
Siredef.C Infection - Need help to remove it


11 replies to this topic

#1 TKI


Posted 27 October 2015 - 04:19 PM

On Friday, I believe my computer was infected with a Siredef.C Trojan. I believe I was infected by accidentally clicking on a link in an email posing as an email from Starbucks. After clicking the link, I was redirected to a website asking for a review of Home Depot.

My McAfee Total Protection software missed it, but Malwarebytes detected and quarantined the virus during a regularly scheduled scan. I deleted the Trojan, but I want to confirm that all trace of it is gone. I have heard that this is a particularly difficult Trojan to remove, which is the reason for my post here.

My operating system is Windows 7.

I have rebooted and run both McAfee and Malwarebytes scans several times since getting rid of the infection. I have also scanned my external backup drive and all scans have come up clean.

Thank you for your help with this!




#2 severac


Posted 27 October 2015 - 05:41 PM

Hello,

Let's do some checks:

Please download Rkill to your Desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/
 

§  Double-click on the Rkill desktop icon to run the tool.

§  If using Windows Vista, 7, 8 or 10 right-click on it and choose Run As Administrator.

§  A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.

§  If not, delete the file, then download and use the one provided in Link 2.

§  Do not reboot until instructed.

§  If the tool does not run from any of the links provided, please let me know.

If normal mode still doesn't work, run the tool from Safe Mode.

When the scan is done, Notepad will open with the rKill log.
Post it in your next reply.

NOTE: the rKill.txt log will also be present on your desktop.

----------

 

ESET Online Scanner

§  Click here to download the installer for ESET Online Scanner and save it to your Desktop.

§  Disable all your antivirus and antimalware software - see how to do that here.

§  Right click on esetsmartinstaller_enu.exe and select Run as Administrator.

§  Place a checkmark in YES, I accept the Terms of Use, then click Start. Wait for ESET Online Scanner to load its components.

§  Select Enable detection of potentially unwanted applications.

§  Click Advanced Settings, then place a checkmark in the following:

o    Remove found threats

o    Scan archives

o    Scan for potentially unsafe applications

o    Enable Anti-Stealth technology

§  Click Start to begin scanning.

§  ESET Online Scanner will start downloading signatures and scan. Please be patient, as this scan can take quite some time.

§  When the scan is done, click List threats (only available if ESET Online Scanner found something).

§  Click Export, then save the file to your desktop.

 

§  Click Back, then Finish to exit ESET Online Scanner.

-------------


I would like to help you to remove malware. Let's look inside.   :busy:

But I don't know how to solve all PC problems.  :smash:

 


#3 TKI


Posted 27 October 2015 - 08:58 PM

Hi Severac,

 

Thank you for your quick reply! My internet went down this afternoon/evening and I just got back online. I will download Rkill and ESET and follow your directions. Will post as soon as I have it done.

 

Thanks again!



#4 TKI


Posted 29 October 2015 - 11:08 AM

Hi Severac,

 

Finally got internet up and computer working.  Below is the log from Rkill.  Downloading and running ESET Online Scanner next.  Will post results.  Thanks!!

 

Rkill 2.8.2 by Lawrence Abrams (Grinler)
Copyright 2008-2015 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 10/29/2015 10:01:44 AM in x64 mode.
Windows Version: Windows 7 Professional Service Pack 1
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * No malware processes found to kill.
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * Windows Defender Disabled
 
   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001
 
Checking Windows Service Integrity: 
 
 * Windows Defender (WinDefend) is not Running.
   Startup Type set to: Manual
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
Checking HOSTS File: 
 
 * No issues found.
 
Program finished at: 10/29/2015 10:02:06 AM
Execution time: 0 hours(s), 0 minute(s), and 21 seconds(s)


#5 TKI


Posted 29 October 2015 - 02:27 PM

I just completed the ESET scan.  Results found 3 instances of Win32/Bundled.Toolbar.  They were quarantined and removed.  There was no log generated though.  Ran it again and it came up clean.  

 

Running McAfee and Malwarebytes again.  If those come up clean, does that mean my computer is clean?

 

Thanks so much for your patience and help!



#6 severac


Posted 29 October 2015 - 04:49 PM

Sounds good.

 

Let's do some junk removal.

 

 

Please download AdwCleaner by Xplode onto your desktop.

§  Close all open programs and internet browsers.

§  Double click on adwcleaner.exe to run the tool.

§  In EULA window click I agree.

§  In Options uncheck Reset Winsock settings.

§  Click on Scan button.

§  When the scan has finished click on Cleaning button.

§  Your computer will be rebooted automatically. A text file will open after the restart.

§  Please post the contents of that logfile with your next reply.

§  You can find the logfile at C:\AdwCleaner[C1].txt as well.

 

---------

Please download Junkware Removal Tool  to your desktop.

§  Shut down your protection software now to avoid potential conflicts.

§  Run the tool by double-clicking it. If you are using Windows Vista, 7, 8 or 10; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".

§  The tool will open and start scanning your system.

§  Please be patient as this can take a while to complete depending on your system's specifications.

§  On completion, a log (JRT.txt) is saved to your desktop and will automatically open.

§  Post the contents of JRT.txt into your next message.



 


#7 TKI


Posted 29 October 2015 - 05:30 PM

I just ran AdwCleaner.  Below is the log file.  Running Junkware Removal Tool next.

 

# AdwCleaner v5.015 - Logfile created 29/10/2015 at 16:20:54
# Updated 26/10/2015 by Xplode
# Database : 2015-10-29.1 [Server]
# Operating system : Windows 7 Professional Service Pack 1 (x64)
# Username : Teddy - TEDDY-VAIO
# Running from : C:\Users\Teddy\Desktop\adwcleaner_5.015.exe
# Option : Cleaning
 
***** [ Services ] *****
 
[-] Service Deleted : CouponPrinterService
 
***** [ Folders ] *****
 
[-] Folder Deleted : C:\Program Files (x86)\Coupons
[!] Folder Not Deleted : C:\Program Files (x86)\Coupons
[-] Folder Deleted : C:\ProgramData\Ask
[-] Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Coupons
[!] Folder Not Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Coupons
[-] Folder Deleted : C:\Users\Teddy\AppData\LocalLow\HPAppData
[-] Folder Deleted : C:\Users\Teddy\AppData\Roaming\download Manager
[-] Folder Deleted : C:\Users\Teddy\AppData\Roaming\Mozilla\Firefox\Profiles\x1c4ht9q.default\Extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
 
***** [ Files ] *****
 
[-] File Deleted : C:\Program Files (x86)\Mozilla Firefox\browser\searchplugins\yahoo.xml
[-] File Deleted : C:\Users\Teddy\AppData\Roaming\Mozilla\Firefox\Profiles\x1c4ht9q.default\user.js
 
***** [ DLLs ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Scheduled tasks ] *****
 
 
***** [ Registry ] *****
 
[-] Key Deleted : HKCU\Software\YahooPartnerToolbar
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Coupon Printer for Windows5.0.0.7
[!] Key Not Deleted : [x64] HKCU\Software\YahooPartnerToolbar
 
***** [ Web browsers ] *****
 
[-] [C:\Users\Teddy\AppData\Roaming\Mozilla\Firefox\Profiles\lna2lqtc.default\prefs.js] [Preference] Deleted : user_pref("browser.search.defaultengine", "Ask.com");
[-] [C:\Users\Teddy\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : websearch.ask.com
[-] [C:\Users\Teddy\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : aol.com
[-] [C:\Users\Teddy\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : ask.com
 
*************************
 
:: Winsock settings cleared
 
########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [2228 bytes] ##########
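The AdwCleaner log above has a regular line layout, and the "[!] ... Not Deleted" entries are the ones a helper would look at next (in this run, the Coupons folders and the x64 YahooPartnerToolbar key survived the first pass). As an added example that is not part of this thread or of AdwCleaner itself, here is a small Python parser that summarises such a log per section and lists the items that were not removed, run over a constructed excerpt in the same format:

```python
import re
from collections import Counter

# Constructed excerpt in the AdwCleaner v5 log layout (not the full log from the post).
SAMPLE_LOG = r"""
***** [ Services ] *****
[-] Service Deleted : CouponPrinterService

***** [ Folders ] *****
[-] Folder Deleted : C:\Program Files (x86)\Coupons
[!] Folder Not Deleted : C:\Program Files (x86)\Coupons

***** [ Registry ] *****
[-] Key Deleted : HKCU\Software\YahooPartnerToolbar
[!] Key Not Deleted : [x64] HKCU\Software\YahooPartnerToolbar

***** [ Web browsers ] *****
[-] [C:\Users\Teddy\prefs.js] [Preference] Deleted : user_pref("browser.search.defaultengine", "Ask.com");
"""

# Section banner "***** [ Name ] *****" and action line "[-|!] desc : target"
# ([-] = removed, [!] = could not be removed).
SECTION_RE = re.compile(r"^\*{5} \[ (?P<name>[^\]]+) \] \*{5}$")
ITEM_RE = re.compile(r"^\[(?P<flag>[-!])\] (?P<desc>.+?) : (?P<target>.+)$")


def parse_adwcleaner(text):
    """Return (section, flag, description, target) for every action line."""
    section, items = None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = ITEM_RE.match(line)
        if m and section is not None:
            items.append((section, m.group("flag"), m.group("desc"), m.group("target")))
    return items


def leftovers(items):
    """[!] entries survived cleaning and need a reboot-time retry or manual review."""
    return [(section, target) for section, flag, _, target in items if flag == "!"]


def summary(items):
    """Count removed vs. not-removed entries per section."""
    return Counter((s, "deleted" if f == "-" else "not_deleted") for s, f, _, _ in items)
```

Feeding the real C:\AdwCleaner\AdwCleaner[C1].txt through parse_adwcleaner gives the same per-section counts the helper reads off by eye, and leftovers() is the list to re-check after the reboot.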


#8 TKI


Posted 29 October 2015 - 05:49 PM

And here is the JRT log file:

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 7.6.4 (09.28.2015:1)
OS: Windows 7 Professional x64
Ran by Teddy on Thu 10/29/2015 at 16:32:40.80
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
~~~ Services
 
~~~ Tasks
 
~~~ Registry Values
 
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Search Bar
 
 
~~~ Registry Keys
 
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{9FC39A72-7EF3-4E54-A872-6EE20CB792D5}
 
~~~ Files
 
~~~ Folders
 
Successfully deleted: [Folder] C:\Users\Teddy\AppData\Roaming\getrighttogo
 
~~~ FireFox
 
Successfully deleted the following from C:\Users\Teddy\AppData\Roaming\mozilla\firefox\profiles\lna2lqtc.default\prefs.js
 
user_pref(browser.search.defaultenginename, Secure Search);
user_pref(browser.search.defaultenginename.US, Secure Search);
user_pref(browser.search.order.1, Secure Search);
user_pref(browser.search.selectedEngine, Secure Search);
Emptied folder: C:\Users\Teddy\AppData\Roaming\mozilla\firefox\profiles\lna2lqtc.default\minidumps [96 files]
 
~~~ Chrome
 
[C:\Users\Teddy\Appdata\Local\Google\Chrome\User Data\Default\Preferences] - default search provider reset
 
[C:\Users\Teddy\Appdata\Local\Google\Chrome\User Data\Default\Preferences] - Extensions Deleted:
 
[C:\Users\Teddy\Appdata\Local\Google\Chrome\User Data\Default\Secure Preferences] - default search provider reset
 
[C:\Users\Teddy\Appdata\Local\Google\Chrome\User Data\Default\Secure Preferences] - Extensions Deleted:
[]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Thu 10/29/2015 at 16:37:50.53
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


#9 severac


Posted 29 October 2015 - 05:54 PM

You should be fine now.

 

Empty your temp folders using TFC (Temporary File Cleaner)

§  Please download TFC by Old Timer and save it to your desktop.
alternate download link

§  Save any unsaved work. (TFC will close ALL open programs including your browser!)

§  Double-click on TFC.exe to run it. (If you are using Vista or above, right-click on the file and choose "Run As Administrator".)

§  Click the Start button to begin the cleaning process and let it run uninterrupted to completion.

§  Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway allowing Windows to load normally (not into Safe Mode) to ensure a complete clean.

--------

 

This step will remove all cleaning tools we used, it'll reset restore points (so you won't get reinfected by accidentally using some older restore point) and it'll make some other minor adjustments...
This is a very crucial step so make sure you don't skip it.
Download DelFix by Xplode to your desktop. DelFix will delete all the used tools and logfiles.

Double-click Delfix.exe to start the tool.
Make sure the following items are checked:

§  Activate UAC (optional; some users prefer to keep it off)

§  Remove disinfection tools

§  Create registry backup

§  Purge System Restore

Now click "Run" and wait patiently.
Once finished, a logfile will be created. You don't have to attach it to your next reply.



 


#10 TKI


Posted 29 October 2015 - 06:23 PM

Okay, I downloaded and ran both TFC and DelFix.  Everything appears good.  Am I good to go now?



#11 severac


Posted 29 October 2015 - 06:24 PM

Yes.  :thumbup2:



 


#12 TKI


Posted 29 October 2015 - 06:33 PM

That's GREAT!!!  Thank you very much!!  I appreciate all your patient help.  You Rock!!   :)





