virus in c:\windows\system32\services.exe Threat: Win32:Sirefef-ZT [Trj]

[jeffce]

You are really doing a great job.    This is a serious infection we are dealing with....

Please run a new Scan with FRST just as you have been normally and post the new log so that we can see what we are dealing with now. 

[jeffce]

Still here?

[dingomartin]

Apologies - I was out the country for a few days.

Attached is the latest scan file.

[jeffce]

ComboFix

Download Combofix from either of the links below, and save it to your desktop. 
Link 1
Link 2

**Note:  It is important that it is saved directly to your desktop**
If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.


--------------------------------------------------------------------

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

--------------------------------------------------------------------

Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.

When finished, it will produce a report for you. 

• Please attach the C:\ComboFix.txt for further review.

[dingomartin]

I get the error message "The System could not find the environment option that was entered." when I right click and try to Run as Administrator

[jeffce]

Try to run ComboFix from Safe Mode.  If a log is made please attach it....if not let me know what happens. 

[dingomartin]

It started running in safe mode, got fairly far by the looks of it, and the stopped with an error message in 7 languages saying 'Incompatible OS'. 

[jeffce]

Malwarebytes Anti-Rootkit

Please download Malwarebytes Anti-Rootkit and save it to your desktop.

• Be sure to print out and follow the instructions provided on that same page.
• Caution: This is a beta version so please be sure to read the disclaimer and back up all your data before using.
  
• Scan your system for malware
• If malware is found, please go to the MBAR folder and then attach the contents of the MBAR-log-***.txt file to your next reply.
  

If there is no malware found, please let me know as well.
----------

[dingomartin]

When I try to run it, or run as admin, I get the usual '"The System could not find the environment option that was entered."'. If I try to run it from safe mode or command prompt, I get the error message "The subsystem needed to support the image type is not present."

What now?

[jeffce]

Run a new scan with FRST and attach the new log as well as doing the following...

SystemLook

Please use either of the following links:
Download Mirror 1
Download Mirror 2

• Right-click and Run as Administrator SystemLook.exe to run it.
  
• Copy the content of the following codebox into the main textfield:
  

Code: [Select]

:filefind
*services.exe


• Click the Look button to start the scan.
  
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

[dingomartin]

Hi, neither of those SystemLook links work (on either my infected or other computer). Also, attached is my latest FRST64 scan.

In other news, a disappointing ending to World War Z... Who'd have thunk it.

[jeffce]

Sorry about that....that was my fault.  Try it now.

Run a new scan with FRST and attach the new log as well as doing the following...

SystemLook

Please use either of the following links:
Download Mirror 1
Download Mirror 2

• Right-click and Run as Administrator SystemLook.exe to run it.
  
• Copy the content of the following codebox into the main textfield:
  

Code: [Select]

:filefind
*services.exe


• Click the Look button to start the scan.
  
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

I agree with the WWZ ending too.  Not quite what I was expecting. 

[dingomartin]

Attached.

[jeffce]

Hi,

Just so you know...this infection is the real deal and effects every system differently so this may take a bit. 

Please go back to Reply 10 and follow the instructions there.  Do Not run these instructions in Recovery Mode.  If possible, please just run them on your system in Normal Mode or Safe Mode.  If you run the instructions in Safe Mode, allow the tool to reboot your system (or do so manually if asked to do so) and then let FRST complete it's run.  It will produce a log that I need for you to attach. 

[jeffce]

Still here?