Author Topic: : C:\Windows\system32\services.exe **INFECTED** Win32:Sirefef-ZT [Trj]  (Read 31268 times)


Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Good morning to you.  ;D


Attach JunctionPoints.txt log. It should be on your desktop somewhere ...

dee455

  • Guest
 :)

Offline magna86

1.
Please download Farbar Recovery Scan Tool and save it in some folder on your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
    2.


    Open notepad.
    • Click Start
    • Type notepad.exe in the search programs and files box and click Enter.
    • A blank Notepad page should open.



    Copy - paste the content below:

    Code:
    DeleteJunctionsInDirectory: C:\Program Files\Windows Defender
    DeleteJunctionsInDirectory: C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306
    • Save fixlist.txt in the same folder where you saved FRST.exe
    fixlist.txt must be in the same location where FRST.exe tool is!


    Run FRST.exe
    • Double-click to run it. When the tool opens click Yes to disclaimer.
    • Please note: The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
    •     Press the Fix button once and wait.
    •     FRST will process fixlist.txt
    •     When finished, it will produce a log fixlog.txt and will keep that log in the same folder where FRST.exe is.
    > Attach here fixlog.txt logreport.





    =========== Next ==============




    1.

    Delete old zoek.exe and download new, fresh copy from here:
    zoek.exe


    2.
    • Close any open browsers.
    •   Temporarily disable your AntiVirus program. (If necessary)
      If you are unsure how to do this please read this or this Instruction.



    • Double click on zoek.exe to run the tool .
      Please wait while the tool does not start...


    • Copy the text present inside the code box below and paste it into the large window in the zoek tool:
    Code:

    process;
    srinfo;
    systemspecs;
    installedprogs;
    DIR /S /A:L "%systemdrive%\*">>"%temp%\log.txt";b
    filesrcm;
    startupall;
    skipfix-iedefaults;
    firefoxlook;
    chromelook;

    • Click on button
      Please wait until a logreport will open (this can be after reboot)

    • Save notepad to your Desktop and attach here zoek-results.log

      Note: It will also create a log in the C:\ directory named "zoek-results.log"


    =========== Next ==============


    Attach here:


    1. fixlog.txt from FRST tool
    2. zoek-results.log from Zoek tool


    « Last Edit: May 22, 2013, 01:13:56 PM by magna86 »

    dee455

    • Guest
    next logs. Hopefully we will get this fixed today.  :)
    « Last Edit: May 23, 2013, 12:32:49 AM by dee455 »

    dee455

    • Guest
    the last ones. I hope.

    Offline magna86

    Re-run zoek.exe as you did before but use this script:

    Code:
    {0633EE93-D776-472f-A0FF-E1416B8B2E3A};c
    {0633EE93-D776-472f-A0FF-E1416B8B2E3A};c
    emptyclsid;
    fsutil reparsepoint delete "C:\Windows\winsxs\amd64_security-malware-windows-defender-events_31bf3856ad364e35_6.1.7600.16385_none_118cf1dcd54a3dea";b
    fsutil reparsepoint delete "C:\Windows\winsxs\amd64_security-malware-windows-defender-events_31bf3856ad364e35_6.1.7600.16385_none_118cf1dcd54a3dea\MpEvMsg.dll";b
    FFdefaults;
    chrdefaults;
    shortcutfix;
    resetIEproxy;
    ipconfig /flushdns >> %temp%\log.txt;b
    resethosts;
    emptyalltemp;
    autoclean;


    ---------------------------------------



    How is your computer running now?
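    The FRST fixlist (DeleteJunctionsInDirectory), the zoek line `DIR /S /A:L "%systemdrive%\*"` and the `fsutil reparsepoint delete` lines above all deal with the same thing: junction points planted under Windows Defender's folder and the winsxs tree, which is how this ZeroAccess variant keeps Defender from starting. The PowerShell below is an added example, not part of this thread or of the FRST/zoek tools, that lists the reparse points under those two trees together with their targets and reparse tags so they can be reviewed before anything is deleted. It assumes Windows 7 or later with PowerShell 5.1 (for the LinkType/Target properties) and an elevated console (fsutil needs it); the folder names are the ones used in the scripts above.

```powershell
# Added example, not from this thread: list reparse points (junctions, symlinks)
# under the two trees the FRST/zoek scripts target, with target and reparse tag,
# so an analyst can review them before deleting anything.
# Assumes Windows 7+ with PowerShell 5.1 and an elevated console.
$roots = @(
    (Join-Path $env:ProgramFiles 'Windows Defender'),
    (Join-Path $env:SystemRoot   'winsxs')
)

function Get-ReparsePointReport {
    param([string[]] $Paths)
    foreach ($root in $Paths) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # -Force includes hidden/system entries; filtering on the ReparsePoint
        # attribute gives the same population that "DIR /S /A:L" prints.
        Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Attributes -band [System.IO.FileAttributes]::ReparsePoint } |
            ForEach-Object {
                # fsutil prints the reparse tag: 0xA0000003 is a junction/mount point,
                # 0xA000000C a symbolic link. Any reparse point under these trees on a
                # Windows 7 box is unusual and worth looking at by hand.
                $tagLine = (& fsutil.exe reparsepoint query $_.FullName 2>$null) |
                    Where-Object { $_ -match 'Reparse Tag Value' } | Select-Object -First 1
                $tag = if ($tagLine) { ($tagLine -split ':\s*')[-1].Trim() } else { 'n/a' }
                [pscustomobject]@{
                    Path       = $_.FullName
                    LinkType   = $_.LinkType
                    Target     = ($_.Target -join '; ')
                    ReparseTag = $tag
                }
            }
    }
}

$report = Get-ReparsePointReport -Paths $roots
if ($report) {
    $report | Format-Table -AutoSize
} else {
    'No reparse points found under the scanned folders.'
}
```

    Walking winsxs recursively takes a few minutes on a real machine. Legitimate Windows 7 installs do not normally have junctions inside these two folders, so a junction whose target points somewhere odd (a Windows\system32 subfolder, for example) is the kind of entry the `fsutil reparsepoint delete` lines in the zoek script are there to remove; the report only lists them, it changes nothing.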

    dee455

    • Guest
    I don't know yet. I will test it out. I think I am going to run those other tests that I couldn't before and do the window fix. What do you think?  I also noticed I don't have a backup or system restore point
    Thanks
    « Last Edit: May 23, 2013, 11:50:41 PM by dee455 »

    Offline magna86

    Hi,

    Please go to this filesharing website and upload sample which was created by zoek.exe program.

    C:\Users\Public\Desktop\sample_20130523_0224.zip

    http://www.wikisend.com/


    Paste here download link.
    PS: break the download link by changing "http://" into "hxxp://"

    Quote
    I think I am going to run those other tests that I couldn't before and do the window fix.
    What other tool? Don't run bloatware or various junkware tools for so-called test-windows. Test it by hand. Run browsers, run/start AntiVirus ...etc.
    If all works well, that's it.




    « Last Edit: May 24, 2013, 12:11:00 AM by magna86 »

    jomeryeoboy

    • Guest
    I cant get this removed. : C:\Windows\system32\services.exe  **INFECTED** Win32:Sirefef-ZT [Trj]
    00:54:31.133    File: C:\Windows\assembly\GAC_32\Desktop.ini  **INFECTED** Win32:Sirefef-PL [Rtk]
    00:54:32.319    File: C:\Windows\assembly\GAC_64\Desktop.ini  **INFECTED** Win32:Sirefef-PL [Rtk]

    avast said it cleaned the last two but I ran all programs listed on the help page. I guess they are still there. I don't know how long they have been there or what they do.
    Thank you in advance for all your help

    p.s. I hope I did this all right.



    I ALSO ENCOUNTERED THIS VIRUS AND I WAS ABLE TO FIX IT...

    In Windows 7 and Vista
          Go to Start Menu and Inside the Search box type CMD.
          Now at the Top side of the Start menu you can see one file Called CMD.
          Right Click on that one and Select the Option RUN AS ADMINISTRATOR
    In Windows XP
          Go to Run and type "cmd" to open the command prompt
    Now you will get a black Window. Inside that black window type the commands.
    Type or copy & paste "sfc /scanfile=c:\windows\system32\services.exe" and press enter
    Restart your computer
    Then Scan It Again Using AVAST.. You would be able to detect it again but now in temp files and it will be deleted at this time...
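    The `sfc /scanfile` step above works because the Sirefef-ZT detection on services.exe means the file itself has been modified, and sfc replaces a file that no longer matches the copy in the component store. The PowerShell below is an added example, not from this thread, that makes the outcome of that step visible: it records the SHA-256, size and timestamp of services.exe, runs sfc in check-only mode (`/verifyfile`), then runs the repair (`/scanfile`) and reports whether the file actually changed. It assumes PowerShell 4 or later (for Get-FileHash) and an elevated console, which sfc requires.

```powershell
# Added example, not from this thread: fingerprint services.exe, verify it with
# sfc, repair it, and show whether the repair replaced the file.
# Assumes PowerShell 4+ (Get-FileHash) and an elevated console (sfc needs it).
$target = Join-Path $env:SystemRoot 'System32\services.exe'

function Get-FileFingerprint {
    param([string] $Path)
    $item = Get-Item -LiteralPath $Path
    [pscustomobject]@{
        Path          = $item.FullName
        Size          = $item.Length
        LastWriteTime = $item.LastWriteTimeUtc
        SHA256        = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

$before = Get-FileFingerprint -Path $target
$before | Format-List

# 1. Check only: sfc compares the file with the copy in the component store
#    and prints a verdict without changing anything.
& sfc.exe "/verifyfile=$target"

# 2. Repair: same comparison, but a mismatching file is replaced from the store.
#    This is the step the post above recommends; reboot afterwards as it says.
& sfc.exe "/scanfile=$target"

$after = Get-FileFingerprint -Path $target
if ($before.SHA256 -ne $after.SHA256) {
    "services.exe was replaced: $($before.SHA256) -> $($after.SHA256)"
} else {
    "services.exe unchanged (SHA256 $($after.SHA256)): sfc found nothing to repair, or could not repair it"
}
```

    If sfc's output shows up with a space between every character in the PowerShell console, that is only because sfc writes UTF-16 to the console; the commands still ran, and the hash comparison at the end is the reliable indicator. An unchanged hash after a Sirefef-ZT detection on services.exe means the repair did not happen, which is when the full log-based cleanup in this thread is needed rather than sfc alone.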






    Offline magna86


    Quote
    I ALSO ENCOUNTERED THIS VIRUS AND I WAS ABLE TO FIX IT...

    In Windows 7 and Vista
          Go to Start Menu and Inside the Search box type CMD.
          Now at the Top side of the Start menu you can see one file Called CMD.
          Right Click on that one and Select the Option RUN AS ADMINISTRATOR
    In Windows XP
          Go to Run and type "cmd" to open the command prompt
    Now you will get a black Window. Inside that black window type the commands.
    Type or copy & paste "sfc /scanfile=c:\windows\system32\services.exe" and press enter
    Restart your computer
    Then Scan It Again Using AVAST.. You would be able to detect it again but now in temp files and it will be deleted at this time...



    @ jomeryeoboy

    This is the topic of this user. You need to open a new topic and set the logs to review:
    Follow guide from here: http://forum.avast.com/index.php?topic=53253.0

    AdwCleaner <-- cleaning adware & junkware
    Malwarebytes <-- preventive for malware removal
    OTL and aswMBR <-- primary diagnostic system and antirootkit tool

    dee455

    • Guest
    I am sorry but I am lost.  Are saying that I have a file from zoek that states sample or do you want me to make one?  Let me know what you would like me to do.  Do I have to remove all this stuff again?
    « Last Edit: May 27, 2013, 02:01:10 PM by dee455 »

    Offline magna86

    Quote
    I am sorry but I am lost.  Are saying that I have a file from zoek that states sample or do you want me to make one?  Let me know what you would like me to do.
    Since you don't know about the existence of this file sample, you probably deleted it by mistake. Doesn't matter. Skip that.  ;)

    Quote
    Do I have to remove all this stuff again?
    Yap, remove it by downloading & running DelFix tool.

    Download DelFix by "Xplode" to your Desktop.

    Run the tool and check the following boxes below;
    • Remove disinfection tools
    • Create registry backup
    • Purge System Restore

    Now click on "Run" button. Wait until the programme completes its work.
    All the tools we used should be gone.
    Tool will create and open a log report (DelFix.txt)
    Note: The report will also be stored on C:\DelFix.txt


    > I don't need DelFix log report.

    dee455

    • Guest
    I found the log but it is zipped and and has a password so I can't do anything with it.  Sorry.  Thank you for your help.  Do you know why the virus came right back?
    « Last Edit: May 27, 2013, 09:57:11 PM by dee455 »

    Offline magna86

    Quote
    I found the log but it is zipped and it wont unzip. Sorry.  Thank you for your help.  Do you know why the virus came right back?

    Yes. You got a new variant of ZeroAccess rootkit and our tools had not been updated to target/show all parts of this malware. Now everything is removed.