Multiple Viruses on Computer

Hi,

Someone brought me a computer to look at because of a blue screen, and it turned out to be that Avast appears deleted by a virus. In fact, it looks like the computer had a virus explosion on it. I want to just wipe the whole drive and start over, but it looks like the “rescue” data is on the drive itself. I would like to get rid of as much as I can.

I reinstalled Avast and a search showed MBR:SST [RTK] in Avast5\log\unp184347566.tmp.mdmp in All User\Application Data\Alwil Software - I thought I deleted this, but Avast gives me a popup after a while that says it is still there. I also found several trojans, PUPs, [Expl] in Java, Java:Downloader:GR just to name a few.

I am also getting redirects in my browser, and explorer.exe is showing a lot of activity.

I will post the MalwareBytes, OTL, and AdwCleaner logs.

It seems you also have Comodo Internet Security installed…
Never install multiple antivirus programs…

+1 (I also see Avira…!!)

Uninstall and run the removal tools for every AV you remove.

http://singularlabs.com/uninstallers/security-software/

Avast was the only thing that had been installed when I received the computer. I reinstalled it, but then worried that whatever attacked it before might hamper it, so I disabled it and installed Avira. I had forgotten both were still on the computer. As for Comodo, the firewall should be the only thing installed, but not any of their other software.

I tried to run aswMBR, but it will not start. I double-click it, click the Run button, but nothing. I had the same problem with TDSSKiller earlier.

Try it in safe mode.

Hi,

Run the Avira uninstaller tool. Pondus gave you the link to the uninstallers.


Re-run OTL.exe.

- Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.



:OTL
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O3 - HKU\S-1-5-21-2691582972-3252704377-3456028871-1005\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-2691582972-3252704377-3456028871-1005\..\Toolbar\WebBrowser: (no name) - {30CEEEA2-3742-40E4-85DD-812BF1CBB83D} - No CLSID value found.

:files
C:\RECYCLER\S-1-5-18\$0d7942ce64c67b2320410921de700a93
C:\RECYCLER\S-1-5-18\$0d7942ce64c67b2320410921de700a93
ipconfig /flushdns /c
netsh int ip reset c:\resetlog.txt /c
ipconfig /release /c
ipconfig /renew /c

:commands
[CREATERESTOREPOINT]
[emptytemp]


- Then click the Run Fix button at the top.
- Let the program run unhindered; it will reboot the system when it is done and open Notepad with a log report. Attach that log report here.


Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
Note: ComboFix must be downloaded to your Desktop.

Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this or this Instruction.

How to disable avast:

- Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
- In the window that opens, on the top right corner, click Settings.
- In the new window that opens, choose the option Troubleshooting, uncheck Enable avast! self-defense, and click OK.

- Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls.
- In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn on this option after the cleaning.

Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note: Do not mouse-click ComboFix’s window while it is running.
If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart computer once more.

When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt)
Attach the log report (ComboFix.txt) back to the topic.
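As an added example that is not part of the thread, a small Python parser for OTL-style log lines that flags the orphaned entries (No CLSID value found, File not found, Reg Error) a helper collects into the :OTL section of a fix. The sample log lines are constructed in the shape shown in the fix above, with a shortened SID and a made-up GUID for the one healthy entry.

```python
import re
from dataclasses import dataclass

# Markers OTL prints when a registry entry points at something that no longer exists.
ORPHAN_MARKERS = ("No CLSID value found", "File not found", "Reg Error")

# Shape: "code - body [- ]{GUID} [- target]". Covers "O2 - BHO: (name) - {GUID} - target"
# as well as "IE - HKU\...\URLSearchHook: {GUID} - target" and "O16 - DPF: {GUID} url".
LINE_RE = re.compile(
    r"^(?P<code>\S+)\s+-\s+(?P<body>.*?)\s*(?:-\s*)?"
    r"(?P<guid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})"
    r"\s*-?\s*(?P<target>.*)$"
)

@dataclass
class Entry:
    code: str
    body: str
    guid: str
    target: str
    raw: str

    @property
    def orphaned(self) -> bool:
        # Anything whose CLSID or backing file is gone is safe to remove and is a
        # typical leftover of a toolbar/BHO that malware or an uninstaller left behind.
        return any(marker in self.target for marker in ORPHAN_MARKERS)

def parse_otl(log_text: str) -> list:
    """Parse the lines that carry a GUID; unrelated OTL lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            entries.append(Entry(raw=line.strip(), **match.groupdict()))
    return entries

def orphaned_entries(log_text: str) -> list:
    return [entry for entry in parse_otl(log_text) if entry.orphaned]

def build_otl_fix(log_text: str) -> str:
    """Emit the :OTL section of a fix script, one orphaned line per entry."""
    lines = [entry.raw for entry in orphaned_entries(log_text)]
    return ":OTL\n" + "\n".join(lines) + "\n" if lines else ""

# Constructed sample log (hypothetical; the healthy helper entry uses a made-up GUID).
SAMPLE_OTL = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Example Helper) - {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} - C:\Program Files\Example\helper.dll (Example Corp)
O3 - HKU\S-1-5-21-0-0-0-1005\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
IE - HKU\S-1-5-21-0-0-0-1006\..\URLSearchHook: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - No CLSID value found
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - Reg Error: Key error. File not found
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/products/plugin/autodl/jinstall-170-windows-i586.cab (Java Plug-in 1.7.0_09)
"""
```

Running `print(build_otl_fix(SAMPLE_OTL))` lists the four orphaned entries and leaves the working helper and the DPF entry alone, which is the same judgement the helper makes by hand when building the fix.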

I uninstalled Avira, but the software I downloaded did not work. The instructions next to the tool said to use it after a normal uninstall. I uninstalled the program, rebooted, then tried the tool and got the message:

This application has failed to start because mfc100.dll was not found. Re-installing the application may fix this problem. On another website, someone suggested downloading MS Visual C++ 2010 SP1 Redistributable Package, but the person getting the message in that case was trying to install Avira.

Should I download the package above, or just go ahead and run OTL? Also, I am getting several messages from Avast about svchost.exe and blocking a harmful site.

Also, I could not get aswMBR to run in safe mode.

I went ahead and installed the Visual C++ package, and it worked and let me use the Avira uninstall tool. OTL got stuck on the CREATERESTOREPOINT of OTL, so I removed that one line and ran the program without it. Combofix also had problems with System Restore, but Combofix updated it and then continued to run. I can go back and run OTL with the CREATERESTOREPOINT line if requested.

Both the OTL and ComboFix logs are attached.

I finally got aswMBR to work.

Hi,

Download TDSSKiller and save it to your desktop

Execute TDSSKiller.exe by double-clicking on it.

- Run TDSSKiller.exe and click on Change parameters.
- Under Additional options check the boxes next to Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
- Click on Start Scan.

- If an infected file is detected, the default action will be Cure; click on Continue.
- If a suspicious file is detected, the default action will be Skip; click on Continue.

- It may ask you to reboot the computer to complete the process. Click on Reboot Now.
- Click the Report button and attach the contents of it in your next reply.
Note: It will also create a log in the C:\ directory.


Open notepad and copy/paste the text present inside the code box below:



DDS::
IE: Search the Web - c:\program files\SweetIM\Toolbars\Internet Explorer\resources\menuext.html
DPF: {03DED275-9DA6-450E-8A34-26684B2DDC78} - hxxps://transfer.bokf.com/COM/MOVEitUploadWizard4.5.0.ocx

Folder::
c:\program files\SweetIM

KillAll::

ClearJavaCache:: 


Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and refer to the picture above.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt)

Here are the TDSSKiller and ComboFix logs.

Logs look good now. How’s the computer running now? Any avast detections?

Avast, Malwarebytes, and SUPERAntiSpyware have all come back clean, but a strange file keeps popping up on my desktop, maybe after the ComboFix scan but I’m not sure. It has the IE icon, but the name is jumbled (uyt87yuyrytrtuerueurrer). I will upload a pic with the icon and the context menu. Clicking Properties in the menu brings up the Internet Properties window of IE. I also noticed that IE had the little popup window that usually shows up after an IE install, where it says something like: When you send information to the Internet, it might be possible for others to see that information. Do you want to continue?

Hi,

Re-run OTL, click on RunScan and attach here fresh OTL.txt log.

I uploaded two logs; one is where the “Scan All Users” box was selected because I wasn’t sure if it should be selected or not.

Hi,
Is this the TDSSKiller tool?
(Kaspersky Lab ZAO) – C:\Documents and Settings\WW\Desktop\luckycharms.exe

Re-run OTL.exe.

- Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.



:Otl
IE - HKU\S-1-5-21-2691582972-3252704377-3456028871-1006\..\URLSearchHook: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - No CLSID value found
FF - HKCU\Software\MozillaPlugins\amazon.com/AmazonMP3DownloaderPlugin: C:\My Music\npAmazonMP3DownloaderPlugin10171.dll File not found
O3 - HKU\S-1-5-21-2691582972-3252704377-3456028871-1006\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-2691582972-3252704377-3456028871-1006\..\Toolbar\WebBrowser: (no name) - {30CEEEA2-3742-40E4-85DD-812BF1CBB83D} - No CLSID value found.
O3 - HKU\S-1-5-21-2691582972-3252704377-3456028871-1006\..\Toolbar\WebBrowser: (no name) - {5BED3930-2E9E-76D8-BACC-80DF2188D455} - No CLSID value found.

:Files
ipconfig /flushdns /c
netsh int ip reset c:\resetlog.txt /c
ipconfig /release /c
ipconfig /renew /c

:commands
[CLEARALLRESTOREPOINTS]
[emptytemp]


- Then click the Run Fix button at the top.
- Let the program run unhindered; it will reboot the system when it is done and open Notepad with a log report. Attach that log report here.


Re-run OTL and attach here fresh OTL.txt log. How is your computer running now?

I did all the scans/logs again, but they will not look the same as last time because I used the Dell recovery partition. The process seemed to only delete the old data, and I did not see any mention of formatting the drive during the process. Dell offers recovery discs, but I’m not sure they do any more than this.

An Avast scan turned up a Win32 infection in System Volume Information_restore…\RP1\A0000032.exe. I think I have had false positives like this on another computer, but I sent the file to Avast anyway for them to look at. Avast had a boot-time scan possibilities with C:\hiberfil.sys. After this I kept getting errors of some kind like “a file cannot be opened because the share flags are incompatible” and “operation failed because the disk was full.” I don’t really understand the last one because I have more than enough disk space. I did boot-time scan again today and there are no problems.

The Malwarebytes log will show 3 possible infections, but it is nothing as I disabled Security Center messages myself.

SuperAntiSpyware found 16 Malware.Installer-Pkg/Gen, but I am not sure if it is malware. All 16 have to do with the games that came with the computer, and seem to be in two folders:

C:\Documents and Settings\All Users\Start Menu\Programs\Dell Games
C:\Program Files\WildTangent\Apps\Dell Game Console\Downloads\Installers

In the OTL pic in the pinned topic, I noticed the “Extra Registry” is set to none, but by default, mine is set to “Use safelist.” Is that okay?

Here’s the TDSSKiller log

Sorry, I was busy :frowning:

An Avast scan turned up a Win32 infection in System Volume Information\_restore...\RP1\A0000032.exe.
The detection is System Restore related. No need to panic. :) Just reset it (turn System Restore off and then on again): http://support.microsoft.com/kb/310405

C:\hiberfil.sys <— Windows hibernate related. Legit.

Malwarebytes log will show 3 possible infections, but it is nothing as I disabled Security Center messages myself.
Yep, those are legit detections. MBAM shows only "alerts" because the same settings may be changed by some malware.

Re-run OTL.exe.

- Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.



:Files
C:\Documents and Settings\DD\Local Settings\Temp\clclean.0001.dir.0002\~df394b.tmp
ipconfig /flushdns /c
netsh int ip reset c:\resetlog.txt /c
ipconfig /release /c
ipconfig /renew /c

:Otl
O3 - HKU\S-1-5-21-2691582972-3252704377-3456028871-1005\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - Reg Error: Key error. File not found
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/products/plugin/autodl/jinstall-170-windows-i586.cab (Java Plug-in 1.7.0_09)
O16 - DPF: {CAFEEFAC-0017-0000-0009-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl/jinstall-170-windows-i586.cab (Java Plug-in 1.7.0_09)

:commands
[purity]
[CLEARRESTOREPOINTS]
[emptytemp]


- Then click the Run Fix button at the top.
- Let the program run unhindered; it will reboot the system when it is done and open Notepad with a log report. Attach that log report here.

Then go here and allow the website to scan your computer for Java. If needed, download & install a fresh Java.
http://www.java.com/en/

Download AppRemover (~ 6MB) to your Desktop.
Run it by double-clicking.

Click Next, choose the second option (Clean Up a Failed Uninstall), confirm with Continue, go to Next, wait for it to finish, and if something is found from your previous antivirus software, scan and remove it by clicking on Next.

I recommend using MCShield if you like.
You may download MCShield from one of the following links:

MyCity - Official download link
Softpedija - Mirror download link

It will prevent infection of the computer via USB flash drive, mobile phone or any other memory card.
And not only will it prevent infection, it will immediately clean the flash drive, memory card or external HDD.

How’s your computer running now?

Here is the OTL log, but should the OTL Extra Registry setting be on none or “use safelist”?