Removing GAC_32 and 64\Desktop.ini

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by dislocatedkarma, May 23, 2012.

  1. dislocatedkarma

    dislocatedkarma Private E-2

    Hi all. First post, so be gentle...
    Well, I've got the Windows\assembly\GAC_32\Desktop.ini and GAC_64\Desktop.ini malware. I think it happened Sunday evening. I installed a game and within minutes, AVG detected it. The problem, as you know, is that AVG cannot delete it.
    I found this forum and went searching. I worked through the READ and RUN ME FIRST section. I will attach the logs. However, I could NOT get combofix to run. I followed all the steps (I think), but it would not work.
    Anyway, I am attaching the logs I was able to get.
    I hope someone can help out. This is very frustrating, being a technology teacher and not being able to remove malware!
    Thanks in advance.
     

    Attached Files:

  2. thisisu

    thisisu Malware Consultant

    Welcome to Major Geeks, dislocatedkarma :)

    Please download and run AVG Remover

    Give the following tool a try: yorkyt.exe by Panda Security

    • Download it to your desktop and run it.
    • Yes, restart.
    • Let it restart again.
    • Be patient as the tool is working after the 2nd reboot.
    • Attach the Yorkyt.exe.log to your next message (it will be in the same directory the tool was run from).

    Delete this file: C:\Users\Dislocated Karma\AppData\Roaming\yuvcodecs-1.3.exe

    __

    Did you notice that your Windows Firewall is broken too? Do you intend to use it, or a third-party firewall?
     
  3. dislocatedkarma

    dislocatedkarma Private E-2

    Hi again,
    Well, I already ran the AVG removal tool before doing any of the above, so that should not have been a problem.
    I ran the Panda software and will attach the log.
    No, I didn't realize the Firewall was broken. Got the Fix it tool from Microsoft. Didn't fix it. So now I have two problems to fix.
     

    Attached Files:

  4. thisisu

    thisisu Malware Consultant

    That looks good. Now try this:

    Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now open Repair_Windows.exe
    • Go to Start Repairs tab.
    • Press the Start button
    • Create a System Restore point if prompted.
    • In the Custom Mode window, select the following repair options:
      • Reset Registry Permissions
      • Repair WMI
      • Repair Windows Firewall
      • Repair Hosts File
      • Remove Policies Set By Infections
      • Repair Winsock & DNS Cache
      • Remove Temp Files
    • Now click the Start button.
    • Be patient while the tool repairs the selected items.
    • If asked to reboot the computer for the changes to take effect, make sure other tasks in the program are not still running before accepting to restart.

    Attempt to run ComboFix using these directions:
    • Press and hold the Windows key and then press the letter R on your keyboard.
    • This opens the Run dialog box.
    • Copy and paste the below text inside the text-field:
      • "%userprofile%\desktop\ComboFix" /killall
    • Now press ENTER
    • ComboFix should launch and try to scan. Let me know exactly what happens if it does not run successfully this time around.
    • Attach C:\ComboFix.txt if it was successful.

    Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message.
     
  5. dislocatedkarma

    dislocatedkarma Private E-2

    OK,
    So one problem down. After running Windows Repair, the firewall is working! Thanks! I now promote you to demigod.
    One more problem to go.
    I still cannot get Combofix to run. I did exactly what you said, but I get a pop up window that says:
    HP On Screen Display has stopped working.
    I can then choose to check online for a solution or close the program.
    When I close the program, nothing seems to happen. I'm not sure what this on screen display is, but it seems to interfere with combofix. I'll try one more time, but that's where I'm stuck.
     
  6. dislocatedkarma

    dislocatedkarma Private E-2

    Forgot to mention,
    The same message popped up when I ran Windows Repair.
     
  7. dislocatedkarma

    dislocatedkarma Private E-2

    Quick update.
    Both times I ran MGTools, I got a pop up saying:
    nslookup.exe
    The ordinal 1108 could not be located in the dynamic link library WSOCK32.dll
    Not sure if this helps you out...
     
  8. dislocatedkarma

    dislocatedkarma Private E-2

    Major Update!
    I failed to mention that up to this point, I could not simply find the infected files on my computer. When I went to the folder that supposedly contained the infected file, it was not there. I made sure that I had show hidden files checked, but it still wasn't there.
    After running all these programs, I am now somehow able to locate and see the infected files. The problem? I cannot delete them! I have tried using LockHunter to unlock them but they still won't delete.
    At least some progress is being made...
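A check script for the two symptoms in posts #7 and #8 (nslookup complaining about WSOCK32.dll, and a Desktop.ini that appears and disappears and will not delete), added here as an example; it is not from the thread and not part of any tool mentioned in it. It assumes an elevated PowerShell 3.0 or later prompt. The paths are the ones the thread names; the idea that a file one listing shows and another hides is being filtered is this script's assumption, not a finding from the logs.

```powershell
# Added example (not from the thread or its tools). Run as Administrator in PowerShell 3.0+.
# Paths below are the ones the thread names; everything else is this script's own assumption.

$gacIni = @(
    'C:\Windows\assembly\GAC_32\Desktop.ini',
    'C:\Windows\assembly\GAC_64\Desktop.ini'
)

function Test-GacDesktopIni {
    # Two independent listings of each GAC folder: -Force shows hidden/system entries in
    # PowerShell, and cmd's "dir /a /b" is a second opinion. Assumption: a Desktop.ini that
    # one listing shows and the other hides is being filtered, which is what post #8 describes.
    # These folders do not normally contain a Desktop.ini at all.
    foreach ($p in $gacIni) {
        $dir = Split-Path -Parent $p
        $ps  = Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue |
               Where-Object { $_.Name -ieq 'Desktop.ini' }
        $cmd = & cmd.exe /c dir /a /b $dir 2>$null | Where-Object { $_ -ieq 'Desktop.ini' }

        if (-not $ps -and -not $cmd) { Write-Host "[ok] $p not present"; continue }
        Write-Host "[!] $p present (PowerShell sees it: $([bool]$ps), cmd sees it: $([bool]$cmd))"
        if ($ps) {
            Write-Host "    attrs=$($ps.Attributes) size=$($ps.Length) mtime=$($ps.LastWriteTime)"
            # A deny ACE or an owner other than Administrators explains "won't delete" more
            # often than a held handle, which is the only thing LockHunter looks for.
            $acl = Get-Acl -LiteralPath $p
            Write-Host "    owner=$($acl.Owner)"
            foreach ($ace in $acl.Access) {
                Write-Host ('    {0,-5} {1,-35} {2}' -f $ace.AccessControlType, $ace.IdentityReference, $ace.FileSystemRights)
            }
        }
    }
}

function Test-WinsockBinaries {
    # Post #7: nslookup.exe could not find an ordinal in WSOCK32.dll. Check the Winsock DLLs
    # for both architectures and nslookup itself. Caveat: on the Windows 7 era PowerShell of
    # this thread Get-AuthenticodeSignature does not consult the signing catalog, so genuine
    # system files show "NotSigned"; there the CompanyName/FileVersion columns and
    # "sfc /verifyonly" are the better signal.
    $bins = @('wsock32.dll', 'ws2_32.dll', 'nslookup.exe')
    foreach ($sub in @('System32', 'SysWOW64')) {
        foreach ($b in $bins) {
            $path = Join-Path (Join-Path $env:SystemRoot $sub) $b
            if (-not (Test-Path -LiteralPath $path)) { continue }
            $sig = Get-AuthenticodeSignature -FilePath $path
            $vi  = (Get-Item -LiteralPath $path).VersionInfo
            Write-Host ('{0,-40} {1,-12} {2,-22} {3}' -f $path, $sig.Status, $vi.CompanyName, $vi.FileVersion)
        }
    }
    # Layered service providers: a provider path outside System32/SysWOW64, or a DLL that is
    # not Microsoft's, is what a later "netsh winsock reset" would be clearing.
    & netsh.exe winsock show catalog |
        Where-Object { $_ -match 'Provider Path' } |
        Sort-Object -Unique |
        ForEach-Object { Write-Host "    LSP: $($_.Trim())" }
}

Test-GacDesktopIni
Test-WinsockBinaries
```

Run it before and after any removal attempt and keep both outputs: the before/after difference in the listings and the ACL is what tells you whether a delete actually happened or the file was merely hidden again.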
     
  9. thisisu

    thisisu Malware Consultant

    Have you tried ComboFix from Safe Mode yet? If not, try that at this time. Remember to OK any prompts from ComboFix and make sure that ComboFix.exe is being run from your desktop.
    It shouldn't be hanging as your logs are fairly clean at this point. Are you saying that it does not open at all? Try to be more descriptive on what is happening so that I can help you better.

    Then run this scan regardless of whether ComboFix is successful or not.

    Please download OTL by OldTimer.

    • Save it to your desktop.
    • Right mouse click on the OTL icon on your desktop and select Run as Administrator
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the "Custom Scans/Fixes" text-field.
      Code:
      activex
      netsvcs
      /md5start
      afd.sys
      ComboFix.exe
      i8042prt.sys
      netbt.sys
      nsiproxy.sys
      svchost.exe
      tcpip.sys
      tdx.sys
      /md5stop
      %windir%\$ntuninstallkb*. /120
      %windir%\system32\drivers\*.sys /lockedfiles
      
    • Now click the Run Scan button.
    • One report will be created:
      • OTL.txt <-- Will be opened
    • Attach OTL.txt to your next message.
     
    Last edited: May 23, 2012
  10. dislocatedkarma

    dislocatedkarma Private E-2

    Alright,
    Combofix still will not run...
    I did run OTL. Attached are the two logs it generated.
    Also, I can no longer locate the infected files. The folder that contained them is now "different" than before. Oh well...
     

    Attached Files:

  11. thisisu

    thisisu Malware Consultant

    You have to give me more details on what ComboFix does other than "Combofix still will not run...".
    This doesn't help me at all to help you. But as I said earlier, your logs are pretty clean so I do not think we will need ComboFix for the remainder of this.
    This next fix can run from Normal Mode (preferably) or Safe Mode with Networking.

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the "Custom Scans/Fixes" text-field.
    Code:
    :otl
    IE:64bit: - HKLM\..\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}: "URL" = http://search.ask.com/web?q={searchTerms}&l=dis&o=HPNTDF
    IE - HKLM\..\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}: "URL" = http://search.ask.com/web?q={searchTerms}&l=dis&o=HPNTDF
    IE - HKU\S-1-5-21-1088924568-2233380376-3065605376-1001\..\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}: "URL" = http://search.ask.com/web?q={searchTerms}&l=dis&o=HPNTDF
    O2:64bit: - BHO: (AVG Do Not Track) - {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - C:\Program Files (x86)\AVG\AVG2012\avgdtiea.dll File not found
    O2:64bit: - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
    O2 - BHO: (AVG Do Not Track) - {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll File not found
    O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
    [2012/05/22 10:24:42 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Free Window Registry Repair
    [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
    [2012/05/13 15:49:02 | 000,034,936 | ---- | M] () -- C:\Windows\SysWow64\uninstHelixYUV.exe
    O9 - Extra Button: AVG Do Not Track - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll File not found
    @Alternate Data Stream - 261 bytes -> C:\ProgramData\Temp:A5C00DEE
    @Alternate Data Stream - 167 bytes -> C:\ProgramData\Temp:58A5270D
    :files
    C:\32788R22FWJFW /d
    C:\Users\Dislocated Karma\Desktop\ComboFix.exe /d
    C:\Windows\assembly\GAC_32\Desktop.ini
    C:\Windows\assembly\GAC_64\Desktop.ini
    c:\windows\system64 /d
    C:\Users\Dislocated Karma\AppData\Roaming\Imgburn.exe /d
    C:\Users\Dislocated Karma\AppData\Roaming\yuvcodecs-1.3.exe /d
    dir "C:\Users\Dislocated Karma\AppData\Roaming\StageManager.BD092818F67280F4B42B04877600987F0111B594.1" /c
    dir C:\ProgramData\{93E26451-CD9A-43A5-A2FA-C42392EA4001} /c
    dir C:\ProgramData\{A8DA1505-E615-42BB-BB77-74D5CC91FE7E} /c
    C:\ProgramData\AVG2012 /d
    C:\Windows\TEMP\avginfo.id /d
    C:\Program.exe /d
    netsh winsock reset /c
    :commands
    [clearallrestorepoints]
    [emptytemp]
    
    Now click the Run Fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message.

    Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message.

    Let me know how the system is running after you have completed these steps.
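The same clean-up that the :files and :commands sections of the OTL fix above perform, done with built-in Windows tools so the steps are visible. This is an added example, not OTL's own code and not something posted in the thread. It assumes an elevated PowerShell 3.0 or later prompt and uses exactly the paths from the fix; removing a named stream from a directory with Remove-Item -Stream is this script's assumption (noted in the code), with the enumeration done through cmd's "dir /r" which is known to list streams on directories.

```powershell
# Added example (not OTL's code and not from the thread). Run as Administrator, ideally in
# Safe Mode. Paths are those listed in the post #11 fix; review them before running.

$files = @(
    'C:\Windows\assembly\GAC_32\Desktop.ini',
    'C:\Windows\assembly\GAC_64\Desktop.ini',
    'C:\Users\Dislocated Karma\AppData\Roaming\Imgburn.exe',
    'C:\Users\Dislocated Karma\AppData\Roaming\yuvcodecs-1.3.exe',
    'C:\Windows\TEMP\avginfo.id',
    'C:\Program.exe'
)
$dirs = @(
    'C:\32788R22FWJFW',        # ComboFix's own working folder, left behind when it never ran
    'C:\Windows\system64',     # not a real Windows folder
    'C:\ProgramData\AVG2012'
)
$adsHost = 'C:\ProgramData\Temp'   # the fix lists two named streams on this folder

function Remove-Hardened {
    param([Parameter(Mandatory)][string]$Path, [switch]$Directory)
    if (-not (Test-Path -LiteralPath $Path)) { Write-Host "[skip] $Path not present"; return }
    # 1. Take ownership and grant Administrators full control: a deny ACE or a foreign owner
    #    is the usual reason a file like this "will not delete".
    # 2. Clear the system/hidden/read-only attributes so Remove-Item -Force is enough.
    if ($Directory) {
        & takeown.exe /F $Path /A /R /D Y | Out-Null
        & icacls.exe  $Path /grant 'Administrators:F' /T /C /Q | Out-Null
        & attrib.exe  -S -H -R $Path /S /D
    } else {
        & takeown.exe /F $Path /A | Out-Null
        & icacls.exe  $Path /grant 'Administrators:F' /C /Q | Out-Null
        & attrib.exe  -S -H -R $Path
    }
    # 3. Delete, then verify. If it is still there something is still protecting it
    #    (retry from Safe Mode or an offline boot); never assume the delete worked.
    Remove-Item -LiteralPath $Path -Force -Recurse:$Directory -ErrorAction SilentlyContinue
    if (Test-Path -LiteralPath $Path) { Write-Host "[!]  $Path still present" }
    else                              { Write-Host "[ok] removed $Path" }
}

function Remove-DirectoryStreams {
    param([Parameter(Mandatory)][string]$Dir)
    if (-not (Test-Path -LiteralPath $Dir)) { return }
    # Enumerate with cmd's "dir /r", which lists named streams on directories as well as
    # files; stream lines look like "   261 Temp:A5C00DEE:$DATA". Deleting a directory's
    # stream with Remove-Item -Stream is this script's assumption; if it errors, the
    # Sysinternals "streams -d" tool is the fallback.
    $name   = Split-Path -Leaf $Dir
    $parent = Split-Path -Parent $Dir
    & cmd.exe /c dir /r $parent 2>$null | ForEach-Object {
        if ($_ -match ('^\s*([\d,]+)\s+' + [regex]::Escape($name) + ':(.+?):\$DATA\s*$')) {
            $stream = $Matches[2]
            Write-Host "[ads] ${Dir}:$stream ($($Matches[1]) bytes)"
            Remove-Item -LiteralPath $Dir -Stream $stream -Force -ErrorAction Continue
        }
    }
}

foreach ($f in $files) { Remove-Hardened -Path $f }
foreach ($d in $dirs)  { Remove-Hardened -Path $d -Directory }
Remove-DirectoryStreams -Dir $adsHost

# Equivalent of "netsh winsock reset /c" in the fix, plus a DNS cache flush; both take
# effect after a reboot.
& netsh.exe winsock reset
& ipconfig.exe /flushdns
Write-Host 'Reboot now, then re-run your checks.'
```

The fix's [clearallrestorepoints] is deliberately left out: deleting every shadow copy removes your only rollback, so do it last and only once the system has stayed clean.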
     
  12. dislocatedkarma

    dislocatedkarma Private E-2

    WOW!
    The last OTL fix you gave me seemed to work!
    I have been on the internet for close to an hour now with no pop ups!
    Thanks so much!!!!
    As for not being clear on Combofix, sorry. Literally all that would happen is I would click the I agree button, the load screen would appear. The problem was when it hit the end of the load screen it would go away and nothing more would happen.
    That's kind of why I couldn't be more specific. Literally nothing would happen.
    Thanks again for all the help. I'll keep my fingers crossed that it is gone for good!
     
  13. thisisu

    thisisu Malware Consultant

    Great! Can you attach the log so I can review?
     
  14. dislocatedkarma

    dislocatedkarma Private E-2

    Ok,
    Here is the latest scan log from OTL.
    I'm crossing my fingers.
    Thanks a bunch!
     

    Attached Files: OTL.Txt (145.5 KB)
  15. thisisu

    thisisu Malware Consultant

    Hi,

    Actually I need the log in this folder: C:\_OTL\MovedFiles

    as well as MGlogs.zip

    Re-read the instructions in post #11 so you know how to obtain them.
     
  16. dislocatedkarma

    dislocatedkarma Private E-2

    Oops!
    I spoke too soon.
    So, in the READ and RUN ME, it talked about removing AVG, as did you. I had it removed, but reinstalled it when my laptop seemed safe. Five minutes ago, guess what it detected? GAC_32\Desktop.ini.
    The weird thing is that my laptop is not acting like it did before. I am getting no pop ups or anything. Oh well....
    So anyway, here are the correct logs.
    Here we go again.
     

    Attached Files:

  17. thisisu

    thisisu Malware Consultant

    TDSSKiller updated to version 2.7.37.0
    Scan with the latest version and attach the new log.

    __

    1. Please download HitmanPro.
    • 32-bit operating system: download link (with a mirror).
    • 64-bit operating system: download link (with a mirror).
    2. Launch the program by double-clicking on the HitmanPro icon. (Windows Vista/7 users right click on the HitmanPro icon and select run as administrator).

    3.Click on the next button. You must agree with the terms of EULA.

    4.Check the box beside "No, I only want to perform a one-time scan to check this computer".

    5.Click on the next button.

    6.The program will start to scan the computer. The scan will typically take no more than 2-3 minutes.

    7.When the scan is done right click on the found entries (if any) and choose - Apply to all => Ignore <= IMPORTANT!!!

    8.Click on the next button.

    9.Click on the "Export scan results to XML file".

    10.Save that file to your desktop and zip and attach it in your next reply.
     
