013 8:00:06 AM
System Uptime: 2/20/2013 3:44:19 PM (2 hours ago)
.
Motherboard: Quanta | | 30BB
Processor: Intel(R) Core(TM) Duo CPU T2450 @ 2.00GHz | U2E1 | 1596/533mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 102 GiB total, 85.036 GiB free.
D: is FIXED (FAT32) - 9 GiB total, 1.435 GiB free.
E: is CDROM ()
F: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP1: 2/18/2013 8:00:10 AM - System Checkpoint
RP2: 2/17/2013 9:08:58 PM - Norton Antivirus post configuration restore point
RP3: 2/17/2013 11:43:47 PM - Installed Microsoft Download Manager
RP4: 2/17/2013 11:46:00 PM - Installed Windows XP KB932823-v3.
RP5: 2/17/2013 11:47:14 PM - Installed Windows Internet Explorer 8.
RP6: 2/17/2013 11:54:36 PM - Installed Windows XP Service Pack 3.
RP7: 2/18/2013 12:14:14 AM - Installed Compatibility Pack for the 2007 Office system
RP8: 2/18/2013 12:20:33 AM - Software Distribution Service 3.0
RP9: 2/18/2013 12:34:26 AM - Software Distribution Service 3.0
RP10: 2/18/2013 12:52:33 AM - Installed Kaspersky PURE 2.0.
RP11: 2/18/2013 1:11:03 AM - Installed Windows XP WgaNotify.
RP12: 2/18/2013 1:15:09 AM - Installed Kaspersky PURE 2.0.
RP13: 2/18/2013 3:01:39 AM - Software Distribution Service 3.0
RP14: 2/18/2013 9:19:15 AM - Removed NetWaiting
RP15: 2/18/2013 9:19:47 AM - Removed Quicken 2006
RP16: 2/18/2013 9:21:45 AM - Removed muvee autoProducer 5.0
RP17: 2/18/2013 9:22:23 AM - Removed Vongo
RP18: 2/18/2013 9:23:11 AM - Removed Sonic Update Manager
RP19: 2/18/2013 8:29:27 PM - avast! Free Antivirus Setup
RP20: 2/18/2013 8:44:49 PM - Restore Operation
RP21: 2/18/2013 10:07:29 PM - Software Distribution Service 3.0
RP22: 2/20/2013 4:13:08 PM - System Checkpoint
.
==== Installed Programs ======================
.
Adobe Reader 7.0.5
AutoUpdate
avast! Free Antivirus
Compatibility Pack for the 2007 Office system
Conexant HD Audio
Customer Experience Enhancement
Destinations
DeviceManagementQFolder
DivX
Easy Internet Sign-up
Google Chrome
Google Toolbar for Internet Explorer
Google Update Helper
Hotfix for Windows XP (KB2779562)
Hotfix for Windows XP (KB952287)
HP Help and Support
HP Imaging Device Functions 6.0
HP Quick Launch Buttons 6.10 A2
HP QuickPlay 2.3
HP Rhapsody
HP Update
HP User Guides 0035
HP Wireless Assistant 2.00 G2
HpSdpAppCoreApp
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections Drivers
J2SE Runtime Environment 5.0 Update 6
Kaspersky PURE 2.0
LightScribe 1.4.97.1
Macromedia Flash Player 8
Macromedia Shockwave Player
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2742597)
Microsoft Download Manager
Microsoft Money 2006
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Security Update for Microsoft Windows (KB2564958)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2655992)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2691442)
Security Update for Windows XP (KB2698365)
Security Update for Windows XP (KB2705219-v2)
Security Update for Windows XP (KB2712808)
Security Update for Windows XP (KB2719985)
Security Update for Windows XP (KB2723135-v2)
Security Update for Windows XP (KB2727528)
Security Update for Windows XP (KB2753842-v2)
Security Update for Windows XP (KB2757638)
Security Update for Windows XP (KB2758857)
Security Update for Windows XP (KB2770660)
Security Update for Windows XP (KB2778344)
Security Update for Windows XP (KB2780091)
Security Update for Windows XP (KB2799494)
Security Update for Windows XP (KB2802968)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982665)
Soft Data Fax Modem with SmartCP
Synaptics Pointing Device Driver
Unload
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2661254-v2)
Update for Windows XP (KB2736233)
Update for Windows XP (KB2749655)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB973815)
Vongo
WebFldrs XP
WildTangent Web Driver
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool
Windows Internet Explorer 8
Windows Media Connect
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 3
Wireless Home Network Setup
Yahoo! Toolbar
Yahoo! Toolbar for Internet Explorer
.
==== Event Viewer Messages From Past Week ========
.
2/19/2013 7:36:20 AM, error: Dhcp [1002] - The IP address lease XXX.XXX.XXX.XXX for the Network Card with network address 001CBF074CBD has been denied by the DHCP server XXX.XXX.XXX.XXX (The DHCP Server sent a DHCPNACK message).
2/18/2013 9:06:29 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 aswSnx aswSP aswTdi CSVirtualDiskDrv Fips intelppm KLIF
2/18/2013 9:06:29 PM, error: Service Control Manager [7001] - The Message Queuing Triggers service depends on the Message Queuing service which failed to start because of the following error: The dependency service or group failed to start.
2/18/2013 9:06:29 PM, error: Service Control Manager [7001] - The Message Queuing service depends on the Distributed Transaction Coordinator service which failed to start because of the following error: The dependency service or group failed to start.
2/18/2013 9:05:11 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
2/18/2013 12:52:00 AM, error: Service Control Manager [7006] - The ScRegSetValueExW call failed for Type with the following error: Access is denied.
2/18/2013 12:39:05 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft .NET Framework 1.1 SP1 on Windows XP, Windows Vista, and Windows Server 2008 x86 (KB2742597).
2/18/2013 10:05:04 PM, error: System Error [1003] - Error code 000000ca, parameter1 00000004, parameter2 881823f0, parameter3 00000000, parameter4 00000000.
2/18/2013 1:50:58 PM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Kaspersky Anti-Virus Service service, but this action failed with the following error: An instance of the service is already running.
2/18/2013 1:50:48 PM, error: Service Control Manager [7031] - The Kaspersky Anti-Virus Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.
.
==== End Of File ===========================