Author Topic: Win32:Sirefef-AO, and Win64:Sirefef-A and others?  (Read 20787 times)

oldcorollas1

  • Guest
Re: Win32:Sirefef-AO, and Win64:Sirefef-A and others?
« Reply #60 on: May 22, 2012, 11:42:50 PM »
no threat popups from Avast. no apparent malware symptoms. am not using the infected PC atm (until it is verified to be clean)

only noticed strangeness is from IE not opening tabs correctly, but happy to reinstall IE.

worth doing a boot-time scan with Avast? or just a cleanup and see how it goes for a week?

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win32:Sirefef-AO, and Win64:Sirefef-A and others?
« Reply #61 on: May 22, 2012, 11:48:56 PM »
I reckon we will go for a cleanup - follow with an Avast scan (should be clean as AVP was also clear) then monitor for a day or two to ensure that it is history

Subject to no further problems   :)

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems 

Now the best part of the day ----- Your log now appears clean  :thumbsup:

A good workman always cleans up after himself so.. The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :Commands
    [resethosts]
    [emptytemp]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
Remove ComboFix
  • Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
  • In the Run box, type in ComboFix /Uninstall
    (Notice the space between the "x" and "/")
    then click OK
  • Follow the prompts on the screen
  • A message should appear confirming that ComboFix was uninstalled
Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

Malwarebytes.

Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly; it will show you which programmes on your system need updating and give a download link

It is critical to have both a firewall and anti-virus to protect your system and to keep them updated. To keep your operating system up to date visit
To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place?
Keep safe  :wave:

oldcorollas1

Re: Win32:Sirefef-AO, and Win64:Sirefef-A and others?
« Reply #62 on: May 23, 2012, 06:51:16 AM »
OTL still doesn't run, so ran the Fix under OTLPE boot CD

removed combofix

ran Avast boot-time scan and found the following:
c:\documents and settings\owner\local settings\application data\...80000000.@    Win64:Wirefef-A [Trj]
c:\documents and settings\owner\local settings\application data\...800000cb.@    Win32:Sirefef-AO [Rtk]

those files had previously been found in c:\windows\installer dir during first Avast Full system scan. almost there :P
(they were also the two that kept popping up in Avast, trying to connect to something every 5 mins?)

will do a couple of quick reboots, windows update, then another Avast boot-time scan, see if it comes back.
then connect to net tonight, do same thing, and boot scan again.

edit: full MBAM scan shows clean.
windoze updated.
doing Avast boot-time scan again now - came up clean.
will give it a couple of days and bootscan again.

Thanks muchly for your help Essexboy!! Would have been in a pickle without it :)

edit2: IE problem seems to have been solved by just doing a setting reset :) no idea why though...
« Last Edit: May 23, 2012, 03:38:47 PM by oldcorollas1 »

Offline essexboy

Re: Win32:Sirefef-AO, and Win64:Sirefef-A and others?
« Reply #63 on: May 23, 2012, 09:55:53 PM »
Those were part of the delivery package, but without the main files they are impotent

So it appears that we may have killed it in a very roundabout way

I will now re-read all the logs and see if I could have done it quicker  ;D

oldcorollas1

Re: Win32:Sirefef-AO, and Win64:Sirefef-A and others?
« Reply #64 on: June 02, 2012, 02:24:01 AM »
just a followup, of sorts..

Avast behaviour shield has been detecting iexplore.exe doing "something" 3 times in the last week, and a few more before that.

after that last Avast boot scan on 23rd that found 2 files,
another bootscan on 23rd found nothing.
quick scan on 24th = nothing
rootkit scan on 26th = nothing

did Avast boot scan last night and it found
Win32:Malware-Gen
c:\documents and settings\owner\local settings\application data\[99d6c928-147d-54d5-377f-bd821ed462e7]\n\00000001.@

new infection or backdoor still open?

will try another bootscan now.

fresh bootscan (all drives etc) shows nothing.
gmer = no red bits. no other scans show anything yet

hopefully just a failed attempt :)
« Last Edit: June 02, 2012, 08:56:18 AM by oldcorollas1 »

Offline essexboy

Re: Win32:Sirefef-AO, and Win64:Sirefef-A and others?
« Reply #65 on: June 02, 2012, 07:09:46 PM »
Again that shows a partial download and failed install.. So your protection is working

Can you delete the folder

c:\documents and settings\owner\local settings\application data\[99d6c928-147d-54d5-377f-bd821ed462e7]

manually, as I do not have access to my instructions on this laptop

oldcorollas1

Re: Win32:Sirefef-AO, and Win64:Sirefef-A and others?
« Reply #66 on: June 03, 2012, 03:20:01 AM »
this is getting a bit interesting.. (for me anyway ;) mainly because i'm not sure what i'm doing :D )

searching from Windows Explorer, that directory does not exist.
i ran "unhide.exe" and it still does not exist

from command prompt, i found it! using "dir /A"
the only file in it is the @ file that i guess was found before?
avast found 8000000cb.@ and 800000000.@ before in the U sub-dir, and recently 00000001.@ in same U dir.

I'll try deleting it from command prompt, reboot and see if i can find it again.

another random thing i found (from process explorer), the spoolsv.exe process had a *Crypt* thread associated with it (i didn't write down the full name) is that normal?

image of dir structure here http://i301.photobucket.com/albums/nn77/oldcorollas/99d6dir.jpg

deleted the @ file ("del /A /S")
then removed the [99d6c928-147d-54d5-377f-bd821ed462e7] dir and sub-dir ("rmdir /s {99 etc}" ) (in command prompt, it had {..} instead of [..] for brackets...)

rebooting now to see if gone :)

edit: ok, that DIR stayed gone.

so i went back to avast to see what other files were detected, and there was one with name
c:\windows\installer\{99d6c928-147d-54d5-377f-bd821ed462e7}\U

checked in command prompt, and there is hidden dir of that name..... (from 20/5/2012, 3 days after detection in that folder)
in that folder there is also hidden file called @, along with 00000001.@ from 16/5/2012 (date of infection! :D )
then rmdir'd that folder and sub-dir as well....
image of that dir structure here http://i301.photobucket.com/albums/nn77/oldcorollas/installer-99d6dir.jpg

from c:\ dir /S /A *.@ found nothing
from c:\ dir /S /A 800*.* and 800* found nothing sinister

new avast boot time scan, still nothing :)

AVP from normal mode found three vulnerabilities (old VLC, shockwave 11, and norton remnants from 2005)
but no nasties. have updated VLC and shockwave.

system is running good atm, nothing else to report.
« Last Edit: June 03, 2012, 09:50:11 AM by oldcorollas1 »
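The hunt described in the reply above (dir /A under Application Data and Windows\Installer, then looking for the *.@ files and the bare @ marker) can be scripted. The following Python is an added example written for this page, not a tool from the thread, from Avast or from essexboy; find_suspect_dirs, is_at_file, build_sample_tree and run_demo are names chosen here, and the directory tree it scans is constructed in a temporary folder to mirror the two paths the poster reported. It goes a little beyond the post by covering both locations in one pass and by treating a GUID-named folder as suspicious only when it actually holds .@ files, since Windows\Installer legitimately contains many GUID-named folders (the MSI cache).

```python
"""Added example: find hidden GUID-named directories holding '*.@' payload files.

Written for this page; not a tool from the thread, Avast or essexboy. The tree it
scans is constructed in a temp directory and mirrors the paths the poster reported.
"""
import os
import re
import tempfile
from pathlib import Path

# Directory named as a GUID, in braces (as cmd.exe shows it) or brackets (as the forum rendered it).
GUID_DIR = re.compile(
    r"^[\[{][0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}[\]}]$", re.IGNORECASE
)
# Payload names from the thread: eight hex digits plus '.@' (00000001.@, 800000cb.@) or a bare '@'.
AT_FILE = re.compile(r"^(?:[0-9a-f]{8}\.@|@)$", re.IGNORECASE)


def is_at_file(name):
    """True for names matching the '*.@' module pattern or the bare '@' marker file."""
    return AT_FILE.match(name) is not None


def find_suspect_dirs(root):
    """Return sorted (guid_dir, [relative '.@' files]) pairs for GUID-named dirs under root.

    os.walk lists entries regardless of the Windows 'hidden' attribute, so this sees the
    same directories as 'dir /A' even though Explorer showed nothing. A GUID-named
    directory alone is not reported: Windows\\Installer is full of them; only those that
    contain '.@' files are returned.
    """
    root = Path(root)
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            if not GUID_DIR.match(name):
                continue
            guid_dir = Path(dirpath) / name
            at_files = sorted(
                p.relative_to(guid_dir).as_posix()
                for p in guid_dir.rglob("*")
                if p.is_file() and is_at_file(p.name)
            )
            if at_files:
                hits.append((guid_dir.relative_to(root).as_posix(), at_files))
    return sorted(hits)


def build_sample_tree(base):
    """Constructed sample layout (not captured from the infected PC) mirroring the thread's two locations."""
    guid = "{99d6c928-147d-54d5-377f-bd821ed462e7}"
    appdata = "Documents and Settings/Owner/Local Settings/Application Data"
    files = [
        f"{appdata}/{guid}/U/00000001.@",
        f"{appdata}/{guid}/U/@",
        f"Windows/Installer/{guid}/@",
        f"Windows/Installer/{guid}/U/80000000.@",
        f"Windows/Installer/{guid}/U/800000cb.@",
        # Benign decoys: a normal MSI cache folder and an ordinary document.
        "Windows/Installer/{11111111-2222-3333-4444-555555555555}/setup.msi",
        "Documents and Settings/Owner/My Documents/notes.txt",
    ]
    for rel in files:
        path = Path(base) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"placeholder")


def run_demo():
    """Build the constructed tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return find_suspect_dirs(tmp)


if __name__ == "__main__":
    for guid_dir, at_files in run_demo():
        print(guid_dir)
        for f in at_files:
            print("   ", f)
```

Run as a script it reports the two GUID folders from the constructed tree and nothing for the decoy MSI folder. Pointed at a real drive root (find_suspect_dirs(r"C:\")) the same function lists every GUID-named folder that holds .@ files, which gives a repeatable check for the "did it come back after reboot" question the poster was answering by hand.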

Offline essexboy

Re: Win32:Sirefef-AO, and Win64:Sirefef-A and others?
« Reply #67 on: June 03, 2012, 10:30:58 PM »
I am still away from my main system at the moment, so could you monitor for now please

oldcorollas1

Re: Win32:Sirefef-AO, and Win64:Sirefef-A and others?
« Reply #68 on: June 03, 2012, 11:13:23 PM »
No worries Essexboy, there are no symptoms or traces I can find, so it should be all clear now :)
more just a follow-up before closing thread.

Offline essexboy

Re: Win32:Sirefef-AO, and Win64:Sirefef-A and others?
« Reply #69 on: June 03, 2012, 11:14:52 PM »
No problemo  ;D

oldcorollas1

Re: Win32:Sirefef-AO, and Win64:Sirefef-A and others?
« Reply #70 on: June 03, 2012, 11:16:10 PM »
Thanks for all your help!

Enjoy the rest of your holiday  8)