Hi, I´m new in this forum.
I´m looking for help.

I´ve made this post trying to follow this guideline
http://forum.avast.com/index.php?topic=14433.0

1. How was it detected? What was scanning, you yourself or the back-ground scanner?
   Did the message come from the avast Network Shield or Webshield or were you alerted via an avast Webreputation alert ? When did the message occur on a download, unzipping, opening a file, mail or mail-attachment, etc.
   A capture of the message screen as image can be helpful or what the message says and
   where the suspicious file was detected.

It´s not my machine, it´s from a relative.
Were detected on a in depth scan and in a start-scan. Both were made because the pc started to get slow.
Btw, avast is running on this machine from like three yearsago.
When MS Windows starts, it gets automatically disabled. It can be enabled by clicking on the icon, but always starts disabled, (when the icon is with the little cross)

At the momen what I have done was

• An avast start scan (log included)
• An avast deep scan (log included)
  the infected files were moved to the vault chest

then I did what is said in
http://forum.avast.com/index.php?topic=53253.0

• AdwCleaner (log included)

• Malwarebytes’ Anti-Malware (log included)

• OTL (logs included)

• aswMBR.exe (log included)

---- all logs are in ANSI format ----

2. What was the source of the file, where did the file come from?.: e.g. address, URL, source.

Don´t know. Many relatives, included childrens, use this pc.

3. When was it downloaded or received?
   Don´t know

4. What is the exact file name with extension.
   Don´t know. I´ll put all the logs requested.

5. What was the exact wording of the message that the AV program came up with? This is important for later. Right click the asvast ball and left-click show last pop-up message!
   No message. Avast, like I said befor, starts disabled.

6. Now go back and do nothing yet. Scan the particular file once again with your AV product.
   A. The message is in the same wording: maybe positive alert
   B. If the message is not in the same wording or the scan does not find up anything this could be a false positive.

7. Check with an on line scanner or update to Virustotal for a second opinion. VT resides at http://www.virustotal.com/index.html
   You can do an URL scan or file-scan. Also give the MD5 hash that is given further down the scan result page under additional information. This can help to identify the malware file.
   Other scan results can be found for a suspicious URL or link at: http://vscan.urlvoid.com/file/
   for filescans alternative scanners are: VirSCAN http://virscan.org/
   Metascan http://www.metascan-online.com/
   or you can ask on the forums to have the URL or link in question scanned with
   various scanners. A FP is more likely if the file is only flagged by avast and GData.

There are many infected files, I did VirScan with modpro.exe

SHA256: 986c96564b89aca045e31a84cd3ccd30eeeb1b7d4819aa2b5f9bcd99f8b16c8d
SHA1: 18fa5d8c42efe1288b64dbc977f35535a07b6864
MD5: e1340af626080c1a697a09affa16c464
File size: 385.0 KB ( 394240 bytes )
File name: modpro.exe
File type: Win32 EXE
Detection ratio: 34 / 46
Analysis date: 2013-03-05 17:06:41 UTC ( 0 minutes ago )
0
1
Less details

Analysis
Additional information
Comments
Votes

Antivirus Result Update
Agnitum Trojan.PWS.Delf!BmlovFadupE 20130305
AhnLab-V3 Trojan/Win32.Delf 20130305
AntiVir - 20130305
Antiy-AVL Trojan/Win32.Delf.gen 20130305
Avast Win32:Rootkit-gen [Rtk] 20130305
AVG Generic26.BDPJ 20130305
BitDefender Trojan.Generic.7150917 20130305
ByteHero - 20130304
CAT-QuickHeal - 20130305
ClamAV - 20130305
Commtouch W32/Trojan.PNPF-7705 20130305
Comodo UnclassifiedMalware 20130305
DrWeb Trojan.PWS.Banker.63539 20130305
Emsisoft Trojan.Generic.7150917 (B) 20130305
eSafe - 20130211
ESET-NOD32 Win32/Spy.Banker.XCC 20130305
F-Prot - 20130305
F-Secure Trojan.Generic.7150917 20130305
Fortinet W32/Delf.XF!tr 20130305
GData Trojan.Generic.7150917 20130305
Ikarus Trojan-Banker.Win32.Delf 20130305
Jiangmin Trojan/Banker.Delf.wh 20130304
K7AntiVirus Trojan 20130305
Kaspersky Trojan-Banker.Win32.Delf.xf 20130305
Kingsoft Win32.Malware.Heur_Generic.A.(kcloud) 20130304
Malwarebytes - 20130305
McAfee PWS-Banker.gen.fj.a 20130305
McAfee-GW-Edition PWS-Banker.gen.fj.a 20130305
Microsoft - 20130305
MicroWorld-eScan Trojan.Generic.7150917 20130305
NANO-Antivirus Trojan.Win32.Banker.ntjlv 20130305
Norman Suspicious_Gen5.AAOO 20130305
nProtect Trojan/W32.Agent.394240.EA 20130305
Panda - 20130305
PCTools - 20130305
Rising - 20130305
Sophos Mal/Generic-L 20130305
SUPERAntiSpyware - 20130305
Symantec WS.Reputation.1 20130305
TheHacker Trojan/Delf.xd 20130305
TotalDefense Win32/DfSpy.CD 20130305
TrendMicro TROJ_AGENTT.AAF 20130305
TrendMicro-HouseCall TROJ_AGENTT.AAF 20130305
VBA32 TrojanBanker.Delf.xr 20130305
VIPRE Trojan.Win32.Generic!BT 20130305
ViRobot Trojan.Win32.A.Delf.394240.C 20130305

8. Go get informed ask a Virus Encyclopedia or Virus Central. Remember Google is your best friend, also put a question on a forum.

9. Make an informed decision on the basis of what you have found.

10. Inform others about what you have learned, if the file came from a reliable source, author, programmer etc. send a friendly e-mail with your findings. Also send a mail to virus AT avast dot com. If you send a suspicious file there for detection password zip this as an attachment and put the password in the mail. This will help us all and in case of a non-detect avast will add it to avast detection or in the case of a false positive remove that with a next virus update.

Waiting for help, thanks.

here are the rest of the logs (total: 7)

hey thank you for attaching the necessary logs a malware expert will help you from here

Hi there, you have a few services disabled, so we will look at fixing those as well as clearing the system

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\STARTXP.BAT ()

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

• IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

Hi essexboy
thanks for your help

I runned OTL, here is the log

BUT

then I runned Combo fix and couldn find any log or Combofix.txt anywhere on this PC at the end.

While running the program showed a couple of signs, don´t remember the first, , but the second says ¨regedit.exe is mising- copy from somewhere else¨or something like that.
Im sorry for the inaccuraccy of my statments, but I didn´t thought that those signs would be relevant.
Will take note of everything in the future,

Btw, I didn´t runned Combofix again to take note of the alerts, because the Notes says: “2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.”

Hmm could you run combofix one more time please and not the errors… How is the computer at the moment , is Avast starting

The computer runs normally, but avast is still starting disabled.

The first sign of Combofix said ¨There´s a newer version of Combofix available
Would you like to update Combofix?¨
Should I update?

Yes please … Update Combofix. For Avast we may need to do a clean install, but we will cross that bridge when we get to it

first appears this (sign 1)

http://i48.tinypic.com/tz6t.jpg

i didn´t do nothing, press no key, the prompt says"Please wai.
Combofix is preparing to run"
then appears this (sign 2)

http://i49.tinypic.com/20obnq.jpg

then I click “OK”, Combofix closes and there´s no log to find anywhere with the name Combofix.txt or "Combofix."something

Excellent that now shows me where to go

Download the latest version of TDSSKiller from here and save it to your Desktop.

[*]Doubleclick on TDSSKiller.exe to run the application

https://dl.dropbox.com/u/73555776/tdss%20start.JPG

[*]Then click on Change parameters.

https://dl.dropbox.com/u/73555776/tdss%20Change%20param.JPG

[*]Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

[*]Click the Start Scan button.

[*]If a suspicious object is detected, the default action will be Skip, click on Continue.

https://dl.dropbox.com/u/73555776/tdss%20threat.JPG

[*]If malicious objects are found, they will show in the Scan results and offer three (3) options.
[*]Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

[*]Get the report by selecting Reports

https://dl.dropbox.com/u/73555776/tdss%20report.JPG

[*]Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

Please copy and paste its contents on your next reply.

THEN

Run OTL with the following custom scan … Only one log will be produced this time

BASESERVICES
%SYSTEMDRIVE%*.exe
/md5start
regedit.*
/md5stop

Thanks essexboy
Here´s the TDSSKiller report attached.

Do I have to “Run Fix” with this parameters in OTL?

I did that and the log was
[b]
Error: Unable to interpret in the current context!
Error: Unable to interpret <%SYSTEMDRIVE%*.exe> in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret <regedit.*> in the current context!
Error: Unable to interpret in the current context!

OTL by OldTimer - Version 3.2.69.0 log created on 03072013_152011[/b]

My apologies I meant press run scan :-[ for OTL

Thank you!

Here´s the otl log

Download regedit.exe from here https://dl.dropbox.com/u/73555776/regedit.exe
Then copy it to C:\windows

Once done then run Combofix again

Running.

A prompt stays in the blue screen, not frozen. I can use the computer meanwhile.

http://i45.tinypic.com/2qx0xf8.jpg

How long is reasonable to wait until that is done or when do I have to abort?

OK it looks like we will have to repair the system prior to removing the malware

Download Windows Repair (all in one) from this site

Install the programme then run

https://dl.dropbox.com/u/73555776/waio%20start.JPG

Go to step 3 and allow it to run SFC

https://dl.dropbox.com/u/73555776/waio%20step3.JPG

On the start repairs tab click start

https://dl.dropbox.com/u/73555776/waiostart%20rep.JPG

Select the following items and tick restart system when finished

https://dl.dropbox.com/u/73555776/waio%20rep%20list.JPG

Then retry combofix

Done.

Windows repair run ok, the Restart got some long delay, but finally got it.

Runned combofix and the result is the same of my last post. Blue screen “Attempting to create a new restore point” goes on an on…

OK lets find out what is wrong with system restore

Download and run farbar service scanner

https://dl.dropbox.com/u/73555776/FSS.gif

Tick “All” options.
Press “Scan”.
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.

Farbar Service Scanner Version: 03-03-2013
Ran by Administrator (administrator) on 08-03-2013 at 13:00:58
Running from “C:\Documents and Settings\Administrator\Desktop\ANTIVIRUS LOGS\logs 3”
Microsoft Windows XP Service Pack 3 (X86)
Boot Mode: Normal

Internet Services:

Dnscache Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of Dnscache. The value does not exist.
Checking ImagePath: ATTENTION!=====> Unable to retrieve ImagePath of Dnscache. The value does not exist.
Unable to retrieve ServiceDll of Dnscache. The value does not exist.
Checking LEGACY_Dnscache: ATTENTION!=====> Unable to open LEGACY_Dnscache\0000 registry key. The key does not exist.

Connection Status:

Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.

Windows Firewall:

sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.
Checking LEGACY_sharedaccess: ATTENTION!=====> Unable to open LEGACY_sharedaccess\0000 registry key. The key does not exist.

winmgmt Service is not running. Checking service configuration:
The start type of winmgmt service is OK.
The ImagePath of winmgmt service is OK.
The ServiceDll of winmgmt service is OK.

Firewall Disabled Policy:

System Restore:

Srservice Service is not running. Checking service configuration:
The start type of Srservice service is OK.
The ImagePath of Srservice service is OK.
The ServiceDll of Srservice service is OK.
Checking LEGACY_Srservice: ATTENTION!=====> Unable to open LEGACY_Srservice\0000 registry key. The key does not exist.

sr Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open sr registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open sr registry key. The service key does not exist.
Checking LEGACY_sr: ATTENTION!=====> Unable to open LEGACY_sr\0000 registry key. The key does not exist.

System Restore Disabled Policy:

Security Center:

wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.
Checking LEGACY_wscsvc: ATTENTION!=====> Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.

winmgmt Service is not running. Checking service configuration:
The start type of winmgmt service is OK.
The ImagePath of winmgmt service is OK.
The ServiceDll of winmgmt service is OK.

Windows Update:

wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.
Checking LEGACY_wuauserv: ATTENTION!=====> Unable to open LEGACY_wuauserv\0000 registry key. The key does not exist.

BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Demand. The default start type is Auto.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.

EventSystem Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open EventSystem registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open EventSystem registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open EventSystem registry key. The service key does not exist.
Checking LEGACY_EventSystem: ATTENTION!=====> Unable to open LEGACY_EventSystem\0000 registry key. The key does not exist.

Windows Autoupdate Disabled Policy:

RpcSs Service is not running. Checking service configuration:
The start type of RpcSs service is OK.
The ImagePath of RpcSs: “%SystemRoot%\system32\svchost.exe -k rpcss”.

File Check:

C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys
[2008-06-20 15:00] - [2008-06-20 15:00] - 0361344 ____A (Microsoft Corporation) ACCF5A9A1FFAA490F33DBA1C632B95E1

C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit

ATTENTION!=====> C:\WINDOWS\system32\dnsrslvr.dll FILE IS MISSING AND SHOULD BE RESTORED.

ATTENTION!=====> C:\WINDOWS\system32\ipnathlp.dll FILE IS MISSING AND SHOULD BE RESTORED.

C:\WINDOWS\system32\netman.dll => MD5 is legit

ATTENTION!=====> C:\WINDOWS\system32\wbem\WMIsvc.dll FILE IS MISSING AND SHOULD BE RESTORED.

ATTENTION!=====> C:\WINDOWS\system32\srsvc.dll FILE IS MISSING AND SHOULD BE RESTORED.

ATTENTION!=====> C:\WINDOWS\system32\Drivers\sr.sys FILE IS MISSING AND SHOULD BE RESTORED.

ATTENTION!=====> C:\WINDOWS\system32\wscsvc.dll FILE IS MISSING AND SHOULD BE RESTORED.

ATTENTION!=====> C:\WINDOWS\system32\wbem\WMIsvc.dll FILE IS MISSING AND SHOULD BE RESTORED.

ATTENTION!=====> C:\WINDOWS\system32\wuauserv.dll FILE IS MISSING AND SHOULD BE RESTORED.

ATTENTION!=====> C:\WINDOWS\system32\qmgr.dll FILE IS MISSING AND SHOULD BE RESTORED.

ATTENTION!=====> C:\WINDOWS\system32\es.dll FILE IS MISSING AND SHOULD BE RESTORED.

C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe
[2008-06-20 15:00] - [2008-06-20 15:00] - 0108544 ____A (Microsoft Corporation) 0E776ED5F7CC9F94299E70461B7B8185

Extra List:

aswTdi(8) Gpc(6) IPSec(4) NetBT(5) Tcpip(3)
0x080000000400000001000000020000000300000008000000050000000600000007000000
IpSec Tag value is correct.

**** End of log ****

OK I need to create some registry fixes and locate a few system files. Then prepare a package for you