Author Topic: infected with sirefef-ZEROACCESS  (Read 20786 times)

jeffce

  • Guest
Re: infected with sirefef-ZEROACCESS
« Reply #60 on: March 14, 2012, 09:25:23 PM »
Hi,

OK, let me do some digging and I will get back as soon as I can.  :)

darkmata

  • Guest
Re: infected with sirefef-ZEROACCESS
« Reply #61 on: March 14, 2012, 09:25:55 PM »
ok thanks!

jeffce

  • Guest
Re: infected with sirefef-ZEROACCESS
« Reply #62 on: March 14, 2012, 09:46:54 PM »
Hi,

For 64-bit systems, download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select English as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    On the System Recovery Options menu you will get the following options:
      Startup Repair
      System Restore
      Windows Complete PC Restore
      Windows Memory Diagnostic Tool
      Command Prompt
    • Select Command Prompt
    • In the command window type notepad and press Enter.
    • Notepad opens. Under the File menu select Open.
    • Select "Computer", find your flash drive letter, and close Notepad.
    • In the command window type e:\frst64 and press Enter.
      Note: Replace the letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

    darkmata

    • Guest
    Re: infected with sirefef-ZEROACCESS
    « Reply #63 on: March 14, 2012, 10:09:32 PM »
    here we go!

    jeffce

    • Guest
    Re: infected with sirefef-ZEROACCESS
    « Reply #64 on: March 15, 2012, 01:50:28 PM »
    Hi darkmata,

    Open Notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right click on it. Paste this into the open Notepad. Save it on the flash drive as fixlist.txt

    Code:
    SubSystems: [Windows] ==> ZeroAccess
    C:\Windows\system32\consrv.dll
    2 pinger; C:\Windows\System32\flashcom.dll [5120 2009-07-14] (Iomega)
    C:\Windows\System32\flashcom.dll
    3 MEMSWEEP2; \??\C:\Windows\system32\171F.tmp [x]
    C:\Windows\system32\171F.tmp
    2012-03-13 13:30 - 2012-03-14 20:41 - 0000000 __ASH C:\Windows\System32\dds_log_ad13.cmd

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    On Vista or Windows 7: Now please enter System Recovery Options.
    Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens...
    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

    darkmata

    • Guest
    Re: infected with sirefef-ZEROACCESS
    « Reply #65 on: March 15, 2012, 02:05:34 PM »
    Hi jeffce,

    here is the log :)


    jeffce

    • Guest
    Re: infected with sirefef-ZEROACCESS
    « Reply #66 on: March 15, 2012, 03:15:53 PM »
    Hi,

    LOL!!  Great avatar pic!!  hahahaha!!  :D
    ----------

    OK.... let's give this another shot and see what we can do.

    Delete all copies of ComboFix from your system.

    Next

    Download Combofix from either of the links below, and save it to your desktop. 
    Link 1
    Link 2

    **Note:  It is important that it is saved directly to your desktop**

    --------------------------------------------------------------------

    IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

    --------------------------------------------------------------------

    • Right-click ComboFix.exe, choose Run as Administrator, and follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the C:\ComboFix.txt for further review.

    darkmata

    • Guest
    Re: infected with sirefef-ZEROACCESS
    « Reply #67 on: March 15, 2012, 03:31:26 PM »
    LOL, uah, dark +dalmata.. ;D
    Answering from the phone, Combofix working for the first time..
     ::) ;D

    darkmata

    • Guest
    Re: infected with sirefef-ZEROACCESS
    « Reply #68 on: March 15, 2012, 03:44:05 PM »
    Hi jeffce
    Answering from phone again, now I cannot execute anything, wanted to open Firefox to answer you but error:
    Attempt to illegal operation on a registry key that was checked for its elimination, same with explorer and everything else.... :-\

    jeffce

    • Guest
    Re: infected with sirefef-ZEROACCESS
    « Reply #69 on: March 15, 2012, 03:44:47 PM »
    Just reboot your system.  If it still happens after reboot, do it again.  That should fix it.  :)

    darkmata

    • Guest
    Re: infected with sirefef-ZEROACCESS
    « Reply #70 on: March 15, 2012, 03:47:38 PM »
    Oh yeah!

     ;D ;D ;D

    jeffce

    • Guest
    Re: infected with sirefef-ZEROACCESS
    « Reply #71 on: March 15, 2012, 03:52:11 PM »
    Oh yeah!!  :D

    That knocked it in the head. 

    Please run a new scan with OTL
    In Custom Scans put the following:
    netsvcs
    /md5start
    consrv.dll
    /md5stop
    createrestorepoint

    Press Run Scan and post the newly made log. 

    darkmata

    • Guest
    Re: infected with sirefef-ZEROACCESS
    « Reply #72 on: March 15, 2012, 03:58:43 PM »
    You are a MASTER  8)

    here is the log

    THAAANK YYOOUU!

    jeffce

    • Guest
    Re: infected with sirefef-ZEROACCESS
    « Reply #73 on: March 15, 2012, 04:10:55 PM »
    Hi,

    Run OTL.exe
    • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    Code:
    :Services

    :OTL
    [2012/03/10 10:59:52 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{2EEA20C8-39EB-453B-9D2A-8D364CB105A9}
    [2012/03/10 10:59:38 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{C0E6E625-AF36-4C80-9AAB-DB2FA7C924E2}
    [2012/03/09 17:29:53 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{A9765B12-ABBD-438E-AB7B-9D486293A0EE}
    [2012/03/09 17:29:42 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{18CCC289-B64F-4552-8E70-27B97944F5B6}
    [2012/03/07 19:20:19 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{E793880A-BF52-4997-A09C-370B37BBE9AE}
    [2012/03/07 19:20:09 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{09B93BFB-6E6A-43A4-A66E-5F76AFC729FD}
    [2012/03/07 16:13:36 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{7F905CD3-AAB5-4A37-8A24-2AC8D8F817AD}
    [2012/03/06 08:04:48 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{74CC19AC-6896-4BA1-9396-A559D12BC32D}
    [2012/03/06 08:04:36 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{4C1CBED5-F790-4C25-B6F8-B18B6FCA6C67}
    [2012/03/04 10:26:45 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{945A7F46-2F88-4270-B0E6-52D62C7340C4}
    [2012/03/04 10:26:35 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{6C7A532A-90F1-42BD-AE1C-70CD1283CC2B}
    [2012/03/03 10:18:10 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{30A9416E-2529-4370-A279-D433C35253B6}
    [2012/03/03 10:17:59 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{761EF695-D1CC-4711-BB5E-4F01B1A39A9E}
    [2012/03/02 07:21:40 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{6CB52A50-8ADD-4B4A-BB7F-91967E6FDDD6}
    [2012/03/02 07:21:28 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{91FA6030-8D6C-466F-BE63-DE1318CD1AE6}
    [2012/03/01 18:08:30 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{28A3D943-2D3A-4888-AEA8-DD98CB1FE89D}
    [2012/03/01 18:08:20 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{71E9D2C3-BE6C-4C9F-A60E-48CC5CEF90AA}
    [2012/03/01 17:25:16 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{EB3228DA-9CE5-40C7-84F9-6C6CD44AD946}
    [2012/03/02 07:21:40 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{6CB52A50-8ADD-4B4A-BB7F-91967E6FDDD6}
    [2012/03/02 07:21:28 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{91FA6030-8D6C-466F-BE63-DE1318CD1AE6}
    [2012/03/01 18:08:30 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{28A3D943-2D3A-4888-AEA8-DD98CB1FE89D}
    [2012/03/01 18:08:20 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{71E9D2C3-BE6C-4C9F-A60E-48CC5CEF90AA}
    [2012/03/01 17:25:16 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{EB3228DA-9CE5-40C7-84F9-6C6CD44AD946}
    [2012/02/28 17:34:47 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{829ECCA7-2ADA-4783-BC5C-A5EB5C4D621B}
    [2012/02/28 17:34:34 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{E7485E0E-ADF7-4B00-8F30-BA4225D3B326}
    [2012/02/27 16:52:51 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{1E47C8D2-815C-40C5-97F9-778BD64C5416}
    [2012/02/27 16:52:41 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{9392265D-C1CC-4F8C-B167-F4FBB986EC0B}
    [2012/02/25 08:49:17 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{9270C156-3AD2-44AA-A38E-F9098F2B8C6B}
    [2012/02/24 17:11:25 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{33611E4E-7732-42A7-9DFC-4686BABBA81C}
    [2012/02/24 17:11:12 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{826047E8-2689-4EF4-8F77-C3EBF66F14F4}
    [2012/02/23 21:34:17 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{814B6225-B0D6-437B-9605-AE179A0A3CA2}
    [2012/02/23 21:34:06 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{406357EC-F76F-4CC8-BB80-C7646B0A6384}
    [2012/02/22 15:01:12 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{CE10A3BB-70B5-42C2-8C8C-79637018083D}
    [2012/02/21 07:37:14 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{39989B8B-C12F-4D51-8516-96007EF949B1}
    [2012/02/21 07:37:02 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{271B9FEA-7BA1-4431-AF38-24C2DE79B8D8}
    [2012/02/20 18:02:25 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{D82808C5-BCAC-4AEC-B24C-2D364DB0A15A}
    [2012/02/19 19:12:02 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{8F5D34A4-B477-4E7B-9E1F-0D1ABE45A9B1}
    [2012/02/19 19:11:51 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{7D66D353-F098-4FFE-9DE3-7F5CFE5D8702}
    [2012/02/19 12:05:12 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{2E2FF5A0-18C2-4806-9986-E91812C0F0F1}
    [2012/02/19 12:05:02 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{AD7B2EA4-D711-46FA-AF23-8F63654F4DA7}
    [2012/02/18 10:44:46 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{4511EB5A-575B-4BB3-8276-3F530276C50D}
    [2012/02/18 10:44:31 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{4F7DE1B5-BF02-4FEB-B992-EB7A81C8688E}
    [2012/02/17 16:27:43 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{C6DA5B47-493C-4B47-A2B4-4C4C5E78ACCD}
    [2012/02/17 16:27:27 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{C55B1E1A-B4D6-4C43-8C37-395853334083}
    [2012/02/16 18:46:26 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{CDD4F407-0982-4D64-8D0E-99DA9DA85D0A}
    [2012/02/16 18:46:15 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{0D757FCC-B815-49ED-AB8B-374111FD15E5}
    [2012/02/15 08:04:40 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{F5239709-1D47-44DC-82C9-3B45F0EABC60}
    [2012/02/15 08:04:28 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{0694624D-62A9-4E1C-9439-199A7DB96E19}

    :Files
    dir C:\Users\Cure\AppData\Local\cf5171c8 /s /c

    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot when it is done
    • Then run a new scan and post a new OTL log (don't check the boxes beside LOP Check or Purity this time)
    • In Custom Scans please put the following:
    netsvcs
    /md5start
    consrv.dll
    /md5stop
    createrestorepoint


    • Press Run Scan and post the new log.
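    Added here as an illustration of how a fix like the one above is assembled from an OTL log; this is not code from the thread or from OTL itself. It parses OTL-style entry lines, flags folders whose name is a bare {GUID} created directly under AppData\Local (the pattern every line in the :OTL section above shares), drops duplicate entries, and emits the :OTL / :Commands layout used in the thread. The entry-line regex and the sample log are my assumptions, constructed for the example.

```python
import re
from dataclasses import dataclass

# One OTL log entry: [date time | size | attrs | C/M] -- path  (layout assumed from the thread)
OTL_ENTRY = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| (?P<mode>[A-Z])\] -- (?P<path>.+?)\s*$")
# A bare {GUID} folder sitting directly under ...\AppData\Local
GUID_DIR = re.compile(r"\\AppData\\Local\\\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)

@dataclass(frozen=True)
class Entry:
    raw: str    # original log line, reusable verbatim in an :OTL fix section
    attrs: str  # attribute flags; 'D' marks a directory
    path: str

def parse_otl(log: str) -> list[Entry]:
    """Keep only lines with the OTL entry layout; headers and blanks are skipped."""
    entries = []
    for line in (l.strip() for l in log.splitlines()):
        m = OTL_ENTRY.match(line)
        if m:
            entries.append(Entry(line, m.group("attrs"), m.group("path")))
    return entries

def suspicious_guid_dirs(entries: list[Entry]) -> list[Entry]:
    """Directory entries whose leaf name is a bare GUID under AppData\\Local, duplicates dropped."""
    seen, hits = set(), []
    for e in entries:
        if "D" in e.attrs and GUID_DIR.search(e.path) and e.path.lower() not in seen:
            seen.add(e.path.lower())
            hits.append(e)
    return hits

def build_fix(hits: list[Entry]) -> str:
    """Emit the :OTL / :Commands layout used in the thread, one flagged line per entry."""
    body = "\n".join(e.raw for e in hits)
    return f":OTL\n{body}\n\n:Commands\n[emptytemp]\n[Reboot]\n"

# Constructed sample log (not from the thread): a GUID dir, its duplicate, a second GUID dir,
# a benign folder, and a file whose parent happens to be a GUID dir (not a dir itself).
SAMPLE_LOG = r"""
========== Folders Created Within 30 Days ==========
[2012/03/10 10:59:52 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{2EEA20C8-39EB-453B-9D2A-8D364CB105A9}
[2012/03/10 10:59:52 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{2EEA20C8-39EB-453B-9D2A-8D364CB105A9}
[2012/03/09 17:29:53 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\{A9765B12-ABBD-438E-AB7B-9D486293A0EE}
[2012/03/09 17:29:42 | 000,000,000 | ---D | C] -- C:\Users\Cure\AppData\Local\Temp
[2012/03/09 17:29:45 | 000,012,288 | ---- | C] -- C:\Users\Cure\AppData\Local\{A9765B12-ABBD-438E-AB7B-9D486293A0EE}\chrome.manifest
"""
```

    Running build_fix(suspicious_guid_dirs(parse_otl(SAMPLE_LOG))) yields a two-line :OTL section; the benign Temp folder and the file inside a GUID folder are left alone, so the fix stays scoped to the pattern being removed.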

    darkmata

    • Guest
    Re: infected with sirefef-ZEROACCESS
    « Reply #74 on: March 15, 2012, 04:15:14 PM »
    Hi jeffce

    here is the log