Avast Enhanced Protection Mode?

Problem: I can’t open the Avast! user interface, can’t boot in safe mode, can’t access facebook.
Screencaps: http://tinypic.com/r/2itim3r/7 http://tinypic.com/r/hvwbpt/7

I’m certain this is a virus or malware or something of that sort. My sister was using facebook and clicked a link to a video that asked her to update Adobe Flash. She did, the computer restarted and then the problems began. How do I get rid of this? I’m running Malwarebytes right now to see if it’ll do anything. If not, what steps should I take?

Also, my apologies if this isn’t in the right section. I just need some help.

Yep 'tis an infection

Download RogueKiller to your desktop

[*]Quit all running programs
[*]For Vista/Seven, right click → run as administrator, for XP simply run RogueKiller.exe
[*]When prompted, type 2 and validate
[]The RKreport.txt shall be generated next to the executable.
[
]If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe

Please post the contents of the RKreport.txt in your next Reply.

THEN

To ensure that I get all the information this log will need to be attached (instructions at the end) if it is to large to attach then upload to Mediafire and post the sharing link.

Download OTS to your Desktop

[*]Close ALL OTHER PROGRAMS.
[*]Double-click on OTS.exe to start the program.
[*]Check the box that says Scan All Users
[*]Under Additional Scans check the following:

Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

[*]Under the Custom Scan box paste this in


%USERPROFILE%..|smtmp;true;true;true /FP
%SYSTEMDRIVE%*.exe
/md5start
volsnap.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

[*]Now click the Run Scan button on the toolbar.
[*]Let it run unhindered until it finishes.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post.

RogueKiller V5.2.8 [07/23/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRKgmailcom
Feedback: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html

Operating System: Windows 7 (6.1.7600 ) 64 bits version
Started in : Normal mode
User: Cristina [Admin rights]
Mode: Remove – Date : 07/25/2011 13:44:30

Bad processes: 0

Registry Entries: 3
[HJ] HKLM[…]\System : EnableLUA (0) → REPLACED (1)
[HJ] HKLM[…]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) → REPLACED (0)
[HJ] HKLM[…]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) → REPLACED (0)

HOSTS File:
127.0.0.1 localhost
127.0.0.1 vkontakte.ru
127.0.0.1 www.vkontakte.ru
127.0.0.1 login.vk.com
127.0.0.1 vk.com
127.0.0.1 www.vk.com
127.0.0.1 odnoklassniki.ru
127.0.0.1 www.odnoklassniki.ru
127.0.0.1 facebook.com
127.0.0.1 www.facebook.com
127.0.0.1 af-za.facebook.com
127.0.0.1 az-az.facebook.com
127.0.0.1 id-id.facebook.com
127.0.0.1 ms-my.facebook.com
127.0.0.1 bs-ba.facebook.com
127.0.0.1 ca-es.facebook.com
127.0.0.1 cs-cz.facebook.com
127.0.0.1 cy-gb.facebook.com
127.0.0.1 da-dk.facebook.com
127.0.0.1 de-de.facebook.com
[…]

Finished : << RKreport[1].txt >>
RKreport[1].txt

OTS Log

http://www.mediafire.com/?lvt1e08tt0ssz5b

I have the same problem…

RogueKiller V5.2.8 [07/23/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRKgmailcom
Feedback: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Owner [Admin rights]
Mode: Scan – Date : 07/25/2011 20:00:54

Bad processes: 4
[SVCHOST] svchost.exe – c:\windows\update.5.0\svchost.exe → KILLED
[SUSP PATH] sysdriver32.exe – c:\windows\sysdriver32.exe → KILLED
[SVCHOST] svchost.exe – c:\windows\update.2\svchost.exe → KILLED
[SVCHOST] svchost.exe – c:\windows\update.tray-7-0-lnk\svchost.exe → KILLED

Registry Entries: 8
[SUSP PATH] HKLM[…]\Run : wxpdrv (C:\WINDOWS\services32.exe) → FOUND
[HJ] HKLM[…]\System : EnableLUA (0) → FOUND
[HJ] HKLM[…]\Security Center : AntiVirusDisableNotify (1) → FOUND
[HJ] HKLM[…]\Security Center : FirewallDisableNotify (1) → FOUND
[HJ] HKLM[…]\Security Center : UpdatesDisableNotify (1) → FOUND
[HJ] HKLM[…]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) → FOUND
[HJ] HKCU[…]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) → FOUND
[HJ] HKCU[…]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) → FOUND

HOSTS File:
127.0.0.1 localhost
127.0.0.1 vkontakte.ru
127.0.0.1 www.vkontakte.ru
127.0.0.1 login.vk.com
127.0.0.1 vk.com
127.0.0.1 www.vk.com
127.0.0.1 odnoklassniki.ru
127.0.0.1 www.odnoklassniki.ru
127.0.0.1 facebook.com
127.0.0.1 www.facebook.com
127.0.0.1 af-za.facebook.com
127.0.0.1 az-az.facebook.com
127.0.0.1 id-id.facebook.com
127.0.0.1 ms-my.facebook.com
127.0.0.1 bs-ba.facebook.com
127.0.0.1 ca-es.facebook.com
127.0.0.1 cs-cz.facebook.com
127.0.0.1 cy-gb.facebook.com
127.0.0.1 da-dk.facebook.com
127.0.0.1 de-de.facebook.com
[…]

Finished : << RKreport[1].txt >>
RKreport[1].txt

Here is my OTS scan
http://www.mediafire.com/?0aol8b5jw16fy3b

I have the same problem!!!
My Rogue Killer report (RKreport.txt) is:

RogueKiller V5.2.8 [07/23/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRKgmailcom
Feedback: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User: Hugene [Admin rights]
Mode: Remove – Date : 07/25/2011 14:26:36

Bad processes: 0

Registry Entries: 5
[SUSP PATH] HKCU[…]\Run : cacaoweb (“C:\Users\Hugene\AppData\Roaming\cacaoweb\cacaoweb.exe” -noplayer) → DELETED
[SUSP PATH] HKLM[…]\Run : PLFSetI (C:\Windows\PLFSetI.exe) → DELETED
[HJ] HKLM[…]\System : EnableLUA (0) → REPLACED (1)
[HJ] HKLM[…]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) → REPLACED (0)
[HJ] HKLM[…]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) → REPLACED (0)

HOSTS File:

Finished : << RKreport[1].txt >>
RKreport[1].txt

My OST link is:

http://www.mediafire.com/?5pcgz8cz3ccm6rs

Thanks

Guys, please don’t hijack the original posters topic, it just confuses the issue when trying to help multiple users in the same topic.

So please create your own new topic, here http://forum.avast.com/index.php?board=4.0 in the viruses and worms forum and click the New topic and post your RogueKiller and OTS logs in your own new topic.

Hello dear fellows, I am new to the forum but have been around 7 years steadily an Avast user, so here’s the situation, I have the same problem with the Facebook thing and Enhanced security so I did everything that was told with the program RougKiller and here is the report, I did it for the seventh time and nothing changes still avast tells that it works under enhanced protection and still the connection to Fb is lost or damaged. :-X ???, Can you just tell me if you know for how long will this hacking if it can be said hacking thing to continue and is avast going to manage with the problem

This is a new variant malware that affects all Antivirus programmes - there is a Norton enhanced mode, a McAfee enhanced mode etc. etc.

Each fix I create will be unique to the system concerned, so each one will need to be in a seperate topic.

But again please do not get a flash player update from anywhere but adobe - period, full stop, never. 'cos you will get infected with the latest and best malware around… Until we find a way to kill it that is, then it will just get updated again

MissTootyJones Here is your fix…

Once this run is complete there will be a zip file in the following location C:_OTS\moved files could you upload that to mediafire and post the sharing link please - I will then forward it to Avast. On completion of this could you also download and install a fresh copy of Avast

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

 
[Unregister Dlls]
[Processes - Safe List]
YY -> svchost.exe -> C:\Windows\update.2\svchost.exe
YY -> svchost.exe -> C:\Windows\update.1\svchost.exe
[Win32 Services - Safe List]
YY -> (srvsysdriver32) srvsysdriver32 [Auto | Stopped] -> C:\Windows\sysdriver32.exe
[Registry - Safe List]
< HOSTS File > ([2011/07/24 22:53:08 | 000,203,160 | -H-- | M] - 100105 lines) -> C:\Windows\SysNative\Drivers\etc\hosts
YN -> Reset Hosts -> 
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "14739484-loader2.exe" -> C:\Windows\TEMP\14739484-loader2.exe ["C:\Windows\TEMP\14739484-loader2.exe"]
YY -> "388915.exe" -> C:\Windows\TEMP\388915.exe ["C:\Windows\TEMP\388915.exe"]
YY -> "707159.exe" -> C:\Windows\TEMP\707159.exe ["C:\Windows\TEMP\707159.exe"]
YY -> "7835015.exe" -> C:\Users\Cristina\AppData\Local\Temp\7835015.exe ["C:\Users\Cristina\AppData\Local\Temp\7835015.exe"]
YY -> "8435151.exe" -> C:\Windows\TEMP\8435151.exe ["C:\Windows\TEMP\8435151.exe"]
YY -> "l1rezerv.exe" -> C:\Windows\l1rezerv.exe ["C:\Windows\l1rezerv.exe"]
YY -> "sysdriver32.exe" -> C:\Windows\sysdriver32.exe ["C:\Windows\sysdriver32.exe" rezerv]
YY -> "sysdriver32_.exe" -> C:\Windows\sysdriver32_.exe ["C:\Windows\sysdriver32_.exe" rezerv]
YY -> "systemup" -> C:\Windows\systemup.exe ["C:\Windows\systemup.exe" stand]
YN -> "tray_ico" -> []
YY -> "tray_ico0" -> C:\Windows\update.tray-7-0\svchost.exe [C:\Windows\update.tray-7-0\svchost.exe]
YN -> "tray_ico1" -> []
YN -> "tray_ico2" -> []
YN -> "tray_ico3" -> []
YN -> "tray_ico4" -> []
YY -> "wxpdrv" -> C:\Windows\services32.exe [C:\Windows\services32.exe]
< SafeBoot AlternateShell [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
YN -> "AlternateShell" -> services32.exe
[Files/Folders - Created Within 30 Days]
NY ->  update.5.0 -> C:\Windows\update.5.0
NY ->  update.2 -> C:\Windows\update.2
NY ->  av_ico -> C:\Windows\av_ico
NY ->  update.1 -> C:\Windows\update.1
NY ->  update.tray-7-0-lnk -> C:\Windows\update.tray-7-0-lnk
NY ->  update.tray-7-0 -> C:\Windows\update.tray-7-0
[Files/Folders - Modified Within 30 Days]
NY ->  info1 -> C:\Windows\info1
NY ->  sysdriver32_.exe -> C:\Windows\sysdriver32_.exe
NY ->  sysdriver32.exe -> C:\Windows\sysdriver32.exe
NY ->  systemup.exe -> C:\Windows\systemup.exe
NY ->  geoiplist.rar -> C:\Windows\geoiplist.rar
NY ->  unrar.exe -> C:\Windows\unrar.exe
NY ->  loader2.exe_ok -> C:\Windows\loader2.exe_ok
NY ->  services32.exe -> C:\Windows\services32.exe
NY ->  geoiplist -> C:\Windows\geoiplist
[Files - No Company Name]
NY ->  systemup.exe -> C:\Windows\systemup.exe
NY ->  l1rezerv.exe -> C:\Windows\l1rezerv.exe
NY ->  geoiplist -> C:\Windows\geoiplist
NY ->  geoiplist.rar -> C:\Windows\geoiplist.rar
NY ->  unrar.exe -> C:\Windows\unrar.exe
NY ->  info1 -> C:\Windows\info1
NY ->  loader2.exe_ok -> C:\Windows\loader2.exe_ok
NY ->  sysdriver32_.exe -> C:\Windows\sysdriver32_.exe
NY ->  sysdriver32.exe -> C:\Windows\sysdriver32.exe
NY ->  services32.exe -> C:\Windows\services32.exe
[File - Lop Check]
NY ->  com.eol.www.CelebAlarm.2B123E4CD5F151A829F44ECC827710372278488B.1 -> C:\Users\Cristina\AppData\Roaming\com.eol.www.CelebAlarm.2B123E4CD5F151A829F44ECC827710372278488B.1
NY ->  com.zoosk.Desktop.096E6A67431258A508A2446A847B240591D2C99B.1 -> C:\Users\Cristina\AppData\Roaming\com.zoosk.Desktop.096E6A67431258A508A2446A847B240591D2C99B.1
[Custom Scans]
YY ->  svchost.exe : MD5=7A3BC4D258CBE30DFB0649EE863FAE25 -> C:\Windows\update.1\svchost.exe
YY ->  svchost.exe : MD5=7A3BC4D258CBE30DFB0649EE863FAE25 -> C:\Windows\update.tray-7-0\svchost.exe
YY ->  svchost.exe : MD5=7A3BC4D258CBE30DFB0649EE863FAE25 -> C:\Windows\update.tray-7-0-lnk\svchost.exe
YY ->  svchost.exe : MD5=B29DC60E06AF2B9ED13E6C6935BC3670 -> C:\Windows\update.2\svchost.exe
YY ->  svchost.exe : MD5=DDE08469DED554140851ACFFCB8F4802 -> C:\Windows\update.5.0\svchost.exe
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
[ZipFiles]


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!

Thank you so much! Everything’s working fine! Zip file and log below. :]

All Processes Killed
[Processes - Safe List]
Process svchost.exe killed successfully!
C:\Windows\update.2\svchost.exe moved successfully.
No active process named svchost.exe was found!
C:\Windows\update.1\svchost.exe moved successfully.
[Win32 Services - Safe List]
Service srvsysdriver32 stopped successfully!
Service srvsysdriver32 deleted successfully!
C:\Windows\sysdriver32.exe moved successfully.
[Registry - Safe List]
HOSTS file reset successfully!
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\14739484-loader2.exe deleted successfully.
C:\Windows\TEMP\14739484-loader2.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\388915.exe deleted successfully.
C:\Windows\TEMP\388915.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\707159.exe deleted successfully.
C:\Windows\TEMP\707159.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7835015.exe deleted successfully.
C:\Users\Cristina\AppData\Local\Temp\7835015.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8435151.exe deleted successfully.
C:\Windows\TEMP\8435151.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\l1rezerv.exe deleted successfully.
C:\Windows\l1rezerv.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysdriver32.exe deleted successfully.
File C:\Windows\sysdriver32.exe not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysdriver32_.exe deleted successfully.
C:\Windows\sysdriver32_.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\systemup deleted successfully.
C:\Windows\systemup.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tray_ico deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tray_ico0 deleted successfully.
C:\Windows\update.tray-7-0\svchost.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tray_ico1 deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tray_ico2 deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tray_ico3 deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tray_ico4 deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wxpdrv deleted successfully.
C:\Windows\services32.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\AlternateShell deleted successfully.
[Files/Folders - Created Within 30 Days]
C:\Windows\update.5.0 folder moved successfully.
C:\Windows\update.2 folder moved successfully.
C:\Windows\av_ico folder moved successfully.
C:\Windows\update.1 folder moved successfully.
C:\Windows\update.tray-7-0-lnk folder moved successfully.
C:\Windows\update.tray-7-0 folder moved successfully.
[Files/Folders - Modified Within 30 Days]
C:\Windows\info1 moved successfully.
File C:\Windows\sysdriver32_.exe not found!
File C:\Windows\sysdriver32.exe not found!
File C:\Windows\systemup.exe not found!
C:\Windows\geoiplist.rar moved successfully.
C:\Windows\unrar.exe moved successfully.
C:\Windows\loader2.exe_ok moved successfully.
File C:\Windows\services32.exe not found!
C:\Windows\geoiplist moved successfully.
[Files - No Company Name]
File C:\Windows\systemup.exe not found!
File C:\Windows\l1rezerv.exe not found!
File C:\Windows\geoiplist not found!
File C:\Windows\geoiplist.rar not found!
File C:\Windows\unrar.exe not found!
File C:\Windows\info1 not found!
File C:\Windows\loader2.exe_ok not found!
File C:\Windows\sysdriver32_.exe not found!
File C:\Windows\sysdriver32.exe not found!
File C:\Windows\services32.exe not found!
[File - Lop Check]
C:\Users\Cristina\AppData\Roaming\com.eol.www.CelebAlarm.2B123E4CD5F151A829F44ECC827710372278488B.1\Local Store#SharedObjects\CelebAlarm.swf folder moved successfully.
C:\Users\Cristina\AppData\Roaming\com.eol.www.CelebAlarm.2B123E4CD5F151A829F44ECC827710372278488B.1\Local Store#SharedObjects folder moved successfully.
C:\Users\Cristina\AppData\Roaming\com.eol.www.CelebAlarm.2B123E4CD5F151A829F44ECC827710372278488B.1\Local Store folder moved successfully.
C:\Users\Cristina\AppData\Roaming\com.eol.www.CelebAlarm.2B123E4CD5F151A829F44ECC827710372278488B.1 folder moved successfully.
C:\Users\Cristina\AppData\Roaming\com.zoosk.Desktop.096E6A67431258A508A2446A847B240591D2C99B.1\Local Store#SharedObjects folder moved successfully.
C:\Users\Cristina\AppData\Roaming\com.zoosk.Desktop.096E6A67431258A508A2446A847B240591D2C99B.1\Local Store#ApplicationUpdater folder moved successfully.
C:\Users\Cristina\AppData\Roaming\com.zoosk.Desktop.096E6A67431258A508A2446A847B240591D2C99B.1\Local Store folder moved successfully.
C:\Users\Cristina\AppData\Roaming\com.zoosk.Desktop.096E6A67431258A508A2446A847B240591D2C99B.1 folder moved successfully.
[Custom Scans]
File/Folder C:\Windows\update.1\svchost.exe not found.
File/Folder C:\Windows\update.tray-7-0\svchost.exe not found.
File/Folder C:\Windows\update.tray-7-0-lnk\svchost.exe not found.
File/Folder C:\Windows\update.2\svchost.exe not found.
File/Folder C:\Windows\update.5.0\svchost.exe not found.
[Custom Items]
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Cristina\Desktop\cmd.bat deleted successfully.
C:\Users\Cristina\Desktop\cmd.txt deleted successfully.
[Empty Temp Folders]

User: All Users

User: Cathy

User: Cristina
->Temp folder emptied: 244393232 bytes
->Temporary Internet Files folder emptied: 641423013 bytes
->Java cache emptied: 22912033 bytes
->Google Chrome cache emptied: 168582628 bytes
->Flash cache emptied: 2628534 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 56504 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 490783749 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 147224 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 1,498.00 mb

[EMPTYFLASH]

User: All Users

User: Cathy

User: Cristina
->Flash cache emptied: 0 bytes

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb

Restore point Set: OTS Restore Point
< End of fix log >
OTS by OldTimer - Version 3.1.44.0 fix logfile created on 07252011_162321

Files\Folders moved on Reboot…
C:\Users\Cristina\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

Registry entries deleted on Reboot…

OK got it - thanks ;D could you modify your post and delete the link please

OK a sweep for orphans next, is Avast working OK ?

http://img233.imageshack.us/img233/7729/mbamicontw5.gif
Please download Malwarebytes’ Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

[*]Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
[*]If an update is found, it will download and install the latest version.
[*]Once the program has loaded, select “Perform Quick Scan”, then click Scan.
[*]The scan may take some time to finish,so please be patient.
[*]When the scan is complete, click OK, then Show Results to view the results.
[*]Make sure that everything is checked, and click Remove Selected.
[]When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
[
]The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
[*]Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Bugisrb fix here http://forum.avast.com/index.php?topic=82154.new#new

Hugene fix here http://forum.avast.com/index.php?topic=82155.new#new

Malwarebytes’ Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7277

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

7/25/2011 5:11:41 PM
mbam-log-2011-07-25 (17-11-41).txt

Scan type: Quick scan
Objects scanned: 180994
Time elapsed: 3 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wxpdrivers (Trojan.Agent) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\wxpdrivers (Trojan.Agent) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srvbtcclient (Trojan.Downloader) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\WXPDRIVERS (Trojan.Agent) → Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wxpDrivers\ImagePath (Trojan.Agent) → Value: ImagePath → Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\Cristina\downloads\flash-player (1).exe (Trojan.Dropper) → Quarantined and deleted successfully.
c:\Users\Cristina\downloads\flash-player.exe (Trojan.Dropper) → Quarantined and deleted successfully.

So am I all set now?

I apologize for interrupting with this OT comment.

@essexboy,

You are probably “copy+past” -ing at least some of your instructions.

If I may, at http://forum.avast.com/index.php?topic=82144.msg671104#msg671104 for example (as with other posts), you wrote (copy+paste):

To ensure that I get all the information this log will need to be attached (instructions at the end) if it is [b]to[/b] large to attach then upload to Mediafire and post the sharing link.

should be “too”, not “to”.

I know that for users where English is the natural language that correction is “almost” unnecessary, but it may not be such for an international forum like this. I also saw other suggestions (so to improve the correct understanding from non-English speakers), but they are more related to the specific writing style.

I just mean to help. Sorry for the OT.

;D ;D ;D ;D ;D thank you for the light relief - rest assured I will amend my canned - fixt ;D

Sorry MissTootyJones I was distracted ;D

Do you have any further problems ? If not I will remove my tools

Hi, Ive the same problem. Only my pc is restarting automatically every 5-10 minutes.

Here’s my RogueKiller:

RogueKiller V5.2.8 [07/23/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRKgmailcom
Feedback: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html

Operating System: Windows 7 (6.1.7600 ) 64 bits version
Started in : Normal mode
User: user [Admin rights]
Mode: Remove – Date : 07/26/2011 09:56:25

Bad processes: 0

Registry Entries: 3
[HJ] HKLM[…]\System : EnableLUA (0) → REPLACED (1)
[HJ] HKLM[…]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) → REPLACED (0)
[HJ] HKLM[…]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) → REPLACED (0)

HOSTS File:
127.0.0.1 localhost
127.0.0.1 vkontakte.ru
127.0.0.1 www.vkontakte.ru
127.0.0.1 login.vk.com
127.0.0.1 vk.com
127.0.0.1 www.vk.com
127.0.0.1 odnoklassniki.ru
127.0.0.1 www.odnoklassniki.ru
127.0.0.1 facebook.com
127.0.0.1 www.facebook.com
127.0.0.1 af-za.facebook.com
127.0.0.1 az-az.facebook.com
127.0.0.1 id-id.facebook.com
127.0.0.1 ms-my.facebook.com
127.0.0.1 bs-ba.facebook.com
127.0.0.1 ca-es.facebook.com
127.0.0.1 cs-cz.facebook.com
127.0.0.1 cy-gb.facebook.com
127.0.0.1 da-dk.facebook.com
127.0.0.1 de-de.facebook.com
[…]

Finished : << RKreport[1].txt >>
RKreport[1].txt

OTS log:

http://www.mediafire.com/?uho19bcicwmjumc

Here I attach my MBAM log too.

Hopefully you can help me, my pc is too new to format it all.

So here are the results from the Malwarebytes

Malwarebytes’ Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7278

Windows 6.1.7601 Service Pack 1
Internet Explorer 8.0.7601.17514

26.7.2011 г. 07:31:06
mbam-log-2011-07-26 (07-31-06).txt

Scan type: Quick scan
Objects scanned: 164657
Time elapsed: 2 minute(s), 49 second(s)

Memory Processes Infected: 6
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 27

Memory Processes Infected:
c:\Windows\sysdriver32.exe (Trojan.Agent) → 1584 → Unloaded process successfully.
c:\Windows\update.1\svchost.exe (Trojan.Dropper) → 1976 → Unloaded process successfully.
c:\Windows\update.2\svchost.exe (Backdoor.Agent) → 1912 → Unloaded process successfully.
c:\Windows\update.2\svchost.exe (Backdoor.Agent) → 2996 → Unloaded process successfully.
c:\Windows\update.5.0\svchost.exe (Trojan.Downloader) → 3788 → Unloaded process successfully.
c:\Windows\update.5.0\svchost.exe (Trojan.Downloader) → 3880 → Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srvsysdriver32 (Trojan.Agent) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wxpdrivers (Trojan.Dropper) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srviecheck (Backdoor.Agent) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srvbtcclient (Trojan.Downloader) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wxpdrivers (Trojan.Agent) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\wxpdrivers (Trojan.Agent) → Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tray_ico0 (Trojan.Dropper) → Value: tray_ico0 → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wxpDrivers\ImagePath (Trojan.Agent) → Value: ImagePath → Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\Windows\rpcminer (Trojan.BCMiner) → Quarantined and deleted successfully.

Files Infected:
c:\Windows\sysdriver32.exe (Trojan.Agent) → Quarantined and deleted successfully.
c:\Windows\update.1\svchost.exe (Trojan.Dropper) → Quarantined and deleted successfully.
c:\Windows\update.tray-7-0\svchost.exe (Trojan.Dropper) → Quarantined and deleted successfully.
c:\Windows\Temp\1837641.exe (Trojan.Agent) → Quarantined and deleted successfully.
c:\Windows\Temp\3886134.exe (Trojan.Agent) → Quarantined and deleted successfully.
c:\Windows\Temp\9013646.exe (Trojan.Agent) → Quarantined and deleted successfully.
c:\Users\Angel\downloads\flash-player.exe (Trojan.Dropper) → Quarantined and deleted successfully.
c:\Windows\services32.exe (Trojan.Dropper) → Quarantined and deleted successfully.
c:\Windows\sysdriver32_.exe (Trojan.Agent) → Quarantined and deleted successfully.
c:\Windows\systemup.exe (Trojan.Agent) → Quarantined and deleted successfully.
c:\Windows\l1rezerv.exe (Trojan.Agent) → Quarantined and deleted successfully.
c:\Windows\update.2\svchost.exe (Backdoor.Agent) → Quarantined and deleted successfully.
c:\Windows\update.5.0\svchost.exe (Trojan.Downloader) → Quarantined and deleted successfully.
c:\Windows\rpcminer\bitcoinmineropencl.cl (Trojan.BCMiner) → Quarantined and deleted successfully.
c:\Windows\rpcminer\bitcoinminercuda_10.cubin (Trojan.BCMiner) → Quarantined and deleted successfully.
c:\Windows\rpcminer\bitcoinminercuda_11.cubin (Trojan.BCMiner) → Quarantined and deleted successfully.
c:\Windows\rpcminer\bitcoinminercuda_20.cubin (Trojan.BCMiner) → Quarantined and deleted successfully.
c:\Windows\rpcminer\cudart32_32_16.dll (Trojan.BCMiner) → Quarantined and deleted successfully.
c:\Windows\rpcminer\curllib.dll (Trojan.BCMiner) → Quarantined and deleted successfully.
c:\Windows\rpcminer\libeay32.dll (Trojan.BCMiner) → Quarantined and deleted successfully.
c:\Windows\rpcminer\libsasl.dll (Trojan.BCMiner) → Quarantined and deleted successfully.
c:\Windows\rpcminer\openldap.dll (Trojan.BCMiner) → Quarantined and deleted successfully.
c:\Windows\rpcminer\rpcminer-4way.exe (Trojan.BCMiner) → Quarantined and deleted successfully.
c:\Windows\rpcminer\rpcminer-cpu.exe (Trojan.BCMiner) → Quarantined and deleted successfully.
c:\Windows\rpcminer\rpcminer-cuda.exe (Trojan.BCMiner) → Quarantined and deleted successfully.
c:\Windows\rpcminer\rpcminer-opencl.exe (Trojan.BCMiner) → Quarantined and deleted successfully.
c:\Windows\rpcminer\ssleay32.dll (Trojan.BCMiner) → Quarantined and deleted successfully.

RogueKiller V5.2.8 [07/23/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRKgmailcom
Feedback: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html

Operating System: Windows 7 (6.1.7600 ) 64 bits version
Started in : Normal mode
User: jake [Admin rights]
Mode: Remove – Date : 07/26/2011 15:46:03

Bad processes: 8
[SVCHOST] svchost.exe – c:\windows\update.5.0\svchost.exe → KILLED
[SUSP PATH] sysdriver32.exe – c:\windows\sysdriver32.exe → KILLED
[SVCHOST] svchost.exe – c:\windows\update.2\svchost.exe → KILLED
[SVCHOST] svchost.exe – c:\windows\update.tray-7-0\svchost.exe → KILLED
[SUSP PATH] sysdriver32.exe – c:\windows\sysdriver32.exe → KILLED
[SUSP PATH] sysdriver32_.exe – c:\windows\sysdriver32_.exe → KILLED
[SUSP PATH] l1rezerv.exe – c:\windows\l1rezerv.exe → KILLED
[SUSP PATH] systemup.exe – c:\windows\systemup.exe → KILLED

Registry Entries: 0

HOSTS File:
127.0.0.1 localhost
127.0.0.1 vkontakte.ru
127.0.0.1 www.vkontakte.ru
127.0.0.1 login.vk.com
127.0.0.1 vk.com
127.0.0.1 www.vk.com
127.0.0.1 odnoklassniki.ru
127.0.0.1 www.odnoklassniki.ru
127.0.0.1 facebook.com
127.0.0.1 www.facebook.com
127.0.0.1 af-za.facebook.com
127.0.0.1 az-az.facebook.com
127.0.0.1 id-id.facebook.com
127.0.0.1 ms-my.facebook.com
127.0.0.1 bs-ba.facebook.com
127.0.0.1 ca-es.facebook.com
127.0.0.1 cs-cz.facebook.com
127.0.0.1 cy-gb.facebook.com
127.0.0.1 da-dk.facebook.com
127.0.0.1 de-de.facebook.com
[…]

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt