Possible infection: TrojanFake MSED

Hello, this is my second time in forums, sorry if I put this post in the wrong place.

Yesterday my computer was (probably) infected by a virus. Avast was continuously showing web shield popups for different files from Windows\system32 (msiexec.exe, msdtc.exe, ctfmom.exe, presentationhost.exe, avastsvc.exe…) trying to redirect to http:/xmlka.com/… or something similar. The computer collapsed and took a lot of time doing everything. A lot of programs started in “hidden mode” and I couldn't stop them. This includes Skype, notepad, and more than 10 tasks at a time. Avast was active during all this time but, suddenly, Windows informed me that “no antivirus was running”, and a second later Avast was running again. The Internet Explorer history of the day showed a lot of strange pages I didn’t visit. Avast was saying “everything is ok”, but I didn’t believe a word of it… It seemed like someone had taken control of my computer. I shut down the wifi connection and the situation calmed, but whenever I connected again the “virus” started again…

I ran a “smart scan” (Avast); it found some things, I’m not sure if it could clean them, but the problems remain. Today, I ran adwcleaner and it found something, but I think it missed the big one, too. The report is attached. After this I ran Malwarebytes and it found more serious things, I think. I did something wrong and the txt report was empty, but I could save 2 .xlm files, saved as txt and attached. I ran it again (probably shouldn’t have) and everything was clean (I attach the second report plus a “history of the day”).

I also ran FRST and aswMBR.exe, but cannot attach the reports (max 4 files), I’ll try it later.

I hope everything is fine in the computer now (so it seems), but I am not sure. I would like to confirm it (if confirmation of cleanliness is possible in such a case).

Can anybody help me?

Thank you in advance!

Hello, this is my second time in forums, sorry if I put this post in the wrong place.
You did it correctly ;)
I also ran FRST and aswMBR.exe, but cannot attach the reports (max 4 files), I'll try it later.
Then you just reply to this post and attach them in your reply ;)

This is very easy, thank you Pondus!

Now you wait for Essexboy… he should be online soon.

Hi, before we proceed I would like to check out the MBR.

Download the latest version of TDSSKiller from here and save it to your Desktop.

[*]Doubleclick on TDSSKiller.exe to run the application

https://dl.dropbox.com/u/73555776/tdss%20start.JPG

[*]Then click on Change parameters.

https://dl.dropbox.com/u/73555776/tdss%20Change%20param.JPG

[*]Check the boxes beside Verify Driver Digital Signature, Detect TDLFS file system and Use KSN to scan objects, then click OK.

[*]Click the Start Scan button.

[*]If a suspicious object is detected, the default action will be Skip; click on Continue.

https://dl.dropbox.com/u/73555776/tdss%20threat.JPG

[*]If malicious objects are found, they will show in the Scan results and offer three (3) options.
[*]Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

[*]Get the report by selecting Reports

https://dl.dropbox.com/u/73555776/tdss%20report.JPG

[*]Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

Please copy and paste its contents on your next reply.

Done! Only one medium threat…

The message exceeds 20000 characters, attached .txt file…

22:15:19.0821 0x111c TDSS rootkit removing tool 3.0.0.44 Jan 22 2015 08:27:04
22:15:27.0868 0x111c ============================================================
22:15:27.0868 0x111c Current date / time: 2015/03/19 22:15:27.0868
22:15:27.0868 0x111c SystemInfo:
22:15:27.0868 0x111c
22:15:27.0868 0x111c OS Version: 6.0.6002 ServicePack: 2.0
22:15:27.0868 0x111c Product type: Workstation
22:15:27.0868 0x111c ComputerName: PILIYWILLY1
22:15:27.0868 0x111c UserName: Pili y Willy
22:15:27.0868 0x111c Windows directory: C:\Windows
22:15:27.0868 0x111c System windows directory: C:\Windows
22:15:27.0868 0x111c Processor architecture: Intel x86
22:15:27.0868 0x111c Number of processors: 2
22:15:27.0868 0x111c Page size: 0x1000
22:15:27.0868 0x111c Boot type: Normal boot
22:15:27.0868 0x111c ============================================================
22:15:32.0371 0x111c KLMD registered as C:\Windows\system32\drivers\86427475.sys
22:15:33.0283 0x111c System UUID: {8EF3A429-2C0E-1D2F-A917-402BF1101C01}
22:15:35.0199 0x111c Drive \Device\Harddisk0\DR0 - Size: 0x1BF2976000 ( 111.79 Gb ), SectorSize: 0x200, Cylinders: 0x3901, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type ‘K0’, Flags 0x00000050
22:15:35.0214 0x111c ============================================================
22:15:35.0214 0x111c \Device\Harddisk0\DR0:
22:15:35.0230 0x111c MBR partitions:
22:15:35.0230 0x111c \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x2EE800, BlocksNum 0x6FCA000
22:15:35.0230 0x111c \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x72B8800, BlocksNum 0x6CDB800
22:15:35.0230 0x111c ============================================================
22:15:35.0346 0x111c C: ↔ \Device\Harddisk0\DR0\Partition1
22:15:35.0408 0x111c E: ↔ \Device\Harddisk0\DR0\Partition2
22:15:35.0408 0x111c ============================================================
22:15:35.0408 0x111c Initialize success
22:15:35.0408 0x111c ============================================================
22:16:01.0114 0x0f30 ============================================================
22:16:01.0114 0x0f30 Scan started
22:16:01.0114 0x0f30 Mode: Manual; SigCheck; TDLFS;
22:16:01.0114 0x0f30 ============================================================
22:16:01.0114 0x0f30 KSN ping started
22:16:04.0687 0x0f30 KSN ping finished: true
22:16:07.0273 0x0f30 ================ Scan system memory ========================
22:16:07.0273 0x0f30 System memory - ok
22:16:07.0273 0x0f30 ================ Scan services =============================
22:16:07.0631 0x0f30 [ 82B296AE1892FE3DBEE00C9CF92F8AC7, 54B22BA63E1DA616B546992141B0C3117BA057283B8F60CB9BECE203661FEBF3 ] ACPI C:\Windows\system32\drivers\acpi.sys
22:16:07.0834 0x0f30 ACPI - ok

[…, see attached file]

22:17:24.0271 0x0f30 WindowsWelcomeCenter - ok
22:17:24.0333 0x0f30 [ FE578E5A539C7B1CF68A87D96FC46BA1, 9EAEA357E611F00166F1B0264714A1370B54192702F43F4BE91CCAE3ED097B7F ] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
22:17:24.0411 0x0f30 TOSCDSPD - detected UnsignedFile.Multi.Generic ( 1 )
22:17:24.0676 0x0f30 Detect skipped due to KSN trusted
22:17:24.0676 0x0f30 TOSCDSPD - ok
22:17:24.0676 0x0f30 Waiting for KSN requests completion. In queue: 106
22:17:25.0831 0x0f30 AV detected via SS2: avast! Antivirus, C:\Program Files\Alwil Software\Avast5\VisthAux.exe ( 10.2.2214.845 ), 0x41000 ( enabled : updated )
22:17:25.0877 0x0f30 Win FW state via NFP2: enabled
22:17:26.0205 0x0f30 ============================================================
22:17:26.0205 0x0f30 Scan finished
22:17:26.0205 0x0f30 ============================================================
22:17:26.0205 0x0138 Detected object count: 1
22:17:26.0205 0x0138 Actual detected object count: 1
22:19:39.0784 0x0138 FNETURPX ( UnsignedFile.Multi.Generic ) - skipped by user
22:19:39.0784 0x0138 FNETURPX ( UnsignedFile.Multi.Generic ) - User select action: Skip
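As an added illustration (not code from the thread or from TDSSKiller's authors), the following Python parser reads the report format shown above, pairs each flagged object with the MD5/SHA-256 hash line that precedes it, and separates hits that KSN vouched for from those the user skipped; the sample lines are constructed from the quoted report.

```python
import re
from dataclasses import dataclass
# Constructed excerpt in the shape of the TDSSKiller report above (timestamp, thread id, message).
SAMPLE_LOG = r"""
22:16:07.0631 0x0f30 [ 82B296AE1892FE3DBEE00C9CF92F8AC7, 54B22BA63E1DA616B546992141B0C3117BA057283B8F60CB9BECE203661FEBF3 ] ACPI C:\Windows\system32\drivers\acpi.sys
22:16:07.0834 0x0f30 ACPI - ok
22:17:24.0333 0x0f30 [ FE578E5A539C7B1CF68A87D96FC46BA1, 9EAEA357E611F00166F1B0264714A1370B54192702F43F4BE91CCAE3ED097B7F ] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
22:17:24.0411 0x0f30 TOSCDSPD - detected UnsignedFile.Multi.Generic ( 1 )
22:17:24.0676 0x0f30 Detect skipped due to KSN trusted
22:17:24.0676 0x0f30 TOSCDSPD - ok
22:19:39.0784 0x0138 FNETURPX ( UnsignedFile.Multi.Generic ) - skipped by user
22:19:39.0784 0x0138 FNETURPX ( UnsignedFile.Multi.Generic ) - User select action: Skip
"""
PREFIX = r"^\S+ 0x[0-9a-f]+ "                       # "HH:MM:SS.ffff 0xTID "
HASH_RE = re.compile(PREFIX + r"\[ ([0-9A-F]{32}), ([0-9A-F]{64}) \] (?:(\S+) )?([A-Za-z]:\\.*)$")
DETECT_RE = re.compile(PREFIX + r"(\S+) - detected (\S+) \( \d+ \)$")
KSN_RE = re.compile(PREFIX + r"Detect skipped due to KSN trusted$")
ACTION_RE = re.compile(PREFIX + r"(\S+) \( (\S+) \) - User select action: (\w+)$")
@dataclass
class Detection:
    name: str
    verdict: str
    md5: str = ""
    sha256: str = ""
    path: str = ""
    status: str = "detected"      # detected | ksn_trusted | user_<action>

def parse_tdsskiller(text):
    """Map object name -> Detection for every object TDSSKiller flagged."""
    found, last_hashes, pending = {}, None, None
    for line in text.splitlines():
        if m := HASH_RE.match(line):          # hash line precedes the verdict for that object
            last_hashes = (m.group(1), m.group(2), m.group(4))
        elif m := DETECT_RE.match(line):
            name, verdict = m.groups()
            pending = found[name] = Detection(name, verdict, *(last_hashes or ("", "", "")))
        elif KSN_RE.match(line) and pending:  # cloud reputation cleared the unsigned-file hit
            pending.status = "ksn_trusted"
            pending = None
        elif m := ACTION_RE.match(line):      # summary section: what the user chose to do
            name, verdict, action = m.groups()
            d = found.setdefault(name, Detection(name, verdict))  # object may lie outside the excerpt
            if d.status != "ksn_trusted":
                d.status = "user_" + action.lower()
        elif line.endswith(" - ok"): last_hashes = None  # never attach stale hashes to the next object
    return found

def needs_attention(found):
    """Flagged objects that were neither cleared by KSN nor cured: the ones to examine."""
    return sorted(n for n, d in found.items() if d.status not in ("ksn_trusted", "user_cure"))
```

Run it over a full TDSSKiller report to get the short list of objects worth checking by hash rather than reading the whole log by eye.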

Thank you. Could you let me know what problems you are having after this?

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
2015-03-18 21:47 - 2015-03-19 14:44 - 00000000 ___HD () C:\ProgramData\{49A0BAC7-3326-4433-9373-4AA8793ABB5C}
2015-03-18 21:47 - 2015-03-18 21:47 - 00000000 ____D () C:\ProgramData\Windows Genuine Advantage
CustomCLSID: HKU\S-1-5-21-3125687505-42030154-949934000-1000_Classes\CLSID\{F7117AE6-81F2-45B8-96EE-56F6FD357A48}\InprocServer32 -> C:\ProgramData\{49A0BAC7-3326-4433-9373-4AA8793ABB5C}\neth.dll No File
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.

Actually, the computer is running fast and smooth. No strange active tasks. Everything seems ok. I’m usually cautious, but I feel happy.

Here goes the fixlog.txt

OK, if you can use it as normal and all is well tomorrow, I will tidy up :)

Thank you, Essexboy! I was totally lost and now I see the light, amazing community here. Thanks everybody again.