My friend’s computer was not properly protected for an extended period (expired Norton). I cleaned a lot of malware (trojans, etc.) with Malwarebytes and Avast. Sirefef-AIO rears its ugly head whenever we try to access the internet. Avast keeps sending it to the chest, unsuccessful at fully eliminating it. Malwarebytes quick scan shows no infection now. I am attaching OTL logs and posting aswMBR. Your help will be much appreciated. I tried posting earlier, but apparently messed up with my logs. - Momof5cats
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org
Database version: v2012.08.30.06
Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Bob :: WINSTON [administrator]
8/30/2012 6:43:26 PM
mbam-log-2012-08-30 (18-43-26).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 229923
Time elapsed: 11 minute(s), 22 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32 (Trojan.Zaccess) → Quarantined and deleted successfully.
Registry Values Detected: 2
HKCU\SOFTWARE\CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32| (Trojan.Zaccess) → Data: C:\Users\Bob.winston\AppData\Local\{41eb14cc-e518-0405-7a6b-b2c96fb04f0e}\n. → Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|{0BEC2BD7-23BB-03D7-164A-004C7B38A62D} (Trojan.ZbotR.Gen) → Data: C:\Users\Bob.winston\AppData\Roaming\Ahy\inykhy.exe → Quarantined and deleted successfully.
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 2
C:\Users\Bob.winston\AppData\Local\Temp\5772.sys (Rootkit.RLoader.Gen) → Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\AV7\Antivirus7.lnk (Rogue.Antivirus7) → Quarantined and deleted successfully.
(end)
Latest Malwarebytes scan was clean.
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-09-02 12:47:17
12:47:17.317 OS Version: Windows 6.1.7601 Service Pack 1
12:47:17.317 Number of processors: 2 586 0x1C02
12:47:17.332 ComputerName: WINSTON UserName: Bob
12:48:02.612 Initialize success
12:48:03.579 AVAST engine defs: 12083001
12:48:13.734 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-0
12:48:13.750 Disk 0 Vendor: WDC_WD16 13.0 Size: 152627MB BusType: 3
12:48:13.766 Disk 0 MBR read successfully
12:48:13.766 Disk 0 MBR scan
12:48:13.797 Disk 0 unknown MBR code
12:48:13.828 Disk 0 Partition 1 00 07 HPFS/NTFS NTFS 140769 MB offset 2048
12:48:13.890 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 11654 MB offset 288296960
12:48:13.922 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 201 MB offset 312164352
12:48:13.953 Disk 0 scanning sectors +312576000
12:48:14.015 Disk 0 scanning C:\Windows\system32\drivers
12:48:34.801 Service scanning
12:48:57.516 Service Wdf01000 C:\Windows\system32\drivers\Wdf01000.sys LOCKED 32
12:48:59.795 Modules scanning
12:49:06.657 Disk 0 trace - called modules:
12:49:06.704 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys >>UNKNOWN [0x8518b0b1]<<
12:49:06.720 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x84e523e0]
12:49:06.735 3 CLASSPNP.SYS[86a4c59e] → nt!IofCallDriver → \Device\Ide\IAAStorageDevice-0[0x84414028]
12:49:07.593 AVAST engine scan C:\Windows
12:49:10.807 AVAST engine scan C:\Windows\system32
12:51:09.651 File: C:\Windows\system32\services.exe INFECTED Win32:Sirefef-AIO [Rtk]
12:52:36.602 AVAST engine scan C:\Windows\system32\drivers
12:52:55.230 AVAST engine scan C:\Users\Bob.winston
13:57:15.738 AVAST engine scan C:\ProgramData
14:01:57.086 Scan finished successfully
14:29:59.074 Disk 0 MBR has been saved successfully to “E:\Kathy\avast tools\MBR.dat”
14:30:00.120 The log file has been saved successfully to “E:\Kathy\avast tools\aswMBR log1.txt”
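The two logs above carry the indicators a responder would pull out by hand: a per-user COM CLSID InprocServer32 override whose data points into AppData (the ZeroAccess/Sirefef loader technique MBAM labels Trojan.Zaccess), and an aswMBR disk-stack trace with an UNKNOWN module plus an infected services.exe. The script below is an added example, not part of the original post and not code from Malwarebytes or AVAST: it parses the detection line formats as they appear in the posted logs and assigns severities of my own choosing. The SAMPLE_* strings are constructed excerpts of those logs with the backslashes the forum rendering dropped restored; the regexes assume the "->" separator MBAM writes (the "→" seen above is normalized back).

```python
"""Triage helper for Malwarebytes Anti-Malware (MBAM) and aswMBR text logs.

Added example; not part of the original forum post and not code from
Malwarebytes or AVAST. Line formats are taken from the two logs posted above;
the SAMPLE_* strings are constructed excerpts of them.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# MBAM detection line:  <item> (<family>) -> [Data: <data> -> ]<action>
MBAM_LINE = re.compile(
    r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?:Data: (?P<data>.+?) -> )?(?P<action>.+)$"
)
# Per-user COM override: HKCU\Software\Classes\CLSID\{GUID}\InprocServer32
# (ZeroAccess/Sirefef uses this to get its payload loaded; the "\\?" tolerates
# a backslash eaten by forum rendering, the "\|?" the value-line suffix).
COM_HIJACK_KEY = re.compile(
    r"^HKCU\\SOFTWARE\\CLASSES\\CLSID\\?\{[0-9A-F-]+\}\\INPROCSERVER32\|?$", re.I
)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)

# aswMBR lines of interest
ASW_INFECTED = re.compile(r"^\d\d:\d\d:\d\d\.\d+ File: (?P<path>.+?) INFECTED (?P<name>.+)$")
ASW_UNKNOWN_MOD = re.compile(r">>UNKNOWN \[(?P<addr>0x[0-9A-Fa-f]+)\]<<")
ASW_MBR = re.compile(r"Disk (?P<disk>\d+) unknown MBR code")


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" | "medium" | "info"  (labels chosen for this example)
    source: str     # "mbam" | "aswmbr"
    detail: str


def _normalize(text: str) -> list[str]:
    # Forum/markdown rendering often turns MBAM's "->" into "→"; undo that.
    return [ln.replace("→", "->").strip() for ln in text.splitlines() if ln.strip()]


def parse_mbam(text: str) -> list[dict]:
    """Return one dict (item, family, data, action) per MBAM detection line."""
    out = []
    for ln in _normalize(text):
        m = MBAM_LINE.match(ln)
        if m:
            d = m.groupdict()
            # MBAM ends the Data clause with a period; the ZeroAccess file is literally "n".
            d["data"] = d["data"].rstrip(".") if d["data"] else None
            out.append(d)
    return out


def flag_mbam(detections: list[dict]) -> list[Finding]:
    """Rate MBAM detections: COM hijack into a user-writable dir is the loud one."""
    findings = []
    for d in detections:
        if COM_HIJACK_KEY.match(d["item"]):
            target = d["data"]
            if target and USER_WRITABLE.search(target):
                findings.append(Finding("high", "mbam",
                    f"per-user CLSID InprocServer32 override loads {target} ({d['family']})"))
            else:
                findings.append(Finding("medium", "mbam",
                    f"per-user CLSID InprocServer32 override: {d['item']} ({d['family']})"))
        elif d["family"].startswith("Rootkit.") or "Run|" in d["item"]:
            findings.append(Finding("medium", "mbam", f"{d['family']}: {d['item']}"))
    return findings


def parse_aswmbr(text: str) -> list[Finding]:
    """Pull infected files, hooked disk-stack modules and non-standard MBR notes."""
    findings = []
    for ln in _normalize(text):
        if m := ASW_INFECTED.search(ln):
            sev = "high" if m["path"].lower().startswith(r"c:\windows\system32") else "medium"
            findings.append(Finding(sev, "aswmbr", f"{m['path']} infected: {m['name']}"))
        elif m := ASW_UNKNOWN_MOD.search(ln):
            findings.append(Finding("high", "aswmbr",
                f"disk I/O stack contains unknown (hooked) module at {m['addr']}"))
        elif m := ASW_MBR.search(ln):
            findings.append(Finding("info", "aswmbr",
                f"disk {m['disk']}: non-standard MBR code, compare against saved MBR.dat"))
    return findings


def triage(mbam_text: str, aswmbr_text: str) -> list[Finding]:
    """Combine both logs, highest severity first (stable within a severity)."""
    order = {"high": 0, "medium": 1, "info": 2}
    found = flag_mbam(parse_mbam(mbam_text)) + parse_aswmbr(aswmbr_text)
    return sorted(found, key=lambda f: order[f.severity])


# Constructed excerpts of the posted logs (backslashes restored).
SAMPLE_MBAM = r"""
Registry Keys Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32 (Trojan.Zaccess) -> Quarantined and deleted successfully.
Registry Values Detected: 2
HKCU\SOFTWARE\CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32| (Trojan.Zaccess) -> Data: C:\Users\Bob.winston\AppData\Local\{41eb14cc-e518-0405-7a6b-b2c96fb04f0e}\n. -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|{0BEC2BD7-23BB-03D7-164A-004C7B38A62D} (Trojan.ZbotR.Gen) -> Data: C:\Users\Bob.winston\AppData\Roaming\Ahy\inykhy.exe -> Quarantined and deleted successfully.
Files Detected: 2
C:\Users\Bob.winston\AppData\Local\Temp\5772.sys (Rootkit.RLoader.Gen) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\AV7\Antivirus7.lnk (Rogue.Antivirus7) -> Quarantined and deleted successfully.
"""

SAMPLE_ASWMBR = r"""
12:48:13.797 Disk 0 unknown MBR code
12:49:06.657 Disk 0 trace - called modules:
12:49:06.704 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys >>UNKNOWN [0x8518b0b1]<<
12:51:09.651 File: C:\Windows\system32\services.exe INFECTED Win32:Sirefef-AIO [Rtk]
12:52:36.602 AVAST engine scan C:\Windows\system32\drivers
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_MBAM, SAMPLE_ASWMBR):
        print(f"[{f.severity:<6}] {f.source}: {f.detail}")
```

Run against the excerpts, the highest-rated findings are the HKCU CLSID override pointing at the `...\AppData\Local\{GUID}\n` file, the unknown module in the disk I/O chain, and the infected `services.exe`; together those three say that quarantining the files MBAM found did not remove the kernel-level component, which is why a clean MBAM quick scan and a still-infected aswMBR result are not contradictory. The "unknown MBR code" note is rated informational because aswMBR also prints it for legitimate non-standard boot code; the saved MBR.dat is what to compare.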