NVSVCPMMWindowClass problem

Hi. I’m not sure if this is the place to post this, but if it isn’t I would appreciate information about where to go.

I have an HP computer with XP Media Center, and I’m running Avast free and Malwarebytes Pro.

During the last week, Avast has been blocking a lot of malicious URLs with IPs from ISprime, and Malwarebytes has been blocking Trojans, many from System32\authz32.dll.

Yesterday, the ISprime problems stopped, and I thought things were back to normal.

However, when I booted up this morning, the bottom third of the screen looked like a spreadsheet: 10 rows and 10 columns, each with NVSVCPMMWindowClass written in it.

CPU usage was 100%, but I managed to close the NVSVCPMMWindowClass windows, which were listed in the Applications window of Task Manager.

When Firefox finally opened, none of the opened tabs was listed in the task bar, and when I hovered over the task bar, the arrow became an hourglass, and I was unable to click on any of the icons in my quick-launch toolbar, the system tray, or on the start button.

Rebooting brought up the same situation.

I tried to restore the system to several past points, but all were unsuccessful.

I’ve Googled but can’t find anything that comes close to this problem.

Over the past week, I’ve done repeated scans with Avast and Malwarebytes, but they only find cookies.

As I said, I will be grateful for any help you can offer, or if you can steer me to the proper forum or help site.

Thanks!

Rob

Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
( post the logs here and not in the guide )

To avoid multiple posts with copy and paste, you have to attach the logs.
Lower left corner: Additional Options > Attach ( Malwarebytes log / OTL log ). Save the OTL log as ANSI.

Essexboy will look at the logs when posted…

Help!

I ran the Malwarebytes scan, but when I try to download the OTC file, Avast blocks it with this message:

Infection Details

URL: http://oldtimer.geekstogo.com/OTL.exe
Process: file://C:\Program Files (x86)\Mozilla Fi…
Infection: win32:Rootkit-gen [Rtk]
Warn your friends to avoid this website

What do I do?

Rob

ignore, it is a false positive detection from avast…
OTL is an analysis tool…

Well, funny, Pondus, because the FP is also found by DrWeb’s:
Checking: -http://oldtimer.geekstogo.com/OTL.exe
Engine version: 5.0.2.3300
File size: 566.50 KB
File MD5: 6e33d273cb098f6bfe9ab5c57292e57e

-http://oldtimer.geekstogo.com/OTL.exe infected with Trojan.Siggen3.1755
and more detect the packer…and SavedLegacySettings 0x3c00etc.
A whole series of av solutions flag it: http://www.virustotal.com/file-scan/report.html?id=deed2ed5f51ec938dfee9f58300e490cc08a03bf0ae5f90e95fa38277c172c74-1313956813
15 /43 (34.9%) See: http://anubis.iseclab.org/?action=result&task_id=1a2445238971c52c491a2a27eed175e06
See: http://www.threatexpert.com/report.aspx?md5=6e33d273cb098f6bfe9ab5c57292e57e

But as far as I can establish it is the packer, PE_Patch.PECompactm flagged as trojan, but actually it is goodware,

polonus

yep we have seen this before…

i will upload an FP case to Avira… to see what they say :wink:

I have uploaded it again as a FP

I have run Malwarebytes and OTL, but I cannot open Malwarebytes to get to the log. Is it ok to run both programs in Safemode tomorrow and post them then? Also, OTL generated only OTL.txt but no Extras.Txt

I have just downloaded it and no alert by the web shield or file system shield or right click scan. So looks like it may have been resolved.

A safe mode run will be OK - The extras is only generated on the first run

The file ‘OTL.exe’ has been determined to be ‘FALSE POSITIVE’. In particular this means that this file is not malicious but a false alarm. Our analysts named the threat TR/Swisyn.bsgf.1. The term “TR/” denotes a trojan horse that is able to spy out data, to violate your privacy or carry out unwanted modifications to the system. Detection is added to our virus definition file (VDF) starting with version 7.11.13.154. Detection will be removed from our virus definition file (VDF) with the next updates.

Here are the Malwarebytes and OTL logs. The aswMBR scan seemed to stall after 1 hour and 40 minutes. I’m rerunning it and will post the log when it finishes.

Rob

Only one file got attached. Trying again.

People can fly - must be the new malware company ;D

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
PRC - [2011/08/19 10:23:16 | 000,711,680 | ---- | M] (People Can Fly) -- C:\WINDOWS\system32\kbdfc32.exe
PRC - [2011/08/19 10:23:16 | 000,711,680 | ---- | M] (People Can Fly) -- C:\WINDOWS\system32\authz32.exe
SRV - [2011/08/19 10:23:16 | 000,711,680 | ---- | M] (People Can Fly) [Auto | Running] -- C:\WINDOWS\system32\kbdfc32.exe -- (GearSecurity32)
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 213.27.237.144:80
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 213.27.237.144:80
IE - HKU\S-1-5-21-3940758362-3715129102-3176117121-1007\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-3940758362-3715129102-3176117121-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 213.27.237.144:80
IE - HKU\S-1-5-21-3940758362-3715129102-3176117121-1013\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
FF - prefs.js..browser.search.defaultenginename: "Search the web (Babylon)"
FF - prefs.js..browser.search.defaulturl: "http://search.babylon.com/web/{searchTerms}?babsrc=browsersearch"
FF - prefs.js..browser.search.order.1: "Search the web (Babylon)"
FF - prefs.js..network.proxy.backup.ftp: "77.125.76.62"
FF - prefs.js..network.proxy.backup.ftp_port: 11033
FF - prefs.js..network.proxy.backup.gopher: "77.125.76.62"
FF - prefs.js..network.proxy.backup.gopher_port: 11033
FF - prefs.js..network.proxy.backup.socks: "77.125.76.62"
FF - prefs.js..network.proxy.backup.socks_port: 11033
FF - prefs.js..network.proxy.backup.ssl: "77.125.76.62"
FF - prefs.js..network.proxy.backup.ssl_port: 11033
FF - prefs.js..network.proxy.ftp: "82.29.254.40"
FF - prefs.js..network.proxy.ftp_port: 11022
FF - prefs.js..network.proxy.gopher: "82.29.254.40"
FF - prefs.js..network.proxy.gopher_port: 11022
FF - prefs.js..network.proxy.http: "82.29.254.40"
FF - prefs.js..network.proxy.http_port: 11022
FF - prefs.js..network.proxy.share_proxy_settings: true
FF - prefs.js..network.proxy.socks: "82.29.254.40"
FF - prefs.js..network.proxy.socks_port: 11022
FF - prefs.js..network.proxy.ssl: "82.29.254.40"
FF - prefs.js..network.proxy.ssl_port: 11022
O2 - BHO: (Hotspot Shield Class) - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - File not found
O4 - HKU\S-1-5-21-3940758362-3715129102-3176117121-1007..\Run: [updateMgr] File not found
[2011/08/21 16:13:20 | 000,158,208 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\authz32.dll
[2011/08/19 10:23:55 | 000,711,680 | ---- | C] (People Can Fly) -- C:\WINDOWS\System32\authz32.exe
[2011/08/19 10:23:43 | 000,711,680 | ---- | C] (People Can Fly) -- C:\WINDOWS\System32\kbdfc32.exe
[2011/08/21 16:13:24 | 000,000,100 | ---- | M] () -- C:\WINDOWS\System32\581566835
[2011/08/21 16:13:20 | 000,158,208 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\authz32.dll
[2011/08/19 10:23:16 | 000,711,680 | ---- | M] (People Can Fly) -- C:\WINDOWS\System32\kbdfc32.exe
[2011/08/19 10:23:16 | 000,711,680 | ---- | M] (People Can Fly) -- C:\WINDOWS\System32\authz32.exe

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
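The fix script above targets three kinds of indicator that an OTL log exposes in one place: a proxy server written into the Internet Settings key of every user hive (including the SYSTEM profile, which no interactive user configures), Firefox network.proxy.* preferences pointing at remote hosts, and a pair of same-size, same-timestamp executables from an unexpected publisher sitting in system32 and registered as a service. The following is an added example, not OTL's own code and not from Essexboy's post: a small triage script that parses OTL-style PRC/SRV, IE ProxyServer and FF prefs.js lines and reports those conditions. The line format is inferred from the lines in the script above; the sample log, the publisher name, the IP addresses, the hive SIDs and the publisher allowlist are all constructed for the example.

```python
"""Triage OTL-style log lines for proxy hijacks and look-alike system32 binaries.

Added example (not OTL's own code). Line format inferred from an OTL fix
script; all sample data below is constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Registry proxy line:  IE - HKU\...\Internet Settings: "ProxyServer" = host:port
IE_PROXY_RE = re.compile(r'^IE - (?P<key>HKU\\.+?): "ProxyServer" = (?P<proxy>\S+)\s*$')
# Firefox pref line:    FF - prefs.js..network.proxy.<pref>: "host"   (quoted host prefs only;
# the *_port and share_proxy_settings lines are unquoted and deliberately not matched)
FF_PROXY_RE = re.compile(r'^FF - prefs\.js\.\.network\.proxy\.(?P<pref>[\w.]+): "(?P<host>[^"]*)"\s*$')
# Process/service line: PRC - [mtime | size | flags | M] (Company) [Auto | Running] -- path -- (Service)
PROC_RE = re.compile(
    r'^(?P<kind>PRC|SRV) - \[(?P<stamp>[^\]]+)\] \((?P<company>[^)]*)\)'
    r'(?: \[[^\]]+\])? -- (?P<rest>.+)$'
)

# Assumed allowlist: publishers expected to own executables under %SystemRoot%\system32.
TRUSTED_SYSTEM32_PUBLISHERS = {"microsoft corporation"}
# Proxy hosts that are not a hijack on their own (unset, or a local proxy).
LOCAL_PROXY_HOSTS = {"", "127.0.0.1", "localhost"}


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def triage(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per suspicious line, plus one per cloned binary."""
    findings: List[Finding] = []
    # (company, size, mtime) -> paths: the same binary dropped under several names
    clones: Dict[Tuple[str, str, str], List[str]] = defaultdict(list)

    for raw in lines:
        line = raw.strip()
        m = IE_PROXY_RE.match(line)
        if m:
            hive = m.group("key")
            detail = f'{m.group("proxy")} via {hive}'
            # HKU\.DEFAULT and HKU\S-1-5-18 are the SYSTEM profile: a proxy there was
            # written by something running as SYSTEM, not by the user.
            if hive.startswith(("HKU\\.DEFAULT", "HKU\\S-1-5-18")):
                findings.append(Finding("ie-proxy-system-hive", detail))
            else:
                findings.append(Finding("ie-proxy-set", detail))
            continue
        m = FF_PROXY_RE.match(line)
        if m and m.group("host") not in LOCAL_PROXY_HOSTS:
            findings.append(Finding("ff-proxy-set", f'{m.group("pref")} -> {m.group("host")}'))
            continue
        m = PROC_RE.match(line)
        if m:
            path, _, service = m.group("rest").partition(" -- ")
            company = m.group("company").strip()
            stamp = [part.strip() for part in m.group("stamp").split("|")]
            mtime, size = stamp[0], stamp[1]
            if "\\system32\\" in path.lower() and company.lower() not in TRUSTED_SYSTEM32_PUBLISHERS:
                label = f"{m.group('kind')} {path} ({company or 'no publisher'})"
                if service:
                    label += f" service {service.strip('()')}"
                findings.append(Finding("untrusted-system32-binary", label))
            clones[(company, size, mtime)].append(path)

    for (company, size, mtime), paths in clones.items():
        distinct = sorted(set(paths))
        if len(distinct) > 1:
            findings.append(Finding("cloned-binary", f"{company} {size} @ {mtime}: " + ", ".join(distinct)))
    return findings


def rule_counts(lines: Iterable[str]) -> Dict[str, int]:
    """Rule name -> number of findings, convenient for a quick summary."""
    counts: Dict[str, int] = defaultdict(int)
    for finding in triage(lines):
        counts[finding.rule] += 1
    return dict(counts)


# Constructed sample log in the OTL line format (publisher, paths, SIDs and IPs are made up).
SAMPLE_LOG = r"""
PRC - [2011/08/19 10:23:16 | 000,711,680 | ---- | M] (Example Games Ltd) -- C:\WINDOWS\system32\kbdzz32.exe
PRC - [2011/08/19 10:23:16 | 000,711,680 | ---- | M] (Example Games Ltd) -- C:\WINDOWS\system32\authzz32.exe
SRV - [2011/08/19 10:23:16 | 000,711,680 | ---- | M] (Example Games Ltd) [Auto | Running] -- C:\WINDOWS\system32\kbdzz32.exe -- (ExampleSecurity32)
PRC - [2008/04/14 05:42:20 | 000,014,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\svchost.exe
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 192.0.2.10:80
IE - HKU\S-1-5-21-1111111111-2222222222-3333333333-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 192.0.2.10:80
FF - prefs.js..network.proxy.http: "198.51.100.7"
FF - prefs.js..network.proxy.http_port: 11022
FF - prefs.js..network.proxy.backup.ssl: "198.51.100.8"
FF - prefs.js..network.proxy.share_proxy_settings: true
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG.splitlines()):
        print(f"{finding.rule:28} {finding.detail}")
```

On the constructed sample this reports three untrusted system32 binaries (the two processes and the service), one proxy in the SYSTEM hive, one in a user hive, two remote Firefox proxy hosts and one cloned-binary group. The clone rule is what ties the two file names together: identical publisher, size and modification time under different names is the pattern the fix script above removes, and it survives a file being renamed. The publisher allowlist is deliberately short; in practice it is the OS vendor plus whatever drivers and agents the machine is known to run.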

The aswMBR scan was successful. Attached in the log.

OK a couple of files there to kill, OTL was not quite strong enough to get them

Download and Install Combofix

Download ComboFix from one of the following locations:

Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop *

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

Here’s the OTL quick scan.

After closing down AVAST and MALWAREBYTES, ComboFix “Warning” stated Adaware and Norton Internet Security 2006 were still active. I closed Adaware, but I have no knowledge of Norton running. It isn’t listed in Control Panel Add or Remove programs, and in Program Files, likewise, no Norton folder. There was a Symantec folder with Web Controls, which I uninstalled.

What do I do now?

Rob

Run Combofix - we will remove the remnants later

After ComboFix rebooted the computer, the msg: “Preparing Log Report. Do not run any programs until ComboFix has finished.” has remained on the monitor for about 30 minutes.

(the Start Up Menu starts Firefox, and after it started, I closed it.)

And now a “Windows - No Disk” message has popped up:

     "Exception Processing Message c0000013 Parameters 75b6bf9c 4 75b6bf9c 75b6bf9c

      Cancel     Try Again   Continue  "

What do I do?

(sent from another computer)