Sirefef infection

Windows 7 64bit

==================== Registry (Whitelisted) ===================

HKLM.…\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [9644576 2009-12-14] (Realtek Semiconductor)
HKLM.…\Run: [IntelWireless] “C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe” /tf Intel Wireless Tray [1928976 2010-03-04] (Intel(R) Corporation)
HKLM.…\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2074408 2010-02-26] (Synaptics Incorporated)
HKLM.…\Run: [IntelWirelessWiMAX] “C:\Program Files\Intel\WiMAX\Bin\WiMAXCU.exe” /tasktray /nosplash [1441792 2010-06-07] (Intel® Corporation)
HKLM.…\Run: [AdobeAAMUpdater-1.0] “C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe” [497648 2010-07-28] (Adobe Systems Incorporated)
HKLM.…\Run: [MSC] “C:\Program Files\Microsoft Security Client\msseces.exe” -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
HKLM-x32.…\Run: [UpdateLBPShortCut] “C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe” “C:\Program Files (x86)\CyberLink\LabelPrint” UpdateWithCreateOnce “Software\CyberLink\LabelPrint\2.5” [222504 2009-05-19] (CyberLink Corp.)
HKLM-x32.…\Run: [CLMLServer] “C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe” [103720 2009-12-03] (CyberLink)
HKLM-x32.…\Run: [UpdateP2GoShortCut] “C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe” “C:\Program Files (x86)\CyberLink\Power2Go” UpdateWithCreateOnce “SOFTWARE\CyberLink\Power2Go\6.0” [222504 2009-05-19] (CyberLink Corp.)
HKLM-x32.…\Run: [UpdatePDRShortCut] “C:\Program Files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe” “C:\Program Files (x86)\CyberLink\PowerDirector” UpdateWithCreateOnce “Software\CyberLink\PowerDirector\7.0” [222504 2009-05-19] (CyberLink Corp.)
HKLM-x32.…\Run: [RemoteControl8] “C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe” [91432 2009-07-16] (CyberLink Corp.)
HKLM-x32.…\Run: [PDVD8LanguageShortcut] “C:\Program Files (x86)\CyberLink\PowerDVD8\Language\Language.exe” [50472 2009-04-15] (CyberLink Corp.)
HKLM-x32.…\Run: [BDRegion] C:\Program Files (x86)\Cyberlink\Shared Files\brs.exe [75048 2010-01-12] (cyberlink)
HKLM-x32.…\Run: [UpdatePPShortCut] “C:\Program Files (x86)\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe” “C:\Program Files (x86)\CyberLink\PowerProducer” UpdateWithCreateOnce “Software\CyberLink\PowerProducer\5.0” [222504 2009-05-19] (CyberLink Corp.)
HKLM-x32.…\Run: [UpdatePSTShortCut] “C:\Program Files (x86)\CyberLink\Blu-ray Disc Suite\MUITransfer\MUIStartMenu.exe” “C:\Program Files (x86)\CyberLink\Blu-ray Disc Suite” UpdateWithCreateOnce “Software\CyberLink\PowerStarter” [210216 2010-01-11] (CyberLink Corp.)
HKLM-x32.…\Run: [UCam_Menu] “C:\Program Files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe” “C:\Program Files (x86)\CyberLink\YouCam” UpdateWithCreateOnce “Software\CyberLink\YouCam\2.0” [222504 2009-05-19] (CyberLink Corp.)
HKLM-x32.…\Run: [ConnectionCenter] “C:\Program Files (x86)\Citrix\ICA Client\concentr.exe” /startup [300400 2010-03-10] (Citrix Systems, Inc.)
HKLM-x32.…\Run: [BCSSync] “C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe” /DelayServices [91520 2010-03-13] (Microsoft Corporation)
HKLM-x32.…\Run: [TkBellExe] “C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe” -osboot [273544 2011-05-27] (RealNetworks, Inc.)
HKLM-x32.…\Run: [Adobe ARM] “C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe” [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM-x32.…\Run: [APSDaemon] “C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe” [59240 2012-02-20] (Apple Inc.)
HKLM-x32.…\Run: [SunJavaUpdateSched] “C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe” [254696 2011-06-09] (Sun Microsystems, Inc.)
HKLM-x32.…\Run: [iTunesHelper] “C:\Program Files (x86)\iTunes\iTunesHelper.exe” [421736 2012-03-27] (Apple Inc.)
HKLM-x32.…\Run: [QuickTime Task] “C:\Program Files (x86)\QuickTime\QTTask.exe” -atboottime [421888 2012-04-18] (Apple Inc.)
HKLM-x32.…\Run: [Clearwire Connection Manager] “C:\Program Files (x86)\Clearwire\Connection Manager\ClearwireCM.exe” -a [54608 2010-05-25] (ClearwireCM)
HKU\R of the J.…\Run: [swg] “C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe” [39408 2010-07-07] (Google Inc.)
HKU\R of the J.…\Run: [IMC] C:\Program Files (x86)\FriendFinder\FriendFinder Messenger 4\imc.exe
HKU\Tara.…\Run: [swg] “C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe” [39408 2010-07-07] (Google Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Startup: C:\Users\Default\Start Menu\Programs\Startup\Best Buy pc app.lnk
ShortcutTarget: Best Buy pc app.lnk → C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
Startup: C:\Users\Default User\Start Menu\Programs\Startup\Best Buy pc app.lnk
ShortcutTarget: Best Buy pc app.lnk → C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)

==================== Services (Whitelisted) ======

3 CACLEARWIRE; “C:\Program Files (x86)\Clearwire\Connection Manager\ConAppsSvc.exe” /n “CACLEARWIRE” [124240 2010-05-25] (SmithMicro Inc.)
3 clearwireDeviceDiagnosticsService; “C:\Program Files (x86)\Clearwire\Connection Manager\clearwireDeviceDiagnosticsService.exe” [399872 2010-04-19] ()
3 CLEARWIRERcAppSvc; “C:\Program Files (x86)\Clearwire\Connection Manager\RcAppSvc.exe” /n “CLEARWIRERcAppSvc” [120144 2010-05-25] (SmithMicro Inc.)
2 MsMpSvc; “C:\Program Files\Microsoft Security Client\MsMpEng.exe” [12600 2012-03-26] (Microsoft Corporation)
3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [340240 2010-03-04] ()
3 NisSrv; “C:\Program Files\Microsoft Security Client\NisSrv.exe” [291696 2012-03-26] (Microsoft Corporation)
2 RichVideo; “C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe” [247152 2009-07-07] ()
2 SMSI Device Launch Service; “C:\Program Files (x86)\Clearwire\Connection Manager\DeviceLaunchSvc.exe” /n “SMSI Device Launch Service” [107856 2010-05-25] ()
2 UNS; “C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe” [2320920 2010-02-03] (Intel Corporation)

==================== Drivers (Whitelisted) ===================

3 bcm; C:\Windows\System32\DRIVERS\drxvi314_64.sys [359040 2010-03-26] (Beceem communications pvt ltd.)
3 bcmbusctr; C:\Windows\System32\DRIVERS\BcmBusCtr_64.sys [62976 2010-03-26] (Beceem communications pvt ltd.)
1 ctxusbm; C:\Windows\System32\Drivers\ctxusbm.sys [87600 2009-10-05] (Citrix Systems, Inc.)
3 PCTINDIS5X64; ??\C:\windows\system32\PCTINDIS5X64.SYS [43032 2010-05-25] (Smith Micro Inc.)
3 rtport; C:\Windows\SysWow64\Drivers\rtport.sys [15144 2010-10-07] (Windows (R) 2003 DDK 3790 provider)
3 swmsflt; C:\Windows\System32\Drivers\swmsflt.sys [47104 2010-05-25] ()
3 SWNC5E00; C:\Windows\System32\Drivers\SWNC5E00.sys [285696 2010-05-25] (Sierra Wireless Inc.)
3 yukonw7; C:\Windows\System32\DRIVERS\yk62x64.sys [395264 2009-09-28] ()
2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}; ??\C:\Program Files (x86)\CyberLink\PowerDVD8\000.fcl [146928 2010-01-12] (CyberLink Corp.)
3 EagleX64; ??\C:\windows\system32\drivers\EagleX64.sys
1 rrxoqcpy; ??\C:\windows\system32\drivers\rrxoqcpy.sys
3 X6va005; ??\C:\Users\ROFTHE~1\AppData\Local\Temp\005980C.tmp
3 X6va006; ??\C:\Users\ROFTHE~1\AppData\Local\Temp\0062DE6.tmp

ZeroAccess:
C:\Windows\Installer{187ef5a2-f767-3f49-5235-031914813291}
C:\Windows\Installer{187ef5a2-f767-3f49-5235-031914813291}@
C:\Windows\Installer{187ef5a2-f767-3f49-5235-031914813291}\L
C:\Windows\Installer{187ef5a2-f767-3f49-5235-031914813291}\n
C:\Windows\Installer{187ef5a2-f767-3f49-5235-031914813291}\U
C:\Windows\Installer{187ef5a2-f767-3f49-5235-031914813291}\U\00000001.@
C:\Windows\Installer{187ef5a2-f767-3f49-5235-031914813291}\U\800000cb.@

ZeroAccess:
C:\Users\R of the J\AppData\Local{187ef5a2-f767-3f49-5235-031914813291}
C:\Users\R of the J\AppData\Local{187ef5a2-f767-3f49-5235-031914813291}@
C:\Users\R of the J\AppData\Local{187ef5a2-f767-3f49-5235-031914813291}\L
C:\Users\R of the J\AppData\Local{187ef5a2-f767-3f49-5235-031914813291}\U

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

is there a question here ?

if you need removal help …follow this guide and attach (not copy and paste) malwarebytes / OTL / aswMBR logs
http://forum.avast.com/index.php?topic=53253.0

i tried to attach but it wouldn’t work. I’ll try again. I have a sirefef infection and need help removing it. The farbar log is attached.

Worked this time, just needed to use firefox rather than explorer.

Could you run FRST again please but in the search box type services.exe then press search… Attach the resultant log and I will do it in one sweep

log is attached

Download the attached fixlist.txt to the same USB drive as FRST
Restart the computer as before to the recovery console
Run FRST and click Fix

http://i1224.photobucket.com/albums/ee362/Essexboy3/Farbar/FRST2.gif

A log will be generated on the USB drive

Reboot to normal windows

Once there then please run aswMBR and OTL and post the logs along with the FRST fix log

here’s the fix, OTL and aswMBR logs.

After this run can you let me know what problems remain

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
[2012/08/27 12:41:07 | 000,328,704 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\services.exe.3E98FEAA938C2F13
[1 C:\Program Files (x86)\*.tmp files -> C:\Program Files (x86)\*.tmp -> ]
[2012/05/20 17:27:46 | 000,000,288 | ---- | C] () -- C:\Users\R of the J\AppData\Roaming\6682AB1.reg
[2011/12/22 02:31:05 | 000,010,736 | -HS- | C] () -- C:\Users\R of the J\AppData\Local\3ifj6p14qw6fwg73444ucf8ay817ah6n0hc86
[2011/12/22 02:31:05 | 000,010,736 | -HS- | C] () -- C:\ProgramData\3ifj6p14qw6fwg73444ucf8ay817ah6n0hc86

:Reg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS]
"DisplayName"="@%SystemRoot%\\system32\\qmgr.dll,-1000"
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"Description"="@%SystemRoot%\\system32\\qmgr.dll,-1001"
"ObjectName"="LocalSystem"
"ErrorControl"=dword:00000001
"Start"=dword:00000002
"DelayedAutoStart"=dword:00000001
"Type"=dword:00000020
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,45,00,76,00,65,00,\
  6e,00,74,00,53,00,79,00,73,00,74,00,65,00,6d,00,00,00,00,00
"ServiceSidType"=dword:00000001
"RequiredPrivileges"=hex(7):53,00,65,00,43,00,72,00,65,00,61,00,74,00,65,00,47,\
  00,6c,00,6f,00,62,00,61,00,6c,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,\
  67,00,65,00,00,00,53,00,65,00,49,00,6d,00,70,00,65,00,72,00,73,00,6f,00,6e,\
  00,61,00,74,00,65,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,\
  00,00,53,00,65,00,54,00,63,00,62,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,\
  00,67,00,65,00,00,00,53,00,65,00,41,00,73,00,73,00,69,00,67,00,6e,00,50,00,\
  72,00,69,00,6d,00,61,00,72,00,79,00,54,00,6f,00,6b,00,65,00,6e,00,50,00,72,\
  00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,49,00,6e,00,\
  63,00,72,00,65,00,61,00,73,00,65,00,51,00,75,00,6f,00,74,00,61,00,50,00,72,\
  00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,00,00
"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
  00,01,00,00,00,60,ea,00,00,01,00,00,00,c0,d4,01,00,00,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  71,00,6d,00,67,00,72,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS\Performance]
"Library"="bitsperf.dll"
"Open"="PerfMon_Open"
"Collect"="PerfMon_Collect"
"Close"="PerfMon_Close"
"InstallType"=dword:00000001
"PerfIniFile"="bitsctrs.ini"
"First Counter"=dword:000007d2
"Last Counter"=dword:000007e2
"First Help"=dword:000007d3
"Last Help"=dword:000007e3
"Object List"="2002"
"PerfMMFileName"="Global\\MMF_BITS_s"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS\Security]
"Security"=hex:01,00,14,80,90,00,00,00,a0,00,00,00,14,00,00,00,34,00,00,00,02,\
  00,20,00,01,00,00,00,02,c0,18,00,00,00,0c,00,01,02,00,00,00,00,00,05,20,00,\
  00,00,20,02,00,00,02,00,5c,00,04,00,00,00,00,02,14,00,ff,01,0f,00,01,01,00,\
  00,00,00,00,05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,\
  20,00,00,00,20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,04,\
  00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,06,00,00,00,01,02,\
  00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,05,20,00,00,\
  00,20,02,00,00

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

the first one is the quick scan and the second is what OTL showed me upon restarting after the fix. Dont seem to have any issues now. Thank you very much.

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:Commands [resethosts] [emptytemp] [Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that

[*]Go to control panel
[*]Select folder options (Appearance > Folder options in category view)
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[]Click Yes to confirm.
[
]Click OK.

http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version of Java components and upgrade the application.

Upgrading Java:

[] Go to this site and click Do I have Java
[
] It will check your current version and then offer to update to the latest version

SPRING CLEAN

To manually create a new Restore Point

[*]Go to Control Panel and select System
[*]Select System
[*]On the left select System Protection and accept the warning if you get one
[*]Select System Protection Tab
[*]Select Create at the bottom
[*]Type in a name i.e. Clean
[*]Select Create

Now we can purge the infected ones

[*]GoStart > All programs > Accessories > system tools
[*]Right click Disc cleanup and select run as administrator
[*]Select Your main drive and accept the warning if you get one
[*]For a few moments the system will make some calculations
[*]Select the More Options tab
[*]In the System Restore and Shadow Backups select Clean up
[*]Select Delete on the pop up
[]Select OK
[
]Select Delete

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

http://img233.imageshack.us/img233/7729/mbamicontw5.gif

Malwarebytes. Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly it will show you which programmes on your system need updating and give a download link

It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit

[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?

Keep safe :wave:

Ok finished and everything seems fine. The only problem I have now is that windows updater refuses to run. it keeps telling me the services are not running and i may need to restart.

nevermind. it’s working now. I’ll let you know how everything is in 24 hour.

everything is still running good. No problems to report. 8)