Avast! doesn't remove a rootkit file

Hello to everybody, I’m new here and I’m looking for help.

First of all, sorry, my English is disaster.

Last night I used Avast! AV to scan my computer and it found an infected ROOTKIT file on

C:/windows/windows32/drivers/fylwqx.sys

Since Avast! found it, I have had a “blue screen” and I can’t access my User profile on Windows Vista.

Avast was not able to delete the infected file, nor were some other AV programs (AVIRA, SPYBOT, AVG…). I have tried to remove the rootkit file manually but without success.

Now I’m using SAFE MODE with networking. But even in SAFE MODE, the blue screen comes up frequently.

What do you think I should do?

Thank you!

Hi CUPIC, welcome to the forum :slight_smile:

I am sorry to hear you have so many problems. The best I can do for you is to pm essexboy. He is in charge of the “viruses and worms” section, and the most qualified person here to help you.

http://forum.avast.com/index.php?topic=53253.0

So please be patient, and wait for him to help you :wink:

Greetz, Red.

Hi, this can be run from safe mode

Download OTL to your Desktop

[*]Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
[*]Select All Users
[*]Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
c:\system volume information|_REGISTRY_MACHINE_SOFTWARE;true;true;true /FP
CREATERESTOREPOINT

[*]Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Attach both logs please

Thank you very much for your help!

I did exactly as you said and here are the two files, OTL.txt and EXTRAS.txt

When you have extra time, please check them and see if there are some suspicious services.

Thanks again!

Best regards!

It looks like the infection came from a USB drive. Once ComboFix starts running, allow it to boot back to normal mode if possible.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
DRV - [2010.07.12 04:34:02 | 000,054,112 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\avgfwd6x.sys -- (Avgfwfd)
FF - HKLM\software\mozilla\Firefox\Extensions\\m3ffxtbr@mywebsearch.com: C:\Program Files\MyWebSearch\bar\1.bin
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (no name) - {9CFACCB6-2F3F-4177-94EA-0D2B72D384C1} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O4 - HKU\S-1-5-21-4190731207-121853071-4191398483-1000..\Run: [futur] File not found
O33 - MountPoints2\{377dff67-a9de-11dd-bac3-001b383f358f}\Shell\AutoRun\command - "" = D:\fooool.exe
O33 - MountPoints2\{377dff67-a9de-11dd-bac3-001b383f358f}\Shell\explore\Command - "" = D:\fooool.exe
O33 - MountPoints2\{377dff67-a9de-11dd-bac3-001b383f358f}\Shell\open\Command - "" = D:\fooool.exe
O33 - MountPoints2\{39106cf0-ab35-11dd-9726-001b383f358f}\Shell\AutoRun\command - "" = D:\fooool.exe
O33 - MountPoints2\{39106cf0-ab35-11dd-9726-001b383f358f}\Shell\explore\Command - "" = D:\fooool.exe
O33 - MountPoints2\{39106cf0-ab35-11dd-9726-001b383f358f}\Shell\open\Command - "" = D:\fooool.exe
O33 - MountPoints2\{52b58a6f-ada5-11dd-bbed-001b383f358f}\Shell\AutoRun\command - "" = D:\fooool.exe
O33 - MountPoints2\{52b58a6f-ada5-11dd-bbed-001b383f358f}\Shell\explore\Command - "" = D:\fooool.exe
O33 - MountPoints2\{52b58a6f-ada5-11dd-bbed-001b383f358f}\Shell\open\Command - "" = D:\fooool.exe
O33 - MountPoints2\{cba4564c-d7e6-11dd-8f78-001b383f358f}\Shell\AutoRun\command - "" = D:\fooool.exe
O33 - MountPoints2\{cba4564c-d7e6-11dd-8f78-001b383f358f}\Shell\explore\Command - "" = D:\fooool.exe
O33 - MountPoints2\{cba4564c-d7e6-11dd-8f78-001b383f358f}\Shell\open\Command - "" = D:\fooool.exe
O33 - MountPoints2\{d9ba48f4-d8ac-11dd-b4b9-001b383f358f}\Shell\AutoRun\command - "" = G:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\windowsupdate.com
O33 - MountPoints2\{d9ba48f4-d8ac-11dd-b4b9-001b383f358f}\Shell\open\command - "" = G:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\windowsupdate.com
O33 - MountPoints2\{dc5d4ae4-dd57-11dd-a1db-001b383f358f}\Shell\AutoRun\command - "" = fooool.exe
O33 - MountPoints2\{dc5d4ae4-dd57-11dd-a1db-001b383f358f}\Shell\explore\Command - "" = fooool.exe
O33 - MountPoints2\{dc5d4ae4-dd57-11dd-a1db-001b383f358f}\Shell\open\Command - "" = fooool.exe
O33 - MountPoints2\{edb5e675-24ee-11e0-808a-da2f9059bcb9}\Shell\AutoRun\command - "" = D:\LANCE/srasli.exe
O33 - MountPoints2\{edb5e675-24ee-11e0-808a-da2f9059bcb9}\Shell\explore\command - "" = D:\LANCE/srasli.exe
O33 - MountPoints2\{edb5e675-24ee-11e0-808a-da2f9059bcb9}\Shell\open\command - "" = D:\LANCE/srasli.exe
O33 - MountPoints2\{f4da3995-caf2-11dd-b7aa-001b383f358f}\Shell\AutoRun\command - "" = fooool.exe
O33 - MountPoints2\{f4da3995-caf2-11dd-b7aa-001b383f358f}\Shell\explore\Command - "" = fooool.exe
O33 - MountPoints2\{f4da3995-caf2-11dd-b7aa-001b383f358f}\Shell\open\Command - "" = fooool.exe
[2010.10.23 04:13:24 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\AVG10
[2011.01.22 20:34:38 | 000,000,000 | ---- | M] ()(C:\Windows\System32\?????) -- C:\Windows\System32\?????
[2011.01.22 20:20:18 | 000,000,000 | ---- | C] ()(C:\Windows\System32\?????) -- C:\Windows\System32\?????

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
[*]Double click on ComboFix.exe & follow the prompts.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

First of all, thank you for your help.

I did everything as you said: I ran the OTL scanner but it stopped working while processing one file:

PROCESSING… PROO2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.

And it lasts for hours …

Thank you for help!

Should I format my disc?

CUPIC,

Hold off on formatting until Essexboy gives you further instruction. He has other tools he can use to help you. He usually comes on the forum late UK time. Thank you.

OK, I’m very patient and thankful!

Continue straight to the combofix run now please

Thank you!

I downloaded ComboFix and ran it, although the program reported that I should download a newer version of it. I have not done so.

The file that caused the problems now no longer exists!

That was the fylwqx.sys file in system32/drivers. And now I can access my User profile normally.

But I noticed one very strange service in the startup tab of my msconfig, called “futur”. It did not exist before.

Should I turn off that service?

The LOG combofix file is attached.

THANK YOU SO MUCH!

Hi, you must let ComboFix update - otherwise it cannot do its job properly. You have been using some infected USB drives, they need to be vaccinated using Panda USB Vaccine http://www.pandasecurity.com/homeusers/downloads/usbvaccine/

  1. Please open Notepad
    [*]Click Start, then Run
    [*]Type notepad.exe in the Run Box.

  2. Now copy/paste the entire content of the codebox below into the Notepad window:

File:: c:\users\User\AppData\Local\Temp\DZE.exe

Driver::
DZE
fylwqx

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{377dff67-a9de-11dd-bac3-001b383f358f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{39106cf0-ab35-11dd-9726-001b383f358f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{52b58a6f-ada5-11dd-bbed-001b383f358f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cba4564c-d7e6-11dd-8f78-001b383f358f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d9ba48f4-d8ac-11dd-b4b9-001b383f358f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dc5d4ae4-dd57-11dd-a1db-001b383f358f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{edb5e675-24ee-11e0-808a-da2f9059bcb9}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f4da3995-caf2-11dd-b7aa-001b383f358f}]

  3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

  4. Save the above as CFScript.txt

  5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

  6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    [*]Combofix.txt
    [*]A new OTListit log.
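The O33 MountPoints2 lines in the OTL fix above and the Registry:: section of this CFScript both target the per-user MountPoints2 keys that Explorer creates for each removable volume it has seen; an infected USB stick with an autorun.inf leaves Shell\AutoRun (and often open/explore) commands in there pointing at an executable on the drive. As an added example that is not part of the thread and not OTL's or ComboFix's own code, this PowerShell script (the function name Get-MountPointAutoRun and the Flagged heuristic are this example's own choices) lists those entries read-only so a similar infection can be spotted before anything is deleted.

```powershell
# Added example, not from the thread: read-only check of the per-user MountPoints2
# keys. Nothing is removed; it reports which volumes carry an AutoRun/open/explore
# command and flags the ones whose target is an executable, like D:\fooool.exe or
# a bare fooool.exe in the OTL log above. Names here are this example's own.
function Get-MountPointAutoRun {
    $base  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
    $verbs = 'AutoRun', 'open', 'explore'

    if (-not (Test-Path -LiteralPath $base)) { return }

    # MountPoints2 also holds non-GUID keys (CPC, network shares); keep only the
    # volume GUID keys such as {377dff67-a9de-11dd-bac3-001b383f358f}
    $guidKey = '^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$'

    Get-ChildItem -LiteralPath $base -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match $guidKey } |
        ForEach-Object {
            $volume = $_
            foreach ($verb in $verbs) {
                # provider path of e.g. ...\{guid}\Shell\AutoRun\command
                $cmdKey = "$($volume.PSPath)\Shell\$verb\command"
                if (Test-Path -LiteralPath $cmdKey) {
                    # the key's default value is the command line Explorer would run
                    $target = (Get-ItemProperty -LiteralPath $cmdKey).'(default)'
                    [pscustomobject]@{
                        Volume  = $volume.PSChildName
                        Verb    = $verb
                        Command = $target
                        # a drive-relative or bare executable is the classic
                        # autorun.inf pattern and deserves a closer look
                        Flagged = [bool]($target -match '(?i)\.(exe|com|scr|bat|cmd|vbs)\s*$')
                    }
                }
            }
        }
}

# Usage: list every autorun command found, flagged ones first
Get-MountPointAutoRun | Sort-Object -Property Flagged -Descending | Format-Table -AutoSize
```

A legitimate CD or installer can also leave such an entry, so a flagged row is a lead to check (does the target still exist, was the drive ever trusted), not proof of infection on its own.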

I did everything as you said.

There are 2 files.

Thank you!

That looks good now, what are your current problems ?

When I logged into Windows normally, after I scanned my computer with ComboFix, Spybot S&D asked me if I want to allow some changes.

Message was:

“DISABLE CMD”

What to do?

thank you!

To be honest… Remove Spybot and get winpatrol and MBAM to cover your security

Allow it

Thank you very much!

I will install that MBAM, whatever it is!

THANKS!

Here you go, do this run and attach the log to see if I missed any waifs and strays

Please download Malwarebytes’ Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

[*]Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
[*]If an update is found, it will download and install the latest version.
[*]Once the program has loaded, select “Perform Quick Scan”, then click Scan.
[*]The scan may take some time to finish, so please be patient.
[*]When the scan is complete, click OK, then Show Results to view the results.
[*]Make sure that everything is checked, and click Remove Selected.
[*]When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
[*]The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
[*]Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

OK. I’ll do it right now, it is already downloading the program.

But I still have one process or service in MSCONFIG’s startup tab, called FUTUR. It has an “unknown” manufacturer and the exe file of that service is at:

C:\Users\User\AppData\Roaming\Microsoft\zihooqu.exe

And it looks very malignant to me.

This service did not exist a few days ago.

I will post the report of Malwarebytes when it finishes.

Thanks

CUPIC, I noticed in one of your logs that you still have MSE on your system; even though it is disabled, it is not recommended to have two or more AVs on a system at one time.
Actually you also have some Symantec/Norton stuff still on there too, you can find removal tools here
http://uninstallers.blogspot.com/ scroll down the list to 23b and 26a. Remember to delete the programs through Add/Remove Programs first, then run the tool for each with reboots in between. If you have deleted Norton previously then just run the tool anyway to get rid of leftovers; when done, finally clean your system with CCleaner.
And don't forget to follow the rest of essexboy’s advice :slight_smile:

@ craigb,

I believe this is an empty entry in the last ComboFix, but it would be best for Essexboy to take a look at this.