Author Topic: Win XP NASTY rootkit virus  (Read 6335 times)


Niice

  • Guest
Win XP NASTY rootkit virus
« on: August 19, 2012, 03:14:28 AM »
Yep!  A NASTY rootkit virus on an old Win XP Pro SP3 system.
c:\windows\assembly\GAC\Desktop.ini  Win32: Sirefef-PL

This is affecting lots of programs and executables, and not just the above, in DIFFERENT ways! For instance...

I can NOT run regedit. The executable regedit.exe is present but I get a "Windows cannot find file" error even if I try to execute the file directly from within the Windows folder.

Task Manager will NOT open no matter what I do, although it is intact and there. Right-clicking on the taskbar or CTRL+ALT+DEL will do nothing. If I try to execute the taskmgr.exe file directly from within the Windows\System32 folder, I get a "Windows cannot find file" error.

And the WORST is that the same happens with Malwarebytes after installation. It just will NOT run and I can NOT post any log for you as you ask for here: http://forum.avast.com/index.php?topic=53253.0

So, I can NOT follow that guide as you need me to do and attach (not copy and paste) Malwarebytes / OTL / aswMBR logs.

SO... the above said, what can I do?  How can you help me?  I've already performed a full system scan with Avast and over 130 infections were quarantined.

Thanks in advance! I'm at wit's end so I really need some help!

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76012
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Win XP NASTY rootkit virus
« Reply #1 on: August 19, 2012, 07:35:41 AM »
Try to run the tools in safe mode.
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89690
  • No support PMs thanks
Re: Win XP NASTY rootkit virus
« Reply #2 on: August 19, 2012, 01:59:20 PM »
You could also try running the Chameleon variant of MBAM, Start, All Programs, MalwareBytes AntiMalware - Tools - MalwareBytes AntiMalware Chameleon.

The others as mentioned will probably have to be run from safe mode.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Niice

  • Guest
Re: Win XP NASTY rootkit virus
« Reply #3 on: August 19, 2012, 04:05:03 PM »
OK!  First let me say thanks!  I now see why you guys are Überevangelists!
I should have mentioned in my FIRST post that Safe mode had the same nasty results. Couldn't run Malwarebytes and same problems with Task Manager, Registry Editor, etc.
BUT... that Chameleon "doohicky" did the trick and was able to start Malwarebytes!
Everything is working GREAT now, after Malwarebytes found 911 other problems and after I checked everything to fix, and then rebooted. EVERYTHING seems in order now!

Now, if you want me to, I can post a log for you but I don't think it's needed any longer. Let me know.

Thanks guys! You da BEST!!

P.S. I was SO impressed by Malwarebytes that I purchased a license and I now have Malwarebytes Pro and I have it protecting my puter as a protection module when Windows starts.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89690
  • No support PMs thanks
Re: Win XP NASTY rootkit virus
« Reply #4 on: August 19, 2012, 04:28:44 PM »
Please post the contents of the MBAM scan, copy and paste if small (though I suspect not) otherwise attach it using the Attachments and other options link.

Are you able to run OTL, etc. from normal mode now? If not, run them from safe mode as suggested by Asyn.

Niice

  • Guest
Re: Win XP NASTY rootkit virus
« Reply #5 on: August 19, 2012, 05:14:04 PM »
OK! Ask and ye shall receive! And yes... I can run everything from normal mode now with no problems!
First, the MBAM scan log. The OTL thingie is running now so I'll include that attachment in a following reply.
MBAM scan log attached to this reply.
btw... your CAPTCHA is VERY hard to read. I need to keep looking for one I can read in order to post!

EDIT: I cannot attach the MBAM scan log due to your forum size limitation on attachments. Error... your file is too large. Maximum total size 192k.  So instead I've uploaded it to my server. Go here to view...
http://nunzioweb.com/logs/mbam-log.txt

Niice

  • Guest
Re: Win XP NASTY rootkit virus
« Reply #6 on: August 19, 2012, 05:20:46 PM »
btw... this is my idiotic nephew's computer I'm trying to fix for him. He visits sites he should NOT visit! My puter is running Win 7, not the archaic Win XP.  OTL scan still running. Will try and attach log when complete unless too large for attachment here. In that case I'll upload to my server again for you!

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win XP NASTY rootkit virus
« Reply #7 on: August 19, 2012, 05:29:24 PM »
Monitoring

Niice

  • Guest
Re: Win XP NASTY rootkit virus
« Reply #8 on: August 19, 2012, 05:38:58 PM »
OK. Will attempt to attach the 2 OTL text logs now:
OTL.Txt
Extras.Txt

Let's hope this works...

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win XP NASTY rootkit virus
« Reply #9 on: August 19, 2012, 05:49:33 PM »
This should quiet it down some

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following


Code:
:OTL
O2 - BHO: (no name) - {45011CF5-E4A9-4F13-9093-F30A784EB9B2} - No CLSID value found.
O2 - BHO: (no name) - {56E4076B-A42B-4745-BA35-34DA8AC4C2F2} - No CLSID value found.
O2 - BHO: (no name) - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {0123B506-0AD9-43AA-B0CF-916C122AD4C5} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {5911488E-9D1E-40ec-8CBB-06B231CC153F} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-1993962763-1425521274-1644491937-1003\..\Toolbar\WebBrowser: (no name) - {0123B506-0AD9-43AA-B0CF-916C122AD4C5} - No CLSID value found.
O3 - HKU\S-1-5-21-1993962763-1425521274-1644491937-1003\..\Toolbar\WebBrowser: (no name) - {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - No CLSID value found.
O3 - HKU\S-1-5-21-1993962763-1425521274-1644491937-1003\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.

:Reg
[HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32]
""="%systemroot%\system32\wbem\wbemess.dll"
[-HKCU\Software\Classes\clsid\{12d0253a-7c96-815c-11e0-3034bbd97cc0}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS]
"Type"=dword:00000020
"Start"=dword:00000003
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"DisplayName"="Background Intelligent Transfer Service"
"DependOnService"=hex(7):52,00,70,00,63,00,73,00,73,00,00,00,00,00
"DependOnGroup"=hex(7):00,00
"ObjectName"="LocalSystem"
"Description"="Transfers files in the background using idle network bandwidth. If the service is stopped, features such as Windows Update, and MSN Explorer will be unable to automatically download programs and other information. If this service is disabled, any services that explicitly depend on it may fail to transfer files if they do not have a fail safe mechanism to transfer files directly through IE in case BITS has been disabled."
"FailureActions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,03,00,00,00,68,e3,0c,\
  00,01,00,00,00,60,ea,00,00,01,00,00,00,60,ea,00,00,01,00,00,00,60,ea,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS\Parameters]
"ServiceDll"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,\
  00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,71,00,6d,00,\
  67,00,72,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
  00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
  00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS\Enum]
"0"="Root\\LEGACY_BITS\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

:Files
C:\WINDOWS\Installer\{71b36945-27a9-f021-1e4d-6309be0238a9}
C:\Documents and Settings\user\Local Settings\Application Data\{71b36945-27a9-f021-1e4d-6309be0238a9}
ipconfig /flushdns /c
netsh int ip reset c:\resetlog.txt  /c
ipconfig /release /c
ipconfig /renew /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN

Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1
Link 2
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks
  • Allow the installation of the recovery console
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

3.  If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.


Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

NEXT

run farbar service scanner
Tick "All" options.
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.

FINALLY

Download AdwCleaner from here to your desktop
Run AdwCleaner and select Delete
Once done it will ask to reboot, allow this
On reboot a log will be produced please attach that

Niice

  • Guest
Re: Win XP NASTY rootkit virus
« Reply #10 on: August 19, 2012, 05:50:50 PM »
OK. Here's the last and, I think, final log, since everything in your guide refers to "specific infection logs" after this one.
Attachment: aswMBR.txt

OK guys!  I gotta leave for a few. Thanks for the help!

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win XP NASTY rootkit virus
« Reply #11 on: August 19, 2012, 05:52:28 PM »
Fix is posted above your last post

Niice

  • Guest
Re: Win XP NASTY rootkit virus
« Reply #12 on: August 19, 2012, 05:55:47 PM »
Eh! I just saw your reply, essexboy, after I posted that last log. I guess the last log wasn't really needed.  Like I said, gotta go for a while but when I get back I'll follow the instructions in your last reply above and then get back to you.

Thanks AGAIN for the help!  You guys ROCK!  Later!

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win XP NASTY rootkit virus
« Reply #13 on: August 19, 2012, 05:56:39 PM »
aswMBR did not in this case provide any additional data

Niice

  • Guest
Re: Win XP NASTY rootkit virus
« Reply #14 on: August 19, 2012, 07:36:43 PM »
Hmmm... been gone for about 1 1/2 hours and OTL is still running the "Fix" and is "stuck on stupid" with the same "Killing processes. DO NOT INTERRUPT" message it was at 1 1/2 hours ago.  So... now what?  Can't leave it like that!  Any suggestions?  I pasted this into it as you had indicated above and then clicked the "Run Fix" button...
Code:
:OTL
O2 - BHO: (no name) - {45011CF5-E4A9-4F13-9093-F30A784EB9B2} - No CLSID value found.
O2 - BHO: (no name) - {56E4076B-A42B-4745-BA35-34DA8AC4C2F2} - No CLSID value found.
O2 - BHO: (no name) - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {0123B506-0AD9-43AA-B0CF-916C122AD4C5} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {5911488E-9D1E-40ec-8CBB-06B231CC153F} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-1993962763-1425521274-1644491937-1003\..\Toolbar\WebBrowser: (no name) - {0123B506-0AD9-43AA-B0CF-916C122AD4C5} - No CLSID value found.
O3 - HKU\S-1-5-21-1993962763-1425521274-1644491937-1003\..\Toolbar\WebBrowser: (no name) - {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - No CLSID value found.
O3 - HKU\S-1-5-21-1993962763-1425521274-1644491937-1003\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.

:Reg
[HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32]
""="%systemroot%\system32\wbem\wbemess.dll"
[-HKCU\Software\Classes\clsid\{12d0253a-7c96-815c-11e0-3034bbd97cc0}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS]
"Type"=dword:00000020
"Start"=dword:00000003
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"DisplayName"="Background Intelligent Transfer Service"
"DependOnService"=hex(7):52,00,70,00,63,00,73,00,73,00,00,00,00,00
"DependOnGroup"=hex(7):00,00
"ObjectName"="LocalSystem"
"Description"="Transfers files in the background using idle network bandwidth. If the service is stopped, features such as Windows Update, and MSN Explorer will be unable to automatically download programs and other information. If this service is disabled, any services that explicitly depend on it may fail to transfer files if they do not have a fail safe mechanism to transfer files directly through IE in case BITS has been disabled."
"FailureActions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,03,00,00,00,68,e3,0c,\
  00,01,00,00,00,60,ea,00,00,01,00,00,00,60,ea,00,00,01,00,00,00,60,ea,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS\Parameters]
"ServiceDll"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,\
  00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,71,00,6d,00,\
  67,00,72,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
  00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
  00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS\Enum]
"0"="Root\\LEGACY_BITS\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

:Files
C:\WINDOWS\Installer\{71b36945-27a9-f021-1e4d-6309be0238a9}
C:\Documents and Settings\user\Local Settings\Application Data\{71b36945-27a9-f021-1e4d-6309be0238a9}
ipconfig /flushdns /c
netsh int ip reset c:\resetlog.txt  /c
ipconfig /release /c
ipconfig /renew /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]