Avast WEBforum
Other => Viruses and worms => Topic started by: anusmyn on December 16, 2011, 03:11:41 AM
-
I ran avast and this came up as a threat:
C:\Windows\assembly\GAC_32\Desktop.ini Threat: Win32:Sirefef-FQ [Drp]
I can't get rid of it!!! What do I do?!
-
- This needs further analysis by a malware removal specialist:
Go to this topic http://forum.avast.com/index.php?topic=53253.0 (http://forum.avast.com/index.php?topic=53253.0) for information on Logs to assist in cleaning malware. Use the information about getting and using the logs and attach the logs here, not in the LOGS topic.
-
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org
Database version: 8377
Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005
15/12/2011 7:13:29 PM
mbam-log-2011-12-15 (19-13-29).txt
Scan type: Quick scan
Objects scanned: 179319
Time elapsed: 6 minute(s), 43 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\program files (x86)\common files\akkg.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\program files (x86)\common files\akkg1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\program files (x86)\common files\insta.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\program files (x86)\common files\insta1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
-
Here is the OTL log. I can't print screen for some reason.
-
aswMBR has made my computer crash and blue screen twice... ???
-
At what point, during the AV scan element ?
If so try running it again and from the AV scan: drop down list, select None as the scanning option.
The first time that you run OTL it should also produce an Extras file, if you can attach that.
Unfortunately you may be playing time zone ping pong as essexboy who normally analyses these is at work and is usually on the forums around 7pm (now almost 11:50am in the UK).
-
Here is the OTL extra file.
aswMBR crashes at 1%...
-
When set to none answMBR works fine. Here is the log.
-
Ok, so I tried to run a quick scan and aswMBR errors at 1% on agrdel64.exe then blue screens.
-
I see you have run combofix - could you attach that log please
-
Sorry... I'm not sure where it is...
-
It should be at C:\combofix txt
If it is not there then we will re-run it as I need to see if there is a driver remaining
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow to update if it asks
(http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png)
(http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png)
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.[/b]
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
-
Here it is. Thanks for the help.
-
What are your current problems ?
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:Files
ipconfig /flushdns /c
C:\Windows\assembly\GAC_32\Desktop.ini
:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
-
Here is ODT log. Running scan now.
-
According to avast! I am still infected with this:
C:\Windows\assembly\GAC_32\Desktop.ini Threat: Win32:Sirefef-FQ [Drp]
:-[
-
...?
-
It may still be a remnant, but are you getting any of the other symptoms ?
Unfortunately it is 1:05am in the UK so essexboy will be in bed and normally back on the forums after work about 7pm UK time.
-
Could you re-run an OTL please with the following script
- Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
- Select All Users
- Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
C:\Windows\assembly\GAC_32\*.ini
/md5stop
C:\Windows\assembly\tmp\U\*.* /s
CREATERESTOREPOINT
- Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Post both logs
-
Here is the OTL log.
-
Here is the extras log.
-
Hmm that showed one file that should not be there
color=green]Download and Install Combofix[/color]
Download ComboFix from one of the following locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow to update if it asks
(http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png)
(http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png)
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.[/b]
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
-
Sorry, I was away on holidays and had no access to a computer.
Here is the log from Combofix.
-
Help! ???
-
Because of the delay essexboy may not be subscribed to this topic, I will PM him to notify.
I'm afraid that you may be in for a little time zone ping pong as it 1:42pm in the UK and essexboy may not be back in the forums until later in the day around 7pm.
-
Hi there are the alerts still occuring ?
-
Thought you would be at work essexboy ;D
-
Nope taking a few days off ;D
-
Scan finds this:
C:\_OTL\MovedFiles\12182011_132538\C_Windows\...Destop.ini Threat Win32:Sirefef-FQ [Drp]
-
That is the OTL quarantined file
Any other problems ?
-
Nope!
-
Subject to no further problems :)
I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems
Now the best part of the day ----- Your log now appears clean :thumbsup:
A good workman always cleans up after himself so..The following will implement some cleanup procedures as well as reset System Restore points:
Remove ComboFix
- Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
- In the Run box, type in ComboFix /Uninstall (Notice the space between the "x" and "/") then click OK
(http://i1224.photobucket.com/albums/ee362/Essexboy3/Misc%20screen%20shots/CF_Uninstall-1.jpg)
- Follow the prompts on the screen
- A message should appear confirming that ComboFix was uninstalled
.
Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.
We will now confirm that your hidden files are set to that, as some of the tools I use will change that
- Click Start.
- Open My Computer.
- Select the Tools menu and click Folder Options.
- Select the View Tab.
- Under the Hidden files and folders heading select Do not show hidden files and folders.
- Click Yes to confirm.
- Click OK.
(http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif)
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version of Java components and upgrade the application.
Upgrading Java:
- Go to this site (http://java.com/en/) and click Do I have Java
- It will check your current version and then offer to update to the latest version
SPRING CLEAN
To manually create a new Restore Point
- Go to Control Panel and select System
- Select System
- On the left select System Protection and accept the warning if you get one
- Select System Protection Tab
- Select Create at the bottom
- Type in a name i.e. Clean
- Select Create
Now we can purge the infected ones
- GoStart > All programs > Accessories > system tools
- Right click Disc cleanup and select run as administrator
- Select Your main drive and accept the warning if you get one
- For a few moments the system will make some calculations
- Select the More Options tab
- In the System Restore and Shadow Backups select Clean up
- Select Delete on the pop up
- Select OK
- Select Delete
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
(http://img233.imageshack.us/img233/7729/mbamicontw5.gif)
Malwarebytes (http://www.malwarebytes.org/mbam-download.php). Update and run weekly to keep your system clean
Download and install FileHippo update checker (http://www.filehippo.com/updatechecker/) and run it monthly it will show you which programmes on your system need updating and give a download link
It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit
- Microsoft Windows Update (http://windowsupdate.microsoft.com)
To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ? (http://www.geekstogo.com/forum/topic/225044-preventing-malware-and-safe-computing/)
Keep safe :wave: