flices.biz/gate.php

Avast has been flashing up warnings of malware with the name flices.biz/gate.php.

I have no idea if it is related but when logging into my bank account I was redirected to another site and asked for my mobile number. My account is now locked.

On ebay, my computer was not recognised.

On Facebook, I was asked to verify my account by giving my credit card details (!)

I have updated Avast and run scans but nothing comes up.

I have run Malwarebytes and still nothing.

I have no idea what is going on or what to do.

Please can someone suggest something?

Many thanks

Well I would go for a check-up made by our qualified removal experts, because gate.php could mean Zeusbot, Citadel and maybe you have run into a banking trojan infection of some sort. The latest versions of SpyZeus reconstruct the admin panel, and further differentiate the admin panel files from the Command and Control gate PHP file.
So follow the instructions given up here: http://forum.avast.com/index.php?topic=53253.0
After posting the logs attached one of our qualified malware removal experts will have a look, I will inform them to come and monitor your thread.
We’ll be sure to sort this out for you, don’t worry,

polonus

Many thanks for your reply. I hope I have attached all the correct logs in the correct manner.

I am struggling after a long day of trying to find a solution. It is not possible to access google so am having to use safe mode.

OK, let's kill this darned thing

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
O4 - HKU\S-1-5-21-3153830845-674630560-2875946465-1005..\Run: [Gafoas] C:\Documents and Settings\Tricia\Application Data\Cyyz\ruvee.exe ()
[2012/08/14 23:17:09 | 000,489,472 | ---- | C] (Andrew Zhezherun) -- C:\Documents and Settings\Tricia\Application Data\larat.dll
[2012/08/14 23:16:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tricia\Application Data\Oqkia
[2012/08/14 23:16:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tricia\Application Data\Zaqu
[2012/08/14 23:16:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tricia\Application Data\Cyyz
[2012/07/28 22:52:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tricia\Application Data\Viek
[2012/07/28 22:52:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tricia\Application Data\Iqococ
[2012/07/28 22:52:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tricia\Application Data\Adqu
[2012/08/14 23:15:14 | 000,169,984 | -HS- | M] () -- C:\Documents and Settings\Tricia\Application Data\bspse.dll

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download the latest version of TDSSKiller from here and save it to your Desktop.

[*]Double-click on TDSSKiller.exe to run the application

http://dl.dropbox.com/u/73555776/TDSSFront.JPG

[*]Then click on Change parameters.

http://dl.dropbox.com/u/73555776/TDSSConfig.JPG

[*]Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

[*]Click the Start Scan button.

[*]If a suspicious object is detected, the default action will be Skip, click on Continue.

http://dl.dropbox.com/u/73555776/TDSSFound.JPG

[*]If malicious objects are found, they will show in the Scan results and offer three (3) options.
[*]Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

[*]Get the report by selecting Reports

http://dl.dropbox.com/u/73555776/TDSSEnd.JPG

[*]Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

Please copy and paste its contents on your next reply.

FINALLY

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow it to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describe how your computer is running now.

Many thanks!

I had started a reply but PC froze during the Combofix scan (no, I did not touch anything) and I had to switch off. System recovery took ages and then this came up

RUNDLL
Error loading C:Documents and settings\Tricia\Application Data\bspse.dll
The specified module could not be found

Also, TDSSKiller found 17 threats but I could not find a way to copy the report - right clicked, tried to copy and paste - but nothing would work.

It is very late here in wet and windy Scotland so I had better stop for now and look at it all again when I am feeling more alert.

I look forward to more instructions re Combofix.

Many thanks, once again

Hi burnside,

“Haste ye back”,

polonus

Okay - this morning I am still receiving the warning -

RUNDLL
Error loading C:Documents and settings\Tricia\Application Data\bspse.dll
The specified module could not be found

Can you tell me how to fix this?

I have worked out how to copy and paste a TDSSKiller report - should I run the programme again?

What should I do re ComboFix?

Is the problem fixed? I managed to log on to something today with no problem but am wary of accessing bank accounts and online client files.

So far, today, no Url:Mal from Avast.

Can anyone enlighten me as to how I managed to acquire the problem - Win32:Zeroot -B? I have fully paid up Avast and Malwarebytes but neither of them flagged up the culprit.

How do I avoid “receiving” this problem again?

Apologies for all the questions and for being such a dunce. Wish I had the time to learn how to do all this for myself and am in awe of you!

BW

The error is most likely generated because there is a registry entry (or other command) trying to register the bspse.dll file. This dll file in that location I would say is highly suspect (plus zero hits on a google search for this file, other than this topic) and has probably been removed, but the orphan registry entry/command is still trying to register it, so you get this error.

Essexboy will be on-line later this afternoon (now 12:20pm in the UK) after work, so until then you have my best guess on why you are getting the error.
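A defender-side way to find the kind of orphan autostart entry polonus describes, added here as an example that is not part of the thread and is not the code of OTL, Avast or any other tool mentioned in it. It lists the Run/RunOnce values of the machine and current user, works out which file each command actually loads (including the DLL named in a rundll32 command, which is the form the bspse.dll entry later turns out to have), and flags two things: a target that no longer exists, which is exactly what produces the RUNDLL "specified module could not be found" message at logon, and a target that lives inside the user profile, where legitimate autostarts rarely sit. It assumes PowerShell 3 or later on Windows and is run as the affected user so that HKCU is that user's hive; the key list and the function names are my own.

```powershell
# Added example (not from the thread): triage Run-key autostart entries and flag
# (a) commands whose target file is missing - the orphan entry behind a RUNDLL
#     "specified module could not be found" error at logon, and
# (b) targets stored under the user profile (user-writable, unusual for real autostarts).
# Assumes PowerShell 3+ on Windows; run as the affected user so HKCU is theirs.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutostartTarget {
    # Return the file a Run-value command actually loads, or $null if it cannot be parsed.
    param([string]$Command)
    # rundll32.exe "C:\path\lib.dll",Export (quotes optional): the DLL is the payload.
    if ($Command -match '(?i)rundll32(?:\.exe)?\s+"?([^",]+?)"?\s*,') { return $Matches[1].Trim() }
    # "C:\path with spaces\app.exe" /args : quoted path.
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    # C:\path with spaces\app.exe /args : everything up to the first program extension.
    if ($Command -match '(?i)^\s*(.+?\.(?:exe|dll|cmd|bat|vbs|js|scr))(?:\s|$)') { return $Matches[1] }
    return $null
}

function Test-AutostartEntries {
    param([string[]]$Keys = $RunKeys)
    $profileRoot = [Environment]::GetFolderPath('UserProfile')
    foreach ($key in $Keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... metadata that Get-ItemProperty adds.
            if ($prop.Name -like 'PS*') { continue }
            $command  = [string]$prop.Value
            $target   = Get-AutostartTarget -Command $command
            $expanded = if ($target) { [Environment]::ExpandEnvironmentVariables($target) } else { $null }
            $flags = @()
            if (-not $expanded) {
                $flags += 'UNPARSED-COMMAND (inspect manually)'
            } else {
                if (-not (Test-Path -LiteralPath $expanded -PathType Leaf)) {
                    $flags += 'TARGET-MISSING (orphan entry; the value itself still needs removing)'
                }
                if ($expanded.StartsWith($profileRoot, [StringComparison]::OrdinalIgnoreCase)) {
                    $flags += 'USER-WRITABLE-LOCATION (check the file before trusting it)'
                }
            }
            [pscustomobject]@{
                Key     = $key
                Name    = $prop.Name
                Command = $command
                Target  = $expanded
                Flags   = ($flags -join '; ')
            }
        }
    }
}

# Show only the entries that raised a flag; drop the Where-Object to see every autostart.
Test-AutostartEntries | Where-Object { $_.Flags } | Format-List
```

The script only reports; removing a flagged value is a separate, deliberate step, and an entry under another user's SID (the HKU\S-1-5-21-... line in the first OTL fix) is only visible when run as that user or with the HKU: drive mapped.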

Thanks for this suggestion. I think I understand and hope that we can sort it.

Meantime, I have rerun TDSSKiller (now 18 threats) and have attached the report.

Meant to say last night that there was no option to “cure” so just skipped.

That was my fault, I missed out the run key for the bad boy

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL
O4 - HKLM..\Run: [bspse] C:\Documents and Settings\Tricia\Application Data\bspse.dll ()
O4 - HKCU..\Run: [Gafoas] "C:\Documents and Settings\Tricia\Application Data\Cyyz\ruvee.exe" File not found
O4 - HKLM..\Run: [bspse] rundll32.exe "C:\Documents and Settings\Tricia\Application Data\bspse.dll",SwapMultiple File not found

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Please re-run Combofix, from safe mode if necessary

Thank you for coming back to help me. Why is nothing simple? I have rerun OTL and have attached the log.

Then I reran Combofix in safe mode. The first hurdle was

‘Microsoft Windows recovery console not installed. Combofix wants to download/install’

Then

‘failed to download required files. Aborting … Shall continue scanning for malware’

The Autoscan then ran and I left it for over an hour but nothing happened. The whole system froze; even the clock had stopped. So…what am I doing wrong? Do I have a major problem here?

On the plus side - no Avast popups today.

Once again, I will wait for your assistance.

OK, let's try a different programme if ComboFix is playing hard to get

[*]Download RogueKiller and save it on your desktop.
[*]Quit all programs
[*]Start RogueKiller.exe.
[*]Wait until Prescan has finished …
[*]Click on Scan

http://i1224.photobucket.com/albums/ee362/Essexboy3/RogueKiller/RGKRScan.png

[*]Wait for the end of the scan.
[*]The report has been created on the desktop.
[*]Click on the Delete button.

http://i1224.photobucket.com/albums/ee362/Essexboy3/RogueKiller/RGKRDelete.png

[*]The report has been created on the desktop.

[*]Next click on the ShortcutsFix

http://i1224.photobucket.com/albums/ee362/Essexboy3/RogueKiller/RGKRShortcutsFix.png

[*]The report has been created on the desktop.

Please post: All RKreport.txt text files located on your desktop.

I am sooo pleased that you know what you are doing! This is scary stuff - all the deleting and not knowing what is happening!

I have attached 3 reports and await your response.

I am extremely grateful to you for all this assistance.

Hi burnside,

Yes, essexboy knows what he is doing where malware cleansing is concerned. With him you are in the best of hands,

polonus

OK, we will need to move outside of Windows now as there is the possibility of a file infector that we need to check out

Please download the following programmes to your desktop:

Dr Web Live CD

ImgBurn

Install IMGBurn

[*]Double click Dr Web
[*]IMGBurn will open
[*]Burn the ISO to a cd

[*]Reboot the infected computer with the CD in the drive
[*]Ensure that the first boot device is CD - If you are not sure about that then see this page for instructions
[*]As loading starts, a dialogue window will prompt you to choose between the standard and safe modes.

http://i1224.photobucket.com/albums/ee362/Essexboy3/Dr%20Web%20shots/livecdbootscreen.gif

[*]Use arrow keys to select DrWeb-LiveCD (Default)

[*]When the system is loaded, check the disks or folders you want to scan, and click on “Start”.

http://i1224.photobucket.com/albums/ee362/Essexboy3/Dr%20Web%20shots/livecdDriveselection.gif

[*]The programme will now scan for and cure/delete any malware that it finds. Allow it to do so
[*]Once completed reboot to normal windows
[*]No log is produced so once in normal windows run a fresh OTL scan and let me know if the problems persist

I have downloaded Dr Web Live CD to my desktop but the files have to be extracted and I cannot find a programme to run. I am stuck and am hoping that someone can help, please.

Edit - the programme is downloaded to my desktop as WinRaR. I extracted the files but none of them made sense (to me).

The file should have downloaded with an ISO extension and not RAR … Did you change it at all ?

It downloaded as an ISO extension, as drweb-livecd-600.iso - WinRAR (evaluation copy). The files are extracted to a folder and in that is another folder called “boot”. No exe files.

I must be doing something wrong.

Just downloading now… It is coming down on my system as an ISO

Hi - I have downloaded it twice, takes well over an hour and always arrives as WinRAR