Rootkit Hidden Service

OK, today I managed to kill one of these; it took three runs, but I did it.

First I will need you to delete the current copy of OTL and download the latest version. Then, after the ComboFix run, do a scan with OTL selecting all users.

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open Notepad and copy/paste the text in the quote box below into it:
Rootkit:: C:\Windows\System32\drivers\b2892b92cea0254.sys

File::
C:\Windows\System32\drivers\b2892b92cea0254.sys

Driver::
b2892b92cea0254

Save this as CFScript.txt, in the same location as ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt, which I will require in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If, after the reboot, you get errors about programmes being marked for deletion, then reboot; that will cure it.

I’ve tried to uninstall OTL, but it didn’t show in my list, so I have just deleted it from my desktop. How do I download the new version? Can you send me a link please, if poss? Thanks

Here you go http://oldtimer.geekstogo.com/OTL.exe

Thankee Craig, the standard link will download the latest version.

OK, I have attached the ComboFix log and the OTL log I ran after doing the ComboFix. It seemed to go OK: ComboFix ran all stages, then it said “system file is infected”, did nothing for 10 mins and then automatically rebooted… Did the OTL scan and here we are! Let me know what to do next.

OK, let's go for the second knockout.

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open Notepad and copy/paste the text in the quote box below into it:
FCopy:: c:\windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe|c:\windows\system32\services.exe

MIA::
c:\windows\system32\qmgr.dll

File::
C:\windows\System32\Drivers\b2892b92cea0254.sys
c:\windows\system32\drivers\bvljyyp.sys

Folder::
c:\users\Amy\AppData\Roaming\Ocaxc

Registry::
[-HKEY_LOCAL_MACHINE\system\ControlSet001\services\b2892b92cea0254]

Driver::
pmns
b2892b92cea0254

Save this as CFScript.txt, in the same location as ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt, which I will require in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If, after the reboot, you get errors about programmes being marked for deletion, then reboot; that will cure it.

OK, second ComboFix completed, here’s the log… PS: I don’t know if you can tell, but I was wondering what might have let this virus in? I don’t know if I actually have a firewall, and I have always had Avast antivirus, so I’m not sure what happened.

At the moment, as I have only seen four like this over the last few years, I have been unable to determine the dropper. How is the computer now?

We need to find a file that is missing.

Run OTL, copy the following into the custom scan box, then press Run Scan:

netsvcs
BASESERVICES
%SYSTEMDRIVE%*.exe
/md5start
qmgr.*
/md5stop
CREATERESTOREPOINT

I’m running that scan now. I have just tried logging into my online banking and it didn’t give me that weird message asking for all my personal details and card details… Which would suggest the virus is gone?? Will post you the log from this OTL scan.

Here’s the log.

This should be the last run; could you check Windows Updates please?

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open Notepad and copy/paste the text in the quote box below into it:

File::
C:\Windows\System32\drivers\b2892b92cea0254.sys

FCopy::
C:\Windows\winsxs\amd64_microsoft-windows-bits-client_31bf3856ad364e35_6.1.7600.16385_none_7f85b69413231233\qmgr.dll|c:\windows\system32\qmgr.dll

Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS]
"DisplayName"="@%SystemRoot%\\system32\\qmgr.dll,-1000"
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"Description"="@%SystemRoot%\\system32\\qmgr.dll,-1001"
"ObjectName"="LocalSystem"
"ErrorControl"=dword:00000001
"Start"=dword:00000002
"DelayedAutoStart"=dword:00000001
"Type"=dword:00000020
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,45,00,76,00,65,00,\
  6e,00,74,00,53,00,79,00,73,00,74,00,65,00,6d,00,00,00,00,00
"ServiceSidType"=dword:00000001
"RequiredPrivileges"=hex(7):53,00,65,00,43,00,72,00,65,00,61,00,74,00,65,00,47,\
  00,6c,00,6f,00,62,00,61,00,6c,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,\
  67,00,65,00,00,00,53,00,65,00,49,00,6d,00,70,00,65,00,72,00,73,00,6f,00,6e,\
  00,61,00,74,00,65,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,\
  00,00,53,00,65,00,54,00,63,00,62,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,\
  00,67,00,65,00,00,00,53,00,65,00,41,00,73,00,73,00,69,00,67,00,6e,00,50,00,\
  72,00,69,00,6d,00,61,00,72,00,79,00,54,00,6f,00,6b,00,65,00,6e,00,50,00,72,\
  00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,49,00,6e,00,\
  63,00,72,00,65,00,61,00,73,00,65,00,51,00,75,00,6f,00,74,00,61,00,50,00,72,\
  00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,00,00
"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
  00,01,00,00,00,60,ea,00,00,01,00,00,00,c0,d4,01,00,00,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  71,00,6d,00,67,00,72,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS\Performance]
"Library"="bitsperf.dll"
"Open"="PerfMon_Open"
"Collect"="PerfMon_Collect"
"Close"="PerfMon_Close"
"InstallType"=dword:00000001
"PerfIniFile"="bitsctrs.ini"
"First Counter"=dword:000007d2
"Last Counter"=dword:000007e2
"First Help"=dword:000007d3
"Last Help"=dword:000007e3
"Object List"="2002"
"PerfMMFileName"="Global\\MMF_BITS_s"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS\Security]
"Security"=hex:01,00,14,80,90,00,00,00,a0,00,00,00,14,00,00,00,34,00,00,00,02,\
  00,20,00,01,00,00,00,02,c0,18,00,00,00,0c,00,01,02,00,00,00,00,00,05,20,00,\
  00,00,20,02,00,00,02,00,5c,00,04,00,00,00,00,02,14,00,ff,01,0f,00,01,01,00,\
  00,00,00,00,05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,\
  20,00,00,00,20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,04,\
  00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,06,00,00,00,01,02,\
  00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,05,20,00,00,\
  00,20,02,00,00

Driver::
b2892b92cea0254

Save this as CFScript.txt, in the same location as ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt, which I will require in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If, after the reboot, you get errors about programmes being marked for deletion, then reboot; that will cure it.
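The Registry:: section of the script above is .reg syntax with UTF-16LE strings spelled out as hex(2)/hex(7) byte lists, which makes the restored BITS ImagePath and ServiceDll hard to check by eye. The following decoder is an added example, not code from the thread or from ComboFix; the sample text is a cut-down copy of the posted BITS key, and every function and name in it is my own.

```python
# Added example, not from the thread: decode the hex(2)/hex(7) values in a
# Windows .reg fragment such as the BITS key posted above (UTF-16LE strings).
import re

# Constructed sample: a cut-down copy of the BITS key from the CFScript above.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS]
"DisplayName"="@%SystemRoot%\\system32\\qmgr.dll,-1000"
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"Start"=dword:00000002
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,45,00,76,00,65,00,\
  6e,00,74,00,53,00,79,00,73,00,74,00,65,00,6d,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  71,00,6d,00,67,00,72,00,2e,00,64,00,6c,00,6c,00,00,00
'''

def _decode(kind, payload):
    """Turn the right-hand side of one .reg value into a Python object."""
    if kind == "dword":
        return int(payload, 16)
    if kind == "str":                       # quoted REG_SZ, with \\ and \" unescaped
        return payload.replace("\\\\", "\\").replace('\\"', '"')
    raw = bytes(int(b, 16) for b in payload.split(",") if b)
    if kind == "hex(2)":                    # REG_EXPAND_SZ: UTF-16LE, NUL-terminated
        return raw.decode("utf-16-le").rstrip("\0")
    if kind == "hex(7)":                    # REG_MULTI_SZ: NUL-separated, double-NUL end
        return [s for s in raw.decode("utf-16-le").split("\0") if s]
    return raw                              # plain hex (REG_BINARY) stays as bytes

def parse_reg(text):
    """Return {key_path: {value_name: decoded_value}} for a .reg fragment."""
    text = re.sub(r"\\\n\s*", "", text)     # join backslash-continued lines first
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result[current] = {}
        elif line.startswith('"') and current is not None:
            name, _, rhs = line[1:].partition('"=')
            m = re.match(r"(dword|hex\(\d\)|hex):(.*)", rhs)
            kind, payload = (m.group(1), m.group(2)) if m else ("str", rhs.strip('"'))
            result[current][name] = _decode(kind, payload)
    return result
```

Running parse_reg(SAMPLE_REG) shows ImagePath decoding to %SystemRoot%\System32\svchost.exe -k netsvcs and ServiceDll to %SystemRoot%\System32\qmgr.dll, i.e. the stock BITS configuration the script restores once qmgr.dll is copied back from WinSxS.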

Here’s the log.

OK, how is it running now? Do Windows Updates work? Any further problems?

I’m not sure how to check if Windows Updates work? Was thinking I might run an antivirus check through Avast now and see if it throws anything up. Do the logs suggest the virus is gone? It seems OK, but to be honest the virus wasn’t stopping me doing much; I could still use the net etc…

OK, I just went into Avast and it says “UNSECURED” with a “fix now” button… should I uninstall it and download it starting from fresh? Very worried something else is going to get in now and want to get my antivirus all set up properly. Can you assist me with this?

PS: THANK YOU! You’ve been amazing, I really appreciate the help you’ve given me.

First we will try an Avast repair:
Go to Control Panel > Programs and Features.
Select Avast and then select Repair.

https://dl.dropbox.com/u/73555776/Avast%20repair.JPG

For Windows Updates:
Go to Start > All Programs and select Windows Update.

OK, I did the Avast repair and rebooted, but it is still saying unsecured and getting a big red cross.
Also noticing my internet is a bit iffy; it keeps saying “cannot display webpage” on Google or any other sites, but seems to be OK when I don’t have Avast running??

Windows Updates shows a big red cross saying “cannot check for updates, service not running”… Something’s still not right here, I’m guessing!

OK, could you run ComboFix again and let it update if it requires?

MAJOR problem! I ran ComboFix… it did its usual up to stage 50 and then seemed to try and reboot… Nothing happened for 15 mins, so I switched off. I now can’t switch it back on at all! It’s definitely plugged into the power; I’ve been trying to switch it back on for ages now and nothing’s happening??

It’s come back on now… how weird!!