Win32:Sirefef-AHF in services.exe ... REMOVE/REPAIR???

Hello, since today I got the problem that my services.exe is infected by the Sirefef-AHF-Malware. I need help to clean my laptop of it. PLEASE HELP!
P.S.: Now I go o sleep but in around 9 hours I will reply.

Please attach your logs. (MBAM, OTL and aswMBR…!!)
Instructions: http://forum.avast.com/index.php?topic=53253.0

Thanks. The logs you wanted are here.
I also did a scan with the farbar scanner, because I know of the Sirefef-infection.

Malwarebytes-LOG:



Malwarebytes Anti-Malware (Test) 1.62.0.1300
www.malwarebytes.org

Datenbank Version: v2012.08.23.02

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Christin :: CHRISTIN-PC [Administrator]

Schutz: Aktiviert

23.08.2012 09:12:28
mbam-log-2012-08-23 (09-12-28).txt

Art des Suchlaufs: Quick-Scan
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 191179
Laufzeit: 3 Minute(n), 40 Sekunde(n)

Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 21
HKCR\CLSID{11111111-1111-1111-1111-110011341191} (PUP.GamePlayLab) → Erfolgreich gelöscht und in Quarantäne gestellt.
HKCR\TypeLib{44444444-4444-4444-4444-440044344491} (PUP.GamePlayLab) → Erfolgreich gelöscht und in Quarantäne gestellt.
HKCR\Interface{55555555-5555-5555-5555-550055345591} (PUP.GamePlayLab) → Erfolgreich gelöscht und in Quarantäne gestellt.
HKCR\CrossriderApp0003491.BHO.1 (PUP.GamePlayLab) → Erfolgreich gelöscht und in Quarantäne gestellt.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects{11111111-1111-1111-1111-110011341191} (PUP.GamePlayLab) → Erfolgreich gelöscht und in Quarantäne gestellt.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings{11111111-1111-1111-1111-110011341191} (PUP.GamePlayLab) → Erfolgreich gelöscht und in Quarantäne gestellt.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{11111111-1111-1111-1111-110011341191} (PUP.GamePlayLab) → Erfolgreich gelöscht und in Quarantäne gestellt.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy{11111111-1111-1111-1111-110011341191} (PUP.GamePlayLab) → Erfolgreich gelöscht und in Quarantäne gestellt.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved{11111111-1111-1111-1111-110011341191} (PUP.GamePlayLab) → Erfolgreich gelöscht und in Quarantäne gestellt.
HKCR\CLSID{5F906952-72AE-2CD6-3D6C-4AE1678418BE} (Trojan.BHO) → Erfolgreich gelöscht und in Quarantäne gestellt.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings{5F906952-72AE-2CD6-3D6C-4AE1678418BE} (Trojan.BHO) → Erfolgreich gelöscht und in Quarantäne gestellt.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{5F906952-72AE-2CD6-3D6C-4AE1678418BE} (Trojan.BHO) → Erfolgreich gelöscht und in Quarantäne gestellt.
HKCR\CrossriderApp0003491.BHO (PUP.GamePlayLab) → Erfolgreich gelöscht und in Quarantäne gestellt.
HKCR\CrossriderApp0003491.FBApi (PUP.CrossFire.Gen) → Erfolgreich gelöscht und in Quarantäne gestellt.
HKCR\CrossriderApp0003491.FBApi.1 (PUP.CrossFire.Gen) → Erfolgreich gelöscht und in Quarantäne gestellt.
HKCR\CrossriderApp0003491.Sandbox (PUP.CrossFire.Gen) → Erfolgreich gelöscht und in Quarantäne gestellt.
HKCR\CrossriderApp0003491.Sandbox.1 (PUP.CrossFire.Gen) → Erfolgreich gelöscht und in Quarantäne gestellt.
HKCU\SOFTWARE\Trymedia Systems (Adware.TryMedia) → Erfolgreich gelöscht und in Quarantäne gestellt.
HKCU\Software\Cr_Installer\3491 (Adware.GamePlayLab) → Erfolgreich gelöscht und in Quarantäne gestellt.
HKCU\SOFTWARE\INSTALLEDBROWSEREXTENSIONS\215 APPS (PUP.CrossFire.SA) → Erfolgreich gelöscht und in Quarantäne gestellt.
HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Live Security Platinum (Rogue.LiveSecurityPlatinum) → Erfolgreich gelöscht und in Quarantäne gestellt.

Infizierte Registrierungswerte: 1
HKCU\Software\InstalledBrowserExtensions\215 Apps|3491 (PUP.CrossFire.SA) → Daten: Vid-Saver → Erfolgreich gelöscht und in Quarantäne gestellt.

Infizierte Dateiobjekte der Registrierung: 0
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateien: 4
C:\Program Files (x86)\Vid-Saver\Vid-Saver.dll (PUP.GamePlayLab) → Erfolgreich gelöscht und in Quarantäne gestellt.
C:\Windows\System32\accessibillitycpl.dll (Trojan.Dropper) → Erfolgreich gelöscht und in Quarantäne gestellt.
C:\Windows\Installer{fd39dbd4-d839-1661-56f6-09c2146825c4}\U\00000008.@ (Trojan.Dropper.BCMiner) → Erfolgreich gelöscht und in Quarantäne gestellt.
C:\Windows\Installer{fd39dbd4-d839-1661-56f6-09c2146825c4}\U\trz372D.tmp (Rootkit.0Access) → Erfolgreich gelöscht und in Quarantäne gestellt.

(Ende)

Hi

Re-run OTL.exe.

[*]Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.

:OTL
O33 - MountPoints2\{2298df27-cf76-11e1-89d4-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{2298df27-cf76-11e1-89d4-806e6f6e6963}\Shell\AutoRun\command - "" = E:\setup.exe -- [2009.07.14 13:08:11 | 000,111,880 | R--- | M] (Microsoft Corporation)
O33 - MountPoints2\{393dae4d-d1b9-11e1-826a-e06995d59433}\Shell - "" = AutoRun
O33 - MountPoints2\{393dae4d-d1b9-11e1-826a-e06995d59433}\Shell\AutoRun\command - "" = F:\Setup.exe -- [2004.08.03 06:34:56 | 000,159,744 | R--- | M] (Adobe Systems Incorporated)
O33 - MountPoints2\{eea0d92e-e23a-11e1-b703-e06995d59433}\Shell - "" = AutoRun
O33 - MountPoints2\{eea0d92e-e23a-11e1-b703-e06995d59433}\Shell\AutoRun\command - "" = I:\AutoRun.exe -- [2011.03.15 17:27:21 | 000,148,320 | R--- | M] ()
O33 - MountPoints2\{eea0d93d-e23a-11e1-b703-e06995d59433}\Shell - "" = AutoRun
O33 - MountPoints2\{eea0d93d-e23a-11e1-b703-e06995d59433}\Shell\AutoRun\command - "" = I:\AutoRun.exe -- [2011.03.15 17:27:21 | 000,148,320 | R--- | M] ()

:files
C:\Windows\Installer\{fd39dbd4-d839-1661-56f6-09c2146825c4}
ipconfig /flushdns /c

:Commands
[purity]
[emptytemp]
[CLEARRESTOREPOINTS]
[EMPTYFLASH]
[EMPTYJAVA]
[Reboot] 

[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered; it will reboot the system when it is done and open notepad with logreport. Attach here that logreport.

Step2

Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.

Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this Instruction.

How to disable avast:

[*]Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
[*]In the window that opens on the top right corner, click Settings.
[*]In a new window that opens, choose the option Troubleshooting, Uncheck Enable avast! self-defense, and click OK.

[*]Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls .
[*]In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn on this option after the cleaning.

Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note:Do not mouse-click Combofix’s window while it is running.

When the tool is finished, it will produce a log report for you. (typical location: C:[b]ComboFix.txt[/b] )
Attach log reports ( ComboFix.txt) back to topic.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Thanks. I did the fixes.
Log of OTL is here.
The scan with Combofix didnt finish. At step 4 it didnt do anything anymore. So I rebooted the PC.
What to do?

[*] Please download BlitzBlank by emsisoft and save it to your desktop.

[*] Open Blitzblank.exe by double click on it.

[*] Click OK at the warning (and take note of it, this is a VERY powerful tool!).

[*] Click the Script tab and copy/paste the following text there:

DeleteFile:
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini

DeleteFolder:
C:\Windows\Installer\{fd39dbd4-d839-1661-56f6-09c2146825c4}

CopyFile:
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe C:\Windows\SysNative\services.exe

[*] Click Execute Now. Your computer will need to reboot in order to replace the files.
[*] When done, post me the report created by Blitzblank. you can find it at the root of the drive C:\

Wipe the ComboFix icon from the desktop and download a new ComboFix.
Re-run Combofix

Thanks! I did that. The log is here.

edit: With the newest Combofix I try now…

You can run ComboFix?

No. Its the same as before… after step 4 it doesnt do anything… :frowning:

edit: What I will do now: I will start Win in save mode and try to run Combofix then…
I will reply in half hour…

I will start Win in save mode and try to run Combofix then...

delete old Combofix icon and download fresh one

Hello back. YES! It did! Here’s the logfile…

Please download SystemLook from one of the links below and save it to your desktop.

http://jpshortstuff.247fixes.com/SystemLook.exe
http://images.malwareremoval.com/jpshortstuff/SystemLook.exe

Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double-click [b]SystemLook.exe[/b] to run it.
Copy the contents of the following codebox into the main textfield.
:filefind
*atapi.sys
Click the [b]Look [/b]button to start the scan.
[b]Note[/b]: The scan may take some time so please just let it do its work and be patient (or do something else unrelated to the computer).
When finished, a notepad window will open with the results of the scan. Please post the log. The log can also be found on your desktop entitled [b]SystemLook.txt[/b]

Thanks. Here is the logfile…

That looks fine so we need to gather some more information.

Go to Start > Run > type Notepad.exe and click OK to open Notepad.

Copy all of the text in the below Code box into Notepad.

cd C:\
dir/s atapi* > log.txt
log.txt 

In Notepad go to File > Save as, choose to save it to your desktop and name it event.bat

Now double click the event.bat file you just created and let it finish. Log file will be on your desktop.

Copy/Paste to forum.

Hmm…, I put the event.bat on the desktop (as you said,) but a logfile is not on desktop after I doubleclick on it…

You must wait some time.

Look at C:

Until now nothing…

[*] Re-run FSS.
[*] Under Search: type:
atapi.sys

[*] Press “SearchFiles”.
[] It will create a log (FSS.txt) in the same directory the tool is run.
[
] Please attach FSS.txt log to your reply.

Thanks. Here is the log…

OK,

d:\pida\# DOWNLOADS\ComboFix.exe

ComboFix must be on your desktop

Cut/Paste ComboFix to Desktop.

Disable Avast.

Open notepad and copy/paste the text present inside the code box below:

SkipFix::

DDS::
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT1269415

Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and refering to the picture above.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:[b]ComboFix.txt[/b] )