Sirefef.A in services, and the other lot of sirefef's everywhere

Hello,

I have a nasty sirefef infection on my pc. I have sirefef.a in services.exe, so every time MSE tries to clean it up, Windows gets a critical error and needs to reboot, after which services.exe has magically respawned. So I disabled MSE’s real-time protection.
I also have sirefef.AB, .AN, .W and .P (as far as MSE knows). I had a sirefef infection before, and I managed to remove it, but now it suddenly came back; I guess it wasn’t completely gone last time.

Here are my logs, any help to get rid of this pest would be hugely appreciated. Also, aswMBR BSOD’d whilst scanning. I’ll try and run it again.

Hi,

Could you also attach the log created by aswMBR? :slight_smile:

Sorry…I missed that last bit about aswMBR not running. If you have not tried, please boot to Safe Mode and attempt to run it.

I’ll try running it again; if it BSOD’s again I’ll do it in safe mode.

Sounds good. Are you aware your system is set up with proxy server settings?

It’s not supposed to, but it randomly enabled those proxies. I think it is one of the sirefef’s changing my proxy settings so it can redirect me to ad-filled websites. Although that hasn’t happened for a couple of months, I managed to fix it.
It probably changed it again, now that sirefef suddenly came back from the dead. Also, if I try to change it, a couple of minutes later it’s back on using that proxy.

Ok, that’s fine. We can fix that up. While you are trying to get aswMBR to run (if you can’t, that is fine, just let me know) I need to give you this warning…

WARNING: Unfortunately one or more of the infections I have identified are Backdoor Trojans, IRCBots or other Malware capable of stealing very important information. You need to stop using all Internet Banking sites, change passwords to all sites with sensitive information from a clean computer and phone your bank to inform them that you may be a victim of identity theft. More often than not, we advise users that a full reinstallation of their Operating System is the only way to ensure that their computer will ever be 100% clean again.

Unfortunately I have found what is known as the ZeroAccess rootkit on your system. It is an especially nasty infection that can take quite some time to clean as well as may have damaged your system files itself. As a warning, during the cleaning (if you choose to do so) you may lose internet access with this computer and in the end we may need to reinstall the operating system anyway depending on the extent of the infection.

If you would like to format and reinstall your Operating System please let me know and we can assist you with that.

If you would like to continue with the cleaning, please continue with the following instructions and I will be more than happy to help. :slight_smile:

If you get aswMBR to run attach that log. If not, let me know and we can continue.

I’d like to try and clean everything up first. I don’t feel like losing all the data on my HDD. Luckily I haven’t really entered any sensitive information on this pc. aswMBR is scanning as I speak, and it got further than last time without BSOD’ing, so I guess last time was just unfortunate coincidence.

If it so happens that I need to reinstall windows, I can do that on my own :slight_smile: .

Ok sounds good. If aswMBR finishes attach the log…if not let me know and we will move on. :slight_smile:

It finally finished, that did take quite long for a quick scan :stuck_out_tongue: . Here is the log:

Hi,

Please download and run ERUNT (Emergency Recovery Utility NT). This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed. Remember, if you are using Windows Vista as your operating system, right-click the executable and Run as Administrator.

If you are running Malwarebytes 1.6 or better, please disable it for the duration of this run.

To disable Malwarebytes

[*]Open the scanner and select the Protection tab
[*]Remove the tick from “Start Protection Module with Windows” as seen below

http://i1224.photobucket.com/albums/ee380/jeffce74/MBAM16orgreater.jpg

Once complete continue with the instructions…

Run OTL.exe

[*]Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL


:Services

:OTL
IE - HKU\S-1-5-21-308719087-2163327473-937432218-1000\..\URLSearchHook: {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
IE - HKU\S-1-5-21-308719087-2163327473-937432218-1000\..\SearchScopes,DefaultScope = {3D1C1238-79BC-4CAE-A4A8-CBC4AA3287FA}
IE - HKU\S-1-5-21-308719087-2163327473-937432218-1000\..\SearchScopes\{3D1C1238-79BC-4CAE-A4A8-CBC4AA3287FA}: "URL" = http://www.google.be/search?hl=nl&q={searchTerms}&sourceid=ie8&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}
IE - HKU\S-1-5-21-308719087-2163327473-937432218-1000\..\SearchScopes\{FF463997-E893-4F15-8D82-127585E794DE}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=MYC-ST&o=102869&src=kw&q={searchTerms}&locale=nl_EU&apn_ptnrs=5J&apn_dtid=YYYYYYYYBE&apn_uid=89d77262-645e-49ca-94c7-3866c51f30af&apn_sauid=A4A566A3-A226-427F-9806-731E5D1475EA
IE - HKU\S-1-5-21-308719087-2163327473-937432218-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-308719087-2163327473-937432218-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:62444
FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "Ask.com"
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.startup.homepage: "http://eu.ask.com/?l=dis&o=102869&gct=hp"
FF - prefs.js..keyword.URL: "http://websearch.ask.com/redirect?client=ff&src=kw&tb=MYC-ST&o=102869&locale=nl_EU&apn_uid=89d77262-645e-49ca-94c7-3866c51f30af&apn_ptnrs=5J&apn_sauid=A4A566A3-A226-427F-9806-731E5D1475EA&apn_dtid=YYYYYYYYBE&&q="
FF - prefs.js..network.proxy.http_port: 62444
FF - prefs.js..network.proxy.no_proxies_on: ""
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF - HKCU\Software\MozillaPlugins\pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
[2012/04/21 00:35:24 | 000,000,000 | ---D | M] (Ask Toolbar) -- C:\Users\Olivier\AppData\Roaming\Mozilla\Firefox\Profiles\0k3cb65e.default\extensions\toolbar@ask.com
[2012/04/19 23:34:53 | 000,002,405 | ---- | M] () -- C:\Users\Olivier\AppData\Roaming\Mozilla\Firefox\Profiles\0k3cb65e.default\searchplugins\askcom.xml
[2010/01/01 10:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
O3:[b]64bit:[/b] - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-308719087-2163327473-937432218-1000\..\Toolbar\WebBrowser: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
O4 - HKU\S-1-5-21-308719087-2163327473-937432218-1000..\Run: [PlayNC Launcher]  File not found
O32 - AutoRun File - [2007/01/24 02:04:01 | 000,000,043 | R--- | M] () - E:\autorun.inf -- [ UDF ]
O33 - MountPoints2\{51e64ba0-99c0-11e0-a16e-7c4fb513fdca}\Shell - "" = AutoRun
O33 - MountPoints2\{51e64ba0-99c0-11e0-a16e-7c4fb513fdca}\Shell\AutoRun\command - "" = G:\autorun.exe
O33 - MountPoints2\{6402c096-999d-11e0-82fb-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{6402c096-999d-11e0-82fb-806e6f6e6963}\Shell\AutoRun\command - "" = E:\launch.exe -- [2004/10/22 00:38:02 | 000,126,976 | R--- | M] (Macrovision Corporation)
[2012/06/14 22:22:44 | 000,000,000 | ---D | C] -- C:\ProgramData\IObit
[2012/06/14 22:22:44 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\IObit
@Alternate Data Stream - 1048 bytes -> C:\Users\Olivier\AppData\Local\Temp\:5OxrP2YGz6jh6Q9dfQMfQ
@Alternate Data Stream - 1048 bytes -> C:\Users\Olivier\AppData\Local\Temp:5OxrP2YGz6jh6Q9dfQMfQ

:Files
C:\Windows\Installer\{8d7f222a-0caa-9ae2-1650-9dab4fd0a4b4}\
ipconfig /flushdns /c

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot when it is done
[*]Then run a new scan and post a new OTL log ( don’t check the boxes beside LOP Check or Purity this time )


I see that you had downloaded ComboFix before?

Please delete the current version of Combofix.exe from your desktop and download a new version from here to your desktop.

Disable your AntiVirus and AntiSpyware applications.

Right-click and Run as Administrator on the Combofix.exe and follow the prompts on your display. When finished, it will create a C:\Combofix.txt. Please post this log for further review.

In your next reply please attach the logs made by OTL and ComboFix.

Okay. So here are the logs.
Also, ComboFix seems to have removed and fixed all the files MSE said were infected, plus some more files. And MSE is giving me the green light again :smiley: .

Looking much better.

Run a new scan with ComboFix and attach that log please. :slight_smile:

Do you mean with OTL?

No with ComboFix. :slight_smile:

All done. This time it didn’t find any infected files.

One thing though, on my desktop there was a hidden desktop.ini , with this written in it:

[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21799

There also were 2 infected desktop.ini’s in my windows folder. When I removed the file, and restarted my pc, the file came back.


EDIT: never mind, I restarted again, and the file didn’t reappear. Guess it was just something ComboFix or OTL made.

Hi,

Alrighty…we still have some entries that don’t belong but I need to check them out more thoroughly.

Download GMER Rootkit Scanner from here or here.

[*] Extract the contents of the zipped file to desktop.
[*] Right-click and Run as Administrator GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
[*] If it gives you a warning about rootkit activity and asks if you want to run scan…click on NO.


http://www.geekstogo.com/misc/guide_icons/GMER_thumb.jpg


[*] In the right panel, you will see several boxes that have been checked. Uncheck the following …
[*] IAT/EAT
[*] Drives/Partition other than Systemdrive (typically C:)
[*] Show All (don’t miss this one)

[*] Then click the Scan button & wait for it to finish.
[*] Once done click on the [Save…] button, and in the File name area, type in “Gmer.txt” or it will save as a .log file which cannot be uploaded to your post.

[*]Save it where you can easily find it, such as your desktop, and attach it in your reply.

Caution
Rootkit scans often produce false positives. Do NOT take any action on any “<— ROOTKIT” entries.

It didn’t find anything, so the log is completely empty. But here it is anyway :stuck_out_tongue: .
Also, almost all the options were grayed out by default, except for services, registry, files, ADS and the option to select the drives.

Ok thanks!

This scan should be quick…

Please download TDSSKiller.zip

[*]Extract it to your desktop
[*]Double click TDSSKiller.exe
[*]when the window opens, click on Change Parameters
[*]under “Additional options”, put a check mark in the box next to “Detect TDLFS File System”
[*]click OK
[*]Press Start Scan

[*]Only if Malicious objects are found then ensure Cure is selected
[*]Then click Continue > Reboot now

[*]Attach the log in your next reply

[*]A copy of the log will be saved automatically to the root of the drive (typically C:)


Yet again, nothing found. This is good right? Or does it mean those strange entries are even deeper than normal?

Hi,

Or does it mean those strange entries are even deeper than normal?
No, I don’t think so. Just want to make sure. This was a serious infection on your system.

[*]Please open Notepad (Start → Run → type notepad in the Open field → OK) and copy and paste the text present inside the code box below:


ClearJavaCache::

Folder::
2012-06-24 20:02 . 2012-06-24 20:02	328704	----a-w-	c:\windows\system32\services.exe.B122559294D6D8E5
2012-06-23 20:59 . 2012-06-23 20:59	50392	----a-w-	c:\windows\system32\drivers\wkpfggwy.sys
2012-06-23 20:59 . 2012-06-23 20:59	328704	----a-w-	c:\windows\system32\services.exe.E4D43E6BA75AE666
2012-06-23 20:52 . 2012-06-23 20:52	328704	----a-w-	c:\windows\system32\services.exe.0053430F2092E97E
2012-06-23 20:48 . 2012-06-23 20:48	328704	----a-w-	c:\windows\system32\services.exe.680DB956975AB82E
2012-06-23 20:44 . 2012-06-23 20:44	50392	----a-w-	c:\windows\system32\drivers\uqufzola.sys
2012-06-23 20:44 . 2012-06-23 20:44	328704	----a-w-	c:\windows\system32\services.exe.9ADD9B17BA9028B4
2012-06-23 20:41 . 2012-06-23 20:41	328704	----a-w-	c:\windows\system32\services.exe.6D8AEF54B4F5A126
2012-06-23 20:37 . 2012-06-23 20:37	328704	----a-w-	c:\windows\system32\services.exe.208C90E9F0015315

[*]Save this as CFScript.txt and change the “Save as type” to “All Files” and place it on your desktop.

http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif

[*]Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
[*]Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
[*]ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
[*]When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix’s window while it is running. That may cause it to stall.
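The indicators this thread turns on (the loopback proxy written into the IE registry keys and Firefox prefs.js, the hash-suffixed copies of services.exe and the random eight-letter drivers listed in the CFScript, and the alternate data stream under Temp) can be pulled out of OTL- and ComboFix-style log lines automatically. The script below is an added example, not part of the thread or of either tool; the sample lines are constructed to mirror the formats shown in the posts above.

```python
"""Flag the ZeroAccess/Sirefef indicators discussed in this thread in
OTL- and ComboFix-style log lines. Added example; sample data is constructed."""
import re
from typing import List, Optional, Tuple

# IE "ProxyServer" pointing at the loopback address (http=127.0.0.1:62444 above).
IE_PROXY = re.compile(r'"ProxyServer"\s*=\s*(?:\w+=)?(127\.0\.0\.1|localhost):(\d+)')
# Firefox prefs.js proxy port set on a machine that should use no proxy.
FF_PROXY_PORT = re.compile(r'network\.proxy\.http_port:\s*(\d+)')
# services.exe followed by a 16-hex-digit suffix, as in the CFScript Folder:: block.
SERVICES_COPY = re.compile(r'services\.exe\.([0-9A-Fa-f]{16})\b')
# Eight random lower-case letters dropped as a driver into system32\drivers.
RANDOM_SYS = re.compile(r'system32\\drivers\\([a-z]{8})\.sys\b', re.IGNORECASE)
# Alternate data stream hung off a Temp folder or file (OTL "@Alternate Data Stream").
ADS = re.compile(r'@Alternate Data Stream - (\d+) bytes -> (\S+)')


def classify(line: str) -> Optional[str]:
    """Return a short finding label for a suspicious line, or None if it is clean."""
    if m := IE_PROXY.search(line):
        return f"ie-loopback-proxy:{m.group(1)}:{m.group(2)}"
    if m := FF_PROXY_PORT.search(line):
        return f"ff-proxy-port:{m.group(1)}"
    if m := SERVICES_COPY.search(line):
        return f"services-exe-copy:{m.group(1).upper()}"
    if m := RANDOM_SYS.search(line):
        return f"random-driver:{m.group(1).lower()}.sys"
    if m := ADS.search(line):
        return f"ads:{m.group(1)}b:{m.group(2)}"
    return None


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (1-based line number, finding) for every line that matches an indicator."""
    return [(n, f) for n, line in enumerate(lines, 1) if (f := classify(line))]


# Constructed sample mixing OTL lines and a ComboFix Folder:: listing; one clean
# Firefox pref and the legitimate services.exe are included as negatives.
SAMPLE = r"""IE - HKU\S-1-5-21-308719087-2163327473-937432218-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:62444
FF - prefs.js..network.proxy.http_port: 62444
FF - prefs.js..browser.startup.homepage: "http://example.invalid/"
2012-06-24 20:02 . 2012-06-24 20:02    328704    ----a-w-    c:\windows\system32\services.exe.B122559294D6D8E5
2012-06-23 20:59 . 2012-06-23 20:59    50392    ----a-w-    c:\windows\system32\drivers\wkpfggwy.sys
2012-06-23 20:59 . 2012-06-23 20:59    328704    ----a-w-    c:\windows\system32\services.exe
@Alternate Data Stream - 1048 bytes -> C:\Users\Olivier\AppData\Local\Temp:5OxrP2YGz6jh6Q9dfQMfQ""".splitlines()

if __name__ == "__main__":
    for number, finding in scan(SAMPLE):
        print(f"line {number}: {finding}")
```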