Hi All,
Need some expert help with this one. :-[
I usually run MBAM weekly, never picks anything up.
Looked at some resume/job sites a few days ago and IE shut down unexpectedly :o
Checked with process explorer, and a couple of SVChost.exes were popping up from nasty looking sources such as:
\.\globalroot\systemroot\installer[99d6c928-147d-54d5-377f-bd821ed462e7]\U
so I would cancel them as soon as they popped up, and went looking for info on net…
checked registry for “globalroot” and found two keys
HKCR and HKLM\software\classes\CLSID[99d6c928-147d-54d5-377f-bd821ed462e7]\InprocServer32
\.\globalroot\systemroot\installer[99d6c928-147d-54d5-377f-bd821ed462e7]\n.
updated MBAM, full scan = nothing?
DL’d AVAST free version and quick scan found nothing, but it would block Win32:Sirefef-AO, and Win64:Sirefef-A from running every 5 minutes.
tried TDSSKiller and it found sptd.sys locked, but nothing else I can remember…
then did a full system scan with AVAST and found:
Win32:Dropper-gen in \local settings\temp\tempfiles.exe
HTML:RedirME-inf in \temp internet files
Win32:Malwae-gen in \program files\Winace\order.exe|>[ASPack]
Win32:Krap-AIL in PSFactoryBuffer.exe (I had already deleted it)
Then the big ones,
Win64:Sirefef-A in \windows\installer[99d6c928-147d-54d5-377f-bd821ed462e7]\U\80000000.@
Win32:Sirefef-AO in \windows\installer[99d6c928-147d-54d5-377f-bd821ed462e7]\U\800000cb.@
Then did a boot-time scan with AVAST and found 2 more:
Win32:Malware-gen in C:\System Volume Information\restore{F3916368-82B8-44E9-A6BE-254B11BEFE11}\RP1807\A014070.exe|>[ASPack]
Win32:Krap-AIL in C:\System Volume Information\restore{F3916368-82B8-44E9-A6BE-254B11BEFE11}\RP1807\A014071.exe
disabled system restore after seeing that.
Did aswMBR and it found \windows\system32\hkcmd.exe was infected with Win32:Malware-gen
Then did more MBAM/TDSS etc. and not really finding anything, but the threats for the two Sirefefs would come up every 5 mins when connected to the net, or when opening a new browser tab in IE (and maybe Chrome?)
Uninstalled Java (was out of date) and installed the new one, and was fine for an hour or so, then the Sirefef threats started popping up again in AVAST.
Did another boot-time scan in AVAST and this time it found:
Win32:Hoblig-B in \documents and settings\owner\local settings\temp\apart.dll
Now, am getting the two Sirefef threats continually popping up every 5 mins with the net cable plugged in.
followed log advice here http://forum.avast.com/index.php?topic=53253.0
logs for MBAM, aswMBR and TDSS are attached.
OTL won’t run and gives error:
Exception EReadError in module OTL.exe at 00016A6B
Error reading DIskParttionInfo1.Active: .
what can I do??? any and all help appreciated!!