New to Avast Forum malware assistance needed

I am a novice administrator for my office computer and I use Avast. I recently had a malware infection on my computer. A trojan horse appears on my computer. A fake window titled “Windows XP Restore” pops up and the program runs a scan which then identifies a number of infected programs. The malware then pushes me to purchase a module to fix the problem. The problem is that I’m not able to identify the malware and remove it.

The error message that I’m getting says:

“The system has detected a problem with one or more installed IDE / SATA hard disks”

Any advice on how I can fix my computer?

This is a fake security alert and you should check out this link for removal instructions. Whilst this isn’t the exact name, it is close and there are variations on a theme, so give this a try.

http://www.bleepingcomputer.com/virus-removal/remove-windows-xp-recovery

When done post the contents of the MBAM log.

I ran rkill on my local using a flash drive. Here is the rkill log message:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 06/21/2011 at 12:03:30.
Operating System: Microsoft Windows XP

Processes terminated by Rkill or while it was running:

Rkill completed on 06/21/2011 at 12:04:16.

Running rkill is only the pre-emptive strike in the bleepingcomputer removal instructions.

The idea being to kill those processes which could otherwise prevent the scan and/or cleaning by MBAM.

I just downloaded TDSSKiller. I ran a scan and no malware was detected. I’m now downloading Malwarebytes.

Hi there could you check your files and folders - are they missing, is your start menu intact ?

If you could let me know what stage you are at I may be able to assist

I just finished running Malwarebytes and Unhide.exe. Malwarebytes detected one problem and I removed it. When I ran Unhide.exe, my desktop icons came back, but the program folder on the Windows start menu shows that all of the program files are empty.

I should say that when I finished Unhide.exe, I received a warning that my security may have prevented some program files from being unhidden. The warning suggested that I disable my security and then rerun Unhide.exe.

Should I do this? If so, how would I go about disabling Avast security while I rerun Unhide.exe?

js

Just disable the shields for 10 minutes by right clicking the orange blob

Also run this programme

Download RogueKiller to your desktop

[*]Quit all running programs
[*]For Vista/Seven, right click → run as administrator, for XP simply run RogueKiller.exe
[*]When prompted, type 6 and validate
[*]The RKreport.txt shall be generated next to the executable.
[*]If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe

Please post the contents of the RKreport.txt in your next Reply.

In my experience there is always something remaining that the automated tools fail to locate/recognise

To ensure that I get all the information, this log will need to be attached (instructions at the end). If it is too large to attach, then upload to Mediafire and post the sharing link.

Download OTS to your Desktop

[*]Close ALL OTHER PROGRAMS.
[*]Double-click on OTS.exe to start the program.
[*]Check the box that says Scan All Users
[*]Check the box that says 64 bit
[*]Under Additional Scans check the following:

Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

[*]Under the Custom Scan box paste this in


%USERPROFILE%\..|smtmp;true;true;true /FP
%SYSTEMDRIVE%\*.exe
/md5start
volsnap.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

[*]Now click the Run Scan button on the toolbar.
[*]Let it run unhindered until it finishes.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post.

I just ran RogueKiller. Here is the log file. I’m now running OTS.

RogueKiller V5.2.3 [06/16/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRKgmailcom
Feedback: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: James Salt [Admin rights]
Mode: Shortcuts HJfix – Date : 06/22/2011 13:28:53

Bad processes: 1
[SUSP PATH] stsystra.exe – c:\windows\stsystra.exe → KILLED

File attributes restored:
Desktop: Success 0 / Fail 0
Quick launch: Success 0 / Fail 0
Programs: Success 0 / Fail 0
Start menu: Success 0 / Fail 0
User folder: Success 92 / Fail 0
My documents: Success 0 / Fail 0
My favorites: Success 0 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 0 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 86 / Fail 0
Backup: [FOUND] Success 100 / Fail 0

Drives:
[C:] \Device\HarddiskVolume2 – 0x3 → Restored
[D:] \Device\Harddisk1\DP(1)0-0+6 – 0x2 → Restored
[E:] \Device\CdRom0 – 0x5 → Skipped

Finished : << RKreport[1].txt >>
RKreport[1].txt

And here is the OTS report. (Note to EssexBoy: regarding your OTS instructions, there wasn’t a check box that says 64 bit.)

Here is the link to the OTS report:
http://www.mediafire.com/download.php?unq9dde9gh4vnu5

Are you still missing any files/folders ?

If so they may be in these locations :
C:\Documents and Settings\James Salt\..\James Salt\Local Settings\Temp\smtmp
C:\Documents and Settings\James Salt\..\James Salt\Local Settings\Temp\smtmp\1
C:\Documents and Settings\James Salt\..\James Salt\Local Settings\Temp\smtmp\2
C:\Documents and Settings\James Salt\..\James Salt\Local Settings\Temp\smtmp\4

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

 
[Unregister Dlls]
[Registry - Safe List]
< Run [HKEY_USERS\S-1-5-21-36251927-1638785509-880291012-1004\] > -> HKEY_USERS\S-1-5-21-36251927-1638785509-880291012-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "PRghsOiVNM" -> [C:\Documents and Settings\All Users\Application Data\PRghsOiVNM.exe]
[Files/Folders - Modified Within 30 Days]
NY ->  ~15720228r -> C:\Documents and Settings\All Users\Application Data\~15720228r
NY ->  ~15720228 -> C:\Documents and Settings\All Users\Application Data\~15720228
NY ->  15720228 -> C:\Documents and Settings\All Users\Application Data\15720228
[Files - No Company Name]
NY ->  ~15720228r -> C:\Documents and Settings\All Users\Application Data\~15720228r
NY ->  ~15720228 -> C:\Documents and Settings\All Users\Application Data\~15720228
NY ->  15720228 -> C:\Documents and Settings\All Users\Application Data\15720228
[EmptyFlash]
[CreateRestorePoint]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!
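The two things the helpers' tools are doing for this family of rogue (Unhide.exe and RogueKiller's "File attributes restored" pass) are: clearing the hidden/system attributes the rogue sets on every file it can reach, and moving the Start Menu, Quick Launch and Desktop shortcuts back out of the %TEMP%\smtmp\<n> folders it stashed them in. The script below is an added example written for this page, not Unhide.exe, RogueKiller or any Avast tooling. The smtmp subfolder-to-destination mapping is an assumption the caller supplies (the thread lists smtmp\1, \2 and \4 but does not say which folder each one came from), and the sample directory layout in `demo()` is constructed. It defaults to reporting only (`dry_run=True`) and never overwrites a shortcut that already exists at the destination; run it only after the rogue's process has been killed, otherwise the files are simply hidden again.

```python
"""Restore files that a file-hiding rogue (Windows XP Restore/Recovery family) hid or moved.

Added example for this thread; not the code of Unhide.exe or RogueKiller.
1. unhide_tree(): clear FILE_ATTRIBUTE_HIDDEN / FILE_ATTRIBUTE_SYSTEM below a root (Windows only).
2. restore_smtmp(): move shortcuts out of %TEMP%\\smtmp\\<n> back to where they belong.
The <n> -> destination mapping is an ASSUMPTION supplied by the caller.
"""
import ctypes
import shutil
import sys
import tempfile
from pathlib import Path

FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4
INVALID_FILE_ATTRIBUTES = 0xFFFFFFFF


def unhide_tree(root, dry_run=True):
    """Return the paths below root carrying HIDDEN or SYSTEM; clear them unless dry_run.
    On a non-Windows host there are no such attributes, so the result is empty."""
    found = []
    if sys.platform != "win32":
        return found
    k32 = ctypes.windll.kernel32  # GetFileAttributesW / SetFileAttributesW
    mask = FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM
    for p in Path(root).rglob("*"):
        attrs = k32.GetFileAttributesW(str(p))
        if attrs == INVALID_FILE_ATTRIBUTES or not attrs & mask:
            continue
        found.append(str(p))
        if not dry_run:
            k32.SetFileAttributesW(str(p), attrs & ~mask)
    return found


def restore_smtmp(smtmp_root, mapping, dry_run=True):
    """Move every file under smtmp_root/<key> to mapping[key], keeping relative paths.
    A file already present at the destination is never overwritten; it is reported
    in `skipped` for the operator to compare by hand. Returns (moved, skipped) as
    lists of (source, destination) string pairs."""
    moved, skipped = [], []
    for sub, dest in mapping.items():
        src_dir = Path(smtmp_root) / sub
        if not src_dir.is_dir():
            continue
        for src in sorted(src_dir.rglob("*")):
            if src.is_dir():
                continue
            target = Path(dest) / src.relative_to(src_dir)
            if target.exists():
                skipped.append((str(src), str(target)))
                continue
            moved.append((str(src), str(target)))
            if not dry_run:
                target.parent.mkdir(parents=True, exist_ok=True)
                shutil.move(str(src), str(target))
    return moved, skipped


def demo():
    """Run the restore on a CONSTRUCTED layout in a temp dir; returns a result dict."""
    base = Path(tempfile.mkdtemp())
    smtmp = base / "smtmp"
    programs = base / "Start Menu" / "Programs"  # stand-in for All Users\Start Menu\Programs
    # Constructed: two shortcuts the rogue moved into smtmp\1 ...
    (smtmp / "1" / "Accessories").mkdir(parents=True)
    (smtmp / "1" / "Accessories" / "Calculator.lnk").write_bytes(b"L\x00\x00\x00")
    (smtmp / "1" / "Avast Free Antivirus.lnk").write_bytes(b"L\x00\x00\x00")
    # ... one of which already exists at the destination (collision case).
    (programs / "Accessories").mkdir(parents=True)
    (programs / "Accessories" / "Calculator.lnk").write_bytes(b"stale")
    mapping = {"1": programs}  # ASSUMED: smtmp\1 came from the Programs folder
    moved, skipped = restore_smtmp(smtmp, mapping, dry_run=False)
    result = {
        "moved": moved,
        "skipped": skipped,
        "restored_present": (programs / "Avast Free Antivirus.lnk").exists(),
        "collision_left_in_place": (smtmp / "1" / "Accessories" / "Calculator.lnk").exists(),
        "unhidden": unhide_tree(base, dry_run=True),
    }
    shutil.rmtree(base)
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Preview first with the default `dry_run=True`, read the `skipped` list, and only then re-run with `dry_run=False`; the attribute pass is a no-op on anything but Windows, which is where this infection lives.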

Essex Boy, I’m having a difficult time removing malware from a computer in our office. I’ve tried working with the Avast support ticket system but we still have not been able to solve the problem. Would you be willing to advise me?

If you need help, start a new topic…and not inside one that is almost a year old

follow the guide here
http://forum.avast.com/index.php?topic=53253.0