How to remove W32:Sirefef-ZT [Trj] Windows 7 x64

Hello,

I have been advised by avast! that I have the above named trojan in C:\windows\System32\services.exe and also in C:\windows\system64\services.exe

I have followed the instructions as posted elsewhere on the forum but cannot post the OTL log as it is 912kb which exceeds the attachment size limit of 512kb and I am unable to upload a zip file.

I have attached the Extras Log and AswMBR log.

Please can somebody assist me in the removal of this?

This is the Malwarebytes file - which does not show the infection!!!?

Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.11.09.04

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Bob :: BOB-PC [administrator]

09/11/2012 12:14:06
mbam-log-2012-11-09 (12-14-06).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 345441
Time elapsed: 6 minute(s), 21 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\Bob\AppData\Local\Temp\VIO_Player_Setup.exe (PUP.Bundle.Installer.OI) → Quarantined and deleted successfully.

(end)

Many thanks in advance.

Bob

Do you also have AdwCleaner log?

Did you save OTL as ANSI? See instructions in guide.

If still problems, upload to a file share site and give download link here.

Sorry I missed the ANSI bit - will re-run and attach in a few moments. In the meantime here is the AdwLog.

If necessary, attach the log in two parts.

OTL Log in ANSI Format

You have a lot of jpg files in your syswow folder … Did you put them there?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:OTL
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
O20 - AppInit_DLLs: (c:\progra~3\browse~1\23796~1.11\{16cdf~1\browse~1.dll) - File not found
[2012/11/09 12:22:22 | 000,004,608 | -HS- | M] () -- C:\Windows\assembly\GAC_32\Desktop.ini
[2012/11/09 12:22:22 | 000,006,144 | -HS- | M] () -- C:\Windows\assembly\GAC_64\Desktop.ini

:Files
C:\$Recycle.bin\S-1-5-21-4057120532-3475153636-1526320591-1000
C:\Windows\tasks\At*.job

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

  • Then click the Run Fix button at the top.
  • Let the program run unhindered, reboot the PC when it is done.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply as well as describe how your computer is running now.

Thanks, I will run the processes you outlined and let you know the results. As for the .gif's (I don't see any .jpg's) in the SysWOW64 folder, nope! I didn't put them there. I have looked at some of them and they appear to be beige squares 426x320 and all 9k in size!!

OK, methinks I will remove them next time around as that is not the place for them.
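The OTL fix in this thread targets a handful of specific locations (the AppInit_DLLs value, hidden Desktop.ini files under GAC_32 and GAC_64, At*.job scheduled tasks) and the two posts above discuss an out-of-place services.exe and stray image files in SysWOW64. The following read-only PowerShell script is an added example written for this page; it is not part of OTL, ComboFix or the helper's fix. It inspects those same locations and reports their state so the result can be reviewed before anything is removed. The registry keys and folders are the standard Windows locations; the "system64" path is checked only because the opening post names it, since a stock Windows install has no such folder. The function name and the "expected" states (empty AppInit_DLLs, no GAC Desktop.ini, no At*.job tasks, no images in SysWOW64) are this example's assumptions.

```powershell
# Added triage script for the thread above (not OTL's or ComboFix's code).
# Read-only: it reports on the locations the OTL fix targets and on the two
# observations from the posts; it deletes nothing.

function Get-SirefefTriage {
    $findings = New-Object System.Collections.ArrayList

    # Small helper that records one row in the findings table.
    function Add-Finding($check, $item, $result, $detail) {
        [void]$findings.Add([pscustomobject]@{ Check = $check; Item = $item; Result = $result; Detail = $detail })
    }

    # 1. services.exe: a genuine copy lives only in System32 and is Microsoft-signed.
    #    "system64" is checked only because the original post mentions it; it should be absent.
    foreach ($p in @("$env:SystemRoot\System32\services.exe", "$env:SystemRoot\system64\services.exe")) {
        if (Test-Path -LiteralPath $p) {
            $sig = Get-AuthenticodeSignature -FilePath $p
            Add-Finding 'services.exe' $p $sig.Status $sig.SignerCertificate.Subject
        } else {
            Add-Finding 'services.exe' $p 'absent' ''
        }
    }

    # 2. AppInit_DLLs (64-bit and WOW64 views): loaded into every process that uses
    #    user32.dll, so it is normally empty; the OTL fix removes a browse~1.dll entry here.
    foreach ($k in @('HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
                     'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows')) {
        $v = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).AppInit_DLLs
        if ([string]::IsNullOrWhiteSpace($v)) { Add-Finding 'AppInit_DLLs' $k 'empty' '' }
        else { Add-Finding 'AppInit_DLLs' $k 'set' $v }
    }

    # 3. Hidden/system Desktop.ini files inside GAC_32 / GAC_64, as listed in the OTL fix.
    #    -Force is required, otherwise hidden files are skipped.
    foreach ($d in @("$env:SystemRoot\assembly\GAC_32\Desktop.ini", "$env:SystemRoot\assembly\GAC_64\Desktop.ini")) {
        $f = Get-Item -LiteralPath $d -Force -ErrorAction SilentlyContinue
        if ($f) { Add-Finding 'GAC Desktop.ini' $d 'present' ("{0} bytes, {1}" -f $f.Length, $f.Attributes) }
        else { Add-Finding 'GAC Desktop.ini' $d 'absent' '' }
    }

    # 4. At*.job scheduled tasks (the fix deletes them) and image files in SysWOW64
    #    (the helper asked about these). Note the trailing \* on the path: without it,
    #    -Include only applies when -Recurse is used.
    Get-ChildItem -Path "$env:SystemRoot\Tasks" -Filter 'At*.job' -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'At job' $_.FullName 'present' $_.LastWriteTime }
    Get-ChildItem -Path "$env:SystemRoot\SysWOW64\*" -Include '*.jpg', '*.gif' -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'Image in SysWOW64' $_.FullName 'present' ("{0} bytes" -f $_.Length) }

    return $findings
}

# Usage: run from an elevated PowerShell prompt, then review the table.
Get-SirefefTriage | Format-Table -AutoSize
```

Two caveats when reading the output. Windows 7 ships with PowerShell 2.0, whose Get-AuthenticodeSignature does not look at catalog signatures, and most OS binaries such as services.exe are catalog-signed rather than carrying an embedded signature; a "Valid" status with a Microsoft subject confirms the file, but "NotSigned" on this version is not by itself proof of tampering and should be followed up by comparing the file's hash against a known-good copy from installation media (newer PowerShell versions and Sysinternals sigcheck do check catalogs). Second, the script only reports; the decision to remove anything stays with the helper's fix and the logs requested above.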