Multiple Trojan Sirefef and more


  • This topic is locked
136 replies to this topic

#16 D-FRED-BROWN

D-FRED-BROWN

    Resident Bracketologist

  • Malware Response Team
  • PipPipPipPipPip
  • 662 posts
  • Gender:Male
  • Location:Kansas, USA

Posted 06 August 2012 - 09:23 PM

Go ahead and run the scan again, but make sure that Remove found threats and Scan unwanted applications are both checked.
Proud graduate of SpywareInfo Bootcamp
Follow me on Twitter! @dfredbrown
Posted Image
Unified Network of Instructors and Trained Eliminators

I volunteer my free time to help you. Please consider making a donation so I can continue helping people like you.
Posted Image
Thank you!

 

#17 buttafly75

buttafly75

    Member

  • Members
  • PipPip
  • 71 posts

Posted 07 August 2012 - 08:27 AM

Good Morning,

I hope this post finds you doing well. I ran the ESET Online Scanner again. Below is the log:



ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=dc4e339414a9f94bbb12045f35f90d0f
# end=stopped
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-08-04 09:08:02
# local_time=2012-08-04 05:08:02 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=512 16777215 100 0 19653460 19653460 0 0
# compatibility_mode=5893 16776573 100 94 0 95657384 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=34169
# found=0
# cleaned=0
# scan_time=568
# version=7
# iexplore.exe=9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=dc4e339414a9f94bbb12045f35f90d0f
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-08-06 10:38:41
# local_time=2012-08-06 06:38:41 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=512 16777215 100 0 19823093 19823093 0 0
# compatibility_mode=5893 16776573 100 94 0 95827017 0 0
# compatibility_mode=8192 67108863 100 0 83495 83495 0 0
# scanned=425827
# found=25
# cleaned=0
# scan_time=9175
C:\Program Files (x86)\Uniblue\RegistryBooster\Launcher.exe a variant of Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
C:\Program Files (x86)\Uniblue\RegistryBooster\rbmonitor.exe Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
C:\Program Files (x86)\Uniblue\RegistryBooster\rbnotifier.exe Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
C:\Program Files (x86)\Uniblue\RegistryBooster\rb_move_serial.exe Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
C:\Program Files (x86)\Uniblue\RegistryBooster\rb_ubm.exe Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
C:\Program Files (x86)\Uniblue\RegistryBooster\registrybooster.exe Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
C:\Program Files (x86)\Vid-Saver\Vid-Saver.dll Win32/Toolbar.CrossRider application (unable to clean) 00000000000000000000000000000000 I
C:\Program Files (x86)\Yontoo\YontooIEClient.dll a variant of Win32/Adware.Yontoo.A application (unable to clean) 00000000000000000000000000000000 I
C:\ProgramData\Spybot - Search & Destroy\Recovery\WiIQfraud12.zip Win32/Bagle.gen.zip worm (unable to clean) 00000000000000000000000000000000 I
C:\ProgramData\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application (unable to clean) 00000000000000000000000000000000 I
C:\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Users\butter\AppData\Local\ATI\ATIUpdate\ATIupdt32.dll.vir a variant of Win32/Kryptik.XVY trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Users\butter\AppData\Roaming\Mozilla\Firefox\Profiles\931mcios.default\extensions\{edb6ee7a-a353-4082-a056-e12e01ff6547}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\All Users\Spybot - Search & Destroy\Recovery\WiIQfraud12.zip Win32/Bagle.gen.zip worm (unable to clean) 00000000000000000000000000000000 I
C:\Users\All Users\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application (unable to clean) 00000000000000000000000000000000 I
C:\Users\All Users\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application (unable to clean) 00000000000000000000000000000000 I
C:\Users\butter\AppData\Roaming\Uniblue\RegistryBooster\_temp\ub.exe a variant of Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
C:\Users\butter\Downloads\7zip-setup.exe Win32/DownloadAdmin.A.Gen application (unable to clean) 00000000000000000000000000000000 I
C:\Users\butter\Downloads\registrybooster.exe Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
C:\Users\butter\Downloads\setup(2).exe Win32/Toolbar.Zugo application (unable to clean) 00000000000000000000000000000000 I
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OZHQVQ0A\firstload_com[1].htm HTML/Hoax.FastDownload.C.Gen application (unable to clean) 00000000000000000000000000000000 I
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OZHQVQ0A\mx_mainxu[1].htm HTML/Iframe.B.Gen virus (unable to clean) 00000000000000000000000000000000 I
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OZHQVQ0A\firstload_com[1].htm HTML/Hoax.FastDownload.C.Gen application (unable to clean) 00000000000000000000000000000000 I
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OZHQVQ0A\mx_mainxu[1].htm HTML/Iframe.B.Gen virus (unable to clean) 00000000000000000000000000000000 I
${Memory} Win32/RegistryBooster application 00000000000000000000000000000000 I
esets_scanner_update returned -1 esets_gle=53251
# version=7
# iexplore.exe=9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=dc4e339414a9f94bbb12045f35f90d0f
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-08-07 05:40:08
# local_time=2012-08-07 01:40:08 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=512 16777215 100 0 19847897 19847897 0 0
# compatibility_mode=5893 16776573 100 94 0 95851821 0 0
# compatibility_mode=8192 67108863 100 0 108299 108299 0 0
# scanned=426426
# found=19
# cleaned=19
# scan_time=9656
C:\Program Files (x86)\Uniblue\RegistryBooster\Launcher.exe a variant of Win32/RegistryBooster application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files (x86)\Uniblue\RegistryBooster\rbmonitor.exe Win32/RegistryBooster application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files (x86)\Uniblue\RegistryBooster\rbnotifier.exe Win32/RegistryBooster application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files (x86)\Uniblue\RegistryBooster\rb_move_serial.exe Win32/RegistryBooster application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files (x86)\Uniblue\RegistryBooster\rb_ubm.exe Win32/RegistryBooster application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files (x86)\Uniblue\RegistryBooster\registrybooster.exe Win32/RegistryBooster application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files (x86)\Vid-Saver\Vid-Saver.dll Win32/Toolbar.CrossRider application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files (x86)\Yontoo\YontooIEClient.dll a variant of Win32/Adware.Yontoo.A application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\ProgramData\Spybot - Search & Destroy\Recovery\WiIQfraud12.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\ProgramData\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Users\butter\AppData\Local\ATI\ATIUpdate\ATIupdt32.dll.vir a variant of Win32/Kryptik.XVY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Users\butter\AppData\Roaming\Mozilla\Firefox\Profiles\931mcios.default\extensions\{edb6ee7a-a353-4082-a056-e12e01ff6547}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\butter\AppData\Roaming\Uniblue\RegistryBooster\_temp\ub.exe a variant of Win32/RegistryBooster application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\butter\Downloads\7zip-setup.exe Win32/DownloadAdmin.A.Gen application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\butter\Downloads\registrybooster.exe Win32/RegistryBooster application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\butter\Downloads\setup(2).exe Win32/Toolbar.Zugo application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OZHQVQ0A\firstload_com[1].htm HTML/Hoax.FastDownload.C.Gen application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OZHQVQ0A\mx_mainxu[1].htm HTML/Iframe.B.Gen virus (deleted - quarantined) 00000000000000000000000000000000 C
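
The runs in the log above differ in their remove_checked option and in their found/cleaned counters. The following Python sketch is an added example, not part of the original post and not ESET tooling: it splits a log in this layout into runs and flags any run that reported detections with removal switched off. The sample log is constructed, and the reading of the trailing I/C flag is an assumption inferred from the posted lines.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the layout of the log posted above: "# key=value"
# header lines open each run and its detection lines follow.
SAMPLE_LOG = r"""
# version=7
# end=finished
# remove_checked=false
# unwanted_checked=true
# found=3
# cleaned=0
C:\Program Files (x86)\Example Tool\tool.exe a variant of Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
C:\Users\sample\Downloads\setup(2).exe Win32/Toolbar.Zugo application (unable to clean) 00000000000000000000000000000000 I
${Memory} Win32/RegistryBooster application 00000000000000000000000000000000 I
# version=7
# end=finished
# remove_checked=true
# unwanted_checked=true
# found=2
# cleaned=2
C:\Program Files (x86)\Example Tool\tool.exe a variant of Win32/RegistryBooster application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\sample\Downloads\setup(2).exe Win32/Toolbar.Zugo application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
"""

# path, detection name, object type, optional "(status)", 32-hex field, flag.
# The path may contain spaces, so it is matched lazily up to the name.
DETECTION = re.compile(
    r"^(?P<path>.+?) (?P<threat>(?:a variant of )?\S+) "
    r"(?P<kind>application|trojan|worm|virus)"
    r"(?: \((?P<status>[^)]*)\))? [0-9A-Fa-f]{32} (?P<flag>[A-Z])$"
)


@dataclass
class Run:
    header: dict = field(default_factory=dict)
    detections: list = field(default_factory=list)


def parse_runs(text):
    """Split a log into runs; a '# version=' line starts a new run."""
    runs = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# ") and "=" in line:
            key, _, value = line[2:].partition("=")
            if key == "version" or not runs:
                runs.append(Run())
            runs[-1].header[key] = value
        elif runs:
            match = DETECTION.match(line)
            if match:
                runs[-1].detections.append(match.groupdict())
    return runs


def summarize(run):
    """Compare a run's options and counters with its listed detections."""
    removal_on = run.header.get("remove_checked") == "true"
    # Assumption inferred from the posted log: flag "C" marks a cleaned item.
    listed_cleaned = sum(1 for d in run.detections if d["flag"] == "C")
    return {
        "finished": run.header.get("end") == "finished",
        "removal_on": removal_on,
        "found": int(run.header.get("found", 0)),
        "cleaned": int(run.header.get("cleaned", 0)),
        "listed_cleaned": listed_cleaned,
        # Detections listed with removal off were only reported, not removed.
        "needs_rescan": bool(run.detections) and not removal_on,
    }


def not_relisted(before, after):
    """Paths detected in an earlier run that a later run no longer lists."""
    later = {d["path"].lower() for d in after.detections}
    return [d["path"] for d in before.detections if d["path"].lower() not in later]


if __name__ == "__main__":
    runs = parse_runs(SAMPLE_LOG)
    for number, run in enumerate(runs, 1):
        print(number, summarize(run))
    print("not re-listed:", not_relisted(runs[0], runs[1]))
```

Entries that an earlier run listed and a later run does not, such as the `${Memory}` line, are worth a second look before treating the cleaned count as the whole picture.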

#18 D-FRED-BROWN

Posted 07 August 2012 - 12:40 PM

Your logs are looking clean. :)

Before we do anything else, please take the time to install the following updates. Using outdated applications leaves you vulnerable to getting infected again.

-------

Java is out of date and older versions contain vulnerabilities. Please update to the newest version.

Download the newest version from here http://www.oracle.com/technetwork/java/javase/downloads/index.html.

It's important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
Go to Start > Control Panel and open Add or Remove Programs.
Search in the list for all previously installed versions of Java (J2SE Runtime Environment).
They will have this icon next to them: Posted Image
Select each in turn and click Remove.

Once old versions are gone, please install the newest version.

-------

Firefox is out of date. Using an outdated version of a web browser leaves you extremely vulnerable to malware!
Please visit the Mozilla site and update it to the latest version.

-------

Please let me know how the updates went, as failed updates may indicate additional malware.

#19 buttafly75

Posted 07 August 2012 - 02:31 PM

Good Afternoon Mr. D-FRED-BROWN,

I hope that all is well with you today. :)

I have deleted the older versions of Java and installed the new one. I also updated Firefox.

However, I notice on this page I am getting an X to the left side of my page where ads would pop up. Usually it looks like a cellphone or just a rectangular box that is almost the size of the cell phone pop up ads. I'm going to restart my computer and see if it goes away.

Mr. Brown, I want to let you know you are the BEST and I appreciate your help so much! :clapping: :thumbsup:

Is there anything else that I need to do?

Edited by buttafly75, 07 August 2012 - 02:33 PM.


#20 D-FRED-BROWN

Posted 07 August 2012 - 03:09 PM

> I hope that all is well with you today. :)

Doing well, thanks!

> I have deleted the older versions of Java and installed the new one. I also updated Firefox.

Glad to hear the updates went well.

> However, I notice on this page I am getting an X to the left side of my page where ads would pop up. Usually it looks like a cellphone or just a rectangular box that is almost the size of the cell phone pop up ads. I'm going to restart my computer and see if it goes away.

Could you take a picture of it and upload it here? Let me know if you still encounter it.

> Mr. Brown, I want to let you know you are the BEST and I appreciate your help so much! :clapping: :thumbsup:

No problem!

> Is there anything else that I need to do?

I'll now provide you with some suggestions for security software, but first...


We Need to Clean Up our Mess
Our work on your machine has left considerable leftovers on your box. Let's clean those up real quick:

First, let's remove ComboFix:
The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

-------------

Let's remove OTL as well:
  • Reopen Posted Image on your desktop.
  • Click on Posted Image
  • You will be prompted to reboot your system. Please do so.

-------------

Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future. :)

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates or get into the habit of checking Windows Update regularly. They usually have security updates every month. You can set Windows to notify you of Updates so that you can choose, but only do this if you believe you are able to understand which ones are needed. This is a crucial security measure.


It is really dangerous to go online without an antivirus. Without one, you are extremely likely to get infected and the consequences could be even worse next time. All of the following are excellent free antiviruses. Be sure to only install one.

avast!
AntiVir
AVG

Please consider installing and running some of the following programs; they are either free or have free versions of commercial programs:

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features if you don't have the resident part of another anti-spyware program running.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for real-time protection against spyware and hijackers may be found here.

Please, consider maintaining a firewall with HIPS (Host Intrusion Prevention Systems). Firewalls are extremely important and are the first part of your computer's defense. HIPS stops malware by monitoring its behavior and it's very important, too.
A firewall is a software program or piece of hardware that helps screen out hackers, viruses, and worms that try to reach your computer over the Internet.
If you are using the Windows Firewall please note that it doesn't monitor or block outbound traffic and is therefore less effective than other free alternatives.

These firewalls are good and do have free versions available. A tutorial on understanding and using firewalls may be found here.


If you use Internet Explorer, it is a good idea to use IE-Spyad for ZonedOut which provides protections against malicious websites. (Requires 2 downloads)

Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster and IE-Spyad can be run with any of them.

Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:

http://www.spywarewarrior.com/rogue_anti-spyware.htm

A similar category of programs is now called "scareware." Scareware programs are active infections that will pop-up on your computer and tell you that you are infected. If you look closely, it will usually have a name that looks like it might be legitimate, but it is NOT one of the programs you installed. It tells you to click and install it right away. If you click on any part of it, including the 'X' to close it, you may actually help it infect your computer further. Keeping protection updated and running resident protection can help prevent these infections. If it happens anyway, get offline as quickly as you can. Pull the internet connection cable or shut down the computer if you have to. Contact someone to help by using another computer if possible. These programs are also sometimes called 'rogues', but they are different than the older version of rogues mentioned above.

Please consider using an alternate browser. Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.
If you are interested, Firefox may be downloaded from here.
Opera is available here: http://www.opera.com/download/

For much more useful information, please also read Tony Klein's excellent article: How did I get infected in the first place

Hopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help. :)

Edited by D-FRED-BROWN, 07 August 2012 - 03:10 PM.


#21 buttafly75

Posted 07 August 2012 - 03:28 PM

Hello again,

It is good to hear that you are doing good today. :)

I have attached a picture of the pop-up ad.



Edited by buttafly75, 07 August 2012 - 03:30 PM.


#22 D-FRED-BROWN

Posted 07 August 2012 - 03:39 PM

Looks like just a banner ad, I wouldn't worry about it.

I'm a pretty big fan of the MVPS Hosts File (link here). If you'd like to avoid banner ads (and pretty much all web page advertisements), then you may wish to look into that :thumbup2:.

#23 buttafly75

Posted 07 August 2012 - 04:53 PM

Hi there,

I tried to uninstall Combo Fix but my pc said it could not locate the file. OTL clean was successful. I notice that Security Check and Malwarebytes are still on my desktop, is this alright?

I downloaded AntiVir, SpywareBlaster (I already had Spybot), and the Outpost Firewall. I also have the registry booster and SuperAntispyware; are these alright?

I downloaded the Opera browser. I usually use Google Chrome and sometimes Firefox, but I will give this a try. I hardly ever use IE.

Oh, and I downloaded the Host file too. I tried to edit my last post before you responded to add the other pop up, but you posted before I finished editing it. I think Host file will take care of this too.

Once again, I want to thank you Mr. D-Fred Brown for all of your help. You have inspired me so much, I am going to sign up for the training here.

#24 D-FRED-BROWN

Posted 07 August 2012 - 05:26 PM

> I tried to uninstall Combo Fix but my pc said it could not locate the file. OTL clean was successful. I notice that Security Check and Malwarebytes are still on my desktop, is this alright?

Locate your existing copy of ComboFix.exe (if you deleted it, just download a new one, but don't run it). Rename ComboFix.exe to Uninstall.exe and double-click that. It should now uninstall.

> I downloaded AntiVir, SpywareBlaster (I already had Spybot), and the Outpost Firewall. I also have the registry booster and SuperAntispyware; are these alright?

That sounds good, though I would caution you against using so-called "registry boosters" or "registry cleaners"... they often do more harm than good.

You can read more about the dangers of registry cleaning programs here: http://chris.pirillo.com/are-registry-cleaners-safe-to-use/

> I downloaded the Opera browser. I usually use Google Chrome and sometimes Firefox, but I will give this a try. I hardly ever use IE.

I personally use Firefox and Chrome. Pretty much anything is safer than IE :hysterical:

> Oh, and I downloaded the Host file too. I tried to edit my last post before you responded to add the other pop up, but you posted before I finished editing it. I think Host file will take care of this too.

Glad to hear that!

> Once again, I want to thank you Mr. D-Fred Brown for all of your help. You have inspired me so much, I am going to sign up for the training here.

No problem! And I wish you the best of luck in your training :thumbup2:

#25 buttafly75

Posted 07 August 2012 - 08:48 PM

Hello again,

Ok, I have run into a problem. I located the ComboFix file and renamed it Uninstall.exe. However, when I double click it, it runs it.

I have saved the file to my desktop again.

Could you please tell me what to do now?

Edited by buttafly75, 07 August 2012 - 09:04 PM.


#26 D-FRED-BROWN

Posted 08 August 2012 - 01:43 AM

Try the ComboFix /Uninstall command procedure this time.

#27 buttafly75

Posted 08 August 2012 - 06:05 PM

Good afternoon Mr. Brown,

I hope you are doing good today.

Ok, I have tried to run the ComboFix /Uninstall command again. A box popped up asking if I would like to install the newer version of ComboFix. I selected no.

The program started and ran for almost 5 hours, without me using it. Then, my computer completely froze up and had to be restarted. Should this be happening?

#28 D-FRED-BROWN

Posted 08 August 2012 - 06:22 PM

Do you have the ComboFix.txt it created? If so, go ahead and post that here.

#29 buttafly75

Posted 08 August 2012 - 07:28 PM

Hi there,

I don't see a text log anywhere.

#30 D-FRED-BROWN

Posted 08 August 2012 - 11:44 PM

Okay, let's try this:

  • Delete all of your existing copies of ComboFix.exe
  • Download a new copy from here. Save it to your Desktop
  • Right-click ComboFix.exe, and select Rename
  • Type in Uninstall.exe and press Enter.
  • Double-click Uninstall.exe

Let me know how things go.

Edited by D-FRED-BROWN, 08 August 2012 - 11:44 PM.
