I receive warnings about these three problems repeatedly within minutes of each other. I have tried Malwarebytes, but it just quarantined most of the files rather than deleting them.
Attach logs from Malwarebytes / OTL / aswMBR.
http://forum.avast.com/index.php?topic=53253.0
Monitoring
Here are the OTL and Malwarebytes logs. Both times that I attempted to run aswMBR, the computer crashed.
I've added the Malwarebytes logs to my previous post.
Hi
Re-run OTL.exe.
- Copy and paste the following text, written inside the quote box, into the Custom Scans/Fixes box.
:OTL
IE - HKLM\..\SearchScopes\{44f44034-6036-4f06-9336-74ec4620edab}: "URL" = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=RGxdm160YYus&ptb=A5267D14-C689-45EA-9B66-8E052DC5FC51&ind=2011012014&ptnrS=RGxdm160YYus&si=1903&n=77dd9bae&psa=&st=sb&searchfor={searchTerms}
IE - HKCU\..\SearchScopes\{44f44034-6036-4f06-9336-74ec4620edab}: "URL" = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=RGxdm160YYus&ptb=A5267D14-C689-45EA-9B66-8E052DC5FC51&ind=2011012014&ptnrS=RGxdm160YYus&si=1903&n=77dd9bae&psa=&st=sb&searchfor={searchTerms}
FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird
O2 - BHO: (StartNow Toolbar Helper) - {6E13D095-45C3-4271-9475-F3B48227DD9F} - C:\Program Files\StartNow Toolbar\Toolbar32.dll ()
O3 - HKLM\..\Toolbar: (StartNow Toolbar) - {5911488E-9D1E-40ec-8CBB-06B231CC153F} - C:\Program Files\StartNow Toolbar\Toolbar32.dll ()
O4 - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [StartNowToolbarHelper] "C:\Program Files\StartNow Toolbar\ToolbarHelper.exe" File not found
O33 - MountPoints2\{7a6bcd32-9593-11df-b562-00219b2692cc}\Shell - "" = AutoRun
O33 - MountPoints2\{7a6bcd32-9593-11df-b562-00219b2692cc}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O33 - MountPoints2\{7a6bcd3c-9593-11df-b562-00219b2692cc}\Shell - "" = AutoRun
O33 - MountPoints2\{7a6bcd3c-9593-11df-b562-00219b2692cc}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O33 - MountPoints2\{7a6bcd46-9593-11df-b562-00219b2692cc}\Shell - "" = AutoRun
O33 - MountPoints2\{7a6bcd46-9593-11df-b562-00219b2692cc}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O33 - MountPoints2\{9fb6d73a-77e3-11e0-b76e-00219b2692cc}\Shell - "" = AutoRun
O33 - MountPoints2\{9fb6d73a-77e3-11e0-b76e-00219b2692cc}\Shell\AutoRun\command - "" = "F:\WD SmartWare.exe" autoplay=true
:files
C:\Program Files\Microsoft Security Client
C:\Windows\System32\msfeedssync.exe
C:\Program Files\StartNow Toolbar
C:\Windows\Installer\{67b18a24-da56-7d61-2b62-39e65e052b02}
C:\Windows\System32\config\systemprofile\AppData\Local\{67b18a24-da56-7d61-2b62-39e65e052b02}
ipconfig /flushdns /c
:services
NisSrv
Updater Service for StartNow Toolbar
:commands
[CREATERESTOREPOINT]
[emptytemp]
[EMPTYJAVA]
[Reboot]
- Then click the Run Fix button at the top.
- Let the program run unhindered; it will reboot the system when it is done and open Notepad with a log report. Attach that log report here.
Step 2
Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works, please read this guide carefully.
Note: ComboFix must be downloaded to your Desktop.
Temporarily disable your antivirus program.
If you are unsure how to do this, please read this instruction.
How to disable avast:
- Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
- In the window that opens, in the top right corner, click Settings.
- In the new window that opens, choose the option Troubleshooting, uncheck Enable avast! self-defense, and click OK.
- Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls.
- In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.
Note: Do not forget to turn this option back on after the cleaning.
Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If the Recovery Console is not installed, ComboFix will offer to download and install it.
Click Yes to allow ComboFix to install the Recovery Console.
Note: Do not mouse-click ComboFix's window while it is running.
When the tool is finished, it will produce a log report for you (typical location: C:\ComboFix.txt).
Attach the log report (ComboFix.txt) back to the topic.
Notes:
- Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
- Do not "re-run" ComboFix. If you have a problem, reply back for further instructions.
- If after the reboot you get errors about programmes being marked for deletion, then reboot; that will cure it.
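As an added illustration for readers of this thread (it is not part of the original post, nor code from the OTL or ComboFix authors), here is a read-only PowerShell audit of the same autostart locations the OTL fix above edits: the Run keys (O4 lines), Browser Helper Objects (O2), the per-volume AutoRun commands under MountPoints2 (O33) and the IE SearchScopes URLs. It flags entries whose target file no longer exists, which is the condition OTL prints as "File not found", and search scopes whose host is not on an allow list. The registry paths are the standard Windows locations; the `$allowedSearchHosts` list is a placeholder assumption to edit for your own environment. The script changes nothing; removal stays with the tools described in the post.

```powershell
# Added example, not part of the thread: a read-only audit of the autostart locations
# that the OTL fix above edits (Run keys, Browser Helper Objects, IE SearchScopes and
# MountPoints2 AutoRun commands). It flags entries whose target file no longer exists,
# the same condition OTL reports as "File not found". Nothing is modified.
# Assumptions: standard registry locations; $allowedSearchHosts is a placeholder list.

function Get-TargetPath {
    # Pull the executable path out of a command string, quoted or not, e.g.
    #   "C:\Program Files\StartNow Toolbar\ToolbarHelper.exe"   (quoted, with spaces)
    #   C:\Program Files\Microsoft Security Client\msseces.exe   (unquoted)
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $null }
    $cmd = $Command.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
        return $cmd.Trim('"')
    }
    $m = [regex]::Match($cmd, '(?i)^(.*?\.exe)')      # unquoted: path ends at the first .exe
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

# Findings are collected in a list so the helper can append without scope tricks
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    param([string]$Location, [string]$Name, [string]$Target)
    $expanded = if ($Target) { [Environment]::ExpandEnvironmentVariables($Target) } else { $null }
    $exists = [bool]($expanded -and (Test-Path -LiteralPath $expanded))
    $findings.Add([pscustomobject]@{
        Location = $Location; Name = $Name; Target = $expanded; FileExists = $exists
    })
}

# O4 lines: Run keys in both hives
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }       # skip the registry provider's own metadata
        Add-Finding -Location "$hive\Run" -Name $p.Name -Target (Get-TargetPath $p.Value)
    }
}

# O2 lines: Browser Helper Objects, resolved through CLSID\InprocServer32 to the DLL
$bhoKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoKey) {
    foreach ($clsid in Get-ChildItem $bhoKey) {
        $server = "HKLM:\Software\Classes\CLSID\$($clsid.PSChildName)\InprocServer32"
        $dll = if (Test-Path $server) { (Get-ItemProperty $server).'(default)' } else { $null }
        Add-Finding -Location 'BHO' -Name $clsid.PSChildName -Target $dll
    }
}

# O33 lines: per-volume AutoRun commands under MountPoints2 (HKCU only)
$mpKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
if (Test-Path $mpKey) {
    foreach ($mp in Get-ChildItem $mpKey) {
        $cmdKey = Join-Path $mp.PSPath 'Shell\AutoRun\command'
        if (-not (Test-Path $cmdKey)) { continue }
        $cmd = (Get-ItemProperty $cmdKey).'(default)'
        Add-Finding -Location 'MountPoints2\AutoRun' -Name $mp.PSChildName -Target (Get-TargetPath $cmd)
    }
}

# IE SearchScopes: report any scope whose URL host is not on the allow list
$allowedSearchHosts = @('www.bing.com', 'www.google.com')   # placeholder: edit for your environment
$suspectScopes = @()
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\Software\Microsoft\Internet Explorer\SearchScopes"
    if (-not (Test-Path $key)) { continue }
    foreach ($scope in Get-ChildItem $key) {
        $url = (Get-ItemProperty $scope.PSPath).URL
        if ($url -and $url -match '^[a-z]+://([^/?#]+)' -and $Matches[1] -notin $allowedSearchHosts) {
            $suspectScopes += [pscustomobject]@{ Hive = $hive; Scope = $scope.PSChildName; Url = $url }
        }
    }
}

"== All autostart entries =="
$findings | Sort-Object Location, Name | Format-Table -AutoSize
"== Entries whose target file is missing (OTL's 'File not found') =="
$findings | Where-Object { $_.Target -and -not $_.FileExists } | Format-Table -AutoSize
"== Search scopes pointing outside the allow list =="
$suspectScopes | Format-Table -AutoSize -Wrap
```

Run it as the user whose HKCU hive you want to check, since the MountPoints2 and HKCU Run entries are per user. An entry that shows up in the "target file is missing" table is usually a leftover of something already removed (like the StartNowToolbarHelper Run value above), which is why OTL's fix lists the Run value and the folder together; the orphaned value still deserves removal so it stops firing at logon.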
All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{44f44034-6036-4f06-9336-74ec4620edab}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44f44034-6036-4f06-9336-74ec4620edab}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{44f44034-6036-4f06-9336-74ec4620edab}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44f44034-6036-4f06-9336-74ec4620edab}\ not found.
File HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\eplgTb@eset.com: C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6E13D095-45C3-4271-9475-F3B48227DD9F}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6E13D095-45C3-4271-9475-F3B48227DD9F}\ deleted successfully.
C:\Program Files\StartNow Toolbar\Toolbar32.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\{5911488E-9D1E-40ec-8CBB-06B231CC153F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\ deleted successfully.
File C:\Program Files\StartNow Toolbar\Toolbar32.dll not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSC deleted successfully.
C:\Program Files\Microsoft Security Client\msseces.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\StartNowToolbarHelper deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7a6bcd32-9593-11df-b562-00219b2692cc}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7a6bcd32-9593-11df-b562-00219b2692cc}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7a6bcd32-9593-11df-b562-00219b2692cc}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7a6bcd32-9593-11df-b562-00219b2692cc}\ not found.
File F:\LaunchU3.exe -a not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7a6bcd3c-9593-11df-b562-00219b2692cc}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7a6bcd3c-9593-11df-b562-00219b2692cc}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7a6bcd3c-9593-11df-b562-00219b2692cc}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7a6bcd3c-9593-11df-b562-00219b2692cc}\ not found.
File F:\LaunchU3.exe -a not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7a6bcd46-9593-11df-b562-00219b2692cc}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7a6bcd46-9593-11df-b562-00219b2692cc}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7a6bcd46-9593-11df-b562-00219b2692cc}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7a6bcd46-9593-11df-b562-00219b2692cc}\ not found.
File F:\LaunchU3.exe -a not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9fb6d73a-77e3-11e0-b76e-00219b2692cc}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9fb6d73a-77e3-11e0-b76e-00219b2692cc}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9fb6d73a-77e3-11e0-b76e-00219b2692cc}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9fb6d73a-77e3-11e0-b76e-00219b2692cc}\ not found.
File "F:\WD SmartWare.exe" autoplay=true not found.
========== FILES ==========
C:\Program Files\Microsoft Security Client\en-us folder moved successfully.
C:\Program Files\Microsoft Security Client\Backup\x86 folder moved successfully.
C:\Program Files\Microsoft Security Client\Backup\en-us folder moved successfully.
C:\Program Files\Microsoft Security Client\Backup folder moved successfully.
C:\Program Files\Microsoft Security Client\Antimalware\EN-US folder moved successfully.
C:\Program Files\Microsoft Security Client\Antimalware\Drivers\mpnwmon folder moved successfully.
C:\Program Files\Microsoft Security Client\Antimalware\Drivers\mpfilter folder moved successfully.
C:\Program Files\Microsoft Security Client\Antimalware\Drivers folder moved successfully.
C:\Program Files\Microsoft Security Client\Antimalware folder moved successfully.
C:\Program Files\Microsoft Security Client folder moved successfully.
File move failed. C:\Windows\System32\msfeedssync.exe scheduled to be moved on reboot.
C:\Program Files\StartNow Toolbar\Resources\skin folder moved successfully.
C:\Program Files\StartNow Toolbar\Resources\reactivate folder moved successfully.
C:\Program Files\StartNow Toolbar\Resources\protect folder moved successfully.
C:\Program Files\StartNow Toolbar\Resources\images folder moved successfully.
C:\Program Files\StartNow Toolbar\Resources folder moved successfully.
C:\Program Files\StartNow Toolbar folder moved successfully.
C:\Windows\Installer\{67b18a24-da56-7d61-2b62-39e65e052b02}\U folder moved successfully.
C:\Windows\Installer\{67b18a24-da56-7d61-2b62-39e65e052b02}\L folder moved successfully.
C:\Windows\Installer\{67b18a24-da56-7d61-2b62-39e65e052b02} folder moved successfully.
C:\Windows\System32\config\systemprofile\AppData\Local\{67b18a24-da56-7d61-2b62-39e65e052b02}\U folder moved successfully.
C:\Windows\System32\config\systemprofile\AppData\Local\{67b18a24-da56-7d61-2b62-39e65e052b02}\L folder moved successfully.
C:\Windows\System32\config\systemprofile\AppData\Local\{67b18a24-da56-7d61-2b62-39e65e052b02} folder moved successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\reception\Downloads\cmd.bat deleted successfully.
C:\Users\reception\Downloads\cmd.txt deleted successfully.
========== SERVICES/DRIVERS ==========
Service NisSrv stopped successfully!
Service NisSrv deleted successfully!
Service Updater Service for StartNow Toolbar stopped successfully!
Service Updater Service for StartNow Toolbar deleted successfully!
========== COMMANDS ==========
Unable to start System Restore Service. Error code 1084
[EMPTYTEMP]
User: administrator
->Temp folder emptied: 11908646 bytes
->Temporary Internet Files folder emptied: 919493 bytes
->Flash cache emptied: 848 bytes
User: All Users
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 41620 bytes
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
User: Public
User: reception
->Temp folder emptied: 239698606 bytes
->Temporary Internet Files folder emptied: 1076765779 bytes
->Java cache emptied: 3489 bytes
->Google Chrome cache emptied: 6491114 bytes
->Flash cache emptied: 1838311 bytes
User: User
->Temp folder emptied: 32284 bytes
->Temporary Internet Files folder emptied: 120316137 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1911946884 bytes
RecycleBin emptied: 4396471929 bytes
Total Files Cleaned = 7,407.00 mb
[EMPTYJAVA]
User: administrator
User: All Users
User: Default
User: Default User
User: Public
User: reception
->Java cache emptied: 0 bytes
User: User
Total Java Files Cleaned = 0.00 mb
OTL by OldTimer - Version 3.2.56.0 log created on 08092012_172927
Files\Folders moved on Reboot…
File move failed. C:\Windows\System32\msfeedssync.exe scheduled to be moved on reboot.
File\Folder C:\Windows\temp\flaB86D.tmp not found!
File\Folder C:\Windows\temp\flaB8FC.tmp not found!
PendingFileRenameOperations files…
[2011/07/08 17:01:43 | 000,010,752 | ---- | M] (Microsoft Corporation) C:\Windows\System32\msfeedssync.exe : MD5=1D3EE28BA231CBB9600F5D102EAF4EA7
File C:\Windows\temp\flaB86D.tmp not found!
File C:\Windows\temp\flaB8FC.tmp not found!
Registry entries deleted on Reboot…
I'm waiting for Step 2.