Hello, I need some help.
Installed Avast Internet security recently and it reports on computer startup that it has found rootkit virus swcustcfg. Electing to delete fails and Avast reports it again on startup. Looking in this forum I found the procedure to attach the necessary ( I hope) log files. 3 in this post 2 to follow.
Cheers
Next 2 attach.
malware removers are notified…check back later today
Hi and welcome,
Please download DDS from either of these links
and save it to your desktop.
[*]Disable any script blocking protection
[*]Right-click and Run as Administrator dds to run the tool.
[*]When done, two DDS.txt’s will open.
[*]Save both reports to your desktop.
Please attach the contents of the following in your next reply:
DDS.txt
Attach.txt
http://i1224.photobucket.com/albums/ee380/jeffce74/TDSK.jpg
Please download TDSSKiller
[*]Double click TDSSKiller.exe
[*]Press Start Scan
[*]If Malicious objects are found, select Skip by changing the Cure dropdown in the upper right.
[]Do Not Attempt To Fix Anything Now. We just need to look over the report and be sure we are removing the correct items.
[]Attach the log in your next reply
[*]A copy of the log will be saved automatically to the root of the drive (typically C:)
Hello jeffce,
Thank you for attending. Files attached as req.
It seems that the file that Avast Internet Security is picking up a false positive with swcustcfg.
Please read through these instructions to familarize yourself with what to expect when this tool runs
Download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop
[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs
[*]Double click on ComboFix.exe & follow the prompts.
[*]As part of it’s process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it’s malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RCUpdate1.png
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/RC2-1.png
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1.Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer’s settings, including making I-E the default browser.
3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
4. If you get a message saying “Illegal operation attempted on a registry key that has been marked for deletion”, please restart your computer.
Thanks jeffce,
combofix. txt attached
Before we continue, do you use this computer to access work or school by chance?
Yes Citrix Remote Desktop access.
Hi,
Thanks for letting me know about the proxy settings.
I see that you have PCTools firewall Plus on your system as well as running Avast Internet Security (which has a firewall). I would recommend that you uninstall PC Tools Firewall Plus.
Once you get that done, let me know how your system is running.
Yes jeffce, I realised I had 2 firewalls running when I was disabling stuff for the previous step, so I left PC tools disabled. It is now totally removed as you suggested.
Start up and shut down times have improved and Avast still reports about swcustcfg presence.
I’m not sure what you mean about the proxy settings unless they were in one of the log files. Is/was Citrix part of the problem?
Hi,
I am speaking with a colleague about your system. I will return as quickly as I can. 
Hi,
Apologies for taking so long…
The popup you are getting from Avast, could you post a screenshot of it? The entry that is being detected, I believe, is a False Positive and we will just need to move the file to your Exclusions list.
How is your system running otherwise?
Appears to be running OK, less delays opening progs etc. I’ll get you that screen shot next post.
Screen shot
Download the GMER Rootkit Scanner unzip to your Desktop.
Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
Double-click gmer.exe. The program will begin to run.
https://dl.dropbox.com/u/73555776/GMER_Open.JPG
Caution
These types of scans can produce false positives. Do NOT take any action on any “<— ROOKIT” entries unless advised!
If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
[*]Click NO
[*]In the right panel, you will see a bunch of boxes that have been checked … leave everything checked and ensure the Show all box is un-checked.
[*]Now click the Scan button.
Once the scan is complete, you may receive another notice about rootkit activity.
[]Click OK.
[]GMER will produce a log. Click on the [Save…] button, and in the File name area, type in “GMER.txt”
[*]Save it where you can easily find it, such as your desktop.
Attach the contents of GMER.txt in your next reply.
Thanks jeffce,
File attached
Hi,
Good job!
Run OTL.exe
[*]Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
:Services
:Reg
[-HKLM\SYSTEM\CurrentControlSet\Services\swcustcfg]
[-HKLM\SYSTEM\ControlSet003\Services\swcustcfg]
[-HKLM\SOFTWARE\Classes\CLSID\{FDB4A846-6A04-87BE-E5AB-393EDD021FC0}\lbzctmzg@]
[-HKLM\SOFTWARE\Classes\CLSID\{FDB4A846-6A04-87BE-E5AB-393EDD021FC0}\urOqffuVocnJ@]
:Commands
[emptytemp]
[start explorer]
[Reboot]
[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot when it is done
[*]Then run a new scan and post a new OTL log ( don’t check the boxes beside LOP Check or Purity this time )
Post the new logs made by OTL and let me know if you are still receiving the warnings. If you are, please just go ahead and add it to your Exclusions list in Avast.
Still getting the warning.
Added to exclusions list.
Log file attached.
Next time that it pops up get a screen shot of it so I can see what you are seeing now.