Much grief after upgrading! - SOLVED

I’ve been so far around the block, I should have kept notes. >:( I upgraded from the free version and quickly found I could not access YouTube videos - no Flash Player. I temporarily disabled Avast, but it didn’t help. Up to this point, the latest version of Flash Player had been working fine on my Win XP 64. I’ve read much about the compatibility issues of Flash working with 64-bit OSs, but in spite of it, mine was working OK.

I tried reinstalling Flash, both current and older version to no avail. I could restore to a week prior, and it worked fine again. But there were some things I wanted to keep, so restored to the current date. I tried to find any type of settings in Avast that would help, but found nothing. I started looking over the forum and found little, except a sticky explaining how to download and run 3 utilities. I wrote a question asking for help and it got lost or scrapped, because it never showed. This was last night, and tonight I started following the instructions on the sticky page. I ran Malwarebytes’ Anti-Malware, and it found some stuff, then tried to run OTL after a reboot. LOCKUP! I tried this 3 times with the same problem. Booted into safe mode and looked for any clues, but found none. At this point, any time I booted normally, it would open the normal main screen, but nothing worked. The only way out was to hard boot into safe mode and restore to last night.

I’m kinda at my wit’s end. Don’t want to restore all the way back to the upgrade, but so far things don’t look too good for Avast.

Any help or suggestions would be appreciated. I really need Flash Player.

I’ve attached the file from the Anti-Malware program.

I’m glad you attached the MBAM log…it explains a lot. I highly suggest you turn ON Avast and keep it on, and run a Full Scan. If it finds anything, put it into the Virus Chest and when done run a Boot time scan.

Please report back by giving a screen shot if possible on anything that goes into the Virus Chest [exact name and location of the file(s)].

After doing this, please check the information on the first post of this thread under Virus/Worms for you to check your machine for malware: http://forum.avast.com/index.php?topic=53253.0.

Follow the directions of obtaining the OTL logs (save them as ANSI), and aswMBR log. Post the logs as an attachment (Additional Options > Attach > Post).

After posting your attachments in your next log, one of our malware removal experts will be along to assist you.

In the meantime, do not go online, disable this machine from any network if it is on one, do not share any portable media with another machine, and try to not use it except to follow the directions I have given above. Based on the malware in the MBAM log and the problems you are still having, I suspect you have additional malware that needs to be removed.

Feel free to ask questions. Thank you.

Well Safesurf,
I ran the full scan and found a few things that didn’t look too good. That didn’t take too long, and I’ll attach a Word doc for the results, but when I ran the “boot time scan”, it took me 2 days because I started it before going to bed. When I came back 20 hours later, it presented a choice as to where and how to deal with the files. I watched it run for quite a while and saw some questionable items being found, but let it run overnight. In the morning it had rebooted to Windows XP 64 and I re-ran the Malwarebytes utility. (After the 1st run, and trying to run OTL, because the computer was unusable, I was forced to restore it to just prior, losing any gains from the Malwarebytes run.) It looked like the same stuff that was found the 1st time. After telling it to fix all entries, it wanted to reboot, which I did, then went to work today.

When I came home this evening, the computer had booted “normally”, but I had NO control other than being able to move the cursor. I did a hard restart, and went into Safe Mode to disable Malwarebytes from starting, then rebooted again and got to this page so I could question the safety of Malwarebytes on Win XP 64. Especially the use of OTL, as it shut me down before.

I’ll stop right here till I get a response.
Thanks

After making the last post, I was checking on some things and discovered that an add-on in MSIE 8 for Flash Player was turned off. Changing this solved my Flash Player problem wonderfully. :-[ However, if there are any other things lurking on my system, I would be grateful for any continued help. At least the problem had nothing to do with Avast. However, I’m troubled at the issue of not being able to run OTL and the kinks in the cleanup process you recommended. So I’d like to hear from you again when you get time.

Thanks,
Gerald

So you are not able to create an OTL log? How about an aswMBR log? You do have malware that needs to be cleaned up. I’m going to refer you to one of our malware removal specialists to assist you further. In the meantime, do not make any further changes to your machine, disconnect it from a network if it is on one, try not to use it, and do not sync anything with it.

Let me know if you have any questions.

Essexboy has been notified.

Hi there. First we will try OTL without any custom scan; just press the Quick Scan button. Does that work?

If not, could you try the same from Safe Mode and let me know the result.

Let’s try this again. :cry:
Thanks for helping me. OTL ran fine this time. It took me a while to browse through the results and I saw numerous things I wondered about, like SearchScopes under IE. I’m very wary of things like Google search and IE add-ons. I use Start Page to prevent Google/CIA from seeing what I research. I recently downloaded Google Earth and now it keeps trying to access something, giving me an error repeatedly. I’ve noticed the name Babylon popping up perniciously and can’t find how to get rid of it (searched the registry). Also, when opening either web browser, they open to an AVG search page instead of my default or home page. No idea where it came from. I hope you know where to look in all that info, but appreciate your time.

I’ll copy this text before trying to resend this time. :slight_smile:

Here’s the other file from the OTL scan.

AVG, Babylon and iLivid come bundled, so always be careful when you install programmes.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL
IE - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = http://dts.search-results.com/sr?src=ieb&appid=102&systemid=406&q={searchTerms}
IE - HKLM\..\SearchScopes\{a5b9c0f5-5616-47cd-a95f-e43b488faccf}: "URL" = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=XPxdm003YYus&ptnrS=XPxdm003YYus&si=CLGuntL1zq4CFeMbQgodVE54-w&ptb=BE4DA973-13F8-42BB-9CC0-6CD87A1FAD4E&psa=&ind=2012030423&st=sb&n=77ed25d7&searchfor={searchTerms}
IE - HKCU\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = http://dts.search-results.com/sr?src=ieb&appid=102&systemid=406&q={searchTerms}
IE - HKCU\..\SearchScopes\{a5b9c0f5-5616-47cd-a95f-e43b488faccf}: "URL" = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=XPxdm003YYus&ptnrS=XPxdm003YYus&si=CLGuntL1zq4CFeMbQgodVE54-w&ptb=BE4DA973-13F8-42BB-9CC0-6CD87A1FAD4E&psa=&ind=2012030423&st=sb&n=77ed25d7&searchfor={searchTerms}
FF - prefs.js..browser.search.defaultenginename: "AVG Secure Search"
FF - prefs.js..browser.search.order.1: "Search the web (Babylon)"
FF - HKLM\Software\MozillaPlugins\@checkpoint.com/FFApi: File not found
[2012/06/17 22:02:59 | 000,003,749 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\avg-secure-search.xml
[2011/12/30 15:37:21 | 000,002,288 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\babylon.xml
[2012/06/08 12:33:36 | 000,000,000 | ---D | M] (WhiteSmoke US Community Toolbar) -- C:\Documents and Settings\Geralds.GERALD-64\Application Data\Mozilla\Firefox\Profiles\lsfyxzox.default\extensions\{cce665dd-f6dd-4808-968e-eaec971f70ef}
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (no name) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No CLSID value found.
O2 - BHO: (no name) - {5AB7104A-B71F-49AD-9154-F7F8806AE848} - No CLSID value found.
O2 - BHO: (no name) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No CLSID value found.
O2 - BHO: (no name) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - No CLSID value found.
O2 - BHO: (no name) - {6E13D095-45C3-4271-9475-F3B48227DD9F} - No CLSID value found.
O2 - BHO: (no name) - {99079a25-328f-4bd4-be04-00955acaa0a7} - No CLSID value found.
O2 - BHO: (no name) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - No CLSID value found.
O3:64bit: - HKCU\..\Toolbar\ShellBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - %SystemRoot%\system32\browseui.dll File not found
O3:64bit: - HKCU\..\Toolbar\ShellBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - %SystemRoot%\system32\SHELL32.dll File not found
O3:64bit: - HKCU\..\Toolbar\WebBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - %SystemRoot%\system32\browseui.dll File not found
O3:64bit: - HKCU\..\Toolbar\WebBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - %SystemRoot%\system32\SHELL32.dll File not found
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} Reg Error: Value error. (SpinTop DRM Control)
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} Reg Error: Value error. (ArmHelper Control)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} http://zone.msn.com/bingame/popcaploader_v10.cab (Reg Error: Key error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
[2012/06/23 00:23:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Geralds.GERALD-64\Local Settings\Application Data\Ilivid Player

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion, then reboot; that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
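The fix above, and the second one later in the thread, were built by hand from the OTL quick-scan log: search scopes pointing at search-results.com, mywebsearch.com and babylon.com, Firefox search prefs set to "AVG Secure Search" and Babylon, and BHO/toolbar/context-menu entries whose CLSID or file no longer resolves. As an added illustration (not code from this thread or from the OTL tool itself), the following Python script parses those OTL line formats, applies the same triage rules, and emits the `:OTL` section plus the `:Commands` used in the fix. The list of trusted search hosts and the list of bundled-engine names are assumptions made for this example, and the `O4` line in the sample log is constructed; every other sample line is taken from the logs posted in the thread.

```python
"""Triage helper for OTL-style browser-hijack entries (added example).

Recognises the entry types that appear in the two OTL fix scripts in this
thread: IE SearchScopes, Firefox prefs.js search settings, O2 BHO and
O3 toolbar entries, and O8 context-menu items.  Each recognised line gets a
verdict of "fix" (put it in the :OTL section) or "keep".
"""
import re
from urllib.parse import urlparse

# Assumption for this example: hosts treated as legitimate search providers.
TRUSTED_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com", "startpage.com"}
# Assumption for this example: display names of bundled search engines seen in the thread.
BUNDLED_ENGINE_NAMES = re.compile(r"AVG Secure Search|Babylon|MyWebSearch|Search-Results", re.I)

SEARCHSCOPE_RE = re.compile(r'^IE - (HKLM|HKCU)\\\.\.\\SearchScopes\\(\{[0-9A-Fa-f-]+\}): "URL" = (\S+)')
FF_PREF_RE = re.compile(r'^FF - prefs\.js\.\.(browser\.search\.[\w.]+|keyword\.URL): "(.*)"$')
BHO_RE = re.compile(r'^O2 - BHO: \((.*?)\) - (\{[0-9A-Fa-f-]+\}) - (.*)$')
TOOLBAR_RE = re.compile(r'^O3(?::64bit:)? - HK(?:LM|CU)\\\.\.\\Toolbar\\\w+: \((.*?)\) - (\{[0-9A-Fa-f-]+\}) - (.*)$')
CTXMENU_RE = re.compile(r'^O8(?::64bit:)? - Extra context menu item: (.*?) - (\S+)')


def _search_host(url):
    # OTL prints URL templates containing {searchTerms}; urlparse still yields the host.
    return urlparse(url).netloc.lower()


def triage_line(line):
    """Return (verdict, reason) for one OTL log line, or None if the entry type is not handled."""
    line = line.strip()
    m = SEARCHSCOPE_RE.match(line)
    if m:
        hive, clsid, url = m.groups()
        host = _search_host(url)
        if host in TRUSTED_SEARCH_HOSTS:
            return ("keep", f"{hive} SearchScope {clsid} points at trusted host {host}")
        return ("fix", f"{hive} SearchScope {clsid} redirects searches to {host}")
    m = FF_PREF_RE.match(line)
    if m:
        pref, value = m.groups()
        if pref == "keyword.URL":  # address-bar search URL
            host = _search_host(value)
            return ("keep" if host in TRUSTED_SEARCH_HOSTS else "fix",
                    f"Firefox {pref} sends address-bar searches to {host}")
        if BUNDLED_ENGINE_NAMES.search(value):  # defaultenginename / order.N hold display names
            return ("fix", f"Firefox {pref} set to bundled engine {value!r}")
        return ("keep", f"Firefox {pref} = {value!r}")
    for kind, rx in (("BHO", BHO_RE), ("Toolbar", TOOLBAR_RE)):
        m = rx.match(line)
        if m:
            name, clsid, tail = m.groups()
            if "No CLSID value found" in tail or "File not found" in tail:
                return ("fix", f"orphaned {kind} {clsid} ({name}): {tail}")
            return ("keep", f"{kind} {clsid} ({name}) resolves to {tail}")
    m = CTXMENU_RE.match(line)
    if m:
        name, url = m.groups()
        host = _search_host(url)
        if host in TRUSTED_SEARCH_HOSTS and "File not found" not in line:
            return ("keep", f"context menu {name} -> {host}")
        return ("fix", f"context menu {name} -> {host}")
    return None


def triage(log_text):
    """Return [(original_line, verdict, reason)] for every recognised line in an OTL log."""
    results = []
    for raw in log_text.splitlines():
        verdict = triage_line(raw)
        if verdict:
            results.append((raw.strip(), *verdict))
    return results


def build_fix_script(log_text):
    """Wrap the 'fix' lines in the :OTL section OTL expects, followed by the
    :Commands block used in this thread.  Note that [resethosts] overwrites the
    HOSTS file with a default one, so copy it first if it carries custom entries."""
    fix_lines = [line for line, verdict, _ in triage(log_text) if verdict == "fix"]
    return "\n".join([":OTL", *fix_lines, "", ":Commands",
                      "[resethosts]", "[emptytemp]", "[CREATERESTOREPOINT]", "[Reboot]"])


# Sample log: lines from the OTL logs posted in this thread, plus one constructed O4 line
# (not from the thread) to show that unrecognised entry types are skipped.
SAMPLE_OTL_LOG = r"""
IE - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = http://dts.search-results.com/sr?src=ieb&appid=102&systemid=406&q={searchTerms}
IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rlz=1I7ADBR_en&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
FF - prefs.js..browser.search.defaultenginename: "AVG Secure Search"
FF - prefs.js..keyword.URL: "http://search.babylon.com/?babsrc=adbartrp&affID=101067&mntrId=3443063a000000000000001d7d072706&q="
O2 - BHO: (no name) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O8:64bit: - Extra context menu item: &Search - http://tbedits.televisionfanatic.com/one-toolbaredits/menusearch.jhtml?s=100000415&p=XPxdm003YYus File not found
O4 - HKLM..\Run: [example] C:\example\constructed.exe ()
"""

if __name__ == "__main__":
    for line, verdict, reason in triage(SAMPLE_OTL_LOG):
        print(f"{verdict:4}  {reason}")
    print()
    print(build_fix_script(SAMPLE_OTL_LOG))
```

Two caveats a practitioner would keep in mind. First, the allowlist is policy, not ground truth: the second fix later in this thread removes Google SearchScopes as well, because the user did not want them, so tune `TRUSTED_SEARCH_HOSTS` to the machine owner's preference. Second, `[resethosts]` really does replace the HOSTS file, which is why the user below had to restore his; a script that emits that command should prompt for a backup first.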

To copy the custom fix data, I’m guessing you mean what’s in the grey box with lots of text. (The text in the screen shot can’t be copied.) It looks like text from the file I sent you.
Thanks.

That is correct, the script in the grey box… I think I will remove it from my explanatory screenshot, as I see that it can be confusing.

Updated the screenshot; it should be more understandable now.

OK, program ran fine. Needed to reboot to finish fixing. On reboot, it clearly was finishing up some things and left a txt message of files removed etc. Some comments I noted were that a reboot again was necessary to complete.

Question is, should I reboot again before rerunning OTL?
MY gut says yes, but things have gone too well to screw up now.

Oh yes, I noticed one of the files removed was the hosts file. Will that be restored, or do I need to salvage parts of it?

Thanks.

After a long wait, I went ahead and rebooted, then reran OTL. I noticed a lot of “file not found” places, but don’t know how all that works out. I am under pressure to get some things done, and don’t want to mess things up, but might go ahead and run the ComboFix.

I’ve attached the OTL.txt file.

Oooops! ComboFix won’t run on Win XP 64. Only on 32 bit. Now what?

Oops, my apologies. I saw the 64-bit and then promptly ignored that it was XP.

How is the computer now? If the problems are still apparent I will use a compatible programme.

The irony is that what I thought was an Avast problem, wasn’t. In the process of testing for SafeSurf, he felt that there were indeed other problems and passed me over to you. The few uglies like unwelcome web pages and search pages are gone. Otherwise, things seem pretty normal and OK. I find that as long as things are normal, I don’t notice much. Only when the unexpected happens.

I had to restore my Hosts file which got stripped. That’s OK because it had gotten cluttered with much junk.

Thanks again for the help. I won’t forget your expertise and what you were able to do. Amazing!
GShantz

I missed a few Google entries, so if you wish I will remove them now as part of the clean-up.

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself, so… The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
FF - prefs.js..keyword.URL: "http://search.babylon.com/?babsrc=adbartrp&affID=101067&mntrId=3443063a000000000000001d7d072706&q="
[2012/06/23 00:23:57 | 000,000,000 | ---D | M] (TelevisionFanatic) -- C:\Documents and Settings\Geralds.GERALD-64\Application Data\Mozilla\Firefox\Profiles\lsfyxzox.default\extensions\64ffxtbr@TelevisionFanatic(2).com
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rlz=1I7ADBR_en&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
O2 - BHO: (no name) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No CLSID value found.
O8:64bit: - Extra context menu item: &Search - http://tbedits.televisionfanatic.com/one-toolbaredits/menusearch.jhtml?s=100000415&p=XPxdm003YYus&si=CLGuntL1zq4CFeMbQgodVE54-w&a=BE4DA973-13F8-42BB-9CC0-6CD87A1FAD4E&n=2012030423 File not found
O8 - Extra context menu item: &Search - http://tbedits.televisionfanatic.com/one-toolbaredits/menusearch.jhtml?s=100000415&p=XPxdm003YYus&si=CLGuntL1zq4CFeMbQgodVE54-w&a=BE4DA973-13F8-42BB-9CC0-6CD87A1FAD4E&n=2012030423 File not found

:Commands
[emptytemp]
[CLEARALLRESTOREPOINTS]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set back to hidden, as some of the tools I use will change that.
[*]Click Start.
[*]Open My Computer.
[*]Select the Tools menu and click Folder Options.
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[*]Click Yes to confirm.
[*]Click OK.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

Malwarebytes.

Update and run it weekly to keep your system clean.

Download and install the FileHippo update checker and run it monthly; it will show you which programmes on your system need updating and give a download link.

It is critical to have both a firewall and antivirus to protect your system, and to keep them updated. To keep your operating system up to date, visit
[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet, read our little guide How did I get infected in the first place? Keep safe :wave:

@ gshantz,

If you feel that your issue is now resolved/fixed, please go back to the first open post in this topic, click the modify button in that Post and change the title/subject, add [Resolved] to the beginning of the title so this thread can be closed.

Feel free to come back any time you need help, to learn something new, or just to ask questions. We are here 24/7 for your convenience.

Should your issue or any problems related to your current problem reoccur, continue with your current thread and we will help you (and delete the “Resolved” in the title in this case). Thank you for letting us assist you. :slight_smile:

The reason for my delay in changing the status of this thread is I have unexplained issues that seem to persist. At the time of EssexBoy’s last post, I had followed all instructions to the letter. These issues are hard to put one’s finger on, but still quite annoying. The most common is the use of MSIE 8 - it often locks up in the middle of something (like accessing a page) and one time the whole system could not be booted normally. At that time, I booted to Safe Mode and ran Malwarebytes, which found a half dozen items - all different from what we found before. Since then I’ve run full scans with both Malwarebytes and Avast, but found nothing.

I also seem to have lost my ability to burn DVDs within the last few months, but don’t see how this could be related. It may be hardware failure, but there are 2 drives and neither one works - I should say they burn, but are too error prone to use. I will see if I can find something to test the hardware 1st.