Is there anything that can be done by Avast? I’m using the Avast SafeZone browser. The rest of my computer has been taken over by this gd “file recovery” scam. I was able to get Malwarebytes to scan but it can’t install updates and is not able to detect the trojan.
Malwarebytes did find two files, they were removed but the problem remains.
Downloaded new MWB in Avast SafeZone and it seemed to install. Most recent update was 7/6/2012.
My MWB Log:
Malwarebytes' Anti-Malware 1.46
Database version: 912070605
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
7/19/2012 12:34:05 AM
mbam-log-2012-07-19 (00-34-05).txt
Scan type: Quick scan
Objects scanned: 225728
Time elapsed: 14 minute(s), 32 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Follow this guide and attach (not copy and paste) logs from OTL and aswMBR:
http://forum.avast.com/index.php?topic=53253.0
When done, a malware remover will be notified.
OBS: the log is from an old version of Malwarebytes.
Always click the update button before you start a scan…
Malwarebytes releases about 10 updates a day.
Pondus,
Thank you for helping out.
The log is attached. I'm still using the Avast SafeZone desktop which is a great feature but functions are limited.
While I check the OTL log
[*] Download RogueKiller and save it on your desktop.
[*] Quit all programs.
[*] Start RogueKiller.exe.
[*] Wait until Prescan has finished …
[*] Click on Scan.
http://i1224.photobucket.com/albums/ee362/Essexboy3/RogueKiller/RGKRScan.png
[*] Wait for the end of the scan.
[*] The report has been created on the desktop.
[*] Click on the Delete button.
http://i1224.photobucket.com/albums/ee362/Essexboy3/RogueKiller/RGKRDelete.png
[*] The report has been created on the desktop.
[*] Next click on the ShortcutsFix.
http://i1224.photobucket.com/albums/ee362/Essexboy3/RogueKiller/RGKRShortcutsFix.png
[*] The report has been created on the desktop.
Please post: All RKreport.txt text files located on your desktop.
Can’t download Rogue Killer. Certain pages will not load in SafeZone browser and this (not the RK site, the download url) is one of them. I was able to download it last night and ran the scan but it froze about half way through.
I’ll keep trying.
Nope, let's see if we can clear the way with OTL. After OTL reboots, retry RogueKiller.
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following
https://dl.dropbox.com/u/73555776/OTL_Fix.GIF
:processes
killallprocesses
:OTL
O2 - BHO: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll ()
O2 - BHO: (no name) - AutorunsDisabled - No CLSID value found.
O3 - HKLM..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-861567501-616249376-682003330-1004..\Toolbar\WebBrowser: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll ()
O4 - HKU\S-1-5-21-861567501-616249376-682003330-1004…\Run: [XkuFknwTA9e8fy] Reg Error: Value error. File not found
O4 - HKLM…\RunOnce: [InnoSetupRegFile.0000000001] Reg Error: Value error. File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled [2012/07/18 21:01:31 | 000,000,000 | -H-D | M]
O4 - Startup: C:\Documents and Settings\Ken\Start Menu\Programs\Startup\AutorunsDisabled [2012/05/23 09:18:36 | 000,000,000 | -H-D | M]
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O36 - AppCertDlls: ctfmopen - (C:\WINDOWS\system32\fcnet1.dll) - File not found
[2012/07/18 21:07:02 | 000,250,880 | -H-- | C] (KLS) -- C:\Documents and Settings\All Users\Application Data\XkuFknwTA9e8fy.exe
[2012/07/18 20:50:53 | 000,342,528 | -H-- | C] (KLS) -- C:\Documents and Settings\All Users\Application Data\jMKcDoHSJxHTokD.exe
[2012/07/15 23:59:20 | 000,000,000 | -H-D | C] -- C:\619ae3113afb17ab17c6
[2012/07/15 12:28:21 | 000,000,000 | -H-D | C] -- C:\5e5a6e416fc1c98f99352183898e23
[2012/07/19 00:06:31 | 000,711,240 | ---- | M] () -- C:\WINDOWS\is-27NKP.exe
[2012/07/19 00:06:31 | 000,010,550 | ---- | M] () -- C:\WINDOWS\is-27NKP.msg
[2012/07/19 00:06:31 | 000,000,451 | ---- | M] () -- C:\WINDOWS\is-27NKP.lst
[2012/07/18 21:18:24 | 000,000,368 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\XkuFknwTA9e8fy
[2012/07/18 21:18:08 | 000,000,096 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data-XkuFknwTA9e8fyr
[2012/07/18 21:18:08 | 000,000,096 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data-XkuFknwTA9e8fy
[2012/07/18 21:07:15 | 000,000,855 | -H-- | M] () -- C:\Documents and Settings\Ken\Application Data\Microsoft\Internet Explorer\Quick Launch\File_Recovery.lnk
[2012/07/18 21:07:15 | 000,000,837 | -H-- | M] () -- C:\Documents and Settings\Ken\Desktop\File_Recovery.lnk
[2012/07/18 21:07:02 | 000,250,880 | -H-- | M] (KLS) -- C:\Documents and Settings\All Users\Application Data\XkuFknwTA9e8fy.exe
[2012/07/18 20:46:48 | 000,342,528 | -H-- | M] (KLS) -- C:\Documents and Settings\All Users\Application Data\jMKcDoHSJxHTokD.exe
[2012/07/18 21:07:16 | 000,000,096 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data-XkuFknwTA9e8fyr
[2012/07/18 21:07:16 | 000,000,096 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data-XkuFknwTA9e8fy
[2012/07/18 21:07:15 | 000,000,855 | -H-- | C] () -- C:\Documents and Settings\Ken\Application Data\Microsoft\Internet Explorer\Quick Launch\File_Recovery.lnk
[2012/07/18 21:07:15 | 000,000,837 | -H-- | C] () -- C:\Documents and Settings\Ken\Desktop\File_Recovery.lnk
[2012/07/18 21:07:06 | 000,000,368 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\XkuFknwTA9e8fy
:Files
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[CREATERESTOREPOINT]
[Reboot]
[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
Will try RK again
I think that crippled it. I will need to do some more killing once RogueKiller has finished.
Still can’t download RK. Is there any chance the problem is on their end? All download sites w/RK refer back to same url.
Click the Globe under my Avatar, I have just uploaded a copy of Roguekiller there
RK crashed again in the same place. Right at the start of “Searching for Hijacks”.
Also there were no separate .txt reports.
Quite a few files were found on the initial scan. They got deleted.
During the Scan initiated by me, there were about 4 “Errors” as opposed to “Found”.
Will the “Report” button give me a Log readout?
I am going to try it again.
Yes, select report. Meanwhile I will revisit the last OTL log and do some more cleaning.
I really want to get the desktop back before I use a stronger tool
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following
https://dl.dropbox.com/u/73555776/OTL_Fix.GIF
:OTL
O2 - BHO: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll File not found
O2 - BHO: (no name) - AutorunsDisabled - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll File not found
O4 - HKLM..\Run: [jMKcDoHSJxHTokD.exe] Reg Error: Value error. File not found
O4 - HKCU..\Run: [XkuFknwTA9e8fy] Reg Error: Value error. File not found
O4 - HKLM..\RunOnce: [InnoSetupRegFile.0000000001] Reg Error: Value error. File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O24 - Desktop Components:0 () -
[2012/05/13 11:51:21 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Babylon
[2011/01/01 02:35:00 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Ken\Application Data\PriceGong
:Files
ipconfig /flushdns /c
xcopy %Temp%\smtmp\1 "%AllUsersProfile%\Start Menu" /H /I /S /Y /C
xcopy %Temp%\smtmp\2 "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch" /H /I /S /Y /C
xcopy %Temp%\smtmp\3 "%AppData%\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar" /H /I /S /Y /C
xcopy %Temp%\smtmp\4 "%AllUsersProfile%\Desktop" /H /I /S /Y /C
C:\Program Files\Search Toolbar
:Commands
[purity]
[resethosts]
[CREATERESTOREPOINT]
[Reboot]
[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
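A small triage helper, added here as an example and not part of OTL or of either fix in this thread: it parses OTL file lines and O-lines in the format both fixes above use and flags the indicator types this thread turned up (a hidden random-named .exe in Application Data, the File_Recovery.lnk launcher, orphaned Run entries, an AppCertDlls hook, the IE Restrictions policy). The sample lines are copied from the logs quoted above; the 12-16 character random-name heuristic is an assumption, not an OTL rule.

```python
import re

# OTL file line: [date time | size | attrs | C=created/M=modified] (company) -- path
FILE_RE = re.compile(
    r"^\[(?P<ts>\S+ \S+) \| (?P<size>[\d,]+) \| (?P<attr>[-A-Z]{4}) \| [CM]\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+)$")
# OTL registry/startup line, e.g. "O4 - HKCU..\Run: [name] Reg Error: Value error. File not found"
OLINE_RE = re.compile(r"^(?P<code>O\d+) - (?P<body>.+)$")
# Assumption: the rogue's droppers use 12-16 char alphanumeric random names (XkuFknwTA9e8fy.exe above)
RANDOM_EXE = re.compile(r"(?i)\\[a-z0-9]{12,16}\.exe$")

def triage_line(line):
    """Return (tag, detail) if the OTL line matches an indicator type from this thread, else None."""
    m = FILE_RE.match(line.strip())
    if m:
        path, attr = m.group("path"), m.group("attr")
        # the rogue drops a hidden (-H--) random-named .exe under All Users\Application Data
        if "H" in attr and "Application Data" in path and RANDOM_EXE.search(path):
            return ("hidden-random-exe", path)
        if path.lower().endswith("file_recovery.lnk"):   # launcher shortcut for the rogue
            return ("rogue-shortcut", path)
        return None
    m = OLINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    if code == "O36":                       # AppCertDlls: DLL loaded into every new process
        return ("appcertdll", body)
    if code == "O4" and "File not found" in body:
        return ("orphan-autorun", body)     # Run/RunOnce value pointing at a deleted file
    if code == "O2" and ("File not found" in body or body.endswith("()")):
        return ("unsigned-bho", body)       # BHO with no company name or a missing DLL
    if code == "O6":
        return ("ie-policy", body)          # IE Restrictions policy, used by rogues to lock IE
    return None

def triage(lines):
    return [hit for hit in map(triage_line, lines) if hit]

# Constructed sample: lines copied from the OTL logs quoted in this thread
SAMPLE = r"""
O2 - BHO: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll ()
O4 - HKCU..\Run: [XkuFknwTA9e8fy] Reg Error: Value error. File not found
O36 - AppCertDlls: ctfmopen - (C:\WINDOWS\system32\fcnet1.dll) - File not found
[2012/07/18 21:07:02 | 000,250,880 | -H-- | C] (KLS) -- C:\Documents and Settings\All Users\Application Data\XkuFknwTA9e8fy.exe
[2012/07/18 21:07:15 | 000,000,837 | -H-- | C] () -- C:\Documents and Settings\Ken\Desktop\File_Recovery.lnk
[2012/07/19 00:06:31 | 000,711,240 | ---- | M] () -- C:\WINDOWS\is-27NKP.exe
""".strip().splitlines()
```

Running `triage(SAMPLE)` returns five hits in log order and leaves the unhidden is-27NKP.exe line alone, which is the sort of first pass a helper does before writing a fix like the ones above.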
My last post was incorrect.
The files were “Found” during the first scan (by me).
The crash came when I hit “Delete”: 4 “Errors”, and then it stopped when it got to “Searching for *** Hijacks”.
Will see if I can get a report from the scan.
Could you just run the Hijacks fix for now and see if that completes
The OTL log
Sometimes I can use the SafeZone browser, sometimes I can’t (black screen).
When I can’t I have to reboot. It’s driving me nuts.
Found 2 other RK logs. Will attach.
OK, let's get the bigger boy on to it.
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1
Link 2
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
- IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks
http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png
http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png
[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.
Notes:
- Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
- Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
- If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
OK. The problem: how do I get CF out of Avast SafeZone and onto my Desktop? I can only get online through SafeZone. There is no “Save As” in the ComboFix setup. When I download, does CF go anywhere other than SafeZone?
I am able to access Explorer by My Computer from the Desktop (which looks like a battle zone). Where else might Combo-fix be downloaded to?