Infection found: Win:32Sirefef-PL [Rtk] / Win:32Sirefef-ZT [Trj]

Hi guys, can anyone help me out?
I decided to run a complete system scan on my PC using Avast last night and now I’m really worried because it found these files to be infected :cry:

http://i45.tinypic.com/a4yfte.jpg

How should I proceed in order to get rid of these safely?
Thanks in advance

Just in case the image doesn’t show up, these are the infected files:

C:\Windows\assembly\GAC_32\Desktop.ini -- Win32:Sirefef-PL [Rtk]
C:\Windows\assembly\GAC_64\Desktop.ini -- Win32:Sirefef-PL [Rtk]
C:\Windows\System32\services.exe -- Win32:Sirefef-ZT [Trj]
C:\Windows\assembly\GAC_32\Desktop.ini -- Win32:Sirefef-PL [Rtk]
C:\Windows\System32\services.exe -- Win32:Sirefef-ZT [Trj]

Hey, and welcome to the forum.

This needs further investigation by a malware expert, so I suggest you follow this guide and attach your logs.

http://forum.avast.com/index.php?topic=53253.0

Good luck.

Thank you for the guidance mikaelrask
Only the aswMBR log isn’t attached because the program crashes before finishing so I didn’t get any log :cry:

Here is the screenshot of when it crashes:

http://i45.tinypic.com/19v8cx.jpg

And here are the other logs

Thanks again

Try running aswMBR from Safe Mode…

I’m on it …

@leeds

Step#1

Download TDSSKiller and save it to your desktop

Execute [b]TDSSKiller.exe[/b] by double-clicking on it.

[*] Press Start Scan

[*] If a Suspicious object is detected, the default action will be Skip; click on Continue.
[*] If Malicious objects are found, select Cure.

Once complete, a log will be produced at the root drive, which is typically C:\, for example, [b]C:\TDSSKiller.<version_date_time>log.txt[/b]

Please post the contents of that log in your next reply.


Step#2

Please download Malwarebytes AntiRootkit and save it to your desktop.
http://www.malwarebytes.org/products/mbar/

Full instructions how to use MBAR
http://www.bleepingcomputer.com/virus-removal/how-to-use-malwarebytes-anti-rootkit
Please note: this is a beta version, so please be sure to read the disclaimer and take note of it.

[*] Unzip/unrar MBAR into a folder on your Desktop
[*] Open the folder where the contents were unzipped and run mbar.exe

[*] Click on Next > then on the Update button to download fresh definitions.
[*] When the database has updated, click Next
[*] In the following window ensure the “Targets” to scan for Drivers; Sectors; System are ticked. Then select the “Scan” button

[*] If any infections are found, ensure “Create Restore Point” is checked, then select the “Cleanup” button to remove threats.
Or if you are sure any entries should not be kept, just untick them. A list of infected files will be shown.

[*] The clean-up procedure will be scheduled to run.
[*] When complete, a pop-up will be shown. Select the Yes button and the system should reboot to complete the cleaning process.

Please attach the two following logs from the mbar folder:

system-log.txt
and
mbar-log-year-month-day (hour-minute-second).txt.


Step#3

Re-run OTL.exe.

[*]Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.



netsvcs
dir /s /a "C:\Windows\Installer\{03e6c62c-80f0-c701-6906-080b7a3a4571}" /c
BASESERVICES
CREATERESTOREPOINT


[*]Then click the RunScan button at the top.
[*]Let the program run unhindered… attach here fresh OTL.txt

@Pondus
Ok, I tried to run aswMBR from Safe Mode but unfortunately I got the same error

@magna86
Thank you for the help, just give me a few minutes and I’ll reply with the results

Also, I’m not sure if this is relevant or not, but after I restarted my PC, two hidden “desktop.ini” files appeared on my desktop

Thanks guys

Ok, here is the TDSSKiller log

Can I continue with Steps#2 and #3 or should I wait for you to check this log?

Yes, you may continue to run MBAR and, as the last step, the OTL custom scan.

Sorry for taking so long, my PC is pretty slow, mbar scan took a while to finish :slight_smile:
Here are the mbar and fresh OTL logs

Hi,

Download a new, fresh copy of Malwarebytes Anti Rootkit from the link above.
Re-run MBAR one more time as before.

Attach here the fresh system-log.txt and mbar-log-year-month-day (hour-minute-second).txt log report.


Reboot Windows.

Re-run OTL.exe.

[*]Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.



dir /s /a "C:\Windows\Installer\{03e6c62c-80f0-c701-6906-080b7a3a4571}" /c
BASESERVICES
CREATERESTOREPOINT
/md5start
services.exe
/md5stop


[*]Then click the RunScan button at the top.
[*]Let the program run unhindered… attach here fresh OTL.txt
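A defender-side check, added here as an example that is not part of the original thread and not code from OTL, MBAR or any other tool used in it: it reproduces in Python what the two OTL custom scans above look at (the Desktop.ini files under GAC_32 and GAC_64 from the Avast results, the Installer GUID folder, and the MD5 of services.exe via /md5start). The known-good hash is a placeholder, and the directory tree it scans is a constructed sample built by the script itself.

```python
import hashlib
import os
import tempfile

# Paths quoted in the thread's scan results and OTL scripts, relative to the
# drive root (C:\ on the real machine).
GAC_DESKTOP_INI = [
    os.path.join("Windows", "assembly", "GAC_32", "Desktop.ini"),
    os.path.join("Windows", "assembly", "GAC_64", "Desktop.ini"),
]
INSTALLER_GUID_DIR = os.path.join("Windows", "Installer", "{03e6c62c-80f0-c701-6906-080b7a3a4571}")
SERVICES_EXE = os.path.join("Windows", "System32", "services.exe")

# Placeholder (assumption): take the reference MD5 for services.exe from a
# clean machine on the same Windows build; the thread does not give one.
KNOWN_GOOD_SERVICES_MD5 = "<md5 of services.exe from a clean reference system>"


def md5_of(path):
    """Hash the file in chunks, the equivalent of OTL's /md5start ... /md5stop."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_indicators(root):
    """Report which of the thread's indicators are present under `root`."""
    found = {"gac_desktop_ini": [], "installer_guid_dir": False,
             "services_md5": None, "services_md5_matches": None}
    for rel in GAC_DESKTOP_INI:
        if os.path.isfile(os.path.join(root, rel)):
            found["gac_desktop_ini"].append(rel)
    found["installer_guid_dir"] = os.path.isdir(os.path.join(root, INSTALLER_GUID_DIR))
    svc = os.path.join(root, SERVICES_EXE)
    if os.path.isfile(svc):
        found["services_md5"] = md5_of(svc)
        found["services_md5_matches"] = found["services_md5"] == KNOWN_GOOD_SERVICES_MD5.lower()
    return found


def demo():
    """Build a constructed sample tree mimicking the thread's findings, then check it."""
    root = tempfile.mkdtemp(prefix="sirefef_demo_")
    for rel in GAC_DESKTOP_INI + [SERVICES_EXE]:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(b"constructed sample content, not a real binary\n")
    os.makedirs(os.path.join(root, INSTALLER_GUID_DIR))
    return check_indicators(root)
```

Run `check_indicators("C:\\")` on a real system only after replacing the placeholder hash; a mismatch on services.exe is a reason to compare against a trusted copy, not proof of infection on its own.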

There you go
I downloaded and ran a new, fresh Malwarebytes Anti Rootkit and also ran the OTL scan again like you said
Here are the logs

Well, one thing is for sure
After the last reboot Avast didn’t pop up saying there were infected files like it did before, so I’m guessing this is pretty good! :smiley:

I’ll have to go out for a few hours now but I’ll definitely be back later to check if there are more steps to follow :wink:
And also, to thank you for the amazing support

Re-run OTL.exe.

[*]Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.



:Otl
O3 - HKU\S-1-5-21-4151882156-2371627609-445896018-1000\..\Toolbar\WebBrowser: (no name) - {E0301295-AB3E-4AF3-979F-3D453C5F9F48} - No CLSID value found.

:files
ipconfig /flushdns /c
ipconfig /release /c
ipconfig /renew /c

:commands
[CREATERESTOREPOINT]
[emptytemp]


[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered; it will reboot the system when it is done and open Notepad with the log report. Attach that log report here.


How is your computer running now?

Hello again magna86,
Ok, I followed your last post steps but my system didn’t reboot automatically after the scan
It finished and prompted me with the OTL.txt log like it did the last time
Is that ok?
I attached the log file

It’s looking pretty good now: no errors, no more messages on boot from Avast telling me I’ve got infected files, and my PC actually feels quicker than before. Maybe I’m just happy that all that nasty stuff is gone for good! Who knows… haha

Should I run another Virus Scan on Avast to make sure my PC is clean?

Ah, I already told my friends that you guys rock, best support I’ve had in ages, definitely recommending Avast to them
The tutorials here on the forum are pretty straightforward and easy to understand, everything is very detailed, it’s really that great
And… damn, you guys are fast! haha

Let me know if I need to do something else, I’ll come back here tomorrow
Thanks to mikaelrask, Pondus and especially magna86 for helping me out here :slight_smile:

Hi,
You pressed RunScan button instead of Run Fix.
Re-run OTLFix one more time. :slight_smile:

But copy this script into the “Custom Scans/Fixes” box


:Otl
O3 - HKU\S-1-5-21-4151882156-2371627609-445896018-1000\..\Toolbar\WebBrowser: (no name) - {E0301295-AB3E-4AF3-979F-3D453C5F9F48} - No CLSID value found.

:files
ipconfig /flushdns /c
ipconfig /release /c
ipconfig /renew /c

:commands
[emptytemp]
[reboot]


Then feel free to remove & uninstall the tools we used

Re-run OTL and click on CleanUp! button.

You will be asked to reboot the machine to finish the cleanup process, choose Yes.
After the reboot all the tools we used should be gone.
Note: Some more recently created tools may not yet be removed by OTL. Feel free to manually delete any tools it leaves behind.


Re-run Malwarebytes one more time.
If MBAM finds something, it will only be remains and inactive pieces; remove them and that’s it, we’re done here.

Reports (logs) for OTLFix and MBAM are not needed, so there’s no need to attach them here.

Haha yea, you are right, I did press Run Scan instead of Run Fix, that’s my bad :-X

Ok, I re-ran OTL with that code (this time I clicked on the Run Fix button and it rebooted like you said)
Also re-ran OTL for CleanUP :smiley:
After the reboot I ran Malwarebytes and it didn’t find anything :slight_smile:

Thanks again magna86 for helping me out
Avast better pay you guys well because you rock ;D