Possible Rootkit/Trojan(s)

Hi, I’m an avast user and I’m here because I recently seem to have contracted several viruses, and I’d like some advice on how to identify and remove them. I run Windows XP SP3, and I have avast v.5.0.594 with virus definition version 100911-1.

This happened on September 11th, 2010. I was browsing through a couple of websites that I visit very frequently, when I suddenly got 3 alerts from avast saying that it had blocked some malicious actions. Immediately afterward, it moved 41 files to the virus chest. Most of the files moved to the chest were .sys files from C:\Windows\system32\drivers, and they were labeled Win32:Bubnix-J[Rtk]. The rest were labeled VBS: Malware-gen, and included a few .tmp files, such as ~TM11.tmp and ~TM1F.tmp, from C:\WINDOWS\TEMP, and 3 of the same file: fjhdyfhsn.bat, from C:\WINDOWS\system32. I ran a full system scan with avast, and it turned up nothing after that. I then ran a boot-time scan, and that found nothing. However, as soon as I opened Firefox again (the only web browser I use), I got several more alerts from avast and several more files were moved to the virus chest.

My computer began to act strangely. It ran much slower, it hangs for several minutes after startup so that I can’t see the task bar or bring up the task manager, the cpu was unusually busy (about 50%), and the computer stopped recognizing my USB flash drive. I downloaded, installed and updated several more security programs (avast was originally the only one I had on the computer) and disconnected my computer from the internet.

Malwarebytes’ Anti-Malware found a file called avdrn.dat (C:\Documents and Settings*My User Name*\Application Data\avdrn.dat) and marked it as Malware.Trace before deleting it. I have not seen it since.

After that, a suspicious application appeared in my Startup folder called monmvr32.exe, and that process appeared in the task manager. Avira Anti-virus detected that it contained something called “TR/PSW.LdPinch.apky” and deleted it. I have not seen it since then.

After that, I ran Ad-Aware. As soon as the program started, it said that it had detected a malicious process and would scan it in background mode. It detected something called Win32.Backdoor.Papras/A, which I understand is a Trojan? In any case, I did whatever Ad-Aware’s “recommended” action was, but when I scanned again, the same item was detected again. Ad-Aware said that it was associated with C:\WINDOWS\system32\bootpart.dll. I have refrained from deleting, quarantining, etc. that file as I don’t know what it is or does.

This is where I am now. My computer is disconnected from the internet, and I’m avoiding using the computer for anything but scans. I’m not sure how I would’ve gotten a Trojan, since I haven’t opened any e-mails recently, followed any suspicious links, or gone to any new websites. Whatever the cause, I would greatly appreciate some advice on how to proceed.

Avira Anti-virus detected that it contained something called "TR/PSW.LdPinch.apky" and deleted it.
Does this mean that you have avast! and Avira installed?

Follow this guide from Essexboy and post the logs:
http://forum.avast.com/index.php?topic=53253.0

To avoid using 20 posts with copy and paste, you have to attach the logs.
Lower left corner: Additional Options > Attach (OTL.Txt and Extras.Txt, and the MBAM scan log)

Okay, I’ve attached the first MBAM scan log and the two OTL logs. Let me know if I didn’t send the right ones.

Also, yes, I have both avast and Avira installed. I originally only had avast, but after all these infections, I installed Avira as well.

Oh, there’s one more thing I forgot to mention in my original post. I’m not sure how the avast virus chest works exactly, so maybe it’s normal, but I noticed that many of the files that avast moved to the chest, such as the .sys files in the system32\drivers folder, are still visible.

Both OTL logs are empty; could you re-attach them, please?

Also, yes, I have both avast and Avira installed. I originally only had avast, but after all these infections, I installed Avira as well.
Installing two AVs can create all kinds of Windows errors and false detections.

Why you should never run more than one AV (see reply from quietman7):
http://www.bleepingcomputer.com/forums/index.php?s=49db784baecf17e7b189c833aafb624d&showtopic=260844&view=findpost&p=1441638

Why Shouldn’t I Install More Than One Antivirus Program At A Time?
http://www.security-faqs.com/why-shouldnt-i-install-more-than-one-antivirus-program-at-a-time.html

Okay, trying to upload the OTL logs again, sorry about that. If it doesn’t work, I must have made a mistake generating them from OTL.

Also, I understand what you’re saying about having more than one anti-virus program at a time. However, I don’t think it’s causing false positives, as my computer is still behaving very strangely, and when avast first detected all those infected files, it was the only anti-virus I had running on my computer at the time. However, if you think it will improve the situation at all, I’ll remove Avira.

If I shouldn’t have more than one anti-virus program at a time, does that include anti-spyware/malware programs too? Can I have one anti-virus, one anti-malware, and one anti-spyware program installed together on my computer at the same time?

Bootpart.dll is a legitimate file name; however, it should not be within the appcert part of your registry and hence is malware. Could you let me know what problems you are experiencing?

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
O36 - AppCertDlls: dosxuery - (C:\WINDOWS\system32\bootpart.dll) - C:\WINDOWS\System32\bootpart.dll File not found
[2010/09/11 19:35:28 | 000,000,024 | ---- | M] () -- C:\Documents and Settings\Cameron\Application Data\apiqfw.dat
[2010/09/12 00:35:53 | 000,000,004 | ---- | C] () -- C:\Documents and Settings\LocalService\Application Data\apiqfw.dat
[2010/09/11 23:02:10 | 000,000,024 | ---- | C] () -- C:\Documents and Settings\NetworkService\Application Data\apiqfw.dat
[2010/09/11 19:35:22 | 000,000,024 | ---- | C] () -- C:\Documents and Settings\Cameron\Application Data\apiqfw.dat

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Can I have one anti-virus, one anti-malware, and one anti-spyware program installed together on my computer at the same time?
Yes; recommended: Malwarebytes and SuperAntiSpyware.

Thanks for your prompt replies, guys. I followed your instructions essexboy, and here’s the log.

Also, the problems are much the same as in my original post. My computer is running slower; it lags for several minutes after I start it up and log in, so that I cannot use the task bar or the task manager; and my computer doesn’t seem to recognize my USB flash drive anymore.

OK, let’s have a look-see at the drivers next.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

[*]Double click on ComboFix.exe & follow the prompts.

[*]As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Got the ComboFix log right here.

OK, let’s now go for a tidy-up and see if that resolves some of the problems, but I notice that Avira has some drivers and services running. Once all these steps are completed, let me know if there is an improvement.

Looking at that I am a happy bunny :slight_smile:

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself, so… The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via Control Panel Add/Remove along with ERUNT, but they may be useful tools to keep.

We will now confirm that your hidden files are set to hidden, as some of the tools I use will change that.

[*]Click Start.
[*]Open My Computer.
[*]Select the Tools menu and click Folder Options.
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[*]Click Yes to confirm.
[*]Click OK.

http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. Beware: it is NOT supported for use in 9x or ME and probably will not install on those systems.

Upgrading Java:

[*]Download the latest version of Java SE Runtime Environment (JRE): JRE 6 Update 21.
[*]Click the “Download” button to the right.
[*]Select your Platform and check the box that says: “I agree to the Java SE Runtime Environment 6 License Agreement.”.
[*]Click on Continue.
[*]Click on the link to download Windows Offline Installation (jre-6u21-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager…
[*]Close any programs you may have running - especially your web browser.
[*]Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
[*]Check any item with Java Runtime Environment (JRE or J2SE) in the name.
[*]Click the Remove or Change/Remove button.
[*]Repeat as many times as necessary to remove each Java version.
[*]Reboot your computer once all Java components are removed.
[*]Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u21-windows-i586-p.exe and select “Run as an Administrator.”)

SPRING CLEAN

Download and run Puran Disc Defragmenter

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
[*]SpywareBlaster to help prevent spyware from installing in the first place.

http://img233.imageshack.us/img233/7729/mbamicontw5.gif
Malwarebytes. Run weekly to keep your system clean

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit
[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe :wave:

Hi, thanks for all your help, essexboy. Sorry to have to respond so soon again, but the “cleanup” process is already running into some problems. I copied and pasted that command into OTL and clicked Run Fix like you said, and right before the computer was supposed to reboot, avast popped up claiming that it had found rootkits in 3 files in the directory C:\WINDOWS\system32… specifically, Pen_Tablet.exe (twice) and Pen_TabletUser.exe. I do in fact have a Wacom tablet that I use frequently installed and hooked up to my computer. Avast says my options are to either delete or ignore. I haven’t chosen either, and the computer is waiting for me to make a decision before rebooting. What would you advise?

That may be a false positive; select ignore initially.

Then File Scanner.
There are some files I need you to upload for checking.

[*]Make sure to use Internet Explorer for this
[*]Please go to VirSCAN.org FREE on-line scan service
[*]Copy and paste the following file paths into the “Suspicious files to scan” box on the top of the page:

C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\system32\Pen_TabletUser.exe

[*]Click on the Upload button
[*]If a pop-up appears saying the file has been scanned already, please select the ReScan button.
[*]Once the Scan is completed, click on the “Copy to Clipboard” button. This will copy the link of the report into the Clipboard.
[*]Paste the contents of the Clipboard in your next reply.

Uploaded the files to VirScan, doesn’t look like they found anything on either file. I guess I’ll continue with the cleanup process.

VirSCAN.org Scanned Report :
Scanned time : 2010/09/14 17:47:37 (EDT)
Scanner results: Scanners did not find malware!
File Name : Pen_Tablet.exe
File Size : 4497704 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 099aee120cac4a43ce307a828998392f
SHA1 : 38a01fcaea9b48599389caaac51cd55f43708507
Online report : http://virscan.org/report/f41b31f4765e0bfdbd621ff7552db8ba.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.0.0.19 20100914220251 2010-09-14 8.85 -
AhnLab V3 2010.09.13.01 2010.09.13 2010-09-13 1.41 -
AntiVir 8.2.4.52 7.10.11.163 2010-09-14 0.28 -
Antiy 2.0.18 20100914.5155144 2010-09-14 0.02 -
Arcavir 2009 201006281601 2010-06-28 0.00 -
Authentium 5.1.1 201009141714 2010-09-14 5.02 -
AVAST! 4.7.4 100914-1 2010-09-14 0.29 -
AVG 8.5.850 271.1.1/3135 2010-09-15 0.38 -
BitDefender 7.90123.6380140 7.33880 2010-09-15 4.58 -
ClamAV 0.96.1 11910 2010-09-14 0.70 -
Comodo 4.0 6076 2010-09-14 1.25 -
CP Secure 1.3.0.5 2010.09.15 2010-09-15 0.67 -
Dr.Web 5.0.2.3300 2010.09.15 2010-09-15 9.32 -
F-Prot 4.4.4.56 20100914 2010-09-14 4.78 -
F-Secure 7.02.73807 2010.09.14.15 2010-09-14 0.24 -
Fortinet 4.1.143 12.351 2010-09-14 0.42 -
GData 21.837/21.332 20100914 2010-09-14 7.51 -
ViRobot 20100914 2010.09.14 2010-09-14 0.36 -
Ikarus T3.1.32.15.0 2010.09.14.76728 2010-09-14 11.66 -
JiangMin 13.0.900 2010.08.30 2010-08-30 1.30 -
Kaspersky 5.5.10 2010.09.14 2010-09-14 0.14 -
KingSoft 2009.2.5.15 2010.9.14.18 2010-09-14 0.66 -
McAfee 5400.1158 6106 2010-09-14 18.45 -
Microsoft 1.6103 2010.09.14 2010-09-14 5.83 -
Norman 6.06.05 6.06.00 2010-09-14 8.01 -
Panda 9.05.01 2010.09.14 2010-09-14 2.29 -
Trend Micro 9.120-1004 7.462.13 2010-09-14 0.11 -
Quick Heal 11.00 2010.09.14 2010-09-14 3.33 -
Rising 20.0 22.65.01.04 2010-09-14 2.16 -
Sophos 3.11.2 4.57 2010-09-15 4.01 -
Sunbelt 3.9.2447.2 6876 2010-09-14 12.06 -
Symantec 1.3.0.24 20100914.016 2010-09-14 0.25 -
nProtect 20100914.01 9109121 2010-09-14 9.31 -
The Hacker 6.7.0.0 v00017 2010-09-13 0.41 -
VBA32 3.12.14.0 20100913.0838 2010-09-13 4.92 -
VirusBuster 4.5.11.10 10.128.2/2046600 2010-09-15 6.23 -

VirSCAN.org Scanned Report :
Scanned time : 2010/09/14 17:52:24 (EDT)
Scanner results: Scanners did not find malware!
File Name : Pen_TabletUser.exe
File Size : 1823528 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : d503c638cdcc18537db28b4c56c82988
SHA1 : f91a9358c2a043ee679f057db80369d8f2635403
Online report : http://virscan.org/report/8800baafe2c3b97ee877cb2078fafead.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.0.0.19 20100914220251 2010-09-14 7.01 -
AhnLab V3 2010.09.13.01 2010.09.13 2010-09-13 1.35 -
AntiVir 8.2.4.52 7.10.11.163 2010-09-14 0.27 -
Antiy 2.0.18 20100914.5155144 2010-09-14 0.02 -
Arcavir 2009 201006281601 2010-06-28 0.00 -
Authentium 5.1.1 201009141714 2010-09-14 4.99 -
AVAST! 4.7.4 100914-1 2010-09-14 0.12 -
AVG 8.5.850 271.1.1/3135 2010-09-15 0.28 -
BitDefender 7.90123.6380140 7.33880 2010-09-15 4.51 -
ClamAV 0.96.1 11910 2010-09-14 0.32 -
Comodo 4.0 6076 2010-09-14 1.23 -
CP Secure 1.3.0.5 2010.09.15 2010-09-15 0.48 -
Dr.Web 5.0.2.3300 2010.09.15 2010-09-15 9.68 -
F-Prot 4.4.4.56 20100914 2010-09-14 4.78 -
F-Secure 7.02.73807 2010.09.14.15 2010-09-14 0.22 -
Fortinet 4.1.143 12.351 2010-09-14 0.38 -
GData 21.837/21.332 20100914 2010-09-14 7.40 -
ViRobot 20100914 2010.09.14 2010-09-14 0.36 -
Ikarus T3.1.32.15.0 2010.09.14.76728 2010-09-14 9.04 -
JiangMin 13.0.900 2010.08.30 2010-08-30 1.37 -
Kaspersky 5.5.10 2010.09.14 2010-09-14 0.14 -
KingSoft 2009.2.5.15 2010.9.14.18 2010-09-14 0.70 -
McAfee 5400.1158 6106 2010-09-14 18.37 -
Microsoft 1.6103 2010.09.14 2010-09-14 5.60 -
Norman 6.06.05 6.06.00 2010-09-14 8.64 -
Panda 9.05.01 2010.09.14 2010-09-14 2.18 -
Trend Micro 9.120-1004 7.462.13 2010-09-14 0.04 -
Quick Heal 11.00 2010.09.14 2010-09-14 2.59 -
Rising 20.0 22.65.01.04 2010-09-14 1.68 -
Sophos 3.11.2 4.57 2010-09-15 4.00 -
Sunbelt 3.9.2447.2 6876 2010-09-14 13.39 -
Symantec 1.3.0.24 20100914.016 2010-09-14 0.08 -
nProtect 20100914.01 9109121 2010-09-14 9.57 -
The Hacker 6.7.0.0 v00017 2010-09-13 0.49 -
VBA32 3.12.14.0 20100913.0838 2010-09-13 4.44 -
VirusBuster 4.5.11.10 10.128.2/2046600 2010-09-15 4.36 -

Hi again. You told me to tell you if I still have any problems, so here I am. I’m having the same problems as before, although I’m a little more confident that the computer is clean.

I ran both avast and Avira, neither found any infections (I then removed Avira). Malwarebytes’ found 4 files that it labeled “Security.Hijack”. It claims to have successfully quarantined and removed them, and a re-scan found nothing. I’ve attached the MBAM log in case you’re interested in taking a look. Ad-Aware and SuperAntiSpyware found a lot of cookies, but that’s all (I’ve since removed Ad-Aware).

I followed your cleanup instructions, removing all the programs and defragmenting and such. However, the problems I’ve mentioned previously are still here. I can’t use my flash drive in this computer now (and I know it’s not a problem with the flash drive, as it works fine in other computers), and the computer hangs at startup. The Windows theme that plays when you log on to an account is delayed by at least 4 or 5 minutes, and during that time, I can’t use the task bar, the task manager, or do much of anything.

Obviously, I’m not the expert here, but could the .sys files that avast moved to the virus chest be causing this? If avast is preventing those from running, maybe that could be causing some errors.

Run MBAM again and delete the IFEO registry files, unless you have already done so.

Does Windows see your flash drive?

Go to Control Panel > Device Manager and let me know if there are any yellow exclamation marks.
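For readers following the registry side of this thread: the two locations essexboy has been working from are the AppCertDlls key behind the O36 line in the OTL fix above (a DLL listed there is loaded into processes that call CreateProcess, which is why the entry matters even though OTL reported the file as not found) and the Image File Execution Options (IFEO) entries he asks the OP to let MBAM delete here. Both can be reviewed offline from a `reg export` of those keys. The script below is an added Python example written for this page; it is not part of the thread, OTL or MBAM. The .reg text it parses is constructed: the dosxuery/bootpart.dll value copies the O36 line from the fix above, while the IFEO subkeys (notepad.exe, mbam.exe, iexplore.exe) are made up, and treating the MBAM "Security.Hijack" detection as an IFEO Debugger redirect is an assumption, not something the thread states.

```python
import re
from typing import Dict, List

# Constructed .reg text in the format written by `reg export`. The
# AppCertDlls value copies the O36 line from the OTL fix in this thread; the
# three Image File Execution Options subkeys are made up for the example.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls]
"dosxuery"="C:\\WINDOWS\\system32\\bootpart.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"DisableHeapLookaside"=dword:00000001
'''

APPCERT_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls"
IFEO_PREFIX = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" + "\\"

# Debuggers that legitimately appear in an IFEO Debugger value (Microsoft's
# own tools); anything else is reported at high severity for a human to review.
KNOWN_DEBUGGERS = ("ntsd", "cdb", "windbg", "drwtsn32", "vsjitdebugger")

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(?:"([^"]+)"|@)=(.*)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse .reg text into {key path: {value name: data}}.

    String data written as "name"="data" is unescaped (the .reg format doubles
    backslashes and escapes quotes); dword:/hex: data is kept as raw text.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        key_match = _KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            keys.setdefault(current, {})
            continue
        value_match = _VALUE_RE.match(line)
        if value_match and current is not None:
            name = value_match.group(1) or "@"
            data = value_match.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def find_persistence(keys: Dict[str, Dict[str, str]]) -> List[dict]:
    """Report AppCertDlls entries and IFEO Debugger redirects."""
    findings: List[dict] = []
    # Every DLL under AppCertDlls is loaded into processes that call
    # CreateProcess, so each value is reported; the file need not exist on
    # disk for the entry to matter (OTL showed "File not found" above).
    for name, dll in keys.get(APPCERT_KEY, {}).items():
        findings.append({"key": APPCERT_KEY, "image": name, "target": dll,
                         "severity": "high",
                         "reason": "AppCertDlls entry loads %s into new processes" % dll})
    for key, values in keys.items():
        if not key.startswith(IFEO_PREFIX) or "Debugger" not in values:
            continue  # an IFEO subkey holding only tuning flags is not a redirect
        image = key[len(IFEO_PREFIX):]
        debugger = values["Debugger"]
        parts = debugger.split()
        exe = parts[0].rsplit("\\", 1)[-1].lower() if parts else ""
        known = exe.split(".")[0] in KNOWN_DEBUGGERS
        findings.append({"key": key, "image": image, "target": debugger,
                         "severity": "info" if known else "high",
                         "reason": "launching %s runs %s instead" % (image, debugger)})
    return findings


if __name__ == "__main__":
    for f in find_persistence(parse_reg_export(SAMPLE_REG)):
        print("[%s] %s -> %s  (%s)" % (f["severity"], f["image"], f["target"], f["reason"]))
```

On a real machine you would feed it the output of `reg export` for the two keys instead of the constructed text. Note that an IFEO subkey by itself (iexplore.exe above) is not reported: only a Debugger value changes what runs, and the notepad.exe entry pointing at ntsd is listed at info level because Microsoft's debuggers are the legitimate use of that value.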

Yes, when I inserted the flash drive, the USB Mass Storage Device listing under the Universal Serial Bus Controllers list has an exclamation mark next to it. It says under Properties that “Windows cannot start this hardware device because its configuration information (in the registry) is incomplete or damaged”.

The same message and exclamation marks appear next to Microsoft Kernel Acoustic Echo Canceller, Microsoft Kernel Audio Splitter, Microsoft Kernel DRM Audio Descrambler, and Microsoft Kernel GS Wavetable Synthesizer under Sound, video and game controllers.

Also, I believe that MBAM deleted those IFEO registry files, but how can I make sure? I don’t know where they’re located on the computer.

Just run MBAM again and then delete them if they are there.

Just checking on the drivers. I believe it is just a matter of uninstalling them, rebooting and then letting Windows re-install them; I will check though.

@ Essexboy,

The OP is now having additional problems and opened a new thread: http://forum.avast.com/index.php?topic=64176.0. I redirected him to return here for your instructions.