Avast WEBforum
Other => Viruses and worms => Topic started by: Darthmufasa on September 04, 2012, 12:44:26 AM
-
I've tried every way I can think of to keep my computer from automatically restarting to give my anti virus (MSE) time to remove the Sirefef.A virus but nothing seems to work.
Any help would be greatly appreciated.
-
follow this guide and attach (not copy and paste) Malwarebytes / OTL / aswMBR logs
http://forum.avast.com/index.php?topic=53253.0
-
OTL will run for about two minutes and then stops responding.
I attached the Malwarebytes log
-
So two things: I have to end the process for MSE to keep the auto shutdown message from popping up.
Also, OTL stops responding when it gets to firefox settings.
-
Here is the aswMBR log:
-
Uninstalled firefox and got the OTL logs
-
Extras
-
Should I continue to try and remove as much as I can with these tools (OTL etc) or wait for a response to the logs I submitted?
I'm hesitant to remove anything else or run other things as it would differ the logs from how I submitted them.
-
Should I continue to try and remove as much as I can with these tools (OTL etc) or wait for a response to the logs I submitted?
I'm hesitant to remove anything else or run other things as it would differ the logs from how I submitted them.
you can not remove anything with OTL untill the removal expert have created the OTL fix ......and to do that you need to know what you are doing
malware removers are notified: It may take hours before one arrive so be patient
-
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:OTL
@Alternate Data Stream - 1237 bytes -> C:\ProgramData\Microsoft:UfHVhvoorYY18qNNWJhn8
@Alternate Data Stream - 1109 bytes -> C:\ProgramData\Microsoft:9HxsEcd9W6siwkGfrFKJMr3tZ
:Reg
[HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32]
""="%systemroot%\system32\wbem\wbemess.dll"
[-HKCU\Software\Classes\clsid\{12d0253a-7c96-815c-11e0-3034bbd97cc0}]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS]
"DisplayName"="@%SystemRoot%\\system32\\qmgr.dll,-1000"
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"Description"="@%SystemRoot%\\system32\\qmgr.dll,-1001"
"ObjectName"="LocalSystem"
"ErrorControl"=dword:00000001
"Start"=dword:00000002
"DelayedAutoStart"=dword:00000001
"Type"=dword:00000020
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,45,00,76,00,65,00,\
6e,00,74,00,53,00,79,00,73,00,74,00,65,00,6d,00,00,00,00,00
"ServiceSidType"=dword:00000001
"RequiredPrivileges"=hex(7):53,00,65,00,43,00,72,00,65,00,61,00,74,00,65,00,47,\
00,6c,00,6f,00,62,00,61,00,6c,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,\
67,00,65,00,00,00,53,00,65,00,49,00,6d,00,70,00,65,00,72,00,73,00,6f,00,6e,\
00,61,00,74,00,65,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,\
00,00,53,00,65,00,54,00,63,00,62,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,\
00,67,00,65,00,00,00,53,00,65,00,41,00,73,00,73,00,69,00,67,00,6e,00,50,00,\
72,00,69,00,6d,00,61,00,72,00,79,00,54,00,6f,00,6b,00,65,00,6e,00,50,00,72,\
00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,49,00,6e,00,\
63,00,72,00,65,00,61,00,73,00,65,00,51,00,75,00,6f,00,74,00,61,00,50,00,72,\
00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,00,00
"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
00,01,00,00,00,60,ea,00,00,01,00,00,00,c0,d4,01,00,00,00,00,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
71,00,6d,00,67,00,72,00,2e,00,64,00,6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS\Performance]
"Library"="bitsperf.dll"
"Open"="PerfMon_Open"
"Collect"="PerfMon_Collect"
"Close"="PerfMon_Close"
"InstallType"=dword:00000001
"PerfIniFile"="bitsctrs.ini"
"First Counter"=dword:000007d2
"Last Counter"=dword:000007e2
"First Help"=dword:000007d3
"Last Help"=dword:000007e3
"Object List"="2002"
"PerfMMFileName"="Global\\MMF_BITS_s"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS\Security]
"Security"=hex:01,00,14,80,90,00,00,00,a0,00,00,00,14,00,00,00,34,00,00,00,02,\
00,20,00,01,00,00,00,02,c0,18,00,00,00,0c,00,01,02,00,00,00,00,00,05,20,00,\
00,00,20,02,00,00,02,00,5c,00,04,00,00,00,00,02,14,00,ff,01,0f,00,01,01,00,\
00,00,00,00,05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,\
20,00,00,00,20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,04,\
00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,06,00,00,00,01,02,\
00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,05,20,00,00,\
00,20,02,00,00
:Files
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
C:\Users\Luka-Cola\AppData\Local\Temp\6o45r5kg5oeu2bf6.exe
C:\Users\Luka-Cola\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\45\396e86d-6a0fc5f4
C:\Windows\Installer\{a387f1a0-6a21-f6e6-5552-eaa0c58a6904}
:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow to update if it asks
(http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png)
(http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png)
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.[/b]
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
FINALLY
Download AdwCleaner from here (http://general-changelog-team.fr/en/tools/15-adwcleaner) to your desktop
Run AdwCleaner and select Delete
(https://dl.dropbox.com/u/73555776/AdwCleaner.GIF)
Once done it will ask to reboot, allow this
On reboot a log will be produced please attach that
-
I attached the OTL log after it applied the fix. I will post the combo fix log after it's finished.
-
Here is the comboFix log:
-
And finally the last log:
-
Well I really, really appreciate the help. You guys are awesome.
I have one question though:
I'm going to keep Malwarebytes PRO but it seems that Microsoft Security Essentials wasn't enough. What anti-malware and virus protection do you guys reccommend?
-
Bit more to kill
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
File::
c:\windows\system32\services.exe.8320158123F88379
c:\windows\system32\services.exe.232F8A6919273E4C
Save this as CFScript.txt, in the same location as ComboFix.exe
(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)
Refering to the picture above, drag CFScript into ComboFix.exeWhen finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
-
When I dropped the file on the comboFix exe it froze up my computer. It's just sitting there, will wait for further instructions.
-
OK stop combofix and reboot please
-
I cannot open task manager, should I just reboot? I'm typing from a laptop, not the desktop that's infected.
-
Does control-alt-delete work ?
-
No, all I have is the spinning icon for a mouse, cannot click on anything or use ctrl alt del.
-
OK reboot
-
Ok, rebooted and typing from the infected desktop.
-
Could you run an OTL quickscan please to see if combofix removed them
-
New quickscan log
-
OK I do not see them any more, how is the computer behaving ?
-
Malwarebytes has detected two objects so far while I'm running this full scan. Should I run a aswMBR and OTL full scan as well?
-
Could you post the malwarebytes log please
-
Not quite finished scanning yet, but I will as soon as it's done.
-
Here is the malwarebytes log
-
I haven't removed selected yet from the malwarbytes scan, it's showing the 8 detected objects, should I click remove selected?
-
C:\Qoobox\Quarantine\C\Windows\Installer\{a387f1a0-6a21-f6e6-5552-eaa0c58a6904}\U\80000000.@.vir (Rootkit.0Access.64) -> No action taken.
C:\Qoobox\Quarantine\C\Windows\System32\Services.exe.vir (Rootkit.0Access) -> No action taken.
D:\_OTL\MovedFiles\09042012_145542\C_Windows\Installer\{a387f1a0-6a21-f6e6-5552-eaa0c58a6904}\U\00000008.@ (Trojan.Dropper.BCMiner) -> No action taken.
D:\_OTL\MovedFiles\09042012_145542\C_Windows\Installer\{a387f1a0-6a21-f6e6-5552-eaa0c58a6904}\U\000000cb.@ (Rootkit.0Access) -> No action taken.
D:\_OTL\MovedFiles\09042012_145542\C_Windows\Installer\{a387f1a0-6a21-f6e6-5552-eaa0c58a6904}\U\80000000.@ (Rootkit.0Access.64) -> No action taken.
D:\_OTL\MovedFiles\09042012_154436\C_Windows\Installer\{a387f1a0-6a21-f6e6-5552-eaa0c58a6904}\U\00000008.@ (Trojan.Dropper.BCMiner) -> No action taken.
D:\_OTL\MovedFiles\09042012_154436\C_Windows\Installer\{a387f1a0-6a21-f6e6-5552-eaa0c58a6904}\U\000000cb.@ (Rootkit.0Access) -> No action taken.
D:\_OTL\MovedFiles\09042012_154436\C_Windows\Installer\{a387f1a0-6a21-f6e6-5552-eaa0c58a6904}\U\80000000.@ (Rootkit.0Access.64) -> No action taken.
Not a problem as they are already quarantined
How is the computer behaving