Avast and all av knock out

Infected 20Mar, still having problems
Unrecognised virus-type scanner appeared on screen and scanned, no visible i/d. Pulled webcon and shutdown.
MSEventViewer>Security 21Mar’10 04:23 onwards lists lots of System Events and Policy Changes.

Next startup: no security progs would update (said no con to web) and no con to IE7.
But Firefox/T’bird were ok so got to Avast & MBAM sites … said check my IE Conns settings,
found changed (autodetect was Off, Use Proxy Svr was On) - reversed these …
access to IE7 and MBAM,SASpyware, Avast updating restored.

Scanned with updated MBAM immediately after event
found:
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) → Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mxccylog (Trojan.FakeAlert.Gen) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mxccylog (Trojan.FakeAlert.Gen) → Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I’ve since scanned (incl in SafeMode) with Avast, MBAM, SASpyware, Sophos, BitdefenderQuickscan, Housecall,
Stinger. All report clear. But …

On restarts, IE LAN settings are sometimes still off.
I still can’t open some files eg

  • my saved anti-spyware and anti-virus downloaded files
  • the ones stored on memory stick either
    They both just blank (with no message)

Seems that something has targeted and reset all my A/S and A/V files and programmes … ??

Followed yr recomms per Essexboy and LogstoAssist …

Posting all now, incl OHT

Wondering where I go from here?

Hi give this a whirl and let me know what problems remain

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555
[2010/03/23 17:03:44 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\John Gray\Application Data\Mozilla\Firefox\Profiles\gnupcutf.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}
O2 - BHO: (no name) - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - No CLSID value found.
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
O2 - BHO: (no name) - {56071E0D-C61B-11D3-B41C-00E02927A304} - No CLSID value found.
O2 - BHO: (no name) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - No CLSID value found.
O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O2 - BHO: (no name) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - No CLSID value found.
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} Reg Error: Value error. (Reg Error: Value error.)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} Reg Error: Value error. (Reg Error: Value error.)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} Reg Error: Value error. (Installation Support)
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} Reg Error: Value error. (Reg Error: Value error.)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} Reg Error: Value error. (MUWebControl Class)
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} Reg Error: Value error. (Reg Error: Value error.)
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} Reg Error: Value error. (Reg Error: Value error.)
O16 - DPF: {CA6F0A67-18BB-4E39-BB8A-A1E04D6AACDF} Reg Error: Value error. (Reg Error: Value error.)
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Value error.)
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Value error.)
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} Reg Error: Value error. (QDiagHUpdateObj Class)
O20 - Winlogon\Notify\avgrsstarter: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O28 - HKLM ShellExecuteHooks: {4F07DA45-8170-4859-9B5F-037EF2970034} - Reg Error: Key error. File not found
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - Reg Error: Key error. File not found

:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Go to Control Panel and select Internet Options
Select the Connections TAB
Select LAN settings button
Ensure there is no tick in the Proxy Server box
Select OK and restart Internet explorer

And for Firefox there are instructions on this page and you want the setting to be no proxy
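The OTL fix above removes a per-user IE proxy entry pointing at a loopback port, two Internet Explorer policy keys and the leftover autorun values. As an added example (not code from the thread, from OTL or from Avast), the PowerShell script below performs a read-only audit of those same locations so that the settings can be re-checked after each reboot without editing anything: it reports the WinINet proxy values, lists the IE policy keys if present, and prints every HKLM/HKCU Run entry with its command line. It assumes it is run on the affected machine as the affected user; the "loopback proxy" and "command launched from a temp or profile folder" heuristics are my own triage hints, not part of OTL.

```powershell
# Added example: read-only audit of the IE proxy, IE policy and Run-key
# locations touched by the fix in this thread. Reports findings; changes nothing.
# Assumption: run on the affected machine, in the affected user's session.

$findings = @()

# 1. Per-user IE (WinINet) proxy configuration. A rogue that wants to block
#    security-site traffic commonly enables a proxy on a local port.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$p = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue
if ($p -and $p.ProxyEnable -eq 1) {
    $findings += "ProxyEnable=1 with ProxyServer='$($p.ProxyServer)'"
    if ($p.ProxyServer -match '127\.0\.0\.1|localhost') {
        $findings += "Proxy points at loopback (triage heuristic): review, a real corporate proxy is rarely local"
    }
}
if ($p -and $p.AutoConfigURL) { $findings += "AutoConfigURL set: $($p.AutoConfigURL)" }

# 2. IE policy keys. On a home PC these are normally absent; a rogue can use
#    them to lock the user out of Internet Options.
foreach ($k in 'Control Panel', 'Restrictions') {
    $path = "HKCU:\Software\Policies\Microsoft\Internet Explorer\$k"
    if (Test-Path $path) {
        $vals = (Get-ItemProperty $path).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |
            ForEach-Object { "$($_.Name)=$($_.Value)" }
        $findings += "Policy key present: $path [$($vals -join '; ')]"
    }
}

# 3. Run keys in both hives, so a reviewer can spot random names like the
#    'mxccylog' value MBAM removed earlier in this thread.
foreach ($hive in 'HKLM', 'HKCU') {
    $run = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    if (Test-Path $run) {
        (Get-ItemProperty $run).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |
            ForEach-Object {
                $cmd = [string]$_.Value
                # Triage heuristic (mine): autoruns launched from temp or profile
                # folders deserve a second look.
                $flag = if ($cmd -match 'Temp|Application Data|AppData|Local Settings') { '  <-- review' } else { '' }
                $findings += "$hive Run: $($_.Name) = $cmd$flag"
            }
    }
}

if ($findings.Count -eq 0) { 'No proxy, IE policy or Run-key findings.' }
else { $findings | ForEach-Object { Write-Output $_ } }
```

Run it once before the OTL fix and again after the reboot; the second run should show no loopback proxy, no policy keys and only Run entries you recognise. Because it only reads, it is safe to repeat whenever the LAN settings appear to have reverted.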

Hi and many thanks.

I followed all your steps with OTL, the Quick Scan log is attached. Still seem to be some registry
problems mentioned in it?

Then I checked Internet Options LAN settings; found no tick in the Proxy Server box - ok.
Internet Explorer is working.
Thunderbird setting found as no proxy.

Laptop performing better now, generally quicker, and I can update my security programmes.

Hi you appear to have saved the log as Unicode rather than Ansi - it is rather garbled

Ok. Hope this one is better.

OK one final run to confirm all is gone. Also I would be very careful using this Advanced SystemCare 3 as it can cause more problems than it solves

Please download Malwarebytes’ Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select “Perform Quick Scan”, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Ok. New MBAM downloaded, updated and run. No mals detected.
Here’s the log:

Malwarebytes’ Anti-Malware 1.44
Database version: 3914
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

25/03/2010 22:38:14
mbam-log-2010-03-25 (22-38-14).txt

Scan type: Quick Scan
Objects scanned: 132293
Time elapsed: 9 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Questions:
Have noted comment about ASC3, is it better to not use its Registry clean tool or to not use ASC3 at all?

If my comp is now clear, should I make a new Restore Point then purge all previous RPs?

Should I do a “Spring Clean”, as I have seen it mentioned in other posts in these forums?

Very many thanks for all your help.
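Two MBAM logs appear in this thread, one with three detections and one clean. As an added example (not code from the thread or from Malwarebytes), the PowerShell function below parses that log format: it reads the "<category> Infected: <n>" summary lines, extracts each detail line into location, detection family and action taken, and flags any item whose action is not a successful quarantine so the helper knows a reboot or manual step is still pending. The sample input is a constructed copy of the first log posted above, trimmed to the relevant lines; the regular expressions are mine and assume the 1.44-era log layout shown on this page.

```powershell
# Added example: summarise a Malwarebytes' Anti-Malware log of the layout
# shown in this thread. Constructed sample = trimmed copy of the first log posted.
$sampleLog = @'
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mxccylog (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mxccylog (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
'@

function Get-MbamSummary {
    param([string[]]$Lines)
    $counts = @{}
    $items  = @()
    foreach ($line in $Lines) {
        # Summary line: "<Category> Infected: <n>"
        if ($line -match '^(?<cat>.+ Infected): (?<n>\d+)\s*$') {
            $counts[$Matches.cat] = [int]$Matches.n
        }
        # Detail line: "<location> (<family>) -> <action>"; MBAM writes either
        # "->" or a Unicode arrow depending on how the log was saved (Unicode vs ANSI).
        elseif ($line -match '^(?<loc>.+?) \((?<fam>[^)]+)\) (->|\u2192) (?<act>.+)$') {
            $items += [pscustomobject]@{
                Location = $Matches.loc
                Family   = $Matches.fam
                Action   = $Matches.act.Trim()
                Handled  = $Matches.act -like 'Quarantined and deleted successfully*'
            }
        }
    }
    [pscustomobject]@{
        TotalHits = ($counts.Values | Measure-Object -Sum).Sum
        Counts    = $counts
        Items     = $items
        Unhandled = @($items | Where-Object { -not $_.Handled })
    }
}

$s = Get-MbamSummary -Lines ($sampleLog -split "`r?`n")
"Total detections: $($s.TotalHits)"            # 3 for the sample above
$s.Items | Format-Table Family, Action, Location -AutoSize
if ($s.Unhandled.Count -gt 0) {
    "Items still needing follow-up (e.g. delete on reboot): $($s.Unhandled.Count)"
}
```

To use it on a real log, replace the here-string with `Get-Content 'mbam-log-....txt'` (the file name MBAM prints in its header). A log that parses to zero total hits, like the second one in this thread, is the "clean" result the helper is looking for; any item with Handled = False is the one to ask about before declaring the machine clear.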

AS3 has been known to remove valid registry keys, disable required services etc…

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean

A good workman always cleans up after himself so… Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via control panel add/remove along with ERUNT. But they may be useful tools to keep

We will now confirm that your hidden files are set to that, as some of the tools I use will change that

  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.

XP
Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:

  • Select Start > All Programs > Accessories > System tools > System Restore.
  • On the dialogue box that appears select Create a Restore Point
  • Click NEXT
  • Enter a name e.g. Clean
  • Click CREATE

You now have a clean restore point, to get rid of the bad ones:

  • Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  • In the Drop down box that appears select your main drive e.g. C
  • Click OK
  • The System will do some calculation and then display a dialogue box with TABS
  • Select the More Options Tab.
  • At the bottom will be a system restore box with a CLEANUP button, click this
  • Accept the Warning and select OK again, the program will close and you are done

SPRING CLEAN

Download TFC to your desktop

  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job
  • Once it's finished it should reboot your machine, if not, do this yourself to ensure a complete clean

THEN

Download Flush Flash from Here and follow the easy to use instructions on the same page

NEXT

Download and run Puran Disc Defragmenter

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • Malwarebytes. Run weekly to keep your system clean

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit
  • Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe

All cleanups and other recommendations done. Comp is working
really well now, much more responsive too.

Very many thanks again for your excellent help.

My pleasure - keep safe