Please Help, Sirefef-pl detected and mostly neutralized with avast boottime scan

Noticed during a software install that my computer was acting buggy, immediately initiated a boottime scan and avast found sirefef-pl [rtk] and quarantined several files. There still seems to be a presence as I have popup coupon windows as well as altered google search results.

I’ve run full avast scans as well as malwarebytes scans, malwarebytes was last scan and found 5 items, none of which seemed related to sirefef (oh great)

Any help would be appreciated. Want to make sure it is eradicated so I can rest easy.

@samwisemueller
Helo and welcome to avast!

[*] I will be working on your Malware issues this may or may not solve other issues you have with your machine.
[*] The fixes are specific to your problem and should only be used for this issue on this machine.
[*] If you don’t know or understand something, please don’t hesitate to ask.
[*]Please refrain from making any further changes to your computer (Install/Uninstall programs, delete files, edit the registry, etc…)
[*] Please DO NOT run any other tools or scans whilst I am helping you.
[*] It is important that you reply to this thread. Do not start a new topic.
[*] Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
[*] Absence of symptoms does not mean that everything is clear.


Please download Farbar Recovery Scan Tool and save it to your desktop.

[color=green]Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

[*]Double-click to run it. When the tool opens click Yes to disclaimer.
[*]Under Optional Scan ensure “List BCD” and “Driver MD5” are ticked.
[*]Press Scan button.
[*]It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
[*]The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

p.s: if you don’t see “Attachments and other options” bump your (this) topic until you have 3 posts

Here we go:

and the other:

Hi samwisemueller,
Logs shows system infected with 0Access RootKit.

As step#1, from Control Panel > Programs and Features uninstall following ( if you find there )

Mozilla Firefox (3.6.13) (x32 Version: 3.6.13 (en-US))
Mozilla Firefox 4.0b7 (x86 en-US) (x32 Version: 4.0b7)
SweetPacks Updater Service (x32 Version: 3.0.5.5)
Updater By SweetPacks 2.0.0.586 (Version: 2.0.0.586)
IncrediMail, Ltd.

THEN

  1. Open notepad and copy/paste the text present inside the code box below.
    To do this highlight the contents of the box and right click on it. Paste this into the open notepad.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system


Start
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$7185adb03536b16566407e766640976e\n. ATTENTION! ====> ZeroAccess
HKCR\...409d6c4515e9\InprocServer32: [Default-shell32] C:\$Recycle.Bin\S-1-5-21-3960442023-2759247791-3210914792-1000\$7185adb03536b16566407e766640976e\n. ATTENTION! ====> ZeroAccess
MountPoints2: D - D:\LaunchU3.exe -a
MountPoints2: {3d675831-4c91-11df-b3c9-00269e4f2605} - D:\LaunchU3.exe -a
MountPoints2: {42b6bb56-2167-11df-80c5-00269e4f2605} - D:\LaunchU3.exe -a
MountPoints2: {43740f2f-909a-11e1-ab7b-00269e4f2605} - G:\TL-Bootstrap.exe
MountPoints2: {7fd91b0e-ba9d-11de-b12d-806e6f6e6963} - E:\Driver\Windows\PL2303_Prolific_WDMDriverInstaller_v1.6.1.exe
MountPoints2: {df9c2736-7a23-11df-971e-00269e4f2605} - F:\Launcher.exe
MountPoints2: {f8338d57-95e1-11df-b176-00269e4f2605} - D:\Autorun.exe
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.sweetpacks.com/?src=10&st=12&crg=3.5000006.10043&barid={BD7A7CB7-DDFB-11E2-BC3A-00269E4F2605}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://start.sweetpacks.com/?src=10&st=12&crg=3.5000006.10043&barid={BD7A7CB7-DDFB-11E2-BC3A-00269E4F2605}
URLSearchHook: (No Name) - {4acda0f5-16f9-451e-a9d1-26cd832a9dac} -  No File
HKLM-x32 SearchScopes: DefaultScope {EEE6C360-6118-11DC-9C72-001320C79847} URL = http://start.sweetpacks.com/?src=6&q={searchTerms}&st=12&crg=3.5000006.10043&barid={BD7A7CB7-DDFB-11E2-BC3A-00269E4F2605}
SearchScopes: HKLM-x32 - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2455324
SearchScopes: HKLM-x32 - {EEE6C360-6118-11DC-9C72-001320C79847} URL = http://start.sweetpacks.com/?src=6&q={searchTerms}&st=12&crg=3.5000006.10043&barid={BD7A7CB7-DDFB-11E2-BC3A-00269E4F2605}
SearchScopes: HKCU - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2455324
SearchScopes: HKCU - {EEE6C360-6118-11DC-9C72-001320C79847} URL = http://start.sweetpacks.com/?src=6&q={searchTerms}&st=12&crg=3.5000006.10043&barid={BD7A7CB7-DDFB-11E2-BC3A-00269E4F2605}
BHO: Updater By SweetPacks - {7D4F1959-3F72-49d5-8E59-F02F8AA6815D} - C:\Program Files\Updater By SweetPacks\Extension64.dll ()
BHO-x32: Zeit Tunes Media Toolbar - {4acda0f5-16f9-451e-a9d1-26cd832a9dac} - C:\Program Files (x86)\Zeit_Tunes_Media\tbZeit.dll (Conduit Ltd.)
BHO-x32: No Name - {5C255C8A-E604-49b4-9D64-90988571CECB} -  No File
BHO-x32: Updater By SweetPacks - {7D4F1959-3F72-49d5-8E59-F02F8AA6815D} - C:\Program Files\Updater By SweetPacks\Extension32.dll ()
BHO-x32: SweetPacks Browser Helper - {EEE6C35C-6118-11DC-9C72-001320C79847} - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (SweetIM Technologies Ltd.)
Toolbar: HKLM-x32 - Zeit Tunes Media Toolbar - {4acda0f5-16f9-451e-a9d1-26cd832a9dac} - C:\Program Files (x86)\Zeit_Tunes_Media\tbZeit.dll (Conduit Ltd.)
Toolbar: HKLM-x32 - SweetPacks Toolbar for Internet Explorer - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (SweetIM Technologies Ltd.)
Toolbar: HKCU - No Name - {4ACDA0F5-16F9-451E-A9D1-26CD832A9DAC} -  No File
Winsock: Catalog5 01 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 02 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5-x64 01 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 02 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
FF user.js: detected! => C:\Users\Jeff O\AppData\Roaming\Mozilla\Firefox\Profiles\ktwk1gpn.default\user.js
FF NewTab: hxxp://start.sweetpacks.com/?barid={BD7A7CB7-DDFB-11E2-BC3A-00269E4F2605}&src=97&crg=3.5000006.10043&st=23
FF Homepage: hxxp://start.sweetpacks.com/?barid={BD7A7CB7-DDFB-11E2-BC3A-00269E4F2605}&src=10&crg=3.5000006.10043&st=23
FF Keyword.URL: hxxp://start.sweetpacks.com?src=6&barid={BD7A7CB7-DDFB-11E2-BC3A-00269E4F2605}&crg=3.5000006.10043&st=23&q=
FF Extension: No Name - C:\Users\Jeff O\AppData\Roaming\Mozilla\Firefox\Profiles\ktwk1gpn.default\Extensions\{EEE6C361-6118-11DC-9C72-001320C79847}.xpi
CHR HomePage: hxxp://start.sweetpacks.com/?src=10&st=12&crg=3.5000006.10043&barid={BD7A7CB7-DDFB-11E2-BC3A-00269E4F2605}
CHR RestoreOnStartup: "hxxp://start.sweetpacks.com/?barid={BD7A7CB7-DDFB-11E2-BC3A-00269E4F2605}&src=10&crg=3.5000006.10043&st=23", "hxxp://www.google.com/"
CHR DefaultSearchURL: (Bing) - http://start.sweetpacks.com?src=6&q={searchTerms}&barid={BD7A7CB7-DDFB-11E2-BC3A-00269E4F2605}&crg=3.5000006.10043&st=23
CHR Extension: (SweetPacks Chrome Extension) - C:\Users\Jeff O\AppData\Local\Google\Chrome\User Data\Default\Extensions\ogccgbmabaphcakpiclgcnmcnimhokcj\1.4.0.0_0
R2 Updater By SweetPacks; C:\Program Files\Updater By SweetPacks\ExtensionUpdaterService.exe [188760 2013-05-16] ()
C:\Windows\system32\dmwu.exe
C:\Program Files\Updater By SweetPacks
C:\Program Files (x86)\SweetIM
C:\Program Files (x86)\Zeit_Tunes_Media
C:\Users\Jeff O\AppData\Roaming\Mozilla\Firefox\Profiles\ktwk1gpn.default\Extensions\{EEE6C361-6118-11DC-9C72-001320C79847}.xpi
C:\Program Files\Updater By SweetPacks
C:\Program Files (x86)\XingHaoLyrics
Folder: C:\29bc31e917c7b3afe1a6
Folder: C:\dfb067bdd29760f428e5c7399daa949b
C:\Windows\SysWOW64\jmdp\stij.exe
C:\$Recycle.Bin\S-1-5-21-3960442023-2759247791-3210914792-1000\$7185adb03536b16566407e766640976e
C:\$Recycle.Bin\S-1-5-18\$7185adb03536b16566407e766640976e
DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
End


  1. Save notepad as fixlist.txt
    NOTE. It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

  2. Run FRST/FRST64 and press the Fix button just once and wait.
    If the tool needed a restart please make sure you let the system to restart normally and let the tool completes its run after restart.
    The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Note: If the tool warned you about the outdated version please download and run the updated version.

THEN

Re-run FRST, press Scan button and attach here fresh FRST.txt logreport.

THEN

Please download Farbar Service Scanner and run it on the computer with the issue.
[*]Make sure the following options are checked:

[*]Internet Services
[*]Windows Firewall
[*]System Restore
[*]Security Center/Action Center
[*]Windows Update
[*]Windows Defender

[*]Press “Scan”.
[]It will create a log (FSS.txt) in the same directory the tool is run.
[
]Please copy and paste the log to your reply.

fixlog attached

FRST attached

FSS attached

Thanks! Using chrome after firefox uninstall. It is screwy the same way firefox was. But I’m sure you know that.

Yup. And logs looks much better too.

Download the ESET services repair tool, extract the file to your desktop.

[*]Double-click ServicesRepair.exe.
[*]If security notifications appear, click Continue or Run and then click Yes when asked if you want to proceed.
[*]Once the tool has finished, you will be prompted to restart your computer. Click Yes to restart.
[*]A log will be saved in the CCSupport folder the tool created on your desktop, please post the content in your next reply.

  • THEN
  1. Open notepad and copy/paste the text present inside the code box below.
    To do this highlight the contents of the box and right click on it. Paste this into the open notepad.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system


Start
FF Extension: XUL Cache - C:\Users\Jeff O\AppData\Roaming\Mozilla\Firefox\Profiles\ktwk1gpn.default\Extensions\{a335954b-a0f3-48e4-8124-c4101e1a4620}
FF HKLM\...\Firefox\Extensions: [{7D4F1959-3F72-49d5-8E59-F02F8AA6815D}] C:\Program Files\Updater By SweetPacks\Firefox
FF HKLM-x32\...\Firefox\Extensions: [{7D4F1959-3F72-49d5-8E59-F02F8AA6815D}] C:\Program Files\Updater By SweetPacks\Firefox
FF HKCU\...\Firefox\Extensions: [lrcspal@xinghao.net] C:\Program Files (x86)\XingHaoLyrics\FF\
CHR HomePage: hxxp://start.sweetpacks.com/?src=10&st=12&crg=3.5000006.10043&barid={BD7A7CB7-DDFB-11E2-BC3A-00269E4F2605}
CHR RestoreOnStartup: "hxxp://start.sweetpacks.com/?barid={BD7A7CB7-DDFB-11E2-BC3A-00269E4F2605}&src=10&crg=3.5000006.10043&st=23", "hxxp://www.google.com/"
CHR DefaultSearchURL: (Bing) - http://start.sweetpacks.com?src=6&q={searchTerms}&barid={BD7A7CB7-DDFB-11E2-BC3A-00269E4F2605}&crg=3.5000006.10043&st=23
CMD: netsh winsock reset
CMD: ipconfig /flush dns
File: C:\Users\Jeff O\Downloads\setup.exe
Folder: C:\Windows\SysWOW64\jmdp
C:\Users\Jeff O\AppData\Roaming\Mozilla\Firefox\Profiles\ktwk1gpn.default\Extensions\{a335954b-a0f3-48e4-8124-c4101e1a4620}
C:\Program Files\Updater By SweetPacks
C:\Program Files (x86)\XingHaoLyrics
End

  1. Save notepad as fixlist.txt
    NOTE. It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

  2. Run FRST/FRST64 and press the Fix button just once and wait.
    If the tool needed a restart please make sure you let the system to restart normally and let the tool completes its run after restart.
    The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Note: If the tool warned you about the outdated version please download and run the updated version.

  • THEN

Re-run FRST;

[*]Type Services.exe into the Search: field in FRST then click the Search File(s) button.
[*]FRST will search your computer for files and when finished it will produce a log Search.txt
[*]Exit FRST and attach here Search.txt logreport please.

  • THEN
  1. System re-check:

Please download zoek.exe and save it to your desktop.

[*] Close any open browsers.

[*] Temporarily disable your AntiVirus program. (If necessary)
If you are unsure how to do this please read this or this Instruction.

[*] Double click on zoek.exe to run the tool .
Please wait while the tool does not start…

[*] Copy the text present inside the code box below and paste it into the large window in the zoek tool:



filesrcm;
startupall;
DIR /S /A:L "%systemdrive%\*">>"%temp%\log.txt";b
firefoxlook;
chromelook;


[*] Click on
http://www.mcshield.net/personal/magna86/Images/Run%20Script%20by%20zoek.png
button
Please wait until a logreport will open (this can be after reboot)

[*] Save notepad to your Desktop and attach here zoek-results.log

Note: It will also create a log in the C:\ directory named “zoek-results.log

  1. AntiRootkit tool:

Download TDSSKiller and save it to your desktop

Execute [b]TDSSKiller.exe[/b] by doubleclicking on it.

[*] Press Start Scan

[*] If Suspicious object is detected, the default action will be Skip, click on Continue.
[*] If Malicious objects are found, select Cure.

Once complete, a log will be produced at the root drive which is typically C:\ ,for example, [b]C:\TDSSKiller.<version_date_time>log.txt[/b]

Please post the contents of that log in your next reply.

CCS Log

Fixlog

search log

zoek-results log

and lastly TDSS log, many thanks!

Hi samwisemueller,
This looks good, we have removed malware, and repaired damage that he inflicted. The rest is to remove some leftovers …

[*] Close any open browsers.

[*] Temporarily disable your AntiVirus program. (If necessary)
If you are unsure how to do this please read this or this Instruction.

[*] Double click on zoek.exe to run the tool .
Please wait while the tool does not start…

[*] Copy the text present inside the code box below and paste it into the large window in the zoek tool:



emptyclsid;
C:\Users\Jeff O\Downloads\setup.exe;fp
FFdefaults;
chrdefaults;
C:\Users\JEFFO~1\AppData\Local\Temp\WSSetup.exe;f
C:\Users\JEFFO~1\AppData\Local\Temp\DefaultTabSetup.exe;f
C:\Users\JEFFO~1\AppData\Local\Temp\hsbing_717_active.exe;f
C:\Users\JEFFO~1\AppData\Local\Temp\mgsqlite3.dll;f
C:\Users\JEFFO~1\AppData\Local\Temp\LyricsPal_1060-8101_v114.exe;f
C:\Users\JEFFO~1\AppData\Local\Temp\bundlesweetimsetup.exe;f
resetIEproxy;
resethosts;
C:\Windows\Sysnative\Tasks\LyricsPal Update;f
C:\Program Files (x86)\XingHaoLyrics;fs
C:\Windows\Tasks\LyricsPal Update.job;f
ipconfig /flushdns >> %temp%\log.txt;b
C:\Users\Jeff O\AppData\Local\Temp\utt6144.tmp.bat;f
mmiopbgcekanlhpjkonogoljpfmhpkhf;chr
emptyalltemp;
autoclean;



[*] Click on
http://www.mcshield.net/personal/magna86/Images/Run%20Script%20by%20zoek.png
button
Please wait until a logreport will open (this can be after reboot)

[*] Save notepad to your Desktop and attach here zoek-results.log

Note: It will also create a log in the C:\ directory named “zoek-results.log

  • Also, please note, after the execution of Zoek.exe scripts on your Desktop it should appear zip-ed file sample with random numbers name.

C:\Users\Public\Desktop\sample_.zip file.

Please upload that file here and paste here URL download link.
http://www.wikisend.com


How’s your computer running now?

Computer is running very well, no issues at the moment that I can see. Zoek attached.

Filename is:
C:\Users\Public\Desktop[b]sample_20130630_1110.zip[/b]

sample_20130630_1110.zip

here it is

Removing used tools;

Please download DelFix by “Xplode” to your Desktop.

Run the tool and check the following boxes below;

[] Remove disinfection tools
[
] Create registry backup
[*] Purge System Restore

Now click on “Run” button. Wait for the programme completes his work.
All the tools we used should be gone.
Tool will create and open an log report (DelFix.txt)
Note: The report will also be stored on C:\DelFix.txt

I don’t need DelFix log report.

I recommended to keep Malwarebytes and to use MCShield if you will.

You may download Malwarebytes from here:
http://www.malwarebytes.org/

You may download MCShield from one of the following links:

MyCity - Official download link
Softpedija - Mirror download link

It will prevent infection by computer via USB flash drive, mobile phone or any other memory card.
And not only will prevent infection, but it will immediately clean flash drive, memory card or external HDD.