Win32:Sirefef and Win64:ZAccess won't leave...

Hello, I have tried to follow some of the guidelines suggested in the posts here and in other places, but it seems I cannot get rid of these two trojans, Win32:Sirefef and Win64:ZAccess.
I understand that I cannot run combofix without some guidance, since it has found and removed some things, but to no definite solution.
So, I ask some help from you!
I have then

  • uninstalled all AV programs (avast, malwarebytes)
  • restarted
  • installed and run Malwarebytes
  • restarted
  • run OTL (it’s written only one file)
  • run aswMBR

The logs are attached, thank you for your help.

Certified malware remover is notified :wink:

Hi, delete your current copy of ComboFix and download a fresh one to your desktop.

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\Windows\SysNative\Appn.dll
C:\Windows\SysNative\dds_trash_log.cmd

NetSvc::
asmagent

Driver::
asmagent

Save this as CFScript.txt, in the same location as ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Hello Essexboy, today while I was just executing the combofix script, the PC rebooted and installed 53 updates. Do you need a new malwarebytes and OTL scan? Since this is my work PC, I can do that only next Monday.

It does not hurt if you attach new logs…

No, Monday will do, as I will need to see the state of the system after all updates/removals.

OK, I did the scans again; the logs are attached. There is still the updates shield icon on the reboot button, I don’t know whether it was unsuccessful during the previous install or if they are new ones. I will try to avoid having them installed again.

Could you run the Combofix script again… But I would recommend that you let the updates install first, as they disrupted the last run.

So install the updates
Reboot
Run the Combofix script

Combofix run log attached. The ping process has not been spawned since reboot.

Well that then revealed some more bad boys - so time to kill

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
File::
c:\windows\system32\drivers\hmvxhcba.sys
c:\windows\system32\drivers\ilkamzpe.sys
c:\windows\system32\drivers\ilybubzk.sys
c:\windows\system32\drivers\meoudyye.sys
c:\windows\system32\drivers\noyjyeup.sys
c:\windows\system32\drivers\odnjuuaz.sys
c:\windows\system32\drivers\qfiwifdx.sys
c:\windows\system32\drivers\qvcfbuvn.sys
c:\windows\system32\drivers\rajmibcb.sys
c:\windows\system32\drivers\rvvokblh.sys
c:\windows\system32\drivers\sbkswweo.sys
c:\windows\system32\drivers\sdxvxfbb.sys
c:\windows\System32\Drivers\sepdrv3_1.sys
c:\windows\system32\drivers\ukhquazr.sys
c:\windows\system32\drivers\vhaumwfm.sys
c:\windows\system32\drivers\wdwhsigh.sys
c:\windows\system32\drivers\xzppwyym.sys
c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\duefy.exe

Driver::
hmvxhcba
ilkamzpe
ilybubzk
meoudyye
noyjyeup
odnjuuaz
qfiwifdx
qvcfbuvn
rajmibcb
rvvokblh
sbkswweo
sdxvxfbb
sepdrv3_1
ukhquazr
vhaumwfm
wdwhsigh
xzppwyym

Save this as CFScript.txt, in the same location as ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Hello, here is the result of the second scan with ComboFix. The PC looks good, no more ping spawned, and the Windows firewall is back.
However, I also did a couple of aswMBR scans, before and after rebooting, and something is still found.

Please wait for essexboy :slight_smile:

OK, let's kill that one now and see what remains.

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

If you have Malwarebytes 1.6 or better installed, please disable it for the duration of this run.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

:Files
ipconfig /flushdns /c
C:\Windows\assembly\temp\U

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

I did the OTL fix, then rebooted, then did the OTL scan, then also did an aswMBR scan. The logs are attached.
Now I have no ping process and no page redirects; however, to be on the safe side, I am not yet permanently attached to the network.

Could you now check it out online please, to confirm that the redirects and alerts have ceased. Once you are happy I will remove my tools.

Hello, I’ve been online all day and thought that no more problems were present. But a late evening scan with avast internet security showed an appn.dll and another thing, all in system32. However, there was no avast popup, so no consrv.dll re-creation, and no pings. Then I left for home; next Monday I can rescan and send a log.

Aye, could you run a fresh OTL scan please, using the following script:

netsvcs
%SYSTEMDRIVE%*.exe
/md5start
consrv.dll
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
C:\Windows\assembly\tmp\U*.* /s
Drives
CREATERESTOREPOINT
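
The CFScript and OTL fixes in this thread (the File::/NetSvc::/Driver:: lists, the :Files/:Commands block and the /md5start scan above) each target specific artifacts on this one machine. As an added example that is not part of the thread and is not code from ComboFix, OTL or aswMBR, the following read-only PowerShell triage script re-checks those same indicators on a Windows system: the named files and directories, driver files with eight random-looking lowercase letters, the service registrations behind them, the MD5 and signature status of the binaries the /md5start block lists, and any running ping.exe with its parent. The eight-lowercase-letter pattern and the file list are taken from this thread and are a heuristic, not a detection rule; the paths and the Authenticode check are assumptions about a 64-bit Windows 7-era system.

```powershell
# Added example, not from this thread or from ComboFix/OTL/aswMBR:
# read-only triage of the indicators named in the fixes above.
# Run in an elevated 64-bit Windows PowerShell (a 32-bit shell silently
# redirects System32 to SysWOW64, which is why the first CFScript used
# the SysNative alias). Reports only; removes nothing.

$sys32   = Join-Path $env:windir 'System32'
$drivers = Join-Path $sys32 'drivers'

function Get-Md5Hex([string]$Path) {
    # .NET MD5 so this also works on PowerShell 2.0 (no Get-FileHash there).
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { ($md5.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }
}

# 1. Files and directories named in the CFScript/OTL fixes (paths as posted).
Write-Output '== Named artifacts =='
$named = @(
    (Join-Path $sys32 'Appn.dll'),
    (Join-Path $sys32 'dds_trash_log.cmd'),
    (Join-Path $sys32 'consrv.dll'),
    (Join-Path $env:windir 'assembly\temp\U'),
    (Join-Path $env:windir 'assembly\tmp\U'),
    (Join-Path $env:SystemDrive 'Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\duefy.exe')
)
foreach ($p in $named) {
    if (Test-Path -LiteralPath $p) { "PRESENT  $p" } else { "absent   $p" }
}

# 2. Driver files with eight random-looking lowercase letters, the pattern of
#    the second CFScript. Heuristic only (assumption): a hit is a lead, so the
#    Authenticode status is printed next to it rather than treated as proof.
Write-Output '== Drivers with 8-letter names and no valid signature =='
$oddDrivers = @(Get-ChildItem -LiteralPath $drivers -Filter '*.sys' |
    Where-Object { $_.BaseName -cmatch '^[a-z]{8}$' })
foreach ($d in $oddDrivers) {
    $sig = Get-AuthenticodeSignature -LiteralPath $d.FullName
    if ($sig.Status -ne 'Valid') {
        '{0,-14} {1,-12} {2}' -f $d.Name, $sig.Status, $d.LastWriteTime
    }
}

# 3. Service registrations: asmagent from the first script plus any name
#    found in step 2 (the Driver:: entries in a CFScript are service names).
Write-Output '== Service entries =='
$svcNames = @('asmagent') + @($oddDrivers | ForEach-Object { $_.BaseName })
foreach ($n in $svcNames) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$n"
    if (Test-Path -LiteralPath $key) {
        $img = (Get-ItemProperty -LiteralPath $key).ImagePath
        "REGISTERED $n -> $img"
    }
}

# 4. MD5 and signature of the binaries the /md5start block asks OTL for.
#    Compare the MD5 with a known-good copy of the same Windows build; on
#    PowerShell 2.0 catalog-signed OS files can report NotSigned here, so
#    the status is a pointer, not a verdict. explorer.exe lives in %windir%.
Write-Output '== Core binaries =='
foreach ($f in 'consrv.dll', 'explorer.exe', 'winlogon.exe', 'userinit.exe', 'svchost.exe') {
    $dir  = if ($f -eq 'explorer.exe') { $env:windir } else { $sys32 }
    $path = Join-Path $dir $f
    if (Test-Path -LiteralPath $path) {
        $status = (Get-AuthenticodeSignature -LiteralPath $path).Status
        '{0,-13} {1} {2}' -f $f, (Get-Md5Hex $path), $status
    } else {
        "absent        $path"
    }
}

# 5. The ping.exe the poster kept seeing: list any instance with its parent,
#    since the parent is the process that actually needs looking at.
Write-Output '== Running ping.exe =='
Get-WmiObject Win32_Process -Filter "Name='ping.exe'" | ForEach-Object {
    $parent = Get-WmiObject Win32_Process -Filter "ProcessId=$($_.ParentProcessId)"
    '{0} (pid {1}) parent: {2} (pid {3}) cmd: {4}' -f $_.Name, $_.ProcessId,
        $parent.Name, $_.ParentProcessId, $_.CommandLine
}
```

This only reports; removal of a kernel driver or a registered service should still go through a tool that handles the reboot-time deletion, as the CFScript runs above did. A rootkit that hooks file enumeration can hide its driver from a script like this, which is why aswMBR (which reads the disk below the filesystem API) was used alongside the log-based tools in this thread.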

This morning I did another scan with avast internet security, after rebooting a couple of times, and nothing was found.
I have uninstalled it and done the OTL scan.
I am going to reinstall avast and keep my fingers crossed.
Thank you essexboy!

That looked good. If all is well tomorrow, let me know and I will remove my tools and tidy up.

Hello essexboy, no signs of infection in nearly two whole days of work. I believe it’s clean now!