I've got infected by the Sirefef trojan and would appreciate some expert help

As said in the title, I've got some nasty Sirefef trojan in my system… hopefully you will help me even though I don't use Avast. I use Nod32 and it warns me about Sirefef.ez, Sirefef.fb etc. I've run several scans with Malwarebytes and Spydefender etc.
Nod32 cannot remove the problem and, from what I found when I googled this, I'm not the only one. Essexboy seems to be the man, so I beg of you to help me because I don't want to reformat my drives.
Here are the logs from MWB and OTL:

Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.17.07

Windows Vista Service Pack 2 x86 NTFS (Safe Mode/Networking)
Internet Explorer 9.0.8112.16421
[administrator]

Protection: Disabled

2012-07-17 15:22:52
mbam-log-2012-07-17 (15-22-52).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 235459
Time elapsed: 4 minute(s), 10 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 5
C:\Windows\Installer\{b4aac626-c8c1-fb70-99e6-bfaca6bad120}\L\00000008.@ (Trojan.BitMiner) → Delete on reboot.
C:\Windows\Installer\{b4aac626-c8c1-fb70-99e6-bfaca6bad120}\U\00000004.@ (Rootkit.0Access) → Quarantined and deleted successfully.
C:\Windows\Installer\{b4aac626-c8c1-fb70-99e6-bfaca6bad120}\U\00000008.@ (Trojan.Dropper.BCMiner) → Quarantined and deleted successfully.
C:\Windows\Installer\{b4aac626-c8c1-fb70-99e6-bfaca6bad120}\U\000000cb.@ (Rootkit.0Access) → Quarantined and deleted successfully.
C:\Windows\Installer\{b4aac626-c8c1-fb70-99e6-bfaca6bad120}\U\80000000.@ (Trojan.Sirefef) → Quarantined and deleted successfully.

(end)

Hi,

WARNING: Unfortunately one or more of the infections I have identified are Backdoor Trojans, IRCBots or other Malware capable of stealing very important information. You need to stop using all Internet Banking sites, change passwords to all sites with sensitive information from a clean computer and phone your bank to inform them that you may be a victim of identity theft. More often than not, we advise users that a full reinstallation of their Operating System is the only way to ensure that their computer will ever be 100% clean again.

Unfortunately I have found what is known as the ZeroAccess rootkit on your system. It is an especially nasty infection that can take quite some time to clean as well as may have damaged your system files itself. As a warning, during the cleaning (if you choose to do so) you may lose internet access with this computer and in the end we may need to reinstall the operating system anyway depending on the extent of the infection.

If you would like to format and reinstall your Operating System please let me know and we can assist you with that.

If you would like to continue with the cleaning, please continue with the following instructions and I will be more than happy to help. :slight_smile:

Please download ERUNT (Emergency Recovery Utility NT). This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed. Remember, if you are using Windows Vista as your operating system, right-click the executable and Run as Administrator.

Run OTL.exe

[*]Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL


:Services

:Files
C:\Windows\Installer\{b4aac626-c8c1-fb70-99e6-bfaca6bad120}\
C:\Users\Oskar\AppData\Local\{b4aac626-c8c1-fb70-99e6-bfaca6bad120}\

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot when it is done
[*]Then run a new scan and post a new OTL log ( don’t check the boxes beside LOP Check or Purity this time )


Download Combofix from either of the links below, and save it to your desktop.
Link 1
Link 2

Note: It is important that it is saved directly to your desktop
If you get a message saying “Illegal operation attempted on a registry key that has been marked for deletion”, please restart your computer.


IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here


Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.
When finished, it will produce a report for you.
[*]Please post the C:\ComboFix.txt for further review.


In your next reply please attach the logs made by OTL and ComboFix. :slight_smile:
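Added here as an illustration for readers of the thread, not code posted by anyone in it: a small Python script that looks for the on-disk layout the Malwarebytes log above shows for ZeroAccess/Sirefef (a GUID-named folder under Windows\Installer or the user's AppData\Local, holding U and/or L subfolders of eight-hex-digit .@ files). The sample tree it builds is constructed for the demo; on a real machine you would pass the two roots named in the OTL fix instead.

```python
import re
import tempfile
from pathlib import Path

# Layout seen in the thread's Malwarebytes log:
#   <root>\{GUID}\U\<8 hex digits>.@   and   <root>\{GUID}\L\<8 hex digits>.@
GUID_DIR = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
AT_FILE = re.compile(r"^[0-9a-f]{8}\.@$", re.I)


def find_zeroaccess_dirs(roots):
    """Return (guid_dir, [payload names]) for every GUID-named folder under
    the given roots that has a 'U' or 'L' subfolder containing .@ files."""
    hits = []
    for root in roots:
        root = Path(root)
        if not root.is_dir():
            continue  # e.g. an AppData\Local that does not exist for this user
        for guid_dir in sorted(root.iterdir()):
            if not (guid_dir.is_dir() and GUID_DIR.match(guid_dir.name)):
                continue
            # Path.glob on a missing U or L subfolder simply yields nothing.
            payloads = sorted(
                p.name for sub in ("U", "L")
                for p in (guid_dir / sub).glob("*.@") if AT_FILE.match(p.name)
            )
            if payloads:
                hits.append((str(guid_dir), payloads))
    return hits


def demo():
    """Build a constructed sample tree (not from a real machine) that mirrors
    the paths in the thread, then scan it."""
    base = Path(tempfile.mkdtemp())
    guid = "{b4aac626-c8c1-fb70-99e6-bfaca6bad120}"  # GUID from the thread's log
    installer = base / "Windows" / "Installer"
    appdata = base / "Users" / "Oskar" / "AppData" / "Local"
    # Infected layout: U holds the rootkit modules, L the file Malwarebytes
    # labelled Trojan.BitMiner. Contents are placeholders.
    for sub, names in (("U", ["00000004.@", "80000000.@"]), ("L", ["00000008.@"])):
        d = installer / guid / sub
        d.mkdir(parents=True)
        for n in names:
            (d / n).write_bytes(b"constructed sample")
    # Second GUID folder from the OTL fix, here with no payload files left.
    (appdata / guid / "U").mkdir(parents=True)
    # Benign GUID-named MSI cache folder: no U/L .@ files, must not be flagged.
    benign = installer / "{11111111-2222-3333-4444-555555555555}"
    benign.mkdir()
    (benign / "readme.txt").write_text("ok")
    return find_zeroaccess_dirs([installer, appdata, base / "missing"])
```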

Do I have to turn off Malwarebytes and Nod32 if I'm in safe mode? (No tray icons.) And I'm not sure they are running in the background, or am I wrong?
Is it safe to boot in safe mode with networking turned on, or can I just boot like normal?

Never mind… I ran it anyway and even though I thought it froze at the "creating log" part, it went OK… Here are the logs:

Hi,

You are running everything just fine.

Download CKScanner by askey127 from Here & save it to your Desktop.
[*] Right-click and Run as Administrator CKScanner.exe then click Search For Files
[*] When the cursor hourglass disappears, click Save List To File
[*] A message box will verify the file saved
[*] Double-click the CKFiles.txt icon on your desktop then attach the contents in your next reply

Here you go mister:

Hi,

CKScanner has detected illegal software on your system. Besides being illegal, it’s the number one way of infecting your system as all cracked/keygen software is infected. This forum, as well as all the other malware removal forums, do not support the use of illegal software except for their removal. If I were to continue helping you with illegal software installed, it could be construed in the eyes of the law as aiding and abetting a crime.

This may or may not be related to your computer issues, however, if you wish me to continue helping you, then you must remove both the keygen and crack files as well as the related programs. If you do not agree to this then this thread will be closed and no further help will be offered because I will never be able to tell you your malware logs are clean. Please let me know if you wish to continue.

I am well aware of that, and what you see is an old keygen for a navigator I got on my phone some years ago… the other files (the ones that say "cracked paint" etc. are brushes/addons for Photoshop and nothing illegal). The keygen is deleted and the others are not illegal… (unless DICE has put some trojans on their installation CDs for Battlefield 2 and 2142)

But I can uninstall all those programs too if you're not satisfied :cry:

Ok… let’s keep moving :slight_smile:

Run OTL.exe

[*]Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL


:Services

:OTL
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{73CAAC31-C506-4249-9B24-00C2FE5B6EE0}: "URL" = http://startsear.ch/?aff=1&q={searchTerms}
IE - HKU\S-1-5-21-3782446620-3515829599-4045719703-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.superstart.se/
IE - HKU\S-1-5-21-3782446620-3515829599-4045719703-1000\..\URLSearchHook: {687578b9-7132-4a7a-80e4-30ee31099e03} - No CLSID value found
IE - HKU\S-1-5-21-3782446620-3515829599-4045719703-1000\..\SearchScopes,DefaultScope = {73CAAC31-C506-4249-9B24-00C2FE5B6EE0}
IE - HKU\S-1-5-21-3782446620-3515829599-4045719703-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-3782446620-3515829599-4045719703-1000\..\SearchScopes\{73CAAC31-C506-4249-9B24-00C2FE5B6EE0}: "URL" = http://startsear.ch/?aff=1&q={searchTerms}
FF - prefs.js..browser.search.defaultengine: "Web Search"
FF - prefs.js..browser.search.defaultenginename: "Web Search"
FF - prefs.js..browser.search.order.1: "Web Search"
FF - prefs.js..browser.startup.homepage: "http://www.superstart.se/"
[2011-07-11 20:04:02 | 000,000,633 | ---- | M] () -- C:\Users\Oskar\AppData\Roaming\Mozilla\Firefox\Profiles\z84dwarv.default\searchplugins\startsear.xml
[2010-01-01 10:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
O33 - MountPoints2\{266ca514-c0d1-11df-8022-001bfcc562f1}\Shell\AutoRun\command - "" = J:\DVAP.exe
O33 - MountPoints2\{29553072-e9ad-11de-877d-001bfcc562f1}\Shell - "" = AutoRun
O33 - MountPoints2\{29553072-e9ad-11de-877d-001bfcc562f1}\Shell\AutoRun\command - "" = F:\Startme.exe
O33 - MountPoints2\{e961d478-9684-11df-952a-001bfcc562f1}\Shell - "" = AutoRun
O33 - MountPoints2\{e961d478-9684-11df-952a-001bfcc562f1}\Shell\AutoRun\command - "" = "G:\WD SmartWare.exe" autoplay=true
O33 - MountPoints2\F\Shell\AutoRun\command - "" = "F:\Install FreeAgent Tools.exe" /run
O33 - MountPoints2\G\Shell\AutoRun\command - "" = "G:\Install FreeAgent Tools.exe" /run

:Files
dir C:\Users\Oskar\AppData\Roaming\xsecva /s /c
dir C:\Users\Oskar\AppData\Roaming\Xaib /s /c
ipconfig /flushdns /c

:Commands
[purity]
[emptytemp]
[resethosts]
[start explorer]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot when it is done
[*]Then run a new scan and post a new OTL log ( don’t check the boxes beside LOP Check or Purity this time )

Here it is… do you guys get paid for helping people like this? Because you should :o

Hi,

Nah…we volunteer so we don’t get paid. :slight_smile:

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

[*]Right-click and Run as Administrator SystemLook.exe to run it.
[*]Copy the content of the following codebox into the main textfield:


:dir
C:\Users\Oskar\AppData\Roaming\xsecva /s
C:\Users\Oskar\AppData\Roaming\Xaib /s

[*]Click the Look button to start the scan.
[*]When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

As told:
(Btw, I'm still in safe mode… but I guess you saw that in the OTL log)

Thanks. Are you able to get into Normal Mode or have you just been staying in Safe Mode on your own?

Run OTL.exe

[*]Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL


:Services

:OTL
[2012-07-15 17:07:17 | 000,000,000 | ---D | C] -- C:\Users\Oskar\AppData\Roaming\xsecva
[2012-07-11 16:24:37 | 000,000,000 | ---D | C] -- C:\Users\Oskar\AppData\Roaming\Xaib
[2012-07-09 11:41:27 | 000,000,000 | ---D | C] -- C:\Program Files\Conduit
[2012-07-09 11:41:26 | 000,000,000 | ---D | C] -- C:\Users\Oskar\AppData\Local\Conduit
[2012-06-23 18:34:51 | 000,098,816 | ---- | M] () -- C:\Users\Oskar\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

:Files
ipconfig /flushdns /c

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot when it is done
[*]Then run a new scan and post a new OTL log ( don’t check the boxes beside LOP Check or Purity this time )

I just stayed in safe mode… Do you want me to boot in normal mode?

And:

Hi,

Malwarebytes

I see that you have Malwarebytes already on your computer. Please open Malwarebytes, update it and then run a Quick Scan. Save the log that is created for your next reply.

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
[*]Tick the box next to YES, I accept the Terms of Use
[*]Click Start
[*]When asked, allow the ActiveX control to install
[*]Click Start
[*]Make sure that the options Remove found threats is NOT selected and the option Scan unwanted applications is selected.
[*]Click Scan (This scan can take several hours, so please be patient)
[*]If there are threats that are found, please press List of found threats and then in the next window that opens press Export to text file…
[*]Copy and paste/or attach that log as a reply to this topic

Note: If no threats are found, there will not be a log created.

In your next reply please attach the logs made by Malwarebytes and ESET scanner. :slight_smile:

Malwarebytes didn't find anything, but ESET found the same as before, except in other folders (probably quarantined).
Here are the logs:

Yes…those are already quarantined. How is your system running?

Download Security Check by screen317 from here or here.
[*]Save it to your Desktop.
[*]Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
[*]A Notepad document should open automatically called checkup.txt
[*]Please post the contents of that document.

I haven't run in normal mode since we began, so I don't really know (but safe mode is running excellently ;D ). I uninstalled old Java versions before we started, so that may be why they are not up to date, and I found a thread about what to do after an attack (update Java, Adobe Reader etc.), so I will follow that guide.
I see two dimmed-out desktop.ini icons on my desktop, but I guess that's nothing to worry about?
Do you want me to start in normal mode?