Please Help remove infection by Win64:Sirefef-A + Win32:Sirefef-AO

Yesterday Avast reported finding these viruses and it reports finding them every 15-20 minutes since then.
I have tried a lot of things to rid my computer of this threat, and probably some of these things were not very smart, but as they say: you live, you learn.
One of them has been enabling my Windows firewall again (because it appears something turned it off) and since then Avast is also sometimes saying I have a URL:Mal infection as well :frowning:

I don't know what to do and I'd appreciate any help.

As has been suggested I have attached the logs by OTL and copied the Malwarebytes AntiMalware log as well.

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.05.08

Windows XP Service Pack 2 x86 NTFS
Internet Explorer 8.0.6001.18702
Vins :: VINSOV-KOMP [administrator]

5.5.2012 23:23:30
mbam-log-2012-05-05 (23-23-30).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 282267
Time elapsed: 16 minute(s), 8 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

you should also attach the aswMBR log

I see some AVG files in there… did you use that before Avast?

Here's the aswMBR log as well. And apparently another instance of Sirefef :stuck_out_tongue:

Yes, I used AVG before Avast. I had a lot of trouble with it (especially that upgrade to AVG 2012… took me 3 days to get my computer to work) and that's why I switched to Avast. But I can't seem to remove all of the files (apparently several versions' worth of them) it left behind.

run AVG uninstaller and reboot http://singularlabs.com/uninstallers/security-software/

The malware removal experts usually arrive here late UK time (on weekdays), so I guess you won't see them until tomorrow.

Hm… I just tried that and my computer went a bit crazy :frowning: had to use a restore point to get it to work again… so I think I'm going to have to leave those files where they are for the moment…

but thanks for the advice.

Hope I get some advice on these malwares soon… the notifications are driving me insane :slight_smile:

Now I've started having other problems as well :frowning: after start up today my Task bar seems to be left hanging and no programs will run (not even restart… I had to reboot it manually). I've managed to get into Safe mode and use a Restore point to get it to work, but I don't know what will happen the next time it restarts.
All of this is very frustrating…

The malware removers are notified, so they will see this when they arrive :wink:

The file in question is a dropper in your temporary files and has not been able to run. On completion of this, could you let me know if you are still getting the alerts?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

If you have Malwarebytes 1.6 or better installed, please disable it for the duration of this run.
To disable MBAM:
Open the scanner and select the Protection tab.
Remove the tick from "Start with Windows".
Reboot and then run OTL.

http://i1224.photobucket.com/albums/ee362/Essexboy3/mbamstop.jpg

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
SRV - File not found [Auto | Stopped] -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe -- (avgwd)
SRV - File not found [Auto | Stopped] -- C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe -- (AVGIDSAgent)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll File not found
O4 - HKLM..\Run: [AVG_TRAY] "C:\Program Files\AVG\AVG2012\avgtray.exe" File not found
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Java Plug-in 1.6.0_03)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll File not found
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG2012\avgrsx.exe /sync /restart)

:Files
ipconfig /flushdns /c
C:\Program Files\AVG

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
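As an added example (not part of the thread, and not OTL's own code): a small parser for the fix-script syntax quoted above that pulls the file path out of each :OTL entry and checks whether that file still exists, reproducing the "File not found" state the helper relied on when choosing which autostart remnants to remove. The sample script is constructed from the entries in the post; the `exists` callback is injectable so the check can be exercised on any machine.

```python
import os
import re

# Constructed sample in OTL fix-script syntax, built from the entries quoted in
# the post above (sections begin with ':OTL', ':Files', ':Commands').
SAMPLE_FIX = r""":OTL
SRV - File not found [Auto | Stopped] -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe -- (avgwd)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll File not found
O4 - HKLM..\Run: [AVG_TRAY] "C:\Program Files\AVG\AVG2012\avgtray.exe" File not found
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG2012\avgrsx.exe /sync /restart)
:Files
C:\Program Files\AVG
:Commands
[emptytemp]
[Reboot]
"""

# Local drive path ending in exe/dll/sys; non-greedy so ' -- (avgwd)' or ' /sync' are not swallowed.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|sys)\b", re.IGNORECASE)


def parse_fix(text):
    """Split an OTL fix script into {section name: [lines]}."""
    sections, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:
            continue
        if line.startswith(":"):  # section header such as ':OTL'
            current = line[1:].lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def check_otl_entries(text, exists=os.path.exists):
    """(entry type, referenced path, present?) per :OTL line; `exists` is
    injectable so the check can be run off the infected machine."""
    results = []
    for line in parse_fix(text).get("otl", []):
        match = PATH_RE.search(line)
        if match:  # entries without a local path (e.g. O16 DPF URLs) are skipped
            entry_type = line.split(" - ", 1)[0]
            results.append((entry_type, match.group(0), exists(match.group(0))))
    return results


def orphaned_entries(text, exists=os.path.exists):
    """Entry types whose target is missing: the same 'File not found' state OTL
    prints, i.e. remnants that only need their autostart entry removed."""
    return [t for t, _, present in check_otl_entries(text, exists) if not present]
```

Running `check_otl_entries(SAMPLE_FIX)` on the affected machine lists each entry with its path and whether the file is present, so the fix can be reviewed before it is run.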

OK… that didn't work, to say the least :frowning: the computer froze in the middle of the OTL process… I've waited 15 minutes for something to happen but it didn't, so I rebooted. Now it won't work at all in normal mode, i.e. the same problem as in the morning… apparently it remains hanging during the start of the Task bar…

Now I'm in safe mode. Any suggestions how to proceed?

Did you disable MBAM? As that will cause OTL to hang.

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
  2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the Combofix log in your next reply, as well as a description of how your computer is running now.

I couldn't do that since it was not on… I apparently have a free version of MBAM, which doesn't even have the protection module enabled.

I've tried the OTL fix again… and it hangs at O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG2012\avgrsx.exe /sync /restart)
There is no such file on the computer, so perhaps that's the hangup, I don't know…

Should I try Combofix now?

Yes please. I will check that out.

Well, I've done something perhaps not very smart, i.e. I just removed the command which I thought was the problem in OTL, and this time it ran through without any problems. I've then performed a scan and I'll attach the logs now. I've also scanned with MBAM (nothing found) and aswMBR.
But then I've tried to restart the computer just to see what will happen. And the same thing as before happened… no applications want to run… something is happening with Avast is my guess, since everything goes haywire once it comes on, or the virus is blocking something.

I'm in Safe mode again and I suppose the Combofix won't work here. What could I do next?

Combofix will run in safe mode… What error do you get when you try to run a programme?

No errors… just nothing happens. After a few tries I've managed to open the Task Manager and it shows the processes being started, but they don't do anything… just hang (and no applications are started as a result at all). Windows Explorer seems to be working fine since I can browse through the files, but I can't start anything.
All the programs starting during start up are active though…

Should I try to run Combofix in safe mode then?

Yes run Combofix in safe mode.

I just did… and nothing happened :frowning: I mean it went through the installation phase and then just disappeared. I don't know how to start it, or whether it has even been installed at all. I think not, since it seems there's no trace of its files…

Hmm, OK. Let's run a clean boot and then run Combofix from normal mode.

Step 1:

Start the System Configuration Utility
Click Start, click Run, type msconfig, and then click OK.
The System Configuration Utility dialog box is displayed.

Step 2:

Configure selective startup options
In the System Configuration Utility dialog box, click the General tab, and then click Selective Startup.
Click to clear the Process SYSTEM.INI File check box.
Click to clear the Process WIN.INI File check box.
Click to clear the Load Startup Items check box. Verify that Load System Services and Use Original BOOT.INI are checked.
Click the Services tab.
Click to select the Hide All Microsoft Services check box.
Click Disable All, and then click OK.
When you are prompted, click Restart to restart the computer.

Step 3: Log on to Windows

If you are prompted, log on to Windows.
When you receive the following message, click to select the "Don't show this message or launch the System Configuration Utility when Windows starts" check box, and then click OK.

You have used the System Configuration Utility to make changes to the way Windows starts. The System Configuration Utility is currently in Diagnostic or Selective Startup mode, causing this message to be displayed and the utility to run every time Windows starts. Choose the Normal Startup mode on the General tab to start Windows normally and undo the changes you made using the System Configuration Utility.

THEN

Now run Combofix please.

Well, Windows started up normally and there are no hangups this time.
But as for the Combofix, the same thing as before happens. It starts, says copying files… the green bar runs to completion and then… nothing at all.
Which, to be frank, is not something that hasn't happened before… for instance some games I tried a long time ago acted in the same way. But I just removed them and didn't think about it.