Avast boot scan not running from Safemode reboot, nothing works! OTS log posted.

Hi,

I am running xp on a laptop, suspect trojan infection. In normal mode I see a red box on the bottom with a pop up “your computer might be at risk”. I did not have this before, and none of my programs are working. Every time I try to run Avast or MBAM or any program I get a gray box popping up saying “choose the program you want to use to open the file” , and the program is not in the list.

I restarted, went into safe mode as Admin, where I was able to run my programs. Avast did not find anything, but I scheduled a boot time scan and rebooted. The Avast boot scan did not run. I have MBAM installed and on 2 successive runs it showed 4 registry items infected needing reboot. I can upload a log, but on the last run MBAM did not find anything.

Still in safe mode, I went into the control panel, where I cannot start the windows firewall/Internet Connection Service (ICS) service. I even tried to do a system restore prior to the infection, but it was no use.

I think my system has been hijacked! Please help. I have uploaded the OTS log file. Thank you.

Essexboy is notified, he will review you log when he arrives here later today

if you have a Malwarebytes log with detected malware in, post it

Hi there - there are a lot of AVG 9 remanants on your system. I will remove them as well as the malware I can see. On completion of this run can you let me know what problems remain

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

[Unregister Dlls]
[Processes - Safe List]
YY -> avgchsvx.exe -> C:\Program Files\AVG\AVG9\avgchsvx.exe
[Win32 Services - Safe List]
YY -> (AVG Security Toolbar Service) AVG Security Toolbar Service [On_Demand | Stopped] -> C:\Program Files\AVG\AVG9\Toolbar\ToolbarBroker.exe
YY -> (avg9emc) AVG Free E-mail Scanner [Auto | Stopped] -> C:\Program Files\AVG\AVG9\avgemc.exe
YY -> (avg9wd) AVG Free WatchDog [Auto | Stopped] -> C:\Program Files\AVG\AVG9\avgwdsvc.exe
[Driver Services - Safe List]
YY -> (AvgTdiX) AVG Free8 Network Redirector [Kernel | System | Stopped] -> C:\WINDOWS\System32\Drivers\avgtdix.sys
YY -> (AvgLdx86) AVG Free AVI Loader Driver x86 [Kernel | System | Stopped] -> C:\WINDOWS\System32\Drivers\avgldx86.sys
YY -> (AvgMfx86) AVG Free On-access Scanner Minifilter Driver x86 [File_System | System | Stopped] -> C:\WINDOWS\System32\Drivers\avgmfx86.sys
[Registry - Safe List]
< Internet Explorer Settings [HKEY_USERS\.DEFAULT\] > -> 
YY -> HKEY_USERS\.DEFAULT\: URLSearchHooks\\"{A3BC75A2-1F87-4686-AA43-5347D756017C}" [HKLM] -> C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll [AVG Security Toolbar BHO]
< Internet Explorer Settings [HKEY_USERS\S-1-5-18\] > -> 
YY -> HKEY_USERS\S-1-5-18\: URLSearchHooks\\"{A3BC75A2-1F87-4686-AA43-5347D756017C}" [HKLM] -> C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll [AVG Security Toolbar BHO]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} [HKLM] -> C:\Program Files\AVG\AVG9\avgssie.dll [AVG Safe Search]
YN -> {3CE34EFC-D093-4626-97D6-E3682ECC5A72} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> {6EE09159-4133-460A-A410-2F8A02559ED4} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YY -> {A3BC75A2-1F87-4686-AA43-5347D756017C} [HKLM] -> C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll [AVG Security Toolbar BHO]
YN -> {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> {EECEE87C-E612-4B88-BD27-934C9B47B846} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YY -> "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}" [HKLM] -> C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll [AVG Security Toolbar]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "AVG9_TRAY" -> C:\Program Files\AVG\AVG9\avgtray.exe [C:\PROGRA~1\AVG\AVG9\avgtray.exe]
< RunOnce [HKEY_USERS\S-1-5-21-2993078827-757225962-2738381258-500\] > -> HKEY_USERS\S-1-5-21-2993078827-757225962-2738381258-500\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
YY -> "avg_spchecker" -> C:\Program Files\AVG\AVG9\Notification\SPChecker1.exe ["C:\Program Files\AVG\AVG9\Notification\SPChecker1.exe" /start]
< Internet Explorer Extensions [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] -> [Reg Error: Value error.]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] -> [Reg Error: Value error.]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-21-2993078827-757225962-2738381258-500\] > -> HKEY_USERS\S-1-5-21-2993078827-757225962-2738381258-500\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] -> [Reg Error: Value error.]
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
YY -> avgrsstarter -> C:\WINDOWS\System32\avgrsstx.dll
YN -> TPSvc -> 
< LSA Authentication Packages [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
*LSA Authentication Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
YN -> C:\WINDOWS\system32\xxyxWOHX -> 
< LSA Authentication Packages [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YN -> "C:\Documents and Settings\Levent Canyas\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe" -> [C:\Documents and Settings\Levent Canyas\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe:*:Disabled:Octoshape add-in for Adobe Flash Player]
YN -> "C:\Program Files\AVG\AVG8\avgnsx.exe" -> [C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe]
YN -> "C:\Program Files\AVG\AVG8\avgupd.exe" -> [C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe]
YY -> "C:\Program Files\AVG\AVG9\avgemc.exe" -> C:\Program Files\AVG\AVG9\avgemc.exe [C:\Program Files\AVG\AVG9\avgemc.exe:*:Enabled:avgemc.exe]
YY -> "C:\Program Files\AVG\AVG9\avgnsx.exe" -> C:\Program Files\AVG\AVG9\avgnsx.exe [C:\Program Files\AVG\AVG9\avgnsx.exe:*:Enabled:avgnsx.exe]
YY -> "C:\Program Files\AVG\AVG9\avgupd.exe" -> C:\Program Files\AVG\AVG9\avgupd.exe [C:\Program Files\AVG\AVG9\avgupd.exe:*:Enabled:avgupd.exe]
[Files/Folders - Modified Within 30 Days]
NY ->  Launch Internet Explorer Browser.lnk -> C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
NY ->  zssjpoue.job -> C:\WINDOWS\tasks\zssjpoue.job
NY ->  null -> C:\WINDOWS\System32\null
NY ->  ueu4ue45lg20w7c4ddf -> C:\Documents and Settings\All Users\Application Data\ueu4ue45lg20w7c4ddf
NY ->  avgtdix.sys -> C:\WINDOWS\System32\drivers\avgtdix.sys
[Files - No Company Name]
NY ->  ueu4ue45lg20w7c4ddf -> C:\Documents and Settings\All Users\Application Data\ueu4ue45lg20w7c4ddf
[File - Lop Check]
NY ->  AVG Security Toolbar -> C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
NY ->  avg9 -> C:\Documents and Settings\All Users\Application Data\avg9
NY ->  zssjpoue.job -> C:\WINDOWS\Tasks\zssjpoue.job
[Custom Items]
:Files
ipconfig /flushdns /c
C:\Program Files\AVG
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
  

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here

I will review the information when it comes back in.

I ran the fix but before I ran it though I noticed that in my add/remove programs that it was showing AVG installed still, so I ran an uninstall before I ran the fix.

On another note I tried a couple of other things. While I was in safe mode as admin I created a 2nd admin account and when I rebooted normally I went into that account, where I was able to reactivate windows firewall. This still had no effect on the main log on that was having issues.

I will check things out and update again on my end soon. Thanks again.

I logged back in normal mode, still had the same problems.
I logged into a 2nd admin and from normal mode was able to reboot into an Avast bootscan, which found 3 viruses which were moved to the chest.
Then I tried the main account and same errors, so I went into safe mode.

In safe mode it seems that I cannot enable MBAM protection and cannot start the avast file system shields. I keep getting error messages, like “shield unreachable”. Not sure what else to try so I am going to try another boot scan and see what comes up.

Btw must I be in safe mode when I run the fix?

From the affected logon could you go to this MS site and run the fixit there, let me know the result please
http://support.microsoft.com/mats/windows_firewall_diagnostic/en-us

ok I tried to do like you asked but I cannot run IE from the affected log on, even in safe mode. I went into the 2nd log on and was able to run it, said no problems were detected.
I am thinking to install a new browser and see if I can use that to access that website on the affected log on and try to do the fix. I will update if I make any progress. Thank you.

Btw I noticed windows update is not working. I tried to go to the site and it crashes on me or gives me a connection error after I click on windows update from the main windows site, yet I can still surf other sites.

Ok lets use CF now

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

[*]Double click on ComboFix.exe & follow the prompts.

[*]As part of it’s process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it’s malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Ok I downloaded the file to the desktop and ran. I must mention one thing though. I had to do this from the newest account. In the infected account I cannot run anything.

I even tried to save a copy of CF into a shared folder, which I then accessed from the infected account. I pasted it onto the desktop and when I tried to run it I got the same gray box popping up asking me to pick the program to open from a list, so I had to go back into the newest account to actually run it.

I did have to download the recover console, and I have included the log from the scan.

From the infected account could you do the following please

Download RogueKiller to your desktop

[]Quit all running programs
[
]For Vista/Seven, right click → run as administrator, for XP simply run RogueKiller.exe
[]When prompted, type 1 and validate
[
]The RKreport.txt shall be generated next to the executable.
[*]If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe

Please post the contents of the RKreport.txt in your next Reply.

Then run OTS from that account

I downloaded Roguekiller onto a jump drive since I cannot get any programs to work from the infected account. I used the jump drive to save a copy to the desk top of the infected account.

When I tried to open the program by double clicking my desktop icon for roguekiller I get the same pop up asking me to choose the program to open the file. I am using XP, so I tried to use the run command, but I get a pop up saying windows cannot find roguekiller.exe.

I opened task manager and it seems that no programs are running. I suspect some running processes are still malware, but I cannot tell which.

I would try this in safe mode, but since I have installed the windows recovery console I cannot do this anymore, is that normal?

OK lets try to cure the windows update access problem, also did you rename RogueKiller to winlogon ?

[*]To open a command prompt, click Start > All Programs > Accessories and then click command prompt
[*]Copy and paste (or type) the following command in the command box box and then press ENTER:
netsh winsock reset c:\resetlog.txt
[*]Reboot the computer.
[*]In next reply please post content of the file c:\resetlog.txt

Also let me know whether rogue killer worked when renamed

Hello, I renamed roguekiller to winlogon but when I double click I get the open with pop up box asking me what program I want to use to open winlogon.exe. Similarly when I tried the run command I got the same box asking me what program to open netsh.exe with.

I was able to run windows update from the newly created account on the computer. Seems like the trojan is only affecting the one account that I cannot run any .exe on. I no longer am getting the message about automatic updates being turned off.

From the infected account rename OTS.exe to OTS.scr and then see if it will run

I tried to rename it to ots.scr from the infected account, but then when I double clicked I get the same Open With pop up asking me how to open Ots.scr.exe.

Is there anything important on that login that you need to keep ?

I have some data on there I would like to keep. I have not been using the affected log on but I still have access to the files from the new account.

After rereading your previous posts I went ahead and ran the roguekiller from the account that is actually working, and posted the RK report below.

I then went ahead and ran OTS from the same account and attached the log.

I am running MBAM and avast scans and may run a boot scan before attempting to log back into the intial problem account, will update any results. Thank you.

RogueKiller V5.2.2 [06/05/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRKgmailcom
Feedback: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Hey You [Admin rights]
Mode: Scan – Date : 06/05/2011 16:14:32

Bad processes: 1
[SUSP PATH] stsystra.exe – c:\windows\stsystra.exe → KILLED

Registry Entries: 1
[HJ] HKLM[…]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) → FOUND

HOSTS File:
127.0.0.1 localhost

Finished : << RKreport[1].txt >>
RKreport[1].txt

OTS has confirmed that the registry hives for that user are corrupt. All you can do now is save what data you can and then delete the user - sorry

Ok I am sad to hear this but I am concerned still though about malware on this cpu. Avast does not autoload on the working log on.

I just finished a boot scan and it found 2 trojans - JS:Downloader-AQO and WIN32:FakeAlert-NO. I was able to send the javascript downloader to the chest, but I could not send the win32 trojan to the chest.

When I tried to sent the Win32 to the chest or repair it I got an error message saying the disk was full (?!) then when I tried to delete it I got a messasge saying file cannot be opened because share access flags are incompatible, so my only choice was to choose ignore.

I started avast after logging back on and looked at the scan result. Now it is telling me that the process cannot access the file because it is being used by another process.

I don’t know how else to get rid of that win32:FakeAlert if I cannot remove it with the bootscan and I am hesitant to try a data backup with the infection lurking.

Thanks again for your help.