Avast WEBforum
Other => Viruses and worms => Topic started by: Gimmick on July 25, 2012, 04:05:20 AM
-
Hello Forum,
I detected a problem file through Avast! about 2 weeks ago after I had noticed that my Microsoft Security Essentials had been failing to update. I downloaded avast to change my protection and the first full scan detected the seemingly popular win32:Sirefef-PL [Rtk]. It was located at C:\Windows\assembly\GAC32\desktop.ini and also C:\Windows\assembly\GAC64\desktop.ini. My original attempts to move the infected files to the chest failed and so did my attempts to delete them. I ran my computer in safe mode and went offline to attempt a scan, and this time I was successful in moving the infected files to the chest and then deleting them.
I spent some time researching the virus and searching for possible ways of removal, and even now that I have removed the discovered files I feel as though my computer certainly is still infected. Through research and fiddling around I believe I may have actually been infected back on January 10th and failed to notice until a week or two ago when I had a barrage of pop ups and noticed that my windows firewall had been refusing to turn on and protect my computer. I also had a popup that would surface every time I tried to run a MSE scan that would force restart my computer. I have frequently used malwarebytes and MSE throughout this computer’s life, but I never found anything infected until I switched to avast (kudos). Now that I have removed the files and avast scans do not detect any problems I still feel as though my computer is infected. Throughout the last 6 or so months while I believe I have been infected my CD-ROM drive has gone bad (who knows if it is related or not), so while I have decided I wanted to do a hard format and OS re-install I cannot do so because my install CD cannot be read by my computer. It is quite the fail boat!
Would it be alright if I simply posted some logs for a sense of security from you great minds? I have tried to follow forum guidelines of how to best aid you in this process. P.S. I am currently running avast, RUBotted, and PrivateFirewall as my protection if that is of relevant information. Logs are either posted or attached! Thank you!
-Derek
Malwarebytes:
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org
Database version: v2012.07.24.12
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
owner :: OWNER-PC [administrator]
7/24/2012 5:44:00 PM
mbam-log-2012-07-24 (17-44-00).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 194048
Time elapsed: 3 minute(s), 5 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
aswMBR
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-07-24 18:47:35
-----------------------------
18:47:35.512 OS Version: Windows x64 6.1.7601 Service Pack 1
18:47:35.512 Number of processors: 1 586 0x170A
18:47:35.514 ComputerName: OWNER-PC UserName: owner
18:47:36.973 Initialize success
18:47:37.509 AVAST engine defs: 12071700
18:47:50.236 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
18:47:50.239 Disk 0 Vendor: FUJITSU_MJA2320BH_G2 8919 Size: 305245MB BusType: 11
18:47:50.257 Disk 0 MBR read successfully
18:47:50.259 Disk 0 MBR scan
18:47:50.263 Disk 0 Windows 7 default MBR code
18:47:50.275 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 293279 MB offset 2048
18:47:50.307 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 11962 MB offset 600637440
18:47:50.337 Disk 0 scanning C:\Windows\system32\drivers
18:48:04.056 Service scanning
18:48:48.432 Modules scanning
18:48:48.440 Disk 0 trace - called modules:
18:48:48.483 ntoskrnl.exe CLASSPNP.SYS disk.sys hpdskflt.sys ACPI.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys
18:48:48.491 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004c0a790]
18:48:48.824 3 CLASSPNP.SYS[fffff8800161743f] -> nt!IofCallDriver -> [0xfffffa8004c095d0]
18:48:48.830 5 hpdskflt.sys[fffff880019f8289] -> nt!IofCallDriver -> [0xfffffa8004aca0d0]
18:48:48.836 7 ACPI.sys[fffff88000f8f7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8004ab7680]
18:48:50.119 AVAST engine scan C:\Windows
18:48:52.473 AVAST engine scan C:\Windows\system32
18:51:26.866 AVAST engine scan C:\Windows\system32\drivers
18:51:40.049 AVAST engine scan C:\Users\owner
19:00:25.231 AVAST engine scan C:\ProgramData
19:01:21.027 Scan finished successfully
19:01:33.040 Disk 0 MBR has been saved successfully to "C:\Users\owner\Desktop\Maintenance\MBR.dat"
19:01:33.046 The log file has been saved successfully to "C:\Users\owner\Desktop\Maintenance\aswMBR.txt"
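Editor's added example (not part of the original post, and not code from aswMBR or Avast): a small parser for the partition lines in the aswMBR log above, with the sanity checks a responder applies when asked to rule out a bootkit. The first sample is copied from the log posted here; the second is a constructed variant in which the last partition is shortened so that unallocated space appears at the end of the disk. It assumes 512-byte sectors and that aswMBR's "MB" figures are MiB, which the posted offsets confirm (partition 1 starts at 2048 sectors and ends exactly where partition 2 begins).

```python
"""Sanity-check the partition table in an aswMBR log.

Editor's added example (not part of the original post or of aswMBR itself).
aswMBR prints one "Disk N Partition M ..." line per MBR entry, with sizes
in MiB and offsets in 512-byte sectors. The checks below are what a
responder looks for when told "the MBR may be infected":
  * the MBR code line still reads "Windows 7 default MBR code",
  * exactly one partition carries the active (A) flag,
  * partitions neither overlap nor leave unexplained gaps, and
  * little or no space is left after the last partition. TDL4-style
    bootkits keep their hidden file system in unallocated sectors at the
    end of the disk, so a large tail gap deserves a closer look.
"""
import re

SECTOR = 512          # aswMBR offsets are in 512-byte sectors
MIB = 1024 * 1024     # aswMBR "MB" figures are MiB (1 MiB = 2048 sectors)

# Copied from the aswMBR log posted earlier in this thread.
SAMPLE_LOG = """\
18:47:50.239 Disk 0 Vendor: FUJITSU_MJA2320BH_G2 8919 Size: 305245MB BusType: 11
18:47:50.257 Disk 0 MBR read successfully
18:47:50.259 Disk 0 MBR scan
18:47:50.263 Disk 0 Windows 7 default MBR code
18:47:50.275 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 293279 MB offset 2048
18:47:50.307 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 11962 MB offset 600637440
"""

# Constructed variant: same disk, but the second partition is 262 MiB
# shorter, which leaves unallocated space at the end of the disk.
SAMPLE_TAIL_GAP = SAMPLE_LOG.replace("11962 MB", "11700 MB")

SIZE_RE = re.compile(r"Disk (?P<disk>\d+) Vendor: .*? Size: (?P<size_mb>\d+)MB")
MBR_RE = re.compile(r"Disk (?P<disk>\d+) (?P<code>[^\n]*MBR code[^\n]*)")
PART_RE = re.compile(
    r"Disk (?P<disk>\d+) Partition (?P<num>\d+) (?P<flag>[0-9A-Fa-f]{2})"
    r"(?P<active> \(A\))? (?P<type>[0-9A-Fa-f]{2}) .*? (?P<size_mb>\d+) MB offset (?P<offset>\d+)"
)


def parse_asw_mbr(log_text, disk=0):
    """Extract disk size, MBR code description and partition entries for one disk."""
    report = {"disk": disk, "size_mb": None, "mbr_code": None, "partitions": []}
    for line in log_text.splitlines():
        m = SIZE_RE.search(line)
        if m and int(m["disk"]) == disk:
            report["size_mb"] = int(m["size_mb"])
            continue
        m = MBR_RE.search(line)
        if m and int(m["disk"]) == disk:
            report["mbr_code"] = m["code"].strip()
            continue
        m = PART_RE.search(line)
        if m and int(m["disk"]) == disk:
            start = int(m["offset"])
            sectors = int(m["size_mb"]) * MIB // SECTOR
            report["partitions"].append({
                "num": int(m["num"]),
                "active": m["active"] is not None,
                "type": m["type"].upper(),
                "size_mb": int(m["size_mb"]),
                "start": start,
                "end": start + sectors,   # exclusive end sector
            })
    return report


def analyze(report, max_tail_mb=16, tolerance_mb=1):
    """Return the tail gap in MiB and a list of findings (empty list = looks sane)."""
    findings = []
    code = report["mbr_code"] or ""
    if "default MBR code" not in code:
        findings.append(f"MBR code is not the stock loader: {code or 'not reported'}")
    parts = sorted(report["partitions"], key=lambda p: p["start"])
    if sum(p["active"] for p in parts) != 1:
        findings.append("expected exactly one active (bootable) partition")
    prev_end = 0
    for p in parts:
        # aswMBR rounds sizes down to whole MiB, so allow a gap of up to
        # tolerance_mb; the 1 MiB before the first partition is normal alignment.
        gap_mb = (p["start"] - prev_end) * SECTOR / MIB
        if gap_mb < 0:
            findings.append(f"partition {p['num']} overlaps the one before it")
        elif gap_mb > tolerance_mb:
            findings.append(f"{gap_mb:.1f} MiB unallocated before partition {p['num']}")
        prev_end = max(prev_end, p["end"])
    tail_mb = None
    if report["size_mb"] is not None:
        disk_end = report["size_mb"] * MIB // SECTOR
        tail_mb = (disk_end - prev_end) * SECTOR / MIB
        if tail_mb < 0:
            findings.append("partition table extends past the reported disk size")
        elif tail_mb > max_tail_mb:
            findings.append(f"{tail_mb:.1f} MiB unallocated after the last partition "
                            "(typical hiding place for a bootkit file system)")
    return {"tail_mb": tail_mb, "findings": findings}


if __name__ == "__main__":
    for name, log in (("posted log", SAMPLE_LOG), ("constructed tail gap", SAMPLE_TAIL_GAP)):
        result = analyze(parse_asw_mbr(log))
        print(f"{name}: tail {result['tail_mb']:.1f} MiB, findings: {result['findings'] or 'none'}")
```

On the posted log the two partitions are contiguous (partition 1 ends at sector 600637440, exactly where partition 2 starts) and only 3 MiB remain after the last partition, so nothing is flagged; the constructed variant reports the 265 MiB tail gap. A clean table does not prove the absence of a bootkit, which is why the thread still goes on to run TDSSKiller against the drivers and the boot sectors themselves.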
-
Malware removers have been notified. It may take several hours before one arrives, so be patient.
-
Thank you for the update! I am in -6 GMT so the overlap may be quite different but I will be checking as frequently as I can.
-
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:OTL
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}:6.0.26
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}:6.0.29
O2:64bit: - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - No CLSID value found.
:Files
ipconfig /flushdns /c
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}
C:\Users\owner\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}
:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow to update if it asks
(http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png)
(http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png)
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
-
Thank you for the guidance, Essexboy. I am working on running the fix using the script you provided in OTL but the program is "not responding" during the creating restore point phase of the script. It has been stuck on not responding for about 20 minutes. I have not tampered with anything within this time but am just waiting it out. Should I do a power button manual restart and attempt again if the program does not respond for some time? Or perhaps this is expected to take a while? I will wait it out for some time and hopefully you will have time to respond. I would imagine there have been some changes made to my system with this script so I don't want to make any presumptive moves. If it begins responding I will continue with the process and post the logs you requested. Thanks.
Edit: I am currently accessing this website through a roommate's computer
-
Yes, restart and continue with ComboFix; we may need to check out System Restore later.
-
Essexboy,
It seems as though OTL did indeed run its fix because there was a notification and a log after I manually restarted my computer. I have downloaded and run ComboFix; it appeared to delete one file at the end of its run and my computer is generating a log from ComboFix now. However, I need to run to work for a few hours and will be back to check in about 4 hours from this posting. I have the log report from OTL and assume I will have the one from ComboFix for that posting in a few hours. I'll get back to you then. Thanks again.
-
No problem but I will be offline in about two hours
-
I have not encountered any problems in my 10 minutes of browsing around on my computer, obviously it will take some time before I know with certainty that things are better. I have just noticed a generally less functional system since I think I may have acquired the suspected virus. Have any of the logs I have posted led you to believe that there is still a virus or problems within my system? Here are the updated OTL and ComboFix logs. I hope attachments are fine for this.
OTL:
Files\Folders moved on Reboot...
C:\Users\owner\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
File\Folder C:\Users\owner\AppData\Local\Temp\JET9E60.tmp not found!
File move failed. C:\Windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.
C:\Windows\temp\WebEx\Log\724\atashost.log moved successfully.
PendingFileRenameOperations files...
File C:\Users\owner\AppData\Local\Temp\FXSAPIDebugLogFile.txt not found!
File C:\Users\owner\AppData\Local\Temp\JET9E60.tmp not found!
[2012/07/25 12:12:14 | 000,000,000 | ---- | M] () C:\Windows\temp\_avast_\Webshlock.txt : Unable to obtain MD5
File C:\Windows\temp\WebEx\Log\724\atashost.log not found!
Registry entries deleted on Reboot...
-
I would like to do one further check: as the services file was not infected, that sometimes means the MBR is.
Download the latest version of TDSSKiller from here (http://support.kaspersky.com/downloads/utils/tdsskiller.exe) and save it to your Desktop.
- Doubleclick on TDSSKiller.exe to run the application
(http://dl.dropbox.com/u/73555776/TDSSFront.JPG)
- Then click on Change parameters.
(http://dl.dropbox.com/u/73555776/TDSSConfig.JPG)
- Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
- Click the Start Scan button.
- If a suspicious object is detected, the default action will be Skip, click on Continue.
(http://dl.dropbox.com/u/73555776/TDSSFound.JPG)
- If malicious objects are found, they will show in the Scan results and offer three (3) options.
- Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
- Get the report by selecting Reports
(http://dl.dropbox.com/u/73555776/TDSSEnd.JPG)
- Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
Please copy and paste its contents on your next reply.
-
Essexboy,
The log was over 10,000 characters so I will need to attach it rather than paste it. I hope that is alright. There were 3 suspicious files found.
-
No, that's good. How is the computer behaving?
-
Essexboy,
I am running a final scan with avast now, but as far as the computer condition goes it seems quite well. I believe I mentioned earlier that I have not been able to turn on my Windows Firewall since acquiring the virus, but I successfully turned it on just now for the first time since January! That must be a good sign. I am running PrivateFirewall as my firewall with Windows' firewall off and avast as my antivirus. I use Glary Utilities and CCleaner regularly and Malwarebytes as my scanner. Do you think that is sufficient or would you recommend anything else or any switches? The last problem I have encountered is that whenever I try to update some software (it just happened with Glary and CCleaner) it opens up Microsoft Word and loads the updating website as a text file within Word, of course making it so I can't easily get the update. Perhaps it just changed some setting on my computer in this process, but any idea how to easily fix that? The same thing also happened when I tried to update my old TDSSKiller to run for you, but I simply downloaded your updated file from your link to my desktop and everything worked fine. Any idea why this may be happening? Thank you for your help so much!
-
Sounds like an association problem
Download Windows Repair (all in one) from this site (http://www.tweaking.com/content/page/windows_repair_all_in_one.html)
Install the programme, then run it
(https://dl.dropbox.com/u/73555776/waio%20start.JPG)
Go to step 3 and allow it to run SFC
(https://dl.dropbox.com/u/73555776/waio%20step3.JPG)
On the start repairs tab click start
(https://dl.dropbox.com/u/73555776/waiostart%20rep.JPG)
Select the following items and tick restart system when finished
(https://dl.dropbox.com/u/73555776/waio%20rep%20list.JPG)
-
Thank you, Essexboy! I am running the program as instructed now, but again I must head to work for a few hours. I will respond on the condition of my computer later and hopefully tomorrow we will have this all finished! Thanks again.
-Derek
-
I am still having problems updating programs. This utility is great but it hasn't fixed the update from opening in Word. Aside from this does everything seem clean as far as my system goes? Should I remove all of these programs that I installed for the purpose of this testing?
-
What I will do is remove the programmes that we have used, tidy you up and then look at the association problems.
On that front, is it all exe programmes that open in Word, or just ones downloaded from the web? Or is it that the auto updates, instead of going to the website to download, open a Word document?
If it is the latter there is a link to a reg file at the end with installation instructions.
Subject to no further problems :)
I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems
Now the best part of the day ----- Your log now appears clean :thumbsup:
A good workman always cleans up after himself so..The following will implement some cleanup procedures as well as reset System Restore points:
Run OTL- Under the Custom Scans/Fixes box at the bottom, paste in the following
:Commands
[resethosts]
[emptytemp]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
Remove ComboFix
- Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
- In the Run box, type in ComboFix /Uninstall (Notice the space between the "x" and "/") then click OK
(http://i1224.photobucket.com/albums/ee362/Essexboy3/Misc%20screen%20shots/CF_Uninstall-1.jpg)
- Follow the prompts on the screen
- A message should appear confirming that ComboFix was uninstalled
Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.
We will now confirm that your hidden files are set to that, as some of the tools I use will change that
- Go to control panel
- Select folder options (Appearance > Folder options in category view)
- Select the View Tab.
- Under the Hidden files and folders heading select Do not show hidden files and folders.
- Click Yes to confirm.
- Click OK.
SPRING CLEAN
To manually create a new Restore Point
- Go to Control Panel and select System
- Select System
- On the left select System Protection and accept the warning if you get one
- Select System Protection Tab
- Select Create at the bottom
- Type in a name i.e. Clean
- Select Create
Now we can purge the infected ones
- Go to Start > All programs > Accessories > System Tools
- Right click Disk Cleanup and select Run as administrator
- Select Your main drive and accept the warning if you get one
- For a few moments the system will make some calculations
- Select the More Options tab
- In the System Restore and Shadow Backups select Clean up
- Select Delete on the pop up
- Select OK
- Select Delete
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
(http://img233.imageshack.us/img233/7729/mbamicontw5.gif)
Malwarebytes (http://www.malwarebytes.org/mbam-download.php). Update and run weekly to keep your system clean
Download and install FileHippo update checker (http://www.filehippo.com/updatechecker/) and run it monthly it will show you which programmes on your system need updating and give a download link
It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit
- Microsoft Windows Update (http://windowsupdate.microsoft.com)
To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ? (http://www.geekstogo.com/forum/topic/225044-preventing-malware-and-safe-computing/)
Keep safe :wave:
Reg file link https://dl.dropbox.com/u/73555776/Default_LNK_%28Shortcut%29.reg
Download to the desktop
Right click and select merge
Accept the warnings
Reboot and try an update again
-
Essexboy,
You have been incredibly helpful and it is extremely appreciated! I have completed all of the steps in your previous post. I downloaded FileHippo update checker and when I ran it the 4 updates it recommended for me were opened into a Word document. I am going to attempt to attach the Word file that I saved as a webpage to this post. It seems to be only programs I have downloaded from the web, at least that is all I have noticed. Any ideas? I did not do the last step of your previous post since I was not sure if it was fitting to my situation. Thank you.
*Edit: file was too large to attach
-
Yes run that association fix and see if it cures it
-
Sorry but I am unsure how to download the file you posted. The link is simply a bunch of text within the website and if I save link as it is merely a text file on my desktop. Sorry for my ignorance here, but how am I supposed to get that into the registry?
-
OK, right click the link and select Save as..
Save it to your desktop
Right click the file and select Merge
Accept any warnings
Reboot
-
Ah OK. I merged it and rebooted, but updates continue to open in Word documents. I am attaching a printscreen of what opened when I clicked to update my Glary Utilities. Any other ideas? Sorry this is being so pesky.
Edit: png was too large so I guess that part of this post is out.
-
Have you been using a registry cleaner? Your associations appear to be totally skewed.
There are association reg fixes here http://www.winhelponline.com/blog/file-asso-fixes-for-windows-7/
I would recommend that you run the main ones initially but do include the HTML one
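Editor's added example (not part of the thread, and not code from any of the tools used in it): before merging association fixes blindly, a responder usually wants to see which executable actually ends up handling `.htm`, `.html`, `http` and `https`. This walks a `.reg` export of `HKEY_CLASSES_ROOT` (for example from `reg export HKCR hkcr.reg`) the way the shell does: extension to ProgID, ProgID to default verb under `shell`, verb to `command`. The export below is constructed for illustration; its `http` handler is deliberately pointed at WINWORD.EXE with a `print` default verb so the audit has something to flag, and it is not a claim about what was on the poster's machine. It is simplified: it ignores the per-user `UserChoice` and `HKCU\Software\Classes` overrides that Windows 7 also consults.

```python
"""Audit browser-related file and protocol associations from a .reg export.

Editor's added example; not code from the thread or from any tool named in it.
Resolution performed (HKCR only, simplified):
    .ext  -> (Default) value = ProgID
    ProgID\shell (Default)   = default verb, "open" if empty or missing
    ProgID\shell\<verb>\command (Default) = command line
URL protocols such as http are their own ProgID (HKCR\http), so they skip
the first step. Anything whose default verb is not "open", or whose command
runs a document editor rather than a browser, is reported.
"""
import re

# Constructed sample export. The http handler is intentionally skewed.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.htm]
@="htmlfile"
"Content Type"="text/html"

[HKEY_CLASSES_ROOT\.html]
@="htmlfile"
"Content Type"="text/html"

[HKEY_CLASSES_ROOT\htmlfile]
@="HTML Document"

[HKEY_CLASSES_ROOT\htmlfile\shell]
@="open"

[HKEY_CLASSES_ROOT\htmlfile\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" -nohome"

[HKEY_CLASSES_ROOT\http]
@="URL:HyperText Transfer Protocol"
"URL Protocol"=""

[HKEY_CLASSES_ROOT\http\shell]
@="print"

[HKEY_CLASSES_ROOT\http\shell\open\command]
@="\"C:\\Program Files\\Microsoft Office\\Office12\\WINWORD.EXE\" /n \"%1\""

[HKEY_CLASSES_ROOT\http\shell\print\command]
@="\"C:\\Program Files\\Microsoft Office\\Office12\\WINWORD.EXE\" /p \"%1\""
'''

KEY_RE = re.compile(r"^\[(?P<path>[^\]]+)\]$")
VAL_RE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")=(?P<data>.*)$')

# Illustrative list of handlers that should never own a web association.
NOT_A_BROWSER = {"winword.exe", "wordpad.exe", "notepad.exe", "excel.exe"}


def _unquote(s):
    """Strip the quotes of a .reg string and undo its \\ and \" escapes."""
    return re.sub(r"\\(.)", r"\1", s[1:-1])


def parse_reg(text):
    """Return {key_path_lower: {value_name: data}}; default value is stored under ''."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m["path"].lower()
            keys.setdefault(current, {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            name = "" if m["name"] == "@" else _unquote(m["name"])
            data = m["data"]
            # Only REG_SZ values matter here; hex(...)/dword: data is kept raw.
            keys[current][name] = _unquote(data) if data.startswith('"') else data
    return keys


def _exe_name(command):
    """Lower-case basename of the executable a shell command line launches."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        path = command[1:end] if end > 0 else command[1:]
    else:
        path = command.split()[0]
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def resolve_handler(keys, target):
    """Resolve an extension ('.html') or URL protocol ('http') to its command."""
    root = "hkey_classes_root\\"
    chain = {"target": target, "progid": None, "verb": None, "command": None, "exe": None}
    if target.startswith("."):
        progid = keys.get(root + target.lower(), {}).get("")
        if not progid:
            return chain
        chain["progid"], base = progid, root + progid.lower()
    else:
        chain["progid"], base = target, root + target.lower()
    verb = keys.get(base + "\\shell", {}).get("") or "open"
    chain["verb"] = verb
    command = keys.get(f"{base}\\shell\\{verb.lower()}\\command", {}).get("")
    chain["command"] = command
    if command:
        chain["exe"] = _exe_name(command)
    return chain


def audit(keys, targets=(".htm", ".html", "http", "https")):
    """List the association problems a responder would want to fix."""
    findings = []
    for t in targets:
        chain = resolve_handler(keys, t)
        if chain["command"] is None:
            findings.append(f"{t}: no shell command found (progid={chain['progid']!r}, verb={chain['verb']!r})")
            continue
        if chain["verb"].lower() != "open":
            findings.append(f"{t}: default verb is {chain['verb']!r}, not 'open'")
        if chain["exe"] in NOT_A_BROWSER:
            findings.append(f"{t}: handled by {chain['exe']} via {chain['command']}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_reg(SAMPLE_REG)) or ["no association problems found"]:
        print(finding)
```

Running it on a real export substitutes `SAMPLE_REG` with the file contents; the output tells you which single key to repair (or which of the winhelponline fixes actually matters) instead of merging every fix in the set.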
-
Hey Essexboy,
Sorry I have not replied for a few days, I just finished a 1700 mile road trip back home. I have run the majority of the reg fixes and merged them. However, I still continue to have the problem. I have uploaded an image of the Word document it opens to ImageShack and will try to post it here. Hopefully it works, again sorry for the delay!
(http://img171.imageshack.us/img171/3240/updatecapture.jpg) (http://imageshack.us/photo/my-images/171/updatecapture.jpg/)
-
Please run the following tool, then try the updates
Please download exe_fix (http://noahdfear.net/downloads/exe_fix.com) and save it to your desktop
Double click on exe_fix.com to run it.
Type the number 1 at the prompt and allow the tool to run
-
Essexboy,
It merely saves as a text file to my desktop and opens as such. The only clear sentence in the file is that it must be run using Win32? I run 64 bit if that is what it is referring to? I am sorry if I do not understand the process you are asking me to do. I saved the link to my desktop in both txt and "all files" and neither ran in the manner which I expected it to (such as a normal exe would run) nor prompted me to type "1" as a command prompt.
-
When you download an exe file to the desktop and click it does it run ?
-
When I right click to save link as it only gives me the options of a text file or "all files". However, I just tried to save it from the page during this post and it was able to save as a binary file. So I ran that but after opening a blue box it reported that "this tool is not compatible with your system" and to press any key to continue (I even tried pressing 1 here for the slim chance but no success). :( this is so frustrating.
-
Does this apply to all exe files that you put on your desktop
-
No. I dropped Ccleaner to my desktop from a separate folder and tried opening it and it opened just fine.
-
So it is only the updater from within the programme ?
-
I'm sorry, I thought you were talking about exe fix file you had posted that I had trouble downloading. I have a folder called "Maintenance" on my desktop in which I keep all of my antimalware and cleaning tools. I just attempted updating filehippo and ccleaner and both opened their respective updates in word files similar to the previously posted image. I hope that makes sense and is a proper response to your question.
-
It definitely looks like an association problem but I have never come across this one before
Could you uninstall Filehippo, download a fresh copy and see if that still opens in word
-
Still opens in word :/. Should I maybe try to restore back to the original restore point you had me make after we finished our cleaning and see if that fixes the problem?
-
Yes reset to that
-
Essexboy,
I have reset my computer to that original restore point but the problem persists. Thank you for your time, regardless of whether we were able to fix this minor problem or not.
Edit: I tried re-running the All in One fix program that you provided me with in hopes of it correcting the problem, but it actually seemed to make it worse. One more thing I noticed that may help you understand the problem is that when I click to visit the piriform website (the apple on ccleaner) it opens up the link into a word document as though it were a website. So any link offline seems to be taking me to word documents. Filehippo continues to do the same when it finds updates. However, malwarebytes, which updates itself via a server is still able to update.
-
This is definitely an association problem of some sort... I will have a further rummage around
I wonder what happens if you uninstall word ?
-
I repaired my Microsoft office suite but did not do a full uninstall. My CD ROM drive is broken so I am afraid if I uninstall it that I will not be able to re-install it? The repair did not "repair" the problem.
-
It is a Word problem. I will see if MS has a download for it. What version of Word? Also, do you still have the licence key?
-
I have Office 2007 and yes I do still have the product key.
-
Download from here first http://www.microsoft.com/office/downloads/ before you uninstall
-
I uninstalled word and then re-installed it from that link. Now, however, when I try to upgrade-such as with Ccleaner (also with Glary) it opens up a print option rather than a word document. My goodness what a mess.
(http://img571.imageshack.us/img571/5402/ccleanery.jpg) (http://imageshack.us/photo/my-images/571/ccleanery.jpg/)
-
Now this is something really new... Time to start digging again