I scanned my computer using Avast, Malwarebytes and SuperAntiSpyware, deleting all malware found.
The problem is not yet solved. Avast pops up the same message every 5 minutes.
Generally during this time, essexboy, the malware removal expert, is not available. You may have to wait for a few hours. I will notify him that you are waiting here.
Please post the log of MBAM in your next post.
In the meantime, since you have already run MBAM and SAS, I would ask you to run these two:
Download the fix for the hosts file and run it. Follow the on-screen instructions.
Flush your temp files of all browsers and Windows by using TFC (you have to restart the system).
nmb, thank you for your advice.
Microsoft Safety Scanner found a Trojan.
It was removed. But Avast still keeps on warning every 5 minutes.
I also attached the picture of warning message along with MSS result.
Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.
[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YN -> "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "C:\Program Files\Free Video Zilla\FVZilla.exe" -> []
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] -> [Reg Error: Value error.]
YN -> CmdMapping\\"{5067A26B-1337-4436-8AFE-EE169C2DA79F}" [HKLM] -> [Reg Error: Key error.]
YN -> CmdMapping\\"{77BF5300-1474-4EC7-9980-D32B190E9B07}" [HKLM] -> [Reg Error: Key error.]
YN -> CmdMapping\\"{7F9DB11C-E358-4ca6-A83D-ACC663939424}" [HKLM] -> [Reg Error: Key error.]
YN -> CmdMapping\\"{898EA8C8-E7FF-479B-8935-AEC46303B9E5}" [HKLM] -> [Reg Error: Key error.]
YN -> CmdMapping\\"{92780B25-18CC-41C8-B9BE-3C9C571A8263}" [HKLM] -> [Reg Error: Key error.]
YN -> CmdMapping\\"{D6E814A0-E0C5-11d4-8D29-0050BA6940E3}" [HKLM] -> [Reg Error: Key error.]
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
YN -> \{2562d029-f8c0-11dd-84a2-001ec908e8c1}\Shell\AutoRun\\"" -> [Auto&Play]
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2562d029-f8c0-11dd-84a2-001ec908e8c1}\Shell\AutoRun\command ->
YN -> \{2562d029-f8c0-11dd-84a2-001ec908e8c1}\Shell\AutoRun\command\\"" -> [C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn]
YN -> \{9004f9e8-c740-11dd-95b3-001ec908e8c1}\Shell\AutoRun\\"" -> [Auto&Play]
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9004f9e8-c740-11dd-95b3-001ec908e8c1}\Shell\AutoRun\command ->
YN -> \{9004f9e8-c740-11dd-95b3-001ec908e8c1}\Shell\AutoRun\command\\"" -> [C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn]
YN -> \{bcdf3896-e610-11dd-846e-001ec908e8c1}\Shell\AutoRun\\"" -> [Auto&Play]
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{bcdf3896-e610-11dd-846e-001ec908e8c1}\Shell\AutoRun\command ->
YN -> \{bcdf3896-e610-11dd-846e-001ec908e8c1}\Shell\AutoRun\command\\"" -> [C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn]
[Registry - Additional Scans - Safe List]
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost > ->
*netsvcs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\\netsvcs
YN -> yeoirec ->
YN -> hqkjk ->
YN -> gwwhv ->
YN -> xaaqwfx ->
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost > ->
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.
I will review the information when it comes back in.
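The MountPoints2 entries in the fix above are the classic USB autorun persistence pattern: an autorun command that chains rundll32 through ShellExec_RunDLL to load a non-DLL payload out of a RECYCLER folder. As an added example, not part of this thread or of the OTS tool, here is a small Python triage script that reads OTS-style MountPoints2 lines (the sample lines below are constructed from the entries quoted above, plus one benign line for contrast) and flags autorun commands showing those traits, so a helper can spot which drive GUIDs need fixing before writing the script.

```python
import re

# Constructed sample input, mirroring the OTS "MountPoints2" lines quoted in the fix above,
# plus one benign-looking autorun command (constructed) that should not be flagged.
SAMPLE_OTS_LINES = [
    r'YN -> \{2562d029-f8c0-11dd-84a2-001ec908e8c1}\Shell\AutoRun\\"" -> [Auto&Play]',
    r'YN -> \{2562d029-f8c0-11dd-84a2-001ec908e8c1}\Shell\AutoRun\command\\"" -> [C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn]',
    r'YN -> \{9004f9e8-c740-11dd-95b3-001ec908e8c1}\Shell\AutoRun\command\\"" -> [C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn]',
    r'YN -> \{11111111-2222-3333-4444-555555555555}\Shell\AutoRun\command\\"" -> [E:\setup.exe]',
]

# Matches only the "...\Shell\AutoRun\command" value lines and captures the drive GUID and command.
COMMAND_RE = re.compile(
    r'\\\{(?P<guid>[0-9a-f-]{36})\}\\Shell\\AutoRun\\command\\\\"" -> \[(?P<cmd>.*)\]$',
    re.IGNORECASE,
)

# Each "rundll32 <module>,<export>" pair inside the command, so we can inspect what gets loaded.
RUNDLL_PAIR_RE = re.compile(r'rundll32(?:\.exe)?\s+([^\s,]+),([^\s,]+)', re.IGNORECASE)


def assess_autorun_command(cmd):
    """Return a list of human-readable reasons the autorun command looks hostile (empty if none)."""
    signals = []
    low = cmd.lower()
    if "shellexec_rundll" in low:
        signals.append("rundll32 chained through ShellExec_RunDLL")
    if low.count("rundll32") >= 2:
        signals.append("nested rundll32 invocation")
    if "\\recycler\\" in low:
        signals.append("payload under RECYCLER folder")
    for module, _export in RUNDLL_PAIR_RE.findall(cmd):
        # rundll32 is meant to load DLLs; a .vmx or other odd extension is a disguised payload.
        if not module.lower().endswith(".dll"):
            signals.append("rundll32 loads non-DLL module %s" % module)
    return signals


def find_suspicious_autoruns(lines):
    """Yield (drive GUID, command, signals) for every MountPoints2 autorun command that raises a flag."""
    hits = []
    for line in lines:
        m = COMMAND_RE.search(line)
        if not m:
            continue
        signals = assess_autorun_command(m.group("cmd"))
        if signals:
            hits.append((m.group("guid"), m.group("cmd"), signals))
    return hits


if __name__ == "__main__":
    for guid, cmd, signals in find_suspicious_autoruns(SAMPLE_OTS_LINES):
        print("drive {%s}: %s\n  %s" % (guid, "; ".join(signals), cmd))
```

On real OTS output, feed the whole MountPoints2 section in; only the `command` value lines are inspected, the `Auto&Play` label lines are skipped.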
[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
[*]Double click on ComboFix.exe & follow the prompts.
[*]As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Can't start with safe mode or last known good configuration either.
After choosing safe mode, the process stops and shows the message:
Click enter to continue loading spts.sys
And then reboot.
[*]Download OTLPEStd.exe to your desktop
[*]Download the attached scan.txt to a USB drive
[*]Ensure that you have a blank CD in the drive
[*]Double click OTLPEStd.exe and this will then open imgburn to burn the file to CD
[*]Reboot your system using the boot CD you just created. Note : If you do not know how to set your computer to boot from CD follow the steps here
[*]As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads
[*]Your system should now display a Reatogo desktop. Note : as you are running from CD it is not exactly speedy
[*]Double-click on the OTLPE icon.
[*]Select the Windows folder of the infected drive if it asks for a location
[*]When asked “Do you wish to load the remote registry”, select Yes
[*]When asked “Do you wish to load remote user profile(s) for scanning”, select Yes
[*]Ensure the box “Automatically Load All Remaining Users” is checked and press OK
[*]OTL should now start.
[*]Double click the Custom scans and fixes box
[*]In the dialogue locate the scan.txt you have on the USB
[*]Press Run Scan to start the scan.
[*]When finished, the file will be saved in drive C:\OTL.txt
[*]Copy this file to your USB drive if you do not have internet connection on this system.
[*]Right click the file and select send to : select the USB drive.
[*]Confirm that it has copied to the USB drive by selecting it
[*]You can backup any files that you wish from this OS
[*]Please post the contents of the C:\OTL.txt file in your reply.
I don’t have blank cd or second laptop now. It’s almost 3 am here.
I have only windows and driver CDs and some programs.
I will go to laboratory first thing in the morning.
Thank you so much for your help.
To polonus
My laptop was infected yesterday. After opening webpage the alert popped up.
I thought it come with ads banner or something so I closed all pages and tried scanning my computer.
One further thought - when you boot the computer, do you get the option to go to Windows or the recovery console? ComboFix should have installed that - if so, when you get up I will work through the recovery console.
This may be a new variant of TDL 4, so I will need to do some research on that. The scan text will locate a copy of the file for me so I can then do a replacement.
I ran Reatogo but can't use the OTL tool.
It said the target is not Windows 2000 or later. And I can't open C: or back up or even search. The system pops up a message that drive C is not formatted.
I think I should format because I need to use my laptop for research ASAP. I will try to back up files before formatting. If I can manage to get Combofix.txt, I will post it later.
Thank you so much for helping me so far. I hope I can get combofix.txt and get to know what happened.