Author Topic: C:\Windows\system32\services.exe **INFECTED** Win32:Sirefef-ZT [Trj]  (Read 31270 times)


dee455

  • Guest
I can't get this removed: C:\Windows\system32\services.exe  **INFECTED** Win32:Sirefef-ZT [Trj]
00:54:31.133    File: C:\Windows\assembly\GAC_32\Desktop.ini  **INFECTED** Win32:Sirefef-PL [Rtk]
00:54:32.319    File: C:\Windows\assembly\GAC_64\Desktop.ini  **INFECTED** Win32:Sirefef-PL [Rtk]

avast said it cleaned the last two but I ran all programs listed on the help page. I guess they are still there. I don't know how long they have been there or what they do.
Thank you in advance for all your help

p.s. I hope I did this all right.

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Monitoring

dee455

thank you :)

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
;)

Step#1

Please download zoek.exe and save it to your desktop.

  • Close any open browsers.
  • Temporarily disable your AntiVirus program (if necessary).
    If you are unsure how to do this please read this or this Instruction.
  • Double click on zoek.exe to run the tool.
    Please wait until the tool starts...
  • Copy the text present inside the code box below and paste it into the large window in the zoek tool:
Code:

C:\Windows\assembly\GAC_32\Desktop.ini;f
C:\Windows\assembly\GAC_64\Desktop.ini;f
iedefaults;
emptyclsid;
[-HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\{336D0C35-8A85-403a-B9D2-65C292C39087}];r64
[-HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\{C4CFC0DE-134F-4466-B2A2-FF7C59A8BFAD}];r64
C:\PROGRAM FILES\IB UPDATER;fs
C:\PROGRAM FILES\UPDATER BY SWEETPACKS;fs
C:\Windows\Installer\{4311bbe4-06d6-fe94-e5d4-6ce1a49a8f07}\@;f
C:\Windows\Installer\{4311bbe4-06d6-fe94-e5d4-6ce1a49a8f07}\L;f
C:\Windows\Installer\{4311bbe4-06d6-fe94-e5d4-6ce1a49a8f07}\U;f
C:\Windows\Installer\{4311bbe4-06d6-fe94-e5d4-6ce1a49a8f07}\L\00000004.@;f
C:\Windows\Installer\{4311bbe4-06d6-fe94-e5d4-6ce1a49a8f07}\U\00000004.@;f
C:\Windows\Installer\{4311bbe4-06d6-fe94-e5d4-6ce1a49a8f07}\U\00000008.@;f
C:\Windows\Installer\{4311bbe4-06d6-fe94-e5d4-6ce1a49a8f07}\U\80000000.@;f
C:\install.exe;f
Conduit;z
Conduit;a
DataMngr;z
DataMngr;a
emptyalltemp;
autoclean;

  • Click on button
    Please wait until a log report opens (this can be after reboot).

  • Save the Notepad file to your Desktop and attach zoek-results.log here.

    Note: It will also create a log in the C:\ directory named "zoek-results.log"


*******************************

Step#2


> Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.

> Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this or this Instruction.

How to disable avast:

  • Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
  • In the window that opens on the top right corner, click Settings.
  • In a new window that opens, choose the option Troubleshooting, Uncheck Enable avast! self-defense, and click OK.

  • Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls .
  • In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.
Note: Do not forget to turn on this option after the cleaning.



> Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.

ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.

If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note: Do not mouse-click ComboFix's window while it is running.
If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion" just restart computer once more.


> When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt )
  Attach log reports ( ComboFix.txt) back to topic.
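
As an added defender-side illustration (not part of the thread, and not code from zoek, ComboFix or avast): a read-only Python check for the two ZeroAccess/Sirefef file-system artifacts that the scan log and the zoek script above point at, the planted Desktop.ini in the GAC_32/GAC_64 folders and the bogus Installer\{GUID}\ tree with its "@", "L" and "U" entries. It runs against a constructed sample directory so it works offline; the first GUID is the one from the script, the second GUID folder and all file contents are constructed.

```python
import os
import re
import tempfile

# Locations the thread's avast log and zoek script point at (relative to the Windows dir):
# a planted Desktop.ini in the .NET GAC_32/GAC_64 folders, and a bogus Installer\{GUID}\
# tree holding '@', 'L' and 'U' entries in which the rootkit kept its modules.
GAC_INI = ("assembly/GAC_32/Desktop.ini", "assembly/GAC_64/Desktop.ini")
GUID_DIR = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
ROOTKIT_ENTRIES = {"@", "L", "U"}


def scan_zeroaccess_artifacts(windows_dir):
    """Read-only check; returns a list of (kind, path) findings, empty when nothing matches."""
    findings = []
    for rel in GAC_INI:
        path = os.path.join(windows_dir, *rel.split("/"))
        if os.path.isfile(path):  # a clean GAC folder carries no Desktop.ini
            findings.append(("gac_desktop_ini", path))
    installer = os.path.join(windows_dir, "Installer")
    if os.path.isdir(installer):
        for name in os.listdir(installer):
            sub = os.path.join(installer, name)
            if os.path.isdir(sub) and GUID_DIR.match(name):
                # Genuine MSI cache folders hold icons and files, never this exact trio of names.
                if ROOTKIT_ENTRIES <= set(os.listdir(sub)):
                    findings.append(("installer_at_l_u", sub))
    return findings


def build_sample_tree(base):
    """Constructed sample Windows dir: both artifact patterns plus one benign GUID folder."""
    win = os.path.join(base, "Windows")
    benign = "Installer/{0C1B8A62-0000-4000-8000-000000000001}"  # constructed, harmless decoy
    bad = os.path.join(win, "Installer", "{4311bbe4-06d6-fe94-e5d4-6ce1a49a8f07}")  # GUID from the script
    for d in ("assembly/GAC_32", "assembly/GAC_64", benign):
        os.makedirs(os.path.join(win, *d.split("/")))
    os.makedirs(os.path.join(bad, "L"))
    os.makedirs(os.path.join(bad, "U"))
    for f in ("assembly/GAC_32/Desktop.ini", benign + "/icon.exe"):
        open(os.path.join(win, *f.split("/")), "w").close()
    open(os.path.join(bad, "@"), "w").close()
    open(os.path.join(bad, "U", "00000004.@"), "w").close()
    return win


def demo():
    """Build the constructed tree in a temp dir, scan it and return the sorted finding kinds."""
    with tempfile.TemporaryDirectory() as tmp:
        return sorted(kind for kind, _ in scan_zeroaccess_artifacts(build_sample_tree(tmp)))
```

On a real machine you would call scan_zeroaccess_artifacts(r"C:\Windows") and review each reported path by hand; the check only reads directory listings and changes nothing.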


dee455

zoek results, doing next step

dee455

I disabled avast but when I go to run the last step it still says it's running.  It also says that Spybot is running and I don't show that it is. Help

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not a avast user
If you have disabled it then just ignore the messages and run....

dee455

ok thanks

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not a avast user
and magna86 will be back later, he is in and out of the forum all day    ;)


dee455

ugh here are the files

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re-run ComboFix and attach a fresh ComboFix.txt log report here.

-----------------------------------------

Re-run Zoek as you did before with this script:

Code:
[-HKEY_USERS\S-1-5-21-3678120768-2371748754-349669163-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3678120768-2371748754-349669163-1000\Software\IB Updater];r
[-HKEY_USERS\S-1-5-21-3678120768-2371748754-349669163-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3678120768-2371748754-349669163-1000\Software\Updater By SweetPacks];r
kiplfnciaokpcennlkldkdaeaaomamof;chr
C:\Users\me\AppData\Local\Torch;fs
C:\Program Files (x86)\TornTV.com;fs
nbmafkdmkkckhggblphicnnhlgljnoje;chr
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main];r
"Start Page"="http://www.google.com";r
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main];r
"Start Page"="http://www.google.com";r
c:\programdata\iolo;vs
c:\users\me\AppData\Local\Savings Addon;f
c:\program files (x86)\GUTF603.tmp;f
c:\program files (x86)\GUTBEFC.tmp;f
tixati.exe;z
resetIEproxy;
emptyclsid;
emptyalltemp;
autoclean;


Click on the RunScript button and attach the fresh zoek log here.

dee455

first scan today

dee455

last one


Thank you again so much.  Can you tell me how long I have had this?  What kind of damage does it do?

dee455

I don't mean to be a pain and I know we are in different time zones but I was wondering if my computer is ok now. I posted my last information so I have just been waiting for an answer.

Thank you

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
You had a userland rootkit, so-called ZeroAccess or 0access. Also you had various crapware bad files & extensions that we had to remove.

---------


It is necessary to uninstall ComboFix:
  • Click Start, then Run.
    On Windows 7 or Vista you may use the Start Search field if Run is not available.

  • In the line of text type in (copy) the following:
Code:
ComboFix /Uninstall
    Note that there is a space between "ComboFix" and "/Uninstall".

  • Then click OK (or press Enter).
    Wait for the uninstall process to complete.

---------

Re-run Zoek with this script:
Code:
kiplfnciaokpcennlkldkdaeaaomamof;chr
C:\Users\me\AppData\Local\Torch;fs
mocblcnaofikinigmceddfghppkkjbog;chr
C:\Users\me\AppData\Roaming\PlusWinks;fs
c:\programdata\iolo;f
emptyalltemp;
emptyclsid;

------

How is your computer running now?