Persistent Sirefef, etc

I’ve had a rather persistent infection for a little while now, and my usual tricks don’t seem to be working. Rather strapped for time to figure it out, so I thought I would try here and see what’s what.

Logs attached.

Hi SiliconScales, welcome to the forum.

To make cleaning this machine easier
[*]Please do not uninstall/install any programs unless asked to
It is more difficult when files/programs are appearing in/disappearing from the logs.
[*]Please do not run any scans other than those requested
[*]Please follow all instructions in the order posted
[*]All logs/reports, etc… must be posted in Notepad. Please ensure that word wrap is unchecked. In notepad click format, uncheck word wrap if it is checked.
[*]Do not attach any logs/reports, etc… unless specifically requested to do so.
[*]If you have problems with or do not understand the instructions, Please ask before continuing.
[*]Please stay with this thread until given the All Clear. An absence of symptoms does not mean a clean machine.

Download ComboFix from :

Link 1

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs

[*]Right click on ComboFix.exe, click Run as Administrator & follow the prompts.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer’s settings, including making I-E the default browser.
3. If you receive a message after running combofix similar to “Illegal operation attempted on a registry marked for deletion” simply reboot the computer to resolve it.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Please post back with the combofix log.

Sorry for the delay in my response, I just wanted to verify that this is correct:

ComboFix is not producing any form of log. Specifically, there are no results for “combofix.txt” in the entirety of my hard drive. No files have been produced on the desktop, C, or elsewhere. There are no error messages during its operation, and both Avast and MBAM are disabled for that period. It appears to run normally, then closes on completion with no further results.

Hi SiliconScales,

Download the latest version of TDSSKiller from here and save it to your Desktop.

* when running this tool do not delete anything unless instructed *

[*]Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_1.jpg

[*]Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_2.jpg

[*]Click the Start Scan button.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_3.jpg

[*]If a suspicious object is detected, the default action will be Skip, click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_4.jpg

[*]If malicious objects are found, they will show in the Scan results and offer three (3) options.
[*]Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_5.jpg

[*]Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

A report will be created in your root directory, (usually C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste its contents on your next reply.

The following error or errors occurred while posting this message:
The message exceeds the maximum allowed length (10000 characters).

Attaching .txt instead…

Hi SiliconScales,

Download ComboFix from one of these locations:

Link 1

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs

[*]Right click on ComboFix.exe, click Run as Administrator & follow the prompts.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer’s settings, including making I-E the default browser.
3. If you receive a message after running combofix similar to “Illegal operation attempted on a registry marked for deletion” simply reboot the computer to resolve it.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Please post back with the combofix log.

Thanks

OK, combofix is still not producing any kind of a log, anywhere.

Suggestion?

Hi SiliconScales,

Let’s get a new OTL log.

[*]Double click on OTL.exe to run it. Make sure all other windows are closed and to let it run uninterrupted.
[*]When the window appears, underneath Output at the top change it to Minimal Output
[*]Check the boxes beside LOP Check and Purity Check.
[*]In the window under Custom Scans/Fixes copy and paste the following

%systemdrive%$Recycle.Bin|@;true;true;true
/md5start
services.*
/md5stop

[*]Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

When the scan completes, it will open a notepad window, OTL.Txt, and no Extras.Txt this time.

log

Hi SiliconScales,

Can you have a look in C:\Qoobox and see if there is a file named ComboFix-quarantined-files.txt . Also check if there is a file in the folder named Combofix2.txt. It may be named with a different number.

How’s the computer?

This infection is known to corrupt some Windows services. We’ll have a look.
Next

Please download Farbar Service Scanner and save it to your desktop.
[*]Check all the boxes and click scan
[*]Please copy and paste the log to your reply.

Please post back with
[*]ComboFix-quarantined-files.txt
[*]Combofix.txt if you can find one
[*]FSS log

Qoobox is there, as is the Quarantine folder, but zero text files by any such names. Honestly, that’s probably the part that is confusing me the most.

I’m not getting any warnings at the moment (granted, I haven’t rebooted again since after the last scans), so the only thing I’ve noticed is that the taskbar is now graphically broken. Slightly annoying.

Log

Hi SiliconScales,

Delete all copies of combofix.exe that you have and download a new copy.

Please read through the instructions to familiarize yourself with what to expect when the tool runs.

It is vitally important that combofix is renamed before it is even started to download.

Please download ComboFix from Link 1

Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop

[*]If you are using Firefox, make sure that your download settings are as follows:
-Tools->Options->Main tab
-Set to “Always ask me where to Save the files”.

[*]During the download, before you save it to your desktop, rename Combofix to jgh.exe

[*]It is important you rename Combofix during the download, but not after.
[*]Please do not rename Combofix to other names, but only to the one indicated.
[*]Close any open browsers.
[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix


[*]Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
[*]Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don’t know how to disable it, please ask.

[*]Double click on ComboFix.exe (jgh.exe in your case) & follow the prompts.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer’s settings, including making I-E the default browser.
3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Please post back with
[*]combofix log
How is the computer?

Thanks