C:\Windows\system32\services.exe **INFECTED** Win32:Sirefef-ZT [Trj]

I can't get this removed.

C:\Windows\system32\services.exe INFECTED Win32:Sirefef-ZT [Trj]
00:54:31.133 File: C:\Windows\assembly\GAC_32\Desktop.ini INFECTED Win32:Sirefef-PL [Rtk]
00:54:32.319 File: C:\Windows\assembly\GAC_64\Desktop.ini INFECTED Win32:Sirefef-PL [Rtk]

avast said it cleaned the last two but I ran all programs listed on the help page. I guess they are still there. I don't know how long they have been there or what they do.
Thank you in advance for all your help

p.s. I hope I did this all right.

Monitoring

thank you :slight_smile:

:wink:

Step#1

Please download zoek.exe and save it to your desktop.

- Close any open browsers.

- Temporarily disable your AntiVirus program. (If necessary)
If you are unsure how to do this please read this or this Instruction.

- Double click on zoek.exe to run the tool.
Please wait until the tool starts.

- Copy the text present inside the code box below and paste it into the large window in the zoek tool:



C:\Windows\assembly\GAC_32\Desktop.ini;f
C:\Windows\assembly\GAC_64\Desktop.ini;f
iedefaults;
emptyclsid;
[-HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\{336D0C35-8A85-403a-B9D2-65C292C39087}];r64
[-HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\{C4CFC0DE-134F-4466-B2A2-FF7C59A8BFAD}];r64
C:\PROGRAM FILES\IB UPDATER;fs
C:\PROGRAM FILES\UPDATER BY SWEETPACKS;fs
C:\Windows\Installer\{4311bbe4-06d6-fe94-e5d4-6ce1a49a8f07}\@;f
C:\Windows\Installer\{4311bbe4-06d6-fe94-e5d4-6ce1a49a8f07}\L;f
C:\Windows\Installer\{4311bbe4-06d6-fe94-e5d4-6ce1a49a8f07}\U;f
C:\Windows\Installer\{4311bbe4-06d6-fe94-e5d4-6ce1a49a8f07}\L\00000004.@;f
C:\Windows\Installer\{4311bbe4-06d6-fe94-e5d4-6ce1a49a8f07}\U\00000004.@;f
C:\Windows\Installer\{4311bbe4-06d6-fe94-e5d4-6ce1a49a8f07}\U\00000008.@;f
C:\Windows\Installer\{4311bbe4-06d6-fe94-e5d4-6ce1a49a8f07}\U\80000000.@;f
C:\install.exe;f
Conduit;z
Conduit;a
DataMngr;z
DataMngr;a
emptyalltemp;
autoclean;


- Click on the Run Script button (http://www.mcshield.net/personal/magna86/Images/Run%20Script%20by%20zoek.png).
Please wait until a log report opens (this can be after a reboot).

- Save the Notepad file to your Desktop and attach zoek-results.log here.

Note: It will also create a log in the C:\ directory named "zoek-results.log".


Step#2

Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
Note: ComboFix must be downloaded to your Desktop.

Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this or this Instruction.

How to disable avast:

- Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
- In the window that opens, on the top right corner, click Settings.
- In the new window that opens, choose the option Troubleshooting, uncheck Enable avast! self-defense, and click OK.

- Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls.
- In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn on this option after the cleaning.

Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note: Do not mouse-click ComboFix's window while it is running.
If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart computer once more.

When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt)
Attach the log report (ComboFix.txt) back to the topic.
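A read-only check for the artifacts named in this thread, added here as an example and not part of the helper's zoek or ComboFix instructions. It assumes the paths quoted above; the Installer GUID folder differs per infection, so any GUID-named folder holding the "U"/"L" subfolders is reported.

```powershell
# Added example (not from the thread): reports ZeroAccess/Sirefef artifacts named in this
# thread. It only reports and never deletes anything. Run from an elevated PowerShell prompt.
$findings = @()

# 1. Desktop.ini dropped into the GAC folders (the Win32:Sirefef-PL hits in the thread).
foreach ($p in 'C:\Windows\assembly\GAC_32\Desktop.ini', 'C:\Windows\assembly\GAC_64\Desktop.ini') {
    if (Test-Path -LiteralPath $p -ErrorAction SilentlyContinue) {
        $findings += "GAC artifact present: $p"
    }
}

# 2. C:\Windows\Installer\{GUID}\U and \L folders holding the "*.@" payload files seen in the
#    zoek script. The GUID is an assumption to be discovered, not a fixed value.
$installerDirs = Get-ChildItem 'C:\Windows\Installer' -Directory -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^\{[0-9a-f-]{36}\}$' }
foreach ($d in $installerDirs) {
    foreach ($sub in 'U', 'L') {
        $subPath = Join-Path $d.FullName $sub
        if (Test-Path -LiteralPath $subPath -ErrorAction SilentlyContinue) {
            $payloads = Get-ChildItem -LiteralPath $subPath -Filter '*.@' -Force -ErrorAction SilentlyContinue
            if ($payloads) {
                $findings += "Installer payload folder: $subPath ($($payloads.Count) .@ files)"
            }
        }
    }
}

# 3. services.exe flagged as Win32:Sirefef-ZT: a patched copy fails Authenticode validation.
#    On Windows 7 the file is catalog-signed, so "NotSigned" alone is not proof; confirm with
#    sfc /verifyfile=C:\Windows\System32\services.exe before drawing a conclusion.
$svc = 'C:\Windows\System32\services.exe'
$sig = Get-AuthenticodeSignature -FilePath $svc
if ($sig.Status -ne 'Valid') {
    $findings += "services.exe signature status: $($sig.Status) (verify with sfc /verifyfile)"
}

if ($findings.Count -eq 0) {
    'No ZeroAccess artifacts from the thread were found.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```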

zoek results, doing next step

I disabled avast but when I go to run the last step it still says it's running. It also says that spybot is running and I don't show that it is. Help

If you have disabled it, then just ignore the messages and run…

ok thanks

and magna86 will be back later, he is in and out of the forum all day :wink:

ugh here are the files


Re-run ComboFix and attach the fresh ComboFix.txt log report here.


Re-run Zoek as you did before with this script:

[-HKEY_USERS\S-1-5-21-3678120768-2371748754-349669163-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3678120768-2371748754-349669163-1000\Software\IB Updater];r
[-HKEY_USERS\S-1-5-21-3678120768-2371748754-349669163-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3678120768-2371748754-349669163-1000\Software\Updater By SweetPacks];r
kiplfnciaokpcennlkldkdaeaaomamof;chr
C:\Users\me\AppData\Local\Torch;fs
C:\Program Files (x86)\TornTV.com;fs
nbmafkdmkkckhggblphicnnhlgljnoje;chr
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main];r
"Start Page"="http://www.google.com";r
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main];r
"Start Page"="http://www.google.com";r
c:\programdata\iolo;vs
c:\users\me\AppData\Local\Savings Addon;f
c:\program files (x86)\GUTF603.tmp;f
c:\program files (x86)\GUTBEFC.tmp;f
tixati.exe;z
resetIEproxy;
emptyclsid;
emptyalltemp;
autoclean;

Click on the Run Script button and attach the fresh zoek log here.

first scan today

last one

Thank you again so much. Can you tell me how long I have had this? What kind of damage does it do?

I don't mean to be a pain and I know we are in different time zones but I was wondering if my computer is ok now. I posted my last information so I have just been waiting for an answer.

Thank you

You had a userland rootkit, the so-called Zero Access or 0access. Also you had various crapware bad files & extensions that we had to remove.


It is necessary to uninstall ComboFix:

- Click Start (or the Vista start button: http://amf.mycity.rs/pg/images/VistaStartButton.png) then Run.

On Windows 7 or Vista you may use the Start Search field if Run is not available.

- In the line of text type in (copy) the following:

ComboFix /Uninstall

Note that there is a space between "ComboFix" and "/Uninstall".

- Then click OK (or press Enter).

Wait until the uninstall process is complete.


Re-run Zoek with this script:


kiplfnciaokpcennlkldkdaeaaomamof;chr
C:\Users\me\AppData\Local\Torch;fs
mocblcnaofikinigmceddfghppkkjbog;chr
C:\Users\me\AppData\Roaming\PlusWinks;fs
c:\programdata\iolo;f
emptyalltemp;
emptyclsid;

How is your computer running now?

Thank you for your response. :wink: Due to the time zone difference I am already in bed when I see your answer. I'll do it when I get up. It already seems better. :slight_smile: You're kick ass!!! I KNOW I had a lot of crap that I had tried to get rid of before but :wink: it wouldn't go away. Thank you for that too!! Are there any programs that you might recommend? You still want me to attach my last file right? The issue I did have, it wasn't the kind that was stealing information or anything like that was it, or causing damage? Once again you are KICKASS!!! :slight_smile: Thank you so much. I would say I would return the favor but I don't have the knowledge to help you. Lol. I guess I owe you a couple (???) Have a great day, talk to you later :) Keep kicking ass!! :wink:

ok I uninstalled combo/fix and ran zoek. Am a good now. File attached

oops am I good now?

oops I meant am I good now?

You tell me? :smiley:

We have removed the ZA rootkit and crapware from your computer … logs look clean. :slight_smile:

Thank you soooo much for your help.