Please help: Win32:Malware-gen & Win32:Sirefef-PL [Rtk]

[Broom]

Hi all,

It seems that I am infected with these 2. Please could someone help me remove them, they are tough ones! Logs attached.

Thanks in advance,

Broom

[jeffce]

Hi,

**WARNING**Unfortunately one or more of the infections I have identified are Backdoor Trojans, IRCBots or other Malware capable of stealing very important information. You need to stop using all Internet Banking sites, change passwords to all sites with sensitive information from a clean computer and phone your bank to inform them that you may be a victim of identify theft. More often than not, we advise users that a full reinstallation of their Operating System is the only way to ensure that their computer will ever be 100% clean again.

Unfortunately I have found what is known as the ZeroAccess rootkit on your system. It is an especially nasty infection that can take quite some time to clean as well as may have damaged your system files itself. As a warning, during the cleaning (if you choose to do so) you may lose internet access with this computer and in the end we may need to reinstall the operating system anyway depending on the extent of the infection.

If you would like to format and reinstall your Operating System please let me know and we can assist you with that.

If you would like to continue with the cleaning, please continue with the following instructions and I will be more than happy to help. 
----------

Download Combofix from either of the links below, and save it to your desktop. 
Link 1
Link 2

**Note:  It is important that it is saved directly to your desktop**
If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.


--------------------------------------------------------------------

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

--------------------------------------------------------------------

Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.

When finished, it will produce a report for you. 

• Please post the C:\ComboFix.txt for further review.

[Broom]

Ouch.

Thanks for taking time to have a look Jeff, much appreciated. I'm gonna give the cleaning a go first.

I've attached the combofix log.

Cheers

[jeffce]

Hi,

• Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
  

Code: [Select]

File::
c:\program files\TTG\Offers\Offers.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Offers"=-

Driver::
LiveGpdKBFilter
LiveIO
Livekbc
Livemouclass


• Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
  
  
  
  
• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  
• Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  
• ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
• When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
  

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------

[Broom]

Hi Jeff,
Thanks for that. I followed your instrutions, but when Combofix did its reboot, my laptop now only gets to the windows log in screen with no keyboard or mouse function. I have tried powering down and up again to no avail. I'm using Windows 7 Home Premium. Thanks

[jeffce]

Hi,

Try to boot to Safe Mode and see if you have the same problem. 

[Broom]

Yes the same thing happens in safe mode.

[jeffce]

Hi,

Download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

• Restart the computer.
• As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  
• Use the arrow keys to select the Repair your computer menu item.
  
• Select US as the keyboard language settings, and then click Next.
  
• Select the operating system you want to repair, and then click Next.
  
• Select your user account an click Next.

To enter System Recovery Options by using Windows installation disc:

• Insert the installation disc.
• Restart your computer.
• If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
• Click Repair your computer.
  
• Select US as the keyboard language settings, and then click Next.
  
• Select the operating system you want to repair, and then click Next.
  
• Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt[/list]

• Select Command Prompt
  
• In the command window type in notepad and press Enter.
  
• The notepad opens. Under File menu select Open.
  
• Select "Computer" and find your flash drive letter and close the notepad.
• In the command window type e:\frst.exe (for x64 bit version type e:\frst64)  and press Enter
  Note: Replace letter e with the drive letter of your flash drive.
  
• The tool will start to run.
• When the tool opens click Yes to disclaimer.
• Press Scan button.
  
• It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

[Broom]

Hi Jeff, I've attached the txt file as it is too big to copy and paste. Thanks for your continued help. I'm into the realms of the unknown here.

==================

[jeffce]

Hi,

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt

Code: [Select]

Last Boot: 2012-07-18 12:38

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.
Run FRST and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Try to boot to your system and let me know if it is back. 

[Broom]

My system is back up and running, thanks! Fixlog is attached.

[Broom]

Hi Jeff,

Something doesn't seem right here now. I can turn avast virus protection or shields back on, nor my firewall. I get this message from firewall: "Windows Firewall can't change some of your settings. Error code 0x80070424"
Thanks

[jeffce]

Hi,

Ok for the time being only visit this site and download the tools we need from the sites that I provide.  We look over your Windows firewall later.  The infection on your system has created some damage we will need to fix. 

Run FRST again and just run a scan.  Please attach the log to your next reply. 

[Broom]

Hi, I've done that. FRST log file attached. Thanks

[Broom]

Also I should mention there is a dodgy icon in the system tray telling me an update is ready to install, that I do not recognise, it kinda looks like the Adobe Reader icon but it's a poor copy. I guess that is part of a virus too.