Author Topic: Win32:Sirefef-AO, and Win64:Sirefef-A and others?


oldcorollas1

  • Guest
Re: Win32:Sirefef-AO, and Win64:Sirefef-A and others?
« Reply #30 on: May 19, 2012, 07:49:57 PM »
It was "completing report", then icons disappeared, now seems to be hung (15 mins).
Cursor is present and still moves.
Only very occasional sound from HDD.

Wait for something to happen? Pull network plug? Force reboot? :)
« Last Edit: May 19, 2012, 08:01:39 PM by oldcorollas1 »

essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win32:Sirefef-AO, and Win64:Sirefef-A and others?
« Reply #31 on: May 19, 2012, 08:04:38 PM »
Yes, go for a reboot please - the log should pop up on restart. If not, it will be on your root C: drive.

oldcorollas1

« Reply #32 on: May 19, 2012, 08:20:54 PM »
Log did not pop up on restart to normal mode.
No new log files in C:\

In C:\Gotcha the last file to be created was catchlog, and a few before that, combofix.txt

Screenshot attached, along with combofix.txt


Observations:
Normal mode, avast running, cable plugged in, have opened up IE and got no popups.
Opening a new tab or Ctrl-K in IE8 causes it to hang (which it only started doing after the initial infection).
Can open new tabs in Chrome with no problem.

So far no popups or outgoing threats :)

Java update is running as a process, but it is disabled in the "startup" page of msconfig, and Java Quick Starter is disabled in services.. could it have been called by IE opening?
« Last Edit: May 19, 2012, 08:33:21 PM by oldcorollas1 »

essexboy

« Reply #33 on: May 19, 2012, 08:45:02 PM »
Possibility - could you retry ComboFix now please?

If it hangs again, then run an OTL quick scan selecting all users.

oldcorollas1

« Reply #34 on: May 19, 2012, 08:47:54 PM »
Will do.

Hopefully OTL will run in normal mode now, but if not, will do from the CD boot.

Thanks muchly for help so far! :)

Running Gotcha named file now.
Says there is a newer version available and is updating. Fingers crossed!
« Last Edit: May 19, 2012, 08:50:09 PM by oldcorollas1 »

oldcorollas1

« Reply #35 on: May 19, 2012, 09:10:27 PM »
This time it didn't hang.
Got to the end blue page where it said wait for report. Then the window just closed. No log came up.

Attached are combofix.txt and catchlog (renamed to be .txt) from the second combofix scan.

Cannot run OTL in normal mode. Going to run from the REATOGO boot CD again. (Same partition read error as before.)

essexboy

« Reply #36 on: May 19, 2012, 09:16:28 PM »
Still not running properly ..

OK, big boy time.

This programme will produce a zip file analysis log for me. Could you upload it to MediaFire or any other file sharing site for me to download, and post the sharing link.

Download AVPTool from Here to your desktop.

Run the programme you have just downloaded to your desktop (it will be randomly named).

First we will run a virus scan:

  • Click the cog in the upper right.
  • Select down to and including your main drive; once done, select the Automatic scan tab and press Start Scan.
  • Allow AVP to delete all infections found.
  • Once it has finished, select the Report tab (last tab).
  • Select Detected threats report from the left and press the Save button.
  • Save it to your desktop and attach it to your next post.

Now the analysis:

  • Rerun AVP, select the Manual Disinfection tab and press Start Gathering System Information.
  • On completion, click the link to locate the zip file to upload and attach to your next post.

oldcorollas1

« Reply #37 on: May 19, 2012, 09:26:12 PM »
Here are the files from the OTLPE scan.

oldcorollas1

« Reply #38 on: May 19, 2012, 09:30:47 PM »
And the extras.txt from the OTLPE scan.

It will take an hour or so to DL the AVPTool (crappy connection), and it's 5.30am here now.
Thanks for sticking with me so far, but unfortunately I need to catch some sleep while the file comes down :(

I'll download it and run those scans, and find somewhere to upload the report for you later this morning :)

essexboy

« Reply #39 on: May 19, 2012, 09:58:44 PM »
No probs, as I will be offline in about three hours.

oldcorollas1

« Reply #40 on: May 20, 2012, 05:58:21 AM »
Doing ok so far :)
It has found trojan.win32.inject.ectc in the C:\windows\installer\[99d6c928-147d-54d5-377f-bd821ed462e7]\n file
and managed to delete it.

oldcorollas1

« Reply #41 on: May 20, 2012, 09:21:10 AM »
AVP detected threats log attached.

oldcorollas1

« Reply #42 on: May 20, 2012, 09:37:12 AM »
http://www.mediafire.com/?v6vmhtgc32gx7tt

avptoolsysinfo.zip

Hopefully it found a few juicy things :)
« Last Edit: May 20, 2012, 09:48:50 AM by oldcorollas1 »

essexboy

« Reply #43 on: May 20, 2012, 01:36:27 PM »
One or two ... Once this has completed, can you let me know how the system is running.

  • Re-run AVPTool.
  • Select the Manual Disinfection tab and press Script execution.
  • Where it states Insert text script in the following box, copy the below script and press Run script.
    Copy from Begin until End.

Code:
begin
  // Switch on AVZ's process monitor and guard so the cleanup is not interfered with
  SetAVZPMStatus(True);
  SetAVZGuardStatus(True);
  // Look for user-mode and kernel-mode rootkits before touching any files
  SearchRootkit(true, true);
  // Remove the two Browser Helper Objects by CLSID
  DelBHO('{9E5BD40E-6287-11D6-9772-0002A5DD2483}');
  DelBHO('{B37B14B8-699F-4002-9254-D1AB00FD07B5}');
  // Keep a quarantine copy of each suspect file before it is deleted
  QuarantineFile('C:\Program Files\@nifty toolbar\nbho.dll','');
  QuarantineFile('C:\PROGRA~1\jBrowse\JBO.dll','');
  TerminateProcessByName('c:\documents and settings\owner\ѓfѓxѓnѓgѓbѓv\setup_11.0.0.1245.x01_2012_05_19_21_09.exe');
  QuarantineFile('c:\documents and settings\owner\ѓfѓxѓnѓgѓbѓv\setup_11.0.0.1245.x01_2012_05_19_21_09.exe','');
  // DeleteFile removes the file now; BC_DeleteFile queues it for the boot-time cleaner in case it is locked
  DeleteFile('c:\documents and settings\owner\ѓfѓxѓnѓgѓbѓv\setup_11.0.0.1245.x01_2012_05_19_21_09.exe');
  BC_DeleteFile('c:\documents and settings\owner\ѓfѓxѓnѓgѓbѓv\setup_11.0.0.1245.x01_2012_05_19_21_09.exe');
  DeleteFile('C:\WINDOWS\system32\NavLogon.dll');
  BC_DeleteFile('C:\WINDOWS\system32\NavLogon.dll');
  DeleteFile('C:\PROGRA~1\jBrowse\JBO.dll');
  DeleteFile('C:\Program Files\@nifty toolbar\nbho.dll');
  BC_DeleteFile('C:\PROGRA~1\jBrowse\JBO.dll');
  BC_DeleteFile('C:\Program Files\@nifty toolbar\nbho.dll');
  // Hand the deferred deletions to the boot cleaner, run the system cleanup and reboot
  BC_ImportDeletedList;
  BC_ImportAll;
  ExecuteSysClean;
  BC_Activate;
  RebootWindows(true);
end.

  • Your system will reboot on completion; if it does not, please do so yourself.
  • On completion, please run another analysis scan and attach the zip file.

oldcorollas1

« Reply #44 on: May 20, 2012, 01:51:50 PM »
Welcome back :)
Will do.
I changed "ѓfѓxѓnѓgѓbѓv" to Desktop in Japanese in the script (can't change it on the C: drive without hassles).

While shutting down it had some memory error? Write to memory error?
It is rebooting itself now, and I'll run the scan.

Analysis scan = gathering system info?
Doing now.

FWIW, the "setup_11 etc" file is the AVP file. jBrowse is a Japanese plugin for IE, and nifty toolbar is a pre-installed thing I never bothered to delete.

The setup_11 file was still present on the desktop after rebooting..

« Last Edit: May 20, 2012, 01:55:52 PM by oldcorollas1 »
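The garbled folder name in that script is worth decoding, because it explains why the path had to be edited by hand and why a straight re-decode is not enough. This is an added example, not code from the thread or from AVZ: it assumes the folder is the Japanese Windows Desktop (デスクトップ) stored as Shift-JIS, that the log viewer showed the bytes through the Windows-1251 (Cyrillic) code page, and that the ASCII bytes were lowercased on the way (the script's paths are all lowercase), which corrupts the Shift-JIS trail bytes.

```python
import itertools

# Constructed from the script quoted above: the garbled folder name and the
# Japanese Windows "Desktop" folder it is assumed to stand for.
GARBLED = "ѓfѓxѓnѓgѓbѓv"
JAPANESE_DESKTOP = "デスクトップ"


def garble(name: str, lowercase: bool = True) -> str:
    """Reproduce the damage: Shift-JIS bytes, ASCII-lowercased, then read
    back as Windows-1251; the lead byte 0x83 shows up as Cyrillic 'ѓ'."""
    raw = name.encode("shift_jis")
    if lowercase:
        raw = raw.lower()  # bytes.lower() only touches ASCII A-Z
    return raw.decode("cp1251")


def demojibake(garbled: str) -> str:
    """Naive reversal: reinterpret the cp1251 code points as Shift-JIS.
    Trail bytes that were lowercased now select the wrong katakana."""
    return garbled.encode("cp1251").decode("shift_jis", errors="replace")


def repair_candidates(garbled: str) -> set:
    """Undo a possible ASCII lowercase on Shift-JIS trail bytes.
    Every trail byte in a-z may originally have been A-Z, so try each
    combination and keep those that still decode as valid Shift-JIS;
    the caller then picks the plausible name (here the Desktop folder)."""
    raw = garbled.encode("cp1251")
    trail_pos = []
    i = 0
    while i < len(raw):
        if 0x81 <= raw[i] <= 0x9F or 0xE0 <= raw[i] <= 0xEF:  # lead byte
            if i + 1 < len(raw) and 0x61 <= raw[i + 1] <= 0x7A:
                trail_pos.append(i + 1)
            i += 2
        else:
            i += 1
    found = set()
    for flips in itertools.product((0, 0x20), repeat=len(trail_pos)):
        b = bytearray(raw)
        for pos, delta in zip(trail_pos, flips):
            b[pos] -= delta  # 0x20 turns 'x' (0x78) back into 'X' (0x58)
        try:
            found.add(bytes(b).decode("shift_jis"))
        except UnicodeDecodeError:
            pass
    return found
```

garble(JAPANESE_DESKTOP) reproduces the exact string from the script, while demojibake(GARBLED) gives デベハトップ, so only the case-repair search recovers デスクトップ among its candidates.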