Restarting, svchost.exe trying to connect to random IPs and sites. (RESOLVED)

Hello everyone.

I’m posting here because I have no idea where else to post, or what else to try, and I hope you can offer me assistance.

I have Windows XP, service pack 3 build 2600.

It all started a number of days ago, and if I recall correctly it was August 13th-14th. Not entirely sure when. I was browsing around, and I had many tabs open. Avast suddenly blocked some URL it said was infected with malware. I freaked out, and decided to check for updates to both my antivirus which is obviously Avast, and to my firewall which is Comodo. Sure enough there were updates. I installed these updates, and when it asked to restart my system I did. However, when it booted up it got to my desktop screen, and froze completely. I thought nothing of it at first and restarted again. It froze again. I started up once more; it restarted itself. I began freaking out. I’ve tried Combofix, SUPERantispyware, Malwarebytes, a scan disk, and a boot time scan with Avast. All of which were in safe mode as it was the only thing that would work. None of this worked, but suddenly I decided to try something. I uninstalled Avast in safe mode and tried starting up normally. It started up. I then reinstalled Avast, but every time I start up I have to uninstall it in safe mode and reinstall it when I’m on in regular mode.

When I turn off the restart when encountering system error option I get a BSOD. I didn’t write the BSOD down, but I could always try going and getting it if it’s needed, but sometimes it goes by really fast, and then proceeds to ask if I wish to try to boot up normally or in safe mode. I do remember it started with 0x0000008E last time I saw it.

Now, when I boot up regularly (after uninstalling Avast, of course) I proceed to install Avast again. When I install Avast and I’m online, it starts blocking svchost.exe in C:/WINDOWS/system32 from connecting to all sorts of things. Here are the things it’s blocked so far:
IP addresses it’s tried to connect to are below.
69.169.92.53
66.230.138.163
178.162.172.37
Sites it’s tried to connect to are below.
peckt.com
taxact2006.com

After I used Malwarebytes my computer wouldn’t boot up normally even without Avast off. I tried a system restore, but it still was restarting. I used Combofix, and it booted up without Avast on my computer. It’s still restarting every time Avast is on my computer though. I ran Svchost Analyzer from Neuber and it had three warnings. There are three svchost.exe files it had a problem with. All of which won’t show their location. Under the File area in the program it says “Access is denied, Run program as Administrator!” Just so you know, I AM the administrator account on this computer. It also says under group “No Microsoft file.” Under services it says 0. It detected appmgmts.dll missing. I replaced it, and it’s finally finding it. It’s still detecting the three svchost.exe files though.

I don’t know what to do. I’ve had viruses before, but this one is unlike anything I’ve had. In the past Avast got rid of everything I’ve got infected with, but scanning doesn’t seem to get rid of this. I don’t have the results on the boot time scan anymore as I had to reinstall Avast. I do remember it came up with something called Renosa, and Alureon-FZ. It also found some things in Java. I put them into the chest.

I’m also getting pop ups saying that generic host services has encountered an error and needs to close.

Does anyone know how I can get rid of this… thing I have?

If you need anymore information from me let me know.
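One way to triage alerts like the ones described in this post, as an added example that is not part of the thread: a short Python script that reads firewall/antivirus block events for svchost.exe and flags the patterns a defender cares about (a copy of svchost.exe running from outside %SystemRoot%\system32, connections straight to an IP with no hostname, and destinations that are not a known Microsoft service). The log line format, the allow-list of Microsoft domain suffixes and the sample lines are constructed for this example; the IPs and hostnames in them are the ones reported in the post, padded with addresses from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges where the post gave only a hostname.

```python
"""Triage firewall/AV block events for svchost.exe outbound connections.

Added example, not code from the forum thread. The line format, the
allow-list and the sample log are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# Assumption: the desktop firewall logs one event per line in the form
#   <date> <time> <ALLOW|BLOCK> <process> <full path> -> <ip>:<port> (<hostname or ->)
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|BLOCK) (?P<proc>\S+) (?P<path>.+?) -> "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) \((?P<host>[^)]*)\)$"
)

# The genuine service host lives here on a 32-bit Windows XP install.
EXPECTED_PATH = r"c:\windows\system32\svchost.exe"

# Assumption: domain suffixes the real svchost.exe is expected to talk to
# (Windows Update and similar); extend for your environment.
ALLOWED_SUFFIXES = ("windowsupdate.com", "microsoft.com", "windows.com")

# Constructed sample: the IPs and hostnames reported in the thread, plus
# documentation-range addresses (203.0.113.x, 198.51.100.x) where the
# thread gave only a hostname, and one masquerading copy of svchost.exe.
SAMPLE_LOG = r"""
2011-08-20 14:02:11 BLOCK svchost.exe C:\WINDOWS\system32\svchost.exe -> 69.169.92.53:80 (-)
2011-08-20 14:02:19 BLOCK svchost.exe C:\WINDOWS\system32\svchost.exe -> 66.230.138.163:80 (-)
2011-08-20 14:03:02 BLOCK svchost.exe C:\WINDOWS\system32\svchost.exe -> 178.162.172.37:443 (-)
2011-08-20 14:03:40 BLOCK svchost.exe C:\WINDOWS\system32\svchost.exe -> 203.0.113.10:80 (peckt.com)
2011-08-20 14:03:55 BLOCK svchost.exe C:\WINDOWS\system32\svchost.exe -> 203.0.113.11:80 (taxact2006.com)
2011-08-20 14:05:00 ALLOW svchost.exe C:\WINDOWS\system32\svchost.exe -> 198.51.100.20:80 (download.windowsupdate.com)
2011-08-20 14:05:30 BLOCK svchost.exe C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\svchost.exe -> 203.0.113.12:80 (-)
2011-08-20 14:06:00 ALLOW firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe -> 198.51.100.30:80 (www.aol.com)
"""


@dataclass
class Finding:
    timestamp: str
    action: str
    path: str
    dest: str
    host: str
    reasons: list = field(default_factory=list)


def host_is_allowed(host: str) -> bool:
    """True if host equals, or is a subdomain of, an allowed suffix."""
    h = host.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in ALLOWED_SUFFIXES)


def triage(log_text: str) -> list:
    """Return a Finding for every svchost.exe event that looks suspicious."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m["proc"].lower() != "svchost.exe":
            continue  # malformed line or a different process
        reasons = []
        if m["path"].lower() != EXPECTED_PATH:
            reasons.append("svchost.exe running from outside %SystemRoot%\\system32")
        host = m["host"].strip()
        if host in ("", "-"):
            reasons.append("connection straight to an IP with no hostname")
        elif not host_is_allowed(host):
            reasons.append("destination is not a known Microsoft service")
        if reasons:
            findings.append(Finding(m["ts"], m["action"], m["path"],
                                    f"{m['ip']}:{m['port']}", host, reasons))
    return findings


def summarize(findings) -> dict:
    """Count findings per reason for a quick overview."""
    counts = {}
    for f in findings:
        for r in f.reasons:
            counts[r] = counts.get(r, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.timestamp} {f.action} {f.path} -> {f.dest} ({f.host or '-'})")
        for r in f.reasons:
            print(f"    - {r}")
    print(summarize(triage(SAMPLE_LOG)))
```

The path check matters as much as the destination check: the real service host is one binary in system32, so a second svchost.exe elsewhere on disk (the kind of thing Svchost Analyzer reports as a non-Microsoft file) is a finding on its own, whatever it connects to.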

Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
( post the logs here and not in the guide )

To avoid multiple posts with copy and paste, attach the logs: lower left corner: Additional Options > Attach (Malwarebytes log / OTL log). Save the OTL log as ANSI. If the logs are too big, upload them to http://www.mediafire.com/ and post the download link here.

Essexboy will look at the logs when he arrives here later today…

Alright, I finished with the Malwarebytes scan, but Avast keeps asking me when I try to open OTL.exe if I want to run it in sandbox mode as it’s potentially dangerous. It didn’t do this with Malwarebytes. Is it alright to run it still? Sorry, I just want to make sure it’s safe. Avast has never asked me to do that.

Infected by Alureon?
Download aswMBR from here http://public.avast.com/~gmerek/aswMBR.htm
Download
Run
Scan
On completion of the scan click [Save log], save it to your desktop and post in your next reply
In your next post you should include OTS and aswMBR log.

Hi Mentholic

Do you have the Combofix log?
It is located at C:\Combofix.txt

but Avast keeps asking me when I try to open OTL.exe if I want to run it in sandbox mode as it's potentially dangerous
Do not run it sandboxed; OTL is only a diagnostic tool.

Sorry for the late reply. I was going to try to post everything last night, but it was getting to be 4:00 AM where I live, and I decided to go to sleep. Plus I had to wait for Media Fire to finish with maintenance tonight.

I had to run OTL in safe mode. I tried running it in normal mode, but my computer kept restarting randomly. I tried uninstalling Avast, because that’s what I’ve had to do since I got this virus or whatever it is, but now it’s restarting regardless. I hope this is alright. The extras.txt never popped up. I ran it twice to see if it would, but it didn’t. As for aswMBR, will it work in safe mode? If I could get my computer to stop restarting all the time I’d gladly run OTL in normal mode.

I included the Combofix log as requested by Argus.

Malwarebytes log
http://www.mediafire.com/?owbhmfw2awvo4zn

OTL log (The extras.txt wouldn’t pop up. I searched for it but it wasn’t anywhere to be found.)
http://www.mediafire.com/?g1op1wrz4tf3fcy

Combofix log
http://www.mediafire.com/?5q6nmh1scy0h9uh

Open notepad and copy/paste the text present inside the code box below:

Snapshot::

File::
c:\docume~1\ADMINI~1\LOCALS~1\Temp\HY.exe
c:\windows\system32\drivers\nfwhjacm.sys

Folder::
c:\program files\Ask.com

Driver::
HY
iecgp

Registry::
[-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]

RegLock::
[HKEY_USERS\S-1-5-21-796845957-1035525444-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,16,ef,53,47,aa,89,5b,47,91,a7,7c,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,16,ef,53,47,aa,89,5b,47,91,a7,7c,\

Save this as CFScript to desktop.

http://img213.imageshack.us/img213/1218/cfscript1.gif

Drag CFScript.txt into Combofix.exe. ComboFix will re-run.

When finished, it will produce a log for you.
Copy/paste the contents of the log in your next reply. (typical location: C:\ComboFix.txt)


Download and install the program MCShield

Plug in a USB flash memory and wait; let MCShield scan it.

Copy/paste the contents of the log in your next reply

Alright, I’m able to boot up normally for now. I managed to run OTL in normal mode too. If requested I’ll upload that, but extras.txt didn’t pop up.

I did the Combofix scan.
I had to add it as an attachment; it was too many characters to copy and paste in my post, and I didn’t want to upset anyone by double posting. I used the script you gave me, Argus.

As for the USB flash memory, I don’t have one. I could ask someone I know that might have one.

Also, svchost.exe is trying to connect to oraclereview.com, sme365.com/search.php and usedjetskis.net now, but Avast blocks it.

I ran the aswMBR scan that Left123 asked me to run. I attached the log.

COMODO Internet Security > Is it just a firewall installed?

Yes, it’s just the firewall installed.

I have to be in consultation; I will continue throughout the day.

Please also download MBRCheck to your desktop

http://ad13.geekstogo.com/MBRCheck.exe

Double click MBRCheck.exe to run (Vista and Win 7: right click and select Run as Administrator)
It will show a Black screen with some information that will contain either the below line if no problem is found:
    Done! Press ENTER to exit...
Or you will see more information like below if a problem is found:
    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )
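What a tool like MBRCheck is doing under the hood, as an added example that is not part of the thread and not MBRCheck's own code: a Python parser for the 512-byte master boot record that validates the 0x55AA boot signature, decodes the four partition entries, checks that exactly one partition is active and that none overlap, and compares a SHA-256 of the bootstrap code against a baseline recorded while the disk was known clean. The sample sector is constructed inline (placeholder bootstrap bytes and a single NTFS partition); the check_mbr and build_sample_mbr names are this example's own.

```python
"""Parse and sanity-check a 512-byte MBR (added example, not MBRCheck's code)."""
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 440          # bytes 0-439: bootstrap code; 440-443: disk signature
PART_TABLE_OFF = 446        # four 16-byte partition entries follow
ENTRY_FMT = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIG = b"\x55\xaa"      # last two bytes of a valid MBR

# A few common partition type ids; anything else is reported as unusual.
KNOWN_TYPES = {
    0x05: "Extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
    0x0F: "Extended (LBA)", 0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective",
}


def parse_partitions(mbr: bytes) -> list:
    """Decode the four partition table entries into dicts."""
    parts = []
    for i in range(4):
        status, _chs0, ptype, _chs1, lba, count = struct.unpack_from(
            ENTRY_FMT, mbr, PART_TABLE_OFF + i * 16)
        parts.append({
            "index": i, "status": status, "type": ptype,
            "type_name": KNOWN_TYPES.get(ptype, "unused" if ptype == 0 else "unusual"),
            "lba_start": lba, "sectors": count,
        })
    return parts


def check_mbr(mbr: bytes, known_bootcode_sha256: str = None) -> dict:
    """Report bootstrap hash, disk signature, partitions and any issues found."""
    if len(mbr) != SECTOR:
        return {"issues": [f"expected {SECTOR} bytes, got {len(mbr)}"], "partitions": []}
    issues = []
    if mbr[510:512] != BOOT_SIG:
        issues.append("missing 0x55AA boot signature")
    bootcode_hash = hashlib.sha256(mbr[:BOOTCODE_LEN]).hexdigest()
    if known_bootcode_sha256 and bootcode_hash != known_bootcode_sha256:
        issues.append("bootstrap code differs from known-good baseline")
    parts = parse_partitions(mbr)
    active = [p for p in parts if p["status"] == 0x80]
    if len(active) != 1:
        issues.append(f"{len(active)} partitions marked active (expected exactly 1)")
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            issues.append(f"entry {p['index']}: invalid status byte 0x{p['status']:02x}")
        if p["type_name"] == "unusual":
            issues.append(f"entry {p['index']}: unusual partition type 0x{p['type']:02x}")
    # Overlap check on the entries that are actually in use.
    used = sorted((p for p in parts if p["sectors"]), key=lambda p: p["lba_start"])
    for a, b in zip(used, used[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            issues.append(f"entries {a['index']} and {b['index']} overlap")
    return {"bootcode_sha256": bootcode_hash,
            "disk_signature": mbr[BOOTCODE_LEN:BOOTCODE_LEN + 4].hex(),
            "partitions": parts, "issues": issues}


def build_sample_mbr(tamper: bool = False) -> bytes:
    """Constructed sample: placeholder bootstrap code and one active NTFS partition."""
    bootcode = bytearray(b"\xeb\x63\x90" + b"\x90" * (BOOTCODE_LEN - 3))
    if tamper:
        bootcode[100] ^= 0xFF  # flip one byte to simulate a modified bootstrap
    disk_sig = b"\x12\x34\x56\x78" + b"\x00\x00"
    entry1 = struct.pack(ENTRY_FMT, 0x80, b"\x00\x01\x00", 0x07, b"\xfe\xff\xff", 63, 16_777_216)
    table = entry1 + b"\x00" * 48  # three unused entries
    return bytes(bootcode) + disk_sig + table + BOOT_SIG


if __name__ == "__main__":
    clean = build_sample_mbr()
    baseline = check_mbr(clean)["bootcode_sha256"]  # record this while the disk is known clean
    for label, sector in (("clean", clean), ("tampered", build_sample_mbr(tamper=True))):
        report = check_mbr(sector, baseline)
        print(label, "issues:", report["issues"] or "none")
```

On a live system the sector would be read from \\.\PhysicalDrive0 with administrator rights, but a boot-sector rootkit of the kind TDSSKiller later reports on this machine can intercept that read and hand back a clean-looking copy, which is why the structural checks above are only sanity checks. The comparison against the baseline hash is the substantive test, and it is only trustworthy when the sector is read offline (boot CD, or the disk attached to another machine) and the baseline was recorded before infection.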

Here’s the log it created.

What version of Avast do you have?

Open notepad and copy/paste the text present inside the code box below:

File::
c:\windows\system32\XDva347.sys
c:\windows\TEMP\drv1.tmp

Driver::
XDva347

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NTProcDrv]

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5643
uInternet Settings,ProxyOverride = <local>

Firefox::
FF - ProfilePath - c:\documents and settings\Ally\Application Data\Mozilla\Firefox\Profiles\oj6zsqx0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/?src=aim&ncid=snsusaimc00000001
FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=CDS&o=16188&locale=en_US&apn_uid=33D52B6B-B9BA-4EBA-9AF0-E0D154FA832C&apn_ptnrs=QP&apn_sauid=9E9DF2BC-4CB6-4385-9416-9738EAEBDCD8&apn_dtid=YYYYYYYYUS&q=

Save this as CFScript to desktop.

http://img213.imageshack.us/img213/1218/cfscript1.gif

Drag CFScript.txt into Combofix.exe. ComboFix will re-run.

When finished, it will produce a log for you.
Copy/paste the contents of the log in your next reply. (typical location: C:\ComboFix.txt)


Download TDSSKiller on the Desktop:
http://support.kaspersky.com/downloads/utils/tdsskiller.exe

When you download the program do the following:

Deactivate/turn off your protective software.

Close running programs.

Run program. Press the button Start scan.
When the scan is over, the utility outputs a list of detected objects with description.
The utility automatically selects an action (Cure or Delete) for malicious objects.
If malicious objects are found, make sure that you choose “Cure”

http://support.kaspersky.com/images/support_new/2663-2-eng.png

and click Continue, and then click Reboot Now.

Attach the contents of the log from the following location:
C:\TDSSKiller_version_DD.MM.GG_HH.MM.SS.txt

Note:
(DD = day, MM = month, GG = year, HH = hour, MM = minutes, SS = seconds; the date and time the log was made)
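The DDS:: lines in the script above remove a proxy that points the browser at 127.0.0.1:5643, that is, at a process on the machine itself. A small check for that condition, as an added example that is not part of the thread: Python that parses the WinINet ProxyServer format (either one host:port for every protocol, or per-protocol http=...;https=... entries), flags loopback proxies and, optionally, any proxy host not on an approved list. On Windows it reads the current user's Internet Settings key; elsewhere it falls back to the proxy lines quoted in the post. The function names and the approved-proxy list are this example's own, and bracketed IPv6 proxy hosts are not handled.

```python
"""Check WinINet per-user proxy settings for a local-proxy hijack.

Added example, not part of the thread. Runs anywhere; the registry read
is only attempted on Windows.
"""
import re

try:
    import winreg  # Windows only
except ImportError:
    winreg = None

INTERNET_SETTINGS = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"

# The proxy lines exactly as the thread's CFScript quoted them (DDS report style).
SAMPLE_DDS = """\
uInternet Settings,ProxyServer = http=127.0.0.1:5643
uInternet Settings,ProxyOverride = <local>
"""
DDS_LINE_RE = re.compile(r"^uInternet Settings,(?P<name>\w+) = (?P<value>.*)$")


def parse_proxy_server(value: str) -> dict:
    """Parse a ProxyServer string into {scheme: (host, port)}.

    WinINet accepts either "host:port" (applies to all protocols; keyed
    here as "*") or "http=h:p;https=h:p;ftp=h:p;socks=h:p".
    """
    result = {}
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue
        scheme, sep, hostport = item.partition("=")
        if not sep:
            scheme, hostport = "*", item
        host, sep, port = hostport.rpartition(":")
        if not sep:
            host, port = hostport, ""
        result[scheme.strip().lower()] = (host.strip().lower(),
                                          int(port) if port.isdigit() else None)
    return result


def is_loopback(host: str) -> bool:
    return host in ("localhost", "::1") or host.startswith("127.")


def assess_proxy(proxy_enable, proxy_server: str, expected_proxies=()) -> list:
    """Return human-readable findings for one user's proxy configuration."""
    findings = []
    if not int(proxy_enable or 0) or not proxy_server:
        return findings  # no proxy in effect
    for scheme, (host, port) in parse_proxy_server(proxy_server).items():
        label = f"{scheme}={host}:{port}"
        if is_loopback(host):
            findings.append(f"{label}: browser traffic is routed through a process on this "
                            "machine; identify the owner of that listening port (netstat -ano)")
        elif expected_proxies and host not in expected_proxies:
            findings.append(f"{label}: proxy host is not on the approved list")
    return findings


def settings_from_dds(text: str) -> dict:
    """Pull the Internet Settings values out of DDS-style report lines."""
    settings = {}
    for line in text.splitlines():
        m = DDS_LINE_RE.match(line.strip())
        if m:
            settings[m["name"]] = m["value"].strip()
    return settings


def assess_from_dds(text: str, expected_proxies=()) -> list:
    s = settings_from_dds(text)
    # Assumption: DDS only lists proxy values that are set, so a listed
    # ProxyServer is treated as in effect unless ProxyEnable says otherwise.
    return assess_proxy(s.get("ProxyEnable", "1"), s.get("ProxyServer", ""), expected_proxies)


def read_current_user_proxy():
    """(ProxyEnable, ProxyServer) for HKCU, or None when not on Windows."""
    if winreg is None:
        return None
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, INTERNET_SETTINGS) as key:
        def value(name, default):
            try:
                return winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                return default
        return value("ProxyEnable", 0), value("ProxyServer", "")


if __name__ == "__main__":
    live = read_current_user_proxy()
    findings = assess_proxy(*live) if live else assess_from_dds(SAMPLE_DDS)
    print("\n".join(findings) or "no proxy findings")
```

A loopback proxy is never a normal end-user setting on a home machine, so it is worth checking for every user profile (the key is per user under HKEY_USERS) and not only the one currently logged on; removing the registry value, as the CFScript does, stops the redirection, but the process that was listening on the port still has to be found and removed.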

Just looking at Mentholic’s aswMBR log: although it doesn’t say the avast version, the virus database is positively ancient (6 weeks old).

00:15:42.171 AVAST engine defs: 11070401

So I don’t know if that would impact the number of suspicious files found.

Hahaha, I am working 6 cases at the same time

What version of Avast do you have?

This is not for him ;D sorry

My Firefox is full of tabs

I used the Combofix script, and the TDSS program you gave me, Argus.

As for the Avast database being old, would having to uninstall it in safe mode every time I want to get into normal mode affect that? I’ve been having to do that ever since I got this virus or whatever it is on my system.

I uploaded the TDSS log to MediaFire. I downloaded the attachment to make sure it looked alright, and it was all over the place and looked weird, so I decided to upload it to MediaFire in hopes of making it readable. Hope that’s alright.

TDSS Log:
http://www.mediafire.com/?7eatuvo2sap4oyv

Update:
Since I’ve done the above scans, I reinstalled Avast, and told it to update the database, and then restarted my computer. So far, there hasn’t been a crash or any BSODs. My computer seems to be running better, and svchost.exe hasn’t tried to connect to anything yet. I’m hoping this helped. If there’s anything else you’d like me to run, or try I’ll gladly do it.

LockedFile.Multi.Generic(sptd) - User select action: Skip > DaemonTools

Rootkit.Boot.Pihar.a(\Device\Harddisk0\DR0) - User select action: Cure > Rootkit

It seems that everything is OK. It is necessary to uninstall Combofix.

Start > Run - copy the following

ComboFix /Uninstall

enter

cheers