Win32:Sirefef-AO[RTL] & Win64:Sirefef-A[TrJ]

Hello, I'm new here, and I need help getting rid of the viruses listed in the title. I know one is a rootkit and the other one is a Trojan. I have Avast Antivirus (free one-year version), MalwareBytes, Comodo Firewall, and Sophos Virus Removal (I think it is like MalwareBytes). Now, can someone tell me how I can get rid of them? I had to put the Avast warning thing into gaming mode, or was it silent mode. This rootkit and Trojan appeared after Microsoft Security Essentials stopped working, along with the Microsoft updates. Avast, Malwarebytes and Sophos are picking it up with the same name and/or title.

Follow this guide and attach the logs... do not copy and paste them.
http://forum.avast.com/index.php?topic=53253.0

AdwCleaner
Malwarebytes
OTL
aswMBR

When done, the malware experts will be notified and will check your logs. It may take hours before one arrives, so be patient.

This is AdwCleaner.

P.S. How do you paste the MBAM log?

Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.12.20.10

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Owner :: OWNER-PC [administrator]

12/20/2012 3:26:13 PM
mbam-log-2012-12-20 (15-26-13).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 253558
Time elapsed: 5 minute(s), 5 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Windows\Installer\{79b4ade0-86a3-3e75-55f8-a79105d77739}\U\trz3201.tmp (Rootkit.0Access) → Quarantined and deleted successfully.

(end)

Wait, never mind what I said about MBAM.

OTL documents.

OK, let's get at it.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes, and you may lose the desktop and icons; they will return on reboot.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:OTL
IE - HKU\S-1-5-21-3367399483-3720647409-1122917799-1000\..\URLSearchHook: {50fafaf0-70a9-419d-a109-fa4b4ffd4e37} - No CLSID value found
FF - prefs.js..extensions.enabledAddons: yvszkhredt%40yvszkhredt.org:1.0
[2008/01/20 21:23:50 | 000,004,819 | ---- | M] () (No name found) -- C:\Users\Owner\AppData\Roaming\mozilla\firefox\profiles\f1yr7yx7.default\extensions\yvszkhredt@yvszkhredt.org.xpi
O3 - HKU\S-1-5-21-3367399483-3720647409-1122917799-1000\..\Toolbar\WebBrowser: (no name) - {50FAFAF0-70A9-419D-A109-FA4B4FFD4E37} - No CLSID value found.

:Files
C:\Windows\Installer\{79b4ade0-86a3-3e75-55f8-a79105d77739}
C:\Users\Owner\AppData\Local\{79b4ade0-86a3-3e75-55f8-a79105d77739}

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

  • Then click the Run Fix button at the top.
  • Let the program run unhindered, and reboot the PC when it is done.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install ComboFix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT!!! Save ComboFix.exe to your Desktop.

  • IMPORTANT: Disable your antivirus and anti-spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here.

  • Double click on ComboFix.exe and follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it will produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
  2. Do not "re-run" ComboFix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion, then reboot again; that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.
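The two paths the fix script above removes are the ZeroAccess drop locations that showed up in the logs: a `{GUID}` folder with a `U` subfolder under C:\Windows\Installer, and a same-named `{GUID}` folder under the user's AppData\Local. The PowerShell below is an added example, not part of this thread and not Essexboy's or any of the tools' own code, that lists those indicators read-only and asks SFC to verify services.exe (the file ComboFix later in the thread reports as infected). The "U" subfolder test and the pairing with AppData\Local are assumptions drawn only from the logs in this thread; run it from an elevated prompt and post what it finds rather than deleting anything by hand.

```powershell
# Added example, not from the thread. Read-only triage for the ZeroAccess
# indicators seen in the MBAM/OTL logs above. Run from an elevated prompt.

$guidName = '^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$'

# Assumption from the logs: a {GUID} folder with a "U" subfolder under
# \Windows\Installer, and a twin {GUID} folder under the user's AppData\Local.
$installer = Join-Path $env:WINDIR 'Installer'
$localApp  = $env:LOCALAPPDATA

$suspects = @()
Get-ChildItem -Path $installer -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer -and $_.Name -match $guidName } |
    ForEach-Object {
        $u = Join-Path $_.FullName 'U'
        # Genuine Windows Installer cache folders hold .msi/.msp files and have
        # no "U" subfolder; one that does matches what the logs above showed.
        if (Test-Path $u) {
            $suspects += $_.FullName
            $twin = Join-Path $localApp $_.Name
            if (Test-Path $twin) { $suspects += $twin }
        }
    }

"== {GUID} folders matching the pattern in the logs =="
if ($suspects.Count -eq 0) { "none found" }
foreach ($dir in $suspects) {
    $dir
    # List contents including hidden/system entries; nothing is modified.
    Get-ChildItem -Path $dir -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object { "   {0,-20} {1,10} {2}" -f $_.Attributes, $_.Length, $_.FullName }
}

"== services.exe (the file ComboFix reported as infected) =="
$svc = Join-Path $env:WINDIR 'System32\services.exe'
Get-Item $svc | Select-Object FullName, Length, LastWriteTime | Format-List
# sfc /verifyfile checks a single file against the component store without
# repairing it; "did not find any integrity violations" means it matches.
& sfc.exe /verifyfile=$svc
```

The script deliberately only reports. On a live ZeroAccess infection the rootkit's own folder is protected (reparse points and restricted ACLs), which is why the thread routes deletion through OTL and ComboFix rather than Explorer.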

Finally, here is aswMBR.

Continue with OTL and ComboFix.

OTL part 2

After a while, when I start ComboFix it comes to a blue notepad saying:

"Administrator autorun
Scanning for infected files . . .
This typically doesn't take more than 10 minutes;
however, scanning badly infected files may sometimes take double"

Then a couple of minutes later a Microsoft window appeared and it said:

freeware implementation of XCACLS has stopped working

Also it showed another box saying that I'm disconnected from the Internet, but I'm not disconnected.

P.S. Sorry about the latter half of the post; I'm using the iPad to communicate on this forum.

OK, now a new message has appeared and it says:
"You are infected with Rootkit.ZeroAccess! It has inserted itself into the TCP/IP stack. This is a particularly difficult infection." The rest of the message says that if I can't access the Internet after ComboFix is done, then I should restart the computer.

OK, so what's next? I'd really like to turn Avast and Comodo Firewall back on.

First of all, I decided to turn on Avast and Comodo Firewall.
The good part: the random links when I used Google or Bing have stopped appearing, so I'm getting straight to the links that I'm clicking on; second, the mouse seems to have stopped jumping or leaping around. Avast is showing, with its popup message, that the computer is clean.

Weird part: another shortcut for Internet Explorer has appeared (I don't trust it).

Bad part: Windows Update has started to show up saying that there are updates, but when I update it fails. I think that's from when Microsoft Security Essentials stopped working. MSE is still giving the same error code, 0x80070424. I know how to fix it but don't have a USB to use to restore the back broad or something like that.

Essexboy, do you want me to do another scan with Malwarebytes and Avast?

"Infected copy of c:\windows\system32\Services.exe was found and disinfected"
This was the bad boy. Fixed.

"Weird part: another shortcut for Internet Explorer has appeared (I don't trust it)."
ComboFix put it there; you can delete it.

Reinstall MSE and see if that cures it.

Download and run Farbar Service Scanner.

http://i1224.photobucket.com/albums/ee362/Essexboy3/Farbar/FSS-1.jpg

Tick the "All" options.
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run from.

Please copy and paste the log into your reply.
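Farbar Service Scanner is used here because this class of infection deletes or disables the services that Windows Update, Windows Defender, the firewall and Security Center depend on; error 0x80070424 is ERROR_SERVICE_DOES_NOT_EXIST, which is exactly what a client sees when the service registry key is gone. The PowerShell below is an added example, not FSS itself and not code from this thread, that makes the same kind of read-only check. The service list is an assumption about which services matter for this case (they are all standard Windows service names), and the Winsock catalog dump at the end is the quickest way to eyeball the "inserted itself into the TCP/IP stack" message ComboFix printed.

```powershell
# Added example, not part of the thread: a rough, read-only stand-in for the
# service checks Farbar Service Scanner performs. Run from an elevated prompt.
# Written to stay within PowerShell 2.0 syntax, which is what Vista ships with.

# Assumed list of services to verify (short name, display name).
$expected = @(
    @('wuauserv',     'Windows Update'),
    @('BITS',         'Background Intelligent Transfer Service'),
    @('WinDefend',    'Windows Defender'),
    @('MpsSvc',       'Windows Firewall'),
    @('BFE',          'Base Filtering Engine'),
    @('SharedAccess', 'Internet Connection Sharing'),
    @('wscsvc',       'Security Center'),
    @('iphlpsvc',     'IP Helper'),
    @('Dhcp',         'DHCP Client'),
    @('Dnscache',     'DNS Client'),
    @('EventLog',     'Windows Event Log')
)

# Values of the Start registry value under each service key.
$startNames = @{ 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-ServiceState([string]$name) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    if (-not (Test-Path $key)) {
        # No key at all: OpenService() fails with 0x80070424 for any caller.
        return 'MISSING (key deleted; clients get 0x80070424)'
    }
    $props = Get-ItemProperty -Path $key
    $start = $startNames[[int]$props.Start]
    if (-not $start) { $start = "Start=$($props.Start)" }
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    $status = if ($svc) { $svc.Status } else { 'not visible to the SCM' }
    # ImagePath is where a hijacked service would be pointed at a rogue binary.
    return "$start, $status, ImagePath=$($props.ImagePath)"
}

'== service check =='
foreach ($pair in $expected) {
    '{0,-14} {1,-40} {2}' -f $pair[0], $pair[1], (Get-ServiceState $pair[0])
}

'== Winsock catalog: provider paths outside \Windows\system32 deserve a look =='
# Assumption: netsh labels each entry's DLL with a "Provider Path" line.
& netsh.exe winsock show catalog | Select-String -Pattern 'Provider Path'
```

A line reading MISSING, or a Start value of 4 on a service the poster never disabled, is the same information FSS.txt carries; a service that exists but whose ImagePath points somewhere other than %SystemRoot%\system32 is a separate finding worth including with the logs.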

Here's the FSS text.

Did MSE re-install properly?

Could you run the MS Fixit on this page: http://support.microsoft.com/kb/971058

Still getting the same error code for Microsoft Security Essentials (0x80070424), while Windows Update gets error code 80096001. Fixit says that Windows Update has been fixed, but nothing has been fixed. Not going to bother with this problem.

Use this... I have a fairly good success rate with it.

Download Windows Repair (All in One) from this site.

Install the programme, then run it.

https://dl.dropbox.com/u/73555776/waio%20start.JPG

Go to step 3 and allow it to run SFC.

https://dl.dropbox.com/u/73555776/waio%20step3.JPG

On the Start Repairs tab, click Start.

https://dl.dropbox.com/u/73555776/waiostart%20rep.JPG

Select the following items and tick "Restart system when finished".

https://dl.dropbox.com/u/73555776/waio%20rep%20list.JPG

It seems that worked, but only one update keeps failing, which is called:

Definition Update for Windows Defender - KB915597 (Definition 1.141.2350.0)

along with this message:

Error found:
Code 80240016 Windows Update is currently installing other updates. Please try again in a few minutes.

The link that it has for help is useless.

Never mind; re-installing Microsoft Security Essentials seems to have fixed it, by doing the update manually through MSE??? Now let's hope that tomorrow Avast will work perfectly and not pick up those 3 threats that are located in the Temporary Internet Files, and hope that the program from that other user works.