Author Topic: Got infected by Win32:Sirefef-HO


il_melo

  • Guest
Got infected by Win32:Sirefef-HO
« on: March 22, 2012, 11:47:31 AM »
Hi,
I recently got infected by Win32:Sirefef-HO, I tried to remove it using all the existing antimalwares without any success.
I saw on this forum some threads regarding the Win32:Sirefef-HO infection but I wasn't sure I could apply the steps described in my case as well.
Now I'm running all the scans described in this thread http://forum.avast.com/index.php?topic=53253.0 and I will post the logs, then could somebody help me?

thanks a lot

il_melo

  • Guest
Re: Got infected by Win32:Sirefef-HO
« Reply #1 on: March 22, 2012, 12:15:20 PM »
Malwarebytes log:

Malwarebytes Anti-Malware (Prova) 1.60.1.1000
www.malwarebytes.org

Versione database: v2012.03.22.02

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
en :: MELO-PORTATILE [amministratore]

Protezione: Disattivata

22/03/2012 11:39:17
mbam-log-2012-03-22 (11-39-17).txt

Tipo di scansione: Scansione veloce
Opzioni di scansione attive: Memoria | Esecuzione automatica | Registro | File system | Euristica/Extra | Euristica/Shuriken | PUP | PUM
Opzioni di scansione disattivate: P2P
Elementi esaminati: 233521
Tempo impiegato: 4 minuti, 50 secondi

Processi rilevati in memoria: 0
(non sono stati rilevati elementi nocivi)

Moduli di memoria rilevati: 0
(non sono stati rilevati elementi nocivi)

Chiavi di registro rilevate: 0
(non sono stati rilevati elementi nocivi)

Valori di registro rilevati: 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|MozillaAgent (Spyware.Sniffer) -> Dati: C:\Windows\Temp\_ex-68.exe -> Spostato in quarantena ed eliminato con successo.

Voci rilevate nei dati di registro: 0
(non sono stati rilevati elementi nocivi)

Cartelle rilevate: 0
(non sono stati rilevati elementi nocivi)

File rilevati: 2
C:\Windows\System32\abRCrx.com_ (Trojan.Agent) -> Spostato in quarantena ed eliminato con successo.
C:\Windows\SysWOW64\abRCrx.com_ (Trojan.Agent) -> Spostato in quarantena ed eliminato con successo.

(fine)

il_melo

  • Guest
Re: Got infected by Win32:Sirefef-HO
« Reply #2 on: March 22, 2012, 12:29:24 PM »
aswMBR logs:

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-03-22 12:21:24
-----------------------------
12:21:24.355    OS Version: Windows x64 6.1.7601 Service Pack 1
12:21:24.355    Number of processors: 8 586 0x1E05
12:21:24.355    ComputerName: MELO-PORTATILE  UserName: en
12:21:25.977    Initialize success
12:21:26.040    AVAST engine defs: 12030600
12:21:51.951    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
12:21:51.951    Disk 0 Vendor: WDC_WD50 01.0 Size: 476940MB BusType: 3
12:21:51.967    Disk 0 MBR read successfully
12:21:51.967    Disk 0 MBR scan
12:21:51.998    Disk 0 unknown MBR code
12:21:52.014    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS          199 MB offset 2048
12:21:52.029    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       456858 MB offset 409600
12:21:52.076    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS        19778 MB offset 936054784
12:21:52.092    Disk 0 Partition 4 00     0C    FAT32 LBA MSDOS5.0      103 MB offset 976560128
12:21:52.154    SubSystem.Windows: C:\Windows\system32\consrv.dll  **SUSPICIOUS**
12:21:52.154    Disk 0 scanning C:\Windows\system32\drivers
12:21:58.347    Service scanning
12:22:11.514    Modules scanning
12:22:11.514    Disk 0 trace - called modules:
12:22:11.560    ntoskrnl.exe CLASSPNP.SYS disk.sys hpdskflt.sys iaStor.sys hal.dll
12:22:11.560    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004d4a790]
12:22:11.560    3 CLASSPNP.SYS[fffff8800180143f] -> nt!IofCallDriver -> [0xfffffa8004c52a50]
12:22:11.576    5 hpdskflt.sys[fffff88001b95289] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8004b14050]
12:22:13.900    AVAST engine scan C:\Windows
12:22:17.566    AVAST engine scan C:\Windows\system32
12:22:29.892    File: C:\Windows\system32\consrv.dll  **INFECTED** Win32:Sirefef-HO [Rtk]
12:23:51.932    File: C:\Windows\assembly\GAC_32\Desktop.ini  **INFECTED** Win32:Sirefef-FQ [Drp]
12:23:54.163    File: C:\Windows\assembly\GAC_64\Desktop.ini  **INFECTED** Win32:Sirefef-HO [Rtk]
12:24:59.933    File: C:\Windows\assembly\temp\U\80000004.@  **INFECTED** Win64:ZAccess-A [Trj]
12:24:59.964    File: C:\Windows\assembly\temp\U\80000032.@  **INFECTED** Win32:DNSChanger-VJ [Trj]
12:25:00.915    AVAST engine scan C:\Windows\system32\drivers
12:25:13.021    AVAST engine scan C:\Users\en
12:25:56.873    Disk 0 MBR has been saved successfully to "C:\Users\en\Documents\Antivirus\rimuovi\MBR.dat"
12:25:56.873    The log file has been saved successfully to "C:\Users\en\Documents\Antivirus\rimuovi\aswMBR.txt"
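Added example, not part of the thread and not AVAST's own code: a small Python parser that turns aswMBR log lines like the ones above into structured findings, so a helper can see at a glance which verdicts (MBR, suspicious subsystem entry, infected files) and which malware families the scan reported. The sample lines are copied from the log above; the regexes are an assumption about the log layout, not a documented format.

```python
import re
from dataclasses import dataclass
from typing import List, Set

# Constructed sample: lines in aswMBR's layout, copied from the log posted above.
SAMPLE_LOG = """\
12:21:51.998    Disk 0 unknown MBR code
12:21:52.154    SubSystem.Windows: C:\\Windows\\system32\\consrv.dll  **SUSPICIOUS**
12:22:29.892    File: C:\\Windows\\system32\\consrv.dll  **INFECTED** Win32:Sirefef-HO [Rtk]
12:23:51.932    File: C:\\Windows\\assembly\\GAC_32\\Desktop.ini  **INFECTED** Win32:Sirefef-FQ [Drp]
12:24:59.933    File: C:\\Windows\\assembly\\temp\\U\\80000004.@  **INFECTED** Win64:ZAccess-A [Trj]
12:25:13.021    AVAST engine scan C:\\Users\\en
"""

@dataclass
class Finding:
    time: str
    kind: str        # "INFECTED", "SUSPICIOUS" or "MBR"
    path: str        # file path, or "Disk N" for an MBR verdict
    detection: str   # e.g. "Win32:Sirefef-HO [Rtk]"; empty when the scanner gave none

# Assumed layout: "HH:MM:SS.mmm<spaces>message"; not a documented format.
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3})\s+(.*)$")
VERDICT_RE = re.compile(
    r"^(?:File|SubSystem\.\w+):\s+(.*?)\s+\*\*(INFECTED|SUSPICIOUS)\*\*\s*(.*)$")
FAMILY_RE = re.compile(r"^\w+:([A-Za-z]+)")   # "Win32:Sirefef-HO" -> "Sirefef"

def parse_aswmbr(text: str) -> List[Finding]:
    """Keep only the lines that carry a verdict; ignore progress/trace lines."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, msg = m.groups()
        if msg.endswith("unknown MBR code"):
            findings.append(Finding(ts, "MBR", msg[: -len(" unknown MBR code")], "unknown MBR code"))
            continue
        v = VERDICT_RE.match(msg)
        if v:
            path, kind, det = v.groups()
            findings.append(Finding(ts, kind, path, det.strip()))
    return findings

def families(findings: List[Finding]) -> Set[str]:
    """Malware families named in the detections, for a one-line triage summary."""
    return {m.group(1) for f in findings
            for m in [FAMILY_RE.match(f.detection)] if m}
```

Calling `families(parse_aswmbr(SAMPLE_LOG))` on the sample gives the two families the log above names, Sirefef and ZAccess.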

jeffce

  • Guest
Re: Got infected by Win32:Sirefef-HO
« Reply #3 on: March 22, 2012, 03:46:00 PM »
Hi,

Have you had a chance to run OTL yet as well?  If not please do so and post the logs.  :)

il_melo

  • Guest
Re: Got infected by Win32:Sirefef-HO
« Reply #4 on: March 22, 2012, 04:59:15 PM »
Yes, but the log is too big and I can't upload it. Now I'm trying to split it into smaller files and I'll upload it.

Thanks

il_melo

  • Guest
Re: Got infected by Win32:Sirefef-HO
« Reply #5 on: March 22, 2012, 05:13:42 PM »
Since I can't upload it on the forum I used mediafire.
Here you have the link to the file: http://www.mediafire.com/?a2edzciaw3ldtdu

jeffce

  • Guest
Re: Got infected by Win32:Sirefef-HO
« Reply #6 on: March 22, 2012, 05:15:25 PM »
Thank you.  That was what I would have had you do anyway.  :)  I will return shortly.

jeffce

  • Guest
Re: Got infected by Win32:Sirefef-HO
« Reply #7 on: March 22, 2012, 05:18:49 PM »
Hi,

Download Combofix from either of the links below, and save it to your desktop.
Link 1
Link 2

**Note:  It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

--------------------------------------------------------------------

  • Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt for further review.

il_melo

  • Guest
Re: Got infected by Win32:Sirefef-HO
« Reply #8 on: March 22, 2012, 06:29:42 PM »
Ok, this is the log from Combofix

http://www.mediafire.com/?6j0b9q8ndhe5nbo

jeffce

  • Guest
Re: Got infected by Win32:Sirefef-HO
« Reply #9 on: March 22, 2012, 09:18:32 PM »
Hi,
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
Code:
ClearJavaCache::

AtJob::

File::
c:\windows\system32\dds_trash_log.cmd
C:\Windows\SysNative\vds.dll
C:\ProgramData\4AicM5Uyn.dat
C:\Users\en\AppData\Local\9e7168ec
C:\Users\en\AppData\Roaming\ba24d031
C:\ProgramData\22cd857d

Netsvc::
kbstuff

Driver::
kbstuff
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------

jeffce

  • Guest
Re: Got infected by Win32:Sirefef-HO
« Reply #10 on: March 25, 2012, 04:06:27 PM »
Hi,

Do you still need help?  :)