binky101

Download OTL to your Desktop

[*]Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
[*]Select All Users
[*]Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
CREATERESTOREPOINT

[*]Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won’t take long.
[*]When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Post both logs

In process… stand by!

Here you go. Severe thunderstorm so I’m logging off for a few.

On completion of this, let me know what your problems are.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:56020
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 56020
O3 - HKLM\..\Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
F3 - HKCU WinNT: Load - (C:\Users\Owner\AppData\Local\Temp\csrss.exe) - File not found

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
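Added example, not part of the thread and not OTL’s own code: a read-only PowerShell check for the three kinds of indicator the fix script above removes (the WinINET/IE ProxyServer value, the Firefox network.proxy.* prefs, and the legacy HKCU Windows NT "Load" value). It assumes a Windows host with PowerShell 3 or later and the default Firefox profile location under %APPDATA%; the loopback proxy 127.0.0.1:56020 and the Temp\csrss.exe path are the values from the OTL log. It reports and changes nothing, so it can be run before and after the fix to confirm the entries are gone.

```powershell
# Added example (not from the thread): report-only check for the indicators
# that the OTL fix above removes. Assumes Windows PowerShell 3+ and the default
# Firefox profile folder; the loopback proxy and Temp\csrss.exe path come from the log.

$findings = @()

# 1. IE / WinINET proxy. A proxy on 127.0.0.1 with a high port is the redirect
#    pattern in the OTL line 'ProxyServer = http=127.0.0.1:56020'.
$inetKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$inetProps = Get-ItemProperty -Path $inetKey -ErrorAction SilentlyContinue
if ($inetProps -and $inetProps.ProxyServer) {
    $findings += "IE ProxyServer = $($inetProps.ProxyServer) (ProxyEnable = $($inetProps.ProxyEnable))"
    if ($inetProps.ProxyServer -match '127\.0\.0\.1|localhost') {
        $findings += '  -> proxy points at loopback; matches the hijack entry in the OTL log'
    }
}

# 2. Firefox prefs.js. The fix removes network.proxy.http / http_port; list every
#    proxy-related user_pref line so a leftover entry is visible.
$profileRoot = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
if (Test-Path $profileRoot) {
    Get-ChildItem -Path $profileRoot -Directory | ForEach-Object {
        $prefs = Join-Path $_.FullName 'prefs.js'
        if (Test-Path $prefs) {
            Select-String -Path $prefs -Pattern 'network\.proxy\.(type|http|http_port|ssl|ssl_port)' |
                ForEach-Object { $findings += "Firefox $($_.Filename): $($_.Line.Trim())" }
        }
    }
}

# 3. Legacy logon loader (OTL 'F3 - HKCU WinNT: Load'). Anything listed here runs at
#    logon; on a clean system the value is normally absent or empty.
$winntKey = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
$load = (Get-ItemProperty -Path $winntKey -ErrorAction SilentlyContinue).Load
if ($load) {
    $findings += "HKCU WinNT Load = $load"
    if ($load -match '\\Temp\\' -or $load -match '\\AppData\\Local\\') {
        $onDisk = Test-Path ([Environment]::ExpandEnvironmentVariables($load))
        $findings += "  -> loader sits under a user-writable temp path; file present on disk: $onDisk"
    }
}

if ($findings.Count -eq 0) {
    'No proxy or Load indicators found.'
} else {
    $findings
}
```

Run it from a normal PowerShell prompt as the affected user (the keys are all under HKCU, so no elevation is needed). The OTL log above shows the Load value pointing at a csrss.exe that is no longer on disk, which is why the check reports whether the file exists separately from whether the registry entry is still there.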

Quick memory scan with Avast shows that it is still active after running the fix.

Here is the log from after the reboot… and here is the quick-scan log.

Nothing is apparent in the log; what is it that Avast is still alerting on?

Download and Install Combofix

Download ComboFix from one of the following locations:

Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop *

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow it to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.

I run Avast’s memory scan and it shows I have two instances of this virus… one in a SCVhost file and one in explorer.exe.

I am still getting redirected every time I visit a new site.

This is the screen-grab… and in a revolting turn of events I see it has now infected Firefox.exe.

Running combofix now.

And here is ComboFix’s log file.

Even if we don’t get this fixed… find yourself in the Elmwood-Hertel neighborhood of Buffalo NY I owe you a couple of beers. Flying Bison Microbrew… not the mass-market swill. :wink:

OK, it is a bit late for essexboy, a little after 1am in the UK, so he won’t be back on-line until later this evening.

Whilst ComboFix has made some deletions, the log will still need to be analysed by someone more qualified than I. Did it ask for a reboot after it finished?

Unfortunately it is also reporting some unknown elements when doing an MBR rootkit check, and also a possible TDL3 rootkit. These would probably need other tools to check for and deal with them. Two that essexboy would likely use when looking for rootkits are Avast’s aswMBR and TDSSKiller.


[quote="essexboy"]
Download [url=http://public.avast.com/~gmerek/aswMBR.exe]aswMBR.exe[/url] ( 1.8MB ) to your desktop. 

Double click the aswMBR.exe to run it 

Click the "Scan" button to start scan 

http://public.avast.com/~gmerek/aswMBR1.png
 
 
On completion of the scan click save log, save it to your desktop and post in your next reply 

http://public.avast.com/~gmerek/aswMBR2.png
[/quote]

It’s after eight here; I’m going to log off for the night and check back after work tomorrow.

WOOT got another piece of the puzzle. After a few beers and a quick nap I decided to run Microsoft Malicious Software Removal Tool.

It found Trojan:DOS/Alureon:A… an MBR bug.

Given that my copy of Avast won’t update… I think that’s because of the virus… It might not recognize “Alureon:A” and instead reports something else?

Or maybe I have more than one bug.

Either way… more information to help the troubleshooting process.

Follow David’s instructions - I think I will now add aswMBR to the start instructions

Wow, you’re on the forums early today essexboy ???

Aye, decided to take a few days off from work - and now the sun has gone and it is raining

Beautiful here (Oxfordshire) at the moment ;D

Ah 'tis Cornish sunshine you can measure it by the bucket ;D

Program crashed. Twice.

However there were two red highlighted lines… going to run it a third time and get a screen-grab.

EDIT: HERE IS THE SCREEN GRAB

It keeps crashing on one compressed file… so I deleted said file. Running it again now. :slight_smile:

Got through a scan.

Here is the log.

If you use the Alt+Prt Scr keys together, it just copies the active window, not the full-screen image. That keeps the file size small and only shows what is relevant.