Hey everyone, I’m new here and although I’m not computer illiterate I am a novice. I have multiple Trojan/rootkit viruses that are Win32:Malware-gen and Win32:Sirefef-PL [Rtk]. I’ve tried everything in my limited knowledge and what I’m capable of doing with the antivirus tools I have, and can’t get rid of them. I’m running a free, updated version of Avast (8.0.1497) with virus definition 131011-0. I also have Malwarebytes and Spybot (S&D). My Avast finds the viruses, says they are put in the chest, but the problem is still here. I’ve run boot scans, full reg scans and quick scans. I’ve even run scans just in the files that seem to be infected. When Windows is running normally and in safe mode Avast says there are no infected files, but if I run a boot scan it has found at least 2 of the above mentioned every time. Malwarebytes found 6 problems on the initial run, fixed them and doesn’t find them anymore. I’ve tried to download TDSSKiller but the virus isn’t allowing it, stating I’m trying to download a file containing a virus. Any advice for a fix or help would be greatly appreciated because I will admit this is over my head and everything I’ve read says left unchecked it can cause a lot of harm. As of now I’m still operational for the most part, but other than my iPhone 5 this is my only option for correspondence. Thanks
Hi,
Please download Farbar Recovery Scan Tool and save it to your desktop.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.
[*]Double-click to run it. When the tool opens click Yes to disclaimer.
[*]Under Optional Scan ensure “List BCD” and “Driver MD5” are ticked.
[*]Press Scan button.
[*]It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
[*]The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
Thanks for the quick reply. As I was waiting another posted an almost identical problem, but I can’t get anything to work on my firewalls, and when I tried to download the program you just posted I get the same issue as when I tried to download TDSSKiller. It’s saying the file I’m trying to download is a virus and it deletes it halfway through the download.
Do not use Internet Explorer for the download. Use some other browser such as Firefox or Chrome. FRST is a legit and very powerful tool that will kill this ZeroAccess (alias Sirefef) bastard. ;D
Ok, thanks, I’ll relog through Chrome, be back in a sec.
Here you go, sorry for the delay…
Before we continue, do you know who has used Windows policy to disable features (e.g. Task Manager and Registry Editor), etc.?
HKU\Kiosk\...\Policies\system: [NoDispSettingsPage] 1
HKU\Kiosk\...\Policies\system: [DisableRegistryTools] 1
HKU\Kiosk\...\Policies\system: [NoDispScrSavPage] 1
HKU\Kiosk\...\Policies\system: [NoDispCPL] 1
HKU\Kiosk\...\Policies\system: [NoDispBackgroundPage] 1
HKU\Kiosk\...\Policies\system: [NoDispAppearancePage] 1
HKU\Kiosk\...\Policies\system: [DisableChangePassword] 1
HKU\Kiosk\...\Policies\system: [DisableLockWorkstation] 1
HKU\Kiosk\...\Policies\system: [DisableTaskMgr] 1
No one should have been on this computer but me. I live alone and only rarely have anyone use this computer. Could I have done it screwing around with things I shouldn’t have been screwing with?
Quote: No one should have been on this computer but me
If you say so. ;D
1. Open notepad and copy/paste the text present inside the code box below.
To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system
Start
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
HKCU\...409d6c4515e9\InprocServer32: [Default-shell32] C:\$Recycle.Bin\S-1-5-21-1639554464-675732369-1436308505-1000\$ee66691e3833ad3d2d0c9efbdca20170\n. ATTENTION! ====> ZeroAccess?
HKU\Kiosk\...\Policies\system: [NoDispSettingsPage] 1
HKU\Kiosk\...\Policies\system: [DisableRegistryTools] 1
HKU\Kiosk\...\Policies\system: [NoDispScrSavPage] 1
HKU\Kiosk\...\Policies\system: [NoDispCPL] 1
HKU\Kiosk\...\Policies\system: [NoDispBackgroundPage] 1
HKU\Kiosk\...\Policies\system: [NoDispAppearancePage] 1
HKU\Kiosk\...\Policies\system: [DisableChangePassword] 1
HKU\Kiosk\...\Policies\system: [DisableLockWorkstation] 1
HKU\Kiosk\...\Policies\system: [DisableTaskMgr] 1
BHO-x32: No Name - {0974BA1E-64EC-11DE-B2A5-E43756D89593} - No File
Toolbar: HKLM-x32 - No Name - {0974BA1E-64EC-11DE-B2A5-E43756D89593} - No File
Winsock: Catalog5 01 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 07 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5-x64 01 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 07 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
CHR Extension: (Chrome In-App Payments service) - C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.4.11_0
C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
U2 *etadpug; "C:\Program Files (x86)\Google\Desktop\Install\{ee66691e-3833-ad3d-2d0c-9efbdca20170}\ \...\???\{ee66691e-3833-ad3d-2d0c-9efbdca20170}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
2013-10-12 04:30 - 2013-10-12 04:31 - 00027256 _____ (Symantec Corporation) C:\Windows\system32\Drivers\FixZeroAccess.sys
2013-10-12 04:29 - 2013-10-12 04:29 - 01805736 _____ (Symantec Corporation) C:\Users\owner\Downloads\FixZeroAccess.exe
2013-10-12 04:29 - 2013-10-12 04:29 - 01805736 _____ (Symantec Corporation) C:\Users\owner\Downloads\FixZeroAccess (1).exe
C:\$Recycle.Bin\S-1-5-21-1639554464-675732369-1436308505-1000
C:\Users\owner\AppData\Local\Google\Desktop\Install
C:\Program Files (x86)\Google\Desktop\Install
DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
CMD: netsh winsock reset
CMD: ipconfig /flushdns
End
2. Save the Notepad file as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.
3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.
-------- next --------
Please download ESET Services Repair tool, available here, and save it to your Desktop. Right click on it and select Run As Administrator, follow the prompts. It should reboot when it finishes. If not reboot it yourself.
http://kb.eset.com/library/ESET/KB%20Team%20Only/Malware/ServicesRepair.exe
Post the freshly created log reports here.
-------- next --------
Re-run FRST, just press the Scan button and post me the freshly created FRST.txt log.
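The policy values FRST flagged above (DisableTaskMgr, DisableRegistryTools and the NoDisp* entries) live under each user hive's Policies\System key and are a common way malware locks a user out of the tools they would use to investigate. The script below is an added example written for this thread, not part of FRST or the fixlist; it audits every loaded user hive for those values and, only when asked with -Remediate, removes them. It assumes an elevated PowerShell prompt and uses the value names exactly as they appear in the log.

```powershell
# Added audit example (not from the thread or from FRST).
# Assumptions: run elevated; only hives currently loaded under HKEY_USERS
# are visible, so users who are not logged on are not covered.
param([switch]$Remediate)

# Value names taken from the FRST log above; all sit under the same key.
$names = 'DisableTaskMgr', 'DisableRegistryTools', 'DisableChangePassword',
         'DisableLockWorkstation', 'NoDispCPL', 'NoDispSettingsPage',
         'NoDispScrSavPage', 'NoDispBackgroundPage', 'NoDispAppearancePage'

# PowerShell has no HKU: drive by default; map HKEY_USERS so we can walk it.
if (-not (Test-Path 'HKU:\')) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

$findings = foreach ($hive in Get-ChildItem 'HKU:\' -ErrorAction SilentlyContinue) {
    $key = "HKU:\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($n in $names) {
        $v = $props.$n
        # Any non-zero value enables the restriction; 0 or absent means off.
        if ($null -ne $v -and $v -ne 0) {
            [pscustomobject]@{ Hive = $hive.PSChildName; Name = $n; Value = $v; Key = $key }
        }
    }
}

if (-not $findings) {
    'No restriction policies set in any loaded user hive.'
    return
}

# Report first so the operator sees what was set before anything changes.
$findings | Format-Table Hive, Name, Value -AutoSize

if ($Remediate) {
    foreach ($f in $findings) {
        Remove-ItemProperty -Path $f.Key -Name $f.Name
        "Removed $($f.Name) from hive $($f.Hive)"
    }
}
```

Run it without switches first and compare the output with the FRST listing; a value set here that neither you nor a domain policy put in place is the kind of tampering the helper is asking about. The hive name shown is the SID (or, on a cleaned machine, nothing at all), so map it back to the account with whoami /user or the ProfileList key before deciding whose profile was touched.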
Very sorry, I’m slightly confused. I have your text copied and pasted into a blank Notepad and I saved it on the desktop as fixlist.txt. How do I get FRST in the same place? Copy and paste FRST into the same Notepad with fixlist? Then how do I run the FRST/FRST64? I really apologize for my lack of knowledge.
Or relaunch the Farbar program you had me initially download?
Ok, got it figured out. Here is the fixlog and I’ll post the rest of what you wanted. I’m getting it now.
You got it, that’s good.
Now run the Services Repair tool, allow the reboot and then post me a fresh FRST.txt log report.
Ran the Services Repair tool, the system rebooted and I’m back up, and as long as that program automatically saved it there, this should be it with the following attachment?
I see, I have to run a scan and give you new log, hang on, sorry!
This should be the correct and fresh scan! I guess I should have gone back and reread your original instructions. Let me know if this isn’t what you wanted.
Hi,
Just to let you know that we shall continue tomorrow. The rootkit has been neutralized and removed, so there is no reason to worry about it.
PS: If I do not give you my reply tomorrow, please bump this topic.
Cheers
Thank you very much for your patience and time!!! Have a good evening and I’ll chat with you tomorrow!
Hi
The posted log looks clean. There are no malware traces in the logs. We shall run the FSS tool to check whether the Services Repair tool did its job.
Please download Farbar Service Scanner and run it on the computer with the issue.
[*]Make sure the following options are checked:
[*]Internet Services
[*]Windows Firewall
[*]System Restore
[*]Security Center/Action Center
[*]Windows Update
[*]Windows Defender
[*]Press “Scan”.
[*]It will create a log (FSS.txt) in the same directory the tool is run.
[*]Please copy and paste the log to your reply.
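FSS checks that the services behind the listed areas (networking, Windows Firewall, System Restore, Security Center, Windows Update, Windows Defender) still exist and are in a sane state, because ZeroAccess is known for deleting or disabling exactly these. The script below is an added example written for this thread, not FSS's own logic or output; it checks a list of real Windows 7 service names that I chose to match the FSS options above, and reports anything missing, disabled, or not running when it should be.

```powershell
# Added example (not from the thread, not FSS). Service names are the real
# Windows 7 ones; the list and expected start modes are my assumption of what
# a healthy machine looks like, grouped by the FSS options above.
$expected = @{
    'Dhcp'      = 'Auto'    # DHCP Client            (Internet Services)
    'Dnscache'  = 'Auto'    # DNS Client             (Internet Services)
    'nsi'       = 'Auto'    # Network Store Interface(Internet Services)
    'BFE'       = 'Auto'    # Base Filtering Engine  (Windows Firewall)
    'MpsSvc'    = 'Auto'    # Windows Firewall       (Windows Firewall)
    'VSS'       = 'Manual'  # Volume Shadow Copy     (System Restore)
    'swprv'     = 'Manual'  # Shadow Copy Provider   (System Restore)
    'wscsvc'    = 'Auto'    # Security Center        (Security Center)
    'wuauserv'  = 'Auto'    # Windows Update         (Windows Update)
    'WinDefend' = 'Auto'    # Windows Defender       (Windows Defender)
}

# Win32_Service works on Windows 7 / PowerShell 2, unlike Get-Service's StartType.
$present = @{}
Get-WmiObject Win32_Service | ForEach-Object { $present[$_.Name] = $_ }

$report = foreach ($name in $expected.Keys | Sort-Object) {
    $svc = $present[$name]
    if ($null -eq $svc) {
        # The service key is gone entirely; this is what Services Repair recreates.
        [pscustomobject]@{ Service = $name; Status = 'MISSING'; StartMode = '-'; Note = 'service not registered' }
        continue
    }
    $note = ''
    if ($svc.StartMode -eq 'Disabled') {
        $note = 'disabled (expected ' + $expected[$name] + ')'
    } elseif ($expected[$name] -eq 'Auto' -and $svc.State -ne 'Running') {
        $note = 'should be running'
    } elseif ($svc.StartMode -ne $expected[$name]) {
        $note = 'unexpected start mode (expected ' + $expected[$name] + ')'
    }
    [pscustomobject]@{ Service = $name; Status = $svc.State; StartMode = $svc.StartMode; Note = $note }
}

$report | Format-Table -AutoSize
$problems = @($report | Where-Object { $_.Note -ne '' })
"$($problems.Count) service(s) need attention."
```

A clean result here lines up with what FSS prints for the same options; a MISSING or disabled line after the repair tool has run means the repair did not take, and that service's registry key under HKLM\SYSTEM\CurrentControlSet\Services is the place to look next. The expected start modes are deliberately conservative: Windows Update shows as Auto in WMI even when it is configured as delayed start, so that case is not flagged.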
Hello, Here is the FSS scan log you requested. Thanks for getting back to me.