Author Topic: infected with sirefef-ZEROACCESS  (Read 20601 times)


jeffce

  • Guest
Re: infected with sirefef-ZEROACCESS
« Reply #30 on: March 13, 2012, 10:24:50 PM »
Hi,

Download Combofix from any of the links below but rename it to svchost.exe before saving it to your desktop.

Link 1
Link 2


==================================

Right-click and Run as Administrator on the renamed ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.

darkmata

  • Guest
Re: infected with sirefef-ZEROACCESS
« Reply #31 on: March 13, 2012, 10:36:25 PM »
Hi jeffce,

no combofix.txt created, so sorry...

I don't know what's wrong...

thanks again

darkmata

  • Guest
Re: infected with sirefef-ZEROACCESS
« Reply #32 on: March 13, 2012, 10:41:56 PM »
Hi jeffce

I suppose mbam starts at windows start, then sometimes i get the prompt message of C:\windows\assembly\tmp\U\00000001.@

and sometimes two more with different numbers like 800000c0.@ and 800000cb.@

i don't know if it helps...

jeffce

  • Guest
Re: infected with sirefef-ZEROACCESS
« Reply #33 on: March 13, 2012, 10:43:56 PM »
Hi darkmata,

No need to say sorry.  :)

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

Code:
:Services

:OTL
SRV:64bit: - [2009/07/14 02:39:46 | 000,005,120 | ---- | M] (Iomega) [Auto | Running] -- C:\Windows\SysNative\mcmscsvc.dll -- (mfesmfk)

:Files
C:\Windows\SysNative\mcmscsvc.dll

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then run a new scan.  Place the following into the Custom Scans section

    netsvc
    /md5start
    consrv.dll
    mcmscsvc.dll
    /md5stop
    createrestorepoint


  • Press Run Scan  ( don't check the boxes beside LOP Check or Purity this time )
  • Post a new OTL log

darkmata

  • Guest
Re: infected with sirefef-ZEROACCESS
« Reply #34 on: March 13, 2012, 10:59:02 PM »
Hi jeffce,

i assume that it has to be hard work to code/decode all this stuff, and suppose how frustrating this could sometimes be, that's why i say sorry... ;)

but i know you can! :P

better take this with humor isn't it?

ok here is the OTL file

jeffce

  • Guest
Re: infected with sirefef-ZEROACCESS
« Reply #35 on: March 13, 2012, 11:07:13 PM »
LOL!!  I actually have a lot of fun doing this and helping people.  :)

  • Please download Junction.zip and save it to your desktop.
  • Unzip it and extract junction.exe to your C:\ drive. So it appears as C:\junction.exe
  • Next,
  • Now copy (Ctrl +C) and paste (Ctrl +V) the text inside the code box below into Notepad.

Code:
@ECHO OFF
cd c:\
junction -s c:\ >log.txt
start log.txt
del %0
  • Save it to your desktop as File name: junc.bat
  • Save as type: All Files

Next,
Double click junc.bat to run it. (accept any alerts) A log will be presented. Copy and paste or attach the content of the log in your next reply.

darkmata

  • Guest
Re: infected with sirefef-ZEROACCESS
« Reply #36 on: March 13, 2012, 11:18:38 PM »
lol! nice to hear that!

ok it gave me an error: could not find log.txt file, be sure that the file name is correct.
and behind that there is a cmd.exe window with "access denied" written...

thanks.

darkmata

  • Guest
Re: infected with sirefef-ZEROACCESS
« Reply #37 on: March 13, 2012, 11:32:21 PM »
Also i have to say that if i try to extract the file directly to c: it gives an error:

C:\Users\Cure\Desktop\junction.zip could not create junction.exe acces denied

jeffce

  • Guest
Re: infected with sirefef-ZEROACCESS
« Reply #38 on: March 14, 2012, 01:28:21 AM »
Hi darkmata,

Run a new scan with TDSSKiller and remove anything that it finds.  Then post the logs that are made.  :)

darkmata

  • Guest
Re: infected with sirefef-ZEROACCESS
« Reply #39 on: March 14, 2012, 08:28:47 AM »
Hi jeffce

no threats found with TDSSKILLER, here is the log.

thanks

jeffce

  • Guest
Re: infected with sirefef-ZEROACCESS
« Reply #40 on: March 14, 2012, 12:53:57 PM »
Hi darkmata,

This one is fighting LOL!!  :D
--------

Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Right-click and Run as Administrator GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.


  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it in your reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
----------

darkmata

  • Guest
Re: infected with sirefef-ZEROACCESS
« Reply #41 on: March 14, 2012, 01:11:49 PM »
Hi jeffce,

i cannot check/uncheck the ones that you tell me because they appear unusable (greyed out). i can only check/uncheck services, registry, files, the partitions, ADS and show all.

do i continue? and just uncheck the show all one and the partition that is not C:?

jeffce

  • Guest
Re: infected with sirefef-ZEROACCESS
« Reply #42 on: March 14, 2012, 01:15:06 PM »
Hi,

Yes just be sure that Show All and C: is not checked.  :)

darkmata

  • Guest
Re: infected with sirefef-ZEROACCESS
« Reply #43 on: March 14, 2012, 01:21:15 PM »
Hi jeffce,

yeah this one is fighting! i usually play on-line fps and since i have this i'm always lagging as hell, but my ping to the server is just between 15 and 40 ms.. ???

well i don't know if it helps in any way, but...

here is the file.

thanks

jeffce

  • Guest
Re: infected with sirefef-ZEROACCESS
« Reply #44 on: March 14, 2012, 01:32:20 PM »
Ok...

Reboot Your System in Safe Mode

  • Restart the computer.
  • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe mode menu item
  • Press Enter.
Once in Safe Mode try to run a scan with ComboFix again.  If the log is created please post that.