Trojan 8000000.@ and malware that persists, can anyone assist me, PLEASE

I don’t have any programs except avast (free edition) so I can’t post logs yet like others have done.
I am less than a novice so any assistance in step by step would really be appreciated. Avast keeps popping up with the 8000000.@ Trojan and yetanotherstreet.com/x/ (glabalsystemroot, svchost.exe) and inthecrapagain malware.

The pop ups got worse after it scanned the PC before startup.

I believe I was infected from the flash installer that wasn’t the real thing.

So far I have only uninstalled avast and re-installed. Now it won’t even update correctly.

Thanks in advance for assisting me in ridding this nastiness.

Uninstalling Avast was a mistake, as they are genuine infections that Avast was holding in check.

Download OTL to your Desktop

[*]Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.

https://dl.dropbox.com/u/73555776/OTL_Main_Tutorial.gif

[*]Select All Users
[*]Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
HKEY_CURRENT_USER\Software\Microsoft\Windows Media\WMSDK\Local\AutoProxyCache /s
CREATERESTOREPOINT

[*]Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Post both logs

THEN

Download aswMBR.exe ( 4.8mb ) to your desktop.
Double click the aswMBR.exe to run it. Click the “Scan” button to start the scan.

http://dl.dropbox.com/u/73555776/aswMBRscan.png

On completion of the scan click save log, save it to your desktop and post in your next reply

http://dl.dropbox.com/u/73555776/aswMBRlog.png
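The /md5start ... /md5stop block in the OTL custom scan above makes OTL list every copy of services.exe, explorer.exe, winlogon.exe, userinit.exe and svchost.exe on the drive with its MD5, so that a patched copy in System32 stands out against the untouched copies Windows keeps in WinSxS; the %SYSTEMDRIVE%\*.exe line lists executables dropped straight into the drive root. The following Python script is an added example, not code from the thread or from OTL, that does the same inventory and groups the copies by hash. The directory layout and file contents built by build_demo_tree() are constructed for the demo; on a real machine you would call scan_tree() on the drive root instead.

```python
"""Added example, not code from the original thread: a Python stand-in for
the /md5start ... /md5stop and %SYSTEMDRIVE%\\*.exe parts of the OTL custom
scan above.  Every copy of the watched binaries is hashed and grouped by MD5
so that a modified copy stands out from the others.  The layout built by
build_demo_tree() is constructed for the demo; on a real system call
scan_tree() on the drive root."""
import hashlib
import os
import tempfile
from collections import defaultdict

# Base names from the OTL scan above; "services.*" is matched by base name so
# that oddly renamed siblings (services.exe.bak etc.) are listed as well.
WATCHED = {"services", "explorer", "winlogon", "userinit", "svchost"}


def md5_file(path, chunk=1 << 16):
    """MD5 of a file, streamed so large binaries are not read into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root):
    """Return {basename_lower: {md5: [paths, ...]}} for every watched binary."""
    found = defaultdict(lambda: defaultdict(list))
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            stem = name.lower().split(".", 1)[0]
            if stem in WATCHED:
                path = os.path.join(dirpath, name)
                found[name.lower()][md5_file(path)].append(path)
    return {name: dict(hashes) for name, hashes in found.items()}


def suspicious(found):
    """Names present with more than one distinct hash.  Caveat: on x64 the
    SysWOW64 copy is a 32-bit build and WinSxS holds several service-pack
    versions, so a mismatch is a lead to check (file version, signature,
    location), not proof on its own."""
    return {name: hashes for name, hashes in found.items() if len(hashes) > 1}


def root_executables(root):
    """The %SYSTEMDRIVE%\\*.exe line: executables sitting directly in the drive
    root, which is not where legitimate installers leave programs."""
    return sorted(n for n in os.listdir(root)
                  if n.lower().endswith(".exe") and os.path.isfile(os.path.join(root, n)))


def build_demo_tree():
    """Constructed layout: a clean WinSxS services.exe, a modified System32
    copy, two identical svchost.exe copies, explorer.exe, and a stray root .exe."""
    root = tempfile.mkdtemp(prefix="otl_demo_")
    layout = {
        "Windows/System32/services.exe": b"MZ services 6.1.7600 PATCHED",
        "Windows/winsxs/amd64_services/services.exe": b"MZ services 6.1.7600",
        "Windows/System32/svchost.exe": b"MZ svchost 6.1.7600",
        "Windows/SysWOW64/svchost.exe": b"MZ svchost 6.1.7600",
        "Windows/explorer.exe": b"MZ explorer 6.1.7600",
        "dropper.exe": b"MZ not a Windows file",
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    report = scan_tree(demo)
    for name in sorted(report):
        for digest, paths in report[name].items():
            for p in paths:
                print(f"{digest}  {p}")
    print("names with conflicting hashes:", sorted(suspicious(report)))
    print("executables in drive root:", root_executables(demo))
```

In the demo, services.exe is the only name with two different hashes, and dropper.exe is the only executable in the drive root. On a real x64 system the SysWOW64 copies legitimately differ from System32, so the hash list is read alongside file versions and signatures rather than on its own.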

Essexboy thanks so much! I tried to post the logs but it seems each one is over the character limit. Is there a way for me to attach them?

Attachment instructions here http://forum.avast.com/index.php?topic=53253.0

I apologize for my obvious ineptness, so thanks for assisting and being patient.

I have attached the logs.

Not a problem, everyone must learn at some stage.

Ok, it looks like you have two for the price of one.

Warning: This fix is only relevant for this system and no other, using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL
FF - prefs.js..browser.search.order.1: "Search the web (Babylon)"
FF - prefs.js..browser.search.selectedEngine: "Search the web (Babylon)"
FF - prefs.js..browser.startup.homepage: "http://search.babylon.com/?babsrc=HP_ss&affID=100842&mntrId=707f3dfa000000000000000000000000"
FF - prefs.js..keyword.URL: "http://search.babylon.com/?babsrc=adbartrp&affID=100842&mntrId=707f3dfa000000000000000000000000&q="
[2012/03/22 18:24:36 | 000,000,000 | ---D | M] (ShopToWin15) -- C:\Users\SD\AppData\Roaming\Mozilla\Firefox\Profiles\mv0k3ima.default\extensions\{4ac80c6c-0a1b-4b3a-ad7e-8a6d8f5e6928}
[2011/10/29 13:30:00 | 000,000,000 | ---D | M] (Babylon) -- C:\Users\SD\AppData\Roaming\Mozilla\Firefox\Profiles\mv0k3ima.default\extensions\ffxtlbr@babylon.com
[2011/10/29 13:28:58 | 000,002,288 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\babylon.xml
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O3 - HKU\S-1-5-21-2107614648-1780357811-3228383531-1002\..\Toolbar\WebBrowser: (no name) - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No CLSID value found.
O3 - HKU\S-1-5-21-2107614648-1780357811-3228383531-1002\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Low Rights present
[2012/01/31 19:55:44 | 000,000,000 | ---D | M] -- C:\Users\SD\AppData\Roaming\Babylon

:Files
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\{0969aa29-2304-1fd3-a04a-6e12edee7bcd}
C:\Windows\System32\config\systemprofile\AppData\Local\{0969aa29-2304-1fd3-a04a-6e12edee7bcd}
C:\Windows\Installer\{0969aa29-2304-1fd3-a04a-6e12edee7bcd}
ipconfig /flushdns /c
netsh int ip reset c:\resetlog.txt /c
ipconfig /release /c
ipconfig /renew /c
sc create BITS binpath= "c:\windows\system32\svchost.exe -k netsvcs" start= delayed-auto /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download the latest version of TDSSKiller from here and save it to your Desktop.

[*]Doubleclick on TDSSKiller.exe to run the application

http://dl.dropbox.com/u/73555776/TDSSFront.JPG

[*]Then click on Change parameters.

http://dl.dropbox.com/u/73555776/TDSSConfig.JPG

[*]Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

[*]Click the Start Scan button.

[*]If a suspicious object is detected, the default action will be Skip, click on Continue.

http://dl.dropbox.com/u/73555776/TDSSFound.JPG

[*]If malicious objects are found, they will show in the Scan results and offer three (3) options.
[*]Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

[*]Get the report by selecting Reports

http://dl.dropbox.com/u/73555776/TDSSEnd.JPG

[*]Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

Please copy and paste its contents on your next reply.

FINALLY

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
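The :Files section of the fix above removes the same {GUID}-named folder from three places, C:\Windows\Installer and the system profile's AppData\Local under both System32 and SysWOW64, and the Avast detection in the first post names an object called 8000000.@. The Python script below is an added example, not code from the thread or from OTL, that checks for exactly that pattern: GUID-named directories directly under those three parents, files in them ending in ".@", and the same GUID recurring under more than one parent. The temp tree built by build_demo_tree() is constructed for the demo, and the hypothetical otl_files_block() helper only formats what it finds in the layout of an OTL :Files section.

```python
"""Added example, not code from the original thread: looks for the folder
pattern the OTL :Files fix above removes.  The paths in default_parents()
are the three parents named in the fix; build_demo_tree() is a constructed
tree for the demo; otl_files_block() is the author's helper that formats
hits the way an OTL :Files section is written."""
import os
import re
import tempfile

GUID_DIR = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)


def default_parents(windir=r"C:\Windows"):
    """The three parents the fix above lists the GUID folder under."""
    return [
        os.path.join(windir, "Installer"),
        os.path.join(windir, "System32", "config", "systemprofile", "AppData", "Local"),
        os.path.join(windir, "SysWOW64", "config", "systemprofile", "AppData", "Local"),
    ]


def find_guid_dirs(parents):
    """Return [(parent, dirname, [files ending in .@])] for every GUID-named
    directory directly under the given parents.  Windows Installer keeps
    legitimate {GUID} folders for its own cache, so the name alone proves
    nothing; the .@ payload files and the same GUID under several parents
    are the signals."""
    hits = []
    for parent in parents:
        if not os.path.isdir(parent):
            continue
        for name in sorted(os.listdir(parent)):
            full = os.path.join(parent, name)
            if os.path.isdir(full) and GUID_DIR.match(name):
                payload = sorted(f for f in os.listdir(full) if f.endswith(".@"))
                hits.append((parent, name, payload))
    return hits


def recurring_guids(hits):
    """GUIDs that appear under more than one of the parents."""
    seen = {}
    for parent, name, _payload in hits:
        seen.setdefault(name.lower(), set()).add(parent)
    return sorted(g for g, parents in seen.items() if len(parents) > 1)


def otl_files_block(hits):
    """Format the suspicious folders (payload present or GUID recurring) as
    the lines of an OTL :Files section, one full path per line."""
    rec = set(recurring_guids(hits))
    lines = [":Files"]
    for parent, name, payload in hits:
        if payload or name.lower() in rec:
            lines.append(os.path.join(parent, name))
    return "\n".join(lines)


def build_demo_tree():
    """Constructed tree: the GUID from the fix above under all three parents,
    with a payload file in the Installer copy, plus one harmless MSI cache
    folder that must not be flagged."""
    root = tempfile.mkdtemp(prefix="guid_demo_")
    windir = os.path.join(root, "Windows")
    parents = default_parents(windir)
    bad = "{0969aa29-2304-1fd3-a04a-6e12edee7bcd}"
    for p in parents:
        os.makedirs(os.path.join(p, bad), exist_ok=True)
    with open(os.path.join(parents[0], bad, "8000000.@"), "wb") as f:
        f.write(b"constructed payload")
    legit = os.path.join(parents[0], "{11111111-2222-3333-4444-555555555555}")
    os.makedirs(legit, exist_ok=True)
    with open(os.path.join(legit, "setup.msi"), "wb") as f:
        f.write(b"constructed installer cache")
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    hits = find_guid_dirs(default_parents(os.path.join(demo, "Windows")))
    for parent, name, payload in hits:
        print(f"{os.path.join(parent, name)}  payload={payload}")
    print("recurring:", recurring_guids(hits))
    print(otl_files_block(hits))
```

Against the demo tree the recurring GUID is listed three times in the generated :Files block and the harmless Installer cache folder is left alone. The sc create BITS line in the fix is a separate step that this check does not cover; it re-registers the BITS service entry under svchost -k netsvcs.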

Here is the last log you requested.

Continue with the fixes now as that confirmed the infection

OTL Log Attached

TDSS Log

12:08:18.0012 3720 TDSS rootkit removing tool 2.7.48.0 Jul 24 2012 13:16:32
12:08:18.0043 3720 ============================================================
12:08:18.0043 3720 Current date / time: 2012/08/05 12:08:18.0043
12:08:18.0043 3720 SystemInfo:
12:08:18.0043 3720
12:08:18.0043 3720 OS Version: 6.1.7600 ServicePack: 0.0
12:08:18.0043 3720 Product type: Workstation
12:08:18.0043 3720 ComputerName: MININT-4F38PMO
12:08:18.0043 3720 UserName: SD
12:08:18.0043 3720 Windows directory: C:\Windows
12:08:18.0043 3720 System windows directory: C:\Windows
12:08:18.0043 3720 Running under WOW64
12:08:18.0043 3720 Processor architecture: Intel x64
12:08:18.0043 3720 Number of processors: 4
12:08:18.0043 3720 Page size: 0x1000
12:08:18.0043 3720 Boot type: Normal boot
12:08:18.0043 3720 ============================================================
12:08:19.0150 3720 Drive \Device\Harddisk0\DR0 - Size: 0x950B056000 (596.17 Gb), SectorSize: 0x200, Cylinders: 0x13001, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type ‘K0’, Flags 0x00000040
12:08:19.0150 3720 ============================================================
12:08:19.0150 3720 \Device\Harddisk0\DR0:
12:08:19.0150 3720 MBR partitions:
12:08:19.0150 3720 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x48CFE800
12:08:19.0150 3720 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x48CFF000, BlocksNum 0x1B58800
12:08:19.0150 3720 ============================================================
12:08:19.0182 3720 C: ↔ \Device\Harddisk0\DR0\Partition0
12:08:19.0244 3720 D: ↔ \Device\Harddisk0\DR0\Partition1
12:08:19.0244 3720 ============================================================
12:08:19.0244 3720 Initialize success
12:08:19.0244 3720 ============================================================

I am trying to finish the last part (combo) but I read the instructions on how to disable avast (right click icon and disable shields) but combo is still telling me it is running. What to do?

just ignore and run…

you may need to reboot twice after running combofix…

Here is the attached combofix log

I turned the shields back on and so far not a single pop up. Things seem to be running smoothly. Thank you for all your guidance!!

Thank you for all your guidance!!
don't go away....he is not done yet ;)

Could you re-run TDSSKiller please as it did not complete

For some reason the log is too big to cut and paste, here is the last of it

13:45:22.0373 1280 WcsPlugInService (20f7441334b18cee52027661df4a6129) C:\Windows\System32\WcsPlugInService.dll
13:45:22.0419 1280 WcsPlugInService - ok
13:45:22.0466 1280 Wd (72889e16ff12ba0f235467d6091b17dc) C:\Windows\system32\DRIVERS\wd.sys
13:45:22.0482 1280 Wd - ok
13:45:22.0529 1280 Wdf01000 (441bd2d7b4f98134c3a4f9fa570fd250) C:\Windows\system32\drivers\Wdf01000.sys
13:45:22.0575 1280 Wdf01000 - ok
13:45:22.0607 1280 WdiServiceHost (bf1fc3f79b863c914687a737c2f3d681) C:\Windows\system32\wdi.dll
13:45:22.0653 1280 WdiServiceHost - ok
13:45:22.0669 1280 WdiSystemHost (bf1fc3f79b863c914687a737c2f3d681) C:\Windows\system32\wdi.dll
13:45:22.0700 1280 WdiSystemHost - ok
13:45:22.0763 1280 WebClient (733006127f235be7c35354ebee7b9a7b) C:\Windows\System32\webclnt.dll
13:45:22.0794 1280 WebClient - ok
13:45:22.0825 1280 Wecsvc (c749025a679c5103e575e3b48e092c43) C:\Windows\system32\wecsvc.dll
13:45:22.0934 1280 Wecsvc - ok
13:45:22.0950 1280 wercplsupport (7e591867422dc788b9e5bd337a669a08) C:\Windows\System32\wercplsupport.dll
13:45:23.0059 1280 wercplsupport - ok
13:45:23.0106 1280 WerSvc (6d137963730144698cbd10f202e9f251) C:\Windows\System32\WerSvc.dll
13:45:23.0199 1280 WerSvc - ok
13:45:23.0277 1280 WfpLwf (611b23304bf067451a9fdee01fbdd725) C:\Windows\system32\DRIVERS\wfplwf.sys
13:45:23.0387 1280 WfpLwf - ok
13:45:23.0402 1280 WIMMount (05ecaec3e4529a7153b3136ceb49f0ec) C:\Windows\system32\drivers\wimmount.sys
13:45:23.0433 1280 WIMMount - ok
13:45:23.0527 1280 WinDefend - ok
13:45:23.0527 1280 WinHttpAutoProxySvc - ok
13:45:23.0636 1280 Winmgmt (19b07e7e8915d701225da41cb3877306) C:\Windows\system32\wbem\WMIsvc.dll
13:45:23.0745 1280 Winmgmt - ok
13:45:23.0839 1280 WinRM (41fbb751936b387f9179e7f03a74fe29) C:\Windows\system32\WsmSvc.dll
13:45:24.0011 1280 WinRM - ok
13:45:24.0198 1280 WinUsb (817eaff5d38674edd7713b9dfb8e9791) C:\Windows\system32\DRIVERS\WinUsb.sys
13:45:24.0245 1280 WinUsb - ok
13:45:24.0291 1280 Wlansvc (4fada86e62f18a1b2f42ba18ae24e6aa) C:\Windows\System32\wlansvc.dll
13:45:24.0385 1280 Wlansvc - ok
13:45:24.0416 1280 WmiAcpi (f6ff8944478594d0e414d3f048f0d778) C:\Windows\system32\DRIVERS\wmiacpi.sys
13:45:24.0447 1280 WmiAcpi - ok
13:45:24.0510 1280 wmiApSrv (38b84c94c5a8af291adfea478ae54f93) C:\Windows\system32\wbem\WmiApSrv.exe
13:45:24.0557 1280 wmiApSrv - ok
13:45:24.0635 1280 WMPNetworkSvc - ok
13:45:24.0666 1280 WPCSvc (96c6e7100d724c69fcf9e7bf590d1dca) C:\Windows\System32\wpcsvc.dll
13:45:24.0697 1280 WPCSvc - ok
13:45:24.0713 1280 WPDBusEnum (2e57ddf2880a7e52e76f41c7e96d327b) C:\Windows\system32\wpdbusenum.dll
13:45:24.0775 1280 WPDBusEnum - ok
13:45:24.0791 1280 ws2ifsl (6bcc1d7d2fd2453957c5479a32364e52) C:\Windows\system32\drivers\ws2ifsl.sys
13:45:24.0900 1280 ws2ifsl - ok
13:45:24.0931 1280 wscsvc (8f9f3969933c02da96eb0f84576db43e) C:\Windows\system32\wscsvc.dll
13:45:24.0993 1280 wscsvc - ok
13:45:24.0993 1280 WSearch - ok
13:45:25.0103 1280 wuauserv (38340204a2d0228f1e87740fc5e554a7) C:\Windows\system32\wuaueng.dll
13:45:25.0274 1280 wuauserv - ok
13:45:25.0430 1280 WudfPf (7cadc74271dd6461c452c271b30bd378) C:\Windows\system32\drivers\WudfPf.sys
13:45:25.0555 1280 WudfPf - ok
13:45:25.0586 1280 WUDFRd (3b197af0fff08aa66b6b2241ca538d64) C:\Windows\system32\DRIVERS\WUDFRd.sys
13:45:25.0695 1280 WUDFRd - ok
13:45:25.0727 1280 wudfsvc (b551d6637aa0e132c18ac6e504f7b79b) C:\Windows\System32\WUDFSvc.dll
13:45:25.0851 1280 wudfsvc - ok
13:45:25.0867 1280 WwanSvc (9a3452b3c2a46c073166c5cf49fad1ae) C:\Windows\System32\wwansvc.dll
13:45:25.0945 1280 WwanSvc - ok
13:45:26.0007 1280 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk0\DR0
13:45:26.0273 1280 \Device\Harddisk0\DR0 ( TDSS File System ) - warning
13:45:26.0273 1280 \Device\Harddisk0\DR0 - detected TDSS File System (1)
13:45:26.0288 1280 Boot (0x1200) (e7cb5ff6d2f813ae44e8b42edc3e6708) \Device\Harddisk0\DR0\Partition0
13:45:26.0288 1280 \Device\Harddisk0\DR0\Partition0 - ok
13:45:26.0304 1280 Boot (0x1200) (b9efbd968edfbe98313801d37875a212) \Device\Harddisk0\DR0\Partition1
13:45:26.0304 1280 \Device\Harddisk0\DR0\Partition1 - ok
13:45:26.0304 1280 ============================================================
13:45:26.0304 1280 Scan finished
13:45:26.0304 1280 ============================================================
13:45:26.0319 4780 Detected object count: 1
13:45:26.0319 4780 Actual detected object count: 1
13:45:33.0714 4780 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
13:45:33.0729 4780 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip
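The two TDSSKiller logs in this thread carry more than the "- ok" lines: the first gives the drive size and the MBR partition table, the second ends with a detection against the whole device (\Device\Harddisk0\DR0) rather than against either partition, plus the action the user chose. The Python script below is an added example, not code from the thread or from Kaspersky, that parses log lines in this 2.7.x layout, separates objects with warnings or detections from the ones that scanned ok, records the user action, and uses the Drive/Partition lines to compute how many sectors sit past the last partition, which is the unpartitioned tail where the TDL4 family stores the hidden file system TDSSKiller reports as "TDSS File System". LOG is an excerpt of the logs pasted above; the regular expressions are the author's.

```python
"""Added example, not code from the original thread: a parser for TDSSKiller
log lines in the 2.7.x layout pasted above.  LOG is an excerpt of the two
logs in the thread; the regexes are the author's and assume that layout."""
import re

LOG = """\
12:08:19.0150 3720 Drive \\Device\\Harddisk0\\DR0 - Size: 0x950B056000 (596.17 Gb), SectorSize: 0x200, Cylinders: 0x13001, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
12:08:19.0150 3720 \\Device\\Harddisk0\\DR0\\Partition0: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x48CFE800
12:08:19.0150 3720 \\Device\\Harddisk0\\DR0\\Partition1: MBR, Type 0x7, StartLBA 0x48CFF000, BlocksNum 0x1B58800
13:45:25.0867 1280 WwanSvc (9a3452b3c2a46c073166c5cf49fad1ae) C:\\Windows\\System32\\wwansvc.dll
13:45:25.0945 1280 WwanSvc - ok
13:45:26.0273 1280 \\Device\\Harddisk0\\DR0 ( TDSS File System ) - warning
13:45:26.0273 1280 \\Device\\Harddisk0\\DR0 - detected TDSS File System (1)
13:45:26.0288 1280 \\Device\\Harddisk0\\DR0\\Partition0 - ok
13:45:26.0319 4780 Detected object count: 1
13:45:33.0714 4780 \\Device\\Harddisk0\\DR0 ( TDSS File System ) - skipped by user
13:45:33.0729 4780 \\Device\\Harddisk0\\DR0 ( TDSS File System ) - User select action: Skip
"""

# time, thread id, rest of line
LINE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) (\d+) (.*)$")
DRIVE = re.compile(r"^Drive (?P<dev>\S+) - Size: (?P<size>0x[0-9A-Fa-f]+) .*SectorSize: (?P<ss>0x[0-9A-Fa-f]+)")
PART = re.compile(r"^(?P<dev>\S+?)\\Partition(?P<idx>\d+): MBR, Type (?P<type>0x[0-9A-Fa-f]+), "
                  r"StartLBA (?P<start>0x[0-9A-Fa-f]+), BlocksNum (?P<num>0x[0-9A-Fa-f]+)$")
STATUS = re.compile(r"^(?P<obj>.+?) - (?P<status>ok|warning|detected .+|skipped by user|User select action: \w+)$")


def parse(log):
    """Return (drives, partitions, objects): drive geometry by device name,
    the MBR partition list, and every status line grouped by object."""
    drives, parts, objects = {}, [], {}
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        body = m.group(3)
        d = DRIVE.match(body)
        if d:
            drives[d["dev"]] = {"bytes": int(d["size"], 16), "sector": int(d["ss"], 16)}
            continue
        p = PART.match(body)
        if p:
            parts.append({"dev": p["dev"], "idx": int(p["idx"]), "type": int(p["type"], 16),
                          "start": int(p["start"], 16), "count": int(p["num"], 16)})
            continue
        s = STATUS.match(body)
        if s:
            objects.setdefault(s["obj"], []).append(s["status"])
    return drives, parts, objects


def findings(objects):
    """Objects whose history holds anything other than 'ok', with the last
    'User select action' recorded for them (None if the user was not asked)."""
    out = {}
    for obj, statuses in objects.items():
        bad = [s for s in statuses if s != "ok"]
        if not bad:
            continue
        action = next((s.split(": ", 1)[1] for s in reversed(statuses)
                       if s.startswith("User select action")), None)
        out[obj] = {"statuses": bad, "action": action}
    return out


def unpartitioned_tail(drives, parts, dev):
    """(sectors, bytes) between the end of the last partition and the end of
    the disk.  Every disk has a little slack here, so the size alone is not
    an indicator; it only shows where a detection against the whole device
    can physically live."""
    total = drives[dev]["bytes"] // drives[dev]["sector"]
    end = max(p["start"] + p["count"] for p in parts if p["dev"] == dev)
    tail = total - end
    return tail, tail * drives[dev]["sector"]


if __name__ == "__main__":
    drives, parts, objects = parse(LOG)
    for obj, info in findings(objects).items():
        print(f"{obj}: {info['statuses']} -> user action {info['action']}")
    dev = r"\Device\Harddisk0\DR0"
    sectors, nbytes = unpartitioned_tail(drives, parts, dev)
    print(f"{dev}: {sectors} sectors ({nbytes} bytes) past the last partition")
```

For the numbers in the first log this works out to 0xAB0 sectors, about 1.4 MB, between the end of Partition1 and the end of the drive, and the findings summary shows the "( TDSS File System )" object going from warning to "skipped by user" with action Skip, which is the state the next reply asks to change to Delete.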

Could you re-run TDSSKiller please and when the following appears select delete:

\Device\Harddisk0\DR0 ( TDSS File System )

How is the computer now, any problems?

I deleted the last error from TDSS and it immediately triggered an avast popup indicating Malware. It said it moved it to the avast virus chest. The PC is a lot quicker (like it used to be) and seems fine.

Avast caught it as TDSSKiller was moving it

Any problems before I remove my tools?

None. A giant thanks to you and a thanks for being so fabulous at what you do!!!

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:Commands
[resethosts]
[emptytemp]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done

Remove ComboFix

[*]Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
[*]In the Run box, type in ComboFix /Uninstall (Notice the space between the “x” and “/”) then click OK

http://i1224.photobucket.com/albums/ee362/Essexboy3/Misc%20screen%20shots/CF_Uninstall-1.jpg

[*]Follow the prompts on the screen
[*]A message should appear confirming that ComboFix was uninstalled

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set back to hidden, as some of the tools I use will change that

[*]Go to control panel
[*]Select folder options (Appearance > Folder options in category view)
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[*]Click Yes to confirm.
[*]Click OK.

http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version of Java components and upgrade the application.

Upgrading Java:

[*]Go to this site and click Do I have Java
[*]It will check your current version and then offer to update to the latest version

SPRING CLEAN

To manually create a new Restore Point

[*]Go to Control Panel and select System
[*]On the left select System Protection and accept the warning if you get one
[*]Select System Protection Tab
[*]Select Create at the bottom
[*]Type in a name i.e. Clean
[*]Select Create

Now we can purge the infected ones

[*]Go to Start > All Programs > Accessories > System Tools
[*]Right click Disk Cleanup and select Run as administrator
[*]Select Your main drive and accept the warning if you get one
[*]For a few moments the system will make some calculations
[*]Select the More Options tab
[*]In the System Restore and Shadow Backups select Clean up
[*]Select Delete on the pop up
[*]Select OK
[*]Select Delete

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

http://img233.imageshack.us/img233/7729/mbamicontw5.gif

Malwarebytes. Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly it will show you which programmes on your system need updating and give a download link

It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit

[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?

Keep safe :wave: