azzael321

  1. Thank you for your time and help. You are awesome.

  2. I think you got it. Looks good like before, but this time no more threat alerts after restart. Did another scan after restart and no threats found. I guess I should set up a restore mark at this point. Thank you very much for your help and your time!
  3. And here is the MBAM scan
     Database version: v2012.08.14.05
     Windows 7 x64 NTFS
     Internet Explorer 9.0.8112.16421
     ADraghici :: ADRAGHICI2 [administrator]
     Protection: Disabled
     8/14/2012 1:05:03 PM
     mbam-log-2012-08-14 (13-05-03).txt
     Scan type: Quick scan
     Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
     Scan options disabled: P2P
     Objects scanned: 296282
     Time elapsed: 2 minute(s), 1 second(s)
     Memory Processes Detected: 0 (No malicious items detected)
     Memory Modules Detected: 0 (No malicious items detected)
     Registry Keys Detected: 0 (No malicious items detected)
     Registry Values Detected: 0 (No malicious items detected)
     Registry Data Items Detected: 0 (No malicious items detected)
     Folders Detected: 0 (No malicious items detected)
     Files Detected: 0 (No malicious items detected)
     (end)
  4. Ok will do. Also ComboFix put 3 files in a Quarantine folder. Should I delete those?
  5. Done. It found 2 suspicious threats which I skipped. I think they're ok, I recognized both of them. TDSSKiller.2.8.6.0_14.08.2012_11.20.49_log.txt
  6. Done. Please see fixlog attached. Fixlog.txt
  7. Hi MrCharlie, thanks for the quick reply. Please see attached the report. Seems to have found ZeroAccess. Note those dalnet hosts entries are kosher, I put those in.
     RogueKiller V7.6.6 [08/10/2012] by Tigzy
     mail: tigzyRK<at>gmail<dot>com
     Feedback: http://www.geekstogo...13-roguekiller/
     Blog: http://tigzyrk.blogspot.com
     Operating System: Windows 7 (6.1.7600 ) 64 bits version
     Started in : Normal mode
     User: ADraghici [Admin rights]
     Mode: Scan -- Date: 08/14/2012 09:49:55
     ¤¤¤ Bad processes: 0 ¤¤¤
     ¤¤¤ Registry Entries: 5 ¤¤¤
     [DNS] HKLM\[...]\ControlSet001\Parameters\Interfaces\{65D10027-0771-4DBE-971A-F509A8562C9F} : NameServer (10.1.1.10,192.168.1.7) -> FOUND
     [DNS] HKLM\[...]\ControlSet002\Parameters\Interfaces\{65D10027-0771-4DBE-971A-F509A8562C9F} : NameServer (10.1.1.10,192.168.1.7) -> FOUND
     [HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
     [HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
     [HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
     ¤¤¤ Particular Files / Folders: ¤¤¤
     [ZeroAccess][FILE] @ : c:\users\adraghici\appdata\local\{cc807c63-8f1d-f95b-7808-43b7928c1759}\@ --> FOUND
     [ZeroAccess][FOLDER] U : c:\users\adraghici\appdata\local\{cc807c63-8f1d-f95b-7808-43b7928c1759}\U --> FOUND
     [ZeroAccess][FOLDER] L : c:\users\adraghici\appdata\local\{cc807c63-8f1d-f95b-7808-43b7928c1759}\L --> FOUND
     ¤¤¤ Driver: [NOT LOADED] ¤¤¤
     ¤¤¤ Infection : ZeroAccess ¤¤¤
     ¤¤¤ HOSTS File: ¤¤¤
     10.1.1.10 dalnetca
     192.168.1.2 dalnet
     ¤¤¤ MBR Check: ¤¤¤
     +++++ PhysicalDrive0: ST31000528AS ATA Device +++++
     --- User ---
     [MBR] 1834908372dd965172afef95aa0f0181
     [bSP] 989d61b6697a8cbd7432b81bae30b738 : Windows 7 MBR Code
     Partition table:
     0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
     1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 492696 Mo
     2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 1009248256 | Size: 461070 Mo
     User = LL1 ... OK!
     User = LL2 ... OK!
     Finished : << RKreport[1].txt >>
     RKreport[1].txt
  8. Hi, Was recently infected with a version of trojan.sirefef. As soon as it happened I disconnected from the internet and restored the win 7 to an earlier state (I have win 7 64). Then it appears the installed trojan programs were gone and no more spamming. After that I ran MSE and found one more entry of trojan.sirefef. Deleted successfully, then rebooted. Plugged network cable back in, installed Malwarebytes, updated and ran a scan. Found one problem which it successfully removed. Then rebooted again. Now after reboot another sirefef infection is found which again, successfully deleted. I think it's a root problem, which means computer still infected and starts again after every reboot. Currently have no symptoms, spamming gone, running fast and normal, but those infections keep being detected, it's def. not normal. Also ran an FRST diagnostic, which I attached if helpful. Also ran a HijackThis instance which had it analyzed and didn't find any problems there. Anyone with more experience willing to take a look at the logs for me? Would appreciate it! Attach.txt DDS.txt FRST.txt Search.txt