Need help removing two Sirefef files

I picked up some viruses by the names of Java:Agent-ADV and Java:Agent-ACW, which were successfully removed. Avast is also picking up the Assembly/GAC_32 and GAC_64 files, but I can’t seem to get rid of them. MBAM detects nothing.

I wasn’t having many symptoms other than random words being linked to Text Enhance on my web browser. I’ve also been unable to upload files to sites like YouTube or SoundCloud, but I don’t know if that’s a related issue or not. I can’t seem to post any of the other logs I have either… =/

I literally cannot find a way to post the OTL log on here. If I upload it, the post fails. If I copy-paste it in, it STILL fails.

Did you save OTL as ANSI before you tried to attach it?

If it is still too big, upload it to www.mediafire.com and post the download link.

Here we go: http://www.mediafire.com/file/j896x7b5pncfp5o/OTL.Txt

On completion of this run, can you let me know what problems remain?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

If you have Malwarebytes 1.6 or better installed, please disable it for the duration of this run.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

:OTL
IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 76 63 D0 02 BA E1 E2 4A 8C 4C F9 F2 81 87 07 DE [binary data]
IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 76 63 D0 02 BA E1 E2 4A 8C 4C F9 F2 81 87 07 DE [binary data]
[2011/01/16 15:55:21 | 000,255,488 | ---- | M] () MD5=3C33B26F2F7FA61D882515F2D6078691 -- C:\$RECYCLE.BIN\S-1-5-21-2287459066-2634481093-120854041-1000\$R5D8XNH\procs\explorer.exe
[2011/01/16 15:55:21 | 000,255,488 | ---- | M] () MD5=3C33B26F2F7FA61D882515F2D6078691 -- C:\$RECYCLE.BIN\S-1-5-21-2287459066-2634481093-120854041-1000\$REO6FTN\procs\explorer.exe
[2011/01/16 15:55:21 | 000,255,488 | ---- | M] () MD5=3C33B26F2F7FA61D882515F2D6078691 -- C:\$RECYCLE.BIN\S-1-5-21-2287459066-2634481093-120854041-1000\$RRNKWVS\procs\explorer.exe
[2011/01/16 15:55:21 | 000,255,488 | ---- | M] () MD5=3C33B26F2F7FA61D882515F2D6078691 -- C:\Users\paul\AppData\Local\Temp\RarSFX0\procs\explorer.exe
[2011/01/16 15:55:21 | 000,255,488 | ---- | M] () MD5=3C33B26F2F7FA61D882515F2D6078691 -- C:\Users\paul\AppData\Local\Temp\RarSFX1\procs\explorer.exe
[2005/08/16 01:54:58 | 000,001,536 | ---- | M] () MD5=ABC6379205DE2618851C4FCBF72112EB -- C:\$RECYCLE.BIN\S-1-5-21-2287459066-2634481093-120854041-1000\$R5D8XNH\h\explorer.exe
[2005/08/16 01:54:58 | 000,001,536 | ---- | M] () MD5=ABC6379205DE2618851C4FCBF72112EB -- C:\$RECYCLE.BIN\S-1-5-21-2287459066-2634481093-120854041-1000\$RB19RGT\h\explorer.exe
[2005/08/16 01:54:58 | 000,001,536 | ---- | M] () MD5=ABC6379205DE2618851C4FCBF72112EB -- C:\$RECYCLE.BIN\S-1-5-21-2287459066-2634481093-120854041-1000\$RE43SN2\h\explorer.exe
[2005/08/16 01:54:58 | 000,001,536 | ---- | M] () MD5=ABC6379205DE2618851C4FCBF72112EB -- C:\$RECYCLE.BIN\S-1-5-21-2287459066-2634481093-120854041-1000\$REO6FTN\h\explorer.exe
[2005/08/16 01:54:58 | 000,001,536 | ---- | M] () MD5=ABC6379205DE2618851C4FCBF72112EB -- C:\$RECYCLE.BIN\S-1-5-21-2287459066-2634481093-120854041-1000\$RGBRGDB\h\explorer.exe
[2005/08/16 01:54:58 | 000,001,536 | ---- | M] () MD5=ABC6379205DE2618851C4FCBF72112EB -- C:\$RECYCLE.BIN\S-1-5-21-2287459066-2634481093-120854041-1000\$RIS7HZ1\h\explorer.exe
[2005/08/16 01:54:58 | 000,001,536 | ---- | M] () MD5=ABC6379205DE2618851C4FCBF72112EB -- C:\$RECYCLE.BIN\S-1-5-21-2287459066-2634481093-120854041-1000\$ROQSMQA\h\explorer.exe
[2005/08/16 01:54:58 | 000,001,536 | ---- | M] () MD5=ABC6379205DE2618851C4FCBF72112EB -- C:\$RECYCLE.BIN\S-1-5-21-2287459066-2634481093-120854041-1000\$RRNKWVS\h\explorer.exe
[2005/08/16 01:54:58 | 000,001,536 | ---- | M] () MD5=ABC6379205DE2618851C4FCBF72112EB -- C:\Users\paul\AppData\Local\Temp\RarSFX0\h\explorer.exe
[2005/08/16 01:54:58 | 000,001,536 | ---- | M] () MD5=ABC6379205DE2618851C4FCBF72112EB -- C:\Users\paul\AppData\Local\Temp\RarSFX1\h\explorer.exe
[2009/05/26 18:47:22 | 000,031,232 | ---- | M] (NirSoft) MD5=AC6094297CD882B8626466CDEB64F19F -- C:\$RECYCLE.BIN\S-1-5-21-2287459066-2634481093-120854041-1000\$R5D8XNH\userinit.exe
[2009/05/26 18:47:22 | 000,031,232 | ---- | M] (NirSoft) MD5=AC6094297CD882B8626466CDEB64F19F -- C:\$RECYCLE.BIN\S-1-5-21-2287459066-2634481093-120854041-1000\$RB19RGT\userinit.exe
[2009/05/26 18:47:22 | 000,031,232 | ---- | M] (NirSoft) MD5=AC6094297CD882B8626466CDEB64F19F -- C:\$RECYCLE.BIN\S-1-5-21-2287459066-2634481093-120854041-1000\$RE43SN2\userinit.exe
[2009/05/26 18:47:22 | 000,031,232 | ---- | M] (NirSoft) MD5=AC6094297CD882B8626466CDEB64F19F -- C:\$RECYCLE.BIN\S-1-5-21-2287459066-2634481093-120854041-1000\$REO6FTN\userinit.exe
[2009/05/26 18:47:22 | 000,031,232 | ---- | M] (NirSoft) MD5=AC6094297CD882B8626466CDEB64F19F -- C:\$RECYCLE.BIN\S-1-5-21-2287459066-2634481093-120854041-1000\$RGBRGDB\userinit.exe
[2009/05/26 18:47:22 | 000,031,232 | ---- | M] (NirSoft) MD5=AC6094297CD882B8626466CDEB64F19F -- C:\$RECYCLE.BIN\S-1-5-21-2287459066-2634481093-120854041-1000\$RIS7HZ1\userinit.exe
[2009/05/26 18:47:22 | 000,031,232 | ---- | M] (NirSoft) MD5=AC6094297CD882B8626466CDEB64F19F -- C:\$RECYCLE.BIN\S-1-5-21-2287459066-2634481093-120854041-1000\$ROQSMQA\userinit.exe
[2009/05/26 18:47:22 | 000,031,232 | ---- | M] (NirSoft) MD5=AC6094297CD882B8626466CDEB64F19F -- C:\$RECYCLE.BIN\S-1-5-21-2287459066-2634481093-120854041-1000\$RRNKWVS\userinit.exe
[2009/05/26 18:47:22 | 000,031,232 | ---- | M] (NirSoft) MD5=AC6094297CD882B8626466CDEB64F19F -- C:\Users\paul\AppData\Local\Temp\RarSFX0\userinit.exe
[2009/05/26 18:47:22 | 000,031,232 | ---- | M] (NirSoft) MD5=AC6094297CD882B8626466CDEB64F19F -- C:\Users\paul\AppData\Local\Temp\RarSFX1\userinit.exe
[2009/05/26 18:47:22 | 000,031,232 | ---- | M] (NirSoft) MD5=AC6094297CD882B8626466CDEB64F19F -- C:\$RECYCLE.BIN\S-1-5-21-2287459066-2634481093-120854041-1000\$R5D8XNH\winlogon.exe
[2009/05/26 18:47:22 | 000,031,232 | ---- | M] (NirSoft) MD5=AC6094297CD882B8626466CDEB64F19F -- C:\$RECYCLE.BIN\S-1-5-21-2287459066-2634481093-120854041-1000\$RB19RGT\winlogon.exe
[2009/05/26 18:47:22 | 000,031,232 | ---- | M] (NirSoft) MD5=AC6094297CD882B8626466CDEB64F19F -- C:\$RECYCLE.BIN\S-1-5-21-2287459066-2634481093-120854041-1000\$RE43SN2\winlogon.exe
[2009/05/26 18:47:22 | 000,031,232 | ---- | M] (NirSoft) MD5=AC6094297CD882B8626466CDEB64F19F -- C:\$RECYCLE.BIN\S-1-5-21-2287459066-2634481093-120854041-1000\$REO6FTN\winlogon.exe
[2009/05/26 18:47:22 | 000,031,232 | ---- | M] (NirSoft) MD5=AC6094297CD882B8626466CDEB64F19F -- C:\$RECYCLE.BIN\S-1-5-21-2287459066-2634481093-120854041-1000\$RGBRGDB\winlogon.exe
[2009/05/26 18:47:22 | 000,031,232 | ---- | M] (NirSoft) MD5=AC6094297CD882B8626466CDEB64F19F -- C:\$RECYCLE.BIN\S-1-5-21-2287459066-2634481093-120854041-1000\$RIS7HZ1\winlogon.exe
[2009/05/26 18:47:22 | 000,031,232 | ---- | M] (NirSoft) MD5=AC6094297CD882B8626466CDEB64F19F -- C:\$RECYCLE.BIN\S-1-5-21-2287459066-2634481093-120854041-1000\$ROQSMQA\winlogon.exe
[2009/05/26 18:47:22 | 000,031,232 | ---- | M] (NirSoft) MD5=AC6094297CD882B8626466CDEB64F19F -- C:\$RECYCLE.BIN\S-1-5-21-2287459066-2634481093-120854041-1000\$RRNKWVS\winlogon.exe
[2009/05/26 18:47:22 | 000,031,232 | ---- | M] (NirSoft) MD5=AC6094297CD882B8626466CDEB64F19F -- C:\Users\paul\AppData\Local\Temp\RarSFX0\winlogon.exe
[2009/05/26 18:47:22 | 000,031,232 | ---- | M] (NirSoft) MD5=AC6094297CD882B8626466CDEB64F19F -- C:\Users\paul\AppData\Local\Temp\RarSFX1\winlogon.exe
[2011/11/25 20:44:21 | 000,000,650 | ---- | M] ()(C:\Users\paul\AppData\Local\PMB Filer?pa) -- C:\Users\paul\AppData\Local\PMB Filer?pa
[2011/11/15 15:24:11 | 000,000,650 | ---- | C] ()(C:\Users\paul\AppData\Local\PMB Filer?pa) -- C:\Users\paul\AppData\Local\PMB Filer?pa
(C:\Users\paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\??????) -- C:\Users\paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\??????

:Reg
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]
XMLHTTP_UUID_Default=-
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]
XMLHTTP_UUID_Default=-

:Files
ipconfig /flushdns /c
C:\Windows\assembly\GAC_32\Desktop.ini 
C:\Windows\assembly\GAC_64\Desktop.ini
C:\Windows\tasks\At*.job
xcopy %Temp%\smtmp\1 "%AllUsersProfile%\Start Menu" /H /I /S /Y /C
xcopy %Temp%\smtmp\2 "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch" /H /I /S /Y /C
xcopy %Temp%\smtmp\3 "%AppData%\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar" /H /I /S /Y /C
xcopy %Temp%\smtmp\4 "%AllUsersProfile%\Desktop" /H /I /S /Y /C

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

  • Then click the Run Fix button at the top.
  • Let the program run unhindered, and reboot the PC when it is done.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
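The :Files section of the fix above deletes the two GAC Desktop.ini files and the At*.job tasks by path. The following PowerShell check is an added example, not part of the thread or of OTL: it reports whether those same paths are present on a host, with their attributes and hashes, so the state can be recorded before the fix and confirmed clean after it. It assumes a 64-bit Windows install and an elevated prompt (the assembly folder is not readable for every user).

```powershell
# Added triage check (not part of OTL or the thread): report the indicator
# paths named in the OTL :Files section. Run from an elevated PowerShell.
$indicatorFiles = @(
    "$env:SystemRoot\assembly\GAC_32\Desktop.ini",
    "$env:SystemRoot\assembly\GAC_64\Desktop.ini"
)
$taskPattern = "$env:SystemRoot\Tasks\At*.job"

function Get-IndicatorStatus {
    param([string[]]$Files, [string]$JobPattern)
    $report = New-Object System.Collections.Generic.List[object]

    foreach ($f in $Files) {
        # -Force is needed because such files are normally hidden+system.
        $item = Get-Item -LiteralPath $f -Force -ErrorAction SilentlyContinue
        $report.Add([pscustomobject]@{
            Path       = $f
            Present    = [bool]$item
            Attributes = if ($item) { $item.Attributes.ToString() } else { '' }
            SizeBytes  = if ($item) { $item.Length } else { 0 }
            SHA256     = if ($item) { (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash } else { '' }
        })
    }

    # Legacy at.exe jobs live in %SystemRoot%\Tasks as At<N>.job; list any found.
    foreach ($j in (Get-ChildItem -Path $JobPattern -Force -ErrorAction SilentlyContinue)) {
        $report.Add([pscustomobject]@{
            Path       = $j.FullName
            Present    = $true
            Attributes = $j.Attributes.ToString()
            SizeBytes  = $j.Length
            SHA256     = (Get-FileHash -LiteralPath $j.FullName -Algorithm SHA256).Hash
        })
    }
    return $report
}

Get-IndicatorStatus -Files $indicatorFiles -JobPattern $taskPattern | Format-Table -AutoSize
```

Keep the pre-fix output: the hashes let you match the files against the scanner's detection, and a second run after the reboot should show Present = False for both Desktop.ini paths and no At*.job rows.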

We may have a problem… I started the fix on OTL, but it stopped responding, so I ended it with the task manager and started again (which, in retrospect, was a bad idea). I got the blue screen. Now when I boot my computer all I get is a completely blank screen. It DOES work in safe mode, which is what I’m currently using. I’m going to try to run OTL from here, but it doesn’t seem like it’s responding at all.

Re-run OTL, but in the fix remove the emptytemp line.

Do you have MBAM? That can cause a conflict when OTL tries to stop the processes.

I have the free version of MBAM. To my knowledge, it doesn’t have any ongoing processes, and I don’t see anything to disable. Is it only the registered version you’re talking about? Should I simply uninstall it?

OTL is still not responding. It’s freezing on “Processing Registry Data HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]…”. I’m going to leave it on this time and hope it responds until you tell me to do something different.

Even the free version has a driver running at all times.

OK, there is something not quite right here.

Stop OTL and reboot; you should be able to achieve normal mode.

Download and install ComboFix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe and follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.

ComboFix is giving me a warning that Microsoft Security Essentials Anti-spyware and Anti-virus real-time scanners are still running. Microsoft Security Essentials didn’t appear to be working properly after I rebooted, so there was no icon in the system tray, nor was it listed in the Control Panel. I reinstalled, and then uninstalled, Microsoft Security Essentials, but ComboFix says it’s still there. I closed ComboFix before it could do anything else, and tried rebooting, which didn’t change anything either. Should I proceed with ComboFix? I don’t understand how MSE could still be running.

So you had Avast and Microsoft Security Essentials installed!
Never install multiple AVs, as this will create all kinds of mysterious Windows errors and false positive detections.

Yeah, I have come to that realization. But what do I do? Run ComboFix regardless?

wait for Essexboy

Yes, run ComboFix and accept the warning.

Looks like it worked. Here’s the log: http://www.mediafire.com/?mu22xphfce64r0i. What now, Cap’n?

OK, what is your main AV? I can see AVG and Avast.

How is the system behaving now?

Avast is. I never finished installing AVG, so again, I don’t know why it would be there.

System’s running fine. The Text Enhance isn’t there anymore. I still can’t upload files to sites like SoundCloud or YouTube, but I don’t think that’s related to viruses.

What error do you get when you try to upload?

It simply stops after uploading 0.3 MB or so.

The first thought that comes to mind is: is your ISP limiting you?

Ref AVG, you will need to use the removal tool to clear the rest:

http://www.avg.com/ww-en/utilities