Help removing Win64/32:Sirefef-All [Trj/Rtk] & services.exe

Hi,

I have been helping a friend whose computer has been neglected for quite some time. I have done the best job I can cleaning most of the system, but then I was confronted with what was likely the start of it all, the so-called ZeroAccess Trojan. I have found many topics discussing removal of this, but, as is always suggested, I did not want to use any of the user-specific solutions on his computer. I believe that the rootkit may have been hidden in the Synaptics Pointing Device Driver, as I was experiencing issues with the touchpad’s functionality and even purchased and installed a new touchpad, which still had problems; but when I prevented startup of the driver using the msconfig utility, the issues stopped. Thanks in advance for any and all help!

Hi and Welcome!!

My name is Jeff. I would be more than happy to take a look at your malware results logs and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I’d be grateful if you would note the following:

[*] The fixes are specific to your problem and should only be used for the issues on this machine.
[*] It’s often worth reading through these instructions and printing them for ease of reference.
[*] If you don’t know or understand something, please don’t hesitate to say or ask!! It’s better to be sure and safe than sorry.
[*] Please reply to this thread. Do not start a new topic.
[*] If you happen to have a flash drive/thumb drive, please have that ready in the event that we need to use it.
[*] Please be sure to subscribe to the topic if you have not already done so.

IMPORTANT NOTE : Please do not delete, download or install anything unless instructed to do so.
DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your operating system and losing all your programs and data.

Having said that…
Let’s get going!!

Please download DDS from either of these links

LINK 1
LINK 2

and save it to your desktop.

[*] Disable any antivirus programs during the scan (if you have difficulty properly disabling your protective programs, refer to this link here).
[*] Double click dds to run the tool.
[*] When done, two DDS.txt’s will open.
[*] Save both reports to your desktop.

Please include the contents of the following in your next reply:

DDS.txt

Attach.txt

Please download aswMBR to your desktop.

[*] Double click the aswMBR icon to run it.
[*] Click the Scan button to start scan.
[*] If you are asked to update the Avast Virus database, please allow it to do so.
[*] When it finishes, press the save log button, save the logfile to your desktop and post its contents in your next reply.



Jeff,

Thank you. Attached is the support package generated by avast!; it shows some of what I have already removed. Below are the logs from DDS.

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.19019
Run by Anthony at 20:27:23 on 2013-06-14
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3002.1161 [GMT -6:00]
.
SP: Windows Defender Disabled/Updated {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\SLsvc.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\dllhost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Malwarebytes’ Anti-Malware\mbam.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.bearshare.net
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
uURLSearchHooks: {E38FA08E-F56A-4169-ABF5-5C71E3C153A1} -
uURLSearchHooks: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} -
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} -
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {6E13DDE1-2B6E-46CE-8B66-DC8BF36F6B99} -
BHO: SSVHelper Class: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: DefaultTab Browser Helper: {7F6AFBF1-E065-4627-A2FD-810366367D01} - c:\users\anthony\appdata\roaming\defaulttab\defaulttab\DefaultTabBHO.dll
BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.8313.1002\swg.dll
BHO: Wincore Mediabar: {c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c} - c:\program files\bearshare applications\mediabar\datamngr\toolbar\wincorebsdtx.dll
BHO: WeCareReminder Class: {D824F0DE-3D60-4F57-9EB1-66033ECD8ABB} - c:\programdata\wecarereminder\IEHelperv2.5.0.dll
BHO: {E4E6BF2A-1667-11DF-A01F-1F9655D89593} -
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Wincore Mediabar: {c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c} - c:\program files\bearshare applications\mediabar\datamngr\toolbar\wincorebsdtx.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [avast] “c:\program files\avast software\avast\avastUI.exe” /nogui
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil32_11_4_402_287_ActiveX.exe -update activex
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the ‘Force scan all domains’ option.
.
.
INFO: HKLM has more than 50 listed domains.
If you wish to scan all of them, select the ‘Force scan all domains’ option.
.
DPF: Microsoft XML Parser for Java - file:///C:/Windows/Java/classes/xmldso.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 205.171.3.25 205.171.2.25
TCP: Interfaces{705F09E2-C31B-4BE5-B8FD-B98333A1B7F2} : DHCPNameServer = 10.1.10.1
TCP: Interfaces{AE3C9073-47F9-4148-BE79-00D6DC5AA36C} : DHCPNameServer = 205.171.3.25 205.171.2.25
Notify: igfxcui - igfxdev.dll
AppInit_DLLs= c:\progra~1\bearshare applications\mediabar\datamngr\datamngr.dll c:\progra~1\bearshare applications\mediabar\datamngr\IEBHO.dll
LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - “c:\program files\common files\lightscribe\LSRunOnce.exe”
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - “c:\program files\google\chrome\application\27.0.1453.110\installer\chrmstp.exe” --configure-user-settings --verbose-logging --system-level --multi-install --chrome
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================

Continued…

.
FF - ProfilePath - c:\users\anthony\appdata\roaming\mozilla\firefox\profiles\wq35e0l5.default
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.145\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20125.0\npctrlui.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1202122.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_7_700_202.dll
FF - ExtSQL: 2013-06-08 14:07; wrc@avast.com; c:\program files\avast software\avast\webrep\FF
.
============= SERVICES / DRIVERS ===============
.
R0 aswRvrt;aswRvrt;c:\windows\system32\drivers\aswRvrt.sys [2013-6-8 49376]
R0 aswVmm;aswVmm;c:\windows\system32\drivers\aswVmm.sys [2013-6-8 174664]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2013-6-8 765736]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2013-6-8 368944]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2013-6-8 29816]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2013-6-8 66336]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2013-6-8 46808]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-6-29 112128]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2013-6-14 40776]
S3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2013-5-31 20080]
S4 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2008-10-23 193840]
S4 DefaultTabUpdate;DefaultTabUpdate;c:\users\anthony\appdata\roaming\defaulttab\defaulttab\DTUpdate.exe [2012-8-22 107520]
S4 Recovery Service for Windows;Recovery Service for Windows;c:\program files\sminst\BLService.exe [2008-10-23 365952]
S4 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2012-10-27 1153368]
S4 Web Assistant;Web Assistant;c:\program files\web assistant\ExtensionUpdaterService.exe [2012-8-22 188760]
.
=============== Created Last 30 ================
.
2013-06-15 02:00:15 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2013-06-08 20:08:22 765736 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2013-06-08 20:08:21 49376 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2013-06-08 20:08:21 174664 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2013-06-08 20:08:20 66336 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2013-06-08 20:06:53 41664 ----a-w- c:\windows\avastSS.scr
2013-06-08 19:58:26 -------- d-----w- c:\windows\pss
2013-05-31 21:44:29 173582 ----a-w- c:\windows\system32\cc_20130531_154420.reg
2013-05-31 18:20:04 -------- d-----w- c:\program files\CCleaner
2013-05-31 17:51:27 -------- d-----w- c:\users\anthony\appdata\roaming\Malwarebytes
2013-05-31 17:51:16 -------- d-----w- c:\programdata\Malwarebytes
2013-05-31 17:51:15 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-05-31 17:51:15 -------- d-----w- c:\program files\Malwarebytes’ Anti-Malware
2013-05-31 17:50:37 -------- d-----w- c:\program files\PeerBlock
.
==================== Find3M ====================
.
2013-05-31 03:53:27 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-31 03:53:26 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-04-07 08:52:34 27136 ----a-w- c:\windows\system32\ImHttpComm.dll
2012-08-22 03:45:29 699536 ----a-w- c:\program files\39Uninstall MapsGalaxy.dll
2012-08-22 03:45:29 172440 ----a-w- c:\program files\39res.dll
.
============= FINISH: 20:28:58.56 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 12/23/2008 6:56:02 PM
System Uptime: 6/14/2013 7:24:44 PM (1 hours ago)
.
Motherboard: Wistron | | 3612
Processor: Pentium(R) Dual-Core CPU T4200 @ 2.00GHz | CPU | 1600/800mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 287 GiB total, 61.319 GiB free.
D: is FIXED (NTFS) - 11 GiB total, 1.818 GiB free.
E: is CDROM (UDF)
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
.
==== Installed Programs ======================
.
µTorrent
ActiveCheck component for HP Active Support Library
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.4)
Adobe Shockwave Player
Adobe Shockwave Player 12.0
avast! Free Antivirus
AVG 2012
BearShare
Canon iP2600 series
CCleaner
Conexant HD Audio
CutePDF Writer 2.8
CWA Reminder by We-Care.com v4.1.18.3
DefaultTab
ErrorTeck 1.6
ESU for Microsoft Vista
Fix-it-up - Kates Adventure
gBurner
Google Chrome
Google Earth Plug-in
Google Toolbar for Internet Explorer
Google Update Helper
HDAUDIO Soft Data Fax Modem with SmartCP
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Active Support Library
HP Customer Experience Enhancements
HP Doc Viewer
HP DVD Play 3.7
HP Help and Support
HP Quick Launch Buttons 6.40 H2
HP Total Care Advisor
HP Update
HP User Guides 0118
HP Wireless Assistant
HPAsset component for HP Active Support Library
HPNetworkAssistant
HPTCSSetup
IB Updater Service
Intel(R) Graphics Media Accelerator Driver
Java™ 6 Update 7
LabelPrint
LG USB Modem driver
LightScribe System Software 1.14.17.1
Malwarebytes Anti-Malware version 1.75.0.1300
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual J# 2.0 Redistributable Package
Microsoft Works
Mozilla Firefox 21.0 (x86 en-US)
Mozilla Maintenance Service
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
My HP Games
NetWaiting
Norton Internet Security
PeerBlock 1.1 (r518)
PIXMA Extended Survey Program
Realtek 8169 8168 8101E 8102E Ethernet Driver
Realtek USB 2.0 Card Reader
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596880) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597162) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2598041) 32-Bit Edition
Security Update for Microsoft Office Excel 2007 (KB2597161) 32-Bit Edition
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2596917) 32-Bit Edition
Spybot - Search & Destroy
swMSM
Synaptics Pointing Device Driver
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB957244)
Update for Microsoft Office Excel 2007 Help (KB957242)
Update for Microsoft Office OneNote 2007 Help (KB957245)
Update for Microsoft Office PowerPoint 2007 Help (KB957247)
Update for Microsoft Office Word 2007 Help (KB957252)
Update for Microsoft Script Editor Help (KB957253)
V CAST Music with Rhapsody
VLC media player 1.0.3
VZAccess Manager
Web Assistant 2.0.0.572
Wincore MediaBar
WinRAR archiver
Yahoo! Software Update
.
==== End Of File ===========================
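The DDS report above is where the helper reads off persistence and browser hijacks before touching anything: orphaned BHO/URL-hook CLSIDs, components living under a user profile, the AppInit_DLLs value that injects BearShare’s datamngr.dll into every GUI process, and a hosts-file entry that silences a security site. As an added example (not part of the thread and not DDS’s own code), the Python below parses those line shapes and ranks them. The sample lines are copied from the DDS.txt posted above; the severity scheme and the "user-writable directory" heuristic are this example’s assumptions. It deliberately does not try to see the patched services.exe that aswMBR reports later in the thread, since that needs an engine that inspects file contents rather than a config listing.

```python
"""Triage of a DDS 'Pseudo HJT Report' and service list (added example).

Not part of DDS or of the thread; shows how a responder can pull the
persistence and hijack entries out of a DDS.txt before deciding what to
remove. The severity scheme and the user-writable-directory heuristic are
assumptions made for this example.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: a subset of lines copied from the DDS.txt posted above
# (DDS defangs URLs as hxxp://). Backslashes are doubled for the Python literal.
SAMPLE_DDS = """\
uStart Page = hxxp://search.bearshare.net
uURLSearchHooks: {E38FA08E-F56A-4169-ABF5-5C71E3C153A1} -
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} -
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\\program files\\common files\\adobe\\acrobat\\activex\\AcroIEHelperShim.dll
BHO: DefaultTab Browser Helper: {7F6AFBF1-E065-4627-A2FD-810366367D01} - c:\\users\\anthony\\appdata\\roaming\\defaulttab\\defaulttab\\DefaultTabBHO.dll
AppInit_DLLs= c:\\progra~1\\bearshare applications\\mediabar\\datamngr\\datamngr.dll c:\\progra~1\\bearshare applications\\mediabar\\datamngr\\IEBHO.dll
Hosts: 127.0.0.1 www.spywareinfo.com
S4 DefaultTabUpdate;DefaultTabUpdate;c:\\users\\anthony\\appdata\\roaming\\defaulttab\\defaulttab\\DTUpdate.exe [2012-8-22 107520]
R2 avast! Antivirus;avast! Antivirus;c:\\program files\\avast software\\avast\\AvastSvc.exe [2013-6-8 46808]
"""

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# "R2 name;display name;path [date size]" is how DDS prints services and drivers.
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[[^\]]*\]\s*$")
# DDS prefixes that register a COM object by CLSID (BHOs, toolbars, URL search hooks).
COM_KINDS = ("BHO", "TB", "uURLSearchHooks", "mURLSearchHooks")
# Directories any user can write to; legitimate BHOs and services rarely live
# there (heuristic assumed for this example, not a DDS rule).
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\")
BROWSER_KEYS = ("Start Page", "Search Page", "Search Bar", "Default_Page_URL", "Default_Search_URL")


def parse_dds(text: str) -> List[Dict[str, str]]:
    """Turn report lines into dicts keyed by the kind of entry."""
    entries: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SERVICE_RE.match(line)
        if m:
            entries.append({"kind": "service", "state": m.group(1), "name": m.group(2),
                            "path": m.group(4).strip().lower(), "raw": line})
            continue
        if line.startswith("AppInit_DLLs="):
            entries.append({"kind": "appinit", "path": line.split("=", 1)[1].strip().lower(), "raw": line})
            continue
        if line.startswith("Hosts:"):
            parts = line.split()
            if len(parts) >= 3:
                entries.append({"kind": "hosts", "ip": parts[1], "host": parts[2].lower(), "raw": line})
            continue
        kind = line.split(":", 1)[0].strip()
        m = CLSID_RE.search(line)
        if m and kind in COM_KINDS:
            # Text after the CLSID is " - <dll path>"; an empty path means the
            # registry entry survives but the DLL itself is gone.
            tail = line[m.end():].strip()
            path = tail[1:].strip().lower() if tail.startswith("-") else ""
            entries.append({"kind": kind, "clsid": m.group(0), "path": path, "raw": line})
            continue
        if " = " in line:
            key, value = line.split(" = ", 1)
            entries.append({"kind": "setting", "key": key.strip(), "value": value.strip(), "raw": line})
    return entries


def find_indicators(entries: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (severity, reason, raw line) for entries worth a responder's attention."""
    findings: List[Tuple[str, str, str]] = []
    for e in entries:
        kind = e["kind"]
        if kind == "appinit" and e["path"]:
            # AppInit_DLLs are loaded into every process that links user32.dll.
            findings.append(("high", "AppInit_DLLs injects DLLs into every GUI process", e["raw"]))
        elif kind == "hosts":
            findings.append(("medium", f"hosts file overrides {e['host']} -> {e['ip']}", e["raw"]))
        elif kind in COM_KINDS:
            if not e["path"]:
                findings.append(("low", f"{kind} {e['clsid']} registered but its DLL is missing (orphaned)", e["raw"]))
            elif any(d in e["path"] for d in USER_WRITABLE):
                findings.append(("medium", f"{kind} loads from a user-writable directory", e["raw"]))
        elif kind == "service":
            if any(d in e["path"] for d in USER_WRITABLE):
                findings.append(("medium", f"service {e['name']} runs from a user-writable directory", e["raw"]))
        elif kind == "setting" and e["key"].endswith(BROWSER_KEYS):
            findings.append(("info", f"browser {e['key']} set to {e['value']}", e["raw"]))
    return findings


if __name__ == "__main__":
    for severity, reason, raw in find_indicators(parse_dds(SAMPLE_DDS)):
        print(f"[{severity}] {reason}\n    {raw}")
```

Run against the sample it reports the AppInit_DLLs injection as the one high finding, the DefaultTab BHO, the DefaultTabUpdate service and the hosts override as medium, and the two orphaned CLSIDs as low, while the avast! service and the Adobe BHO produce nothing. Orphaned CLSIDs are ranked low because they are usually leftovers of a removal, but they still merit cleanup so a later scan is not chasing ghosts.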

Sorry about that… you can just attach the logs.

Did you get aswMBR run?

aswMBR Log:

aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2013-06-14 20:38:29

20:38:29.600 OS Version: Windows 6.0.6001 Service Pack 1
20:38:29.600 Number of processors: 2 586 0x170A
20:38:29.600 ComputerName: MIKE-PC UserName: Anthony
20:38:31.597 Initialize success
20:38:33.719 AVAST engine defs: 13061402
20:38:46.511 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-3
20:38:46.511 Disk 0 Vendor: WDC_WD3200BEVT-60ZCT1 13.01A13 Size: 305245MB BusType: 3
20:38:46.620 Disk 0 MBR read successfully
20:38:46.620 Disk 0 MBR scan
20:38:46.620 Disk 0 unknown MBR code
20:38:46.620 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 294097 MB offset 63
20:38:46.682 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 11144 MB offset 602312704
20:38:46.682 Disk 0 scanning sectors +625135616
20:38:46.729 Disk 0 scanning C:\Windows\system32\drivers
20:39:01.440 Service scanning
20:39:19.208 Modules scanning
20:39:25.589 Disk 0 trace - called modules:
20:39:25.620 ntkrnlpa.exe CLASSPNP.SYS disk.sys ataport.SYS hal.dll PCIIDEX.SYS msahci.sys
20:39:25.620 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x858cf450]
20:39:25.635 3 CLASSPNP.SYS[805e3745] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-3[0x856cd030]
20:39:26.930 AVAST engine scan C:\Windows
20:39:29.941 AVAST engine scan C:\Windows\system32
20:40:45.039 File: C:\Windows\system32\services.exe INFECTED Win32:Sirefef-AII [Rtk]
20:41:54.038 AVAST engine scan C:\Windows\system32\drivers
20:42:14.115 AVAST engine scan C:\Users\Anthony
20:46:27.631 AVAST engine scan C:\ProgramData
20:48:56.736 Scan finished successfully
20:49:04.161 Disk 0 MBR has been saved successfully to “C:\Users\Anthony\Desktop\MBR.dat”
20:49:04.177 The log file has been saved successfully to “C:\Users\Anthony\Desktop\aswMBR.txt”

Good job…

WARNING: Unfortunately one or more of the infections I have identified are Backdoor Trojans, IRCBots or other Malware capable of stealing very important information. You need to stop using all Internet Banking sites, change passwords to all sites with sensitive information from a clean computer and phone your bank to inform them that you may be a victim of identity theft. More often than not, we advise users that a full reinstallation of their Operating System is the only way to ensure that their computer will ever be 100% clean again.

Unfortunately I have found what is known as the ZeroAccess rootkit on your system. It is an especially nasty infection that can take quite some time to clean as well as may have damaged your system files itself. As a warning, during the cleaning (if you choose to do so) you may lose internet access with this computer and in the end we may need to reinstall the operating system anyway depending on the extent of the infection.

If you would like to format and reinstall your Operating System please let me know and we can assist you with that.

If you would like to continue with the cleaning, please continue with the following instructions and I will be more than happy to help.

ComboFix

Download Combofix from either of the links below, and save it to your desktop.
Link 1
Link 2

Note: It is important that it is saved directly to your desktop
If you get a message saying “Illegal operation attempted on a registry key that has been marked for deletion”, please restart your computer.


IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here


Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.
When finished, it will produce a report for you.
[*] Please attach the C:\ComboFix.txt for further review.

Ran combofix here is the log file.

After ComboFix rebooted the system, a message popped up saying, “Illegal operation attempted on a registry key that has been marked for deletion”; the system was restarted as suggested. Thanks.

Good job… do me a favor and run ComboFix again and attach the new log please.

Log attached…

Good…how is your system running now?

Well, I left the wireless adapter off just in case, but it started to pop up with “Illegal operation attempted on a registry key that has been marked for deletion” whenever I tried to open any executable file. So I restarted again and reconnected to the internet. I am able to freely use the computer, and Avast has not informed me of any more blocked attempts by Sirefef-All, which were occurring almost every 20 min. before. Thank you; do you believe the system is cleaned now?

One of the original problems that I was having, that I thought had also been caused by the virus, was the touchpad freezing up after a certain time period while the Synaptics pointing device software was running, so I disabled the software on startup and it worked just fine. Then, thinking that the computer might be clean, I just re-enabled the software on startup and allowed the computer to reboot again; now the touchpad is giving out again. Do you think this was ever related, or is this a separate hardware/software issue?

Never mind the previous post. I performed a “deep reset” by unplugging, removing the battery and holding the power button for 30 seconds; apparently this is to do a deep static discharge when static has built up in the touchpad. Whatever the logic behind it, it seems to have worked; I have not had any issue with the touchpad in over 2 hours. Thanks for all of your help.

Hi,

Good to hear that things are running better.

Let’s get some updates and check for anything else hiding…

Java

Please go to Start > Control Panel > Programs and Features > uninstall all the Java Programs you see, now download the latest Java from the following link and install it:

http://java.com/en/download/index.jsp


See this page for instructions on how to clear java’s cache.

Go into the Control Panel and double-click the Java Icon (looks like a coffee cup).
[*] Under Temporary Internet Files, click the Delete Files button.
[*] There are three options in the window to clear the cache - Leave ALL 3 Checked:
    Downloaded Applets
    Downloaded Applications
    Installed Applications and Applets
[*] Click OK on the Delete Temporary Files Window.
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
[*] Click OK to leave the Java Control Panel.


Malwarebytes

Please open Malwarebytes, update it and then run a Quick Scan. Save the log that is created for your next reply.

ESET Online Scanner

Go here to run an online scanner from ESET. Windows Vista/Windows 7 users will need to right click on their Internet Explorer shortcut, and select Run as Administrator.
[*] Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
[*] Turn off the real time scanner of any existing antivirus program while performing the online scan.
[*] Tick the box next to YES, I accept the Terms of Use.
[*] Click Start.
[*] When asked, allow the ActiveX control to install.
[*] Click Start.
[*] Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
[*] Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
[*] Click Scan.
[*] Wait for the scan to finish.
[*] When the scan is done, if it shows a screen that says “Threats found!”, then click “List of found threats”, and then click “Export to text file…”.
[*] Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.
[*] Close the ESET online scan, and let me know how things are now.

Please attach the logs made from Malwarebytes and ESET.

No matter how many times I try to clear the Java cache, the Java program freezes. I have restarted the computer, but it still allows me to check all three; I hit OK and the program freezes. Any ideas? Thanks. Should I still run MBAM and ESET without the Java cache cleared?

Just move past Java and go to Malwarebytes and ESET.

MBAM

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.06.15.05

Windows Vista Service Pack 1 x86 NTFS
Internet Explorer 8.0.6001.19088
Mike :: MIKE-PC [administrator]

6/15/2013 5:20:06 PM
mbam-log-2013-06-15 (17-20-06).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 272331
Time elapsed: 37 minute(s), 2 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

I am running ESET now and it already shows two threats, as soon as it is done I will post.

50% and 5 threats found, looking like a bunch of Win32 backdoor rootkits and trojans.