Removing Blackbeard trojan

My girlfriend's laptop wasn't running an updated antivirus. It was a mess. I installed avast! and it found:
Win32:Patched-AOD [Trj]
Avast can't move it or delete it, with an error message at Windows startup:
C:\windows\system32\rpcss.dll

Avast is now constantly blocking threats. All internet browsers have been defaulted to “Nationzoom”.

Any help would be much appreciated.

We need Malwarebytes / OTL / aswMBR logs: http://forum.avast.com/index.php?topic=53253.0

Hi,

Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.

- Double-click to run it. When the tool opens, click Yes to the disclaimer.
- Under Optional Scan, ensure “List BCD” and “Driver MD5” are ticked.
- Press the Scan button.
- It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
- The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

===================================================

Once again we shall use FRST for additional checks. Re-run FRST/FRST64 by double-clicking:

- Type rpcss.dll into the Search: field in FRST, then click the Search File(s) button.
- FRST will search your computer for files and, when finished, it will produce a log Search.txt in the same directory the tool is run from.
- Please attach it to your reply.


  1. Please download ComboFix by sUBs from here and save it to your Desktop.
     If you are unsure how ComboFix works, please read this guide carefully.
     Note: ComboFix must be downloaded to your Desktop.

  2. Temporarily disable your antivirus program, usually via a right click on the System Tray icon. It may interfere with ComboFix.
     If you are unsure how to do this, please read this or this instruction.

Instructions how to disable avast:

- Right click on the avast! system tray icon (http://www.mcshield.net/pg/images/avast5.png) in the lower right corner of the screen and scroll up to avast! shield controls;
- In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn this option back on after the cleaning by choosing avast! shield controls > Enable all shield options.

  3. Run ComboFix. Click on I Agree!

ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note: Do not mouse-click ComboFix's window while it is running.
If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion”, just restart the computer once more.

  4. When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt)
     Attach the log report (ComboFix.txt) back to the topic.

After running the scan and restarting, the computer encountered the typical problem of Windows not starting. It enters into a repeating loop of the HP logo and the Windows logo. I forced a shutdown and started from the last known working config. When Windows started, ComboFix generated the log… hopefully it worked as planned.

After running ComboFix it is often necessary to reboot twice…

Open Notepad and copy/paste the text present inside the code box below:

Folder::
c:\users\Mai\AppData\Local\SearchProtect
c:\program files\WhiteSmoke_New_1.2
c:\program files\VideoPlayerV3
c:\program files\Mobogenie

File::
c:\users\Mai\AppData\Roaming\Mozilla\Firefox\Profiles\aeiigypx.default\extensions\{8f02605d-be4e-41ba-bd00-c39a59c46919}

Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{8f02605d-be4e-41ba-bd00-c39a59c46919}"=-
[-HKEY_CLASSES_ROOT\clsid\{8f02605d-be4e-41ba-bd00-c39a59c46919}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{8f02605d-be4e-41ba-bd00-c39a59c46919}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{8f02605d-be4e-41ba-bd00-c39a59c46919}"=-
[-HKEY_CLASSES_ROOT\clsid\{8f02605d-be4e-41ba-bd00-c39a59c46919}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{8F02605D-BE4E-41BA-BD00-C39A59C46919}"=-
[-HKEY_CLASSES_ROOT\clsid\{8f02605d-be4e-41ba-bd00-c39a59c46919}]

DDS::
uStart Page = hxxp://search.conduit.com/?ctid=CT3316751&octid=CT3316751&SearchSource=61&CUI=UN42375345939710915&UM=2&UP=&SSPV=
uDefault_Search_URL = hxxp://www.nationzoom.com/web/?type=ds&ts=1386546596&from=tugs&uid=TOSHIBAXMK3252GSX_Z821CJ6STXXZ821CJ6ST&q={searchTerms}
mStart Page = hxxp://www.nationzoom.com/?type=hp&ts=1386546596&from=tugs&uid=TOSHIBAXMK3252GSX_Z821CJ6STXXZ821CJ6ST

Firefox::
FF - ProfilePath - c:\users\Mai\AppData\Roaming\Mozilla\Firefox\Profiles\aeiigypx.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3316751&CUI=UN23749398481411110&UM=2&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Conduit Search
FF - ExtSQL: 2013-12-08 19:14; {8f02605d-be4e-41ba-bd00-c39a59c46919}; c:\users\Mai\AppData\Roaming\Mozilla\Firefox\Profiles\aeiigypx.default\extensions\{8f02605d-be4e-41ba-bd00-c39a59c46919}
FF - ExtSQL: 2014-01-09 20:09; ext@VideoPlayerV3beta507.net; c:\program files\VideoPlayerV3\VideoPlayerV3beta507\ff

ClearJavaCache::


Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows. Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt)
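The CFScript above removes a specific browser hijack (a URLSearchHook, BHO and toolbar all registered under one CLSID, plus hijacked Firefox search preferences) and the thread started with a system DLL, rpcss.dll, that avast flagged as patched. The following PowerShell script is an added example written for this page; it is not part of the thread and not ComboFix's or FRST's own code. It audits the same registry locations the CFScript targets, resolves each registered CLSID to the DLL it loads, lists the Firefox search and homepage preferences, and reports the hash and signature of rpcss.dll before handing the authoritative check to `sfc /verifyfile`. Assumptions: Windows PowerShell 4.0 or later (for `Get-FileHash`), run from an elevated prompt on the affected machine; the CLSID is the one listed in the CFScript; the Browser Helper Objects key is the standard full path that ComboFix abbreviates with `~`.

```powershell
# Added example (not from the forum thread, ComboFix or FRST): audit the
# browser-hijack persistence points the CFScript targets and check the
# integrity of the rpcss.dll that avast flagged as Win32:Patched.
# Assumptions: Windows PowerShell 4.0+, run as Administrator.

# CLSID listed in the thread's CFScript.
$SuspectClsid = '{8f02605d-be4e-41ba-bd00-c39a59c46919}'

# Locations the CFScript edits: search hooks, BHOs (both 32/64-bit views), toolbars.
$HijackKeys = @(
    'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar'
    'HKCU:\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser'
)

# Map a CLSID to the DLL it loads (InprocServer32 default value). The per-user
# hive is checked first because HKCU\Software\Classes takes precedence in HKCR.
function Resolve-ClsidDll([string]$Clsid) {
    foreach ($root in 'HKCU:\Software\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\CLSID') {
        $p = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path -LiteralPath $p) {
            return (Get-ItemProperty -LiteralPath $p).'(default)'
        }
    }
    return '<no InprocServer32 registration>'
}

# Every CLSID registered as a search hook, BHO or toolbar. BHOs and
# Toolbar\Webbrowser use the CLSID as a subkey name; URLSearchHooks and
# Toolbar use it as a value name, so both are collected.
function Get-HijackEntries {
    foreach ($key in $HijackKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item  = Get-Item -LiteralPath $key
        $names = @($item.GetSubKeyNames()) +
                 @($item.GetValueNames() | Where-Object { $_ -like '{*}' })
        foreach ($name in $names) {
            [pscustomobject]@{
                Key     = $key
                Clsid   = $name
                Dll     = Resolve-ClsidDll $name
                Suspect = ($name -ieq $SuspectClsid)
            }
        }
    }
}

# Firefox search/homepage preferences, which the CFScript's Firefox:: section resets.
function Get-FirefoxSearchPrefs {
    $profiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    if (-not (Test-Path -LiteralPath $profiles)) { return }
    foreach ($dir in Get-ChildItem -LiteralPath $profiles -Directory) {
        $prefs = Join-Path $dir.FullName 'prefs.js'
        if (-not (Test-Path -LiteralPath $prefs)) { continue }
        Select-String -LiteralPath $prefs `
            -Pattern 'browser\.search\.(defaulturl|selectedEngine)|browser\.startup\.homepage' |
            ForEach-Object { [pscustomobject]@{ Profile = $dir.Name; Pref = $_.Line.Trim() } }
    }
}

# Hash and signature of the flagged system DLL. Many Microsoft OS files are
# catalog-signed rather than embedded-signed, so 'NotSigned' here is not by
# itself proof of tampering; sfc /verifyfile below is the authoritative check.
function Test-SystemDll([string]$Path = "$env:SystemRoot\System32\rpcss.dll") {
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path      = $Path
        Size      = (Get-Item -LiteralPath $Path).Length
        SHA256    = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        Signature = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

Get-HijackEntries | Sort-Object Suspect -Descending | Format-Table -AutoSize
Get-FirefoxSearchPrefs | Format-Table -AutoSize
Test-SystemDll | Format-List
# Compares the file against the protected-file store; reports if it was altered.
sfc.exe "/verifyfile=$env:SystemRoot\System32\rpcss.dll"
```

Run it before applying the CFScript to record what is registered (the `Dll` column shows which file each hook or BHO actually loads, which is what distinguishes an unwanted toolbar from a legitimate add-on), and again after ComboFix has finished to confirm the entries are gone and the Firefox preferences no longer point at the conduit or nationzoom URLs. If `sfc /verifyfile` reports that rpcss.dll is corrupted, `sfc /scannow` restores it from the component store, which is the usual remedy for a `Win32:Patched` detection on an OS file that the antivirus cannot delete without breaking Windows.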