Topic: virus in c:\windows\system32\services.exe Threat: Win32:Sirefef-ZT [Trj]


dingomartin

  • Guest
Still here - was out of town for the weekend. Fixlog attached.

jeffce

  • Guest
Great job!  :)

Please download and run ESET ServicesRepair

Once complete please run a new scan with FRST and post the new log created.  You can just run FRST in Normal Mode. 

dingomartin

  • Guest
I tried running the services repair in normal mode, didn't get an error message, but nothing actually happened; so I ran it in safe mode, where it worked and forced a reboot. Then tried running FRST in normal mode, but got the usual error message, so rebooted again and ran it once more in safe mode. File attached.

jeffce

  • Guest
Hi,

First open an elevated command prompt > Click Start and type cmd in Start Search.
When cmd.exe populates above, right click it and select Run as Administrator to open an elevated command prompt.

Copy the contents of the code box > right click in the command window and select paste
Code:
replace "C:\Windows.old\Windows\System32\services.exe" "C:\Windows\System32"
Press Enter (you won't actually see anything happen)
Close the Command Prompt window.

Run a new scan with FRST and post the new log please.  :)  Let me know how your system is running as well.
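A check to run before and after the replace command, added here as an example and not part of jeffce's instructions: it hashes the live services.exe and the Windows.old copy and shows the version and signature state of each, so you can confirm the restored file matches the known-good backup. The paths are the ones from the post above; PowerShell (2.0 or later) is assumed to be available.

```powershell
# Added example, not from the thread. Compares the live services.exe with the
# pre-upgrade copy in Windows.old (paths taken from the post above).
$live   = "$env:SystemRoot\System32\services.exe"
$backup = "C:\Windows.old\Windows\System32\services.exe"

function Get-Sha256Hex([string]$Path) {
    # Works on PowerShell 2.0 (Windows 7), which has no Get-FileHash cmdlet.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

function Describe-File([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { return "$Path : MISSING" }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $ver = (Get-Item -LiteralPath $Path).VersionInfo
    # Catalog-signed system files can report NotSigned on older PowerShell,
    # so treat the hash comparison below, not the signature, as the decisive signal.
    "{0}`n  sha256    : {1}`n  version   : {2}`n  signature : {3}" -f `
        $Path, (Get-Sha256Hex $Path), $ver.FileVersion, $sig.Status
}

Describe-File $live
Describe-File $backup
if ((Test-Path -LiteralPath $live) -and (Test-Path -LiteralPath $backup)) {
    # A patched services.exe keeps its version string, so only the hash tells the two apart.
    # Before the replace the two should differ on an infected box; after it they must match.
    if ((Get-Sha256Hex $live) -eq (Get-Sha256Hex $backup)) {
        'Live services.exe is byte-identical to the Windows.old copy.'
    } else {
        'Live services.exe DIFFERS from the Windows.old copy.'
    }
}
```

Run it from an elevated prompt; `sfc /verifyfile=C:\Windows\System32\services.exe` gives an independent integrity verdict against the component store.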


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Hi, Jeff is away for a few days so I will be helping now. Could you update me on the current status of your computer? Also, are you able to run OTL?

Download OTL  to your Desktop
Secondary link
  • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in
netsvcs
BASESERVICES
%SYSTEMDRIVE%\*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
dir "%systemdrive%\*" /S /A:L /C
CREATERESTOREPOINT
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Post both logs

dingomartin

  • Guest
Hi Essex Boy, thanks for the help in advance!
That OTL scan is a scarily powerful program! As usual (random environment error message - see earlier in thread for more details), I couldn't run it in normal mode. So I rebooted in safe mode. First I ran through Jeff's last instructions and have attached the FRST file he was after. Then I ran OTL and you'll find the files attached.

dingomartin

  • Guest
The OTL.txt file was 3kb too big (!) to upload by itself, so I have split it into two text files. Please just C&P part 2 into the end of the OTL.txt.

dingomartin

  • Guest
And Part 2...

Offline essexboy

OK, this is an upgrade to Windows 7, hence the big log :)

Methinks we are now in the repair phase

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

Code:
:Commands
[CREATERESTOREPOINT]

:OTL
O33 - MountPoints2\{430ba810-0faf-11e1-9213-ec9f1b2e4f70}\Shell - "" = AutoRun
O33 - MountPoints2\{430ba810-0faf-11e1-9213-ec9f1b2e4f70}\Shell\AutoRun\command - "" = F:\AutoRun.exe
O33 - MountPoints2\{6c096a27-faad-11e1-aa47-001e101fa1f5}\Shell - "" = AutoRun
O33 - MountPoints2\{6c096a27-faad-11e1-aa47-001e101fa1f5}\Shell\AutoRun\command - "" = F:\AutoRun.exe
O33 - MountPoints2\{6c096a35-faad-11e1-aa47-001e101fa1f5}\Shell - "" = AutoRun
O33 - MountPoints2\{6c096a35-faad-11e1-aa47-001e101fa1f5}\Shell\AutoRun\command - "" = F:\AutoRun.exe
O33 - MountPoints2\{8e08862c-2279-11e1-9152-b0fc61eacf4a}\Shell - "" = AutoRun
O33 - MountPoints2\{8e08862c-2279-11e1-9152-b0fc61eacf4a}\Shell\AutoRun\command - "" = F:\AutoRun.exe
O33 - MountPoints2\{8e08863b-2279-11e1-9152-b0fc61eacf4a}\Shell - "" = AutoRun
O33 - MountPoints2\{8e08863b-2279-11e1-9152-b0fc61eacf4a}\Shell\AutoRun\command - "" = F:\AutoRun.exe
O33 - MountPoints2\{999d27ae-f793-11e1-b0c6-f31a42c70a9f}\Shell - "" = AutoRun
O33 - MountPoints2\{999d27ae-f793-11e1-b0c6-f31a42c70a9f}\Shell\AutoRun\command - "" = F:\AutoRun.exe
O33 - MountPoints2\{999d27be-f793-11e1-b0c6-f31a42c70a9f}\Shell - "" = AutoRun
O33 - MountPoints2\{999d27be-f793-11e1-b0c6-f31a42c70a9f}\Shell\AutoRun\command - "" = F:\AutoRun.exe
O33 - MountPoints2\{bb92472c-4791-11e2-af7b-bd087aaaf849}\Shell - "" = AutoRun
O33 - MountPoints2\{bb92472c-4791-11e2-af7b-bd087aaaf849}\Shell\AutoRun\command - "" = F:\AutoRun.exe
O33 - MountPoints2\{bb92473c-4791-11e2-af7b-bd087aaaf849}\Shell - "" = AutoRun
O33 - MountPoints2\{bb92473c-4791-11e2-af7b-bd087aaaf849}\Shell\AutoRun\command - "" = F:\AutoRun.exe
O33 - MountPoints2\{ff88ffdd-fe40-11e1-b16c-001e101f4da1}\Shell - "" = AutoRun
O33 - MountPoints2\{ff88ffdd-fe40-11e1-b16c-001e101f4da1}\Shell\AutoRun\command - "" = F:\AutoRun.exe
[2013/07/01 21:16:46 | 000,004,608 | -HS- | M] () -- C:\Windows\assembly\GAC_32\Desktop.ini
[2013/07/01 21:16:46 | 000,006,144 | -HS- | M] () -- C:\Windows\assembly\GAC_64\Desktop.ini

:Commands
[resethosts]
[emptytemp]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN

Open an elevated command prompt:

Go to Start > All Programs > Accessories
Right click Command Prompt and select Run as administrator
In the black box that opens type the following command and press Enter:

sfc /scannow

Once it has rebooted, re-run the OTL scan with the following script:

netsvcs
BASESERVICES
%SYSTEMDRIVE%\*.exe
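The O33 lines in the fix above are per-volume AutoRun handlers under Explorer's MountPoints2 key. This added example (mine, not essexboy's) enumerates those handlers in the current user's hive and flags any whose command launches a file outside the Windows directory, which is how an infected USB stick gets its F:\AutoRun.exe run. The key path is the standard Explorer location; the "Suspect" rule is my own heuristic.

```powershell
# Added example, not from the thread. Lists MountPoints2 AutoRun handlers
# (what OTL reports as O33 lines) for the current user.
$base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'

function Get-MountPointAutoRuns {
    $results = @()
    $volumes = Get-ChildItem -LiteralPath $base -ErrorAction SilentlyContinue
    foreach ($vol in $volumes) {
        # -LiteralPath because the {GUID} key names contain characters with wildcard meaning
        $cmdKey = "$base\$($vol.PSChildName)\Shell\AutoRun\command"
        if (-not (Test-Path -LiteralPath $cmdKey)) { continue }
        $cmd = (Get-ItemProperty -LiteralPath $cmdKey).'(default)'
        $results += New-Object PSObject -Property @{
            Volume  = $vol.PSChildName
            Command = $cmd
            # Heuristic (mine): a handler that does not launch something under %SystemRoot%
            # is almost always a removable-media autorun payload such as F:\AutoRun.exe
            Suspect = -not ($cmd -like "$env:SystemRoot\*")
        }
    }
    return $results
}

$hits = @(Get-MountPointAutoRuns)
if ($hits.Count -eq 0) {
    'No MountPoints2 AutoRun handlers present for this user.'
} else {
    $hits | Sort-Object Suspect -Descending | Format-Table Suspect, Volume, Command -AutoSize
}
```

The OTL fix above deletes these keys; to stop the next infected stick from recreating them, Microsoft's AutoRun guidance (KB967715) is to set NoDriveTypeAutoRun to 0xFF under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer.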

dingomartin

  • Guest
So I managed to run OTL in safe mode and paste the fix stuff in. When it rebooted, I was presented with a text file whose title consisted of numbers; when I clicked save, I didn't notice the path and now I cannot find it - it's not on the desktop where everything else associated with OTL is.

However, it rebooted (in safe mode, as I couldn't run CMD prompt as admin in normal mode). I then ran the quick scan, the result of which is attached.

When I tried to run the sfc /scannow, it stopped at 12% saying "windows resource protection found corrupt files but was unable to fix some of... em. Details are included in the CBS .log windir\logs\CBS\CBS.log. For example"

Though when I go to 'c:\windows\logs\CBS\CBS.txt', it says 'access denied' when I run it. However, I can go to windows.old and access the log file there, which I attach now, though it's probably not helpful.

I have not performed the final bit of your instructions "Once it has rebooted then re-run OTL scan with the following script

netsvcs
BASESERVICES
%SYSTEMDRIVE%\*.exe" as the previous scan part failed.

Please advise what to do now.

Offline essexboy

It looks like the path is a bit messed up



1. Go to Control Panel --> System and Security --> System
2. Click Advanced system settings
3. Click Environment Variables
4. In the System Variables area, locate the Path variable, highlight it and click Edit...
5. Is the path as below? If not then change it to that

Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\system32\WindowsPowerShell\v1.0;

6. Make the required changes, click OK, OK, OK

dingomartin

  • Guest
I've done that. Then rebooted, all in safe mode, and tried to do the sfc /scannow. It still stops at 12% with the same error message.

Offline essexboy

OK, I am currently trying to locate a method of resetting all the system variables.

Meanwhile could you create a new user account and try to run SFC from there please http://www.howtogeek.com/howto/5261/beginner-geek-add-a-new-user-account-in-windows-7/

dingomartin

  • Guest
Nope, it won't let me do it, in safe or normal mode. I click on the option (and many others for that matter) and nothing happens :(

Let me know what you think of next.

Offline essexboy

The only other option now is a repair install; you will retain all your data. You will need the Windows 7 disc, do you have one?

If not, there is a link and instructions on this page: http://www.sevenforums.com/tutorials/3413-repair-install.html