Win32:Sirefef-FQ [Drp] in assembly\GAC_32\Desktop.ini - help! :)

I’ve been working on a computer for a friend and have already run a couple of things and defragged it. When I managed to get the Avast boot scan to run without crashing, after running a few tools, it came up with the Sirefef notification.

What I’ve done so far:
Ran SpyBot, removed a couple of registry keys, a RightMedia cookie and a ShoptoWin directory.
Installed Avast!, ran a full scan with no threats found.
Defragged the registry and deleted pointers to nowhere and empty keys with Glary Utils.
Replaced the hosts file for the Google redirect, thinking it was just a leftover from what the friend did before I got the computer.
Defragged the system.
Ran the Avast! boot scan, where it found this and something in an IE install file according to the hubby, who deleted that (it was in the temp internet files).

How should I proceed from here? Please help; this is a bit over my head!

This needs further analysis by a malware removal specialist:
Go to this topic http://forum.avast.com/index.php?topic=53253.0 for information on Logs to assist in cleaning malware. Use the information about getting and using the tools and attach the logs here, not in the LOGS topic.

There may be some delay due to differing time zones and availability of the volunteer malware removal specialists.

I’m getting to the desktop, but the utils won’t run - it says something about the service not starting. Right click doesn’t work on the icon to run as admin and quite frankly I’m sick of messing with it tonight. I’ll try again in the morning after some sleep and calming down. Maybe if I’m lucky I can run it from a command prompt…

Nada on the command prompt working; service still ‘didn’t respond in a timely fashion’. :( I think I shot myself in the foot restarting after I had it running again.

Aha, Avast found a hidden rootkit. Am going ahead and deleting smcservice.dll in hopes I can do something with this machine at all. If I can run the log tools after that, I’ll try it.

A malware removal specialist has been informed of your topic.

Hopefully he can get around the inability to run the utilities.

Hi there, first, what flavour of Windows are you running? XP, Vista, 7 or 8, and is it 32 or 64 bit?
Additionally, do you have access to either a CD burner or a spare USB stick?

I have Windows 7 64-bit on both the machine I’m on now and the one I’m trying to fix, and an 8 GB USB drive with the tool/log exes on it. I may be able to get my CD burner hooked up to this machine (no internal CD/DVD drive), but I’m not entirely certain I have drivers for it on 7. It’s a bit dated.

OK, if you have a USB we are on our way.

Download the following three programmes to your desktop:

  1. WiNTBootIc
  2. Windows 7 64bit RC
  3. Farbar Recovery Scan Tool x64

Extract wintoboot to your desktop
Insert a USB drive of at least 1GB
Run Wintoboot

http://dl.dropbox.com/u/73555776/wintoboot.JPG

Drag and drop the Windows 7 ISO to the programme in the space indicated
Tick the Format box and accept the warnings
Press Do It

You will see it progressing

http://dl.dropbox.com/u/73555776/usb%20progress.JPG

It will let you know when it is done.
Then copy FRST to the same USB.

http://dl.dropbox.com/u/73555776/frstwintoboot.JPG

Insert the USB into the sick computer and start the computer, first ensuring that the system is set to boot from USB.
Note: If you are not sure how to do that, follow the instructions Here.

When you reboot you will see this, although yours will say Windows 7. Click Repair my computer.

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7275.jpg

Select your operating system

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277202.jpg

Select Command prompt

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277.jpg

At the command prompt type the following:

  1. Type notepad and press Enter.
  2. Notepad opens. Under the File menu select Open.
  3. Select “Computer”, find your flash drive letter and close Notepad.
  4. In the command window type e:\frst64.exe and press Enter.
     Note: Replace the letter e with the drive letter of your flash drive.
  5. The tool will start to run.
  6. When the tool opens click Yes to the disclaimer.

https://dl.dropbox.com/u/73555776/FRST%20Start%20scan.gif

Press the Scan button.
It will make a log (FRST.txt) on the flash drive. Please copy and paste it into your reply.

Here’s what I have; thank you! It’ll be in a few posts due to length.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 06-12-2012
Ran by SYSTEM at 10-12-2012 09:33:59
Running from I:
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM.…\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2837288 2011-10-14] (Synaptics Incorporated)
HKLM.…\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [450048 2009-07-21] (IDT, Inc.)
HKLM.…\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre6\bin\jusched.exe” [171520 2009-08-21] (Sun Microsystems, Inc.)
HKLM-x32.…\Run: [StartCCC] “C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe” MSRun [98304 2009-07-02] (Advanced Micro Devices, Inc.)
HKLM-x32.…\Run: [QPService] “C:\Program Files (x86)\HP\QuickPlay\QPService.exe” [468264 2009-06-23] (CyberLink Corp.)
HKLM-x32.…\Run: [QlbCtrl.exe] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start [320056 2009-06-24] ( Hewlett-Packard Development Company, L.P.)
HKLM-x32.…\Run: [UpdatePRCShortCut] “C:\Program Files (x86)\Hewlett-Packard\Recovery\MUITransfer\MUIStartMenu.exe” “C:\Program Files (x86)\Hewlett-Packard\Recovery” UpdateWithCreateOnce “Software\CyberLink\PowerRecover” [222504 2009-05-19] (CyberLink Corp.)
HKLM-x32.…\Run: [WirelessAssistant] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [498744 2009-07-23] (Hewlett-Packard)
HKLM-x32.…\Run: [Adobe Reader Speed Launcher] “C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe” [35736 2011-01-30] (Adobe Systems Incorporated)
HKLM-x32.…\Run: [Adobe ARM] “C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe” [932288 2010-11-10] (Adobe Systems Incorporated)
HKLM-x32.…\Run: [Adobe Acrobat Speed Launcher] “C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe” [36760 2010-10-25] (Adobe Systems Incorporated)
HKLM-x32.…\Run: [Acrobat Assistant 8.0] “C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe” [821144 2010-10-25] (Adobe Systems Inc.)
HKLM-x32.…\Run: [BCSSync] “C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe” /DelayServices [91520 2010-01-21] (Microsoft Corporation)
HKLM-x32.…\Run: [nmctxth] “C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth.exe” [647216 2009-07-07] (Cisco Systems, Inc.)
HKLM-x32.…\Run: [nmapp] “C:\Program Files (x86)\Pure Networks\Network Magic\nmapp.exe” -autorun -nosplash [472112 2011-04-26] (Cisco Systems, Inc.)
HKLM-x32.…\Run: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [49208 2010-06-09] (Hewlett-Packard)
HKLM-x32.…\Run: [NBAgent] “C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe” /WinStart [1406248 2011-04-08] (Nero AG)
HKLM-x32.…\Run: [avast] “C:\Program Files\AVAST Software\Avast\avastUI.exe” /nogui [3493720 2011-07-04] (AVAST Software)
HKU\Chuck Laptop.…\Policies\system: [WallpaperStyle] 2
HKU\Default.…\Run: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [1668664 2009-07-15] (Hewlett-Packard)
HKU\Default.…\Policies\system: [WallpaperStyle] 2
HKU\Default User.…\Run: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [1668664 2009-07-15] (Hewlett-Packard)
HKU\Default User.…\Policies\system: [WallpaperStyle] 2
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1 205.171.3.25
SubSystems: [Windows] ATTENTION! ====> ZeroAccess

==================== Services (Whitelisted) ===================

2 AESTFilters; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_ccf0dd3cb081af84\AESTSr64.exe [89600 2009-03-02] (Andrea Electronics Corporation)
2 avast! Antivirus; “C:\Program Files\AVAST Software\Avast\AvastSvc.exe” [42184 2011-07-04] (AVAST Software)
2 FastUserSwitchingCompatibility; C:\Windows\SysWow64\FastUserSwitchingCompatibilityex.dll [73748 2004-08-17] ()
2 MotoHelper; C:\Program Files (x86)\Motorola\MotoHelper\MotoHelperService.exe [214896 2011-12-06] ()
4 NMSSvc; C:\Windows\System32\smcservice.dll [6656 2009-07-13] (Oak Technology Inc.) ATTENTION! ====> ZeroAccess
2 RichVideo; “C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe” [247152 2009-01-21] ()
2 SBSDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)
2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_ccf0dd3cb081af84\STacSV64.exe [240128 2009-07-21] (IDT, Inc.)

==================== Drivers (Whitelisted) =====================

3 61205996; C:\Windows\System32\drivers\34010681.sys [116016 2012-04-06] (Kaspersky Lab, GERT)
2 aswFsBlk; C:\Windows\System32\Drivers\aswFsBlk.sys [22360 2011-07-04] (AVAST Software)
2 aswMonFlt; C:\Windows\System32\Drivers\aswMonFlt.sys [64856 2011-07-04] (AVAST Software)
1 aswRdr; C:\Windows\System32\Drivers\aswRdr.sys [31064 2011-07-04] (AVAST Software)
1 aswSnx; C:\Windows\System32\Drivers\aswSnx.sys [600920 2011-07-04] (AVAST Software)
1 aswSP; C:\Windows\System32\Drivers\aswSP.sys [288088 2011-07-04] (AVAST Software)
1 aswTdi; C:\Windows\System32\Drivers\aswTdi.sys [45400 2011-07-04] (AVAST Software)
3 RtsUIR; C:\Windows\System32\DRIVERS\Rts516xIR.sys
3 USBCCID; C:\Windows\System32\DRIVERS\RtsUCcid.sys

==================== NetSvcs (Whitelisted) ====================

NETSVC: AGV → No ServiceDLL Path.
NETSVC: lxbu_device → No ServiceDLL Path.
NETSVC: flashcom → No ServiceDLL Path.
NETSVC: cwafadminmonitor → No ServiceDLL Path.
NETSVC: NMSSvc → C:\Windows\system32\smcservice.dll (Oak Technology Inc.) ATTENTION! ====> ZeroAccess
NETSVC: WUSB54GCSVC → No ServiceDLL Path.
NETSVC: ichaud → No ServiceDLL Path.
NETSVC: HBtnKey → No ServiceDLL Path.
NETSVC: zumbus → No ServiceDLL Path.
NETSVC: slapd-data52 → No ServiceDLL Path.

==================== One Month Created Files and Folders ========

2012-12-09 18:34 - 2012-12-06 15:23 - 00696379 ____A (Farbar) C:\Users\Chuck Laptop\Desktop\FSS.exe
2012-12-09 18:18 - 2012-12-09 17:17 - 00545819 ____A C:\Users\Chuck Laptop\Desktop\adwcleaner.exe
2012-12-09 18:12 - 2012-12-09 18:12 - 00000000 ____D C:\Users\Chuck Laptop\Desktop\Loggers
2012-12-09 03:46 - 2012-12-09 03:46 - 00000000 ____D C:\Program Files\Defraggler
2012-12-08 20:57 - 2012-12-09 19:00 - 00000338 ____A C:\Windows\Tasks\GlaryInitialize.job
2012-12-08 20:57 - 2012-12-08 21:02 - 00000000 ____D C:\Users\Chuck Laptop\AppData\Roaming\GlarySoft
2012-12-08 20:57 - 2012-12-08 20:57 - 00000000 ____D C:\Program Files (x86)\Glary Utilities
2012-12-08 20:08 - 2012-12-08 20:08 - 00000000 ____A C:\Windows\SysWOW64\config.nt
2012-12-08 20:08 - 2011-07-04 04:43 - 00253888 ____A (AVAST Software) C:\Windows\System32\aswBoot.exe
2012-12-08 20:08 - 2011-07-04 04:43 - 00199304 ____A (AVAST Software) C:\Windows\SysWOW64\aswBoot.exe
2012-12-08 20:08 - 2011-07-04 04:43 - 00040112 ____A (AVAST Software) C:\Windows\avastSS.scr
2012-12-08 20:08 - 2011-07-04 04:36 - 00600920 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSnx.sys
2012-12-08 20:08 - 2011-07-04 04:36 - 00288088 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSP.sys
2012-12-08 20:08 - 2011-07-04 04:35 - 00045400 ____A (AVAST Software) C:\Windows\System32\Drivers\aswTdi.sys
2012-12-08 20:08 - 2011-07-04 04:32 - 00064856 ____A (AVAST Software) C:\Windows\System32\Drivers\aswMonFlt.sys
2012-12-08 20:08 - 2011-07-04 04:32 - 00031064 ____A (AVAST Software) C:\Windows\System32\Drivers\aswRdr.sys
2012-12-08 20:08 - 2011-07-04 04:32 - 00022360 ____A (AVAST Software) C:\Windows\System32\Drivers\aswFsBlk.sys
2012-12-08 20:07 - 2012-12-08 20:07 - 00000000 ____D C:\Users\All Users\AVAST Software
2012-12-08 20:07 - 2012-12-08 20:07 - 00000000 ____D C:\Program Files\AVAST Software
2012-11-21 19:12 - 2012-11-21 19:12 - 00454960 ____A C:\Windows\Minidump\112112-17846-01.dmp
2012-11-21 13:22 - 2012-11-21 13:23 - 00000000 ____D C:\Samsung Galaxy S3 ToolKit
2012-11-21 13:13 - 2012-11-21 13:16 - 119496104 ____A (SkipSoft, markskippen@gmail.com) C:\Users\Chuck Laptop\Downloads\SGS3_International_ToolKit_v6.0.exe
2012-11-18 21:24 - 2012-11-18 21:24 - 00454960 ____A C:\Windows\Minidump\111812-27362-01.dmp
2012-11-18 19:40 - 2012-11-18 19:41 - 00454960 ____A C:\Windows\Minidump\111812-26130-01.dmp
2012-11-18 14:31 - 2012-11-18 14:31 - 00454960 ____A C:\Windows\Minidump\111812-18033-01.dmp
2012-11-17 19:28 - 2012-11-17 19:28 - 00454960 ____A C:\Windows\Minidump\111712-17940-01.dmp
2012-11-17 00:34 - 2012-11-17 00:34 - 00454960 ____A C:\Windows\Minidump\111712-17908-01.dmp
2012-11-16 05:17 - 2012-07-25 20:55 - 00785512 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\Wdf01000.sys
2012-11-16 05:17 - 2012-07-25 20:55 - 00054376 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\WdfLdr.sys
2012-11-16 05:17 - 2012-07-25 18:36 - 00009728 ____A (Microsoft Corporation) C:\Windows\System32\Wdfres.dll
2012-11-16 05:17 - 2012-06-02 06:35 - 00000003 ____A C:\Windows\System32\Drivers\MsftWdf_Kernel_01011_Inbox_Critical.Wdf
2012-11-16 05:07 - 2012-10-08 04:19 - 17811968 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-11-16 05:07 - 2012-10-08 03:42 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-11-16 05:07 - 2012-10-08 03:31 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-11-16 05:07 - 2012-10-08 03:24 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-11-16 05:07 - 2012-10-08 03:23 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-11-16 05:07 - 2012-10-08 03:22 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-11-16 05:07 - 2012-10-08 03:22 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-11-16 05:07 - 2012-10-08 03:20 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-11-16 05:07 - 2012-10-08 03:18 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-11-16 05:07 - 2012-10-08 03:17 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-11-16 05:07 - 2012-10-08 03:17 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2012-11-16 05:07 - 2012-10-08 03:15 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-11-16 05:07 - 2012-10-08 03:15 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-11-16 05:07 - 2012-10-08 03:13 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-11-16 05:07 - 2012-10-08 03:13 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-11-16 05:07 - 2012-10-08 03:09 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-11-16 05:07 - 2012-10-08 00:28 - 12320768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-11-16 05:07 - 2012-10-08 00:02 - 09738240 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-11-16 05:07 - 2012-10-07 23:56 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-11-16 05:07 - 2012-10-07 23:48 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-11-16 05:07 - 2012-10-07 23:48 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-11-16 05:07 - 2012-10-07 23:47 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-11-16 05:07 - 2012-10-07 23:46 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-11-16 05:07 - 2012-10-07 23:45 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-11-16 05:07 - 2012-10-07 23:44 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-11-16 05:07 - 2012-10-07 23:43 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-11-16 05:07 - 2012-10-07 23:43 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2012-11-16 05:07 - 2012-10-07 23:42 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2012-11-16 05:07 - 2012-10-07 23:41 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-11-16 05:07 - 2012-10-07 23:41 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-11-16 05:07 - 2012-10-07 23:40 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-11-16 05:07 - 2012-10-07 23:37 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-11-16 05:05 - 2012-07-25 19:08 - 00744448 ____A (Microsoft Corporation) C:\Windows\System32\WUDFx.dll
2012-11-16 05:05 - 2012-07-25 19:08 - 00229888 ____A (Microsoft Corporation) C:\Windows\System32\WUDFHost.exe
2012-11-16 05:05 - 2012-07-25 19:08 - 00194048 ____A (Microsoft Corporation) C:\Windows\System32\WUDFPlatform.dll
2012-11-16 05:05 - 2012-07-25 19:08 - 00084992 ____A (Microsoft Corporation) C:\Windows\System32\WUDFSvc.dll
2012-11-16 05:05 - 2012-07-25 19:08 - 00045056 ____A (Microsoft Corporation) C:\Windows\System32\WUDFCoinstaller.dll
2012-11-16 05:05 - 2012-07-25 18:26 - 00198656 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\WUDFRd.sys
2012-11-16 05:05 - 2012-07-25 18:26 - 00087040 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\WUDFPf.sys
2012-11-16 05:05 - 2012-06-02 06:57 - 00000003 ____A C:\Windows\System32\Drivers\MsftWdf_User_01_11_00_Inbox_Critical.Wdf
2012-11-16 04:59 - 2012-11-16 04:59 - 00454960 ____A C:\Windows\Minidump\111612-43664-01.dmp
2012-11-15 10:05 - 2012-10-18 10:25 - 03149824 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-11-15 10:05 - 2012-10-09 10:17 - 00226816 ____A (Microsoft Corporation) C:\Windows\System32\dhcpcore6.dll
2012-11-15 10:05 - 2012-10-09 10:17 - 00055296 ____A (Microsoft Corporation) C:\Windows\System32\dhcpcsvc6.dll
2012-11-15 10:05 - 2012-10-09 09:40 - 00193536 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dhcpcore6.dll
2012-11-15 10:05 - 2012-10-09 09:40 - 00044032 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dhcpcsvc6.dll
2012-11-15 10:05 - 2012-10-03 09:56 - 01914248 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2012-11-15 10:05 - 2012-10-03 09:44 - 00303104 ____A (Microsoft Corporation) C:\Windows\System32\nlasvc.dll
2012-11-15 10:05 - 2012-10-03 09:44 - 00246272 ____A (Microsoft Corporation) C:\Windows\System32\netcorehc.dll
2012-11-15 10:05 - 2012-10-03 09:44 - 00216576 ____A (Microsoft Corporation) C:\Windows\System32\ncsi.dll
2012-11-15 10:05 - 2012-10-03 09:44 - 00070656 ____A (Microsoft Corporation) C:\Windows\System32\nlaapi.dll
2012-11-15 10:05 - 2012-10-03 09:44 - 00018944 ____A (Microsoft Corporation) C:\Windows\System32\netevent.dll
2012-11-15 10:05 - 2012-10-03 09:42 - 00569344 ____A (Microsoft Corporation) C:\Windows\System32\iphlpsvc.dll
2012-11-15 10:05 - 2012-10-03 08:42 - 00175104 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netcorehc.dll
2012-11-15 10:05 - 2012-10-03 08:42 - 00156672 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncsi.dll
2012-11-15 10:05 - 2012-10-03 08:42 - 00018944 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netevent.dll
2012-11-15 10:05 - 2012-10-03 08:07 - 00045568 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpipreg.sys
2012-11-15 10:05 - 2012-09-25 14:47 - 00078336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\synceng.dll
2012-11-15 10:05 - 2012-09-25 14:46 - 00095744 ____A (Microsoft Corporation) C:\Windows\System32\synceng.dll
2012-11-15 10:05 - 2012-01-12 23:12 - 00052224 ____A (Microsoft Corporation) C:\Windows\SysWOW64\nlaapi.dll

2012-11-15 09:55 - 2012-11-15 09:55 - 00454960 ____A C:\Windows\Minidump\111512-17066-01.dmp
2012-11-14 15:00 - 2012-11-14 15:00 - 00454960 ____A C:\Windows\Minidump\111412-16738-01.dmp
2012-11-13 20:06 - 2012-11-13 20:06 - 00454960 ____A C:\Windows\Minidump\111312-15366-01.dmp
2012-11-13 01:14 - 2012-11-19 06:19 - 00000424 ____A C:\Windows\Tasks\RegCure Pro.job
2012-11-13 01:14 - 2012-11-13 01:14 - 00000000 ____D C:\Program Files (x86)\ParetoLogic
2012-11-13 01:13 - 2012-11-13 01:13 - 00454960 ____A C:\Windows\Minidump\111312-15646-01.dmp
2012-11-12 06:19 - 2012-11-12 06:20 - 00454960 ____A C:\Windows\Minidump\111212-16021-01.dmp
2012-11-10 22:37 - 2012-11-10 22:37 - 00454960 ____A C:\Windows\Minidump\111112-15678-01.dmp
2012-11-10 16:49 - 2012-11-10 16:49 - 00454960 ____A C:\Windows\Minidump\111012-18501-01.dmp
2012-11-10 09:39 - 2012-11-10 09:39 - 00454960 ____A C:\Windows\Minidump\111012-21247-01.dmp

==================== One Month Modified Files and Folders =======

2012-12-10 09:33 - 2012-12-10 09:33 - 00000000 ____D C:\FRST
2012-12-10 07:17 - 2012-09-04 05:20 - 00011492 ____A C:\Windows\setupact.log
2012-12-09 19:03 - 2011-04-26 10:02 - 00001536 ____A C:\Users\All Users\hpqp.ini
2012-12-09 19:00 - 2012-12-08 20:57 - 00000338 ____A C:\Windows\Tasks\GlaryInitialize.job
2012-12-09 19:00 - 2012-08-22 03:45 - 00000508 ____A C:\Windows\Tasks\ParetoLogic Update Version3 Startup Task.job
2012-12-09 19:00 - 2011-05-29 09:05 - 00000906 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-12-09 18:59 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-12-09 18:12 - 2012-12-09 18:12 - 00000000 ____D C:\Users\Chuck Laptop\Desktop\Loggers
2012-12-09 17:17 - 2012-12-09 18:18 - 00545819 ____A C:\Users\Chuck Laptop\Desktop\adwcleaner.exe
2012-12-09 13:44 - 2012-09-04 05:23 - 01389689 ____A C:\Windows\WindowsUpdate.log
2012-12-09 13:22 - 2011-05-29 09:05 - 00000910 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-12-09 12:49 - 2012-06-17 18:57 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-12-09 12:45 - 2009-07-13 20:45 - 00023248 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-12-09 12:45 - 2009-07-13 20:45 - 00023248 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-12-09 03:46 - 2012-12-09 03:46 - 00000000 ____D C:\Program Files\Defraggler
2012-12-08 21:20 - 2009-07-13 21:13 - 00733832 ____A C:\Windows\System32\PerfStringBackup.INI
2012-12-08 21:12 - 2011-04-26 08:37 - 00000000 ____D C:\users\Chuck Laptop
2012-12-08 21:12 - 2009-07-13 18:34 - 90963968 ____A C:\Windows\System32\config\SOFTWARE.gbck
2012-12-08 21:12 - 2009-07-13 18:34 - 14417920 ____A C:\Windows\System32\config\SYSTEM.gbck
2012-12-08 21:12 - 2009-07-13 18:34 - 05767168 ____A C:\Windows\System32\config\DEFAULT.gbck
2012-12-08 21:12 - 2009-07-13 18:34 - 00262144 ____A C:\Windows\System32\config\SECURITY.gbck
2012-12-08 21:12 - 2009-07-13 18:34 - 00262144 ____A C:\Windows\System32\config\SAM.gbck
2012-12-08 21:02 - 2012-12-08 20:57 - 00000000 ____D C:\Users\Chuck Laptop\AppData\Roaming\GlarySoft
2012-12-08 20:57 - 2012-12-08 20:57 - 00000000 ____D C:\Program Files (x86)\Glary Utilities
2012-12-08 20:08 - 2012-12-08 20:08 - 00000000 ____A C:\Windows\SysWOW64\config.nt
2012-12-08 20:07 - 2012-12-08 20:07 - 00000000 ____D C:\Users\All Users\AVAST Software
2012-12-08 20:07 - 2012-12-08 20:07 - 00000000 ____D C:\Program Files\AVAST Software
2012-12-06 15:23 - 2012-12-09 18:34 - 00696379 ____A (Farbar) C:\Users\Chuck Laptop\Desktop\FSS.exe
2012-11-21 19:12 - 2012-11-21 19:12 - 00454960 ____A C:\Windows\Minidump\112112-17846-01.dmp
2012-11-21 19:12 - 2012-09-06 17:31 - 439602414 ____A C:\Windows\MEMORY.DMP
2012-11-21 19:12 - 2012-04-02 13:02 - 00000000 ____D C:\Windows\Minidump
2012-11-21 19:12 - 2009-07-13 21:08 - 00032656 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-11-21 18:38 - 2012-09-05 17:31 - 00000052 ____A C:\Windows\SysWOW64\DOErrors.log
2012-11-21 18:36 - 2012-09-04 00:01 - 00000482 ____A C:\Windows\Tasks\ParetoLogic Registration3.job
2012-11-21 13:23 - 2012-11-21 13:22 - 00000000 ____D C:\Samsung Galaxy S3 ToolKit
2012-11-21 13:16 - 2012-11-21 13:13 - 119496104 ____A (SkipSoft, markskippen@gmail.com) C:\Users\Chuck Laptop\Downloads\SGS3_International_ToolKit_v6.0.exe
2012-11-19 08:08 - 2011-04-29 09:28 - 66395536 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-11-19 06:19 - 2012-11-13 01:14 - 00000424 ____A C:\Windows\Tasks\RegCure Pro.job
2012-11-18 21:24 - 2012-11-18 21:24 - 00454960 ____A C:\Windows\Minidump\111812-27362-01.dmp
2012-11-18 19:41 - 2012-11-18 19:40 - 00454960 ____A C:\Windows\Minidump\111812-26130-01.dmp
2012-11-18 14:31 - 2012-11-18 14:31 - 00454960 ____A C:\Windows\Minidump\111812-18033-01.dmp
2012-11-17 19:28 - 2012-11-17 19:28 - 00454960 ____A C:\Windows\Minidump\111712-17940-01.dmp
2012-11-17 19:11 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache
2012-11-17 00:34 - 2012-11-17 00:34 - 00454960 ____A C:\Windows\Minidump\111712-17908-01.dmp
2012-11-16 05:40 - 2009-07-13 20:45 - 00440792 ____A C:\Windows\System32\FNTCACHE.DAT
2012-11-16 05:39 - 2012-09-04 05:20 - 00032092 ____A C:\Windows\PFRO.log
2012-11-16 05:21 - 2011-04-26 10:47 - 00000000 ____D C:\Users\All Users\Microsoft Help
2012-11-16 05:00 - 2011-04-26 08:44 - 00119768 ____A C:\Users\Chuck Laptop\AppData\Local\GDIPFONTCACHEV1.DAT
2012-11-16 04:59 - 2012-11-16 04:59 - 00454960 ____A C:\Windows\Minidump\111612-43664-01.dmp
2012-11-16 04:46 - 2009-07-13 18:34 - 00000478 ____A C:\Windows\win.ini
2012-11-15 09:55 - 2012-11-15 09:55 - 00454960 ____A C:\Windows\Minidump\111512-17066-01.dmp
2012-11-15 09:55 - 2011-05-12 06:06 - 00000360 ____A C:\Windows\Tasks\HPCeeScheduleForChuck Laptop.job
2012-11-14 15:00 - 2012-11-14 15:00 - 00454960 ____A C:\Windows\Minidump\111412-16738-01.dmp
2012-11-13 20:06 - 2012-11-13 20:06 - 00454960 ____A C:\Windows\Minidump\111312-15366-01.dmp
2012-11-13 01:14 - 2012-11-13 01:14 - 00000000 ____D C:\Program Files (x86)\ParetoLogic
2012-11-13 01:13 - 2012-11-13 01:13 - 00454960 ____A C:\Windows\Minidump\111312-15646-01.dmp
2012-11-12 06:20 - 2012-11-12 06:19 - 00454960 ____A C:\Windows\Minidump\111212-16021-01.dmp
2012-11-10 22:37 - 2012-11-10 22:37 - 00454960 ____A C:\Windows\Minidump\111112-15678-01.dmp
2012-11-10 16:49 - 2012-11-10 16:49 - 00454960 ____A C:\Windows\Minidump\111012-18501-01.dmp
2012-11-10 09:39 - 2012-11-10 09:39 - 00454960 ____A C:\Windows\Minidump\111012-21247-01.dmp

ZeroAccess:
c:\Windows\System32\consrv.dll

ZeroAccess:
C:\Windows\assembly\GAC_32\Desktop.ini

ZeroAccess:
C:\Windows\assembly\GAC_64\Desktop.ini

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM.….exe: exefile => OK
HKLM.…\exefile\DefaultIcon: %1 => OK
HKLM.…\exefile\open\command: “%1” %* => OK

==================== Restore Points =========================

Restore point made on: 2012-12-09 07:46:03

==================== Memory info ===========================

Percentage of memory in use: 20%
Total physical RAM: 2812.2 MB
Available physical RAM: 2234.34 MB
Total Pagefile: 2810.35 MB
Available Pagefile: 2244.68 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:219.44 GB) (Free:55.76 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive e: (RECOVERY) (Fixed) (Total:13.15 GB) (Free:2.18 GB) NTFS ==>[System with boot components (obtained from reading drive)]
3 Drive f: (HP_TOOLS) (Fixed) (Total:0.1 GB) (Free:0.09 GB) FAT32
4 Drive g: (kwqc_20120831_6p) (CDROM) (Total:0.4 GB) (Free:0 GB) CDFS
5 Drive h: (U3 System) (CDROM) (Total:0.01 GB) (Free:0 GB) CDFS
6 Drive i: () (Removable) (Total:7.48 GB) (Free:7.24 GB) NTFS
7 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
8 Drive y: (SYSTEM) (Fixed) (Total:0.19 GB) (Free:0.16 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt


Disk 0 Online 232 GB 0 B
Disk 1 Online 7657 MB 0 B

Partitions of Disk 0:

Partition ### Type Size Offset


Partition 1 Primary 199 MB 1024 KB
Partition 2 Primary 219 GB 200 MB
Partition 3 Primary 13 GB 219 GB
Partition 4 Primary 103 MB 232 GB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info


  • Volume 2 Y SYSTEM NTFS Partition 199 MB Healthy

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info


  • Volume 3 C NTFS Partition 219 GB Healthy

=========================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info


  • Volume 4 E RECOVERY NTFS Partition 13 GB Healthy

=========================================================

Disk: 0
Partition 4
Type : 0C
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info


  • Volume 5 F HP_TOOLS FAT32 Partition 103 MB Healthy

=========================================================

Partitions of Disk 1:

Partition ### Type Size Offset


Partition 1 Primary 7655 MB 22 KB

==================================================================================

Disk: 1
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info


  • Volume 6 I NTFS Removable 7655 MB Healthy

=========================================================

Last Boot: 2012-12-09 07:38

==================== End Of Log =============================

Looks like a bit of a mess! Thank you so much for helping with this; I don’t think I could do it without the help. :)
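A small triage helper for an FRST log like the one posted above, added here as an example; it is not part of the thread, of FRST or of OTL. It assumes the FRST line formats visible in that log and runs over a constructed, abridged excerpt of it, pulling out the entries FRST tags as ZeroAccess, the "ZeroAccess:" file blocks, orphaned NetSvcs names and any MD5 check that is not "legit".

```python
"""Triage an FRST (Farbar Recovery Scan Tool) log for ZeroAccess indicators.

Added example for this thread; not part of FRST, OTL or the original posts.
It collects the entries FRST tags "ATTENTION! ====> ZeroAccess", the
"ZeroAccess:" blocks that name a hijacked file, NetSvcs entries with no
ServiceDLL path, and any Bamital/volsnap MD5 check that is not "legit".
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed, abridged excerpt of the FRST.txt posted in the thread.
SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ===================

SubSystems: [Windows] ATTENTION! ====> ZeroAccess

==================== Services (Whitelisted) ===================

4 NMSSvc; C:\Windows\System32\smcservice.dll [6656 2009-07-13] (Oak Technology Inc.) ATTENTION! ====> ZeroAccess

==================== NetSvcs (Whitelisted) ====================

NETSVC: AGV -> No ServiceDLL Path.
NETSVC: NMSSvc -> C:\Windows\system32\smcservice.dll (Oak Technology Inc.) ATTENTION! ====> ZeroAccess
NETSVC: zumbus -> No ServiceDLL Path.

ZeroAccess:
c:\Windows\System32\consrv.dll

ZeroAccess:
C:\Windows\assembly\GAC_32\Desktop.ini

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# FRST writes "->"; the forum rendering of the log shows "→", so accept both.
NETSVC_RE = re.compile(r"^NETSVC:\s*(\S+)\s*(?:->|→)\s*(.*)$")
MD5_RE = re.compile(r"^(\S.*?)\s*=>\s*MD5\s+(.*)$")
# Families FRST reports as a "<Family>:" header followed by the file path.
FAMILY_BLOCK_HEADERS = {"ZeroAccess:"}


@dataclass
class Finding:
    section: str   # FRST section the line was found in
    kind: str      # what matched, e.g. "flagged:ZeroAccess", "netsvc-orphan"
    detail: str    # the entry, service name or file path
    severity: str  # "high" = act on it; "info" = review, often a leftover


def triage_frst_log(text: str) -> list[Finding]:
    """Walk the log once and collect findings in order of appearance."""
    findings: list[Finding] = []
    section = "Header"
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        sec = SECTION_RE.match(line)
        if sec and sec.group(1).strip("= "):
            section = sec.group(1)
        elif "ATTENTION!" in line:
            # FRST appends "ATTENTION! ====> <family>" to an entry it recognises.
            entry, _, family = line.partition("ATTENTION!")
            family = family.split("====>")[-1].strip() or "unknown"
            findings.append(Finding(section, f"flagged:{family}", entry.strip(), "high"))
        elif line in FAMILY_BLOCK_HEADERS:
            # The hijacked file is named on the next non-blank line.
            j = i + 1
            while j < len(lines) and not lines[j].strip():
                j += 1
            path = lines[j].strip() if j < len(lines) else "(no path given)"
            findings.append(Finding(section, f"{line[:-1].lower()}-file", path, "high"))
            i = j
        elif (m := NETSVC_RE.match(line)) and "No ServiceDLL Path" in m.group(2):
            # Orphaned NetSvcs names are usually remnants of uninstalled software
            # (the helper in the thread did not act on them): review, not alarm.
            findings.append(Finding(section, "netsvc-orphan", m.group(1), "info"))
        elif (m := MD5_RE.match(line)) and m.group(2).strip() != "is legit":
            # Bamital/volsnap check: a patched system binary fails the MD5 check.
            findings.append(Finding(section, "md5-not-legit", m.group(1), "high"))
        i += 1
    return findings


if __name__ == "__main__":
    for f in triage_frst_log(SAMPLE_LOG):
        print(f"[{f.severity:4}] {f.section}: {f.kind} -> {f.detail}")
```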

You can attach the logs to the post using the Attachments and other Options link in the Reply window, which saves splitting it over many posts. Easier for you and the malware removal specialist.

Thanks; it’s here. :)

You’re welcome; hopefully essexboy can get back to the topic soon.

Here I be … This is one of the older variants and looks to only be partially removed.

Download the attached fixlist.txt to the same USB as FRST64.
Start from the recovery console again and run FRST.
Press FIX.
On completion a log will be placed on the USB drive.
Attach that.

Then reboot to normal Windows and run OTL.

Here are the logs from those two (I hope I did OTL correctly):

OK, let’s now clear the rest of the rubbish; you may have been infected via a bad FF addon.
Once this run has completed, could you check that Windows Update works?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

  1. Under the Custom Scans/Fixes box at the bottom, paste in the following:

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF
:OTL
IE - HKU\S-1-5-21-3494315151-810144019-40093657-1001\..\SearchScopes\{B05F4DE1-C7FE-4A30-A51C-8F2218E306C7}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3247201
FF - prefs.js..extensions.enabledAddons: bjvkqqovoa@bjvkqqovoa.org:1.0
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{5FF28FA9-85AC-11E1-826D-B8AC6F996F26}: C:\Users\Chuck Laptop\AppData\Local\{5FF28FA9-85AC-11E1-826D-B8AC6F996F26}\ [2012/04/14 13:30:36 | 000,000,000 | ---D | M]
[2012/11/21 20:36:50 | 000,000,000 | ---D | M] (InternetHelper1.5) -- C:\Users\Chuck Laptop\AppData\Roaming\Mozilla\Firefox\Profiles\oou71rfe.default\extensions\{1930e38a-deef-4cf4-9bfb-9c4ea3689a9d}
[1832/11/28 23:20:13 | 000,004,819 | ---- | M] () (No name found) -- C:\Users\Chuck Laptop\AppData\Roaming\Mozilla\Firefox\Profiles\oou71rfe.default\extensions\bjvkqqovoa@bjvkqqovoa.org.xpi
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O3 - HKU\S-1-5-21-3494315151-810144019-40093657-1001\..\Toolbar\WebBrowser: (no name) - {1930E38A-DEEF-4CF4-9BFB-9C4EA3689A9D} - No CLSID value found.
O3 - HKU\S-1-5-21-3494315151-810144019-40093657-1001\..\Toolbar\WebBrowser: (no name) - {30F9B915-B755-4826-820B-08FBA6BD249D} - No CLSID value found.
O16:64bit: - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab (Java Plug-in 1.6.0_14)
O36 - AppCertDlls: fontcaui - (C:\Windows\system32\compexec.dll) - File not found
O36 - AppCertDlls: mshttion - (C:\Windows\system32\compexec64.dll) - File not found
[2012/04/06 08:58:49 | 000,000,168 | ---- | C] () -- C:\ProgramData\-7jKzM7jG2IVl8Qr
[2012/04/06 08:58:49 | 000,000,000 | ---- | C] () -- C:\ProgramData\-7jKzM7jG2IVl8Q
[2012/04/06 08:58:35 | 000,000,256 | ---- | C] () -- C:\ProgramData\7jKzM7jG2IVl8Q
[2012/04/03 10:59:41 | 000,000,168 | ---- | C] () -- C:\ProgramData\-H597slbHa3Mobar
[2012/04/03 10:59:41 | 000,000,000 | ---- | C] () -- C:\ProgramData\-H597slbHa3Moba
[2012/04/03 10:59:34 | 000,000,256 | ---- | C] () -- C:\ProgramData\H597slbHa3Moba
[2012/04/01 08:32:48 | 000,000,208 | ---- | C] () -- C:\ProgramData\-g4DgLtOc3wVqQur
[2012/04/01 08:32:48 | 000,000,000 | ---- | C] () -- C:\ProgramData\-g4DgLtOc3wVqQu
[2012/04/01 08:32:37 | 000,000,256 | ---- | C] () -- C:\ProgramData\g4DgLtOc3wVqQu

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

  2. Then click the Run Fix button at the top.
  3. Let the program run unhindered, and reboot the PC when it is done.
  4. Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

And now the broken computer won’t recognize its USB ports, but I worked around that. Will post the log in a bit; need to pick up the kiddo from school while OTL runs the quick scan.

Edit: I was able to get the USB ports working again; I had tried to disable & re-enable earlier and they were disabled. Easy fix; I like.

Here’s the new OTL log. :)

Edit: Windows Update seems to be working just fine.