Author Topic: Win32:Sirefef-AO, and Win64:Sirefef-A and others?  (Read 20797 times)


oldcorollas1

  • Guest
Re: Win32:Sirefef-AO, and Win64:Sirefef-A and others?
« Reply #15 on: May 19, 2012, 10:53:30 AM »
extras2.txt (didn't fit in last attachment)

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win32:Sirefef-AO, and Win64:Sirefef-A and others?
« Reply #16 on: May 19, 2012, 05:13:10 PM »
Thanks for that. It appears that some systems have problems coping with the partition reading directive, so I will remove that from my scans.

Run OTL from normal mode please - it will work now

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run
To disable MBAM
Open the scanner and select the protection tab
Remove the tick from "Start with Windows"
Reboot and then run OTL


Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :OTL
    O3 - HKLM\..\Toolbar: (jBrowse Toolbar) - {9E5BD40E-6287-11D6-9772-0002A5DD2483} - C:\Program Files\jBrowse\JBO.dll ()
    O3 - HKU\Owner_ON_C\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
    O3 - HKU\Owner_ON_C\..\Toolbar\WebBrowser: (AzbyClub?????(&A)) - {3DB1C21B-A7E0-4C3F-B39E-E00DD8792D90} - C:\Program Files\@nifty toolbar\ntoolbar.dll (NIFTY Corporation)
    O3 - HKU\Owner_ON_C\..\Toolbar\WebBrowser: (jBrowse Toolbar) - {9E5BD40E-6287-11D6-9772-0002A5DD2483} - C:\Program Files\jBrowse\JBO.dll ()
    O4 - HKLM..\Run: [csclem] C:\Documents and Settings\Owner\Local Settings\Temp\csclem.dll (DT Soft Ltd)

    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN

Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1
Link 2
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks
  • Allow the installation of the recovery console
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion, then reboot; that will cure it.
Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
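The O3/O4 lines in the fix above are the entries OTL lists for browser toolbars and HKLM Run autostarts. As an added example that is not part of this thread or of OTL itself, the following Python script parses lines in that shape and flags the properties a helper looks for before writing such a fix: an autostart that loads from a Temp directory, a toolbar with no publisher recorded, and an orphaned toolbar entry with no CLSID value. The sample lines are constructed from the fix above, plus one made-up benign avastUI.exe entry for contrast; the flag wording and thresholds are this example's own choices.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample modelled on the O3/O4 lines in the OTL fix above; the
# final avastUI.exe line is a made-up benign entry added for contrast.
SAMPLE_OTL_LINES = r"""
O3 - HKLM\..\Toolbar: (jBrowse Toolbar) - {9E5BD40E-6287-11D6-9772-0002A5DD2483} - C:\Program Files\jBrowse\JBO.dll ()
O3 - HKU\Owner_ON_C\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\Owner_ON_C\..\Toolbar\WebBrowser: (AzbyClub?????(&A)) - {3DB1C21B-A7E0-4C3F-B39E-E00DD8792D90} - C:\Program Files\@nifty toolbar\ntoolbar.dll (NIFTY Corporation)
O4 - HKLM..\Run: [csclem] C:\Documents and Settings\Owner\Local Settings\Temp\csclem.dll (DT Soft Ltd)
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
"""

# O3: "O3 - <key>: (<name>) - {<clsid>} - <target>"
O3_RE = re.compile(r'^O3 - (?P<key>.+?): \((?P<name>.*?)\) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.*)$')
# O4: "O4 - <key>: [<value name>] <target>"
O4_RE = re.compile(r'^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<target>.*)$')
# <target> is usually "<path> (<publisher>)"; the publisher may be empty "()".
TARGET_RE = re.compile(r'^(?P<path>.*?) \((?P<company>[^)]*)\)$')


@dataclass
class Entry:
    kind: str                 # "O3" (toolbar) or "O4" (Run autostart)
    key: str                  # registry location as OTL abbreviates it
    name: str                 # toolbar name or Run value name
    path: str                 # file OTL resolved, or a status text such as "No CLSID value found."
    company: Optional[str]    # publisher string; "" when OTL printed "()", None when absent
    flags: List[str] = field(default_factory=list)


def _split_target(target: str):
    m = TARGET_RE.match(target)
    if m:
        return m.group("path"), m.group("company")
    return target, None


def parse_otl_line(line: str) -> Optional[Entry]:
    """Parse one O3 or O4 line; returns None for any other line."""
    line = line.rstrip()
    for kind, rx in (("O3", O3_RE), ("O4", O4_RE)):
        m = rx.match(line)
        if m:
            path, company = _split_target(m.group("target"))
            return Entry(kind, m.group("key"), m.group("name"), path, company)
    return None


def triage(entry: Entry) -> Entry:
    """Attach the review flags used in this example (not OTL's own logic)."""
    if "\\temp\\" in entry.path.lower():
        entry.flags.append("runs from a Temp directory")
    if entry.path.startswith("No CLSID value found"):
        entry.flags.append("orphaned toolbar entry (no CLSID value)")
    elif entry.company == "":
        entry.flags.append("no publisher recorded")
    return entry


def triage_otl(text: str) -> List[Entry]:
    entries = [parse_otl_line(l) for l in text.splitlines() if l.strip()]
    return [triage(e) for e in entries if e is not None]


def suspicious(text: str) -> List[Entry]:
    """Only the entries that picked up at least one flag."""
    return [e for e in triage_otl(text) if e.flags]


if __name__ == "__main__":
    for e in suspicious(SAMPLE_OTL_LINES):
        print(f"{e.kind} [{e.name}] {e.path}: {'; '.join(e.flags)}")
```

The flags are a triage aid, not a verdict: the jBrowse entry is flagged only because OTL printed an empty publisher, and the Temp-directory flag on csclem.dll is what makes that Run entry stand out regardless of the company string it carries.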

oldcorollas1
Re: Win32:Sirefef-AO, and Win64:Sirefef-A and others?
« Reply #17 on: May 19, 2012, 05:17:20 PM »
MBAM disabled, but OTL still will not run under normal mode.

Should I try safe mode?
and if that fails, then try OTLPE from the boot disc again, but with the fix code?

Offline essexboy
Re: Win32:Sirefef-AO, and Win64:Sirefef-A and others?
« Reply #18 on: May 19, 2012, 05:18:40 PM »
No, go directly to ComboFix please.

oldcorollas1
Re: Win32:Sirefef-AO, and Win64:Sirefef-A and others?
« Reply #19 on: May 19, 2012, 05:21:41 PM »
ok, doing now.
Thanks muchly :)

Offline essexboy
Re: Win32:Sirefef-AO, and Win64:Sirefef-A and others?
« Reply #20 on: May 19, 2012, 05:25:47 PM »
If ComboFix should fail to run, then download a fresh copy but rename it prior to saving as Gotcha.

oldcorollas1
Re: Win32:Sirefef-AO, and Win64:Sirefef-A and others?
« Reply #21 on: May 19, 2012, 05:35:42 PM »
ComboFix ran, attempted to set a recovery point, then I accepted the install of the Windows Recovery Console.
It asked to connect to the internet to install the Windows Recovery Console, so I plugged in the network cable.
Downloaded 17.9%, then the window suddenly closed. (No log was produced; it never finished downloading the recovery console.)
No trace of ComboFix in Process Explorer.


Avast was "permanently disabled" via the tray icon, but appears to have updated just after I plugged in the network cable... could that have killed ComboFix? :(
Should I kill all Avast processes in Process Explorer and rerun ComboFix?


Edit: seems that while it was connected to the net with Avast disabled, something changed, so now Avast (re-enabled, but net cable pulled out) is detecting an outgoing attempt to connect to the following (3 attempts so far):
http://qrlisics.cn/4293284545?w=503i=2770035690   (but the i is underlined)
Avast Network Shield says the process was something like documents and settings\...\temp\csclem.dll
« Last Edit: May 19, 2012, 06:00:40 PM by oldcorollas1 »

Offline essexboy
Re: Win32:Sirefef-AO, and Win64:Sirefef-A and others?
« Reply #22 on: May 19, 2012, 06:01:03 PM »
Could you go start > Run and type in the following

diskmgmt.msc

Then ensure all drives and partitions are visible
Now take a screenshot and attach it here please

oldcorollas1
Re: Win32:Sirefef-AO, and Win64:Sirefef-A and others?
« Reply #23 on: May 19, 2012, 06:13:21 PM »
Done. (I normally have two partitions: C is main and D is 10 gig at the end of the drive.)

When I went to save a file in Paint Shop Pro, a new threat (named "n" in local settings\application data) was detected coming from the psp.exe process, and moved to the chest.
(c:\documents and settings\owner\local settings\application data\[99d6c928-147d-54d5-377f-bd821ed462e7]\n   )

The outgoing threat (to the .cn site) now occurs every 5 minutes

« Last Edit: May 19, 2012, 06:20:17 PM by oldcorollas1 »
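The regular outgoing attempts reported in the last two posts (the same process, the same host, every 5 minutes) are the classic shape of a beacon, and the regularity itself is something a defender can detect in a network log even before the destination is known to be bad. As an added example that is not part of this thread and does not use Avast's real log format, the following Python script parses a constructed "timestamp action process -> host" log, groups events by (process, host) and reports pairs whose inter-event gaps are nearly constant. The csclem.dll path and the qrlisics.cn host are taken from the thread; the firefox.exe lines are invented noise, and the minimum hit count and jitter threshold are this example's own choices.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed log in a made-up "<timestamp> <action> <process> -> <host>" shape;
# it is NOT Avast's real Network Shield log format. Times were chosen so the
# csclem.dll events land about 300 seconds apart with a little jitter.
SAMPLE_LOG = r"""
2012-05-19 18:05:02 blocked C:\Documents and Settings\Owner\Local Settings\Temp\csclem.dll -> qrlisics.cn
2012-05-19 18:06:10 allowed C:\Program Files\Mozilla Firefox\firefox.exe -> ads.example.net
2012-05-19 18:06:15 allowed C:\Program Files\Mozilla Firefox\firefox.exe -> ads.example.net
2012-05-19 18:10:03 blocked C:\Documents and Settings\Owner\Local Settings\Temp\csclem.dll -> qrlisics.cn
2012-05-19 18:11:40 allowed C:\Program Files\Mozilla Firefox\firefox.exe -> ads.example.net
2012-05-19 18:15:01 blocked C:\Documents and Settings\Owner\Local Settings\Temp\csclem.dll -> qrlisics.cn
2012-05-19 18:20:02 blocked C:\Documents and Settings\Owner\Local Settings\Temp\csclem.dll -> qrlisics.cn
"""

LOG_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>\w+) (?P<proc>.+?) -> (?P<host>\S+)$'
)

Event = Tuple[datetime, str, str]  # (time, process path, destination host)


def parse(text: str) -> List[Event]:
    """Turn the constructed log into (time, process, host) tuples; unparseable lines are skipped."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group("proc"), m.group("host")))
    return events


def beacons(events: List[Event], min_hits: int = 3, max_cv: float = 0.1) -> Dict[Tuple[str, str], int]:
    """Return {(process, host): period_seconds} for pairs whose gaps are nearly constant.

    A pair qualifies when it has at least min_hits events and the coefficient of
    variation (population stdev / mean) of the gaps between consecutive events is
    at most max_cv. Both thresholds are this example's own choices.
    """
    by_pair: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for ts, proc, host in events:
        by_pair[(proc, host)].append(ts)

    found: Dict[Tuple[str, str], int] = {}
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            found[pair] = round(avg)
    return found


if __name__ == "__main__":
    for (proc, host), period in beacons(parse(SAMPLE_LOG)).items():
        print(f"beacon candidate: {proc} -> {host} every ~{period}s")
```

The browser traffic in the sample is dropped because its gaps are wildly uneven (5 s then 325 s), while the Temp-directory DLL reports a stable 300 s period, which matches the "every 5 minutes" the poster observed. On a real host the same grouping would run over the firewall or proxy log rather than a pasted string.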

Offline essexboy
Re: Win32:Sirefef-AO, and Win64:Sirefef-A and others?
« Reply #24 on: May 19, 2012, 06:23:32 PM »
OK this is definitely a new variant

Download the following to a USB
Run the Reatogo desktop
Run the FRST file on the USB

  • Download Farbar Recovery Scan Tool and save it to a flash drive.
  • Insert the flash drive with FRST on it
  • Locate the flash drive and run FRST
  • The tool will start to run.

  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

oldcorollas1
Re: Win32:Sirefef-AO, and Win64:Sirefef-A and others?
« Reply #25 on: May 19, 2012, 06:30:15 PM »
On it. Desktop will take a few mins to load.


The outgoing threat only started after reconnecting to the net with Avast disabled while ComboFix was dl'ing the recovery console.
I had not seen that pop up before. Maybe it managed to connect and pull a new piece in during that time?

Will post log in a few mins.

oldcorollas1
Re: Win32:Sirefef-AO, and Win64:Sirefef-A and others?
« Reply #26 on: May 19, 2012, 06:40:17 PM »
FRST log attached

Offline essexboy
Re: Win32:Sirefef-AO, and Win64:Sirefef-A and others?
« Reply #27 on: May 19, 2012, 07:06:49 PM »
Download the attached fixlist.txt to the USB that has FRST on it.
Insert this into the computer and from the Reatogo desktop Run FRST
Once FRST is on the desktop press Fix

Once it has completed then reboot to normal windows
Rename Combofix to Gotcha and run it


oldcorollas1
Re: Win32:Sirefef-AO, and Win64:Sirefef-A and others?
« Reply #28 on: May 19, 2012, 07:09:29 PM »
Will do.

Should I let ComboFix download the recovery console? (and reconnect to the net to do so)

Edit: fixlog attached
« Last Edit: May 19, 2012, 07:17:21 PM by oldcorollas1 »

oldcorollas1
Re: Win32:Sirefef-AO, and Win64:Sirefef-A and others?
« Reply #29 on: May 19, 2012, 07:31:59 PM »
Renamed to Gotcha,
ran it,
told it to download the recovery console,
connected the plug.
It started downloading.
About 20 seconds later it paused, and the cursor went to the sand timer icon for a few seconds, then the download continued.
Recovery console installed.

Now scanning for malware.


Should I take out the network cable while it is scanning, or leave it in? Am a bit worried it will grab something every 5 mins :P

Edit: and another observation..
Clock in tray now says 6.30am instead of the actual 3.30am ... not sure when it changed, but it has?
Will check if it is a timezone change after ComboFix finishes (almost there.. was preparing report, now icons gone)
« Last Edit: May 19, 2012, 07:43:28 PM by oldcorollas1 »