Author Topic: 0000008.@ Infection and Sirfef infection help  (Read 14251 times)


RK90217

  • Guest
0000008.@ Infection and Sirfef infection help
« on: July 25, 2012, 09:11:42 PM »
Topic infections, not even sure what else. Not very tech savvy, so I apologize in advance if I'm a bit slow to figure things out. Will post FSS log in next post.

RK90217

  • Guest
Re: 0000008.@ Infection and Sirfef infection help
« Reply #1 on: July 25, 2012, 09:13:01 PM »
FSS logs attached. Let me know if I need anything else, help is much appreciated.

jeffce

  • Guest
Re: 0000008.@ Infection and Sirfef infection help
« Reply #2 on: July 25, 2012, 09:17:50 PM »
Hi,

**WARNING** Unfortunately one or more of the infections I have identified are Backdoor Trojans, IRCBots or other Malware capable of stealing very important information. You need to stop using all Internet Banking sites, change passwords to all sites with sensitive information from a clean computer and phone your bank to inform them that you may be a victim of identity theft. More often than not, we advise users that a full reinstallation of their Operating System is the only way to ensure that their computer will ever be 100% clean again.

Unfortunately I have found what is known as the ZeroAccess rootkit on your system. It is an especially nasty infection that can take quite some time to clean as well as may have damaged your system files itself. As a warning, during the cleaning (if you choose to do so) you may lose internet access with this computer and in the end we may need to reinstall the operating system anyway depending on the extent of the infection.

If you would like to format and reinstall your Operating System please let me know and we can assist you with that.

If you would like to continue with the cleaning, please continue with the following instructions and I will be more than happy to help.  :)
----------

Download Combofix from either of the links below, and save it to your desktop. 
Link 1
Link 2

**Note:  It is important that it is saved directly to your desktop**
If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.


--------------------------------------------------------------------

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

--------------------------------------------------------------------

  • Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt for further review.

RK90217

  • Guest
Re: 0000008.@ Infection and Sirfef infection help
« Reply #3 on: July 25, 2012, 09:35:31 PM »
Thank you for the quick reply. I would prefer to not have to reformat my computer because I have over 900GB of programs on it, but if that is the best solution then I will do what needs done, just let me know. For now, I hope we can just clean it without a reformat. Combofix log attached.
« Last Edit: July 25, 2012, 10:25:28 PM by RK90217 »

RK90217

  • Guest
Re: 0000008.@ Infection and Sirfef infection help
« Reply #4 on: July 25, 2012, 10:58:15 PM »
Also, if it comes to me having to reformat, how would I go about reinstalling windows without a cd? I just looked for my windows cds and I'm not able to find them, is there a way to create one or would I need to purchase a new windows 7 disc?

jeffce

  • Guest
Re: 0000008.@ Infection and Sirfef infection help
« Reply #5 on: July 26, 2012, 03:08:51 AM »
Hi,

I think we are looking pretty good so far.  :)
-------
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
Code:
ClearJavaCache::

DDS::
uStart Page = hxxp://www.gamefaqs.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local;<local>

Firefox::
FF - ProfilePath - c:\users\Ray\AppData\Roaming\Mozilla\Firefox\Profiles\9q7r6kjw.default\
FF - prefs.js: keyword.URL - hxxp://lf.startnow.com/s/?src=addrbar&provider=bing&provider_name=bing&provider_code=Z051&partner_id=276&product_id=709&affiliate_id=&channel=4000&toolbar_id=200&toolbar_version=2.1.0&install_country=US&install_date=20110727&user_guid=F0203CEFC2E04D67947DF704045137A8&machine_id=e52e6371d6f187a616c5360c832d60ee&browser=FF&os=win&os_version=6.1-x64-SP1&q=

RegNull::
[HKEY_USERS\S-1-5-21-2358422974-4226417570-1287725948-1000\Software\KISS\«0¹0¿0à0á0¤0É03*D*]
[HKEY_USERS\S-1-5-21-2358422974-4226417570-1287725948-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{030C80EA-F8BC-29D4-E59D-AA88D3ABEF35}*]
[HKEY_USERS\S-1-5-21-2358422974-4226417570-1287725948-1000\Software\relic UGP Applications\age\’}*’u*’0 ’ ’I*’9 ’^*’l*’C*’e*’B*’ \Installation]
[HKEY_USERS\S-1-5-21-2358422974-4226417570-1287725948-1000\Software\relic UGP Applications\age\’}*’u*’0 ’ ’I*’9 ’^*’l*’C*’e*’B*’ \rUGPBasic]
[HKEY_USERS\S-1-5-21-2358422974-4226417570-1287725948-1000\Software\relic UGP Applications\age\’}*’u*’0 ’ ’I*’9 ’^*’l*’C*’e*’B*’ \rvmmBoxSettings]
[HKEY_USERS\S-1-5-21-2358422974-4226417570-1287725948-1000\Software\relic UGP Applications\age\’}*’u*’0 ’ ’I*’9 ’^*’l*’C*’e*’B*’ \rvmmInstallation]
[HKEY_USERS\S-1-5-21-2358422974-4226417570-1287725948-1000\Software\relic UGP Applications\age\’}*’u*’0 ’ ’I*’9 ’^*’l*’C*’e*’B*’ \rvmmPeculiarToTheApp]
[HKEY_USERS\S-1-5-21-2358422974-4226417570-1287725948-1000\Software\relic UGP Applications\age\’}*’u*’0 ’ ’I*’9 ’^*’l*’C*’e*’B*’ \rvmmUISettings]
[HKEY_USERS\S-1-5-21-2358422974-4226417570-1287725948-1000\Software\relic UGP Applications\age\Þ0Ö0é0ô01*1*\Installation]
[HKEY_USERS\S-1-5-21-2358422974-4226417570-1287725948-1000\Software\relic UGP Applications\age\Þ0Ö0é0ô01*1*\InstallFont]
[HKEY_USERS\S-1-5-21-2358422974-4226417570-1287725948-1000\Software\relic UGP Applications\age\Þ0Ö0é0ô01*1*\PeculiarToTheApp]
[HKEY_USERS\S-1-5-21-2358422974-4226417570-1287725948-1000\Software\relic UGP Applications\age\Þ0Ö0é0ô01*1*\rUGPBasic]
[HKEY_USERS\S-1-5-21-2358422974-4226417570-1287725948-1000\Software\relic UGP Applications\age\Þ0Ö0é0ô01*1*\rvmmBoxSettings]
[HKEY_USERS\S-1-5-21-2358422974-4226417570-1287725948-1000\Software\relic UGP Applications\age\Þ0Ö0é0ô01*1*\rvmmInstallation]
[HKEY_USERS\S-1-5-21-2358422974-4226417570-1287725948-1000\Software\relic UGP Applications\age\Þ0Ö0é0ô01*1*\rvmmPeculiarToTheApp]
[HKEY_USERS\S-1-5-21-2358422974-4226417570-1287725948-1000\Software\relic UGP Applications\age\Þ0Ö0é0ô01*1*\rvmmUISettings]
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------

RK90217

  • Guest
Re: 0000008.@ Infection and Sirfef infection help
« Reply #6 on: July 26, 2012, 03:34:02 AM »
Thank you again for the help, attached the combofix log.

jeffce

  • Guest
Re: 0000008.@ Infection and Sirfef infection help
« Reply #7 on: July 26, 2012, 02:00:00 PM »
Hi,

Malwarebytes

I see that you have Malwarebytes already on your computer.  Please open Malwarebytes, update it and then run a Quick Scan.  Save the log that is created for your next reply.
----------

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is NOT selected and the option Scan unwanted applications is selected.
  • Click Scan (This scan can take several hours, so please be patient)
  • If there are threats that are found, please press List of found threats and then in the next window that opens press Export to text file...
  • Copy and paste or attach that log as a reply to this topic
**Note** If no threats are found there will not be a log created.
----------

RK90217

  • Guest
Re: 0000008.@ Infection and Sirfef infection help
« Reply #8 on: July 26, 2012, 08:45:34 PM »
Malwarebytes did not find any infections, but at first it would see the 0000008.@ if I did quick scan, and I did a restart after the "removal" when I first noticed the infection and the next time it would not find it during a quick scan. I did a full scan just to be sure, and it found the same 0000008.@ in the same spot, only it no longer finds it during quick scans. Once I realized it couldn't remove it, that's when I decided to come here because I wasn't sure what to do. Not sure if that information helps, but I figured I would post it just in case.

Both logs attached.
« Last Edit: July 26, 2012, 08:51:09 PM by RK90217 »

jeffce

  • Guest
Re: 0000008.@ Infection and Sirfef infection help
« Reply #9 on: July 26, 2012, 09:50:00 PM »
Please delete the current version of Combofix.exe from your desktop and download a new version from here to your desktop.

Disable your AntiVirus and AntiSpyware applications.

Right-click and Run as Administrator on the Combofix.exe and follow the prompts on your display. When finished, it will create a C:\Combofix.txt. Please post this log for further review.
---------

RK90217

  • Guest
Re: 0000008.@ Infection and Sirfef infection help
« Reply #10 on: July 26, 2012, 10:08:01 PM »
Combofix log attached.

jeffce

  • Guest
Re: 0000008.@ Infection and Sirfef infection help
« Reply #11 on: July 26, 2012, 10:56:55 PM »

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
    Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

RK90217

  • Guest
Re: 0000008.@ Infection and Sirfef infection help
« Reply #12 on: July 26, 2012, 11:27:16 PM »
I tried booting it up and pressing F8 and it doesn't seem to bring anything up. I also do not have my windows installation disc, in an earlier post I asked if I could create one or if I needed to purchase a new one. I don't have the money currently to buy a new disc (I believe they are $100-200?), so I'm out of luck on that unfortunately.

RK90217

  • Guest
Re: 0000008.@ Infection and Sirfef infection help
« Reply #13 on: July 26, 2012, 11:33:19 PM »
Apologies, I wasn't pressing it at the right time apparently. Running the tool now.

RK90217

  • Guest
Re: 0000008.@ Infection and Sirfef infection help
« Reply #14 on: July 26, 2012, 11:38:16 PM »
FRST Log attached.