Topic: Sirefef.A in services, and the other lot of sirefef's everywhere

Offline citiral

  • Jr. Member
  • **
  • Posts: 24
Hello,

I have a nasty sirefef infection on my PC. I have sirefef.a in services.exe, so every time MSE tries to clean it up, Windows gets a critical error and needs to reboot, after which services.exe magically respawned. So I disabled MSE's real-time protection.
I also have sirefef.AB, .AN, .W and .P (as far as MSE knows). I had a sirefef infection before, and I managed to remove it, but now it suddenly came back; I guess it wasn't completely gone last time.

Here are my logs; any help to get rid of this pest would be hugely appreciated. Also, aswMBR BSOD'd whilst scanning. I'll try and run it again.

Offline jeffce

  • Probably Not A Bot
  • avast! Evangelist
  • Super Poster
  • ***
  • Posts: 2128
  • Gender: Male
  • UNITE - ASAP
    • Malware Removal
Re: Sirefef.A in services, and the other lot of sirefef's everywhere
« Reply #1 on: June 27, 2012, 12:26:27 PM »
Hi,

Could you also attach the log created by aswMBR?  :)
--------------------


**Sorry... I missed that last bit about aswMBR not running. If you have not tried, please boot to Safe Mode and attempt to run it.
« Last Edit: June 27, 2012, 12:30:37 PM by jeffce »

Monday and Tuesday, responses will be limited due to university classes.
If I am working with you and not responded in 2 days please PM me.

citiral
Re: Sirefef.A in services, and the other lot of sirefef's everywhere
« Reply #2 on: June 27, 2012, 12:33:35 PM »
I'll try running it again; if it BSODs again I'll do it in Safe Mode.

jeffce
Re: Sirefef.A in services, and the other lot of sirefef's everywhere
« Reply #3 on: June 27, 2012, 12:35:10 PM »
Sounds good.  Are you aware your system is set up with proxy server settings? 


citiral
Re: Sirefef.A in services, and the other lot of sirefef's everywhere
« Reply #4 on: June 27, 2012, 12:48:23 PM »
It's not supposed to, but it randomly enabled those proxies. I think it is one of the sirefefs changing my proxy settings so it can redirect me to ad-filled websites. That hasn't happened for a couple of months, though; I managed to fix it.
It probably changed it again, now that sirefef suddenly came back from the dead. Also, if I try to change it, a couple of minutes later it's back on using that proxy.

jeffce
Re: Sirefef.A in services, and the other lot of sirefef's everywhere
« Reply #5 on: June 27, 2012, 12:52:17 PM »
OK, that's fine. We can fix that up. While you are trying to get aswMBR to run (if you can't, that is fine, just let me know) I need to give you this warning...

**WARNING** Unfortunately one or more of the infections I have identified are Backdoor Trojans, IRCBots or other Malware capable of stealing very important information. You need to stop using all Internet Banking sites, change passwords to all sites with sensitive information from a clean computer and phone your bank to inform them that you may be a victim of identity theft. More often than not, we advise users that a full reinstallation of their Operating System is the only way to ensure that their computer will ever be 100% clean again.

Unfortunately I have found what is known as the ZeroAccess rootkit on your system. It is an especially nasty infection that can take quite some time to clean and may have damaged your system files. As a warning, during the cleaning (if you choose to do so) you may lose internet access with this computer, and in the end we may need to reinstall the operating system anyway, depending on the extent of the infection.

If you would like to format and reinstall your Operating System please let me know and we can assist you with that.

If you would like to continue with the cleaning, please continue with the following instructions and I will be more than happy to help.  :)
----------

If you get aswMBR to run attach that log.  If not, let me know and we can continue. 



citiral
Re: Sirefef.A in services, and the other lot of sirefef's everywhere
« Reply #6 on: June 27, 2012, 01:02:24 PM »
I'd like to try and clean everything up first. I don't feel like losing all the data on my HDD. Luckily I haven't really entered any sensitive information on this PC. aswMBR is scanning as I speak, and it got further than last time without BSODing, so I guess last time was just an unfortunate coincidence.

If it so happens that I need to reinstall windows, I can do that on my own :) .

jeffce
Re: Sirefef.A in services, and the other lot of sirefef's everywhere
« Reply #7 on: June 27, 2012, 01:04:23 PM »
OK, sounds good. If aswMBR finishes, attach the log; if not, let me know and we will move on. :)


citiral
Re: Sirefef.A in services, and the other lot of sirefef's everywhere
« Reply #8 on: June 27, 2012, 01:06:39 PM »
It finally finished; that did take quite long for a quick scan :p. Here is the log:
« Last Edit: June 27, 2012, 01:21:21 PM by citiral »

jeffce
Re: Sirefef.A in services, and the other lot of sirefef's everywhere
« Reply #9 on: June 27, 2012, 01:27:44 PM »
Hi,

Please download and run ERUNT (Emergency Recovery Utility NT).  This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.  **Remember if you are using Windows Vista as your operating system right-click the executable and Run as Administrator.
----------

If you are running Malwarebytes 1.6 or better, please disable it for the duration of this run.

To disable Malwarebytes
  • Open the scanner and select the Protection tab
  • Remove the tick from "Start Protection Module with Windows" as seen below


Once complete continue with the instructions...
----------

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

Code:
:Services

:OTL
IE - HKU\S-1-5-21-308719087-2163327473-937432218-1000\..\URLSearchHook: {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
IE - HKU\S-1-5-21-308719087-2163327473-937432218-1000\..\SearchScopes,DefaultScope = {3D1C1238-79BC-4CAE-A4A8-CBC4AA3287FA}
IE - HKU\S-1-5-21-308719087-2163327473-937432218-1000\..\SearchScopes\{3D1C1238-79BC-4CAE-A4A8-CBC4AA3287FA}: "URL" = http://www.google.be/search?hl=nl&q={searchTerms}&sourceid=ie8&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}
IE - HKU\S-1-5-21-308719087-2163327473-937432218-1000\..\SearchScopes\{FF463997-E893-4F15-8D82-127585E794DE}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=MYC-ST&o=102869&src=kw&q={searchTerms}&locale=nl_EU&apn_ptnrs=5J&apn_dtid=YYYYYYYYBE&apn_uid=89d77262-645e-49ca-94c7-3866c51f30af&apn_sauid=A4A566A3-A226-427F-9806-731E5D1475EA
IE - HKU\S-1-5-21-308719087-2163327473-937432218-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-308719087-2163327473-937432218-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:62444
FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "Ask.com"
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.startup.homepage: "http://eu.ask.com/?l=dis&o=102869&gct=hp"
FF - prefs.js..keyword.URL: "http://websearch.ask.com/redirect?client=ff&src=kw&tb=MYC-ST&o=102869&locale=nl_EU&apn_uid=89d77262-645e-49ca-94c7-3866c51f30af&apn_ptnrs=5J&apn_sauid=A4A566A3-A226-427F-9806-731E5D1475EA&apn_dtid=YYYYYYYYBE&&q="
FF - prefs.js..network.proxy.http_port: 62444
FF - prefs.js..network.proxy.no_proxies_on: ""
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF - HKCU\Software\MozillaPlugins\pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
[2012/04/21 00:35:24 | 000,000,000 | ---D | M] (Ask Toolbar) -- C:\Users\Olivier\AppData\Roaming\Mozilla\Firefox\Profiles\0k3cb65e.default\extensions\toolbar@ask.com
[2012/04/19 23:34:53 | 000,002,405 | ---- | M] () -- C:\Users\Olivier\AppData\Roaming\Mozilla\Firefox\Profiles\0k3cb65e.default\searchplugins\askcom.xml
[2010/01/01 10:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
O3:[b]64bit:[/b] - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-308719087-2163327473-937432218-1000\..\Toolbar\WebBrowser: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
O4 - HKU\S-1-5-21-308719087-2163327473-937432218-1000..\Run: [PlayNC Launcher]  File not found
O32 - AutoRun File - [2007/01/24 02:04:01 | 000,000,043 | R--- | M] () - E:\autorun.inf -- [ UDF ]
O33 - MountPoints2\{51e64ba0-99c0-11e0-a16e-7c4fb513fdca}\Shell - "" = AutoRun
O33 - MountPoints2\{51e64ba0-99c0-11e0-a16e-7c4fb513fdca}\Shell\AutoRun\command - "" = G:\autorun.exe
O33 - MountPoints2\{6402c096-999d-11e0-82fb-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{6402c096-999d-11e0-82fb-806e6f6e6963}\Shell\AutoRun\command - "" = E:\launch.exe -- [2004/10/22 00:38:02 | 000,126,976 | R--- | M] (Macrovision Corporation)
[2012/06/14 22:22:44 | 000,000,000 | ---D | C] -- C:\ProgramData\IObit
[2012/06/14 22:22:44 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\IObit
@Alternate Data Stream - 1048 bytes -> C:\Users\Olivier\AppData\Local\Temp\:5OxrP2YGz6jh6Q9dfQMfQ
@Alternate Data Stream - 1048 bytes -> C:\Users\Olivier\AppData\Local\Temp:5OxrP2YGz6jh6Q9dfQMfQ

:Files
C:\Windows\Installer\{8d7f222a-0caa-9ae2-1650-9dab4fd0a4b4}\
ipconfig /flushdns /c

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
----------

I see that you had downloaded ComboFix before? 

Please delete the current version of Combofix.exe from your desktop and download a new version from here to your desktop.

Disable your AntiVirus and AntiSpyware applications.

Right-click Combofix.exe, choose Run as Administrator and follow the prompts on your display. When finished, it will create C:\Combofix.txt. Please post this log for further review.
---------

In your next reply please attach the logs made by OTL and ComboFix. 

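The fix script above removes a handful of things that, taken together, are the picture a malware-removal helper is reading: a loopback proxy (http=127.0.0.1:62444) configured in both Internet Explorer and Firefox, which reply #4 says comes back minutes after being switched off; an alternate data stream with a random-looking name attached to the user's Temp folder; a GUID-named directory under C:\Windows\Installer; and an AutoRun command on a removable-drive mount point. The following Python 3 script is an added example, not part of the thread and not OTL's own logic: it runs the same indicators as detection rules over OTL-style log lines. The rules are this example's own heuristics (assumptions), the sample lines are taken from the fix script above except the Zone.Identifier line, which is constructed as a benign control.

```python
"""Triage OTL-style log lines for ZeroAccess/Sirefef-style indicators.

Added example: not from the thread and not OTL's own logic. The indicator
rules are assumptions (heuristics), not signatures. SAMPLE_LOG is built from
the fix script quoted in the thread; the Zone.Identifier line is constructed
as a benign control.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    line: str


SAMPLE_LOG = r"""
IE - HKU\S-1-5-21-308719087-2163327473-937432218-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-308719087-2163327473-937432218-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:62444
FF - prefs.js..network.proxy.http_port: 62444
FF - prefs.js..network.proxy.no_proxies_on: ""
@Alternate Data Stream - 1048 bytes -> C:\Users\Olivier\AppData\Local\Temp:5OxrP2YGz6jh6Q9dfQMfQ
@Alternate Data Stream - 26 bytes -> C:\Users\Olivier\Downloads\setup.exe:Zone.Identifier
C:\Windows\Installer\{8d7f222a-0caa-9ae2-1650-9dab4fd0a4b4}
O33 - MountPoints2\{51e64ba0-99c0-11e0-a16e-7c4fb513fdca}\Shell\AutoRun\command - "" = G:\autorun.exe
[2012/06/14 22:22:44 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\IObit
"""

# IE proxy value of the form http=127.0.0.1:PORT (the "http=" prefix is optional).
# ProxyEnable is deliberately ignored: the thread says the setting re-enables itself.
_RE_IE_PROXY = re.compile(
    r'"ProxyServer"\s*=\s*(?:\w+=)?(?:127\.0\.0\.1|localhost):(\d+)', re.I)
# Firefox only logs the port here; the host pref is not in the posted log.
_RE_FF_PROXY_PORT = re.compile(r'network\.proxy\.http_port:\s*(\d+)')
# "@Alternate Data Stream - N bytes -> <path>:<stream>"
_RE_ADS = re.compile(r'^@Alternate Data Stream - (\d+) bytes -> (.+?):([^:\\]+)$')
# A {GUID} directory directly under \Windows\Installer.
_RE_INSTALLER_GUID = re.compile(
    r'\\Windows\\Installer\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}', re.I)
# AutoRun command bound to a drive mount point (low confidence: optical-media
# launchers produce the same line, so treat it as a pointer, not a verdict).
_RE_MOUNTPOINT_AUTORUN = re.compile(
    r'^O33 - MountPoints2\\\{[^}]+\}\\Shell\\AutoRun\\command - "" = (.+)$')

# Streams Windows itself attaches to files; anything else is worth a look.
BENIGN_STREAMS = {"zone.identifier", "encryptable", "favicon"}


def triage(log_text: str, high_port: int = 1024) -> list[Finding]:
    """Return one Finding per matched line, plus a cross-browser proxy check."""
    findings: list[Finding] = []
    ports: dict[str, int] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := _RE_IE_PROXY.search(line)) and int(m.group(1)) >= high_port:
            ports["ie"] = int(m.group(1))
            findings.append(Finding("loopback-proxy-ie", line))
        elif (m := _RE_FF_PROXY_PORT.search(line)) and int(m.group(1)) >= high_port:
            ports["ff"] = int(m.group(1))
            findings.append(Finding("loopback-proxy-ff", line))
        elif (m := _RE_ADS.match(line)) and m.group(3).lower() not in BENIGN_STREAMS:
            findings.append(Finding("ads-nonstandard", line))
        elif _RE_INSTALLER_GUID.search(line):
            findings.append(Finding("installer-guid-dir", line))
        elif _RE_MOUNTPOINT_AUTORUN.match(line):
            findings.append(Finding("mountpoint-autorun", line))
    # Two different browsers pointed at the same loopback port is the strongest
    # single signal here: one local process is intercepting all web traffic.
    if len(ports) == 2 and len(set(ports.values())) == 1:
        findings.append(Finding("proxy-port-shared-ie-ff",
                                f"IE and Firefox both use 127.0.0.1:{ports['ie']}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:24} {f.line}")
```

The ProxyEnable=0 line is not flagged on its own, and the "ProxyServer" line is flagged even though ProxyEnable is 0, because the thread reports the proxy switching itself back on. The O33 rule is the weakest of the set; the E:\launch.exe entry signed by Macrovision in the same script is exactly what a game DVD leaves behind, so that rule should only prompt a question, not a deletion.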

citiral
Re: Sirefef.A in services, and the other lot of sirefef's everywhere
« Reply #10 on: June 27, 2012, 02:32:20 PM »
Okay. So here are the logs.
Also, ComboFix seems to have removed and fixed all the files MSE said were infected, plus some more files. And MSE is giving me the green light again :D.

jeffce
Re: Sirefef.A in services, and the other lot of sirefef's everywhere
« Reply #11 on: June 27, 2012, 03:03:44 PM »
Looking much better.

Run a new scan with ComboFix and attach that log please.  :)


citiral
Re: Sirefef.A in services, and the other lot of sirefef's everywhere
« Reply #12 on: June 27, 2012, 03:07:18 PM »
Do you mean with OTL?

jeffce
Re: Sirefef.A in services, and the other lot of sirefef's everywhere
« Reply #13 on: June 27, 2012, 03:10:46 PM »
No, with ComboFix. :)


citiral
Re: Sirefef.A in services, and the other lot of sirefef's everywhere
« Reply #14 on: June 27, 2012, 03:39:47 PM »
All done. This time it didn't find any infected files.

One thing though: on my desktop there was a hidden desktop.ini, with this written in it:
Code:
[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21799

There also were 2 infected desktop.ini's in my windows folder. When I removed the file, and restarted my pc, the file came back.

------
EDIT: never mind, I restarted again and the file didn't reappear. Guess it was just something ComboFix or OTL made.
« Last Edit: June 27, 2012, 03:43:00 PM by citiral »
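A reappearing hidden desktop.ini is a common worry during a clean-up, so a quick way to tell the stock Windows file from one that deserves attention is useful. The following Python 3 script is an added example, not part of the thread and not something ComboFix, OTL or Windows provides: it parses a desktop.ini and flags only the things that do not belong in the file Windows keeps in its known folders. The first sample is the file quoted in the post above; the second is constructed. The rule (only a [.ShellClassInfo] section, resource values under the system32 directory, no UNC paths, no CLSID remapping) is this example's own heuristic.

```python
"""Classify a desktop.ini as standard-looking or worth a closer look.

Added example: not from the thread, ComboFix, OTL or Windows. The rule is a
heuristic of this example's own; SAMPLE_STANDARD is the file quoted in the
post, SAMPLE_SUSPICIOUS is constructed.
"""
import configparser
import re

# Copied from the post above.
SAMPLE_STANDARD = r"""[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21799
"""

# Constructed: the folder icon is fetched from a network share, which can make
# Explorer contact that host whenever the folder is displayed. The hostname is
# a placeholder.
SAMPLE_SUSPICIOUS = r"""[.ShellClassInfo]
IconResource=\\example-host\share\folder.ico,0
"""

# Resource references of the form @%SystemRoot%\system32\foo.dll,-1234;
# the leading '@' and the ',index' suffix are optional, matching is case-insensitive.
_SYSTEM_RESOURCE = re.compile(
    r'^@?(?:%SystemRoot%|C:\\Windows)\\system32\\[\w.]+(?:,-?\d+)?$', re.I)
# Keys whose value is a file or resource path.
_RESOURCE_KEYS = {"localizedresourcename", "iconresource", "iconfile"}


def classify_desktop_ini(text: str) -> tuple[str, list[str]]:
    """Return ("standard", []) or ("review", [reason, ...])."""
    # '=' only: values contain ':' (C:\...) which configparser would otherwise
    # treat as a key/value separator. No interpolation, so '%' is literal.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    reasons: list[str] = []
    for section in cp.sections():
        if section.lower() != ".shellclassinfo":
            reasons.append(f"unexpected section [{section}]")
        for key, value in cp.items(section):  # configparser lower-cases keys
            v = value.strip()
            if v.startswith("\\\\"):
                reasons.append(f"{key} points to a UNC path: {v}")
            elif key in _RESOURCE_KEYS and not _SYSTEM_RESOURCE.match(v):
                reasons.append(f"{key} resolves outside system32: {v}")
            elif key in ("clsid", "clsid2"):
                reasons.append(f"{key} remaps the folder to {v}")
    return ("standard" if not reasons else "review"), reasons


if __name__ == "__main__":
    for name, sample in (("standard", SAMPLE_STANDARD), ("suspicious", SAMPLE_SUSPICIOUS)):
        label, reasons = classify_desktop_ini(sample)
        print(name, "->", label, reasons)
```

Run it against a desktop.ini pulled from the machine (read the file with `open(path, encoding="utf-16")` if it has a BOM, otherwise plain `open`). A "standard" result only means the file carries nothing beyond a shell32 string reference; it says nothing about the rest of the folder.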