Win32:Sirefef-AIO [Rtk] rearing its ugly head

My friend’s computer was not properly protected for an extended period (expired Norton). I cleaned a lot of malware (trojans, etc.) with Malwarebytes and Avast. Sirefef-AIO rears its ugly head whenever we try to access the internet. Avast keeps sending it to the chest, unsuccessful at fully eliminating it. Malwarebytes quick scan shows no infection now. I am attaching OTL logs and posting aswMBR. Your help will be much appreciated. I tried posting earlier, but apparently messed up with my logs. -Momof5cats

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.30.06

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Bob :: WINSTON [administrator]

8/30/2012 6:43:26 PM
mbam-log-2012-08-30 (18-43-26).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 229923
Time elapsed: 11 minute(s), 22 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32 (Trojan.Zaccess) → Quarantined and deleted successfully.

Registry Values Detected: 2
HKCU\SOFTWARE\CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32| (Trojan.Zaccess) → Data: C:\Users\Bob.winston\AppData\Local\{41eb14cc-e518-0405-7a6b-b2c96fb04f0e}\n. → Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|{0BEC2BD7-23BB-03D7-164A-004C7B38A62D} (Trojan.ZbotR.Gen) → Data: C:\Users\Bob.winston\AppData\Roaming\Ahy\inykhy.exe → Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Users\Bob.winston\AppData\Local\Temp\5772.sys (Rootkit.RLoader.Gen) → Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\AV7\Antivirus7.lnk (Rogue.Antivirus7) → Quarantined and deleted successfully.

(end)

Latest Malwarebytes scan was clean.

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-09-02 12:47:17

12:47:17.317 OS Version: Windows 6.1.7601 Service Pack 1
12:47:17.317 Number of processors: 2 586 0x1C02
12:47:17.332 ComputerName: WINSTON UserName: Bob
12:48:02.612 Initialize success
12:48:03.579 AVAST engine defs: 12083001
12:48:13.734 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-0
12:48:13.750 Disk 0 Vendor: WDC_WD16 13.0 Size: 152627MB BusType: 3
12:48:13.766 Disk 0 MBR read successfully
12:48:13.766 Disk 0 MBR scan
12:48:13.797 Disk 0 unknown MBR code
12:48:13.828 Disk 0 Partition 1 00 07 HPFS/NTFS NTFS 140769 MB offset 2048
12:48:13.890 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 11654 MB offset 288296960
12:48:13.922 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 201 MB offset 312164352
12:48:13.953 Disk 0 scanning sectors +312576000
12:48:14.015 Disk 0 scanning C:\Windows\system32\drivers
12:48:34.801 Service scanning
12:48:57.516 Service Wdf01000 C:\Windows\system32\drivers\Wdf01000.sys LOCKED 32
12:48:59.795 Modules scanning
12:49:06.657 Disk 0 trace - called modules:
12:49:06.704 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys >>UNKNOWN [0x8518b0b1]<<
12:49:06.720 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x84e523e0]
12:49:06.735 3 CLASSPNP.SYS[86a4c59e] → nt!IofCallDriver → \Device\Ide\IAAStorageDevice-0[0x84414028]
12:49:07.593 AVAST engine scan C:\Windows
12:49:10.807 AVAST engine scan C:\Windows\system32
12:51:09.651 File: C:\Windows\system32\services.exe INFECTED Win32:Sirefef-AIO [Rtk]
12:52:36.602 AVAST engine scan C:\Windows\system32\drivers
12:52:55.230 AVAST engine scan C:\Users\Bob.winston
13:57:15.738 AVAST engine scan C:\ProgramData
14:01:57.086 Scan finished successfully
14:29:59.074 Disk 0 MBR has been saved successfully to “E:\Kathy\avast tools\MBR.dat”
14:30:00.120 The log file has been saved successfully to “E:\Kathy\avast tools\aswMBR log1.txt”
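As an added triage helper (not from the thread, Malwarebytes or aswMBR), this Python script pulls the Sirefef/ZeroAccess indicators out of the two log formats above: the InprocServer32 value hijacked into an AppData folder, the dropped .sys driver, the locked service, the infected services.exe and the non-standard MBR code. The sample lines are constructed from the posted logs.

```python
import re

# Added example (not from the thread or either tool): pulls the Sirefef/ZeroAccess
# indicators the thread turns on out of Malwarebytes and aswMBR log text.
# Sample lines are constructed from the logs posted above.
SAMPLE_LOG = r"""
HKCU\SOFTWARE\CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32| (Trojan.Zaccess) -> Data: C:\Users\Bob.winston\AppData\Local\{41eb14cc-e518-0405-7a6b-b2c96fb04f0e}\n. -> Quarantined and deleted successfully.
C:\Users\Bob.winston\AppData\Local\Temp\5772.sys (Rootkit.RLoader.Gen) -> Quarantined and deleted successfully.
12:48:13.797 Disk 0 unknown MBR code
12:48:57.516 Service Wdf01000 C:\Windows\system32\drivers\Wdf01000.sys LOCKED 32
12:51:09.651 File: C:\Windows\system32\services.exe INFECTED Win32:Sirefef-AIO [Rtk]
"""

# Malwarebytes: "<path> (<family>) [-> Data: <value>] -> <action>"
MBAM_RE = re.compile(r"^(?P<path>(?:[A-Z]:\\|HK[A-Z]{2}\\).+?) \((?P<family>[^)]+)\)"
                     r"(?: -> Data: (?P<data>.+?))? -> (?P<action>.+)$")
# aswMBR: "HH:MM:SS.mmm <message>"
ASWMBR_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d{3} (?P<msg>.+)$")
# A COM InprocServer32 that lives under a user profile is the classic ZeroAccess hijack.
PROFILE_DIR_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)


def triage(log_text: str) -> list[str]:
    """Return one finding per indicator, in the order the lines appear."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip().replace("\u2192", "->")  # forum rendering uses a Unicode arrow
        m = MBAM_RE.match(line)
        if m:
            path, family, data = m["path"], m["family"], m["data"] or ""
            if "INPROCSERVER32" in path.upper() and PROFILE_DIR_RE.search(data):
                findings.append(f"CLSID hijack ({family}): {path} -> {data}")
            elif path.lower().endswith(".sys") or family.startswith("Rootkit"):
                findings.append(f"driver/rootkit component ({family}): {path}")
            continue
        m = ASWMBR_RE.match(line)
        if not m:
            continue
        msg = m["msg"]
        if msg.startswith("File: ") and " INFECTED " in msg:
            findings.append("infected system file: " + msg[len("File: "):])
        elif msg.startswith("Service ") and " LOCKED " in msg:
            findings.append("locked service (possible rootkit hook): " + msg.split()[1])
        elif msg.endswith("unknown MBR code"):
            # Non-standard boot code: compare against the OEM's MBR before calling it a bootkit.
            findings.append("non-standard MBR code: " + msg)
    return findings
```

Run it over a saved mbam-log or aswMBR log file to get a short list of the lines worth acting on instead of reading the whole scan by hand.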

There may be some delay due to differing time zones and availability of the volunteer malware removal specialists.

Monitoring 8)

Hi,
I will be working on your Malware issues

Step#1

Re-run OTL.exe.

[*]Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.



:Services
txwtwsy

:Files
C:\Windows\System32\drivers\nygve.sys
C:\Windows\Installer\{41eb14cc-e518-0405-7a6b-b2c96fb04f0e}
C:\Users\Bob.winston\AppData\Local\{41eb14cc-e518-0405-7a6b-b2c96fb04f0e}
sc create BITS binpath= "c:\windows\system32\svchost.exe -k netsvcs" start= delayed-auto /c 
ipconfig /flushdns /c
autorun.inf /alldrives
autorun.exe /alldrives 
recycler /alldrives
$recycle.bin /alldrives

:Otl::
IE - HKLM\..\SearchScopes\{8B31050B-FBEC-48A3-A4A2-383DD49998BB}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
FF - prefs.js..browser.search.param.yahoo-fr: "moz2-ytff-"
FF - prefs.js..browser.search.param.yahoo-fr-cjkt: "moz2-ytff-"
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O3 - HKU\S-1-5-21-4289414161-2443910308-354529609-1000\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.
O33 - MountPoints2\{30583ed8-03bd-11df-92a0-002655cb0d42}\Shell - "" = AutoRun
O33 - MountPoints2\{30583ed8-03bd-11df-92a0-002655cb0d42}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
O33 - MountPoints2\E\Shell - "" = AutoRun
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a

:commands
[purity]
[CREATERESTOREPOINT]
[emptytemp]



[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered; it will reboot the system when it is done and open Notepad with a log report. Attach that log report here.


Step#2

Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.

Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this or this Instruction.

How to disable avast:

[*]Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
[*]In the window that opens on the top right corner, click Settings.
[*]In a new window that opens, choose the option Troubleshooting, Uncheck Enable avast! self-defense, and click OK.

[*]Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls .
[*]In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn on this option after the cleaning.

Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note: Do not mouse-click ComboFix’s window while it is running.
If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart computer once more.

When the tool is finished, it will produce a log report for you. (typical location: C:\[b]ComboFix.txt[/b] )
Attach log reports ( ComboFix.txt) back to topic.

Many thanks for taking on this case. Combofix has been running for over an hour. It may be locked up trying to move C:\Users\Bob.winston\AppData\Local\{41eb14cc-e518-0405-7a6b-b2c96fb04f0e

What do you recommend? -MC

Ok, feel free to stop ComboFix. Reboot your computer.

Download a fresh ComboFix and run it in safe mode.

Hi Magna86, I mistyped before. It was OTL that was hung up. It apparently hadn’t loaded the cmd to stop all processes. It ran successfully, although it didn’t finish after clearing temps. I did get a report on restart. I am attaching the OTL log. -MC

Here is the combofix log. I couldn’t post them in one message. MC

No problem. :smiley:

Download TDSSKiller and save it to your desktop

Execute [b]TDSSKiller.exe[/b] by double-clicking on it.

[*] Press Start Scan

[*] If Suspicious object is detected, the default action will be Skip, click on Continue.
[*] If Malicious objects are found, select Cure.

Once complete, a log will be produced at the root of the drive, which is typically C:\, for example [b]C:\TDSSKiller.<version_date_time>log.txt[/b]

Please post the contents of that log in your next reply.


Open notepad and copy/paste the text present inside the code box below:



FileLook::
C:\Qoobox\Quarantine\c\program files\HP\HPBTWD.exe.vir

ClearJavaCache::

RegLock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)


Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and, referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\[b]ComboFix.txt[/b] )


How is your computer running now? 8)

Hi Magna86, the computer is running much better. I am able to get online without AVAST having to block Sirefef. I am attaching the two logs. -MC

Open notepad and copy/paste the text present inside the code box below:



DeQuarantine::
C:\Qoobox\Quarantine\c\program files\HP
Quit::


Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and, referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\[b]ComboFix.txt[/b] )

Hi magna86, I dragged the file into ComboFix, as directed. I came back a short time later to find the DeQuarantine file, which I am posting. I then ran ComboFix again, to make sure scanning got done.

C:\Qoobox\Quarantine\c\program files\HP\HPBTWD.exe → C:\program files\HP\HPBTWD.exe
1 File(s) copied


You’re wrong that you did. Again create and repeat CFScript. Do not run ComboFix multiple times.

I am attaching the DeQuarantine file that was produced by ComboFix. It’s the same as last time.

Nice.
It is necessary to uninstall the ComboFix :

[*] Click Start (or the Windows Start orb), then Run.

On Windows7 or Vista you may use Start Search field if Run is not available.

[*] In the line of text type in (Copy) the following:

ComboFix /Uninstall

Note that there is a space between " ComboFix " and " /Uninstall " .

[*] then click OK (or press Enter ).

Wait until the uninstall process is complete.

How’s your computer running now?

Magna86, I have removed combofix as directed. Computer is running much better. One problem remains and is not a virus problem.

Security Update for Microsoft Office PowerPoint 2007 (KB2596912) is repeatedly trying to install and fails.

Error details: Code 8007066F

I am trying a Microsoft Fixit to see if that will resolve it. -MC

Good. If that doesn’t solve your problem, then download Farbar Service Scanner (FSS) and run it on the computer with the issue.

[*] Make sure that all options are checked.
[*] Press “Scan”.
[*] It will create a log (FSS.txt) in the same directory the tool is run from.
[*] Please attach the FSS.txt log to your reply.

Well, no big surprise. Fix It didn’t fix it. Here’s my FSS log.

This is not a malware-related issue. At the bottom of my message is a guide on how to uninstall OTL and remove the other tools: :wink:

For your security update, try Windows Repair:
Here is download link for that tool and guide:
http://forum.avast.com/index.php?topic=104556.msg837200#msg837200

In the run, check only:

Repair Windows Update
and
Repair MSI (Windows Installer)

See if fixed.

Anyway, that update…

Security Update for Microsoft Office PowerPoint

… is not system-update related and by itself is an update that is not so important.


Re-run OTL and click on CleanUp! button.

You will be asked to reboot the machine to finish the cleanup process, choose Yes.
After the reboot all the tools we used should be gone.
Note: Some more recently created tools may not yet be removed by OTL. Feel free to manually delete any tools it leaves behind.

OTL did a great job of uninstalling the tools.

I’m still having trouble that the powerpoint high security update fails to install. The error code 8007066F indicates that for some reason windows update can not locate the downloaded update. Their suggestions are here: http://support.microsoft.com/kb/958055