Author Topic: infected with sirefef-ZEROACCESS  (Read 20725 times)

darkmata

  • Guest
Re: infected with sirefef-ZEROACCESS
« Reply #15 on: March 12, 2012, 04:59:48 PM »
Oh! :( I'm terribly sorry, I've noticed that those reports are in UTF-8, do you want them in ANSI?

jeffce

  • Guest
Re: infected with sirefef-ZEROACCESS
« Reply #16 on: March 12, 2012, 08:08:51 PM »
Hi,

Please download ERUNT (Emergency Recovery Utility NT).  This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.  Remember, if you are using Windows Vista as your operating system, right-click the executable and Run as Administrator.
----------

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

Code: [Select]
:Services

:OTL
SRV:[b]64bit:[/b] - [2009/07/14 02:39:46 | 000,005,120 | ---- | M] (Iomega) [Auto | Running] -- C:\Windows\SysNative\bb-run.dll -- (snoopfreesvc)
IE:[b]64bit:[/b] - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:[b]64bit:[/b] - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\URLSearchHook: {db131c55-60c8-4adc-84dc-9e76ab06e2dc} - SOFTWARE\Classes\CLSID\{db131c55-60c8-4adc-84dc-9e76ab06e2dc}\InprocServer32 File not found
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2851619
IE - HKCU\..\URLSearchHook: {db131c55-60c8-4adc-84dc-9e76ab06e2dc} - SOFTWARE\Classes\CLSID\{db131c55-60c8-4adc-84dc-9e76ab06e2dc}\InprocServer32 File not found
IE - HKCU\..\SearchScopes,DefaultScope = {FD63BF63-BFFF-4B8F-9D26-4267DF7F17DD}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2851619
FF:[b]64bit:[/b] - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
O2 - BHO: (Conduit Engine ) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\prxConduitEngin.dll (Conduit Ltd.)
O2 - BHO: (uTorrentBar_ES Toolbar) - {db131c55-60c8-4adc-84dc-9e76ab06e2dc} - C:\Program Files (x86)\uTorrentBar_ES\prxtbuTor.dll File not found
O3 - HKLM\..\Toolbar: (Conduit Engine ) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\prxConduitEngin.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (uTorrentBar_ES Toolbar) - {db131c55-60c8-4adc-84dc-9e76ab06e2dc} - C:\Program Files (x86)\uTorrentBar_ES\prxtbuTor.dll File not found
O18:[b]64bit:[/b] - Protocol\Handler\livecall - No CLSID value found
O18:[b]64bit:[/b] - Protocol\Handler\msnim - No CLSID value found
O18:[b]64bit:[/b] - Protocol\Handler\skype-ie-addon-data - No CLSID value found
O18:[b]64bit:[/b] - Protocol\Handler\wlmailhtml - No CLSID value found
O18:[b]64bit:[/b] - Protocol\Handler\wlpg - No CLSID value found
O33 - MountPoints2\{16478422-317d-11e1-9f37-00241d15fa81}\Shell - "" = AutoRun
O33 - MountPoints2\{16478422-317d-11e1-9f37-00241d15fa81}\Shell\AutoRun\command - "" = L:\LaunchU3.exe -a
NetSvcs:[b]64bit:[/b] snoopfreesvc - C:\Windows\SysNative\bb-run.dll (Iomega)
[2012/03/12 13:33:01 | 000,000,000 | -HS- | M] () -- C:\Windows\SysNative\dds_log_ad13.cmd
[2012/03/02 12:54:55 | 000,000,000 | -HS- | C] () -- C:\Windows\SysNative\dds_log_trash.cmd
[3 C:\Windows\SysNative\*.tmp files -> C:\Windows\SysNative\*.tmp -> ]
[1 C:\Windows\SysWow64\*.tmp files -> C:\Windows\SysWow64\*.tmp -> ]

:Files
ipconfig /flushdns /c
dir C:\Users\Cure\AppData\Local\cf5171c8 /s /c

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )

darkmata

  • Guest
Re: infected with sirefef-ZEROACCESS
« Reply #17 on: March 12, 2012, 08:27:09 PM »
Hi jeffce

I've done it all and posted the log...
I don't know if you need anything else.
Thanks a lot for your hard work!

darkmata

  • Guest
Re: infected with sirefef-ZEROACCESS
« Reply #18 on: March 12, 2012, 08:54:54 PM »
Hi jeffce

Do I have to scan again with MBAM or any other program?

Or maybe my PC is OK and I can have a party? :P

darkmata

  • Guest
Re: infected with sirefef-ZEROACCESS
« Reply #19 on: March 12, 2012, 09:24:49 PM »
Hi jeffce, sorry, my fault, I didn't do the OTL scan... :-X

here is the file...

thnx!

darkmata

  • Guest
Re: infected with sirefef-ZEROACCESS
« Reply #20 on: March 12, 2012, 09:33:07 PM »
Here is the OTL.txt file, done just after rebooting from the fix on OTL...
I attached it because maybe it's different than if I had been using the PC for a while like before...
Sorry

jeffce

  • Guest
Re: infected with sirefef-ZEROACCESS
« Reply #21 on: March 13, 2012, 01:16:07 AM »
Hi there darkmata,

I see that you are running more than I asked you to do.  Please try to refrain from that as it may actually hinder our progress even though you have good intentions.  So please only run the tools I ask you to.  :)
--------

Seems like our fix hasn't taken yet.  Sometimes we need to hit this infection several times before it breaks.  I appreciate your patience.  :)
--------

Run ERUNT again to make a new backup of your registry.
--------

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

Code: [Select]
:Services

:OTL
MOD - [2010/11/21 04:24:09 | 000,232,448 | ---- | M] () -- \\?\globalroot\systemroot\syswow64\mswsock.DLL
SRV:[b]64bit:[/b] - [2009/07/14 02:39:46 | 000,005,120 | ---- | M] (Iomega) [Auto | Running] -- C:\Windows\SysNative\SiS300i.dll -- (co_mon)
IE:[b]64bit:[/b] - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\URLSearchHook: {db131c55-60c8-4adc-84dc-9e76ab06e2dc} - SOFTWARE\Classes\CLSID\{db131c55-60c8-4adc-84dc-9e76ab06e2dc}\InprocServer32 File not found
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2851619
IE - HKCU\..\URLSearchHook: {db131c55-60c8-4adc-84dc-9e76ab06e2dc} - SOFTWARE\Classes\CLSID\{db131c55-60c8-4adc-84dc-9e76ab06e2dc}\InprocServer32 File not found
IE - HKCU\..\SearchScopes,DefaultScope = {FD63BF63-BFFF-4B8F-9D26-4267DF7F17DD}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2851619
FF:[b]64bit:[/b] - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
O2 - BHO: (Conduit Engine ) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\prxConduitEngin.dll (Conduit Ltd.)
O2 - BHO: (uTorrentBar_ES Toolbar) - {db131c55-60c8-4adc-84dc-9e76ab06e2dc} - C:\Program Files (x86)\uTorrentBar_ES\prxtbuTor.dll File not found
O3 - HKLM\..\Toolbar: (Conduit Engine ) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\prxConduitEngin.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (uTorrentBar_ES Toolbar) - {db131c55-60c8-4adc-84dc-9e76ab06e2dc} - C:\Program Files (x86)\uTorrentBar_ES\prxtbuTor.dll File not found
O18:[b]64bit:[/b] - Protocol\Handler\livecall - No CLSID value found
O18:[b]64bit:[/b] - Protocol\Handler\msnim - No CLSID value found
O18:[b]64bit:[/b] - Protocol\Handler\skype-ie-addon-data - No CLSID value found
O18:[b]64bit:[/b] - Protocol\Handler\wlmailhtml - No CLSID value found
O18:[b]64bit:[/b] - Protocol\Handler\wlpg - No CLSID value found
O33 - MountPoints2\{16478422-317d-11e1-9f37-00241d15fa81}\Shell - "" = AutoRun
O33 - MountPoints2\{16478422-317d-11e1-9f37-00241d15fa81}\Shell\AutoRun\command - "" = L:\LaunchU3.exe -a
NetSvcs:[b]64bit:[/b] snoopfreesvc - C:\Windows\SysNative\bb-run.dll (Iomega)
[2012/03/12 13:33:01 | 000,000,000 | -HS- | M] () -- C:\Windows\SysNative\dds_log_ad13.cmd
[2012/03/02 12:54:55 | 000,000,000 | -HS- | C] () -- C:\Windows\SysNative\dds_log_trash.cmd
[3 C:\Windows\SysNative\*.tmp files -> C:\Windows\SysNative\*.tmp -> ]
[1 C:\Windows\SysWow64\*.tmp files -> C:\Windows\SysWow64\*.tmp -> ]

:Files
C:\Windows\SysNative\SiS300i.dll
ipconfig /flushdns /c
dir C:\Users\Cure\AppData\Local\cf5171c8 /s /c

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )

darkmata

  • Guest
Re: infected with sirefef-ZEROACCESS
« Reply #22 on: March 13, 2012, 08:28:03 AM »
Hi jeffce,

Sorry for all the inconvenience... and absolutely thanks for your support! When I try to do a new backup, a message pops up:
error saving file C:/windows/ERDNT/13-03-2012/BCD
continue with next file?
[ RegCreateKeyEX:5 - acces denied ]

I press yes, and the same message appears, but instead of BCD it changes to system, software, default, security, sam, ntuser.dat and UsrClass.dat.

And then it shows "OK your backup is done".

Now I'll try to run OTL, first the fix, then the scan.

thank you.

darkmata

  • Guest
Re: infected with sirefef-ZEROACCESS
« Reply #23 on: March 13, 2012, 08:38:01 AM »
Hi Jeffce

this is the OTL report.

Thanks again.

darkmata

  • Guest
Re: infected with sirefef-ZEROACCESS
« Reply #24 on: March 13, 2012, 11:50:01 AM »
    Hi there darkmata,

    I see that you are running more than I asked you to do.  Please try to refrain from that as it may actually hinder our progress even though you have good intentions.  So please only run the tools I ask you to.  :)
    --------

Hi jeffce, I've done that! ;)

darkmata

  • Guest
Re: infected with sirefef-ZEROACCESS
« Reply #25 on: March 13, 2012, 01:55:53 PM »
Hi there jeffce,

Just wanted to know if the OTL file is correct? Or maybe I did something wrong, but I don't know what. I just did what you told me... and I ran the scan on the fresh reboot, nothing else.
Well, I'm sure you are still working on it, but maybe you need something else; if I can help you any other way just tell me.

Thanks.
« Last Edit: March 13, 2012, 02:09:33 PM by darkmata »

jeffce

  • Guest
Re: infected with sirefef-ZEROACCESS
« Reply #26 on: March 13, 2012, 02:53:00 PM »
Hi darkmata,

No, everything is fine.  I am clarifying something with Essexboy before we continue.  Hang tight and I will return as quickly as I can.  :)

darkmata

  • Guest
Re: infected with sirefef-ZEROACCESS
« Reply #27 on: March 13, 2012, 02:53:41 PM »
OK, thanks to both of you for your kind help!

jeffce

  • Guest
Re: infected with sirefef-ZEROACCESS
« Reply #28 on: March 13, 2012, 08:55:54 PM »
Hi darkmata,

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

Code: [Select]
:Services

:OTL
MOD - [2010/11/21 04:24:09 | 000,232,448 | ---- | M] () -- \\?\globalroot\systemroot\syswow64\mswsock.DLL
SRV:[b]64bit:[/b] - [2009/07/14 02:39:46 | 000,005,120 | ---- | M] (Iomega) [Auto | Running] -- C:\Windows\SysNative\SiS300i.dll -- (co_mon)
SRV:[b]64bit:[/b] - [2009/07/14 02:39:46 | 000,005,120 | ---- | M] () [Auto | Stopped] -- C:\Windows\SysNative\ufdsvc.dll -- (swupdtmr)
SRV:[b]64bit:[/b] - [2009/07/14 02:39:46 | 000,005,120 | ---- | M] () [Auto | Stopped] -- C:\Windows\SysNative\USBCamera.dll -- (SlNtHal)
SRV:[b]64bit:[/b] - [2009/07/14 02:39:46 | 000,005,120 | ---- | M] () [Auto | Stopped] -- C:\Windows\SysNative\ati.dll -- (IFP700)
SRV:[b]64bit:[/b] - [2009/07/14 02:39:46 | 000,005,120 | ---- | M] () [Auto | Stopped] -- C:\Windows\SysNative\networkx.dll -- (dmboot)
SRV:[b]64bit:[/b] - [2009/07/14 02:39:46 | 000,005,120 | ---- | M] () [Auto | Stopped] -- C:\Windows\SysNative\U81xmdfl.dll -- (defragfs)

:Files
C:\Windows\SysNative\SiS300i.dll
C:\Windows\SysNative\ufdsvc.dll
C:\Windows\SysNative\USBCamera.dll
C:\Windows\SysNative\ati.dll
C:\Windows\SysNative\networkx.dll
C:\Windows\SysNative\U81xmdfl.dll
ipconfig /flushdns /c
dir C:\Users\Cure\AppData\Local\cf5171c8 /s /c

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
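The service entries removed across the three fixes in this thread (replies #16, #21 and #28) have one shape in the OTL log: a ServiceDll under C:\Windows\SysNative, the same 5,120-byte size and the same 2009/07/14 02:39:46 timestamp, a blank or borrowed company name, and a service name (co_mon, swupdtmr, dmboot, ...) that has nothing to do with the DLL's file name. The Python script below is an added example, not part of this thread, of OTL, or of anything jeffce ran; it parses OTL `SRV` lines and groups such entries by (size, timestamp) so the pattern stands out in a log of any length rather than having to be spotted by eye. The sample log is assembled from the SRV lines quoted in the fixes above plus two constructed benign entries (examplesvc and ExampleUpdate) and one MOD line the parser should ignore. The clustering rule is my own triage heuristic: Windows stamps many legitimate files with an identical install timestamp, so a flagged cluster is a pointer to entries worth checking, not a verdict.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# One OTL "SRV" line (with or without the [b]64bit:[/b] tag OTL prints):
# SRV:[b]64bit:[/b] - [date time | size | attrs | M/C] (company) [start | state] -- path -- (service)
SRV_RE = re.compile(
    r"^SRV(?::\[b\]64bit:\[/b\])? - "
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| \S{4} \| [MC]\] "
    r"\((?P<company>[^)]*)\) "
    r"\[(?P<start>[^|\]]+) \| (?P<state>[^\]]+)\] -- "
    r"(?P<path>.+?) -- \((?P<name>[^)]+)\)$"
)

# Directories where a service DLL is expected to carry vendor version info.
SYSTEM_DIRS = ("c:\\windows\\sysnative\\", "c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass(frozen=True)
class ServiceEntry:
    name: str       # service name, e.g. co_mon
    path: str       # ServiceDll path
    company: str    # company from the DLL's version resource, "" when absent
    size: int       # file size in bytes
    timestamp: str  # modification/creation timestamp as printed by OTL
    start: str      # start type, e.g. Auto
    state: str      # Running / Stopped


def parse_srv_lines(log_text):
    """Extract SRV entries from an OTL log; every other line type is ignored."""
    entries = []
    for line in log_text.splitlines():
        m = SRV_RE.match(line.strip())
        if m is None:
            continue
        entries.append(ServiceEntry(
            name=m["name"], path=m["path"], company=m["company"],
            size=int(m["size"].replace(",", "")), timestamp=m["ts"],
            start=m["start"], state=m["state"]))
    return entries


def dll_stem(path):
    """Lower-case file name without extension: C:\\...\\SiS300i.dll -> sis300i."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()


def find_suspicious_clusters(entries, min_cluster=2):
    """Group system-directory service DLLs whose file name is unrelated to the
    service name by (size, timestamp).  Several identical-looking files under
    unrelated service names is the pattern the fixes above kept removing.
    This is my own triage heuristic, not an OTL feature."""
    groups = defaultdict(list)
    for e in entries:
        if not e.path.lower().startswith(SYSTEM_DIRS):
            continue                         # vendor directories are out of scope
        if dll_stem(e.path) == e.name.lower():
            continue                         # DLL named after its service: usual
        groups[(e.size, e.timestamp)].append(e)
    return {key: grp for key, grp in groups.items() if len(grp) >= min_cluster}


def flagged_service_names(log_text):
    """Convenience wrapper: service names that fall into a suspicious cluster."""
    clusters = find_suspicious_clusters(parse_srv_lines(log_text))
    return sorted((e.name for grp in clusters.values() for e in grp), key=str.lower)


# Sample log: SRV lines quoted in the thread's fixes, plus two constructed benign
# entries (examplesvc / ExampleUpdate) and a MOD line the parser must skip.
SAMPLE_OTL_LOG = r"""
MOD - [2010/11/21 04:24:09 | 000,232,448 | ---- | M] () -- \\?\globalroot\systemroot\syswow64\mswsock.DLL
SRV:[b]64bit:[/b] - [2009/07/14 02:39:46 | 000,005,120 | ---- | M] (Iomega) [Auto | Running] -- C:\Windows\SysNative\bb-run.dll -- (snoopfreesvc)
SRV:[b]64bit:[/b] - [2009/07/14 02:39:46 | 000,005,120 | ---- | M] (Iomega) [Auto | Running] -- C:\Windows\SysNative\SiS300i.dll -- (co_mon)
SRV:[b]64bit:[/b] - [2009/07/14 02:39:46 | 000,005,120 | ---- | M] () [Auto | Stopped] -- C:\Windows\SysNative\ufdsvc.dll -- (swupdtmr)
SRV:[b]64bit:[/b] - [2009/07/14 02:39:46 | 000,005,120 | ---- | M] () [Auto | Stopped] -- C:\Windows\SysNative\USBCamera.dll -- (SlNtHal)
SRV:[b]64bit:[/b] - [2009/07/14 02:39:46 | 000,005,120 | ---- | M] () [Auto | Stopped] -- C:\Windows\SysNative\ati.dll -- (IFP700)
SRV:[b]64bit:[/b] - [2009/07/14 02:39:46 | 000,005,120 | ---- | M] () [Auto | Stopped] -- C:\Windows\SysNative\networkx.dll -- (dmboot)
SRV:[b]64bit:[/b] - [2009/07/14 02:39:46 | 000,005,120 | ---- | M] () [Auto | Stopped] -- C:\Windows\SysNative\U81xmdfl.dll -- (defragfs)
SRV:[b]64bit:[/b] - [2009/07/14 02:41:27 | 000,046,080 | ---- | M] (Example Vendor) [Auto | Running] -- C:\Windows\SysNative\examplesvc.dll -- (examplesvc)
SRV - [2011/05/20 10:00:00 | 000,120,320 | ---- | M] (Example Vendor) [Auto | Running] -- C:\Program Files (x86)\Example\updater.dll -- (ExampleUpdate)
"""

if __name__ == "__main__":
    for (size, ts), grp in find_suspicious_clusters(parse_srv_lines(SAMPLE_OTL_LOG)).items():
        print(f"{len(grp)} service DLLs of {size} bytes stamped {ts}:")
        for e in grp:
            print(f"  {e.name:<14} {e.path}  company={e.company or '<none>'}  [{e.start} | {e.state}]")
```

Run as a script, it prints one cluster of seven entries: the two constructed benign lines drop out because the first has a DLL named after its service and the second lives outside the system directories. On a real log the same parser can be fed the whole file; the company field and the `[Auto | Stopped]` state of the cluster members are the two details to look at next, since the fixes in this thread removed entries with no company string and service names the owner did not recognise.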

darkmata

  • Guest
Re: infected with sirefef-ZEROACCESS
« Reply #29 on: March 13, 2012, 10:02:35 PM »
Hi jeffce,

here is the report.

thanks a lot!