cleaning sirefef-FQ, error running aswMBR

I am trying to clean a machine that initially reported having sirefef-FQ. I was following the instructions from this forum at:
http://forum.avast.com/index.php?topic=53253.0

When I ran aswMBR it gave the following dialog
aswMBR.exe – entry point not found
The procedure entry point aswscnGetVirusID could not be located in the dynamic link library aswScan.dll

I Clicked OK and it downloaded Avast for scanning
After download, it repeats the message above
The log says Initialize success followed by
AVAST engine error: 2

When the scan runs it reports:
SuSystem.windows: c:\windows\system32\consrv.dll SUSPICIOUS
It does not appear to find any other errors.

Is aswMBR.exe running properly if the entry point is not found? What should I do about the suspicious consrv.dll entry?

Any information and advice is greatly appreciated.

Any information and advice is greatly appreciated
well.....you found the guide.... so the advice would be to attach (not copy and paste) the logs from Malwarebytes / OTL / aswMBR

then you will get help from a trained and certified malware remover

the aswMBR problem may be a result of the infection?

Monitoring

Hello. Thank you for the reply. The logs are attached. I think that it may take two uploads. The last attempt says that the files are too large

This is a continuation of the upload from the previous post.

OK let's get at it

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
File:: C:\Windows\SysNative\enum1394.dll

NetSvc::
MSMQTriggers

Driver::
MSMQTriggers

Save this as CFScript.txt, in the same location as ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Thank you for your help. I ran comboFix. It produced a log that indicated that some problems were fixed. But to be honest, I don’t understand all of what is in the log. Has the malware/virus been cleaned out of the computer or is there more that I need to do? The Combofix log is attached.

A few more pieces to kill… On completion of this can you let me know what problems remain

Warning: This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run
To disable MBAM
Open the scanner and select the protection tab
Remove the tick from “Start with Windows”
Reboot and then run OTL

http://i1224.photobucket.com/albums/ee362/Essexboy3/mbamstop.jpg

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
IE - HKLM\..\SearchScopes,DefaultScope = {afdbddaa-5d3f-42ee-b79c-185a7020515b}
IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2233703
IE - HKU\S-1-5-21-4065879505-1619725938-3682193580-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource=10&ctid=CT2233703
IE - HKU\S-1-5-21-4065879505-1619725938-3682193580-1000\..\URLSearchHook: {09ec805c-cb2e-4d53-b0d3-a75a428b81c7} - No CLSID value found
IE - HKU\S-1-5-21-4065879505-1619725938-3682193580-1000\..\SearchScopes,DefaultScope = {67A2568C-7A0A-4EED-AECC-B5405DE63B64}
IE - HKU\S-1-5-21-4065879505-1619725938-3682193580-1000\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2233703
FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2233703&SearchSource=3&q={searchTerms}"
FF - prefs.js..browser.startup.homepage: "http://search.conduit.com/?ctid=CT2233703&SearchSource=13"
[2011/01/17 15:41:56 | 000,000,925 | ---- | M] () -- C:\Users\Mojique\AppData\Roaming\Mozilla\Firefox\Profiles\aa9ngjrk.default\searchplugins\conduit.xml
O20 - Winlogon\Notify\axsefda: DllName - (C:\Windows\system32\config\systemprofile\AppData\Local\axsefda.dll) - C:\Windows\SysWOW64\config\systemprofile\AppData\Local\axsefda.dll ()
@Alternate Data Stream - 55919 bytes -> C:\ProgramData:$SS_DESCRIPTOR_PVX2VCGFMVF9V8N4TKBRVDNGCM1LH4M48WDP46MVVGVKVFJVPJVD

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
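The OTL fix above removes three kinds of artefact: a Winlogon\Notify DLL loaded from a systemprofile AppData path, an alternate data stream hanging off C:\ProgramData, and (from the aswMBR scan earlier) a suspicious consrv.dll in System32. The read-only triage script below is an added example, not something posted in this thread or shipped with OTL or aswMBR; it assumes Windows PowerShell 3.0 or later run from an elevated prompt, reports what it finds and changes nothing, so it can be run before and after a fix to confirm the artefacts are gone.

```powershell
# Added example: read-only check for the persistence points the OTL fix targets.
# Assumes Windows PowerShell 3.0+ (needed for -Stream) run elevated. Reports only.

function Test-WinlogonNotify {
    # Legitimate Notify DLLs are bare names or paths under %SystemRoot%\System32.
    # A DllName pointing into a user or systemprofile AppData folder (as axsefda.dll
    # did in the fix above) is reported.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (-not (Test-Path $key)) { return @() }
    $sys32 = [regex]::Escape("$env:SystemRoot\System32\")
    Get-ChildItem $key | ForEach-Object {
        $dll = (Get-ItemProperty $_.PSPath).DllName
        if ($dll -and $dll -match '\\' -and $dll -notmatch "^(%SystemRoot%\\System32\\|$sys32)[^\\]+\.dll$") {
            [pscustomobject]@{ Check = 'WinlogonNotify'; Name = $_.PSChildName; Value = $dll }
        }
    }
}

function Test-ProgramDataStreams {
    # The fix deleted a 55919-byte stream named $SS_DESCRIPTOR_... on C:\ProgramData.
    # Any named stream on that directory is reported with its size.
    Get-Item -Path "$env:ProgramData" -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            [pscustomobject]@{ Check = 'AlternateDataStream'; Name = $_.Stream; Value = $_.Length }
        }
}

function Test-SystemDllSignature {
    # aswMBR flagged c:\windows\system32\consrv.dll. A file at that path that is
    # present but does not carry a valid Authenticode signature is reported.
    param([string]$Path = "$env:SystemRoot\System32\consrv.dll")
    if (-not (Test-Path $Path)) { return @() }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        [pscustomobject]@{ Check = 'UnsignedSystemDll'; Name = $Path; Value = $sig.Status }
    }
}

# Run all three checks and print one row per finding (no rows means nothing found).
& { Test-WinlogonNotify; Test-ProgramDataStreams; Test-SystemDllSignature } | Format-Table -AutoSize
```

Other OTL lines in the fix (the search-scope and Firefox prefs entries) are browser settings rather than persistence and are left to the OTL log itself.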

Thanks for the ongoing support. I’ve attached the OTL file. Note I added OTL log to the filename to make sure I could find it.

Big question now… How is the computer behaving ?

I haven’t done much since these fixes were made. It seems fine. But I don’t know what was wrong in the first place. It is my son’s computer and he didn’t mention any problem except with the graphics when he plays games, and I suspect this is a problem with the graphics card and not a virus. Are there viruses/malware that make graphics flicker when playing games? This seems to be a continuing problem. The only reason I noticed that there was a virus is that his AVAST was not updated and it was turned off, and when I turned it on, the scan found some problems. So I don’t know what problem I should be looking for. I can run programs and reboot. And Windows Update is asking to be updated. I will do this now. If that leads to any problem, I will let you know.

Thanks again.

Allow Windows to update, also check for any other problems

You may have a video driver problem, so an update may cure it