Malware/Trojan Horses: Sirefef and ZAccess

Hi, so mainly I’m having problems with the Sirefef and ZAccess viruses.
My Avast! Antivirus (free) repeatedly informs me that the malware/trojan horse has been blocked. It happens every 5 minutes or so, and it always pops up 3-4 messages at once.

I tried to find the solution by myself on the internet, but if I understood correctly it seems that the removal procedure is different for every computer.
So here I attached all the logs like you said in your topic (“Logs to assist in cleaning malware”) and I hope you can assist me with the problem.

The last thing I did was scanning with “aswMBR”, and when the scan finished I clicked “Fix”. After 2 minutes I encountered a BSOD; after that Windows itself tried to do a System Restore and that caused another BSOD. Then upon loading Windows, System Restore appeared once again, and after approximately 30 mins it finally started Windows.
Now Avast! isn’t showing any more “malware blocked” reports, but I fear it still might be infected, since practically I didn’t do anything other than unsuccessfully try to remove the viruses with TDSSKiller and Malwarebytes and click Fix after the aswMBR scan (followed by two BSODs).

Thank you in advance.

NOTE: the “extras.txt” log was not made at the same time as the “OTL.txt”, but it was made an hour or two before. For some reason when I made an OTL scan the second time, the “extras.txt” wasn’t created, but I hope that’s not a problem.

And here are the aswMBR and FSS log reports.

There may be some delay due to differing time zones and availability of the volunteer malware removal specialists.

Monitoring 8)

@RaZeR162,
Hello and welcome to avast. :wink:

- I will be working on your malware issues; this may or may not solve other issues you have with your machine.
- The fixes are specific to your problem and should only be used for this issue on this machine.
- If you don’t know or understand something, please don’t hesitate to ask.
- Please refrain from making any further changes to your computer (install/uninstall programs, delete files, edit the registry, etc.)
- Please DO NOT run any other tools or scans whilst I am helping you.
- It is important that you reply to this thread. Do not start a new topic.
- Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
- Absence of symptoms does not mean that everything is clear.


Step #1

Please download Malwarebytes AntiRootkit and save it to your desktop.
http://www.malwarebytes.org/products/mbar/

Full instructions how to use MBAR
http://www.bleepingcomputer.com/virus-removal/how-to-use-malwarebytes-anti-rootkit
Please note: This is a beta version, so please be sure to read the disclaimer and take note of it.

- Unzip/unrar MBAR into a folder on your Desktop.
- Open the folder where the contents were unzipped and run mbar.exe.

- Click on Next, then on the Update button to download fresh definitions.
- When the database has updated, click Next.
- In the following window ensure the “Targets” Drivers, Sectors and System are ticked, then click the “Scan” button.

- If any infections are found, ensure “Create Restore Point” is checked, then click the “Cleanup” button to remove threats.
Or, if you are sure any entries should not be kept, just untick them. A list of infected files will be shown.

- The cleanup procedure will be scheduled.
- When complete, a pop-up will appear. Select the Yes button and the system should reboot to complete the cleaning process.

Please attach the two following logs from the mbar folder:

system-log.txt
and
mbar-log-year-month-day (hour-minute-second).txt.


Step #2

Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
Note: ComboFix must be downloaded to your Desktop.

Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this or this Instruction.

How to disable avast:

- Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
- In the window that opens, in the top right corner, click Settings.
- In the new window that opens, choose the option Troubleshooting, uncheck Enable avast! self-defense, and click OK.

- Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls.
- In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn on this option after the cleaning.

Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note: Do not mouse-click ComboFix’s window while it is running.
If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion”, just restart the computer once more.

When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt)
Attach the log report (ComboFix.txt) back to the topic.

Hello magna86, thank you for your quick reply.
Here are the logs you asked for.

Hi,
Be warned!
ZeroAccess rootkits are very dangerous malware because they provide a way of accessing a computer system that bypasses security mechanisms, and they can steal sensitive information like passwords and personal and financial data, which they send back to the bad guys.
If your computer was used for online banking, or has credit card information or other sensitive data on it, I suggest you do the following.

All passwords should be changed to include those used for banking, email, eBay and forums. You should consider them to be compromised.


2012-12-07 18:54 . 2012-12-07 20:44    C:\TDSSKiller_Quarantine

Why did you run TDSSKiller?
The TDSSKiller log should be produced at the root of the drive, which is typically C:\, for example C:\TDSSKiller.<version_date_time>log.txt
Please attach it here.


2012-12-07 18:09 . 2012-12-07 18:09	C:\_OTL

I did not write an OTL fix for you. What script did you run? Go to the C:\_OTL > MovedFiles folder and attach the notepad file if it is there.
The notepad file should be named like month day year_time of running.txt.

Did you get help somewhere else?

Open notepad and copy/paste the text present inside the code box below:

```
Folder::
c:\windows\1C4551A64743409391E41477CD655043.TMP

ClearJavaCache::

FileLook::
C:\Windows\SysNative\services.exe
```

Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt)

Ok, thank you very much for your warning. Like you suggested, I changed all the “important” passwords (like e-mail, eBay, PayPal, Steam…) from a different (hopefully, not infected) computer. But I’m still wondering, if someone (somehow through these viruses) found out my credit-card information, like the credit card number or something, would I still be in danger of being ripped off?

And btw no, I didn’t get any help from anyone in particular, I was just snooping around various forums and trying to find a solution by myself without bothering you guys. That was the reason why I ran TDSSKiller: I found on a website that this tool is effective against ZAccess viruses.

But after I opened the topic here, I have done nothing else other than what you told me to do.

And about that OTL question, well, before I sent you the OTL log, this was the script I ran:

```
netsvcs
BASESERVICES
%SYSTEMDRIVE%*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
CREATERESTOREPOINT
```

Other than that, yeah, I think I tried to run a “custom script - fix” (again, before I requested your help), and yeah, I realised later that I probably shouldn’t have done that.
I also found that on a website while searching for some removal procedure of those malwares.

Logs attached below.
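The two scripts in this thread (the CFScript, which looks at services.exe and a hex-named .TMP folder under C:\Windows, and the OTL /md5start block, which hashes a handful of core system binaries) boil down to two checks a defender can run themselves. The following is an added Python example, not from the thread or from any of the tools mentioned, that performs those checks offline against a constructed mock of C:\Windows; the baseline dict, the function names and the <32 hex chars>.TMP pattern are assumptions.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Binaries hashed by the OTL /md5start ... /md5stop block in the thread; the
# CFScript's FileLook:: line also singled out services.exe.
WATCHED_BINARIES = ["services.exe", "explorer.exe", "winlogon.exe", "userinit.exe", "svchost.exe"]
# The CFScript's Folder:: line named c:\windows\<32 hex chars>.TMP; this pattern
# is inferred from that single name (an assumption, not a published signature).
HEX_TMP_DIR = re.compile(r"^[0-9a-f]{32}\.tmp$", re.IGNORECASE)

def md5_file(path: Path) -> str:
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def hash_watched_binaries(system_dir: Path) -> dict:
    """{name: md5} for each watched binary present in system_dir."""
    return {n: md5_file(system_dir / n) for n in WATCHED_BINARIES if (system_dir / n).is_file()}

def mismatches(observed: dict, baseline: dict) -> list:
    """Watched binaries whose hash differs from (or is absent from) the trusted baseline."""
    return sorted(n for n, h in observed.items() if baseline.get(n) != h)

def find_hex_tmp_dirs(windir: Path) -> list:
    """Directories directly under windir whose name looks like <32 hex chars>.TMP."""
    return sorted(str(p) for p in windir.iterdir() if p.is_dir() and HEX_TMP_DIR.match(p.name))

def triage(windir: Path, baseline: dict) -> dict:
    """baseline = {name: md5} taken from a known-clean machine of the same Windows build."""
    observed = hash_watched_binaries(windir / "System32")
    return {"hashes": observed, "mismatched": mismatches(observed, baseline),
            "suspicious_dirs": find_hex_tmp_dirs(windir)}

def make_sample_tree() -> tuple:
    """Constructed mock of C:\\Windows for an offline run; returns (root, md5 of the clean services.exe)."""
    root = Path(tempfile.mkdtemp())
    (root / "System32").mkdir()
    (root / "System32" / "services.exe").write_bytes(b"MZ constructed clean services.exe")
    (root / "System32" / "explorer.exe").write_bytes(b"MZ constructed tampered explorer.exe")
    (root / "1C4551A64743409391E41477CD655043.TMP").mkdir()  # folder name from the thread's CFScript
    (root / "Temp").mkdir()  # ordinary folder that must not be flagged
    return root, md5_file(root / "System32" / "services.exe")

if __name__ == "__main__":
    root, clean_md5 = make_sample_tree()
    print(triage(root, {"services.exe": clean_md5, "explorer.exe": "0" * 32}))
```

On a real machine point triage() at %SystemRoot% and supply a baseline of hashes from a clean system of the same build; an empty baseline flags every watched binary, which is why the baseline matters.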

Hi,

> I changed all the "important" passwords ... from a different (hopefully, not infected) computer.

You did not have to change passwords from another computer, because we have disinfected and removed the rootkit. Your system is clean. 8)

> But I'm still wondering, if someone (somehow through these viruses) found out my credit-card information, like the credit card number or something, would I still be in danger of being ripped off?

It should not. If you changed your main passwords you should be safe. The whole thing works (as far as I know) like this: ZA is trying to bypass security and send certain info (your personal info) to the server belonging to the bad guys. If your account has not been compromised so far, then you’re safe. For more information, call your bank.

> And about that OTL question

You probably hit Run Fix the first time instead of Run Scan, so an OTL backup folder was created. ;D

As I wrote above, your logs look good and your system looks clean. How’s your computer running now?

Well it seems ok now. Avast! no longer gives those multiple alerts, and I scanned the “services.exe” file and it’s not infected any more.
I can’t thank you enough. I surely couldn’t have done this by myself ;D

Nice. 8)
I will remove my tools.

It is necessary to uninstall ComboFix:

- Click Start (or http://amf.mycity.rs/pg/images/VistaStartButton.png ), then Run.

On Windows 7 or Vista you may use the Start Search field if Run is not available.

- In the line of text, type in (or copy) the following:

ComboFix /Uninstall

Note that there is a space between “ComboFix” and “/Uninstall”.

- Then click OK (or press Enter).

Wait for the uninstall process to complete.


Re-run OTL and click on CleanUp! button.

You will be asked to reboot the machine to finish the cleanup process, choose Yes.
After the reboot all the tools we used should be gone.
Note: Some more recently created tools may not yet be removed by OTL. Feel free to manually delete any tools it leaves behind.


I recommend using MCShield if you wish.
You may download MCShield from one of the following links:

MyCity - Official download link
Softpedija - Mirror download link

It will prevent infection of your computer via USB flash drives, mobile phones or any other memory card.
And not only will it prevent infection, it will also immediately clean the flash drive, memory card or external HDD.

be safe :wink:

Sorry for my late reply.
I uninstalled the tools and downloaded MCShield.
I’ll try to be safe :slight_smile: and you… keep up the good work ;D!