infected with sirefef-ZEROACCESS

Hi, my PC is infected with Sirefef and/or ZeroAccess and I think I’ve followed your instructions in this post (if not, please tell me…): http://forum.avast.com/index.php?topic=53253.0

I’m attaching the results of the tests and the logs. I’ll be so thankful for your help!

thanks in advance.

Also I have to say that I have purchased Avast! Internet Security for 2 years, and every time I install it, on the next reboot the PC doesn’t load Windows; it automatically goes to “Windows will try to scan for errors and try to fix them”, but Windows is not able to repair, so all I can do is turn off the PC or restore Windows to a previous date. I restore, and then I’m back to where the antivirus is not installed… and so on forever, in a loop…

thanks again.
P.S.: I’m attaching the last file I have…

Hi,

Download Combofix from either of the links below, and save it to your desktop.
Link 1
Link 2

Note: It is important that it is saved directly to your desktop


IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here


[*]Please open Notepad (Start → Run → type notepad in the Open field → OK) and copy and paste the text present inside the code box below:


ClearJavaCache::

File::
C:\Windows\SysNative\bb-run.dll
C:\Windows\SysNative\dds_log_ad13.cmd
C:\Windows\SysNative\dds_log_trash.cmd

Registry::
Netsvc::
snoopfreesvc

Driver::
snoopfreesvc

[*]Save this as CFScript.txt and change the “Save as type” to “All Files” and place it on your desktop.

http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif

[*]Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
[*]Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
[*]ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
[*]When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix’s window while it is running. That may cause it to stall.

Hi Jeffce,
Thanks for your help. OK, now I ran ComboFix but I cannot see the report, and it never restarts the PC. It seems like it has finished scanning, the window disappears and that’s it… I’m not even touching the mouse or anything.

Hi,

Go to your C: folder and look for a file named Combofix.txt. If you see that, please post it in your next reply.

Sorry, but there is no combofix.txt file…

Would you like a TDSSKiller report?

I was reading essexboy’s post, and when I have to run OTL he says to select ALL USERS… what does it mean? I’m never asked for that and cannot even see it to check it.

Hi darkmata,

Seems like the ZeroAccess infection is preventing some of our tools that we need.

Go ahead and run TDSSKiller but use these instructions and not those posted previously and then post the log created.

Please download TDSSKiller.zip

[*]Extract it to your desktop
[*]Right-click and Run as Administrator TDSSKiller.exe
[*]Press Start Scan

[*]Only if Malicious objects are found then ensure Cure is selected
[*]Then click Continue > Reboot now

[*]Copy and paste the log in your next reply

[*]A copy of the log will be saved automatically to the root of the drive (typically C:)


Done.
No malicious objects found, just one threat. I skipped it.

thanks.

Hi darkmata,

We need to make all files and folders VISIBLE:

[*] Go to start>control panel>folder options>view
[*] Choose to “show hidden files and folders,”
[*] Uncheck the “hide protected operating system files” and the “hide extensions for known file types” boxes.
[*] Close the window with ok

Please delete your copy of ComboFix from your Desktop using right-click >> delete.

Now visit the link here >> http://www.mediafire.com/?3wuubumznr3cs8h and download the file to your Desktop. Once downloaded to your Desktop, run the program. There will be a log produced that I will need in your next reply.

Hi jeffce,

The same issue as before: it scans, looks like it has finished, but I’m not even able to close the window; it disappears and that’s all. Also, on C: there is no report at all…

This is hard stuff!!

Hi jeffce

I have a folder on C: named 32788R22FWJFW. It’s about 12 MB and it says that it shows all the hard drives and hardware connected to this PC… ???

Is that normal?

Hi darkmata,

Don’t worry about the folder. I believe it is fine.

I am going to work up a fix using OTL and will return as quickly as I can.

hi jeffce

OK, here are some RogueKiller reports, maybe this could help!

thanks a lot!

P.S.: if you fix it… I’ll send you a good bottle of Catalan wine!

Oh! I’m terribly sorry, I’ve noticed that those reports are in UTF-8. Do you want them in ANSI?

Hi,

Please download ERUNT (Emergency Recovery Utility NT). This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed. Remember: if you are using Windows Vista as your operating system, right-click the executable and Run as Administrator.

Run OTL.exe

[*]Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL


:Services

:OTL
SRV:[b]64bit:[/b] - [2009/07/14 02:39:46 | 000,005,120 | ---- | M] (Iomega) [Auto | Running] -- C:\Windows\SysNative\bb-run.dll -- (snoopfreesvc)
IE:[b]64bit:[/b] - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:[b]64bit:[/b] - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\URLSearchHook: {db131c55-60c8-4adc-84dc-9e76ab06e2dc} - SOFTWARE\Classes\CLSID\{db131c55-60c8-4adc-84dc-9e76ab06e2dc}\InprocServer32 File not found
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2851619
IE - HKCU\..\URLSearchHook: {db131c55-60c8-4adc-84dc-9e76ab06e2dc} - SOFTWARE\Classes\CLSID\{db131c55-60c8-4adc-84dc-9e76ab06e2dc}\InprocServer32 File not found
IE - HKCU\..\SearchScopes,DefaultScope = {FD63BF63-BFFF-4B8F-9D26-4267DF7F17DD}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2851619
FF:[b]64bit:[/b] - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
O2 - BHO: (Conduit Engine ) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\prxConduitEngin.dll (Conduit Ltd.)
O2 - BHO: (uTorrentBar_ES Toolbar) - {db131c55-60c8-4adc-84dc-9e76ab06e2dc} - C:\Program Files (x86)\uTorrentBar_ES\prxtbuTor.dll File not found
O3 - HKLM\..\Toolbar: (Conduit Engine ) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\prxConduitEngin.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (uTorrentBar_ES Toolbar) - {db131c55-60c8-4adc-84dc-9e76ab06e2dc} - C:\Program Files (x86)\uTorrentBar_ES\prxtbuTor.dll File not found
O18:[b]64bit:[/b] - Protocol\Handler\livecall - No CLSID value found
O18:[b]64bit:[/b] - Protocol\Handler\msnim - No CLSID value found
O18:[b]64bit:[/b] - Protocol\Handler\skype-ie-addon-data - No CLSID value found
O18:[b]64bit:[/b] - Protocol\Handler\wlmailhtml - No CLSID value found
O18:[b]64bit:[/b] - Protocol\Handler\wlpg - No CLSID value found
O33 - MountPoints2\{16478422-317d-11e1-9f37-00241d15fa81}\Shell - "" = AutoRun
O33 - MountPoints2\{16478422-317d-11e1-9f37-00241d15fa81}\Shell\AutoRun\command - "" = L:\LaunchU3.exe -a
NetSvcs:[b]64bit:[/b] snoopfreesvc - C:\Windows\SysNative\bb-run.dll (Iomega)
[2012/03/12 13:33:01 | 000,000,000 | -HS- | M] () -- C:\Windows\SysNative\dds_log_ad13.cmd
[2012/03/02 12:54:55 | 000,000,000 | -HS- | C] () -- C:\Windows\SysNative\dds_log_trash.cmd
[3 C:\Windows\SysNative\*.tmp files -> C:\Windows\SysNative\*.tmp -> ]
[1 C:\Windows\SysWow64\*.tmp files -> C:\Windows\SysWow64\*.tmp -> ]

:Files
ipconfig /flushdns /c
dir C:\Users\Cure\AppData\Local\cf5171c8 /s /c

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot when it is done
[*]Then run a new scan and post a new OTL log ( don’t check the boxes beside LOP Check or Purity this time )
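Added example, not part of the thread and not code from OTL, ComboFix or TDSSKiller: a read-only PowerShell triage script that checks a live system for the kinds of indicators the OTL fix above removes (a service name in the svchost netsvcs group pointing at a DLL, hidden .cmd files in System32, remembered AutoRun commands under MountPoints2, BHOs whose DLL is missing, IE search scopes and URLSearchHook entries). It also sidesteps the Folder Options step from the earlier post by listing hidden and system files with -Force. It assumes an elevated 64-bit PowerShell (so HKLM:\SOFTWARE and System32 are the 64-bit views that OTL labels "64bit:" / SysNative) and only reports; it deletes nothing.

```powershell
# Added example (not from the thread): read-only triage for ZeroAccess-style indicators.
# Assumption: run in an elevated 64-bit PowerShell (2.0 or later). Nothing is modified.

$findings = New-Object System.Collections.ArrayList
function Add-Finding($Check, $Name, $Detail) {
    [void]$findings.Add((New-Object psobject -Property @{ Check = $Check; Name = $Name; Detail = $Detail }))
}

# Normalise a registry path value ("%SystemRoot%\x.dll", quoted paths) before Test-Path.
function Resolve-FilePath($Value) {
    if (-not $Value) { return $null }
    return [Environment]::ExpandEnvironmentVariables(($Value -replace '^"|"$', ''))
}

# 1. netsvcs group: the fix removes snoopfreesvc from it. Each member that exists as a
#    service is reported with the DLL svchost would load for it.
$svchost = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
foreach ($svc in (Get-ItemProperty $svchost).netsvcs) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (-not (Test-Path $key)) { continue }   # the group lists names that are not installed
    $dll = (Get-ItemProperty "$key\Parameters" -ErrorAction SilentlyContinue).ServiceDll
    if (-not $dll) { $dll = (Get-ItemProperty $key).ImagePath }
    $path = Resolve-FilePath $dll
    $state = if ($path -and (Test-Path $path)) { 'present' } else { 'File not found' }
    Add-Finding 'netsvcs' $svc ("{0} [{1}]" -f $dll, $state)
}

# 2. Hidden .cmd files in System32 (dds_log_ad13.cmd / dds_log_trash.cmd in the fix).
#    -Force lists hidden and system files regardless of the Folder Options setting.
$sys32 = Join-Path $env:windir 'System32'
Get-ChildItem $sys32 -Filter '*.cmd' -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) } |
    ForEach-Object { Add-Finding 'hidden-cmd' $_.Name ("{0} bytes, modified {1}" -f $_.Length, $_.LastWriteTime) }

# 3. AutoRun commands remembered for removable drives (the O33 MountPoints2 lines).
$mp = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
Get-ChildItem $mp -ErrorAction SilentlyContinue | ForEach-Object {
    $cmd = Get-ItemProperty "$($_.PSPath)\Shell\AutoRun\command" -ErrorAction SilentlyContinue
    if ($cmd) { Add-Finding 'MountPoints2' $_.PSChildName $cmd.'(default)' }
}

# 4. BHOs (O2) whose CLSID resolves to a DLL that is not on disk, i.e. OTL's "File not found",
#    checked in both the 64-bit and the Wow6432Node views.
function Get-ClsidServer($Clsid) {
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID') {
        $p = (Get-ItemProperty "$root\$Clsid\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        if ($p) { return $p }
    }
}
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
foreach ($k in $bhoKeys) {
    Get-ChildItem $k -ErrorAction SilentlyContinue | ForEach-Object {
        $server = Get-ClsidServer $_.PSChildName
        $path = Resolve-FilePath $server
        $state = if (-not $server) { 'no InprocServer32' } elseif (Test-Path $path) { 'present' } else { 'File not found' }
        Add-Finding 'BHO' $_.PSChildName ("{0} [{1}]" -f $server, $state)
    }
}

# 5. IE search scopes and URLSearchHook entries (the IE - ... lines), per hive.
foreach ($hive in 'HKLM', 'HKCU') {
    $scopes = "${hive}:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes"
    $default = (Get-ItemProperty $scopes -ErrorAction SilentlyContinue).DefaultScope
    Get-ChildItem $scopes -ErrorAction SilentlyContinue | ForEach-Object {
        $tag = if ($_.PSChildName -eq $default) { 'default' } else { 'extra' }
        Add-Finding "SearchScope/$hive" $_.PSChildName ("{0} [{1}]" -f (Get-ItemProperty $_.PSPath).URL, $tag)
    }
    $hooks = Get-ItemProperty "${hive}:\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks" -ErrorAction SilentlyContinue
    if ($hooks) {
        $hooks.PSObject.Properties | Where-Object { $_.Name -like '{*}' } | ForEach-Object {
            $server = Get-ClsidServer $_.Name
            $state = if (-not $server) { 'no InprocServer32' } elseif (Test-Path (Resolve-FilePath $server)) { 'present' } else { 'File not found' }
            Add-Finding "URLSearchHook/$hive" $_.Name ("{0} [{1}]" -f $server, $state)
        }
    }
}

$findings | Sort-Object Check, Name | Format-Table Check, Name, Detail -AutoSize -Wrap
```

Entries tagged "File not found" are the orphaned registrations the OTL fix strips (a BHO or search hook whose DLL was already uninstalled); a netsvcs member whose DLL is present but sits in System32 under an unfamiliar name is the one to look at most closely, since that is exactly how snoopfreesvc / bb-run.dll appears in the log above. The script does not replace the fix and does not attempt removal: on a ZeroAccess-infected machine the rootkit can hide files and keys from a normal process, which is why the helper moved to TDSSKiller and OTL after ComboFix failed to produce a log.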

Hi jeffce

I’ve done it all and posted the log…
I don’t know if you need anything else.
Thanks a lot for your hard work!

Hi jeffce

Do I have to scan again with MBAM or any other program?

Or maybe my PC is OK and I can have a party?

Hi jeffce, sorry, my fault, I didn’t do the OTL scan…

Here is the file…

Thanks!