Can't seem to remove remnant of AV8 "Attention! Your webpage request has been...

A friend running XP Pro with Avast! home free edition got the AV8 rogue virus. I was able to remove the primary files of the virus but there is still the problem with the browser blocking websites with the “Attention! Your webpage request has been cancelled.” message. Malwarebytes can’t find it. Avast! boot scan can’t find it. AdAware won’t start, just gets stuck at the “loading” message. Avast! keeps detecting a malicious site access and blocking it, which is probably keeping it from reinfecting completely, but I need to get the remnants off so IE will work properly again. HijackThis doesn’t show any processes that can’t be explained by printer software, camera software, etc. I have attached the hijackthis.log file anyway.

I know that I can’t uninstall IE, so what do I do now?

Thanks
Michelle

Malwarebytes can't find it.
Is Malwarebytes fully updated when you scan with it ?

I guess it is this one

Remove Antivirus8 or Antivirus 8 (Uninstall Guide)
http://www.bleepingcomputer.com/virus-removal/remove-antivirus8

Yes, all tools are fully updated. Windows Security had been disabled so I turned it back on and enabled the firewall, just in case this mattered.

Follow this guide from our expert malware remover Essexboy, and post the logs here:
http://forum.avast.com/index.php?topic=53253.0

To avoid using multiple posts with copy and paste, you have to attach the logs:
Lower left corner: Additional Options > Attach ( OTL.Txt and Extras.Txt.)

svchost.exe is popping up with a malicious URL. A .dll file popped up as malicious so I deleted it but then the svchost popped up again anyway and I still can’t get on the internet.

The OTL.txt is attached.

Okay, using the OTL report I found that there are files called d3d8caps.data and d3d9caps.dat in the Windows\System32 folder that the web says are a virus called Krunchy Packed; another site says it is in the avkill.c family of trojans. I am going to send them to the recycle bin and see if that solves the problem.

Why not wait for Essexboy's advice…

Well, guess I will have to since that didn’t fix it. They are in the recycle bin and I don’t know if they can still do their thing from there or not but the problem is still there. Here is the extras.txt file that I forgot to add last time.

I just need to get this done before Monday and I have much to do otherwise as well. Sorry . . . didn’t mean to be impatient.

Michelle :stuck_out_tongue:

Essexboy just needs some sleep, then he will be back ;D

Yes, I am in the USA so it is only 6:47 pm . . . I forget that other people’s clocks say it is the middle of the night. ;D

I’ll just turn it off and move on to other tasks for now. When I get up tomorrow I will try to fix her machine again.

Thanks everyone.
Michelle

Yes, almost 2a.m. in the UK where essexboy is.

Okay, using the OTL report I found that there are files called d3d8caps.data and d3d9caps.dat in the Windows\System32 folder that the web says are a virus called Krunchy Packed; another site says it is in the avkill.c family of trojans. I am going to send them to the recycle bin and see if that solves the problem.
It won't, as they are legitimate files.

OK, I will need to inspect your drivers and netsvc.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

[*]Double click on ComboFix.exe & follow the prompts.

[*]As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

ComboFix found a rootkit. Here is the log.

Your MBR was infected:

\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected

Your sfc file appears corrupt, so let's see if we can find a replacement.

[*]Double click OTL. Make sure all other windows are closed and to let it run uninterrupted.
[*]Select All Users
[*]Under the Custom Scan box paste this in:

/md5start
sfcfiles.dll
/md5stop
CREATERESTOREPOINT

[*]Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
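As an added illustration (not part of this thread, and not OTL's own code), the script below does in Python what the /md5start custom scan above does: it finds every copy of a named system file under a root, hashes each one, and reports whether the copies agree or match a trusted hash, so a tampered System32 copy stands out against the dllcache backup. The directory tree and file contents are constructed for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def md5_of(path):
    """MD5 of a file, read in chunks so large DLLs do not load into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_copies(root, filename):
    """Every path under root whose name matches filename (case-insensitive, as on Windows)."""
    wanted = filename.lower()
    return sorted(os.path.join(d, n) for d, _, files in os.walk(root)
                  for n in files if n.lower() == wanted)


def md5_report(root, filename, known_good=None):
    """Hash each copy and return (path -> md5, verdict).

    known_good: optional set of trusted MD5 digests (e.g. taken from a clean machine at
    the same service pack level). Without it, the copies are only compared with each other."""
    hashes = {p: md5_of(p) for p in find_copies(root, filename)}
    if not hashes:
        return hashes, "no copies found"
    if known_good is not None:
        bad = [p for p, h in hashes.items() if h not in known_good]
        verdict = "all copies match known-good" if not bad else f"{len(bad)} copy(ies) not known-good"
    elif len(set(hashes.values())) == 1:
        verdict = "all copies identical"
    else:
        verdict = f"{len(set(hashes.values()))} different versions found; inspect each"
    return hashes, verdict


def build_demo_tree():
    """Constructed sample: a dllcache backup of sfcfiles.dll plus a System32 copy that was altered."""
    root = Path(tempfile.mkdtemp())
    clean = b"MZ\x90\x00" + b"sfcfiles-clean" * 100          # stand-in for a real DLL image
    (root / "system32" / "dllcache").mkdir(parents=True)
    (root / "system32" / "dllcache" / "sfcfiles.dll").write_bytes(clean)
    (root / "system32" / "sfcfiles.dll").write_bytes(clean[:-4] + b"XXXX")  # simulated tampering
    return root, hashlib.md5(clean).hexdigest()


if __name__ == "__main__":
    demo_root, good_md5 = build_demo_tree()
    for path, digest in md5_report(demo_root, "sfcfiles.dll")[0].items():
        print(digest, path)
    print(md5_report(demo_root, "sfcfiles.dll", {good_md5})[1])
```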

I can now go to webpages so that is fixed. THANKS!

Do I need to be connected to the internet when I run the OTL as you ask?

Nope, no need, I will just be doing a search on your system.

Okay, here they are (uploading from the previously infected machine! ;D).

OK the MD5 is good for the copy that you have

Looking at that I am a happy bunny :slight_smile:

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:Commands [resethosts] [purity] [emptytemp] [EMPTYFLASH] [CLEARALLRESTOREPOINTS] [Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done

.
Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via Control Panel > Add/Remove along with ERUNT, but they may be useful tools to keep.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that.

[*]Click Start.
[*]Open My Computer.
[*]Select the Tools menu and click Folder Options.
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[*]Click Yes to confirm.
[*]Click OK.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install on those systems.

Upgrading Java:

[*]Download the latest version of Java SE Runtime Environment (JRE): JRE 6 Update 22.
[*]Click the “Download” button to the right.
[*]Select your Platform and check the box that says: “I agree to the Java SE Runtime Environment 6 License Agreement.”.
[*]Click on Continue.
[*]Click on the link to download Windows Offline Installation (jre-6u22-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager…
[*]Close any programs you may have running - especially your web browser.
[*]Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
[*]Check any item with Java Runtime Environment (JRE or J2SE) in the name.
[*]Click the Remove or Change/Remove button.
[*]Repeat as many times as necessary to remove each Java version.
[*]Reboot your computer once all Java components are removed.
[*]Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u22-windows-i586-p.exe and select “Run as an Administrator.”)

SPRING CLEAN

Download and run Puran Disc Defragmenter
For the first run I would recommend a boot defrag and disc check.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
[*]SpywareBlaster to help prevent spyware from installing in the first place.

Malwarebytes. Run weekly to keep your system clean.

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit:
[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe :wave:

I know how she got infected but I am not sure who messed with the settings to turn off Windows Security Center (and therefore the firewall), disabled Avast! and made other changes that left her system wide open! I certainly didn’t set it that way last time I worked on it! Then she let a novice user on it to do something on the Web and they fell for one of those rogue AV ads, installing the AV8 application. When she couldn’t even get to her desktop anymore she finally brought it back to me. She promises not to let anyone else touch her laptop so it should be fine.

I have downloaded the recommended software and will install it and run the machine for a day before I give it back tomorrow. I will instruct her to run Malwarebytes once a week or anytime she suspects foul play and to keep the antispyware app up to date since she has no money to buy the version with the autoupdates. I had already uninstalled AdAware since it was hung and the last few times I have dealt with an infected machine it has been uselessly locked up like that.

Thank you so much for all your help!

Michelle :smiley:

Our pleasure - keep safe