Struggling with Win32:Sirefef-PL

[kykiske]

Evening,

I've picked up some sort of 'Win32:Sirefef-PL [Rtk]' infection. Between Malawarebytes, Tdsskiller, and Avast! I can usually rid myself of anything that comes up, but this one seems nasty. So I would appreciate some help.

Questions answered in order from the sticky.

1) Blocked first as Infection: Win32:Downloader-PKU [Trj]. Win32:Sirefef-PL [Rtk] detected in scanning. Can be deleted but returns as Trojan Horse Block repeatedly.
2) Unsure. Using Chrome. Browsing Tour de France streams.
3) Possibly fake flash install.
5) Infection: Win32:Downloader-PKU [Trj]. Object: c:\Windows\Installer\...\80000032.@. Action: Moved to chest. Process: C:\Windows\System32\services.exe

Thanks in advance for your help.

James

[Pondus]

follow this guide and attach (not copy and paste) logs from Malwarebytes / OTL / aswMBR
http://forum.avast.com/index.php?topic=53253.0

when done a malware remover will be notified: It may take sveral hours before one arrive so be patient

[jeffce]

Hi,

I will look these over when they arrive. 

[kykiske]

Thanks for your speedy replies.
Logs attached.
Just so you know, I won't be back with my machine for another 12-14 hours today.

[kykiske]

OTL / aswMBR logs are coming...

[kykiske]

OTL logs

[kykiske]

MBR logs attached.

[jeffce]

Download Combofix from either of the links below, and save it to your desktop. 
Link 1
Link 2

**Note:  It is important that it is saved directly to your desktop**
If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.


--------------------------------------------------------------------

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

--------------------------------------------------------------------

Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.

When finished, it will produce a report for you. 

• Please post the C:\ComboFix.txt for further review.

[kykiske]

Thanks for your continued assistance.

Combofix downloaded direct to desktop.

[kykiske]

(should have added I'll post reports later - after 5pm BST)

[jeffce]

Not a problem.  No hurry. 

[kykiske]

One quick question, am I advised to turn wifi (and hence internet) off before disabling antivirus/antispyware software and launching ComboFix? My instinct would be to turn off wifi to stop anything else getting in whilst antivirus/antispyware software is disabled. But I'm, of course, happy to follow you lead on this.

[jeffce]

You should just disable your antivirus program and firewall while running ComboFix.  Don't worry about the internet. 

[kykiske]

Okay. Thanks.

[jeffce]

No problem.