Rootkit virus

Hi everyone my name is AussieKev and this is my first post on this forum.
I find Avast a great detection and protection program.
I don’t know a lot about computers, and that is probably why I am on this forum to get some help.

This is the situation.
Each time I turn on my computer a message comes up from Avast that I have a virus. Its name apparently is SVC:swcustcfg>??? SVG:swcustcfg>??? The message says it is a dangerous Rootkit virus and it should be deleted immediately. I do this by clicking on OK, then another box comes up and tells me that Avast wants to reboot my computer and clean all the files (I guess to get rid of the virus). I immediately click OK and the computer turns off and back on, and Avast goes through all the files before I can log into Windows.

Great but the message comes up and tells me to do the same again and so on. I then tell it no to rebooting and get on with using the computer. But guess what it all happens again when I switch my computer on the next time.

Is there any way to get rid of this virus, and how do I do it?
I apologize if my terminology is not right, but please help.

:-[ :cry:
Thanks

follow this guide and attach all logs
http://forum.avast.com/index.php?topic=53253.0

lower left corner > additional options > attach

Hi Pondus,
I have never spoken with a Norwegian before so I am pleased that you can help.
I downloaded the malware software and have scanned the computer. Attached is the log.
When I restarted the computer the Rootkit warning still comes up.
Please advise if possible how to rectify.

Thanks very much.
Hope you have a great Christmas in Norway.
AussieKev

could you please attach the rest of the logs
OTL.txt /Extra.txt and aswMBR.txt

Hi Pondus,
Attached are the logs you have requested.
They are in two posts as apparently they are too big to post as one.
OTL logs first
Thanks
AussieKev

Hi Pondus,

Here is another file. This is MBR.
Thanks
AussieKev

super… check back for essexboy verdict

Seems he is busy preparing for Christmas, so he may not enter the forum today :wink:

Hi Pondus,

I have finally reduced the size of the screen shot.

Thanks for the reply I will check back later.

Happy Christmas to you and I hope the new year is good to you.
Thanks
AussieKev

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
IE - HKU\S-1-5-21-1942655802-165071968-358964189-1004\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultUrl = http://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZRxdm103YYAU&fl=0&ptb=so_wEhNHkoV47ci_W57SFw&url=http://edits.mywebsearch.com/toolbaredits/barsearch.jhtml&st=sb&searchfor={searchTerms}
O33 - MountPoints2\{028e61a4-d2cb-11dd-99f4-001731faba9a}\Shell - "" = AutoRun
O33 - MountPoints2\{028e61a4-d2cb-11dd-99f4-001731faba9a}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{028e61a4-d2cb-11dd-99f4-001731faba9a}\Shell\AutoRun\command - "" = J:\DPFMate.exe
O33 - MountPoints2\{17568133-c702-11db-9a12-001485db0f8e}\Shell - "" = AutoRun
O33 - MountPoints2\{17568133-c702-11db-9a12-001485db0f8e}\Shell\1\Command - "" = .\RECYCLER\RECYCLER\autorun.exe
O33 - MountPoints2\{17568133-c702-11db-9a12-001485db0f8e}\Shell\2\Command - "" = .\RECYCLER\RECYCLER\autorun.exe
O33 - MountPoints2\{17568133-c702-11db-9a12-001485db0f8e}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{17568133-c702-11db-9a12-001485db0f8e}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\RECYCLER\RECYCLER\autorun.exe
O33 - MountPoints2\{44fcca9a-9b5d-11de-be1b-0022b0641ecd}\Shell - "" = AutoRun
O33 - MountPoints2\{44fcca9a-9b5d-11de-be1b-0022b0641ecd}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{44fcca9a-9b5d-11de-be1b-0022b0641ecd}\Shell\AutoRun\command - "" = J:\AutoRun.exe
O33 - MountPoints2\{6f8bb9e3-51ff-11db-98fb-001485db0f8e}\Shell - "" = AutoRun
O33 - MountPoints2\{6f8bb9e3-51ff-11db-98fb-001485db0f8e}\Shell\1\Command - "" = .\RECYCLER\RECYCLER\autorun.exe
O33 - MountPoints2\{6f8bb9e3-51ff-11db-98fb-001485db0f8e}\Shell\2\Command - "" = .\RECYCLER\RECYCLER\autorun.exe
O33 - MountPoints2\{6f8bb9e3-51ff-11db-98fb-001485db0f8e}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{6f8bb9e3-51ff-11db-98fb-001485db0f8e}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\RECYCLER\RECYCLER\autorun.exe
O33 - MountPoints2\{85032672-165c-11dc-9ac5-001485db0f8e}\Shell - "" = AutoRun
O33 - MountPoints2\{85032672-165c-11dc-9ac5-001485db0f8e}\Shell\1\Command - "" = .\RECYCLER\RECYCLER\autorun.exe
O33 - MountPoints2\{85032672-165c-11dc-9ac5-001485db0f8e}\Shell\2\Command - "" = .\RECYCLER\RECYCLER\autorun.exe
O33 - MountPoints2\{85032672-165c-11dc-9ac5-001485db0f8e}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{85032672-165c-11dc-9ac5-001485db0f8e}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\RECYCLER\RECYCLER\autorun.exe
O33 - MountPoints2\{9050e88e-8792-11dc-9b9a-001485db0f8e}\Shell - "" = AutoRun
O33 - MountPoints2\{9050e88e-8792-11dc-9b9a-001485db0f8e}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{9050e88e-8792-11dc-9b9a-001485db0f8e}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
O33 - MountPoints2\{9676cb98-1d31-11df-beca-0022b0641ecd}\Shell - "" = AutoRun
O33 - MountPoints2\{9676cb98-1d31-11df-beca-0022b0641ecd}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{9676cb98-1d31-11df-beca-0022b0641ecd}\Shell\AutoRun\command - "" = E:\WIN\setup.exe
O33 - MountPoints2\{b6159948-2928-11e1-81fd-0022b0641ecd}\Shell - "" = AutoRun
O33 - MountPoints2\{b6159948-2928-11e1-81fd-0022b0641ecd}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{b6159948-2928-11e1-81fd-0022b0641ecd}\Shell\AutoRun\command - "" = E:\WIN\setup.exe
O33 - MountPoints2\{cf2c2a83-e739-11da-b20a-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{cf2c2a83-e739-11da-b20a-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{cf2c2a83-e739-11da-b20a-806d6172696f}\Shell\AutoRun\command - "" = D:\setup.exe

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.
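The O33 block of that fix is worth a closer look, because it is where the USB-borne infection shows itself: the MountPoints2 key caches the AutoPlay and right-click handlers Explorer saw on each removable volume, and several of the cached launch commands point at a relative RECYCLER\RECYCLER\autorun.exe, in some cases proxied through RunDLL32 ShellExec_RunDLL, rather than at a normal absolute vendor launcher such as E:\LaunchU3.exe. The script below is an added example (it is not part of this thread and not OTL's code) that parses OTL-style O33 lines and lists which command values carry those worm-style traits, so a helper triaging a log can see at a glance which entries matter. The sample lines are copied from the fix script above plus one constructed non-O33 line; the indicator names and the ordering are my own choices.

```python
"""Triage OTL "O33 - MountPoints2" log lines for autorun-worm launch commands.

Windows keeps, per user, a MountPoints2 key that caches the AutoPlay and
context-menu handlers Explorer saw on each removable volume (keyed by the
volume's GUID). The ...\Shell\AutoRun\command and ...\Shell\<n>\Command values
name the program that AutoPlay or the right-click menu would launch for that
volume. A vendor launcher is normally an absolute path on the volume's own
drive letter; a USB worm instead registers a relative path into a hidden
RECYCLER folder, often proxied through RunDLL32 ShellExec_RunDLL so the
value does not look like a bare executable.

Added example for the thread, not OTL's code: the indicator names and the
ordering are the author's own choices.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Matches the OTL O33 line layout seen in the fix script in the thread.
O33_RE = re.compile(
    r'^O33 - MountPoints2\\\{(?P<guid>[0-9a-fA-F-]{36})\}\\Shell'
    r'(?P<subkey>(?:\\[^\s\\]+)*) - "" = (?P<value>.*)$'
)


@dataclass
class MountPointEntry:
    guid: str
    subkey: str                 # '' for the Shell default, '\\AutoRun\\command', '\\1\\Command', ...
    value: str
    indicators: List[str] = field(default_factory=list)

    @property
    def is_command(self) -> bool:
        """True for the values that actually name a program to run."""
        return self.subkey.lower().endswith('\\command')


def launch_indicators(command: str) -> List[str]:
    """Return the worm-style traits present in one launch command (empty = none seen)."""
    lowered = command.strip().lower()
    found = []
    if lowered.startswith('.\\') or lowered.startswith('..\\'):
        found.append('relative path, resolved against whatever volume is mounted')
    if 'recycler' in lowered:
        found.append('executable kept under a RECYCLER folder')
    if re.search(r'(^|\\)autorun\.exe\b', lowered):
        found.append('payload named autorun.exe')
    if 'rundll32' in lowered and 'shellexec_rundll' in lowered:
        found.append('launched indirectly through RunDLL32 ShellExec_RunDLL')
    return found


def parse_o33(line: str) -> Optional[MountPointEntry]:
    """Parse one OTL line; None for anything that is not an O33 MountPoints2 entry."""
    m = O33_RE.match(line.strip())
    if m is None:
        return None
    entry = MountPointEntry(m['guid'], m['subkey'], m['value'])
    if entry.is_command:
        entry.indicators = launch_indicators(entry.value)
    return entry


def triage(lines: Iterable[str]) -> List[MountPointEntry]:
    """Keep only the command values, most indicators first (stable for ties)."""
    entries = [e for e in map(parse_o33, lines) if e is not None and e.is_command]
    return sorted(entries, key=lambda e: (-len(e.indicators), e.guid))


# Sample input: lines copied from the OTL fix script in the thread, plus one
# constructed non-O33 line to show that other OTL sections are ignored.
SAMPLE_LINES = [
    r'O33 - MountPoints2\{028e61a4-d2cb-11dd-99f4-001731faba9a}\Shell - "" = AutoRun',
    r'O33 - MountPoints2\{028e61a4-d2cb-11dd-99f4-001731faba9a}\Shell\AutoRun\command - "" = J:\DPFMate.exe',
    r'O33 - MountPoints2\{17568133-c702-11db-9a12-001485db0f8e}\Shell\1\Command - "" = .\RECYCLER\RECYCLER\autorun.exe',
    r'O33 - MountPoints2\{17568133-c702-11db-9a12-001485db0f8e}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\RECYCLER\RECYCLER\autorun.exe',
    r'O33 - MountPoints2\{44fcca9a-9b5d-11de-be1b-0022b0641ecd}\Shell\AutoRun\command - "" = J:\AutoRun.exe',
    r'O33 - MountPoints2\{9050e88e-8792-11dc-9b9a-001485db0f8e}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a',
    r'O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - No CLSID value found.',  # constructed
]

if __name__ == '__main__':
    for e in triage(SAMPLE_LINES):
        verdict = 'SUSPICIOUS' if e.indicators else 'review by hand'
        print(f'{verdict:15} {e.guid[:8]} {e.subkey:18} {e.value}')
        for why in e.indicators:
            print(' ' * 15 + '- ' + why)
```

Run against the sample, the two entries for volume 17568133 come out first with three indicators each, J:\AutoRun.exe is flagged only for its file name, and J:\DPFMate.exe and E:\LaunchU3.exe -a carry no indicator at all; the fix in the thread removes every cached entry regardless, which is the right call since the cache serves no purpose once the volume is gone, but the parser shows which ones were actually doing harm.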

Hi Essexboy,

I have run the OTL and will post the log, but with the ComboFix it started okay and had to download from Microsoft, and a box came up and said something about the fix should take up to 10 mins to do, unless the computer is badly affected, when it could take double the time. The box had a dash under the wording flashing which said it was doing its thing, but after two and a half hours nothing happened, so the ComboFix didn’t complete its scan.
Please advise what to do now.

Thanks
AussieKev

Could you try ComboFix from safe mode please; if that fails I will use a different approach

Hi Essexboy,

I did as you requested and started computer in safemode but unfortunately Combofix did not work again.

I guess it is back to the drawing board, but I am sure you have it covered.

Thanks again for the help.

AussieKev

OK time for the AVP analysis

Upload the zip file to megaupload - link at the bottom

Download AVPTool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named )

First we will run a virus scan

Click the cog in the upper right

http://i1224.photobucket.com/albums/ee362/Essexboy3/AVP%20shots/AVPfront.gif

Select down to and including your main drive, once done select the Automatic scan tab and press Start Scan

http://i1224.photobucket.com/albums/ee362/Essexboy3/AVP%20shots/avpsettings.gif

Allow AVP to delete all infections found
Once it has finished select report tab (last tab)
Select Detected threats report from the left and press Save button
Save it to your desktop and attach to your next post

Now the Analysis

Rerun AVP and select the Manual Disinfection tab and press Start Gathering System Information

http://i1224.photobucket.com/albums/ee362/Essexboy3/AVP%20shots/AVPAnalysis.gif

On completion click the link to locate the zip file to upload and attach to your next post

http://i1224.photobucket.com/albums/ee362/Essexboy3/AVP%20shots/AVPZiplocation.gif

Megaupload

Hi Essexboy,

A couple of questions-
1/ “Upload the zip file to megaupload - link at the bottom” Please advise if I have to register on megaupload and once registered what do I do with the program. I don’t understand your step about uploading zip file etc. Do I do it first or do I do it at the end.

2/“Download AVPTool from Here to your desktop” Once again do I register to download program and then I guess I would run the virus scan after I have registered and downloaded the program.

Sorry I don’t understand all what you say as I am a complete novice at this IT stuff. I admire your knowledge and skills with computers. Thanks for being patient and helping me I am sure it is not easy when you are many miles away and you have to deal with someone who doesn’t really know what he is doing.
By the way is all these programs safe or do I run risks of people getting into my computer and any info stored there.

Thanks again for guiding me through.

AussieKev

By the way is all these programs safe or do I run risks of people getting into my computer and any info stored there
Yes, they are all safe.... And Essexboy is a trained and certified malware remover and teacher over at the Geeks to Go forum

you register to download the Kaspersky AVP tool

when you have run AVP it will create a zip file that you upload so essexboy can get it

see all the text belonging to the last two pictures

Hi Essexboy or Pondus,

Okay I have done as you requested in the posts and here are the results.

At the end of the scan(after a couple of hours) The scan said there were no threats therefore there was no report and the save button wasn’t operating.

I continued and started the gathering system information and clicked on the box Start Gathering System Information. It started gathering information and at 76% completed it stopped gathering information and the box appeared that says Start Gathering System Information. I tried again to gather the information but it only got to 76% again.

Therefore I don’t have any reports to send so please advise if I do it all again or what happens from here. The computer seems very slow now.
This is starting to seem serious?

Thanks again for your time.

AussieKev

Yep what Pondus said… I have been travelling today and just returned

Hi Essexboy,

I have run the virus removal tool but no threats were found, so it could not generate a report. I have gathered the other analysis as requested and uploaded it successfully to Megaupload, but do not know how to attach the zip file as the additional options will not accept zip files.
Please advise how to send the zip file to you.

AussieKev

why not also upload the zip to megaupload :wink:

but you need to post the download links here so essexboy can get the files…

Hi Pondus,
Not sure what you mean but I will copy the files to this post if possible.

avptool_sysinfo.zip 34.4 KB www.megaupload.com/?d=XGEDT2K7

avptool_sysinfo.zip

Please advise if this is correct

AussieKev