Need Urgent help to remove Espeak and Colexity Virus

I have Avast Internet Security 2012 installed on my Windows Vista laptop but I got seriously infected with the Espeak and Colexity virus. I need urgent help to remove the virus. Here are the messages that keep popping up from Avast Alert:

URL: hxxp://37.220.36.44/x/
Process: \.\globalroot\systemroot\svchost.exe
Infection: URL:Mal

URL: hxxp://espeak911.com/x/
Process: \.\globalroot\systemroot\svchost.exe
Infection: URL:Mal

URL: hxxp://colexity777.com/x/
Process: \.\globalroot\systemroot\svchost.exe
Infection: URL:Mal

The virus disabled my internet connection. I repaired it but then it destroyed the internet connection again.

I ran Malwarebytes’ Anti-Malware, OTL, aswMBR, Farbar Service Scanner (FSS). Attached are the log files.

I tried to run adwCleaner but got an error message that said “Unable to open the script file”.

Thank you very much

Sorry, the correct Processes are

URL: hxxp://37.220.36.44/x/
Process: C:\Windows\System32\svchost.exe
Infection: URL:Mal

URL: hxxp://espeak911.com/x/
Process: C:\Windows\System32\svchost.exe
Infection: URL:Mal

URL: hxxp://colexity777.com/x/
Process: C:\Windows\System32\svchost.exe
Infection: URL:Mal

Hi there whilst I check the rest of your logs

Download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application.

http://dl.dropbox.com/u/73555776/TDSSFront.JPG

  • Then click on Change parameters.

http://dl.dropbox.com/u/73555776/TDSSConfig.JPG

  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

  • Click the Start Scan button.

  • If a suspicious object is detected, the default action will be Skip; click on Continue.

http://dl.dropbox.com/u/73555776/TDSSFound.JPG

  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

  • Get the report by selecting Reports.

http://dl.dropbox.com/u/73555776/TDSSEnd.JPG

  • Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.

Please copy and paste its contents on your next reply.

Your Malwarebytes was not updated when you did the scan… signature date 2012.07.03
Always click the update button before you start a scan :wink:

I’m using the free trial version of malwarebytes. It won’t update when I tried to update it. Do I need to purchase the Pro version in order to update it? thanks for your help

Do I need to purchase the Pro version in order to update it?
Nope... it should update fine... unless it is malware blocking it, but then you have the "chameleon" option... you can google that when Essexboy has cleaned your comp ;) Follow his advice now.

I ran TDSSKiller. It found 1 virus. It automatically checked the Cure option; I hit Continue, then rebooted my computer. After my computer restarted, I checked for the report but the report was gone. It looks like the report is replaced every time TDSSKiller is run. Here is the report I ran the second time. Thank you

I found the report for the first time I ran TDSSKiller in my C drive. What else do I need to do? Thank you

What else do I need to do?
I guess Essexboy has logged off for the day... check back tomorrow night.

Re-run TDSSKiller with the same parameters; when you get this element, select Delete:

\Device\Harddisk0\DR0 ( TDSS File System )

Then

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double-click on ComboFix.exe and follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describe how your computer is running now.

FINALLY

Run Farbar Service Scanner

https://dl.dropbox.com/u/73555776/FSS.GIF

Tick “All” options.
Press “Scan”.
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.

essexboy,

Here are the reports for TDSSKiller, Combofix, and FSS. In the FSS report, it looks like there is a problem with the file C:\Windows\system32\ipnathlp.dll.

Also, my Windows Defender is not working. I got this error message when I start Windows Defender: "Application failed to initialize: 0x800106ba. A problem caused this program’s service to stop. To start the service, restart your computer or search Help and Support for how to start a service manually."

Thanks for your help

The start type for defender is wrong

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.

Go Start > Run
Type in services.msc
Locate Windows Defender
Right click and select properties
Set the start type to Auto
Start the service

Does it work now ?

OK, Windows Defender is working now. Is there a problem with the file C:\Windows\system32\ipnathlp.dll in the FSS log?

What else do I need to do?
Thank you

No, nothing wrong with the file, it is legitimate… FSS was just highlighting it for me to look at.

How is the computer running now? Any problems?

My computer got stuck at the log off screen when I restart it. I pressed the power button down to shut it off.

Internet Explorer and Firefox will not start if I run it in Sandbox.

TDSSKiller flagged the 5 files in the attached image as moderate risk. Will it be OK if I delete these files?

I re-ran MBAM and aswMBR. Can you take a look to see if there are any problems please?

Thank you

Here is the log for OTL as well. Thank you

Do not delete those files… They are only noted due to being unsigned but are legitimate… Removal will break your system

aswMBR and MBAM look good

When you start IE, FF in the sandbox, what error do you get?

I do not get any error when I start Internet Explorer or Firefox in Sandbox. Avast pops up a window saying it started them in sandbox. I waited like 20 minutes but IE or FF never came up. I looked in the Processes in the Task Manager; I do see firefoxe.exe and iexplorer.exe running but they do not show up in the Applications window.

Chrome and Safari did work when I started them in Sandbox but I have to wait like 5 minutes for the windows to show up.

Could you run a repair of Avast, please?

I reinstalled Avast and Firefox. Firefox and IE still couldn’t start in Sandbox. Chrome started up but froze if run in Sandbox. Safari works fine in Sandbox.

But the major problem is my computer crashed 4 times today. I was using the computer normally, then it crashed. When it restarted, it asked me if I want to start up normally or in safe mode. The message said: Your computer was shut down to prevent damage to the computer. Bad_Pool_Caller.

Is there a way to check why my computer keeps crashing? It seems my computer is really unstable. Thank you