Topic: infected with sirefef-ZEROACCESS


darkmata

infected with sirefef-ZEROACCESS
« on: March 12, 2012, 01:59:50 PM »
Hi, my PC is infected with Sirefef and/or ZeroAccess and I think I've followed your instructions in this post (if not, please tell me): http://forum.avast.com/index.php?topic=53253.0

I'm attaching the results of the tests and the logs. I'd be so thankful for your help!

Thanks in advance.

darkmata

Re: infected with sirefef-ZEROACCESS
« Reply #1 on: March 12, 2012, 02:04:57 PM »
Also, I have to say that I purchased Avast! Internet Security for 2 years, and every time I install it, on the next reboot the PC doesn't load Windows; it automatically goes to "Windows will try to scan for errors and try to fix them", but Windows is not able to repair, so all I can do is turn off the PC or restore Windows to a previous date. I restore, and then I'm back to when the antivirus was not installed... and this goes on forever in a loop...

Thanks again.
P.S.: I'm attaching the last file I have...

jeffce

Re: infected with sirefef-ZEROACCESS
« Reply #2 on: March 12, 2012, 02:10:00 PM »
Hi,

Download Combofix from either of the links below, and save it to your desktop. 
Link 1
Link 2

**Note:  It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

--------------------------------------------------------------------
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
Code:
ClearJavaCache::

File::
C:\Windows\SysNative\bb-run.dll
C:\Windows\SysNative\dds_log_ad13.cmd
C:\Windows\SysNative\dds_log_trash.cmd

Registry::
Netsvc::
snoopfreesvc

Driver::
snoopfreesvc
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.



  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------

darkmata

Re: infected with sirefef-ZEROACCESS
« Reply #3 on: March 12, 2012, 02:23:27 PM »
Hi Jeffce,
Thanks for your help. OK, now I ran ComboFix but I cannot see the report; also, it never restarts the PC. It seems like it has finished scanning, the window disappears and that's it... I'm not even touching the mouse or anything.


jeffce

Re: infected with sirefef-ZEROACCESS
« Reply #4 on: March 12, 2012, 02:30:03 PM »
Hi,

Go to your C:\ folder and look for a file named Combofix.txt. If you see it, please post it in your next reply.  :)

darkmata

Re: infected with sirefef-ZEROACCESS
« Reply #5 on: March 12, 2012, 02:56:18 PM »
Sorry, but there is no combofix.txt file... :-\

darkmata

Re: infected with sirefef-ZEROACCESS
« Reply #6 on: March 12, 2012, 03:04:11 PM »
Would you like a TDSSKiller report?

darkmata

Re: infected with sirefef-ZEROACCESS
« Reply #7 on: March 12, 2012, 03:19:44 PM »
I was reading essexboy's post, and when I have to run OTL he says to select ALL USERS. What does it mean? I'm never asked for that and cannot even see that option to check it.

jeffce

Re: infected with sirefef-ZEROACCESS
« Reply #8 on: March 12, 2012, 03:28:48 PM »
Hi darkmata,

It seems like the ZeroAccess infection is preventing some of the tools we need from running.

Go ahead and run TDSSKiller but use these instructions and not those posted previously and then post the log created.

Please download TDSSKiller.zip
  • Extract it to your desktop
  • Right-click and Run as Administrator TDSSKiller.exe
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)
----------

darkmata

Re: infected with sirefef-ZEROACCESS
« Reply #9 on: March 12, 2012, 03:35:23 PM »
Done.
No malicious objects found, just one threat. I skipped it.

Thanks.

jeffce

Re: infected with sirefef-ZEROACCESS
« Reply #10 on: March 12, 2012, 03:42:26 PM »
Hi darkmata,

We need to make all files and folders VISIBLE:

  • Go to Start > Control Panel > Folder Options > View
  • Choose "Show hidden files and folders"
  • Uncheck the "Hide protected operating system files" and "Hide extensions for known file types" boxes
  • Close the window with OK
Please delete your copy of ComboFix from your Desktop using right-click >> delete. 

Now visit the link here >> http://www.mediafire.com/?3wuubumznr3cs8h and download the file to your Desktop.  Once downloaded to your Desktop, run the program.  There will be a log produced I will need in your next reply.  :)
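The Folder Options steps in the reply above, as an added PowerShell example (not part of jeffce's post or of any Avast tool): each View checkbox maps to a DWORD under the current user's Explorer\Advanced key, so the same change can be made from a script and read back to confirm it took. The key path and value names are standard Explorer settings; the assumptions are a Windows 7-era client like the poster's, run in the session of the user whose Explorer is showing the folders.

```powershell
# Added example, not from the thread: set the three Folder Options > View
# checkboxes from the reply above by writing their Explorer registry values,
# then read them back to confirm. Assumes Windows 7-era Explorer, run as the
# interactive user (these values live under HKCU, not HKLM).
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

# View checkbox                              value name        wanted
# Show hidden files and folders              Hidden            1 (2 = hide)
# Hide protected operating system files      ShowSuperHidden   1 (1 = show them)
# Hide extensions for known file types       HideFileExt       0 (0 = show them)
$wanted = @{
    Hidden          = 1
    ShowSuperHidden = 1
    HideFileExt     = 0
}

function Show-ExplorerVisibility {
    # Print each value with a marker so a before/after diff is obvious in the log.
    $props = Get-ItemProperty -Path $advanced
    foreach ($name in ($wanted.Keys | Sort-Object)) {
        $current = $props.$name
        $state = if ($current -eq $wanted[$name]) { 'ok' } else { 'CHANGE' }
        '{0,-16} = {1}  ({2})' -f $name, $current, $state
    }
}

'Before:'
Show-ExplorerVisibility

foreach ($name in $wanted.Keys) {
    Set-ItemProperty -Path $advanced -Name $name -Value $wanted[$name] -Type DWord
}

'After:'
Show-ExplorerVisibility

# Explorer reads these values when it starts, so restart the shell. Windows may
# relaunch explorer.exe on its own after it is killed; only start it if it did not.
Stop-Process -Name explorer -Force
Start-Sleep -Seconds 2
if (-not (Get-Process -Name explorer -ErrorAction SilentlyContinue)) {
    Start-Process explorer.exe
}
```

Run it in a PowerShell window as the logged-in user; no elevation is needed because the values are per-user. One caveat a responder would add: these settings only defeat the Hidden and System file attributes. A kernel-mode rootkit that filters directory listings stays invisible to Explorer whatever these values say, which is why the thread relies on tools such as TDSSKiller and OTL rather than Explorer to find the infection.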

darkmata

Re: infected with sirefef-ZEROACCESS
« Reply #11 on: March 12, 2012, 03:57:21 PM »
Hi jeffce,

The same issue as before: it scans, looks like it has finished, but I'm not even able to close the window; it disappears and that's all. Also, on C: there is no report at all...

This is hard stuff!!

darkmata

Re: infected with sirefef-ZEROACCESS
« Reply #12 on: March 12, 2012, 04:07:55 PM »
Hi jeffce

I have a folder on C: named 32788R22FWJFW; it's like 12 MB and it says that it shows all the hard drives and hardware connected to this PC.... ???

Is that normal?

jeffce

Re: infected with sirefef-ZEROACCESS
« Reply #13 on: March 12, 2012, 04:11:38 PM »
Hi darkmata,

Don't worry about the folder.  I believe it is fine. 

I am going to work up a fix using OTL and will return as quick as I can.  :)

darkmata

Re: infected with sirefef-ZEROACCESS
« Reply #14 on: March 12, 2012, 04:15:08 PM »
Hi jeffce,

OK, here are some RogueKiller reports; maybe this could help!

Thanks a lot!

P.S.: if you fix it... I'll send you a good bottle of Catalan wine! ::)
« Last Edit: March 12, 2012, 04:17:39 PM by darkmata »