Help Me Cant get rid of sirefef,

[Ihatesirefef]

New to the forms, I did post very detailed thread before but i dont think it went through....

I Had sirefef, I think avast got rid of most but I still keep getting alerts for:

Win:64 Sirefef A(Trj)
Win:32 Sirefef AO(Rtk)
(And just a couple times I got malicouis URL for something like:
Windows system 32 Svchhost

Both pop up at the same time, I have tried many different programs(tdsskiller,spyhunter,Malwarebytes), nothing has really worked,

Malwarebytes did dectected pup my search once, after that nothing and now each time I run a scan, It gives me the same 2 threats(Same/similar to Avasts)

Need lots of help ASAP, Not an expert at the computer, but i am ok... 


Ill attach the Malwarebytes logs, one with the pup search, and one new one with the two threats...

Thanks,

[DavidR]

- This needs further analysis by a malware removal specialist:
Go to this topic http://forum.avast.com/index.php?topic=53253.0 for information on Logs to assist in cleaning malware. Use the information about getting and using the tools and attach the logs other logs here, not in the LOGS topic.

[Ihatesirefef]

Ok I will try to the steps there, and post the logs here, thanks...

[DavidR]

You're welcome.

When you have done so there might be a bit of a delay with different time zones and getting a qualified malware removal specialist to analyse the logs, so please bear with us.

[Ihatesirefef]

Ok Here are the new attachments from Malwarebytes and Otl...
(Its not giving to much personal info is it?)

(Usually Malwarebytes detects 2 things this time it was one)

Edit:
aswMBR,
Froze once and then blue screened after,

This time it worked,

aswMBR had no option for the anssi encoding

[SafeSurf]

How is your machine behaving now after doing performing the logs and the tools doing what they did?

I am going to refer you to our Certified Malware specialist, named Jeffce.  He will also review your logs and give you further instructions.  He will respond to you in this thread, so remember to check this thread daily.

Please do not make any further changes to your machine after you have provided the logs.

IMPORTANT: If you are on a home network, disconnect the affected machine from the network.  Do not share a USB/flash drive with this affected machine.  Do not use this machine unless Jeffce or another malware specialist instructs you do to malware removal instructions; use a different machine to check email, sync your phone or other devices.

Let us know if you have any questions.  Thank you.

[jeffce]

Hi,

Let me look these over and I will return shortly. 

[jeffce]

Ok....

**WARNING**Unfortunately one or more of the infections I have identified are Backdoor Trojans, IRCBots or other Malware capable of stealing very important information. You need to stop using all Internet Banking sites, change passwords to all sites with sensitive information from a clean computer and phone your bank to inform them that you may be a victim of identify theft. More often than not, we advise users that a full reinstallation of their Operating System is the only way to ensure that their computer will ever be 100% clean again.

Unfortunately I have found what is known as the ZeroAccess rootkit on your system. It is an especially nasty infection that can take quite some time to clean as well as may have damaged your system files itself. As a warning, during the cleaning (if you choose to do so) you may lose internet access with this computer and in the end we may need to reinstall the operating system anyway depending on the extent of the infection.

If you would like to format and reinstall your Operating System please let me know and we can assist you with that.

If you would like to continue with the cleaning, please continue with the following instructions and I will be more than happy to help. 
----------

Please download and run ERUNT (Emergency Recovery Utility NT).  This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.  **Remember if you are using Windows Vista as your operating system right-click the executable and Run as Administrator.
----------

If you are running Malwarebytes 1.6 or better, please disable it for the duration of this run.

To disable Malwarebytes

• Open the scanner and select the Protection tab
  
• Remove the tick from "Start Protection Module with Windows" as seen below

Once complete continue with the instructions...
----------

Run OTL.exe

• Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
  
  

Code: [Select]

:Services

:OTL
C:\Windows\Installer\{e76c179b-9f20-463a-014e-3b0f8e621e9b}
C:\Users\Home\AppData\Local\{e76c179b-9f20-463a-014e-3b0f8e621e9b}

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot when it is done
• Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
  

----------

Download Combofix from the link below, and save it to your desktop. 
Link

**Note:  It is important that it is saved directly to your desktop**
 If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.


--------------------------------------------------------------------

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

--------------------------------------------------------------------

Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.

When finished, it will produce a report for you. 

• Please post the C:\ComboFix.txt for further review.

----------

In your next reply please attach the logs made by OTL and ComboFix. 

[Ihatesirefef]

Ok, Thanks, A couple things

I will reinstall the OS if there is a way to keep some of my files... Can you make a partion (Only have one right now) now and then put your files on it? Will that work? or an External Hard Drive?(I dont have one anyways)

SafeSurf said to disable internet on this computer and not plug any usb devices in?
  Because I have done the opposite, 
Because I have plugged a couple USBs while I had the virus...
And I pretty much only use this computer, Is that ok, or does it really need to be disabled?...

I ran the Erunt once, I dont know where it put the file though...

On the OTL Do I run the deafult settings the first time?
 It says "Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )" But they arent checked the first time so should I check them?

[jeffce]

Hi,

If you were wanting to format you can save all of your files, music, pictures and such on a CD or thumb drive.  This infection isn't one that will jump.  You also can get on the internet if you want with it.
---------

Don't worry about ERUNT....I don't need to see the file.  It just backed up your registry.
---------

For OTL, copy/paste the text I provided in the Code Box into the Custom Scans/Fixes section and press Run Fix.  Once complete there will be a log created either immediately or after reboot.  After reboot, run a Quick Scan and that will be fine.  You don't need to check Purity or LOP.

Don't forget about ComboFix as well. 

[Ihatesirefef]

Ok I did those,

Side Stuff:
-(I did the the first OTL,
The second one had LOP and Purity checked I think,
So I did a 3rd one with them unchecked but they were still checked, Ill post all 3)
-I named combofix combofox
-I turned Avast back on now

[jeffce]

Hi,

Good job with all of that. 

 

• Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
  

Code: [Select]

ClearJavaCache::

DDS::
uStart Page = hxxp://google.ca/
uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421;<local>

RegLock::
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]

File::
c:\windows\System32\drivers\siouwto.sys

Registry::
[-HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^WhiteSmoke Translator.lnk]

Driver::
kjgbb


• Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
  
  
  
  
• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  
• Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  
• ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
• When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
  

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------

[Ihatesirefef]

Ok,

The first Time i tried windows blue screened, the second time it worked...

Is it almost gone?

[jeffce]

Hi,

Yes we are looking better.  Let's check to be sure nothing is left hiding in there.

Malwarebytes

I see that you have Malwarebytes already on your computer.  Please open Malwarebytes, update it and then run a Quick Scan.  Save the log that is created for your next reply.
----------

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan[/i]

• Tick the box next to YES, I accept the Terms of Use
  
• Click Start
  
• When asked, allow the ActiveX control to install
• Click Start
  
• Make sure that the options Remove found threats is NOT selected and the option Scan unwanted applications is selected.
  
• Click Scan (This scan can take several hours, so please be patient)
  
• If there are threats that are found, please press List of found threats and then in the next window that opens press Export to text file...
  
• Copy and paste/or attach that log as a reply to this topic

**Note** If not threats are found there will not be a log created.
----------

Please attach the logs made by Malwarebytes and ESET. 

[Ihatesirefef]

Ok,

Malwarebytes was clean, 
But ESET found some stuff,