Can't enable shields

Hi, I am using Vista-32 and I used to use Avira free antivirus, but yesterday it stopped working, so I tried to fix it and update it, but the real-time protection still didn’t work. So I uninstalled it and re-installed it, but that also didn’t work. Then I tried to use another antivirus, so I installed avast free. But the shields don’t work there either, and this time I can’t even update.

I suppose this means that my computer is infected.

So now, what should I do?

Attached is a HJT log file. I don’t know what HJT is, but I found a lot of people ask for it and use it to identify the problem, so I used it in case it helps.

Thanks.

Follow guide: http://forum.avast.com/index.php?topic=53253.0

Attach all logs here… :wink:

Monitoring - did Avira give any alerts?

It’s not activated. The small icon on the bottom right has an X on it, but I can’t do a scan or anything. Plus I found that I can’t even connect to an account: every time I connect it tells me success, but it’s not actually connected!!!

Here are the logs.
The aswMBR didn’t work but I attached the log anyway.

Thanks

Thank you for posting your logs. Essexboy will continue to assist you with your malware removal when he comes on the forum, which is usually late UK time zone.

In the meantime, please do not make any changes to your machine since posting these logs. Do not sync anything to the machine and try not to use it. If you are on a network, disconnect this machine from the network. I do see problems in your logs that Essexboy needs to work on with you. Thank you.

OK, I am not sure if OTL is strong enough to kill this, but let’s give it a whirl

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL
SRV - File not found [Unknown (-1) | Running] -- -- (syshost32)
DRV - File not found [Kernel | Boot | Stopped] -- -- (lhldjq)
DRV - File not found [Unknown (-1) | Unknown (-1) | Unknown] -- -- (syshost32)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-451692780-2006726030-4535673-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O33 - MountPoints2\{11b1738b-b1ec-11df-a6eb-f1c0d7e74bc3}\Shell\AuTopLay\coMmaND - "" = ubqjor.pif
O33 - MountPoints2\{11b1738b-b1ec-11df-a6eb-f1c0d7e74bc3}\Shell\AutoRun\command - "" = ubqjor.pif
O33 - MountPoints2\{11b1738b-b1ec-11df-a6eb-f1c0d7e74bc3}\Shell\eXploRe\cOmmanD - "" = ubqjor.pif
O33 - MountPoints2\{11b1738b-b1ec-11df-a6eb-f1c0d7e74bc3}\Shell\oPen\cOmMAnd - "" = ubqjor.pif

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
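An added example, not part of the original thread and not OTL's own code: a small triage script over the OTL log lines quoted in the fix above, grouping the "File not found" service and driver entries and the MountPoints2 shell commands. The line layout is assumed from the lines on this page only; the function names, the list of usual verb spellings and the list of executable extensions are assumptions of this example.

```python
import re
from collections import defaultdict

# Log lines as quoted in the fix in this thread; layout is assumed from them alone.
SAMPLE = r'''SRV - File not found [Unknown (-1) | Running] -- -- (syshost32)
DRV - File not found [Kernel | Boot | Stopped] -- -- (lhldjq)
DRV - File not found [Unknown (-1) | Unknown (-1) | Unknown] -- -- (syshost32)
O33 - MountPoints2\{11b1738b-b1ec-11df-a6eb-f1c0d7e74bc3}\Shell\AuTopLay\coMmaND - "" = ubqjor.pif
O33 - MountPoints2\{11b1738b-b1ec-11df-a6eb-f1c0d7e74bc3}\Shell\AutoRun\command - "" = ubqjor.pif
O33 - MountPoints2\{11b1738b-b1ec-11df-a6eb-f1c0d7e74bc3}\Shell\eXploRe\cOmmanD - "" = ubqjor.pif
O33 - MountPoints2\{11b1738b-b1ec-11df-a6eb-f1c0d7e74bc3}\Shell\oPen\cOmMAnd - "" = ubqjor.pif'''

SVC = re.compile(r'^(SRV|DRV) - File not found \[(.*?)\] -- -- \((.+)\)$')
MP2 = re.compile(r'^O33 - MountPoints2\\(\{[0-9a-fA-F-]+\})\\Shell\\([^\\]+)\\([^\\ ]+) - "" = (.+)$')
# Assumptions of this example: usual verb spellings and executable extensions.
USUAL_VERBS = {"AutoRun", "AutoPlay", "open", "explore"}
EXEC_EXT = (".pif", ".exe", ".com", ".scr", ".bat", ".cmd")

def triage(text):
    """Return (orphans, autoruns) parsed from OTL-style log lines."""
    orphans = defaultdict(list)  # service name -> [(SRV|DRV, state string)]
    autoruns = []                # one dict per MountPoints2 shell command
    for line in text.splitlines():
        line = line.strip()
        m = SVC.match(line)
        if m:
            orphans[m.group(3)].append((m.group(1), m.group(2)))
            continue
        m = MP2.match(line)
        if m:
            volume, verb, key, target = m.groups()
            autoruns.append({"volume": volume, "verb": verb, "target": target,
                             "odd_case": verb not in USUAL_VERBS or key != "command"})
    return dict(orphans), autoruns

def summary(text):
    """Condense the parsed entries into the points worth a second look."""
    orphans, autoruns = triage(text)
    targets = sorted({a["target"] for a in autoruns})
    return {
        # registered service with no file on disk that still reports as running
        "running_orphans": sorted(n for n, e in orphans.items()
                                  if any("Running" in state for _, state in e)),
        "autorun_targets": targets,
        "executable_targets": [t for t in targets if t.lower().endswith(EXEC_EXT)],
        "odd_case_verbs": [a["verb"] for a in autoruns if a["odd_case"]],
    }

if __name__ == "__main__":
    for name, value in summary(SAMPLE).items():
        print(name, value)
```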

I didn’t find the ComboFix log file. There is a c:\combofix file but it’s not .txt; it’s like the Computer icon on the desktop, and when I double-click it, it shows me the hard disk drives.

Also, Windows Defender stopped working after the reboot from ComboFix. I rebooted again as advised but the problem didn’t get solved.
I still haven’t tried to enable the avast shields.

Aye OTL lacked the oomph to kill the main driver…

So let’s try a different tack… Delete the current copy of Combofix from your desktop
Download a fresh copy but prior to saving rename as Gotcha and try again… Meanwhile I will look for a stronger tool. I think maybe Avenger next

Just to be clear, you want me to download a fresh Combofix but rename it before saving and call it “Gotcha”?

Yes please

The same thing happened, but I noticed that the computer didn’t restart normally; the blue screen appeared for a second and then the computer restarted

  1. Please download The Avenger by Swandog46 to your Desktop.

[*]Right click on the Avenger.zip folder and select “Extract All…”
[*] Follow the prompts and extract the avenger folder to your desktop

  2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):
Begin copying here:
Drivers to delete:
syshost32

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

https://dl.dropbox.com/u/73555776/Avenger%20icon.GIF

[*]Accept the disclaimer

https://dl.dropbox.com/u/73555776/Avenger%20disclaim.GIF

[*] Right click on the window under Input script here:, and select Paste.

https://dl.dropbox.com/u/73555776/Avenger%20run.GIF

[*] You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
[*] Click on Execute

[*] Answer “Yes” twice when prompted.

  4. The Avenger will automatically do the following:

[*]It will Restart your computer. ( In cases where the code to execute contains “Drivers to Delete”, The Avenger will actually restart your system twice.)
[*]On reboot, it will briefly open a black command window on your desktop, this is normal.
[*]After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
[*] The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

  5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh OTL log

Attached is the log of a fresh OTL quick scan with no code added,
and the Avenger log is:

Logfile of The Avenger Version 2.0, (c) by Swandog46 http://swandog46.geekstogo.com

Platform: Windows Vista


Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger


Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver “syshost32” deleted successfully.

Completed script processing.


Finished! Terminate.

OK that killed it ;D

Could you now retry Combofix please

Sorry my friend, the same result.
I downloaded a new Combofix and saved it with the name combofix2, and after the restart the C: drive contains a combofix2 icon, but it’s like the “Computer” shortcut???

OK, let’s run the analysis-only part of AVP; you will need to upload the zip file to a file sharing site for me to collect

Download AVPTool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named)

Now the Analysis

Rerun AVP and select the Manual Disinfection tab and press Start Gathering System Information

http://dl.dropbox.com/u/73555776/kas%20manual.JPG

On completion click the link to locate the zip file to upload and attach to your next post

http://dl.dropbox.com/u/73555776/Kas%20Zip.JPG

Failed to install
error code: -2147024894
!!!

Time for the big boy

Please download the following programmes to your desktop:

Dr Web Live CD

ImgBurn

Install IMGBurn

[*]Double click Dr Web
[*]IMGBurn will open
[*]Burn the ISO to a cd

[*]Reboot the infected computer with the CD in the drive
[*]Ensure that the first boot device is CD - If you are not sure about that then see this page for instructions
[*]As loading starts, a dialogue window will prompt you to choose between the standard and safe modes.

http://i1224.photobucket.com/albums/ee362/Essexboy3/Dr%20Web%20shots/livecdbootscreen.gif

[*]Use arrow keys to select DrWeb-LiveCD (Default)

[*]When the system is loaded, check the disks or folders you want to scan, and click on “Start”.

http://i1224.photobucket.com/albums/ee362/Essexboy3/Dr%20Web%20shots/livecdDriveselection.gif

[*]The programme will now scan for and cure/delete any malware that it finds. Allow it to do so
[*]Once completed reboot to normal windows
[*]No log is produced so once in normal windows run a fresh OTL scan and let me know if the problems persist

My CD drive is broken; I will need to buy a new one. This will take me a few days. Can I do the burning on another computer?