Infected with Win32:Sirefef-HO [Rtk]

please help

log 2

aswMBR

combofix

certified malware remover is notified…

OK lets get at it

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
File:: C:\Windows\SysNative\epfwtdi.dll

NetSvc::
bhmonitorservice

Driver::
bhmonitorservice

Save this as CFScript.txt, in the same location as ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt, which I will require in your next reply.

THEN

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run

Run OTL

  1. Under the Custom Scans/Fixes box at the bottom, paste in the following:

:OTL
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O22 - SharedTaskScheduler: {CBE68977-972C-4977-8E29-0A5662FBE2A5} - SvjunoniDpn - No CLSID value found.

:Files
ipconfig /flushdns /c

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


  2. Then click the Run Fix button at the top.
  3. Let the program run unhindered, reboot the PC when it is done.
  4. Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

After 30 mins ComboFix got a syntax error…
Now every program has an "illegal operation: registry key that has been marked for deletion" error.
I am now on my Kindle awaiting your instructions.

Reboot to clear the illegal operation error

I should add that to the CF script run

ComboFix did not supply a log this time. It did leave two desktop.ini files.
Here is the new OTL.
Thanks for all your help, essex.

It killed the protection driver though. It appears that OTL did not reset your hosts file or the shared task.

Could you run the same OTL fix again please and post the log that pops up on reboot.

Thanks, essex.

Silly question - are you pressing the Run Fix button?

Could you run the MS Fix it on this page please: http://support.microsoft.com/kb/972034

Not a silly question!!
I screwed up the first time and was running just a full scan.
The second time, I did run the Run Fix and posted the OTL.

I have now installed the Microsoft fix.
Run OTL Quick Scan again?

If you don't mind - just to confirm that the hosts file was reset and there is nothing hidden playing silly buggers ;D

NP!
thanks for all your help!!!

Could you go to C:\Windows\System32\drivers\etc
Right-click the file called HOST and see if you can edit it in Notepad.

The closest file to that name in that folder is:
hosts.ics
Yes, it's editable.

OK, that suggests it has been hidden. Let's use OTL to kill it and then re-run the MS Fix it.

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run

Run OTL

  1. Under the Custom Scans/Fixes box at the bottom, paste in the following:

:OTL
O1 - Hosts: 109.163.226.208 www.google-analytics.com.
O1 - Hosts: 109.163.226.208 ad-emea.doubleclick.net.
O1 - Hosts: 109.163.226.208 www.statcounter.com.
O1 - Hosts: 67.215.245.19 www.google-analytics.com.
O1 - Hosts: 67.215.245.19 ad-emea.doubleclick.net.
O1 - Hosts: 67.215.245.19 www.statcounter.com.
  2. Then click the Run Fix button at the top.
  3. Let the program run unhindered, reboot the PC when it is done.
  4. Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
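The O1 lines above are hosts-file hijacks: well-known analytics and ad domains are pointed at two routable addresses instead of loopback, so the browser is silently redirected. The following script is an added example, not part of the thread and not code from any tool mentioned in it; it shows the check a responder would run to spot such entries. The sample hosts file is constructed for the example from the six entries quoted in the OTL script plus two benign stock lines, and the `hosts_file_flags` helper (which reads Windows file attributes, since a hidden or read-only hosts file would explain both the "missing" file and a tool failing to rewrite it) is this example's own.

```python
import os
import stat
import ipaddress

# Constructed sample hosts file: the six redirect lines are the ones quoted in
# the OTL O1 entries in this thread; the first three lines are what a stock
# Windows hosts file normally carries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
109.163.226.208 www.google-analytics.com
109.163.226.208 ad-emea.doubleclick.net
109.163.226.208 www.statcounter.com
67.215.245.19   www.google-analytics.com
67.215.245.19   ad-emea.doubleclick.net
67.215.245.19   www.statcounter.com
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, skipping comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                            # malformed line, not an address
        for name in parts[1:]:
            entries.append((ip, name.lower().rstrip(".")))
    return entries


def suspicious_entries(text):
    """Flag names mapped to a routable address.

    A clean hosts file maps names to loopback (127.0.0.1 / ::1) or, for ad
    blocking, to the unspecified address 0.0.0.0.  Any other target means
    the name has been redirected, which is the hijack seen in this thread.
    """
    flagged = []
    for ip, name in parse_hosts(text):
        if name in ("localhost", "localhost.localdomain"):
            continue
        if ip.is_loopback or ip.is_unspecified:
            continue
        flagged.append((str(ip), name))
    return flagged


def redirect_targets(text):
    """Group flagged hostnames by the address they are redirected to."""
    grouped = {}
    for ip, name in suspicious_entries(text):
        grouped.setdefault(ip, []).append(name)
    return {ip: sorted(names) for ip, names in grouped.items()}


def hosts_file_flags(path=r"C:\Windows\System32\drivers\etc\hosts"):
    """Report hidden/read-only attributes of the hosts file (Windows only).

    Both attributes are set by some hijackers so the file is not shown in
    Explorer and cannot be overwritten.  Returns None on other platforms,
    where st_file_attributes does not exist.
    """
    st = os.stat(path)
    attrs = getattr(st, "st_file_attributes", None)
    if attrs is None:
        return None
    return {
        "hidden": bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN),
        "readonly": bool(attrs & stat.FILE_ATTRIBUTE_READONLY),
    }


if __name__ == "__main__":
    for ip, names in redirect_targets(SAMPLE_HOSTS).items():
        print(f"{ip} hijacks: {', '.join(names)}")
```

To check a live machine, read the real file with `open(path, encoding="utf-8", errors="replace").read()` and pass it to `suspicious_entries`; an empty result plus `hosts_file_flags` reporting neither hidden nor read-only is what you want to see after the fix.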

OTL will not run now.
ERROR:
Cannot create file c:\windows\system32\drivers\etc\Hosts.

Shit's still here. It just hijacked my browser again and sent me to some site. ARGH!