
TROJ_SIREFEF


This topic is locked
2 replies to this topic

#1 Loki222 (Members, 1 posts)

Posted 10 July 2012 - 09:59 PM

Please help. I'm running Trend Micro Titanium 2012 and kept getting a message saying TROJ_SIREFEF.GF/UP/etc. was detected and removed. After about 3 min I would get the same message over and over again. I downloaded and ran ComboFix and the problem has stopped. Is there anything else I need to do?
Here is my log:

ComboFix 12-07-10.01 - Owner 07/10/2012 19:12:29.2.4 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3893.2526 [GMT -7:00]
Running from: C:\Users\Owner\Desktop\ComboFix.exe
AV: Trend Micro Titanium 2012 *Enabled/Updated* {7193B549-236F-55EE-9AEC-F65279E59A92}
SP: Trend Micro Titanium 2012 *Enabled/Updated* {CAF254AD-0555-5A60-A05C-CD200262D02F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


---- Previous Run -------

C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe
C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe
C:\Program Files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe
C:\Program Files (x86)\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe
C:\Program Files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe
C:\Users\Owner\AppData\Local\Microsoft\Windows\Temporary Internet Files\{DB7BBF0D-9993-4980-8E16-54C40091C323}.xps
C:\Users\Owner\AppData\Local\Microsoft\Windows\Temporary Internet Files\{F7573520-F224-4D0C-96E6-453BB5094290}.xps


((((((((((((((((((((((((( Files Created from 2012-06-11 to 2012-07-11 )))))))))))))))))))))))))))))))


2012-07-11 02:18:32 . 2012-07-11 02:18:32 -------- d-----w- C:\Users\Default\AppData\Local\temp
2012-07-11 02:03:52 . 2012-06-12 03:02:52 3147264 ----a-w- C:\windows\system32\win32k.sys
2012-07-07 00:55:53 . 2012-07-07 00:55:53 -------- d-----w- C:\Users\Owner\AppData\Local\Trend Micro
2012-07-07 00:55:20 . 2012-07-07 00:31:06 105744 ----a-w- C:\windows\system32\drivers\tmtdi.sys
2012-07-07 00:55:17 . 2012-07-07 00:31:06 91920 ----a-w- C:\windows\system32\drivers\tmactmon.sys
2012-07-07 00:55:17 . 2012-07-07 00:31:06 70928 ----a-w- C:\windows\system32\drivers\tmevtmgr.sys
2012-07-07 00:55:17 . 2012-07-07 00:31:06 167696 ----a-w- C:\windows\system32\drivers\tmcomm.sys
2012-07-07 00:54:31 . 2012-07-07 00:54:31 56 ----a-w- C:\windows\system32\SupportTool.exe.bat
2012-07-07 00:54:14 . 2012-07-07 00:54:25 -------- d-----w- C:\Program Files\Trend Micro
2012-07-07 00:30:58 . 2012-07-07 06:33:29 -------- d-----w- C:\Program Files (x86)\Trend Micro
2012-06-27 14:16:47 . 2012-06-02 22:19:42 57880 ----a-w- C:\windows\system32\wuauclt.exe
2012-06-27 14:16:47 . 2012-06-02 22:19:42 44056 ----a-w- C:\windows\system32\wups2.dll
2012-06-27 14:16:46 . 2012-06-02 22:19:43 2428952 ----a-w- C:\windows\system32\wuaueng.dll
2012-06-27 14:16:46 . 2012-06-02 22:15:31 2622464 ----a-w- C:\windows\system32\wucltux.dll
2012-06-27 14:16:37 . 2012-06-02 22:19:46 38424 ----a-w- C:\windows\system32\wups.dll
2012-06-27 14:16:37 . 2012-06-02 22:19:23 701976 ----a-w- C:\windows\system32\wuapi.dll
2012-06-27 14:16:37 . 2012-06-02 22:15:08 99840 ----a-w- C:\windows\system32\wudriver.dll
2012-06-27 14:16:23 . 2012-06-02 22:19:42 186752 ----a-w- C:\windows\system32\wuwebv.dll
2012-06-27 14:16:23 . 2012-06-02 22:15:12 36864 ----a-w- C:\windows\system32\wuapp.exe
.


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 12:41:07 37296]
"Adobe ARM"="C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 18:07:56 843712]
"SunJavaUpdateSched"="C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 22:02:04 254696]
"APSDaemon"="C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 04:28:32 59240]
"iTunesHelper"="C:\Program Files (x86)\iTunes\iTunesHelper.exe" [2012-03-27 12:09:24 421736]
"QuickTime Task"="C:\Program Files (x86)\QuickTime\QTTask.exe" [2011-10-24 21:28:52 421888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="C:\windows\SysWOW64\Macromed\Flash\FlashUtil10w_ActiveX.exe" [2011-11-26 15:46:05 243360]

C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Best Buy pc app.lnk - C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe [2010-6-24 9216]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-03-27 12:41:07 37296 ----a-w- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDRegion]
2010-01-13 07:08:34 75048 ------w- C:\Program Files (x86)\CyberLink\Shared files\brs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CLMLServer]
2009-12-04 07:59:28 103720 ----a-w- C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVD8LanguageShortcut]
2009-04-15 14:54:44 50472 ------w- C:\Program Files (x86)\CyberLink\PowerDVD8\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl8]
2009-07-16 11:08:20 91432 ------w- C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdatePSTShortCut]
2010-01-11 11:27:46 210216 ------w- C:\Program Files (x86)\CyberLink\Blu-ray Disc Suite\MUITransfer\MUIStartMenu.exe

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 22:27:14 138576]
R2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-08-06 20:03:34 136176]
R3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-08-06 20:03:34 136176]
R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [2010-03-05 01:07:58 340240]
R3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 04:34:24 4925184]
R3 Partner Service;Partner Service;C:\ProgramData\Partner\Partner.exe [2010-07-08 03:20:56 332272]
R3 RTL8167;Realtek 8167 NT Driver;C:\windows\system32\DRIVERS\Rt64win7.sys [2009-06-10 20:35:42 187392]
R3 Svk2pl;GigawareX USB to Serial Driver;C:\windows\system32\DRIVERS\Svk2pl64.sys [2010-04-01 14:54:22 97280]
R3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\system32\Wat\WatAdminSvc.exe [2010-11-25 03:37:05 1255736]
S1 SABI;SAMSUNG Kernel Driver For Windows 7;C:\windows\system32\Drivers\SABI.sys [2010-03-31 00:35:26 13824]
S1 tmevtmgr;tmevtmgr;C:\windows\system32\DRIVERS\tmevtmgr.sys [2012-07-07 00:31:06 70928]
S1 vwififlt;Virtual WiFi Filter Driver;C:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 00:07:22 59904]
S2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};Power Control [2010/07/08 12:00:36];C:\Program Files (x86)\CyberLink\PowerDVD8\000.fcl [2010-01-12 14:08:30 146928]
S2 Amsp;Trend Micro Solution Platform;C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe coreFrameworkHost.exe [x]
S2 DMAgent;Intel® PROSet/Wireless WiMAX Red Bend Device Management Service;C:\Program Files\Intel\WiMAX\Bin\DMAgent.exe [2010-06-07 06:34:20 408576]
S2 MediaMall Server;MediaMall Server;C:\Program Files (x86)\MediaMall\MediaMallServer.exe [2012-07-10 15:10:19 2976632]
S2 UNS;Intel® Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-02-03 22:19:52 2320920]
S2 WiMAXAppSrv;Intel® PROSet/Wireless WiMAX Service;C:\Program Files\Intel\WiMAX\Bin\AppSrv.exe [2010-06-07 06:39:40 911872]
S3 bpenum;bpenum;C:\windows\system32\DRIVERS\bpenum.sys [2010-05-16 08:28:28 71168]
S3 bpmp;Intel® Centrino® WiMAX 6050 Series;C:\windows\system32\DRIVERS\bpmp.sys [2010-05-16 08:28:38 175104]
S3 bpusb;bpusb;C:\windows\system32\Drivers\bpusb.sys [2010-05-16 08:28:30 81920]
S3 HECIx64;Intel® Management Engine Interface;C:\windows\system32\DRIVERS\HECIx64.sys [2009-09-17 20:54:54 56344]
S3 Impcd;Impcd;C:\windows\system32\DRIVERS\Impcd.sys [2010-02-27 13:02:12 158976]
S3 IntcDAud;Intel® Display Audio;C:\windows\system32\DRIVERS\IntcDAud.sys [2010-02-04 03:08:30 271872]
S3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\windows\system32\DRIVERS\NETw5s64.sys [2010-05-31 03:05:06 7689216]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\windows\system32\DRIVERS\vwifimp.sys [2009-07-14 00:07:28 17920]
S3 wdkmd;Intel WiDi KMD;C:\windows\system32\DRIVERS\WDKMD.sys [2010-06-18 01:38:06 39832]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\windows\system32\DRIVERS\yk62x64.sys [2009-09-28 09:22:00 395264]


Contents of the 'Scheduled Tasks' folder

2012-07-11 C:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-08-06 20:03:49 . 2011-08-06 20:03:34]

2012-07-11 C:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-08-06 20:03:49 . 2011-08-06 20:03:34]


--------- X64 Entries -----------


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4}]
2010-07-08 03:20:56 750064 ----a-w- C:\ProgramData\Partner\Partner64.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\windows\system32\igfxtray.exe" [2010-06-11 23:31:14 161304]
"HotKeysCmds"="C:\windows\system32\hkcmd.exe" [2010-06-11 23:31:02 386584]
"Persistence"="C:\windows\system32\igfxpers.exe" [2010-06-11 23:31:08 414744]
"RtHDVCpl"="C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-12-15 02:46:28 9644576]
"IntelWireless"="C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2010-03-05 01:09:02 1928976]
"IntelWirelessWiMAX"="C:\Program Files\Intel\WiMAX\Bin\WiMAXCU.exe" [2010-06-08 05:25:22 1441792]
"Trend Micro Titanium"="C:\Program Files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" [2012-02-27 13:44:18 1304792]
"Trend Micro Client Framework"="C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2012-02-27 13:44:16 213824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0

------- Supplementary Scan -------

uLocal Page = C:\windows\system32\blank.htm
uStart Page = hxxp://www.startingpage.com/
mLocal Page = C:\Windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
FF - ProfilePath - C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\fommen2f.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.startingpage.com/
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
FF - Ext: Trend Micro BEP Firefox Extension: {38783831-6098-4faa-A9C9-1EE1E343F4D2} - C:\Program Files\Trend Micro\AMSP\Module\20002\7.1.1102\7.1.1102\firefoxextension
FF - Ext: Trend Micro NSC Firefox Extension: {22C7F6C6-8D67-4534-92B5-529A0EC09405} - C:\Program Files\Trend Micro\AMSP\module\20004\FxExt\firefoxextension

- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
SafeBoot-mcmscsvc
SafeBoot-MCODS
MSConfigStartUp-UCam_Menu - C:\Program Files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe
MSConfigStartUp-UpdateLBPShortCut - C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe
MSConfigStartUp-UpdateP2GoShortCut - C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe
MSConfigStartUp-UpdatePDRShortCut - C:\Program Files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe
MSConfigStartUp-UpdatePPShortCut - C:\Program Files (x86)\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe
Toolbar-Locked - (no file)
HKLM-Run-SynTPEnh - C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe

Edited by Budapest, 11 July 2012 - 10:09 PM.
Moved from AII ~Budapest
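As an added example (not code from this thread, from ComboFix, or from Trend Micro), a small Python triage helper for the log format posted above: it parses the Run-key values, service lines and dated file lines that ComboFix prints in its "Reg Loading Points" and "X64 Entries" sections and flags entries whose file could not be resolved ([x]) or which run from a user-writable directory such as ProgramData. The sample lines are copied from the log above; the flagging heuristic and the names parse_combofix, triage and Entry are this example's own assumptions, not ComboFix features.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a few autostart lines copied verbatim from the ComboFix
# log above (a Run value, three service lines, one BHO DLL file line).
SAMPLE_LOG = r'''
"Adobe ARM"="C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 18:07:56 843712]
R3 Partner Service;Partner Service;C:\ProgramData\Partner\Partner.exe [2010-07-08 03:20:56 332272]
S2 Amsp;Trend Micro Solution Platform;C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe coreFrameworkHost.exe [x]
S1 SABI;SAMSUNG Kernel Driver For Windows 7;C:\windows\system32\Drivers\SABI.sys [2010-03-31 00:35:26 13824]
2010-07-08 03:20:56 750064 ----a-w- C:\ProgramData\Partner\Partner64.dll
'''

# Line shapes ComboFix uses: "Name"="path" [date size]; Rn/Sn name;display;path [date size];
# and "date time size attrs path" for files listed under a registry key.
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)" \[(?P<meta>[^\]]*)\]$')
SERVICE = re.compile(r'^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?) \[(?P<meta>[^\]]*)\]$')
FILE_LINE = re.compile(r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \d+ [-\w]{8} (?P<path>[A-Za-z]:\\.+)$')

# Directories a standard user can write to (this example's own heuristic, not ComboFix's).
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\users\\")

@dataclass
class Entry:
    kind: str            # "run", "service" or "file"
    name: str
    path: str
    flags: list = field(default_factory=list)

def _flags(path: str, meta: str) -> list:
    flags = []
    if meta.strip() == "x":      # ComboFix prints [x] when it cannot resolve the path to a file
        flags.append("file not found")
    if any(marker in path.lower() for marker in USER_WRITABLE):
        flags.append("user-writable location")
    return flags

def parse_combofix(text: str) -> list:
    """Turn recognised autostart lines into Entry objects; unrecognised lines are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if m := RUN_VALUE.match(line):
            entries.append(Entry("run", m["name"], m["path"], _flags(m["path"], m["meta"])))
        elif m := SERVICE.match(line):
            entries.append(Entry("service", m["name"], m["path"], _flags(m["path"], m["meta"])))
        elif m := FILE_LINE.match(line):
            entries.append(Entry("file", m["path"].rsplit("\\", 1)[-1], m["path"], _flags(m["path"], "")))
    return entries

def triage(text: str) -> list:
    """Entries worth a second look: those with at least one flag."""
    return [e for e in parse_combofix(text) if e.flags]

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.kind:8} {e.name:20} {', '.join(e.flags):25} {e.path}")
```

A flag only means "look closer": the Partner entries above are a vendor bundle and the [x] on Amsp is a multi-executable service path, so a helper still verifies each hit by hand.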




#2 D-FRED-BROWN, Resident Bracketologist (Malware Response Team, 834 posts, Kansas, USA)

Posted 12 July 2012 - 03:54 PM

Hello Loki222 and welcome to Bleeping Computer!

I am D-FRED-BROWN and I will be helping you. :)


Please print or save this topic. It will make it easier for you to follow the instructions and complete all of the necessary steps.


----------Step 1----------------
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan.
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not an option, Skip instead, do not choose Delete unless instructed.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

----------Step 2----------------
Please download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

***IMPORTANT: save ComboFix to your Desktop***

* Ensure you have disabled all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

Please go here to see a list of programs that should be disabled.

**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.**

Please include the C:\ComboFix.txt in your next reply for further review.


----------Step 3----------------
Please download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

----------Step 4----------------
In your next reply, please include the following:
  • TDSSKiller's logfile
  • ComboFix's report (C:\ComboFix.txt)
  • Security Check checkup.txt
After that, please let me know: How is your computer running now? Do you have any questions or concerns you'd like me to address? Don't hesitate to ask. :)

#3 D-FRED-BROWN, Resident Bracketologist (Malware Response Team, 834 posts, Kansas, USA)

Posted 01 August 2012 - 02:03 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.



