Avast WEBforum
Other => Viruses and worms => Topic started by: dee455 on May 04, 2013, 10:24:11 AM
-
I can't get this removed: C:\Windows\system32\services.exe **INFECTED** Win32:Sirefef-ZT [Trj]
00:54:31.133 File: C:\Windows\assembly\GAC_32\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
00:54:32.319 File: C:\Windows\assembly\GAC_64\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
avast said it cleaned the last two but I ran all programs listed on the help page. I guess they are still there. I don't know how long they have been there or what they do.
Thank you in advance for all your help
p.s. I hope I did this all right.
-
Monitoring
-
thank you :)
-
;)
Step#1
Please download zoek.exe (http://home.kpn.nl/stefsmeenk/zoek.exe/) and save it to your desktop.
- Close any open browsers.
- Temporarily disable your AntiVirus program. (If necessary)
If you are unsure how to do this please read this (http://www.techsupportforum.com/forums/f50/how-to-disable-your-security-applications-490111.html) or this (http://www.bleepingcomputer.com/forums/topic114351.html) Instruction.
- Double click on zoek.exe to run the tool .
Please wait until the tool starts...
- Copy the text present inside the code box below and paste it into the large window in the zoek tool:
C:\Windows\assembly\GAC_32\Desktop.ini;f
C:\Windows\assembly\GAC_64\Desktop.ini;f
iedefaults;
emptyclsid;
[-HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\{336D0C35-8A85-403a-B9D2-65C292C39087}];r64
[-HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\{C4CFC0DE-134F-4466-B2A2-FF7C59A8BFAD}];r64
C:\PROGRAM FILES\IB UPDATER;fs
C:\PROGRAM FILES\UPDATER BY SWEETPACKS;fs
C:\Windows\Installer\{4311bbe4-06d6-fe94-e5d4-6ce1a49a8f07}\@;f
C:\Windows\Installer\{4311bbe4-06d6-fe94-e5d4-6ce1a49a8f07}\L;f
C:\Windows\Installer\{4311bbe4-06d6-fe94-e5d4-6ce1a49a8f07}\U;f
C:\Windows\Installer\{4311bbe4-06d6-fe94-e5d4-6ce1a49a8f07}\L\00000004.@;f
C:\Windows\Installer\{4311bbe4-06d6-fe94-e5d4-6ce1a49a8f07}\U\00000004.@;f
C:\Windows\Installer\{4311bbe4-06d6-fe94-e5d4-6ce1a49a8f07}\U\00000008.@;f
C:\Windows\Installer\{4311bbe4-06d6-fe94-e5d4-6ce1a49a8f07}\U\80000000.@;f
C:\install.exe;f
Conduit;z
Conduit;a
DataMngr;z
DataMngr;a
emptyalltemp;
autoclean;
- Click on the Run Script button.
Please wait until a log report opens (this can be after a reboot).
- Save the Notepad file to your Desktop and attach zoek-results.log here.
Note: It will also create a log in the C:\ directory named "zoek-results.log"
*******************************
Step#2
> Download ComboFix from here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) and save it to your Desktop.
If you are unsure how ComboFix works please read this guide (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) carefully.
note: ComboFix must be downloaded to your Desktop.
> Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this (http://www.techsupportforum.com/forums/f50/how-to-disable-your-security-applications-490111.html) or this (http://www.bleepingcomputer.com/forums/topic114351.html) Instruction.
How to disable avast:
- Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
- In the window that opens on the top right corner, click Settings.
- In a new window that opens, choose the option Troubleshooting, Uncheck Enable avast! self-defense, and click OK.
- Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls .
- In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.
Note: Do not forget to turn on this option after the cleaning.
> Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note: Do not mouse-click ComboFix's window while it is running.
If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion" just restart computer once more.
> When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt )
Attach log reports ( ComboFix.txt) back to topic.
-
zoek results, doing next step
-
I disabled avast but when I go to run the last step it still says it's running. It also says that Spybot is running and I don't show that it is. Help
-
If you have disabled it, then just ignore the messages and run....
-
ok thanks
-
and magna86 will be back later, he is in and out of the forum all day ;)
-
ugh here are the files
-
Re-run ComboFix and attach the fresh ComboFix.txt log report here.
-----------------------------------------
Re-run Zoek as you did before with this script:
[-HKEY_USERS\S-1-5-21-3678120768-2371748754-349669163-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3678120768-2371748754-349669163-1000\Software\IB Updater];r
[-HKEY_USERS\S-1-5-21-3678120768-2371748754-349669163-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3678120768-2371748754-349669163-1000\Software\Updater By SweetPacks];r
kiplfnciaokpcennlkldkdaeaaomamof;chr
C:\Users\me\AppData\Local\Torch;fs
C:\Program Files (x86)\TornTV.com;fs
nbmafkdmkkckhggblphicnnhlgljnoje;chr
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main];r
"Start Page"="http://www.google.com";r
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main];r
"Start Page"="http://www.google.com";r
c:\programdata\iolo;vs
c:\users\me\AppData\Local\Savings Addon;f
c:\program files (x86)\GUTF603.tmp;f
c:\program files (x86)\GUTBEFC.tmp;f
tixati.exe;z
resetIEproxy;
emptyclsid;
emptyalltemp;
autoclean;
Click on the RunScript button and attach the fresh zoek log here.
-
first scan today
-
last one
Thank you again so much. Can you tell me how long I have had this? What kind of damage does it do?
-
I don't mean to be a pain and I know we are in different time zones but I was wondering if my computer is OK now. I posted my last information so I have just been waiting for an answer.
Thank you
-
You had a userland rootkit, so-called ZeroAccess or 0access. Also you had various crapware: bad files & extensions that we had to remove.
---------
It is necessary to uninstall ComboFix :
- Click Start, then Run.
On Windows 7 or Vista you may use the Start Search field if Run is not available.
- In the text box, type (or copy) the following:
ComboFix /Uninstall
Note that there is a space between "ComboFix" and "/Uninstall".
- then click OK (or press Enter).
Wait until the uninstall process is complete.
---------
Re-run Zoek with this script:
kiplfnciaokpcennlkldkdaeaaomamof;chr
C:\Users\me\AppData\Local\Torch;fs
mocblcnaofikinigmceddfghppkkjbog;chr
C:\Users\me\AppData\Roaming\PlusWinks;fs
c:\programdata\iolo;f
emptyalltemp;
emptyclsid;
------
How is your computer running now?
-
Thank you for your response. ;) Due to the time zone difference I was already in bed when I saw your answer. I'll do it when I get up. It already seems better. :) You're kick ass!!!! I KNOW I had a lot of crap that I had tried to get rid of before but ;) it wouldn't go away. Thank you for that too!! Are there any programs that you might recommend? You still want me to attach my last file, right? The issue I did have, it wasn't the kind that was stealing information or anything like that, was it, or causing damage? Once again you are KICKASS!!!!! :) Thank you so much. I would say I would return the favor but I don't have the knowledge to help you. Lol. I guess I owe you a couple (?????) Have a great day, talk to you later :) Keep kicking ass!! ;)
-
ok I uninstalled combo/fix and ran zoek. Am a good now. File attached
oops am I good now?
-
oops I meant am I good now?
-
You tell me? :D
We have removed the ZA rootkit and crapware from your computer ... logs look clean. :)
-
Thank you soooo much for your help.
-
I'm sorry, I could not answer earlier...
Please download DelFix (http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/9-delfix) by "Xplode" to your Desktop.
Run the tool and check the following boxes:
- Remove disinfection tools
- Create registry backup
- Purge System Restore
Now click on the "Run" button. Wait for the program to complete its work.
The tool will create and open a log report (DelFix.txt)
Note: The report will also be stored on C:\DelFix.txt
> I don't need DelFix log report.
*************
I recommend keeping Malwarebytes and using MCShield if you wish.
You may download MCShield from one of the following links:
MyCity - Official download link (http://amf.mycity.rs/mcshield/)
Softpedia - Mirror download link (http://www.softpedia.com/get/Antivirus/MCShield.shtml)
It will prevent infection of the computer via USB flash drive, mobile phone or any other memory card.
And not only will it prevent infection, it will immediately clean the flash drive, memory card or external HDD.
-
oh I just saw your reply. It didn't hurt anything by not removing it did it? I noticed that loading pages from the internet has slowed down.
-
I already have Malwarebytes, strangely, but it didn't find anything and the one you had me download did. I will download the other one.
Thank you
p.s.
Good pun in earlier response
-
I removed everything. Can I download adware again? I liked that and it seemed to work well.
-
pages still don't seem like they want to load
-
OK, we can check the system with a very deep scan, but this problem may not be malware related.
First, run ESET Services repair;
http://kb.eset.com/esetkb/index?page=content&id=SOLN2895&locale=en_US
Follow the guide for running the ESET SirefefCleaner tool and the ESET Services Repair tool.
----------------
Then,
Download GMER , AntiRootkit tool from the link below and save it to your Desktop :
Download GMER (http://www2.gmer.net/download.php)
Double-click to run GMER.
- Wait for the initial scan to finish; if there is any query, click No;
- Click Scan and wait until the full scan is complete;
- Click Save... and save the report to the Desktop (called Gmer1);
// note: the scan for the Gmer1 log may take some time
- Right-click in the GMER window and select Options > Only non MS files, then click Scan;
- After a fast scan, click Save... and save the report to the Desktop (called Gmer2);
- Click the >>> and select the Autostart tab;
- After a fast scan, click Copy;
- Open Notepad, paste the text into it and save the report to the Desktop (called Gmer3).
> Attach the Gmer1, Gmer2 and Gmer3 log reports here.
--------------------------
You can also run the Windows Repair tool:
Download Windows Repair (all in one) from here:
http://www.tweaking.com/content/page/windows_repair_all_in_one.html
- Install the program, then run it.
- Go to Step 2 and allow it to run Disk Check
- Once that is done, go to Step 3 and allow it to run SFC
- Go to Step 4 and create a registry backup and system restore point.
- On the Start Repairs tab => Click the Start
- Click on the Select all button and then click on Start
- Don't use the computer while each scan is in progress!!!
- Restart may be needed to finish the repair procedure.
-
ok will do. I keep getting notices from avast about blocking a virus
-
I can't download the file. I keep getting "VIRUS FILE DELETED". I even disabled avast and it still does it
-
Oh and there is no system restore files
-
I hope you are there today. I would like to get this fixed without reformatting the whole thing.
-
Hmm ... I don't understand. How is it possible for malware to just come back like that. :-\
Let's go over again ...
Step#1;
Please download Malwarebytes AntiRootkit and save it to your desktop.
http://www.malwarebytes.org/products/mbar/
Full instructions how to use MBAR
http://www.bleepingcomputer.com/virus-removal/how-to-use-malwarebytes-anti-rootkit
Please note: This is a beta version, so please be sure to read the disclaimer and take note of it.
- Unzip MBAR into a folder on your Desktop
- Open the folder where the contents were unzipped and run mbar.exe
- Click on Next > then on the Update button to download fresh definitions.
- When the database has updated, click Next
- In the following window ensure the "Targets" Drivers, Sectors and System are ticked, then click the Scan button
- If an infection/s are found ensure "Create Restore Point" is checked, then select the "Cleanup Button" to remove threats.
Or if you are sure any entries should not be kept, just untick them. A list of infected files will be listed.
- The clean-up procedure will be scheduled.
- When complete, a pop-up will show. Select the Yes button and the system should reboot to complete the cleaning process.
>> Please attach the two following logs from the mbar folder:
system-log.txt
and
mbar-log-year-month-day (hour-minute-second).txt.
... ... ... ... ... ... ... ... ... ... ... ...
Step#2;
> Download ComboFix from here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) and save it to your Desktop.
If you are unsure how ComboFix works please read this guide (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) carefully.
note: ComboFix must be downloaded to your Desktop.
> Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this (http://www.techsupportforum.com/forums/f50/how-to-disable-your-security-applications-490111.html) or this (http://www.bleepingcomputer.com/forums/topic114351.html) Instruction.
How to disable avast:
- Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
- In the window that opens on the top right corner, click Settings.
- In a new window that opens, choose the option Troubleshooting, Uncheck Enable avast! self-defense, and click OK.
- Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls .
- In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.
Note: Do not forget to turn on this option after the cleaning.
> Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note: Do not mouse-click ComboFix's window while it is running.
If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion" just restart computer once more.
> When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt )
Attach log reports ( ComboFix.txt) back to topic.
... ... ... ... ... ... ... ... ... ... ... ...
Step#3;
Please download zoek.exe (http://home.kpn.nl/stefsmeenk/zoek.exe/) and save it to your desktop.
- Close any open browsers.
- Temporarily disable your AntiVirus program. (If necessary)
If you are unsure how to do this please read this (http://www.techsupportforum.com/forums/f50/how-to-disable-your-security-applications-490111.html) or this (http://www.bleepingcomputer.com/forums/topic114351.html) Instruction.
- Double click on zoek.exe to run the tool .
Please wait until the tool starts...
- Copy the text present inside the code box below and paste it into the large window in the zoek tool:
installedprogs;
systemscpecs;
filesrcm;
startupall;
firefoxlook;
chromelook;
silentrunners;
- Click on the Run Script button.
Please wait until a log report opens (this can be after a reboot).
- Save the Notepad file to your Desktop and attach zoek-results.log here.
Note: It will also create a log in the C:\ directory named "zoek-results.log"
-
here are the first logs. I had to use Chrome to download the files; IE wouldn't let me download. It kept saying virus file deleted
-
ComboFix still couldn't download through IE. Will try again on the next one
-
Zoek. Still couldn't download with IE. Didn't want to try anything after this post. I will wait for your response.
Thank You for your help.
I hoped it worked this time.
-
I just noticed that my hard drive is almost full too. It wasn't like that before :(
-
Download TDSSKiller (http://media.kaspersky.com/utilities/VirusUtilities/EN/tdsskiller.exe) and save it to your desktop
Execute TDSSKiller.exe by double-clicking on it.
- Press Start Scan
- If a Suspicious object is detected, the default action will be Skip; click on Continue.
- If Malicious objects are found, select Cure.
Once complete, a log will be produced at the root of the drive, which is typically C:\ , for example, C:\TDSSKiller.<version_date_time>log.txt
Please post the contents of that log in your next reply.
============ Next ============
Open notepad and copy/paste the text present inside the code box below:
Folder::
c:\Windows\Installer\{4311bbe4-06d6-fe94-e5d4-6ce1a49a8f07}
FileLook::
c:\Windows\System32\services.exe
ClearJavaCache::
DDS::
Trusted Zone: $talisma_url$
Trusted Zone: att.com\www
Save this as CFScript.txt
Close all browser windows and, referring to the screenshot (http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif), drag CFScript.txt onto ComboFix.exe.
ComboFix will will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt )
============ Next ============
Re-run Zoek.exe as you did before but use this script:
CD \;b
DIR /S /A:L > %USERPROFILE%\Desktop\JunctionPoints.txt;b
Click on the RunScript button. When zoek finishes its scan, you will see the JunctionPoints.txt report on your Desktop. Please attach it here.
-
I just woke up to check for a response. I will do it when I wake up. It looks like I have the same stuff but more now. I have turned off the computer until I get a response from you. I hope that's OK. When IE comes up after boot the Windows firewall comes up and says some files can't be viewed, do I want to give it permission to let it; the other option is cancel. I didn't know what to do so I just use "X" to close it. I have never seen it do this before. So I hope I am doing the right thing. I may have some important files to send out today. I doubt we will be online at the same time. So if there are other things you want me to do or can do before you get a chance to read the logs just let me know. I will try and download through IE again and let you know. Sorry for all the questions but I may need to use my computer later.
Thank you for your help again. Maybe we will be on at the same time. I will cross my fingers,
once again THANK YOU again
-
just saw the answer
When IE comes up after boot the Windows firewall comes up and says some files can't be viewed, do I want to give it permission to let it; the other option is cancel.
This sounds familiar. I know what the problem is, as I suspected before. Also, this new malware blocks all malware-removal tools from downloading and running ... this is still new for all of us.
Try to run TDSSKiller, ComboFix via CFScript and, most importantly, run the latest zoek script. I need to see all logs. Run them from normal or safe mode, but I need to see the logs.
In any case, if you fail to run one tool, skip it and run the other. Zoek and its JunctionPoints.txt log are currently very important to me to solve the problem.
-
first log
-
next log
I am going to run ComboFix one more time; it said it had an update but I didn't update it the first time
-
Hi,
You have attached the wrong ComboFix logs. Read the CF instructions again.
I'm waiting for the JunctionPoints.txt log too.
-
And yes, update CF.
-
Hi and good morning
Updated ComboFix.
-
last one
-
I still have been using chrome to download
-
Good morning to you. ;D
Attach JunctionPoints.txt log. It should be on your desktop somewhere ...
-
:)
-
1.
Please download Farbar Recovery Scan Tool (http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/) and save it in some folder on your desktop.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
2.
Open notepad.
- Click Start
- Type notepad.exe in the search programs and files box and click Enter.
- A blank Notepad page should open.
Copy and paste the content below:
DeleteJunctionsInDirectory: C:\Program Files\Windows Defender
DeleteJunctionsInDirectory: C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306
- Save fixlist.txt in the same folder where you saved FRST.exe
fixlist.txt must be in the same location where FRST.exe tool is!
Run FRST.exe
- Double-click to run it. When the tool opens click Yes to disclaimer.
- Please note: The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
- Press the Fix button once and wait.
- FRST will process fixlist.txt
- When finished, it will produce a log fixlog.txt and will keep that log in the same folder where FRST.exe is.
> Attach here fixlog.txt logreport.
=========== Next ==============
1.
Delete the old zoek.exe and download a new, fresh copy from here:
zoek.exe (http://home.kpn.nl/stefsmeenk/zoek.exe/)
2.
- Close any open browsers.
- Temporarily disable your AntiVirus program. (If necessary)
If you are unsure how to do this please read this (http://www.techsupportforum.com/forums/f50/how-to-disable-your-security-applications-490111.html) or this (http://www.bleepingcomputer.com/forums/topic114351.html) Instruction.
- Double click on zoek.exe to run the tool .
Please wait until the tool starts...
- Copy the text present inside the code box below and paste it into the large window in the zoek tool:
process;
srinfo;
systemscpecs;
installedprogs;
DIR /S /A:L "%systemdrive%\*">>"%temp%\log.txt";b
filesrcm;
startupall;
skipfix-iedefaults;
firefoxlook;
chromelook;
- Click on the Run Script button.
Please wait until a log report opens (this can be after a reboot).
- Save the Notepad file to your Desktop and attach zoek-results.log here.
Note: It will also create a log in the C:\ directory named "zoek-results.log"
=========== Next ==============
Attach here:
1. fixlog.txt from FRST tool
2. zoek-results.log from Zoek tool
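As an added example (not code from the thread, nor from the zoek or FRST authors): the JunctionPoints.txt that the earlier `DIR /S /A:L` zoek step writes is plain DIR output, and the FRST fixlist above then deletes junctions inside the Windows Defender folders. The Python below parses such a listing and reports the reparse points worth attention, the strongest signal being a junction that sits where a DLL or EXE belongs, since junctions are directory reparse points, which is exactly the winsxs MpEvMsg.dll case the thread removes with `fsutil reparsepoint delete`. The sample listing is constructed: the MpCmdRun.exe junction, both junction targets and the Build Output symlink are invented for illustration, and the allowlist of Windows 7 compatibility junction names and the directory markers are my assumptions.

```python
# Added example: triage of a `DIR /S /A:L` listing (JunctionPoints.txt).
# Not part of the forum thread; the allowlist and markers below are assumptions.
import re
from typing import List, NamedTuple, Tuple


class ReparsePoint(NamedTuple):
    directory: str  # folder from the "Directory of ..." header
    kind: str       # JUNCTION, SYMLINK or SYMLINKD, as DIR prints it
    name: str       # entry name
    target: str     # target path DIR prints in [brackets]

    @property
    def path(self) -> str:
        return self.directory.rstrip("\\") + "\\" + self.name


_DIR_HEADER = re.compile(r"^\s*Directory of (.+?)\s*$")
# The date/time prefix is locale dependent, so only tag, name and [target] are matched.
_ENTRY = re.compile(r"<(JUNCTION|SYMLINKD?)>\s+(.+?)\s+\[(.*)\]\s*$")

# Compatibility junctions Windows 7 creates in every profile and the system root (assumed list).
_LEGACY_JUNCTION_NAMES = {
    "documents and settings", "application data", "local settings", "my documents",
    "start menu", "templates", "cookies", "nethood", "printhood", "recent", "sendto",
    "default user", "all users", "desktop", "favorites", "history",
    "temporary internet files", "my music", "my pictures", "my videos",
}
# Directories the thread shows being repaired; extend for other security products (assumed).
_PROTECTED_DIR_MARKERS = ("\\windows defender", "windows-defender")


def parse_dir_listing(text: str) -> List[ReparsePoint]:
    """Turn `DIR /S /A:L` output into ReparsePoint records, one per <JUNCTION>/<SYMLINK*> line."""
    points: List[ReparsePoint] = []
    current = None
    for line in text.splitlines():
        header = _DIR_HEADER.match(line)
        if header:
            current = header.group(1)
            continue
        entry = _ENTRY.search(line)
        if entry and current is not None:
            points.append(ReparsePoint(current, *entry.groups()))
    return points


def classify(rp: ReparsePoint) -> str:
    """Return why rp deserves attention, or '' for a known-benign compatibility junction."""
    name = rp.name.lower()
    if rp.kind == "JUNCTION" and name.endswith((".dll", ".exe", ".sys")):
        # A junction is a directory reparse point; one carrying a binary's name
        # means the real file was replaced (the MpEvMsg.dll case in the thread).
        return "junction in place of a binary"
    if any(marker in rp.directory.lower() for marker in _PROTECTED_DIR_MARKERS):
        return "reparse point inside a security-product directory"
    if rp.kind == "JUNCTION" and name in _LEGACY_JUNCTION_NAMES:
        return ""
    return "not a standard Windows compatibility junction; review manually"


def triage(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (path, kind, target, reason) for every reparse point that needs attention."""
    flagged = []
    for rp in parse_dir_listing(text):
        reason = classify(rp)
        if reason:
            flagged.append((rp.path, rp.kind, rp.target, reason))
    return flagged


# Constructed sample in the format `DIR /S /A:L` prints; the winsxs folder name and
# MpEvMsg.dll come from the thread, everything else (targets, MpCmdRun.exe, Build Output) is invented.
SAMPLE_LISTING = r"""
 Volume in drive C has no label.

 Directory of C:\

07/14/2009  05:08 AM    <JUNCTION>     Documents and Settings [C:\Users]
               0 File(s)              0 bytes

 Directory of C:\Users\me

05/04/2013  10:24 AM    <JUNCTION>     Application Data [C:\Users\me\AppData\Roaming]
05/04/2013  10:24 AM    <SYMLINKD>     Build Output [D:\build]

 Directory of C:\Program Files\Windows Defender

05/23/2013  02:24 AM    <JUNCTION>     MpCmdRun.exe [C:\Windows\Temp]

 Directory of C:\Windows\winsxs\amd64_security-malware-windows-defender-events_31bf3856ad364e35_6.1.7600.16385_none_118cf1dcd54a3dea

05/23/2013  02:24 AM    <JUNCTION>     MpEvMsg.dll [C:\Windows\Temp]
"""

if __name__ == "__main__":
    for path, kind, target, reason in triage(SAMPLE_LISTING):
        print(f"{kind:<9} {path} -> {target}: {reason}")
```

The script only reads text, so it can run on the infected machine or on any box the listing was copied to. Before deleting a hit, confirm it with `fsutil reparsepoint query <path>` so the reparse tag and target are on record; entries outside the allowlist are reported for manual review rather than silently accepted, because legitimate software also creates junctions.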
-
next logs. Hopefully we will get this fixed today. :)
-
the last ones. I hope.
-
Re-run zoek.exe as you did before but use this script:
{0633EE93-D776-472f-A0FF-E1416B8B2E3A};c
{0633EE93-D776-472f-A0FF-E1416B8B2E3A};c
emptyclsid;
fsutil reparsepoint delete "C:\Windows\winsxs\amd64_security-malware-windows-defender-events_31bf3856ad364e35_6.1.7600.16385_none_118cf1dcd54a3dea";b
fsutil reparsepoint delete "C:\Windows\winsxs\amd64_security-malware-windows-defender-events_31bf3856ad364e35_6.1.7600.16385_none_118cf1dcd54a3dea\MpEvMsg.dll";b
FFdefaults;
chrdefaults;
shortcutfix;
resetIEproxy;
ipconfig /flushdns >> %temp%\log.txt;b
resethosts;
emptyalltemp;
autoclean;
---------------------------------------
How is your computer running now?
-
I don't know yet. I will test it out. I think I am going to run those other tests that I couldn't before and do the Windows fix. What do you think? I also noticed I don't have a backup or system restore point
Thanks
-
Hi,
Please go to this file-sharing website and upload the sample that was created by the zoek.exe program.
C:\Users\Public\Desktop\sample_20130523_0224.zip
http://www.wikisend.com/
Paste here download link.
PS: break the download link by changing "http://" into "hxxp://"
I think I am going to run those other tests that I couldn't before and do the Windows fix.
What other tool? Don't run bloatware or various junkware tools for so-called Windows tests. Test it by hand: run browsers, run/start the antivirus, etc.
If all works well, that's it.
-
I ALSO ENCOUNTERED THIS VIRUS AND I WAS ABLE TO FIX IT...
In Windows 7 and Vista:
Go to the Start Menu and inside the Search box type CMD.
Now at the top of the Start menu you can see one file called CMD.
Right-click on that one and select the option RUN AS ADMINISTRATOR.
In Windows XP:
Go to Run and type "cmd" to open the command prompt.
Now you will get a black window. Inside that black window type the commands.
Type or copy & paste "sfc /scanfile=c:\windows\system32\services.exe" and press Enter.
Restart your computer.
Then scan it again using AVAST. You would be able to detect it again but now in temp files and it will be deleted at this time...
-
@ jomeryeoboy
This is this user's topic. You need to open a new topic and post the logs for review:
Follow the guide from here: http://forum.avast.com/index.php?topic=53253.0
AdwCleaner <-- cleaning adware & junkware
Malwarebytes <-- preventive, for malware removal
OTL and aswMBR <-- primary diagnostic system and antirootkit tools
-
I am sorry but I am lost. Are you saying that I have a file from zoek that states sample, or do you want me to make one? Let me know what you would like me to do. Do I have to remove all this stuff again?
-
I am sorry but I am lost. Are you saying that I have a file from zoek that states sample, or do you want me to make one? Let me know what you would like me to do.
Since you don't know of the existence of this file sample, you probably deleted it by mistake. Doesn't matter. Skip that. ;)
Do I have to remove all this stuff again?
Yep, remove it by downloading & running the DelFix tool.
Download DelFix (http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/9-delfix) by "Xplode" to your Desktop.
Run the tool and check the following boxes:
- Remove disinfection tools
- Create registry backup
- Purge System Restore
Now click on the "Run" button. Wait for the program to complete its work.
All the tools we used should be gone.
The tool will create and open a log report (DelFix.txt)
Note: The report will also be stored on C:\DelFix.txt
> I don't need DelFix log report.
-
I found the log but it is zipped and has a password so I can't do anything with it. Sorry. Thank you for your help. Do you know why the virus came right back?
-
I found the log but it is zipped and it won't unzip. Sorry. Thank you for your help. Do you know why the virus came right back?
Yes. You got a new variant of the ZeroAccess rootkit and our tools had not been updated to target/show all parts of this malware. Now everything is removed.