win32:Access-PB and Win32:Sirefef-ZT AVAST can't kill them

Hi …thanks for answering me in the other topic about Win32:Sirefef-ZT … i have done what you’ve told me … here’s the logs … i hope i did the operations in the right way … waiting for your answer … i thank you a lot anyway !!! ( avast still finds Win32:malware-gen Win32:ZAccess-Pb and the infamous Siref-ZT … )

OK, let’s now stop the alerts ;D

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:OTL
IE - HKU\S-1-5-21-658861872-1817046502-3745608819-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1:9421;<local>;*.local
O3 - HKLM\..\Toolbar: (facemoods Toolbar) - {DB4E9724-F518-4dfd-9C7C-78B52103CAB9} - C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.11\facemoodsTlbr.dll (facemoods.com)
O4 - HKLM..\Run: [facemoods] C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.11\facemoodssrv.exe (facemoods.com)
[2013/04/11 18:17:27 | 000,004,608 | -HS- | M] () -- C:\Windows\assembly\GAC_32\Desktop.ini
[2013/04/11 18:17:27 | 000,006,144 | -HS- | M] () -- C:\Windows\assembly\GAC_64\Desktop.ini
@Alternate Data Stream - 1091 bytes -> C:\ProgramData\Microsoft:lGwjHGuGP5sIVHeC3To
@Alternate Data Stream - 1031 bytes -> C:\Program Files\Common Files\Microsoft Shared:tNAo70ABJfdirm2caOmg9aF4
@Alternate Data Stream - 1013 bytes -> C:\ProgramData\Microsoft:aYtF6Tz488h6LylB73eI

:Files
C:\Windows\Installer\{6788e4de-f9d8-4b5e-e55d-69d948d75a62}

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

i don’t know if the FSS log could be useful too …

sorry for the very stupid question …could i do the first step now and the second tomorrow morning …or it’s better to do all in the same time ?

Best to do both together (well one after the other that is)

hi …yesterday i did nothing…this morning i was going to do all the things you wrote to me…but…there is a problem… the machine starts windows and all …but it could not start it totally … i mean …all seems right…desktop…and stuff like this…but…i can’t do nothing…i mean… it seems there is something takes long long long time to do what it have to do …sorry for my really specific language :)… i say …if i try to open something or start an application …the machine does nothing…i mean…it seems the processes could not start properly …it continues to charge something it seems need a lot of time to be done …or maybe it’s just blocked …i don’t know …now i’m just waiting … i’m touching nothing …just waiting…now i’m on my laptop …thanks a lot for your time … it could be about avast scan i programmed at windows start ? …

i’m sorry if i’m being a little anxious about this problem …i don’t want to bother you …but i work as 3d model and animation artisan … and as illustrator …i have , as i think all the people in this forum …i know , a lot of work to do …with really close deadline …could you tell me if it could be dangerous for my data ? … sorry again for my stupid questions … in all those years i have worked with pc …i work with really hard to understand software…like autodesk maya…but…pc…it still seems to me something like a vengeful god i have to fear and respect … :) …another way to tell you i really can’t understand how it works …

ok…i waited…now the machine works …always the same old precious advice from avast about those trojans…now i’m going to start all the operations you courteously wrote me … I made a little sacrificial altar on the desk … my cats are starting to get nervous :)

ok …i paste the script on OTL but when i run fix … the screen became blue and it says that an error occurred …now finally from avast help they answer me to do something that lets avast itself to kill the viruses … they say something like restore system configuration …and then run avast scan again … could i now do this kind of try or it can be useless or dangerous ?

now all seem quiet on the desktop front… windows start …a lot of time needs …but it start … now two new files …desktop.ini appears on the desktop …cats are still nervous … i take the holy knife … :)

ok…i’m going ahead with combo fix … now it’s working … after otm fix with script and that sudden blue video error from windows …windows took a lot of time to restart …but at the 3rd time it went ok … i delete the very first application …that malware anti malware or stuff like that …it was still running … and now…as i wrote … combo fix is working … i hope it’ll be ok … ah …now it seems there’s no internet connection …i have a lan connection … so it’s not a modem problem … i think…

Combofix will stop the internet whilst it is cleaning so that the malware cannot call for reinforcements

ok but it didn’t work before combo fix was running … another question …combo fix start work about 2 hours ago …or more …and it seems stalled … i did touch nothing at all…

Is the stage counter progressing ?

no …

it is stalled exactly at the point i can see in the image you posted me …after the two line with destination folder etc.

output folder …i mean …mine is in italian …sorry

OK … Stop combofix and then let’s try this other programme … Just as effective

  • Download RogueKiller and save it on your desktop.

NOTE: If using IE8 or better Smartscreen Filter will need to be disabled

  • Quit all programs
  • Start RogueKiller.exe.
  • Wait until Prescan has finished …
  • Click on Scan

https://dl.dropbox.com/u/73555776/RKScan.GIF

  • Wait for the end of the scan.
  • The report has been created on the desktop.
  • Click on the Delete button.

https://dl.dropbox.com/u/73555776/RKDelete.GIF

  • The report has been created on the desktop.

  • Next click on the ShortcutsFix

https://dl.dropbox.com/u/73555776/RKFixShortcuts.GIF

  • The report has been created on the desktop.

Please post: All RKreport.txt text files located on your desktop.

please tell me only this : it could be dangerous for my data ? and why now windows take a lot to start ?

now tell me windows is not authentic …but it’s not true !!! … why ?