Win32:sirefef-AO [Rtk]

Avast has picked up a threat from Win32:sirefef-AO and has moved it to the chest. It says that no further action is required, but it keeps recurring every 5 or 10 minutes. I have run a full system scan. Do I need to do something else? Thanks in advance for any help.
Alan

follow this guide http://forum.avast.com/index.php?topic=53253.0
attach (not copy and paste) Malwarebytes / OTL / aswMBR logs

Hi alanreid,

Note that the web address is not included. You may wish to remove that so as to not get spam in the future. Just saying. At the moment there are 75 webspiders (1 hidden) on this site alone, so…

Attached is the log from Malwarebytes.

And thanks for the advice mchain :wink:

You’re welcome.

You should know that until the logs from OTL and aswMBR.exe are attached, there is not much a malware expert can do for you. The reason for asking for the logs is so that we can see what the malware is, where it is, and how best to proceed with a strategy to remove without causing further damage to your system. Anytime an infection such as this happens, there will be some damage, but the expert you will be working with can almost always help you get any remaining issues fixed.

This is a case where a solution will be proposed, and you will run the proposed solution using the programs suggested, and proceed until given the all clear by the expert assisting you. As you say, you have a rootkit present on your system, but this removal process requires expert guidance to cleanly and completely remove. :slight_smile:

Here are the requested logs. (Attached)

Monitoring

I see that you have run ComboFix. Attach ComboFix.txt from C:\ here.

Also, please read this:
http://www.bleepingcomputer.com/forums/topic273628.html

Combofix.txt attached

OK, delete the current ComboFix (aka 43434.exe).

Download fresh ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.

Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this Instruction.

How to disable avast:

[*]Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
[*]In the window that opens on the top right corner, click Settings.
[*]In a new window that opens, choose the option Troubleshooting, Uncheck Enable avast! self-defense, and click OK.

[*]Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls .
[*]In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn on this option after the cleaning.

Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note: Do not mouse-click ComboFix's window while it is running.

When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt)
Attach the log report (ComboFix.txt) back to the topic.

ComboFix log attached

Open Notepad and copy/paste the text present inside the code box below:

[code]
DirLook::
c:\windows\system32\Extensions
c:\windows\system32\searchplugins

FileLook::
c:\windows\system32\services.exe

KillAll::

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

File::
c:\progra~2\browse~1\22565~1.25\{16cdf~1\browse~1.dll
c:\progra~2\browse~1\22565~1.25\{16cdf~1\browsemngr.dll

Folder::
c:\windows\Installer\{18c8ecd3-b50d-209a-a339-1c3503a4b644}
c:\program files\BabylonToolbar
c:\users\New User\AppData\Roaming\Babylon
c:\programdata\Babylon
c:\users\New User\AppData\Roaming\Ybeh
c:\users\New User\AppData\Roaming\Maiha
c:\users\New User\AppData\Roaming\Veuseq

ClearJavaCache::

RegLock::
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[/code]

Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the log in your next reply. (typical location: C:\ComboFix.txt)

New Combofix log attached

Feel free to delete these folders:

c:\users\New User\AppData\Roaming\BabylonToolbar
c:\windows\system32\Extensions
c:\windows\system32\searchplugins

How is your computer running now?

It seems to be OK now. I have enabled Avast again and it has not come up with a threat alert in the last fifteen minutes or so.
I am very grateful indeed to you for your time and helpfulness. Very much appreciated. ;D
I will delete Combofix. It was not me who downloaded it - it may have been my teenage son but I will be having words with him about internet security. I’m so glad this has been fixed without any lasting damage. All credit to Avast for quarantining it and to you for helping me to get shot of it.
Many, many thanks.

You need to uninstall ComboFix, not just delete its icons.
Again, temporarily disable avast,

[*] Click Start (or http://amf.mycity.rs/pg/images/VistaStartButton.png ) then Run.

On Windows 7 or Vista you may use the Start Search field if Run is not available.

[*] In the line of text, type in (or copy) the following:

ComboFix /Uninstall

Note that there is a space between "ComboFix" and "/Uninstall".

[*] Then click OK (or press Enter).

Wait until the uninstall process is complete.

- Enable avast.

Re-run OTL and click on the CleanUp! button.

Glad you have reached a successful outcome.

May I suggest you run the system for a day or so and let magna86 know how things are? If any trivial issues remain, please let him know that. If the all clear is given, but you notice something new, come back here for help.

ComboFix uninstalled. OTL CleanUp done. Rebooted and everything seems OK.
I’ll keep an eye on it and let you know if there are any issues.
Once again, many thanks for your help.