Author Topic: Sirefef.FB infection, help please.  (Read 5098 times)


nullname721

  • Guest
Sirefef.FB infection, help please.
« on: July 17, 2012, 09:40:20 PM »
I've been attempting to fix my family's computer, which has been infected by several viruses, all of which I've successfully removed except for what appears to be the real problem, sirefef.FB. If I could get some help with it I'd be very grateful. I've attached the OTL and aswMBR logs after running them.

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Sirefef.FB infection, help please.
« Reply #1 on: July 17, 2012, 09:41:24 PM »
Monitoring  :)

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Sirefef.FB infection, help please.
« Reply #2 on: July 17, 2012, 09:55:11 PM »
Step 1

Run OTL.exe.

  • Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.
Code:
:otl
IE - HKLM\..\SearchScopes\{104390CA-E40C-43BF-A771-26DE9E4121CC}: "URL" = http://www.ask.com/web?q={searchTerms}&l=dis&o=cahpd
IE - HKU\S-1-5-21-2057652613-4272033290-2308107269-1000\..\SearchScopes\{104390CA-E40C-43BF-A771-26DE9E4121CC}: "URL" = http://www.ask.com/web?q={searchTerms}&l=dis&o=cahpd
IE - HKU\S-1-5-21-2057652613-4272033290-2308107269-1000\..\SearchScopes\{35065594-9169-4a34-B167-FC4865038E53}: "URL" = http://search.easygifanimator-toolbar.com/search?p=Q&ts=ne&w={searchTerms}&csrc=search-field
FF - prefs.js..extensions.enabledItems: askopensearch-VTS@ask.com:1.0.0.0

:files
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}
C:\Users\User\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}
ipconfig /flushdns /c

:Commands
[emptytemp]
[DRIVES]
[Reboot]
  • Then click the Run Fix button at the top.
  • Let the program run unhindered; it will reboot the system when it is done and open Notepad with the log report. Paste the log here.
Step 2


> Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.

> Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this Instruction.

> Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.

ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.

If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.


> When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt )
  Post the log report ( ComboFix.txt) back to this topic.

Step 3

> Check USB storage devices / removable drives


Download MCShield.
Official site

  • Double click MCShield-Setup to install the application.
  • Wait a few seconds for MCShield to finish the initial scan.
It is recommended that under the General and Scanner tabs you click the Defaults button to choose the recommended options.
  • Connect your USB storage devices to the computer one at a time. Scanning will be done automatically.
When all scanning is done, you need to attach the log report that MCShield has made.

Start -> All Programs -> MCShield -> Logs

Attach here -> AllScans.txt

Explanation: USB storage devices are all the USB devices that get their own partition letter at connecting to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.

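The OTL fix in Step 1 above removes two kinds of artifact: Internet Explorer SearchScopes entries pointing at unexpected search providers, and a {GUID}-named folder that appears under both C:\Windows\Installer and the user's AppData\Local. The following read-only PowerShell audit is an added example, not part of this thread or of OTL; it lists both artifact classes for review so a helper can decide what to put in a fix script. It assumes Windows PowerShell 3.0 or later (for `Get-ChildItem -Directory`) and reports only; it deletes nothing.

```powershell
# Added example (not from the thread or from OTL): report IE SearchScopes
# entries and {GUID} folder names present in BOTH C:\Windows\Installer and
# %LOCALAPPDATA%. Read-only. Assumes Windows PowerShell 3.0 or later.

function Get-SearchScopeReport {
    # Enumerate every SearchScopes entry for the machine and the current user
    # and return its URL so an unexpected search provider stands out.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes',
        'HKCU:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                Hive        = $root.Split(':')[0]
                ScopeId     = $_.PSChildName
                DisplayName = $props.DisplayName
                URL         = $props.URL
            }
        }
    }
}

function Get-PairedGuidFolders {
    # The two folders removed in the OTL fix share one {GUID} name across
    # C:\Windows\Installer and %LOCALAPPDATA%. Windows\Installer legitimately
    # holds many {GUID} folders (MSI caches), so only a name that exists in
    # both locations is reported.
    param(
        [string]$InstallerDir = (Join-Path $env:SystemRoot 'Installer'),
        [string]$LocalAppData = $env:LOCALAPPDATA
    )
    $guidPattern    = '^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$'
    $installerNames = @{}

    if (Test-Path $InstallerDir) {
        Get-ChildItem -Path $InstallerDir -Directory -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match $guidPattern } |
            ForEach-Object { $installerNames[$_.Name.ToLower()] = $_.FullName }
    }

    if (Test-Path $LocalAppData) {
        Get-ChildItem -Path $LocalAppData -Directory -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match $guidPattern -and $installerNames.ContainsKey($_.Name.ToLower()) } |
            ForEach-Object {
                [pscustomobject]@{
                    Name          = $_.Name
                    InstallerPath = $installerNames[$_.Name.ToLower()]
                    AppDataPath   = $_.FullName
                }
            }
    }
}

# Usage: run from an elevated prompt on the machine being examined.
Get-SearchScopeReport | Format-Table -AutoSize
Get-PairedGuidFolders | Format-Table -AutoSize
```

Scanning only the current user's HKCU means the hive for a user who is not logged on (the HKU\S-1-5-21-... path in the OTL fix) is not covered; run the script as that user, or load the hive, to see those scopes.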
nullname721

  • Guest
Re: Sirefef.FB infection, help please.
« Reply #3 on: July 17, 2012, 10:52:23 PM »
I'm posting from my computer as ComboFix is currently running on the one I am fixing. For the last 20 mins it has been stuck on "System File is Infected!! Attempting to Restore C:\Windows\System32\services.exe". Should I leave it like that, and if so, for how long?

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Sirefef.FB infection, help please.
« Reply #4 on: July 17, 2012, 11:03:32 PM »
Do not touch the computer while Combofix is running.
Please let it run uninterrupted and unhindered. It will carry out necessary steps. The final step is Step: 50, so please let it carry all those steps out.
When the scan is finished, it will delete the malware found and reboot your computer automatically. Don't reboot your computer manually; let ComboFix do it.
Once your computer is rebooted, ComboFix will start preparing a log. Please let it do so unhindered.

nullname721

  • Guest
Re: Sirefef.FB infection, help please.
« Reply #5 on: July 17, 2012, 11:20:47 PM »
Actually just finished, it just hung for a long time. I've attached the combofix and OTL logs below.

nullname721

  • Guest
Re: Sirefef.FB infection, help please.
« Reply #6 on: July 17, 2012, 11:25:55 PM »
And here is the MCShield log.

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Sirefef.FB infection, help please.
« Reply #7 on: July 17, 2012, 11:41:36 PM »
USB devices have been infected. Now they are clean. Leave MCShield active during the cleaning to prevent possible reinfections.

> Open Notepad and copy/paste the text present inside the code box below:

Code:
FCopy::
c:\windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe|c:\windows\System32\services.exe

FileLook::
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0

KillAll::

ClearJavaCache::

RegLock::
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5


Save this as CFScript.txt

Close all browser windows. Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt )

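The FCopy:: line in the script above restores services.exe from a WinSxS component-store copy because this family patches the on-disk binary (the "System File is Infected" message in Reply #3). The following PowerShell check is an added example, not part of this thread or of ComboFix: it hashes C:\Windows\System32\services.exe, compares it with every services.exe in the component store, and reads the file's Authenticode status, reporting rather than changing anything. It assumes PowerShell 4.0 or later (for `Get-FileHash`) and an elevated prompt.

```powershell
# Added example (not from the thread or from ComboFix): report whether
# System32\services.exe hash-matches a component-store copy and what its
# Authenticode status is. Read-only. Assumes PowerShell 4.0+ and elevation.

function Test-ServicesExeIntegrity {
    param(
        [string]$Target = (Join-Path $env:SystemRoot 'System32\services.exe'),
        [string]$WinSxS = (Join-Path $env:SystemRoot 'winsxs')
    )
    $targetHash = (Get-FileHash -Path $Target -Algorithm SHA256).Hash
    $sig        = Get-AuthenticodeSignature -FilePath $Target

    # Every services.exe in the component store, hashed for comparison.
    $copies = Get-ChildItem -Path $WinSxS -Recurse -Filter 'services.exe' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path = $_.FullName
                Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
    $matching = @($copies | Where-Object { $_.Hash -eq $targetHash })

    [pscustomobject]@{
        Target          = $Target
        SHA256          = $targetHash
        # On older Windows, services.exe is catalog-signed, so this cmdlet can
        # report NotSigned for a clean file; treat it as informational there.
        SignatureStatus = $sig.Status
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        StoreCopies     = @($copies).Count
        MatchingCopies  = $matching.Count
        MatchingPaths   = $matching.Path
        # A live services.exe that matches none of the store copies is the
        # condition the FCopy restore above is meant to correct.
        NoStoreMatch    = ($matching.Count -eq 0)
    }
}

# Usage: run from an elevated prompt on the machine being examined.
Test-ServicesExeIntegrity | Format-List
```

A hash match against a store copy is the stronger signal here. On Windows 10 with PowerShell 5.1, Get-AuthenticodeSignature also resolves catalog signatures, so a Valid status is expected for a clean file; on Vista and Windows 7 the same cmdlet can return NotSigned for an untouched system binary, which is why the script does not fold the signature status into NoStoreMatch.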
nullname721

  • Guest
Re: Sirefef.FB infection, help please.
« Reply #8 on: July 18, 2012, 12:29:19 AM »
Here's the new log from ComboFix.

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Sirefef.FB infection, help please.
« Reply #9 on: July 18, 2012, 12:58:29 AM »
Ok, delete the current ComboFix and download a fresh one.
Re-run ComboFix and attach the fresh ComboFix.txt log here.

nullname721

  • Guest
Re: Sirefef.FB infection, help please.
« Reply #10 on: July 18, 2012, 01:57:16 AM »
Here is the log from the fresh combofix scan.

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Sirefef.FB infection, help please.
« Reply #11 on: July 18, 2012, 02:44:52 AM »
Logs look good. How is your computer running now?

nullname721

  • Guest
Re: Sirefef.FB infection, help please.
« Reply #12 on: July 18, 2012, 03:10:10 AM »
Seems fine. Thanks for all your help.

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Sirefef.FB infection, help please.
« Reply #13 on: July 18, 2012, 03:25:23 AM »
Seems fine. Thanks for all your help.

Nice to hear that.  :)

It is necessary to uninstall ComboFix, OTL and the other tools, and to remove their backup files.

> Start >> Run ( or you may use Start Search )

type:
Code:
Combofix /Uninstall
Enter


> Re-Run OTL and hit ClearUp! button.