Hi there - the name’s Jeff.
For quite a while, now, ive been getting messages every few minutes from avast! telling me a series of Trojans have been blocked from C:/Windows/Installer. They state something in regards to Win32: Sirefef-AOO and Win32:Malware-gen. The problem is the system cannont detect the files. This is a constant problem. Any help would be most appreciated!
For some reason, Im having problems attaching all the proper logs… any help would be great!
Hi,
You are infected with 0access rootkit. Attach requested logs for analysys:
::LOGS::
::LOGS:: (continued)
Hi,
Do you getting malware removal help elsewhere?
No… i posted a topic back in February and hadnt made attempts until now to correct problem. Access to internet was scarce. I followed the advice given in that topic and spent this morning running all the scans and saving the logs.
Ok. aswMBR shows heavily infected masnine. We need to use multiple powerfull tool to remove that…
Step#1
Download TDSSKiller and save it to your desktop
Execute [b]TDSSKiller.exe[/b] by doubleclicking on it.
[*] Press Start Scan
[*] If Suspicious object is detected, the default action will be Skip, click on Continue.
[*] If Malicious objects are found, select Cure.
Once complete, a log will be produced at the root drive which is typically C:\ ,for example, [b]C:\TDSSKiller.<version_date_time>log.txt[/b]
Please post the contents of that log in your next reply.
Step#2
Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.
Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this or this Instruction.
How to disable avast:
[*]Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
[*]In the window that opens on the top right corner, click Settings.
[*]In a new window that opens, choose the option Troubleshooting, Uncheck Enable avast! self-defense, and click OK.
[*]Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls .
[*]In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.
Note: Do not forget to turn on this option after the cleaning.
Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note:Do not mouse-click Combofix’s window while it is running.
If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart computer once more.
When the tool is finished, it will produce a log report for you. (typical location: C:[b]ComboFix.txt[/b] )
Attach log reports ( ComboFix.txt) back to topic.
Step#3
Please download zoek.exe and save it to your desktop.
[*] Close any open browsers.
[*] Temporarily disable your AntiVirus program. (If necessary)
If you are unsure how to do this please read this or this Instruction.
[*] Double click on zoek.exe to run the tool .
Please wait while the tool does not start…
[*] Copy the text present inside the code box below and paste it into the large window in the zoek tool:
autoclean;
services.exe;z
[*] Click on Run script button
Please wait until a logreport will open (this can be after reboot)
[*] Save notepad to your Desktop and attach here zoek-results.log
Note: It will also create a log in the C:\ directory named “zoek-results.log”
:LOGS:
bump
Hi,
Let’s run TDSSKiller’s deep check:
Re-run TDSSKiller then click on Change parameters.
[*] Put a checkmark beside loaded modules.
[*] A reboot will be needed to apply the changes. Do it.
TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
[*] Then click on Change parameters in TDSSKiller.
[*] Check all boxes then click OK.
[*] Click the Start Scan button.
[*] Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
A report will be created in your root directory, (usually C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”.
[*] Please attache the contents of that file here.
Re-run zoek.exe as you did before but use this script:
c:\windows\system32\Services.exe;i
{594fb1e9-78f1-b473-8a17-05170e13ca7c};z
jfmjfhklogoienhpfnppmbcbjfjnkonk;chr
filesrcm;
startupall;
autoclean;
Click on RunScript button … attach here fresh zoek log.
:LOGS:
(Could not add TDSS Killer Log because it was over 512K. I compressed it using WinZip but that file extension is not allowed on post. Suggestions? )
Hi,
I only need to see bottom in TDSSKiller log. The upper part is not necessary, I have it in first log. Please begen copy from Scan global to the end.
See example:
11:21:52.0019 8764 ================ Scan global ===============================
// ... some entries ... \\
11:21:52.0113 8764 ================ Scan MBR ==================================
// … some entries … \
11:21:52.0612 8764 ================ Scan VBR ==================================
// … some entries … \
11:21:52.0643 8764 ============================================================
11:21:52.0643 8764 Scan finished
11:21:52.0643 8764 ============================================================
11:21:52.0643 11436 Detected object count: x
11:21:52.0643 11436 Actual detected object count: x x = some number
// ... some file entries ... \\
Re-run zoek.exe as you did before but you will use this script:
C:\Users\Wilson\AppData\Local\Temp\3882C1FA-2822-4132-AEA7-869DBF37A456.exe;f
emptyalltemp;
Click on RunScript button. Attach here fresh zoek-results.txt log
:LOGS:
How’s your computer running now?
Seems to be running quite well… no pop-ups thusfar. crosses fingers
Your help has been most appreciated, Magna! I have learned an awful lot!
If I need anything else, I will seek you out.
It is necessary to uninstall ComboFix :
[*] Click Start (or
http://amf.mycity.rs/pg/images/VistaStartButton.png
) then Run.
On Windows7 or Vista you may use Start Search field if Run is not available.
[*] In the line of text type in (Copy) the following:
ComboFix /Uninstall
Note that there is a space between " ComboFix " and " /Uninstall " .
[*] then click OK (or press Enter ).
Wait for the uninstall process is complete.
Re-run OTL and click on CleanUp! button.
You will be asked to reboot the machine to finish the cleanup process, choose Yes.
After the reboot all the tools we used should be gone.
Note: Some more recently created tools may not yet be removed by OTL. Feel free to manually delete any tools it leaves behind.
I recommended to keep Malwarebytes and to use MCShield if you will.
You may download MCShield from one of the following links:
MyCity - Official download link
Softpedija - Mirror download link
It will prevent infection by computer via USB flash drive, mobile phone or any other memory card.
And not only will prevent infection, but it will immediately clean flash drive, memory card or external HDD.