Author Topic: Infected with Win32:Sirefef-ZT [trj]  (Read 21330 times)


Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Infected with Win32:Sirefef-ZT [trj]
« Reply #30 on: September 26, 2012, 02:32:13 PM »
Hi rmdudley,

AutoKMS is a crack for Microsoft Office. Basically it means you have a pirated copy of Office and I will not be able to continue helping unless the crack is removed. Whether it was the source of the infection I can't say, as I don't know where the file came from.

This is a likely source, µTorrent.

µTorrent, a P2P/file-sharing program, is installed on your computer. P2P applications like it are the largest source of malware we see. You'll be doing yourself a favor by removing it. It's not the program itself that is the problem but what can be downloaded with it, usually from an unknown source.

References for the risk of these programs can be found in these links:
http://www.microsoft.com/windows/ie/commun...protection.mspx

http://www.internetworldstats.com/articles/art053.htm

http://www.techweb.com/wire/1605005...cles/art053.htm

I would recommend that you uninstall µTorrent, however that choice is up to you. If you choose to remove this program, you can do so via Control Panel >> Add or Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.

Next, Double click on OTL.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
  • Do Not copy the word CODE
  • please note the fix starts with the :
Code:

:Services

:Reg

:Files
C:\Windows\tasks\AutoKMS.job
c:\windows\AutoKMS\AutoKMS.exe
c:\windows\AutoKMS
C:\Windows\Installer\{a8047732-9f60-a7bf-f924-28a8eecaaf59}\@
C:\Windows\Installer\{a8047732-9f60-a7bf-f924-28a8eecaaf59}\L\00000004.@
C:\Windows\Installer\{a8047732-9f60-a7bf-f924-28a8eecaaf59}\U\00000004.@
C:\Windows\Installer\{a8047732-9f60-a7bf-f924-28a8eecaaf59}\U\00000008.@
C:\Windows\Installer\{a8047732-9f60-a7bf-f924-28a8eecaaf59}\U\80000064.@
C:\Windows\Installer\{a8047732-9f60-a7bf-f924-28a8eecaaf59}
C:\Windows\Installer\{a8047732-9f60-a7bf-f924-28a8eecaaf59}\L
C:\Windows\Installer\{a8047732-9f60-a7bf-f924-28a8eecaaf59}\U

:Commands
[createrestorepoint]
[emptytemp]

Then click the Run Fix button at the top
  • Let the program run unhindered
  • Please save the resulting log to be posted in your next reply.
  • Reboot your computer
Please post the OTL fix log.

« Last Edit: September 26, 2012, 02:33:44 PM by oldman »
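The paths in the fix above follow the layout ZeroAccess/Sirefef uses: a fake MSI package folder under C:\Windows\Installer named with a GUID, an "@" marker file inside it, and payload modules named with eight hex digits plus ".@" under its L\ and U\ subfolders; the AutoKMS task and binary are the Office crack. As an added example (not oldman's code or anything from the thread), here is a small Python scanner that flags those paths and a helper that writes them back out as an OTL ":Files" block in an order that removes subfolders before their parents. SAMPLE_PATHS, the function names and the regexes are the example's own.

```python
r"""Flag the Sirefef/ZeroAccess droppings and the AutoKMS crack targeted by the OTL fix above,
and emit an OTL ':Files' block for whatever is found.

Added example, not code from the thread. The path layout (an '@' marker directly under a
fake C:\Windows\Installer\{GUID} package folder, '<8 hex digits>.@' modules under its L\ and
U\ subfolders, the AutoKMS scheduled task and binary) is taken from the fix script; the
regexes, function names and SAMPLE_PATHS are this example's own.
"""
import os
import re
from typing import Dict, Iterable, List, Optional, Tuple

GUID = r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}"
INSTALLER = r"^[a-z]:\\windows\\installer\\" + GUID

# label -> regex over a full backslash-separated Windows path (matched case-insensitively)
PATTERNS: Dict[str, re.Pattern] = {
    "zeroaccess_marker": re.compile(INSTALLER + r"\\@$", re.I),
    "zeroaccess_module": re.compile(INSTALLER + r"\\[lu]\\[0-9a-f]{8}\.@$", re.I),
    "autokms_task": re.compile(r"^[a-z]:\\windows\\tasks\\autokms\.job$", re.I),
    "autokms_exe": re.compile(r"^[a-z]:\\windows\\autokms\\autokms\.exe$", re.I),
}

# Constructed sample: the ZeroAccess and AutoKMS paths come from the fix script above;
# the other two are benign look-alikes to show what is NOT flagged.
SAMPLE_PATHS = [
    r"C:\Windows\Installer\{a8047732-9f60-a7bf-f924-28a8eecaaf59}\@",
    r"C:\Windows\Installer\{a8047732-9f60-a7bf-f924-28a8eecaaf59}\U\80000064.@",
    r"C:\Windows\Installer\{ABCDEF01-1234-5678-9abc-def012345678}\ARPPRODUCTICON.exe",
    r"C:\Windows\Tasks\AutoKMS.job",
    r"C:\Windows\AutoKMS\AutoKMS.exe",
    r"C:\Windows\System32\services.exe",
]


def classify(path: str) -> Optional[str]:
    """Label of the first pattern that matches the path, or None for a clean path."""
    norm = path.replace("/", "\\")
    for label, rx in PATTERNS.items():
        if rx.search(norm):
            return label
    return None


def scan_paths(paths: Iterable[str]) -> List[Tuple[str, str]]:
    """Classify an iterable of full paths; return (path, label) for the hits, in input order."""
    hits: List[Tuple[str, str]] = []
    for p in paths:
        label = classify(p)
        if label is not None:
            hits.append((p, label))
    return hits


def scan_tree(root: str) -> List[Tuple[str, str]]:
    r"""Walk a real directory (e.g. r'C:\Windows') and classify every file under it."""
    def walk() -> Iterable[str]:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                yield os.path.join(dirpath, name)
    return scan_paths(walk())


def otl_files_section(hits: List[Tuple[str, str]]) -> List[str]:
    r"""Build an OTL ':Files' block: flagged files first, then their folders, deepest first,
    so a subfolder is removed before its parent (the fix above listed the parent first and
    OTL then reported the L\ and U\ subfolders as 'not found')."""
    files = [p for p, _ in hits]
    folders = set()
    for p, label in hits:
        norm = p.replace("/", "\\")
        parent = norm.rsplit("\\", 1)[0]
        if label.startswith("zeroaccess"):
            folders.add(parent)                                    # GUID root or its L\ / U\ subfolder
            folders.add(re.match(INSTALLER, norm, re.I).group(0))  # always take the GUID root too
        elif label == "autokms_exe":
            folders.add(parent)                                    # C:\Windows\AutoKMS
    ordered = sorted(folders, key=lambda d: (-d.count("\\"), d.lower()))
    return [":Files", *files, *ordered]


if __name__ == "__main__":
    found = scan_paths(SAMPLE_PATHS)
    for path, label in found:
        print(f"{label:18} {path}")
    print("\n".join(otl_files_section(found)))
```

On a live box you would call scan_tree(r"C:\Windows") instead of the sample list. One caveat: ZeroAccess protects its own files with restrictive ACLs, so an os.walk run as a normal user may not see the ".@" modules even though the GUID folder is there; the folder itself showing up is already a strong enough signal to act on, and a scan from a clean boot medium avoids the problem entirely.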

rmdudley

  • Guest
Re: Infected with Win32:Sirefef-ZT [trj]
« Reply #31 on: September 26, 2012, 08:01:04 PM »
Wow... I'm really not that shocked to be honest with you. I asked him if he could get me a program that I could use on his computer (this one) to re-do my old resume and other files. I did not think he would be this careless in using a cracked v. of MS Office.  Thanks for making me aware of how greedy and idiotic my boyfriend can be. I will have to let him know now about what I did with the uTorrent and MSO. At first, I thought it was my doing for searching for jobs online and I happened to click a website that infected us. Guess I was wrong, lol.

Anyways...

I uninstalled uTorrent and proceeded with the instructions for OTL.

Here is the log:
_______________________________________________________________________________________________________


All processes killed
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\Windows\tasks\AutoKMS.job moved successfully.
c:\windows\AutoKMS\AutoKMS.exe moved successfully.
c:\windows\AutoKMS folder moved successfully.
File\Folder C:\Windows\Installer\{a8047732-9f60-a7bf-f924-28a8eecaaf59}\@ not found.
File\Folder C:\Windows\Installer\{a8047732-9f60-a7bf-f924-28a8eecaaf59}\L\00000004.@ not found.
File\Folder C:\Windows\Installer\{a8047732-9f60-a7bf-f924-28a8eecaaf59}\U\00000004.@ not found.
File\Folder C:\Windows\Installer\{a8047732-9f60-a7bf-f924-28a8eecaaf59}\U\00000008.@ not found.
File\Folder C:\Windows\Installer\{a8047732-9f60-a7bf-f924-28a8eecaaf59}\U\80000064.@ not found.
C:\Windows\Installer\{a8047732-9f60-a7bf-f924-28a8eecaaf59}\U folder moved successfully.
C:\Windows\Installer\{a8047732-9f60-a7bf-f924-28a8eecaaf59}\L folder moved successfully.
C:\Windows\Installer\{a8047732-9f60-a7bf-f924-28a8eecaaf59} folder moved successfully.
File\Folder C:\Windows\Installer\{a8047732-9f60-a7bf-f924-28a8eecaaf59}\L not found.
File\Folder C:\Windows\Installer\{a8047732-9f60-a7bf-f924-28a8eecaaf59}\U not found.
========== COMMANDS ==========
Restore point Set: OTL Restore Point
 
[EMPTYTEMP]
 
User: All Users
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 56468 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
User: jason
->Temp folder emptied: 119832 bytes
->Temporary Internet Files folder emptied: 316301308 bytes
->Java cache emptied: 77815198 bytes
->FireFox cache emptied: 191879214 bytes
->Apple Safari cache emptied: 4603904 bytes
->Flash cache emptied: 1155 bytes
 
User: Public
->Temp folder emptied: 0 bytes
 
User: UpdatusUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 56468 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 512000 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 482926 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 67630 bytes
RecycleBin emptied: 0 bytes
 
Total Files Cleaned = 564.00 mb
 
 
OTL by OldTimer - Version 3.2.66.0 log created on 09262012_133616

Files\Folders moved on Reboot...
C:\Users\jason\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
File move failed. C:\Windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...


_______________________________________________________________________________________________________

**Thanks for finally finding the target!!
« Last Edit: September 26, 2012, 08:04:28 PM by rmdudley »
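The log above is what OTL writes for each target: "moved successfully", "not found", or "scheduled to be moved on reboot". As an added example (not the poster's code, and not part of OTL), the Python below parses such a log and checks that every path in the fix script got one of those outcomes. SAMPLE_LOG is an excerpt of the log just posted; TARGETS is the fix's ":Files" list plus one constructed path, marked as such, so the check has something to report.

```python
r"""Parse an OTL fix log and confirm every path in the fix script reached a terminal state
(moved, not found, or scheduled for removal on reboot).

Added example, not code from the thread. SAMPLE_LOG is an excerpt of the fix log posted
above; TARGETS is the ':Files' list from the fix script plus one constructed path, marked
below, so the check has something to report.
"""
import re
from typing import Any, Dict, List

# Line shapes seen in the log above
RX_MOVED = re.compile(r"^(?P<path>.+?)(?: folder)? moved successfully\.$")
RX_NOT_FOUND = re.compile(r"^File\\Folder (?P<path>.+?) not found\.$")
RX_REBOOT = re.compile(r"^File move failed\. (?P<path>.+?) scheduled to be moved on reboot\.$")
RX_RESTORE = re.compile(r"^Restore point Set: ")

SAMPLE_LOG = r"""All processes killed
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\Windows\tasks\AutoKMS.job moved successfully.
c:\windows\AutoKMS\AutoKMS.exe moved successfully.
c:\windows\AutoKMS folder moved successfully.
File\Folder C:\Windows\Installer\{a8047732-9f60-a7bf-f924-28a8eecaaf59}\@ not found.
File\Folder C:\Windows\Installer\{a8047732-9f60-a7bf-f924-28a8eecaaf59}\L\00000004.@ not found.
File\Folder C:\Windows\Installer\{a8047732-9f60-a7bf-f924-28a8eecaaf59}\U\00000004.@ not found.
File\Folder C:\Windows\Installer\{a8047732-9f60-a7bf-f924-28a8eecaaf59}\U\00000008.@ not found.
File\Folder C:\Windows\Installer\{a8047732-9f60-a7bf-f924-28a8eecaaf59}\U\80000064.@ not found.
C:\Windows\Installer\{a8047732-9f60-a7bf-f924-28a8eecaaf59}\U folder moved successfully.
C:\Windows\Installer\{a8047732-9f60-a7bf-f924-28a8eecaaf59}\L folder moved successfully.
C:\Windows\Installer\{a8047732-9f60-a7bf-f924-28a8eecaaf59} folder moved successfully.
File\Folder C:\Windows\Installer\{a8047732-9f60-a7bf-f924-28a8eecaaf59}\L not found.
File\Folder C:\Windows\Installer\{a8047732-9f60-a7bf-f924-28a8eecaaf59}\U not found.
========== COMMANDS ==========
Restore point Set: OTL Restore Point
Total Files Cleaned = 564.00 mb
Files\Folders moved on Reboot...
C:\Users\jason\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
File move failed. C:\Windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.
"""

# The ':Files' list from the fix script, plus one constructed path that the log never mentions
TARGETS = [
    r"C:\Windows\tasks\AutoKMS.job",
    r"c:\windows\AutoKMS\AutoKMS.exe",
    r"c:\windows\AutoKMS",
    r"C:\Windows\Installer\{a8047732-9f60-a7bf-f924-28a8eecaaf59}\@",
    r"C:\Windows\Installer\{a8047732-9f60-a7bf-f924-28a8eecaaf59}\L\00000004.@",
    r"C:\Windows\Installer\{a8047732-9f60-a7bf-f924-28a8eecaaf59}\U\00000004.@",
    r"C:\Windows\Installer\{a8047732-9f60-a7bf-f924-28a8eecaaf59}\U\00000008.@",
    r"C:\Windows\Installer\{a8047732-9f60-a7bf-f924-28a8eecaaf59}\U\80000064.@",
    r"C:\Windows\Installer\{a8047732-9f60-a7bf-f924-28a8eecaaf59}",
    r"C:\Windows\Installer\{a8047732-9f60-a7bf-f924-28a8eecaaf59}\L",
    r"C:\Windows\Installer\{a8047732-9f60-a7bf-f924-28a8eecaaf59}\U",
    r"C:\Windows\Tasks\Constructed-Example.job",  # constructed: not in the fix, not in the log
]


def norm_path(path: str) -> str:
    """Case- and separator-insensitive key, since OTL echoes paths as typed."""
    return path.strip().replace("/", "\\").rstrip("\\").lower()


def parse_otl_fix_log(text: str) -> Dict[str, Any]:
    outcomes: Dict[str, str] = {}
    restore_point = False
    for raw in text.splitlines():
        line = raw.strip()
        if RX_RESTORE.match(line):
            restore_point = True
            continue
        for rx, state in ((RX_NOT_FOUND, "not_found"), (RX_REBOOT, "reboot_pending"), (RX_MOVED, "moved")):
            m = rx.match(line)
            if m:
                # OTL reports a subfolder as 'not found' again once its parent is gone; keep the first state
                outcomes.setdefault(norm_path(m.group("path")), state)
                break
    return {"outcomes": outcomes, "restore_point": restore_point}


def summarize(parsed: Dict[str, Any]) -> Dict[str, int]:
    counts = {"moved": 0, "not_found": 0, "reboot_pending": 0}
    for state in parsed["outcomes"].values():
        counts[state] += 1
    return counts


def unresolved_targets(targets: List[str], parsed: Dict[str, Any]) -> List[str]:
    """Targets from the fix script that the log never mentions: rerun OTL for them or look closer."""
    return [t for t in targets if norm_path(t) not in parsed["outcomes"]]


if __name__ == "__main__":
    result = parse_otl_fix_log(SAMPLE_LOG)
    print(summarize(result), "restore point:", result["restore_point"])
    print("unresolved:", unresolved_targets(TARGETS, result))
```

The ".@" files reported "not found" while their L\ and U\ folders "moved successfully" is consistent, not a failure: OTL removed the folders with their contents, so the individual entries had nothing left to act on. What would matter is a target that appears nowhere in the log, which is what unresolved_targets surfaces.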

Offline oldman
Re: Infected with Win32:Sirefef-ZT [trj]
« Reply #32 on: September 27, 2012, 12:54:52 PM »
Hi rmdudley,

Thank you for understanding.

Have you considered using something like Open Office?

Next

You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM

  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


Next


*Note
It is recommended to disable your onboard antivirus and antispyware programs while performing scans so there are no conflicts, and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.



Go here to run an online scanner from ESET

(Note: You can use Internet Explorer or Firefox for this scan. If you use Firefox you will be asked to install an additional component. Please allow this.)

  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Disable your Antivirus software. You can usually do this with its Notification Tray icon near the clock
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is Checked.
  • Click Scan.
  • Wait for the scan to finish.
  • When the scan completes, click List of found threats
  • click Export to Text file and save the file to your desktop using a unique name, such as ESETScan.
  • Include the contents of this report in your next reply
Note - when ESET doesn't find any threats, no report will be created.

  • Push the back button.
  • Push Finish
  • Re-enable your Antivirus software.
Please post back with
  • MBAM log
  • ESET log if there was one
Any problems.

rmdudley

  • Guest
Re: Infected with Win32:Sirefef-ZT [trj]
« Reply #33 on: September 28, 2012, 01:57:24 AM »
Here is the log for MBAM; the ESET log is attached.


MBAM:

________________________________________________________________________________________________


Malwarebytes Anti-Malware 1.65.0.1400
www.malwarebytes.org

Database version: v2012.09.27.10

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
jason :: JASON-PC [administrator]

9/27/2012 19:51:22
mbam-log-2012-09-27 (19-51-22).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 228653
Time elapsed: 2 minute(s), 34 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)




Thanks




Offline oldman
Re: Infected with Win32:Sirefef-ZT [trj]
« Reply #34 on: September 28, 2012, 04:30:48 AM »
Hi rmdudley ,


All the ESET detections except one were files we have already quarantined. These will be removed when we remove the tools.


Please rerun Farbar Service Scanner and post the log. We'll see if any problems remain there. If everything is ok we'll clean up after you post back.

rmdudley

  • Guest
Re: Infected with Win32:Sirefef-ZT [trj]
« Reply #35 on: September 29, 2012, 08:23:00 PM »
Sorry about the delay... Partner has been on the computer playing a lot during his day off, lol. Anyways...

I reran the FSS like you said and here is the log:

__________________________________________________________________________________________________________________


Farbar Service Scanner Version: 19-09-2012
Ran by jason (administrator) on 29-09-2012 at 14:20:51
Running from "C:\Users\jason\Downloads"
Microsoft Windows 7 Professional  Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============

Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\ipnathlp.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****


__________________________________________________________________________________________________________________

Wow this looks very good, the first time we ran this program on this computer it had all kinds of BS wrong with it, lol.


Lets clean up!!   :)
« Last Edit: September 29, 2012, 08:27:38 PM by rmdudley »
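In the FSS log above, the headings for services, firewall, System Restore and Windows Update have nothing under them and every entry in the File Check block reads "MD5 is legit"; that emptiness is the clean result, and the problems the poster saw on the first run would have shown up as lines under those headings. As an added example (not the poster's code and not part of Farbar's tool), here is a Python parser that splits an FSS log into its sections and returns only what needs attention. CLEAN_LOG is an excerpt of the log above; DIRTY_LOG is constructed, and because the exact wording FSS uses for a failed check is an assumption here, the checker does not match failure strings but treats anything other than the pass lines shown above as a finding.

```python
r"""Parse Farbar Service Scanner (FSS) output and list what still needs attention.

Added example, not code from the thread. CLEAN_LOG is an excerpt of the FSS log above.
DIRTY_LOG is constructed: the exact wording FSS uses for a failed check is an assumption
here, so the checker does not match failure strings; it treats anything other than the
'MD5 is legit' and 'is accessible' / 'connected' lines shown above as a finding, and any
body text at all under the headings that the clean log leaves empty.
"""
import re
from typing import Dict, List, Tuple

RX_RULE = re.compile(r"^=+$")
RX_FILE_CHECK = re.compile(r"^(?P<path>.+?) => (?P<status>.+)$")

CLEAN_LOG = r"""Farbar Service Scanner Version: 19-09-2012
Ran by jason (administrator) on 29-09-2012 at 14:20:51
Microsoft Windows 7 Professional  Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.

Windows Firewall:
=============

System Restore:
============

Other Services:
==============

File Check:
========
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit

**** End of log ****
"""

# Constructed: not real FSS wording, only the shapes the checker has to cope with
DIRTY_LOG = r"""Farbar Service Scanner Version: 19-09-2012
Boot Mode: Safe Mode
****************************************************************

Connection Status:
==============
Localhost is accessible.
Google.com is not accessible.

Windows Firewall:
=============
mpssvc Service is not running.

File Check:
========
C:\Windows\System32\services.exe => MD5 is not legit
C:\Windows\System32\svchost.exe => MD5 is legit

**** End of log ****
"""


def split_sections(text: str) -> Dict[str, List[str]]:
    """A section is a 'Title:' line followed by a line of '=' signs; its body runs to the next title."""
    lines = text.splitlines()
    sections: Dict[str, List[str]] = {}
    current = None
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        if line.endswith(":") and RX_RULE.match(nxt):
            current = line[:-1]
            sections[current] = []
            i += 2
            continue
        if current is not None and line and not line.startswith("****"):
            sections[current].append(line)
        i += 1
    return sections


def audit(text: str) -> List[Tuple[str, str]]:
    """(section, line) for every line that is not a known pass result."""
    findings: List[Tuple[str, str]] = []
    for title, body in split_sections(text).items():
        if title == "Connection Status":
            for line in body:
                if not (line.endswith("is accessible.") or line.endswith("connected.")):
                    findings.append((title, line))
        elif title == "File Check":
            for line in body:
                m = RX_FILE_CHECK.match(line)
                if not m or m.group("status") != "MD5 is legit":
                    findings.append((title, line))
        else:
            # FSS prints nothing under these headings when the check passes (see the log above),
            # so any body line is something to look at.
            for line in body:
                findings.append((title, line))
    return findings


if __name__ == "__main__":
    for name, log in (("clean", CLEAN_LOG), ("dirty", DIRTY_LOG)):
        print(name, audit(log) or "no findings")
```

The File Check block is the part worth automating: ZeroAccess variants of this era patched services.exe and other system binaries in place (the last post in this thread reports exactly that), so a file under System32 whose hash FSS does not vouch for is the first thing to chase, before anything in the service or firewall sections.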

Offline oldman
Re: Infected with Win32:Sirefef-ZT [trj]
« Reply #36 on: September 30, 2012, 12:31:56 AM »
Hi rmdudley,

Yes it looks very good now. One little fix to do.

Next, Double click on OTL.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
  • Do Not copy the word CODE
  • please note the fix starts with the :
Code:

:Services

:Files
C:\Users\All Users\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll



Then click the Run Fix button at the top
  • Let the program run unhindered
No need to post the log.


We'll cleanup the tools now.

From your desktop, please delete, if present
  • any notepads/logs that we created
  • TDSSKiller
  • Farbar Service Scanner
  • CKScanner
  • aswMBR
  • mbr.dat
From your flashdrive you can delete Farbar Recovery Scan Tool 64-Bit, Fixlist.txt  and fix.log
 
You can also delete all the TDSSKiller logs from C:\. They will be named TDSSKiller.[Version]_[Date]_[Time]_log.txt

Delete this folder also, C:\TDSSKiller_Quarantine

I suggest you keep MBAM.



Next

Click the Start button. Copy and paste the following line into the search box and hit enter


Combofix /uninstall




Next

Open OTL then click the Clean Up button. You may get prompted by your firewall that OTL wants to contact the internet -  allow this.  A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will do some clean up tasks and delete some of the tools you have downloaded plus itself.

Some Recommendations and prevention tips

Basic security consists of 1 antivirus program, 1 resident antispyware program, 1 on-demand antispyware program and a firewall. Those you have now, provided you are using a firewall. Windows 7 has a built-in firewall which is pretty good when set up. You can find some very good information HERE.

You should also use SpywareBlaster to help immunize your computer.

 - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
 
OR

A guide to understanding and using the hosts file.

Learn how your Hosts file can protect you and how you can protect it.
Besides the Hosts file information, there are links to a very good updated hosts file, a hosts file manager, and some programs that can protect your hosts file.
HOSTS

Please read the info on disabling the DNS Client before installing a custom hosts file.

-Secure your Internet Explorer

From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

- Make sure you have reset Windows Updates to your chosen option. Click your start button > Control Panel > System > Windows updates (lower left) > change settings

- Keep your antivirus program updated, as well as any other security programs you have.

-More tips and programs can be found HERE

 Please post back if you have any problems.

Take care.
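The hosts file advice above cuts both ways: a custom hosts file blocks known bad names by mapping them to loopback, and malware that edits the same file can redirect real names to an address it controls. As an added example (not oldman's code and not from the linked guide), here is a Python audit of a hosts file that counts the blocking entries and flags any name pointed at a non-local address. SAMPLE_HOSTS is constructed, and 192.0.2.10 is a documentation address standing in for an attacker-controlled one.

```python
"""Audit a hosts file: count the blocking entries a custom hosts file adds and flag any
name that has been redirected to a non-local address, which is the hijack the hosts file
guide above says to guard against.

Added example, not code from the thread or the linked guide. SAMPLE_HOSTS is constructed;
192.0.2.10 is a documentation address standing in for an attacker-controlled one.
"""
import ipaddress
from typing import Dict, List, Tuple

# Names that legitimately map to loopback and must not be counted as blocking entries
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.tracker-example.test
127.0.0.1       malware-example.test        # blocklist entry: name sinkholed to loopback
192.0.2.10      www.example-bank.test       # hijack shape: real-looking name, remote address
not-an-ip       broken.test
"""


def audit_hosts(text: str) -> Dict[str, list]:
    blocked: List[str] = []
    suspicious: List[Tuple[int, str, str]] = []
    errors: List[int] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            errors.append(lineno)                     # first field is not an address
            continue
        names = fields[1:]
        if not names:
            errors.append(lineno)                     # address with no hostname
            continue
        sink = addr.is_loopback or addr.is_unspecified  # 127.x / ::1 / 0.0.0.0 / ::
        for name in names:
            if name.lower() in LOCAL_NAMES:
                continue
            if sink:
                blocked.append(name)
            else:
                suspicious.append((lineno, name, str(addr)))
    return {"blocked": blocked, "suspicious": suspicious, "errors": errors}


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    print(f"{len(report['blocked'])} blocking entries")
    for lineno, name, addr in report["suspicious"]:
        print(f"line {lineno}: {name} -> {addr} (non-local address, check this)")
    for lineno in report["errors"]:
        print(f"line {lineno}: unparsable")
```

To audit the real file, read C:\Windows\System32\drivers\etc\hosts and pass its contents to audit_hosts. The size of a blocklist-style hosts file is also why the guide says to disable the DNS Client service first: that service loads the whole file into its resolver cache, and a file of tens of thousands of lines makes lookups noticeably slow on Windows of this vintage.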


bloodyvalentine

  • Guest
Re: Infected with Win32:Sirefef-ZT [trj]
« Reply #37 on: March 04, 2013, 12:06:06 PM »
Guys, I am from Greece and my English sucks!
Please listen to what my problem is, and thanks in advance for help or no help!

Yesterday I played Dota 2, a game from Steam! There was a scammer telling me to click a link on a site; I did it while I knew it was a scammer... (yes, I am _._). I had/have Avast Pro, so it didn't do anything to my PC! The file infects services.exe in the System32 folder!
I tried Advanced SystemCare Pro, Malware Pro ~ nothing, it just killed some infected files from it except the main Win32:Sirefef-ZT / services.exe.
So I logged in here and tried (first time seeing it) ComboFix! It said it finally deleted all the files, BUT!
I started the program in normal mode without disabling Avast! While the program was running I disabled Avast and the program seemed to freeze and the PC restarted!
When it booted, the screen was black and only the mouse was visible!
I started the ComboFix program in safe mode and, as I said, it deleted everything etc.
Here is the report:
http://www.megafileupload.com/en/file/398438/ComboFix-txt.html

Listen! After this the screen was still black except for the mouse, and it seems that nothing happens so I can wait etc.! So I tried a restore point from 10 days or so ago in safe mode, so I can't cancel now! The ComboFix program is gone, so only the file is left!

What can I do, guys? :/ Please help, because I am in safe mode and I am going crazy.
P.S. In System32 there now exist 3 Services, so 1 more: 2 .exe files, Services & Services(35), and one other file! The new one is Services(35).
« Last Edit: March 04, 2013, 12:38:14 PM by bloodyvalentine »