Trying to cure a Sirefef-PL infected machine

I am working on a Windows 7 machine that has C:\Windows\System32\services.exe flagged as Win32:Patched-AKC and C:\Windows\assembly\GAC_32\Desktop.ini and \GAC_64\desktop.ini flagged as WIN32:Sirefef-PL. I have an aswMBR log, but from what I've been reading I will also get a log from OTL and post that.

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-08-26 19:55:07

19:55:07.822 OS Version: Windows x64 6.1.7600
19:55:07.822 Number of processors: 2 586 0x170A
19:55:07.822 ComputerName: ELITE UserName:
19:55:09.117 Initialize success
19:55:09.319 AVAST engine defs: 12082400
19:55:15.654 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-1
19:55:15.654 Disk 0 Vendor: WDC_WD32 01.0 Size: 305245MB BusType: 3
19:55:15.670 Disk 0 MBR read successfully
19:55:15.685 Disk 0 MBR scan
19:55:15.685 Disk 0 Windows 7 default MBR code
19:55:15.685 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 100 MB offset 2048
19:55:15.701 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 15000 MB offset 206848
19:55:15.716 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 290143 MB offset 30926848
19:55:15.748 Disk 0 scanning C:\Windows\system32\drivers
19:55:26.324 Service scanning
19:56:12.691 Modules scanning
19:56:12.691 Disk 0 trace - called modules:
19:56:12.722 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys
19:56:12.722 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0xfffffa800301f5d0]
19:56:12.737 3 CLASSPNP.SYS[fffff880011cf43f] → nt!IofCallDriver → \Device\Ide\IAAStorageDevice-1[0xfffffa8002e2f050]
19:56:13.377 AVAST engine scan C:\Windows
19:56:15.671 AVAST engine scan C:\Windows\system32
19:57:28.857 File: C:\Windows\system32\services.exe INFECTED Win32:Patched-AKC [Trj]
19:57:57.426 File: C:\Windows\assembly\GAC_32\Desktop.ini INFECTED Win32:Sirefef-PL [Rtk]
19:57:59.812 File: C:\Windows\assembly\GAC_64\Desktop.ini INFECTED Win32:Sirefef-PL [Rtk]
19:58:59.662 AVAST engine scan C:\Windows\system32\drivers
19:59:12.329 AVAST engine scan C:\Users\Kristian
20:06:06.617 Disk 0 MBR has been saved successfully to “C:\Users\Kristian\Desktop\MBR.dat”
20:06:06.617 The log file has been saved successfully to “C:\Users\Kristian\Desktop\aswMBR.txt”
20:10:07.655 AVAST engine scan C:\ProgramData
20:12:59.800 Scan finished successfully
20:15:25.233 Disk 0 MBR has been saved successfully to “C:\Users\Kristian\Desktop\MBR.dat”
20:15:25.248 The log file has been saved successfully to “C:\Users\Kristian\Desktop\aswMBR.txt”
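As an added, read-only triage check (not part of the original post, and not avast's or aswMBR's code), the PowerShell below re-examines the three paths the log flags. It asks Windows Resource Protection (sfc) whether services.exe still matches the component store, and reports whether the two GAC Desktop.ini files exist, their size, attributes and SHA-256. The sfc message it matches is the English one, which is an assumption; the hashes are recorded so the files can be compared with what the removal tools later replace.

```powershell
# Added triage script (not from the thread). Read-only: it reports, never deletes.
# Run from an elevated 64-bit PowerShell on the suspect machine; a 32-bit shell
# has System32 redirected to SysWOW64 and would check the wrong services.exe.

function Get-Sha256Hex([string]$Path) {
    # .NET hashing because Get-FileHash does not exist in PowerShell 2.0 (Windows 7).
    try {
        $sha = [System.Security.Cryptography.SHA256]::Create()
        $fs  = [System.IO.File]::OpenRead($Path)
        try { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
        finally { $fs.Close() }
    } catch { 'unreadable: ' + $_.Exception.Message }   # a live rootkit may deny access
}

function Test-ServicesExe {
    # Win32:Patched means the bytes on disk differ from what Microsoft shipped.
    # Get-AuthenticodeSignature is no help on Windows 7 (system files are
    # catalog-signed and report NotSigned), so SFC verifies this one file against
    # the component store catalogs instead.
    $svc = Join-Path $env:SystemRoot 'System32\services.exe'
    $out = (& "$env:SystemRoot\System32\sfc.exe" "/verifyfile=$svc" | Out-String) -replace "`0", ''
    # English-locale message; adjust the pattern for other languages (assumption).
    if ($out -match 'did not find any integrity violations') { $verdict = 'matches component store' }
    else { $verdict = 'INTEGRITY VIOLATION (or sfc could not run)' }
    New-Object PSObject -Property @{
        Path     = $svc
        Verdict  = $verdict
        Sha256   = Get-Sha256Hex $svc
        Modified = (Get-Item -LiteralPath $svc).LastWriteTimeUtc
        SfcText  = $out.Trim()
    }
}

function Get-GacDesktopIni {
    # The two files aswMBR tagged Win32:Sirefef-PL. -Force lists hidden/system files.
    foreach ($gac in 'GAC_32', 'GAC_64') {
        $ini = Join-Path $env:SystemRoot "assembly\$gac\Desktop.ini"
        $f = Get-Item -LiteralPath $ini -Force -ErrorAction SilentlyContinue
        if ($f) {
            New-Object PSObject -Property @{
                Path = $ini; Present = $true; Bytes = $f.Length
                Attributes = "$($f.Attributes)"; Sha256 = Get-Sha256Hex $ini
            }
        } else {
            New-Object PSObject -Property @{
                Path = $ini; Present = $false; Bytes = 0; Attributes = ''; Sha256 = ''
            }
        }
    }
}

Test-ServicesExe  | Format-List Path, Verdict, Modified, Sha256, SfcText
Get-GacDesktopIni | Format-Table Path, Present, Bytes, Attributes, Sha256 -AutoSize
```

Two caveats. The scanner tagged the Desktop.ini entries [Rtk]: a rootkit that is still running can hide or lock the files, so "Present = False" or "unreadable" from a live system does not overrule the scan, which is why the helpers run their own tools. And services.exe must never simply be deleted; the machine will not boot without it, so a patched copy has to be replaced with a clean one.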

Do you also have a Malwarebytes log? http://forum.avast.com/index.php?topic=53253.0

Malware removers have been notified. It may take hours before one arrives, so be patient.

Thank you very much. I will include the MBAM and RogueKiller logs.

Hi,

Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.

Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this or this Instruction.

How to disable avast:

- Right-click the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
- In the window that opens, click Settings in the top right corner.
- In the new window, choose Troubleshooting, uncheck Enable avast! self-defense, and click OK.

- Right-click the avast! icon in the lower right corner of the screen and select avast! shield controls.
- In the menu that appears, choose Disable Permanently. When prompted to turn off security, click Yes.

Note: Do not forget to turn on this option after the cleaning.

Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note: Do not mouse-click ComboFix's window while it is running.
If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart computer once more.

When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt)
Attach the log report (ComboFix.txt) back to the topic.

Per your request.

Open notepad and copy/paste the text present inside the code box below:

Folder::
c:\program files (x86)\Ask.com

File::
c:\progra~2\SEARCH~1\Datamngr\datamngr.dll
c:\progra~2\SEARCH~1\Datamngr\IEBHO.dll
c:\progra~2\SEARCH~1\Datamngr\x64\datamngr.dll
c:\progra~2\SEARCH~1\Datamngr\x64\IEBHO.dll

Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"=-
[-HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
[-HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
[-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9D717F81-9148-4f12-8568-69135F087DB0}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=-

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_270_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_270_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx"
"ThreadingModel"="Apartment"
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx, 1"
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx"
"ThreadingModel"="Apartment"
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx, 1"
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)


Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows.

Referring to the screenshot above, drag CFScript.txt onto ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt)
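The CFScript above clears three persistence points: the AppInit_DLLs value in both the native and the Wow6432Node view, two Browser Helper Object CLSIDs, and a URLSearchHook in HKCU. As an added example (not part of the thread and not ComboFix code), the read-only PowerShell below enumerates those same locations and resolves each CLSID to the file COM would load, so the state can be compared before and after the run. The Browser Helper Objects key is written out as the standard full path, which the CFScript abbreviates with ~.

```powershell
# Added audit of the persistence points the CFScript clears. Read-only.
# Written for PowerShell 2.0 on 64-bit Windows 7, run from a 64-bit shell.

function Get-AppInitDlls {
    # Any DLL named here is loaded into every process that loads user32.dll.
    # LoadAppInit_DLLs = 1 means the mechanism is switched on for that view.
    foreach ($k in 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
                   'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows') {
        $p = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        New-Object PSObject -Property @{
            Key = $k; AppInit_DLLs = $p.AppInit_DLLs; LoadAppInit_DLLs = $p.LoadAppInit_DLLs
        }
    }
}

function Resolve-ComServer([string]$ClassesRoot, [string]$Clsid) {
    # Map a CLSID to the in-process server COM would load and check it is on disk.
    $srv = Get-ItemProperty -Path "$ClassesRoot\CLSID\$Clsid\InprocServer32" -ErrorAction SilentlyContinue
    $dll = $srv.'(default)'
    $onDisk = $false
    if ($dll) {
        $path = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
        $onDisk = Test-Path -LiteralPath $path
    }
    New-Object PSObject -Property @{ CLSID = $Clsid; Server = $dll; OnDisk = $onDisk }
}

function Get-BrowserHelperObjects {
    # 64-bit and 32-bit IE read different BHO keys and different CLSID roots.
    $views = @{
        'native' = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
                     'HKLM:\SOFTWARE\Classes')
        'wow64'  = @('HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
                     'HKLM:\SOFTWARE\Classes\Wow6432Node')
    }
    foreach ($view in $views.Keys) {
        $bhoKey, $classes = $views[$view]
        Get-ChildItem -Path $bhoKey -ErrorAction SilentlyContinue | ForEach-Object {
            $r = Resolve-ComServer $classes $_.PSChildName
            $r | Add-Member -MemberType NoteProperty -Name View -Value $view -PassThru
        }
    }
}

function Get-UrlSearchHooks {
    # URLSearchHooks run when an address-bar entry is not a URL; the CFScript removes one.
    # 32-bit IE is the default on x64, so try the Wow6432Node view first, then native.
    $p = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks' -ErrorAction SilentlyContinue
    if ($p) {
        $p.PSObject.Properties | Where-Object { $_.Name -like '{*}' } | ForEach-Object {
            $r = Resolve-ComServer 'HKLM:\SOFTWARE\Classes\Wow6432Node' $_.Name
            if (-not $r.Server) { $r = Resolve-ComServer 'HKLM:\SOFTWARE\Classes' $_.Name }
            $r
        }
    }
}

Get-AppInitDlls          | Format-List
Get-BrowserHelperObjects | Format-Table View, CLSID, OnDisk, Server -AutoSize
Get-UrlSearchHooks       | Format-Table CLSID, OnDisk, Server -AutoSize
```

After the fix runs, both AppInit_DLLs values should be empty and the two Datamngr/Ask CLSIDs from the script should no longer appear in either BHO list. An entry whose Server is set but OnDisk is False is a dangling registration: harmless by itself, but worth removing so it cannot be re-pointed at a new file later.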

After I ran ComboFix, it knocked the wireless and Ethernet offline. Not sure if I should run the script until the network issue is resolved.

Run the script regardless of the Internet issue.

Reboot the computer.

It keeps telling me avast is up even though I disabled all 8 scanners and the defense module in settings.

Ignore the warning.

You have remnants of McAfee, later we will remove them.

Ok I did.

Open notepad and copy/paste the text present inside the code box below:

RegLockDel::
[HKEY_LOCAL_MACHINE\software\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\

SecCenter:: 
{86355677-4064-3EA7-ABB3-1B136EB04637}
{BE0ED752-0A0B-3FFF-80EC-B2269063014C}
{3D54B793-665E-3129-9103-206115370C8A}

Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows.

Referring to the screenshot above, drag CFScript.txt onto ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt)

Report for the last script.

OK, how’s your computer behaving now?

It seems to be booting quicker and programs seem to be responding quicker than usual. My wireless or Ethernet still won't connect though. Before the first run of ComboFix it was working fine. I am currently online using the same router.

Try a complete repair of the Internet connection. Double-click CIntRep, select all the items listed and click Go.

http://www.datum-forensics.com/down/comintrep.exe

Ran the program and check-marked everything. It said it couldn't find wcualt though. Message I get when I troubleshoot the connection using the Windows 7 Troubleshooter. There are no proxy settings in Internet Options. Would an FSS log show anything useful?

Copy and paste these lines in Notepad.

@echo on
rem Reset the hosts file to the single default entry, then reset the
rem network stack (Winsock catalog and TCP/IP) and reboot. Run as Administrator.
pushd %SystemRoot%\System32\drivers\etc
attrib -h -s -r hosts
echo 127.0.0.1 localhost>hosts
attrib +r +h +s hosts
popd
ipconfig /release
ipconfig /renew
ipconfig /flushdns
netsh winsock reset catalog
netsh int ip reset resetlog.txt
shutdown -r -t 1
del %0

Save as flush.bat to your desktop. Right click on the flush.bat file to run it as Administrator.

Your computer will reboot itself.
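When the hosts, Winsock and TCP/IP reset above still leaves the adapter without connectivity, the next thing to check is whether the services and kernel drivers the Windows 7 network stack depends on are present, on disk and running. The PowerShell below is an added diagnostic, not from the thread; the list of service and driver names is my assumption of the usual dependencies on Windows 7 (DHCP and DNS clients, Network Store Interface, Network Location Awareness, Base Filtering Engine, Windows Firewall, WLAN AutoConfig, IP Helper, and the tcpip/afd/netbt/tdx/nsiproxy/NDIS drivers). It reads from WMI and changes nothing.

```powershell
# Added diagnostic (not from the thread). Read-only. Reports the state of the
# services and drivers the network stack depends on. The name list is an
# assumption for Windows 7; extend it for your build. A name that is MISSING
# from the service database is a stronger signal than one that is merely stopped.

$serviceNames = 'Dhcp', 'Dnscache', 'nsi', 'NlaSvc', 'Netman', 'BFE', 'MpsSvc', 'WlanSvc', 'iphlpsvc'
$driverNames  = 'tcpip', 'afd', 'netbt', 'tdx', 'nsiproxy', 'NDIS'

function Resolve-ImagePath([string]$PathName) {
    # PathName may carry quotes and arguments (svchost.exe -k ...) or kernel-style
    # prefixes (\SystemRoot\..., \??\C:\...). Return a bare path Test-Path understands.
    if (-not $PathName) { return $null }
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) { $p = $p.Substring(1, $p.IndexOf('"', 1) - 1) }
    elseif ($p -match '^(.*?\.(exe|sys))(\s|$)') { $p = $Matches[1] }
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    $p = $p -replace '^system32\\', "$env:SystemRoot\system32\"
    return $p
}

function New-NetRow([string]$Name, [string]$Kind, $Wmi) {
    # One report row per name; $Wmi is $null when WMI has no such service/driver.
    if (-not $Wmi) {
        return New-Object PSObject -Property @{
            Name = $Name; Kind = $Kind; State = 'MISSING'; StartMode = ''; ImagePath = ''; OnDisk = $false
        }
    }
    $img = Resolve-ImagePath $Wmi.PathName
    $onDisk = $false
    if ($img) { $onDisk = Test-Path -LiteralPath $img }
    New-Object PSObject -Property @{
        Name = $Name; Kind = $Kind; State = $Wmi.State; StartMode = $Wmi.StartMode
        ImagePath = $img; OnDisk = $onDisk
    }
}

function Get-NetworkDependencyState {
    $rows = @()
    foreach ($n in $serviceNames) {
        $s = Get-WmiObject -Class Win32_Service -Filter "Name='$n'"
        $rows += New-NetRow $n 'service' $s
    }
    foreach ($n in $driverNames) {
        $d = Get-WmiObject -Class Win32_SystemDriver -Filter "Name='$n'"
        $rows += New-NetRow $n 'driver' $d
    }
    $rows
}

Get-NetworkDependencyState | Format-Table Name, Kind, State, StartMode, OnDisk, ImagePath -AutoSize
```

Every row Running, Auto and OnDisk True means the stack itself is intact and the fault is elsewhere (adapter driver, the router's DHCP, a proxy). A MISSING row, or one whose image file is gone, points at a service that was deleted or broken during cleanup and has to be restored rather than merely restarted.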

Did as told. Still getting an exclamation mark on the wireless icon in the system tray.

Download MiniToolBox to your desktop:
http://download.bleepingcomputer.com/farbar/MiniToolBox.exe

Double-click the program, select all the items listed and click Go.
Attach the contents of the log in your next reply.