Infected: win32:Sirefef-PL [Rtk] - Help Please

Hello Forum,

I detected a problem file through Avast! about 2 weeks ago after I had noticed that my Microsoft Security Essentials had been failing to update. I downloaded avast to change my protection and the first full scan detected the seemingly popular win32:Sirefef-PL [Rtk]. It was located at C:\Windows\assembly\GAC32\desktop.ini and also C:\Windows\assembly\GAC64\desktop.ini. My original attempts to move the infected files to the chest failed and so did my attempts to delete them. I ran my computer in safe mode and went offline to attempt a scan, and this time I was successful in moving the infected files to the chest and then deleting them.

I spent some time researching the virus and searching for possible ways of removal, and even now that I have removed the discovered files I feel as though my computer certainly is still infected. Through research and fiddling around I believe I may have actually been infected back on January 10th and failed to notice until a week or two ago when I had a barrage of pop ups and noticed that my windows firewall had been refusing to turn on and protect my computer. I also had a popup that would surface every time I tried to run a MSE scan that would force restart my computer. I have frequently used malwarebytes and MSE throughout this computer’s life, but I never found anything infected until I switched to avast (kudos). Now that I have removed the files and avast scans do not detect any problems I still feel as though my computer is infected. Throughout the last 6 or so months while I believe I have been infected my CD-ROM drive has gone bad (who knows if it is related or not), so while I have decided I wanted to do a hard format and OS re-install I cannot do so because my install CD cannot be read by my computer. It is quite the fail boat!

Would it be alright if I simply posted some logs for a sense of security from you great minds? I have tried to follow forum guidelines on how to best aid you in this process. P.S. I am currently running avast, RUBotted, and PrivateFirewall as my protection if that is relevant information. Logs are either posted or attached! Thank you!

-Derek

Malwarebytes:
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.24.12

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
owner :: OWNER-PC [administrator]

7/24/2012 5:44:00 PM
mbam-log-2012-07-24 (17-44-00).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 194048
Time elapsed: 3 minute(s), 5 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

aswMBR

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-07-24 18:47:35

18:47:35.512 OS Version: Windows x64 6.1.7601 Service Pack 1
18:47:35.512 Number of processors: 1 586 0x170A
18:47:35.514 ComputerName: OWNER-PC UserName: owner
18:47:36.973 Initialize success
18:47:37.509 AVAST engine defs: 12071700
18:47:50.236 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-0
18:47:50.239 Disk 0 Vendor: FUJITSU_MJA2320BH_G2 8919 Size: 305245MB BusType: 11
18:47:50.257 Disk 0 MBR read successfully
18:47:50.259 Disk 0 MBR scan
18:47:50.263 Disk 0 Windows 7 default MBR code
18:47:50.275 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 293279 MB offset 2048
18:47:50.307 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 11962 MB offset 600637440
18:47:50.337 Disk 0 scanning C:\Windows\system32\drivers
18:48:04.056 Service scanning
18:48:48.432 Modules scanning
18:48:48.440 Disk 0 trace - called modules:
18:48:48.483 ntoskrnl.exe CLASSPNP.SYS disk.sys hpdskflt.sys ACPI.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys
18:48:48.491 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0xfffffa8004c0a790]
18:48:48.824 3 CLASSPNP.SYS[fffff8800161743f] → nt!IofCallDriver → [0xfffffa8004c095d0]
18:48:48.830 5 hpdskflt.sys[fffff880019f8289] → nt!IofCallDriver → [0xfffffa8004aca0d0]
18:48:48.836 7 ACPI.sys[fffff88000f8f7a1] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8004ab7680]
18:48:50.119 AVAST engine scan C:\Windows
18:48:52.473 AVAST engine scan C:\Windows\system32
18:51:26.866 AVAST engine scan C:\Windows\system32\drivers
18:51:40.049 AVAST engine scan C:\Users\owner
19:00:25.231 AVAST engine scan C:\ProgramData
19:01:21.027 Scan finished successfully
19:01:33.040 Disk 0 MBR has been saved successfully to “C:\Users\owner\Desktop\Maintenance\MBR.dat”
19:01:33.046 The log file has been saved successfully to “C:\Users\owner\Desktop\Maintenance\aswMBR.txt”
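The post above names two desktop.ini files under the .NET GAC folders as the detected objects. The following read-only PowerShell triage script is an added example, not something posted in the thread or shipped by Avast; it only inspects the two paths the post names (size, attributes, SHA-256 and the first two bytes) and flags a desktop.ini that begins with a PE "MZ" header, since a genuine desktop.ini is a small plain-text INI file. It assumes nothing beyond those two paths and works on the PowerShell 2.0 that Windows 7 ships with (it hashes via .NET rather than Get-FileHash). As the original poster found, a file that is locked or hidden on the live system may only read correctly from safe mode, so treat an access error as a finding in itself, not as "clean".

```powershell
# Added example: read-only triage of the GAC desktop.ini paths named in the post.
# Assumption: the two paths below are the only ones of interest; nothing is modified.
$paths = @(
    "$env:SystemRoot\assembly\GAC32\desktop.ini",
    "$env:SystemRoot\assembly\GAC64\desktop.ini"
)

function Get-DesktopIniVerdict {
    param([string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return "$Path : not present"
    }

    try {
        # -Force so hidden/system files are returned as well
        $item  = Get-Item -LiteralPath $Path -Force
        $bytes = [System.IO.File]::ReadAllBytes($Path)
    } catch {
        # A locked or unreadable file in this location deserves a closer look offline
        return "$Path : could not be read ($($_.Exception.Message)) - inspect from safe mode"
    }

    # First two bytes: 'MZ' means a PE image (DLL/EXE) masquerading as an INI file
    $magic = if ($bytes.Length -ge 2) { [System.Text.Encoding]::ASCII.GetString($bytes, 0, 2) } else { '' }

    # SHA-256 via .NET so this also runs on PowerShell 2.0 (no Get-FileHash there)
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    $hash = ([BitConverter]::ToString($sha.ComputeHash($bytes))) -replace '-', ''

    $verdict = if ($magic -eq 'MZ') {
        'SUSPICIOUS: PE header inside a desktop.ini'
    } elseif ($bytes.Length -gt 4096) {
        'UNUSUAL: larger than a typical desktop.ini'
    } else {
        'looks like a plain INI file'
    }

    return ("{0} : {1} bytes, attributes [{2}], sha256 {3} -> {4}" -f `
        $Path, $item.Length, $item.Attributes, $hash, $verdict)
}

foreach ($p in $paths) {
    Get-DesktopIniVerdict -Path $p
}
```

Run it from an elevated PowerShell prompt. The hash it prints can be compared against the value a scanner or a vendor writeup reports for the same file; the script itself never deletes or moves anything, which keeps it safe to run before a helper has looked at the logs.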

Malware removers are notified. It may take several hours before one arrives, so be patient.

Thank you for the update! I am in -6 GMT so the overlap may be quite different but I will be checking as frequently as I can.

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}:6.0.26
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}:6.0.29
O2:64bit: - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - No CLSID value found.

:Files
ipconfig /flushdns /c
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}
C:\Users\owner\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

Thank you for the guidance Essexboy. I am working on running the fix using the script you provided in OTL but the program is “not responding” during the creating restore point phase of the script. It has been stuck on not responding for about 20 minutes. I have not tampered with anything within this time but am just waiting it out. Should I do a power button manual restart and attempt again if the program does not respond for some time? Or perhaps this is expected to take a while? I will wait it out for some time and hopefully you will have time to respond. I would imagine there have been some changes made to my system with this script so I don’t want to make any presumptive moves. If it begins responding I will continue with the process and post the logs you requested. Thanks.

Edit: I am currently accessing this website through a roommate’s computer

Yes, restart and continue with Combofix. We may need to check out system restore later.

Essexboy,

It seems as though OTL did indeed run its fix because there was a notification and a log after I manually restarted my computer. I have downloaded and run combofix; it appeared to delete one file at the end of its run and my computer is generating a log from combofix now. However, I need to run to work for a few hours and will be back to check in about 4 hours from this posting. I have the log report from OTL and assume I will have the one from combofix for that posting in a few hours. I’ll get back to you then. Thanks again.

No problem but I will be offline in about two hours

I have not encountered any problems in my 10 minutes of browsing around on my computer, obviously it will take some time before I know with certainty that things are better. I have just noticed a generally less functional system since I think I may have acquired the suspected virus. Have any of the logs I have posted led you to believe that there is still a virus or problems within my system? Here are the updated OTL and ComboFix logs. I hope attachments are fine for this.

OTL:

Files\Folders moved on Reboot…
C:\Users\owner\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
File\Folder C:\Users\owner\AppData\Local\Temp\JET9E60.tmp not found!
File move failed. C:\Windows\temp_avast_\Webshlock.txt scheduled to be moved on reboot.
C:\Windows\temp\WebEx\Log\724\atashost.log moved successfully.

PendingFileRenameOperations files…
File C:\Users\owner\AppData\Local\Temp\FXSAPIDebugLogFile.txt not found!
File C:\Users\owner\AppData\Local\Temp\JET9E60.tmp not found!
[2012/07/25 12:12:14 | 000,000,000 | ---- | M] () C:\Windows\temp_avast_\Webshlock.txt : Unable to obtain MD5
File C:\Windows\temp\WebEx\Log\724\atashost.log not found!

Registry entries deleted on Reboot…

I would like to do one further check, as the services file was not infected; that sometimes means the MBR is.

Download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application

http://dl.dropbox.com/u/73555776/TDSSFront.JPG

  • Then click on Change parameters.

http://dl.dropbox.com/u/73555776/TDSSConfig.JPG

  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

  • Click the Start Scan button.

  • If a suspicious object is detected, the default action will be Skip; click on Continue.

http://dl.dropbox.com/u/73555776/TDSSFound.JPG

  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

  • Get the report by selecting Reports

http://dl.dropbox.com/u/73555776/TDSSEnd.JPG

  • Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.

Please copy and paste its contents on your next reply.

Essexboy,

The log was over 10,000 characters so I will need to attach it rather than paste it. I hope that is alright. There were 3 suspicious files found.

No, that’s good. How is the computer behaving?

Essexboy,

I am running a final scan with avast now, but as far as the computer condition goes it seems quite well. I believe I mentioned earlier that I have not been able to turn on my windows firewall since acquiring the virus, but I successfully turned it on just now for the first time since January! That must be a good sign. I am running privatefirewall as my firewall with windows’ firewall off and avast as my antivirus. I use Glary utilities and CCleaner regularly and malwarebytes as my scanner. Do you think that is sufficient or would you recommend anything else or any switches? The last problem I have encountered is that whenever I try to update some software (it just happened with Glary and Ccleaner) it opens up Microsoft Word and loads the updating website as a text file within Word, of course making it so I can’t easily get the update. Perhaps it just changed some setting on my computer in this process, but any idea how to easily fix that? The same thing also happened when I tried to update my old tdsskiller to run for you, but I simply downloaded your updated file from your link to my desktop and everything worked fine. Any idea why this may be happening? Thank you for your help so much!

Sounds like an association problem

Download Windows Repair (all in one) from this site

Install the programme then run

https://dl.dropbox.com/u/73555776/waio%20start.JPG

Go to step 3 and allow it to run SFC

https://dl.dropbox.com/u/73555776/waio%20step3.JPG

On the start repairs tab click start

https://dl.dropbox.com/u/73555776/waiostart%20rep.JPG

Select the following items and tick restart system when finished

https://dl.dropbox.com/u/73555776/waio%20rep%20list.JPG

Thank you Essexboy! I am running the program as instructed now, but again I must head to work for a few hours. I will respond on the condition of my computer later and hopefully tomorrow we will have this all finished! Thanks again.

-Derek

I am still having problems updating programs. This utility is great but it hasn’t fixed the update from opening in Word. Aside from this does everything seem clean as far as my system goes? Should I remove all of these programs that I installed for the purpose of this testing?

What I will do is remove the programmes that we have used, tidy you up and then look at the association problems…

On that front, is it all exe programmes that open in Word or just ones downloaded from the web? Or is it that the auto updates, instead of going to the website to download, open a Word document?

If it is the latter there is a link to a reg file at the end with installation instructions.

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

:Commands
[resethosts]
[emptytemp]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done

Remove ComboFix

  • Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
  • In the Run box, type in ComboFix /Uninstall (Notice the space between the “x” and “/”) then click OK

http://i1224.photobucket.com/albums/ee362/Essexboy3/Misc%20screen%20shots/CF_Uninstall-1.jpg

  • Follow the prompts on the screen
  • A message should appear confirming that ComboFix was uninstalled

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set back to hidden, as some of the tools I use will change that

  • Go to control panel
  • Select folder options (Appearance > Folder options in category view)
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.

SPRING CLEAN

To manually create a new Restore Point

  • Go to Control Panel and select System
  • Select System
  • On the left select System Protection and accept the warning if you get one
  • Select System Protection Tab
  • Select Create at the bottom
  • Type in a name i.e. Clean
  • Select Create

Now we can purge the infected ones

  • Go Start > All programs > Accessories > system tools
  • Right click Disc cleanup and select run as administrator
  • Select your main drive and accept the warning if you get one
  • For a few moments the system will make some calculations
  • Select the More Options tab
  • In the System Restore and Shadow Backups select Clean up
  • Select Delete on the pop up
  • Select OK
  • Select Delete

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

http://img233.imageshack.us/img233/7729/mbamicontw5.gif

Malwarebytes. Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly; it will show you which programmes on your system need updating and give a download link

It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit

  • Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?

Keep safe :wave:

Reg file link https://dl.dropbox.com/u/73555776/Default_LNK_(Shortcut).reg
Download to the desktop
Right click and select merge
Accept the warnings
Reboot and try an update again
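The reg file above restores the default shortcut (.lnk) association. The following PowerShell script is an added, read-only check, not part of Essexboy's fix, that shows what that association currently looks like on the machine before and after merging the file. It reads the machine-wide ProgID under HKCR\.lnk, confirms the lnkfile ProgID still carries its IsShortcut marker, looks for a per-user "Open with" override under the Explorer FileExts key (which takes precedence over HKCR and is a common reason every downloaded item opens in one program), and resolves whichever ProgID is in effect to its open command if one is registered. The expected values quoted in the output are the Windows defaults; the script changes nothing.

```powershell
# Added example: read-only report on the .lnk file association the reg file restores.
# Assumption: Windows defaults are ProgID 'lnkfile' with an 'IsShortcut' value and no
# per-user UserChoice override. Nothing is written to the registry.
function Get-LnkAssociationReport {
    $report = @()

    # Machine-wide mapping: extension -> ProgID
    $ext    = Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\.lnk' -ErrorAction SilentlyContinue
    $progId = if ($ext) { $ext.'(default)' } else { $null }
    $report += "HKCR\.lnk default ProgID : '$progId' (expected 'lnkfile')"

    # The lnkfile ProgID marks shortcuts with an empty IsShortcut value; without it
    # Explorer treats .lnk files as ordinary documents of whatever ProgID is set
    $lnkfile = Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\lnkfile' -ErrorAction SilentlyContinue
    $hasIsShortcut = ($lnkfile -ne $null) -and ($lnkfile.PSObject.Properties.Name -contains 'IsShortcut')
    $report += "HKCR\lnkfile IsShortcut  : $hasIsShortcut (expected True)"

    # Per-user override: an 'Open with' choice is stored here and wins over HKCR
    $ucPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.lnk\UserChoice'
    $uc = Get-ItemProperty -Path $ucPath -ErrorAction SilentlyContinue
    if ($uc) {
        $report += "HKCU UserChoice for .lnk : ProgId '$($uc.ProgId)' (expected: key absent)"
    } else {
        $report += "HKCU UserChoice for .lnk : absent (expected)"
    }

    # Resolve the ProgID actually in effect to the command Windows would launch
    $effective = if ($uc) { $uc.ProgId } else { $progId }
    if ($effective) {
        $cmdKey = "Registry::HKEY_CLASSES_ROOT\$effective\shell\open\command"
        $cmd = Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue
        if ($cmd) {
            # A word processor or other document handler listed here explains "opens in Word"
            $report += "Open command for '$effective' : $($cmd.'(default)')"
        } else {
            $report += "No shell\open\command under '$effective' (normal for the default lnkfile ProgID, which the shell resolves itself)"
        }
    } else {
        $report += "No ProgID registered for .lnk at all; the reg file fix applies"
    }

    return $report
}

Get-LnkAssociationReport
```

Run it once before merging the reg file and once after the reboot; the lines that change are the ones the fix corrected. If the UserChoice key is present with a ProgId that names a word processor, that per-user override is the cause of the behaviour described in the thread and will still be in place after a merge that only rewrites HKCR.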

Essexboy,

You have been incredibly helpful and it is extremely appreciated! I have completed all of the steps in your previous post. I downloaded Filehippo update checker and when I ran it the 4 updates it recommended for me were opened into a Word document. I am going to attempt to attach the Word file that I saved as a webpage to this post. It seems to be only programs I have downloaded from the web, at least that is all I have noticed. Any ideas? I did not do the last step of your previous post since I was not sure if it was fitting to my situation. Thank you.

*Edit: file was too large to attach

Yes, run that association fix and see if it cures it.

Sorry but I am unsure how to download the file you posted. The link is simply a bunch of text within the website and if I save link as it is merely a text file on my desktop. Sorry for my ignorance here, but how am I supposed to get that into the registry?