rootkit

Me again… is there anyone that can tell me if I have a problem? Avast keeps telling me I have an infected file. It says hidden root kit SVC:swcustcfg:???
I would be very grateful for some insight to this dilemma. I now have same error on both my computers! I use a sierra wireless 4g device is this perhaps what you term as a false positive?
Thanks Susanne

follow guide and attach logs http://forum.avast.com/index.php?topic=53253.0

ok, I will do that. I saw the links and will plodd through it to my best ability. Thanks so much

what we need is…

AdwCleaner
Malwarebytes
OTL
aswMBR

Here is the ADW cleaner attachments…
Thanks susanne
working on the next bit now.

Malwarebytes Anti-Malware (Trial) 1.65.0.1400
www.malwarebytes.org

Database version: v2012.10.09.04

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
susanne :: SUSANNE-PC [administrator]

Protection: Enabled

9/10/2012 9:35:45 PM
mbam-log-2012-10-09 (21-35-45).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 201310
Time elapsed: 7 minute(s), 55 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 4
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{04D2B915-19FF-41E9-994D-95DC898BEA43} (PUP.MyWebSearch) → Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{F02C0832-C85C-4B93-8C6F-9DF20121A10D} (PUP.MyWebSearch) → Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy{d09094b3-b426-4f16-a6d9-e211fe222127} (PUP.MyWebSearch) → Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved{7895609d-c8b4-4cf5-a2c7-28223d0c3d92} (PUP.MyWebSearch) → Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Malware report next…

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Program Files\64res.dll (PUP.MyWebSearch) → Quarantined and deleted successfully.
C:\Users\susanne\Local Settings\mwsauto.exe (PUP.MyWebSearch) → Quarantined and deleted successfully.
C:\Users\susanne\Local Settings\Application Data\mwsauto.exe (PUP.MyWebSearch) → Quarantined and deleted successfully.

(end)

OTL attachment

Susanne

There is a interesting set of conclusions when you use the search function here:
http://forum.avast.com/index.php?action=search2

Almost all such instances seem to turn out as false positive…so you should be clean…what you have in Malwarebytes log is just potentially unwanted program [PUP] detection.

though to be on safe side…wait for essexboy’s conclusion.

Enable avast! to detect PUP’s:

Open avast! user interface>>Real time shields>>File system shield>>Expert settings>>sensitivity>>Check the box that says scan for PUP’s>>click ok.

MBR report…

@susannebark
Hello and Wellcome to avast. :wink:

[*] I will be working on your Malware issues this may or may not solve other issues you have with your machine.
[*] The fixes are specific to your problem and should only be used for this issue on this machine.
[*] If you don’t know or understand something, please don’t hesitate to ask.
[*]Please refrain from making any further changes to your computer (Install/Uninstall programs, delete files, edit the registry, etc…)
[*] Please DO NOT run any other tools or scans whilst I am helping you.
[*] It is important that you reply to this thread. Do not start a new topic.
[*] Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
[*] Absence of symptoms does not mean that everything is clear.

There is no need to run tools more than once… :slight_smile:


Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.

Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this or this Instruction.

How to disable avast:

[*]Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
[*]In the window that opens on the top right corner, click Settings.
[*]In a new window that opens, choose the option Troubleshooting, Uncheck Enable avast! self-defense, and click OK.

[*]Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls .
[*]In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn on this option after the cleaning.

Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note:Do not mouse-click Combofix’s window while it is running.
If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart computer once more.

When the tool is finished, it will produce a log report for you. (typical location: C:[b]ComboFix.txt[/b] )
Attach log reports ( ComboFix.txt) back to topic.

Thanks for joining the party magna86. ;D

Goodness… this will take some time. I am now carefully reading through the combofix instructions…

yes… I have clicked on stuff a bit to much in the past, I will try not to be trigger happy. Will disable avast first… Brb…

Ok combo fix is done! Whoo hoo
Susanne

Ps… I enabled Pup’s :wink: (what ever that means)

Enable avast! to detect PUP's:

Open avast! user interface>>Real time shields>>File system shield>>Expert settings>>sensitivity>>Check the box that says scan for PUP’s>>click ok.


No i would not…unless you are absolutely avare of what PUP is this will only lead to confusion
those detected as PUP by Malwarebytes is usually not a problem removing…in this case it was just browser/toolbar crap
avast vill classify a lot more as PUP so i recomend you use avast default settings…PUP scan off

exactely…that is the problem

@susannebark

Step#1
Download TDSSKiller and save it to your desktop

Execute [b]TDSSKiller.exe[/b] by doubleclicking on it.

[*] Press Start Scan

[*] If Suspicious object is detected, the default action will be Skip, click on Continue.
[*] If Malicious objects are found, select Cure.

Once complete, a log will be produced at the root drive which is typically C:\ ,for example, [b]C:\TDSSKiller.<version_date_time>log.txt[/b]

Please post the contents of that log in your next reply.


Step#2

Open notepad and copy/paste the text present inside the code box below:



ClearJavaCache:: 


Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and refering to the picture above.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:[b]ComboFix.txt[/b] )

Thank you again… Pup’s turned off.
… waiting patiently… not pressing too many buttons in the mean time :wink:

Thanks… and here is the report from that. Seems no threat was found.

Having a problem with the next step. I have copied TDSSkiller text from its note pad but cant seem to be able to paste it. Where does it exactly go? thanks