ComboFix Question

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by chrisski, Oct 29, 2011.

  1. chrisski

    chrisski Private E-2

    I have completed the first two steps of the malware removal procedures and have now moved on to the ComboFix step. It says to disable all AV programs. However, I am worried to do so. My computer has a virus that is generating the sirefef.J virus every 60 seconds or so. However, my Microsoft Security Essentials deletes it every time it is generated. Thus, my computer performance has not been affected at all and I am still able to run the necessary removal programs. I have had viruses in the past that have made the computer inoperable, and I worry that disabling MSE might allow this sirefef.J virus to do just that. What should I do? Thanks.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    You can try leaving MSE enabled and running ComboFix anyway; however, if it somehow interferes with proper operation of ComboFix you will have to disable MSE. MSE is not removing the infection anyway.
     
  3. chrisski

    chrisski Private E-2

    Thanks. I decided to leave it up to be safe. I have all my logs ready, but am not sure if I should make a new thread. I will post them here, but please let me know if a new thread is needed.

    The only real issue I ran into with any of these tests is that ComboFix could not update my system restore point.

    My computer appears to be virus free and is running well. But here are the logs, just to make sure all is well. Thanks so much!!
     


  4. chrisski

    chrisski Private E-2

    Here is the last file.
     


  5. chrisski

    chrisski Private E-2

  6. thisisu

    thisisu Malware Consultant

    You had a rootkit known as Max++/Sirefef/ZeroAccess. Some traces remain.

    You have two AVs installed:
    • Microsoft Security Essentials
    • Panda Cloud Antivirus
    Choose one to keep and then uninstall the other.

    If you choose to remove Panda AV, also uninstall these:
    • Panda Security Toolbar
    • Panda Security URL Filtering

    From Programs and Features (via Control Panel), please uninstall the below:
    • Java(TM) 6 Update 16
    • Java(TM) 6 Update 18

    Please download Disable/Remove Windows Messenger by Doug Knox to your desktop.
    • See the download links under this icon:
    • Double-click MessengerDisable.exe
    • Place a check-mark in Uninstall Windows Messenger
    • Click Apply
    • Click Exit

    Now we need to make use of ComboFix by sUBs
    • Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop but do not run it!
      • If it is not on your desktop, the below will not work.
    • Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    • Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    ClearJavaCache::
    File::
    C:\WINDOWS.0\685997021
    Folder::
    C:\Documents and Settings\Administrator.CHRISTIA-CC271E\Local Settings\Application Data\dd7be328
    C:\Documents and Settings\Administrator.CHRISTIA-CC271E\Local Settings\temp\is1598539481
    C:\Documents and Settings\Administrator.CHRISTIA-CC271E\Local Settings\temp\nse13.tmp
    C:\Documents and Settings\Administrator.CHRISTIA-CC271E\Local Settings\temp\nsh7.tmp
    RegLock::
    [HKEY_USERS\S-1-5-21-1547161642-299502267-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
       d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,46,79,97,31,e6,50,0d,41,9b,fa,16,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
       d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,46,79,97,31,e6,50,0d,41,9b,fa,16,\
    
    • Save the above as CFScript.txt and make sure you save it to the same location (should be on your desktop) as ComboFix.exe
    • At this point, you must exit all browsers now before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your desktop.
    • Now use your mouse to drag CFScript.txt on top of ComboFix.exe.
    • This shall launch ComboFix.
      Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    • Allow ComboFix to update itself if prompted.
    • When it finishes, a log will be produced at C:\ComboFix.txt
      Note: If after running ComboFix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.
    • Attach this log to your next message. (How to attach items to your post)

    Now we need to run TDSSKiller by Kaspersky
    Follow the instructions here and attach your log when you are finished. (How to attach items to your post)


    Please download MBRCheck by GeeksToGo to your desktop.
    See the download links under this icon
    • Double click MBRCheck.exe to run (Vista and Win7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (How to attach items to your post)

    Please download Win32kDiag to the root of your C:\ drive. It must be saved here or the below will not work!
    • Now press and hold the Windows key on your keyboard, then press the letter r on your keyboard.
    • This opens the Run dialog box.
    • Then copy the below bold text and paste it into the Open: text-field and press ENTER.
      C:\win32kdiag.exe -f -r
    • When it's finished, there will be a log called Win32kDiag.txt on your desktop.
    • Attach this log to your next message. (How to attach items to your post)



    Download Junction by Mark Russinovich to your desktop.
    • Extract junction.exe to your desktop.
    • Now press and hold the Windows key on your keyboard, then press the letter r on your keyboard.
    • This opens the Run dialog box.
    • Then copy the below bold text and paste it into the Open: text-field and press ENTER.
      cmd /c %userprofile%\desktop\junction -s c:\ >%userprofile%\desktop\junction.txt
    • When it's finished, there will be a log called junction.txt on your desktop.
    • Attach this log to your next message. (How to attach items to your post)

    Now install the current version of Sun Java from: Sun Java Runtime Environment

    Now run C:\MGtools\GetLogs.bat by double-clicking it (Vista and Win7 right-click and select Run as Administrator)
    Then attach C:\MGlogs.zip to your next message. (How to attach items to your post)
    Notes:
    • This will automatically update all the logs inside MGlogs.zip
    • Make sure you click Accept on the License Agreement from Trend Micro HiJackThis - v2.0.4 twice if prompted.

    LET ME KNOW HOW THE PC IS RUNNING AFTER YOU HAVE COMPLETED THESE STEPS
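
The MBRCheck step above reports either "Done!" or "Found non-standard or infected MBR"; that verdict rests on comparing sector 0's boot code against known-good vendor code and sanity-checking the partition table. The block below is an added example, not part of this thread and not MBRCheck's own code: it decodes a 512-byte MBR and applies those checks to constructed sample sectors. CLEAN_BOOTCODE, the partition layouts, the 0x1234ABCD disk signature and the KNOWN_BOOTCODE allow-list are all assumptions made up for the demonstration; on a real machine you would read sector 0 with a raw disk read and keep an allow-list of the vendor boot-stub hashes you expect.

```python
"""Decode a 512-byte MBR and apply the checks behind a verdict such as
"Found non-standard or infected MBR": boot signature, boot-code hash against
an allow-list, partition-table sanity.

Added example, not MBRCheck's code. CLEAN_BOOTCODE, the partition layouts and
KNOWN_BOOTCODE are constructed here; the allow-list hash is of the constructed
stub, not of real Windows boot code.
"""
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 440       # boot code; bytes 440-443 hold the NT disk signature
PTABLE_OFF = 446         # four 16-byte partition entries
SIG_OFF = 510            # 0x55 0xAA
ENTRY = "<B3xB3xII"      # status, CHS (skipped), type, CHS (skipped), LBA start, sector count


def parse_mbr(sector):
    """Return the fields a checker needs; raises on a wrong-sized buffer."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly %d bytes" % SECTOR)
    partitions = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(ENTRY, sector, PTABLE_OFF + 16 * i)
        if ptype == 0:           # empty slot
            continue
        partitions.append({"index": i, "active": status == 0x80, "type": ptype,
                           "lba_start": lba, "sectors": count})
    return {
        "valid_signature": sector[SIG_OFF:SIG_OFF + 2] == b"\x55\xaa",
        "disk_signature": struct.unpack_from("<I", sector, BOOTCODE_LEN)[0],
        "bootcode_sha256": hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def assess(sector, known_bootcode):
    """Return findings (empty list = looks standard) for one MBR against an allow-list."""
    info = parse_mbr(sector)
    findings = []
    if not info["valid_signature"]:
        findings.append("missing 0x55AA boot signature")
    if info["bootcode_sha256"] not in known_bootcode:
        findings.append("boot code hash not in allow-list (possible bootkit)")
    active = [p for p in info["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append("%d active partitions, expected exactly 1" % len(active))
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"], p["index"])
                   for p in info["partitions"])
    for (s1, e1, i1), (s2, e2, i2) in zip(spans, spans[1:]):
        if s2 < e1:
            findings.append("partition %d overlaps partition %d" % (i2, i1))
    return findings


def build_mbr(bootcode, partitions, disk_sig=0x1234ABCD, signature=b"\x55\xaa"):
    """Assemble a sector from parts (constructed test data, not a disk read)."""
    sector = bytearray(bootcode.ljust(BOOTCODE_LEN, b"\x00")[:BOOTCODE_LEN])
    sector += struct.pack("<I", disk_sig) + b"\x00\x00"
    for status, ptype, lba, count in partitions:
        sector += struct.pack(ENTRY, status, ptype, lba, count)
    sector += b"\x00" * (16 * (4 - len(partitions)))
    sector += signature
    return bytes(sector)


# Constructed stand-in for a vendor boot stub (a real stub is 440 bytes of x86).
CLEAN_BOOTCODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8\xbe\x00\x7c\xbf\x00\x06"
KNOWN_BOOTCODE = {hashlib.sha256(CLEAN_BOOTCODE.ljust(BOOTCODE_LEN, b"\x00")).hexdigest()}

CLEAN_MBR = build_mbr(CLEAN_BOOTCODE, [(0x80, 0x07, 2048, 204800)])
# Tampered: foreign boot code plus a second "active" slot that overlaps the first.
EVIL_MBR = build_mbr(b"\xfa\x31\xc0\x8e\xd8" + b"\x90" * 30,
                     [(0x80, 0x07, 2048, 204800), (0x80, 0x07, 100000, 50000)])

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("tampered", EVIL_MBR)):
        print(name, assess(mbr, KNOWN_BOOTCODE) or ["no findings"])
```

Run stand-alone it reports no findings for the clean sector and three for the tampered one (foreign boot code, two active partitions, overlapping entries). A usable allow-list needs one hash per Windows or OEM boot stub you expect to meet, which is why the tool's log is reviewed by a person rather than acted on automatically.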
     
  7. chrisski

    chrisski Private E-2

    My computer is running great (actually faster than before the virus). My logs are attached. Junction wouldn't run. A black screen would pop up for .5 seconds and disappear. Also, I completely uninstalled (via add/remove programs) my MSE, however combofix still detected it...

    Thank you so much for your help. I have two other quick questions. Let me know if I should ask these elsewhere...

    1. Is there a specific antivirus program you recommend?

    2. I plan to buy a new computer soon (Windows 7) and am curious what I should do to maximize security (in addition to having a firewall/antivirus). I imagine some of these steps, like disabling windows messenger, etc, were precautionary security measures. If this makes no sense I apologize.

    Thanks!
     


  8. chrisski

    chrisski Private E-2

    MGLogs...
     


  9. thisisu

    thisisu Malware Consultant

    Glad to hear it :)

    Here's a fix for that; it is optional.

    Now we need to make use of ComboFix by sUBs
    • Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop but do not run it!
      • If it is not on your desktop, the below will not work.
    • Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    • Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    Driver::
    MpKsl0336c5e8
    MpKsl07793078
    MpKsl0978f877
    MpKsl0d79eb7d
    MpKsl1090d1fe
    MpKsl130916c3
    MpKsl1357e478
    MpKsl148e5ae4
    MpKsl16657be6
    MpKsl173a6356
    MpKsl180789ac
    MpKsl18939800
    MpKsl1ab6836a
    MpKsl1c72f5ba
    MpKsl1d1b321c
    MpKsl206cdc43
    MpKsl224731ce
    MpKsl250eaabd
    MpKsl25be9356
    MpKsl25ce6910
    MpKsl28e182ea
    MpKsl2a39c6d6
    MpKsl2dce4051
    MpKsl30117146
    MpKsl3034299d
    MpKsl32169b0f
    MpKsl3597911a
    MpKsl37f85176
    MpKsl40e2c5b5
    MpKsl4155ade3
    MpKsl427a8b30
    MpKsl43deb064
    MpKsl47212347
    MpKsl4ac9387b
    MpKsl4d35e64d
    MpKsl4ef6a7bc
    MpKsl538d7f27
    MpKsl552f90cc
    MpKsl557284e9
    MpKsl5e46bc01
    MpKsl5f9fb1e7
    MpKsl604f73da
    MpKsl645b0046
    MpKsl6d599a01
    MpKsl6ec23e4a
    MpKsl710eaa9b
    MpKsl7156b284
    MpKsl7365b67d
    MpKsl73cf0fbd
    MpKsl742ccdd3
    MpKsl74c49785
    MpKsl75f7cf5d
    MpKsl769ab26b
    MpKsl7a2849b7
    MpKsl7a3826f3
    MpKsl7bf83954
    MpKsl7c0fc083
    MpKsl7cc2d0e1
    MpKsl7d30ffda
    MpKsl82dedfba
    MpKsl83559844
    MpKsl84f6dbdf
    MpKsl855ef27e
    MpKsl8578284c
    MpKsl8bd87dc0
    MpKsl8d0b9a9f
    MpKsl8d19d8b3
    MpKsl90a07e74
    MpKsl91205dad
    MpKsl92e447d1
    MpKsl93f020b6
    MpKsl93f477c0
    MpKsl958c05a3
    MpKsl96f65206
    MpKsl9af3a9ea
    MpKsl9e78c58a
    MpKsla03ac2f1
    MpKsla0efeec1
    MpKsla2118457
    MpKsla8559b38
    MpKslaa59f8b9
    MpKslaa9bd531
    MpKslac768f86
    MpKslb648b5b2
    MpKslbb31744c
    MpKslbc2be509
    MpKslbffd15a6
    MpKslc2d5da52
    MpKslc4eac3a2
    MpKslc8446489
    MpKslcb25244d
    MpKslcbe4538b
    MpKsld0ffa6b8
    MpKsld2dc0b17
    MpKsld2e60a6e
    MpKsld592ed99
    MpKsld6cc2d97
    MpKsld8942b55
    MpKsle07b5dd1
    MpKsle34b4adf
    MpKsle379e17d
    MpKsle4764c84
    MpKsle6131c73
    MpKsle6e67b26
    MpKsle7e8f995
    MpKsle7fbf571
    MpKslea89413b
    MpKsleab5b1d5
    MpKslec05d55a
    MpKsled100418
    MpKslef39f583
    MpKslf107109e
    MpKslf1078280
    MpKslf2f09f76
    MpKslf57cad70
    MpKslf90eb34b
    File::
    C:\Documents and Settings\Administrator.CHRISTIA-CC271E\Local Settings\temp\1wlXmYbT.exe.part
    C:\Documents and Settings\Administrator.CHRISTIA-CC271E\Local Settings\temp\X0vJkjH9.exe.part
    Folder::
    c:\documents and settings\All Users.WINDOWS.0\Application Data\Microsoft\Microsoft Antimalware\Definition Updates
    SecCenter::
    AV: Microsoft Security Essentials *Enabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    
    • Save the above as CFScript.txt and make sure you save it to the same location (should be on your desktop) as ComboFix.exe
    • At this point, you must exit all browsers now before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your desktop.
    • Now use your mouse to drag CFScript.txt on top of ComboFix.exe.
    • This shall launch ComboFix.
      Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    • Allow ComboFix to update itself if prompted.
    • When it finishes, a log will be produced at C:\ComboFix.txt
      Note: If after running ComboFix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.
    • Attach this log to your next message. (How to attach items to your post)

    Free -> Ad-Aware -> Download Link
    Paid -> NOD32 -> Home Page
    Note: You should only run one Anti-Virus.

    Read the following: How to protect yourself from malware

    The rest of your logs are clean.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis if it is present
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
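
Both CFScripts in this thread (the File/Folder/RegLock script in reply 6 and the long MpKsl Driver list in reply 9) use the same layout: a directive name ending in `::` on its own line, followed by the entries it applies to, with exported registry hex values continued on indented lines. Below is an added example, not ComboFix's code and not from the thread, that parses that layout and lints the result before the file is dragged onto ComboFix.exe. The SAMPLE script (a trimmed mix of entries shaped like the thread's, with a generic profile name), the PROTECTED list and the lint rules are constructed for illustration; the MpKsl regex assumes the 8-hex-digit suffix seen in the thread's list.

```python
"""Parse and sanity-check a ComboFix CFScript.txt before dragging it onto ComboFix.exe.

Added example, not ComboFix's own code. The directive names (KillAll::, ClearJavaCache::,
File::, Folder::, Driver::, RegLock::, SecCenter::) are the ones used in the two scripts
posted in this thread; the checks, the PROTECTED list and the SAMPLE script are
constructed here for illustration.
"""
import re
from collections import OrderedDict

DIRECTIVE = re.compile(r"^([A-Za-z]+)::$")
# Directives that take no entries in the posted scripts.
BARE = {"KillAll", "ClearJavaCache"}
# Transient kernel-driver service names Microsoft Security Essentials registers for
# its scan sessions; the thread's second script lists over a hundred leftovers.
MPKSL = re.compile(r"^MpKsl[0-9a-f]{8}$")
# Folders a File:: or Folder:: directive must never name outright (assumption: a
# reviewer's own list, not something ComboFix enforces).
PROTECTED = {r"c:\windows\system32", r"c:\windows\system32\drivers", r"c:\windows\syswow64"}


def parse_cfscript(text):
    """Return OrderedDict directive -> list of entry strings.

    Indented lines that follow an entry ending in ',' or '\\' are .reg-style
    continuation lines (see the RegLock:: hex values in the thread) and are
    joined onto that entry.
    """
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = DIRECTIVE.match(raw.strip())
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError("entry before any directive: %r" % raw)
        entries = sections[current]
        if raw[0].isspace() and entries and entries[-1].endswith((",", "\\")):
            entries[-1] = entries[-1].rstrip("\\") + raw.strip()
        else:
            entries.append(raw.strip())
    return sections


def lint(sections):
    """Return human-readable warnings; an empty list means nothing looked risky."""
    warnings = []
    for directive, entries in sections.items():
        if directive in BARE and entries:
            warnings.append("%s:: takes no entries but has %d" % (directive, len(entries)))
        if directive in ("File", "Folder"):
            for path in entries:
                norm = path.lower().rstrip("\\")
                parts = [p for p in norm.split("\\") if p]
                if len(parts) < 3:
                    warnings.append("%s:: %r is at drive-root depth; review before deleting"
                                    % (directive, path))
                elif norm in PROTECTED:
                    warnings.append("%s:: %r is a protected folder" % (directive, path))
        if directive == "Driver":
            n = sum(1 for s in entries if MPKSL.match(s))
            if n:
                warnings.append("Driver:: removes %d MpKsl* entries (MSE scan-session "
                                "drivers; expected only once MSE itself is gone)" % n)
    return warnings


# Constructed sample in the thread's layout (profile name and hex value shortened).
SAMPLE = r"""
KillAll::
ClearJavaCache::
File::
C:\WINDOWS.0\685997021
Folder::
C:\Documents and Settings\Administrator\Local Settings\Application Data\dd7be328
C:\Windows
C:\Windows\System32
Driver::
MpKsl0336c5e8
MpKsl07793078
RegLock::
[HKEY_USERS\S-1-5-21-1547161642-299502267-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E1"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00
SecCenter::
AV: Microsoft Security Essentials *Enabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
"""

if __name__ == "__main__":
    parsed = parse_cfscript(SAMPLE)
    for directive, entries in parsed.items():
        print("%-14s %d entries" % (directive + "::", len(entries)))
    for w in lint(parsed):
        print("WARNING:", w)
```

The two posted scripts would parse with no warnings apart from the MpKsl count; the sample deliberately adds a top-level `C:\Windows` and `C:\Windows\System32` under Folder:: to show what the lint catches. Keep the file name CFScript.txt and the same folder as ComboFix.exe, as the instructions above require.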
     
