Services.exe infected with Win32:Sirefef-ZT [Trj]

Hi,
I’ve run a quick scan and Avast detected Win32:Sirefef=ZT [Trj] in c:\windows\system32\services.exe. With it being a system file auto fix, repair, move to chest or delete won’t work. :-\

I’ve also just discovered that Windows Firewall isn’t running and I can’t get it to start (error code 0x6D9) if that’s related.

I’m using Windows 7 Home Premium SP1 (64-bit).

Can anyone help me fix this please?

EDIT: I’ve just finished scanning with Panda Cloud Cleaner and attached the log file.

EDIT: Hi magna! You got in there and replied as I was editing that in. Thank you for your quick response, will do that and update you.

Hi,

Please download Farbar Recovery Scan Tool (
http://www.mcshield.net/personal/magna86/Images/FRST_canned.png
) by Farbar and save it to your desktop.

Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

[*]Double-click to run it. When the tool opens click Yes to disclaimer.
[*]Press Scan button.
[*]It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
[*]The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

Thank you magna86, I wasn’t expecting such a quick response! :slight_smile:

Here are the logs.

Just in case it is important, when I double clicked to run it I got the error shown in the screencap I attached. It appeared to scan ok once I closed the message.

Hi ClareG, :wink:

Uh…FRST log shows the active & very well loaded malware. We shall use ComboFix for start…
PS: That error (cmd.exe) isn’t FRST related. :wink:


ComboFix


  1. Please download ComboFix by sUBs from here and save it to your Desktop.
    If you are unsure how ComboFix works please read this guide carefully.
    Note: ComboFix must be downloaded to your Desktop.

  1. Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. They may interfere with Combofix.
    If you are unsure how to do this please read this or this Instruction.

Instructions how to disable avast:

[*]Right click on the avast! system tray icon (
http://www.mcshield.net/pg/images/avast5.png
) in the lower right corner of the screen and scroll up to avast! shield controls;
[*]In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn back on this option after the cleaning by choosing avast! shield controls > Enable all shield options.


  1. Run ComboFix. Click on I Agree!

[i][size=7pt]- ComboFix will display DISCLAIMER of warranty on software.
By clicking I Agree ComboFix shall continue.

  • ComboFix will check if there is a newer version of ComboFix available.
    Click Yes if prompted to download.[/size]
    -If Recovery Console is not installed, ComboFix will offer download & installation.
    Click Yes to allow ComboFix to install Recovery Console.
  • ComboFix will scan your computer in stages, total of 50 stages.
    Do not mouse-click around while ComboFix is running.
    Note:If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart your computer.
    [/i]

  1. When the tool is finished, it will produce a log report for you. (typical location: C:[b]ComboFix.txt[/b] )
    Attach log reports ( ComboFix.txt) back to topic.

FRST Scan


Re-run FRST64

[*]Double-click to run it.
[*]Under Optional Scan ensure “Addition.txt” are ticked.
[*]Press Scan button.
[*]It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
[*]Tool shall also create another log (Addition.txt). Please attach it to your reply.

Here we are…

Ok, malware is neutralized. Now we need to address and remove the leftovers.

First we shall run ComboFix again using his CFScript. Then we shall target the everything else using FRST and his FixList.


ComboFix via CFScript


=> Open notepad and copy/paste the text present inside the code box below:

KillAll::

Folder::
c:\windows\Installer\{824a99b6-6dee-a7d1-ecb1-6f82bd9a9e0e}

ClearJavaCache::

File::
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
C:\Users\Clare\AppData\Roaming\Camdata.ini
C:\Users\Clare\AppData\Roaming\CamLayout.ini
C:\Users\Clare\AppData\Roaming\CamShapes.ini

Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and refering to the picture above.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:[b]ComboFix.txt[/b] )


FRST via FixList


=>1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

Start Folder: C:\Windows\system32\FxsTmp C:\Users\Clare\AppData\Local\Google\Drive\apdfllckaahabafndbhieahigkjlhalf_live.crx C:\Windows\assembly\GAC_32\Desktop.ini C:\Windows\assembly\GAC_64\Desktop.ini C:\Users\Clare\AppData\Roaming\Camdata.ini C:\Users\Clare\AppData\Roaming\CamLayout.ini C:\Users\Clare\AppData\Roaming\CamShapes.ini HKLM-x32\...\Run: [] - [X] SearchScopes: HKLM - DefaultScope {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://www.searchqu.com/web?src=ieb&appid=113&systemid=406&sr=0&q={searchTerms} SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = SearchScopes: HKLM - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://www.searchqu.com/web?src=ieb&appid=113&systemid=406&sr=0&q={searchTerms} SearchScopes: HKLM-x32 - DefaultScope {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://www.searchqu.com/web?src=ieb&appid=113&systemid=406&sr=0&q={searchTerms} SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = SearchScopes: HKLM-x32 - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://www.searchqu.com/web?src=ieb&appid=113&systemid=406&sr=0&q={searchTerms} SearchScopes: HKCU - DefaultScope {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://www.searchqu.com/web?src=ieb&appid=113&systemid=406&sr=0&q={searchTerms} SearchScopes: HKCU - {7229AC40-28A5-40F8-974F-3C93CF1E3DAE} URL = SearchScopes: HKCU - {97354B78-DDD4-4F9F-9920-DF83DB5EB3D6} URL = SearchScopes: HKCU - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://www.searchqu.com/web?src=ieb&appid=113&systemid=406&sr=0&q={searchTerms} BHO: No Name - {9F3209E2-334B-41E9-B09C-703F398742E7} - No File BHO-x32: No Name - {9F3209E2-334B-41E9-B09C-703F398742E7} - No File Toolbar: HKCU - No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File Handler-x32: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.dll No File Handler-x32: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.dll No File Winsock: Catalog5 01 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll" Winsock: Catalog5-x64 01 %SystemRoot%\System32\mswsock.dll [326144] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll" FF Keyword.URL: hxxp://www.searchqu.com/web?src=ffb&appid=113&systemid=406&sr=0&q= CHR HKCU\...\Chrome\Extension: [apdfllckaahabafndbhieahigkjlhalf] - C:\Users\Clare\AppData\Local\Google\Drive\apdfllckaahabafndbhieahigkjlhalf_live.crx [2013-05-02] CMD: ipconfig /flushdns End

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needed a restart please make sure you let the system to restart normally and let the tool completes its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.

Done and done :slight_smile:

Hi,

We shall continue tomorow. :wink:

Hi,

Posted logs looks good. There is no malware. 8) Tell me, how is the computer running now?

Run FSS as I wanna check, is ComboFix repair all damage caused by ZeroAccess.

Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.

[*] Make sure that all options are checked.
[*] Press “Scan”.
[] It will create a log (FSS.txt) in the same directory the tool is run.
[
] Please attach FSS.txt log to your reply.

That’s brilliant! Thank you so much for your help. :slight_smile:
Everything seems to be working ok, Windows Firewall is back up and running again. That was the only symptom I had noticed of the infection.

[s]Unfortunately that link to FSS won’t work for me. :-[/s]
Nevermind, I found it on bleepingcomputer.com. :slight_smile:

Cool. 8) FSS says that all services are good and they are running.

The following will implement some post-cleanup procedures:

=>
1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

DeleteQuarantine: 

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needed a restart please make sure you let the system to restart normally and let the tool completes its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.

=>
It is necessary to uninstall ComboFix :

[*] Click Start (or
http://amf.mycity.rs/pg/images/VistaStartButton.png
) then Run.

On Windows7 or Vista you may use Start Search field if Run is not available.

[*] In the line of text type in (Copy) the following:

ComboFix /Uninstall

Note that there is a space between " ComboFix " and " /Uninstall " .

[*] then click OK (or press Enter ).

Wait for the uninstall process is complete.

=>
=> Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes below;
[i]
http://www.mcshield.net/personal/magna86/Images/checkmark.png
Remove disinfection tools

http://www.mcshield.net/personal/magna86/Images/checkmark.png
Create registry backup

http://www.mcshield.net/personal/magna86/Images/checkmark.png
Purge System Restore [/i]
Click Run button and wait a few seconds for the programme completes his work.
At this point all the tools we used here should be gone. Tool will create an report for you (C:[b]DelFix.txt[/b])

The tool will also record healthy state of registry and make a backup using ERUNT program in %windir%\ERUNT\DelFix
Tool deletes old system restore points and create a fresh system restore point after cleaning.


To help AntiVirus to protect your computer and speed it up, I recommend that you download, install and keep the following free programs:

  1. Keep Malwarebytes Anti-Malware, update it regularly or from time to time and run a Quick Scan weekly.
    Malwarebytes will detect and remove all traces of known malware. MBAM isn’t AntiVirus and it can NOT replace it.

  2. Keep MCShield Anti-Malware, the tool will be updated regularly and perform auto-checking for malware to each attached USB memory device.
    MCShield, has been designed as a lightweight scanner that’s smart enough to catch even new worms and work in fully automatic removal mode.

  3. It’s recommended to delete Temporary Files every once in a while. Run the tool and click on the Start button and TFC will begin to clean. Then restart the computer.
    Temp File Cleaner aka TFC by OldTimer
    TFC is small & usefull utility that shall clean up temp files from all userprofiles and system folders.


How to protect yourself?

  1. Adjust avast! to target PUP software:
    Run avast! 2014 by clicking the system tray icon in the lower right corner of the screen.
    Click on Settings, in the new window that opens, click on Active Protection, then under File System Shield click on gear wheel…
    Under Sensitivity part of option check box for Scan for potentialy unwanted programs PUP.

  2. avast! Software Updater. Run avast!, click on Tools > Software Updater.
    For security reasons, make sure you do update your browser(s), Java, Flash Player, and basically every software you use often.

  3. avast! Browser Cleanup. Run avast!, click on Tools > BrowserCleanup.
    Browser Cleanup tool is an integrated tool in avast! AV that allows you the control on browsers unwanted addons.

  4. avast! Malware Scan. Run avast!, click on Scan and preform QuickScan by clicking on Start button.
    Every once in a whilere, it’s recommended to preform virus scan with avast! 2014.

Cheers, :wink:

OK, I did all that. Had a derp though and ran Delfix before attaching the fixlog, so that’s gone, sorry. ::slight_smile:

Thank you for all your help. I’ve installed the recommended programs too. :slight_smile:

That’s Ok. FixLog has the mission just to clean up & delete his own FRST Quarantine folder. :wink:

Keep safe. Cheers :wink: