Virus Enhanced Security Protection log upload - need help removing

I have a virus posing as Avast Enhanced Security Protection. I followed the instructions posted here. I only got 1 log file as a result of running OTL, rather than 2 as the instructions say to expect. I am attaching that file plus posting the link to the jpg screenshot of diskmgmt.msc. I tried absolutely everything, including going into the registry myself, but all those Avast folders are locked and cannot be deleted. The aswclear5 program will not run either, and in safe mode that file is completely invisible. Thanks in advance, because I work on the net and can’t risk work until I can get my antivirus up and running.

URL for screenshot: http://www.mediafire.com/?x7lbscc6xeeaf83

Since mediafire is a file-sharing service and you are trying to post an image, it isn’t really the best tool for the job.

Since your image is only 45KB, just attach it to a post in the same way you did for the OTL.txt file, as I have now done with it.

For screenshots too large to attach you should use an image hosting service rather than a file sharing service. That way you can post the URL to the image so it is embedded in the post. But attachment is the easiest option, that way you don’t have to upload it and people don’t have to download it to see it.

I will try again to attach the file, but it would not let me before. I located a second txt file called extras and am attaching that. Thanks.

Why did you not continue to post in the first topic you started?

Anyway, have you tried running Malwarebytes, as it will usually remove this?
http://www.im-infected.com/rogue/avast-enhanced-protection-mode.html

Yes, I did run Malwarebytes and it picked up 2 infections and I removed them and rebooted, with no result. I did not amend my first post because it would not let me add the attachments saying they were too big. Then when I altered them and attempted to add them, my original post was not showing up on the forum page. I still do not see my original post. Hence I changed the subject wording and posted the complete information.

Did you update Malwarebytes before you scanned?

I still do not see my original post.
So you can not see this? http://forum.avast.com/index.php?topic=91053.0 (don’t post there now)

Yes, I updated Malwarebytes before I scanned, as I always do. And I can see that post you linked to, the subject of which says “Cannot make the post I need to for help”… but not the one it refers to, my original attempt to post my logs and screenshot.

I updated MWB again just now, ran quick scan and found again 1 infection. Here are the results from both scans, yesterday’s and today’s.

Scan results 12-26-2011
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Notepad.exe (Security.Hijack) → Quarantined and deleted successfully.

Scan results 12-27-2011
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and deleted successfully.

I just ran Spyware Doctor. Of course it will not do any fixes unless I purchase it; however, this may be of value. It found this virus:
rootkit.tdss.v3

Could this be related to the Enhanced Security Protection worm on my Avast?
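The first Malwarebytes hit above is an Image File Execution Options (IFEO) “Debugger” redirection: whatever program is named in that value is started in place of Notepad.exe, which is why it is classed as a hijack. As an added example, not from this thread or from any of the tools it uses, the script below parses a `reg export` of the IFEO key (a constructed sample is embedded inline), lists every Debugger value and flags any target that is not a known debugger; the KNOWN_DEBUGGERS list and the sample paths are assumptions.

```python
import ntpath
import re

# Key the Malwarebytes hit above lives under, spelled as in that log.
IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
            r"\CurrentVersion\Image File Execution Options")

# Debuggers an admin might legitimately register here (assumption; adjust to taste).
KNOWN_DEBUGGERS = ("ntsd.exe", "cdb.exe", "windbg.exe", "vsjitdebugger.exe")

# Constructed sample export, not from the thread: one hijack, one legitimate entry.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Notepad.exe]
"Debugger"="C:\\WINDOWS\\Temp\\x9.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myapp.exe]
"Debugger"="\"C:\\Program Files\\Debugging Tools for Windows\\windbg.exe\" -g"
"DisableHeapLookaside"=dword:00000001
"""

def unescape_reg(value):
    # .reg files escape backslashes and double quotes with a backslash.
    return re.sub(r'\\(["\\])', r'\1', value)

def executable_of(cmdline):
    # The program part of a Debugger command line, quoted or bare.
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:].split('"', 1)[0]
    return cmdline.split(" ", 1)[0]

def find_ifeo_debuggers(reg_text):
    """Return every Debugger value under IFEO; the subkey name is the hijacked image."""
    hits, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^"Debugger"="(.*)"$', line, re.IGNORECASE)
        if not m or not key or not key.lower().startswith(IFEO_KEY.lower() + "\\"):
            continue
        debugger = unescape_reg(m.group(1))
        exe = ntpath.basename(executable_of(debugger)).lower()
        hits.append({"image": key[len(IFEO_KEY) + 1:], "debugger": debugger,
                     "suspicious": exe not in KNOWN_DEBUGGERS})
    return hits
```

Calling `find_ifeo_debuggers(SAMPLE_REG)` returns two entries, with only the Notepad.exe one marked suspicious.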

Yes, rootkits can be associated with these infections, to hide the other elements.

The rootkit should be found by following the instructions (and using the tools) on this page, http://forum.avast.com/index.php?topic=53253.0. I thought you had already visited this page, as you had started with the OTL logs, but there are two other tools to help with the analysis, aswMBR.exe and Farbar Service Scanner.

If you can also download and run those as per the instructions page, hopefully essexboy will be able to get back on to the forums. At this time he may also be with his family and not as freely available.

Thank you I will do that. I am assuming that it is not safe for me to be on the net until this is removed? Or do I have virus protection despite the so called enhanced Security protection mode?

Well, as far as I’m aware this could also be a downloader, so it could try to download more malware, but this (malware removal) isn’t an area I’m qualified to advise on.

It may be able to disable your AV… and I would not do any banking before Essexboy has cleaned it.

Here is the log file resulting from running aswMBR.

aswMBR version 0.9.9.1120 Copyright(c) 2011 AVAST Software
Run date: 2011-12-27 16:04:24

16:04:24.078 OS Version: Windows 5.1.2600 Service Pack 3
16:04:24.078 Number of processors: 2 586 0x170A
16:04:24.078 ComputerName: PRISS UserName:
16:04:24.718 Initialize success
16:04:25.125 AVAST engine defs: 11122200
16:04:37.265 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-3
16:04:37.265 Disk 0 Vendor: ST9250315AS 0002SDM1 Size: 238475MB BusType: 3
16:04:39.296 Disk 0 MBR read successfully
16:04:39.312 Disk 0 MBR scan
16:04:40.031 Disk 0 Windows XP default MBR code
16:04:40.046 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 49999 MB offset 63
16:04:40.796 Disk 0 Partition - 00 0F Extended LBA 188465 MB offset 102398310
16:04:40.812 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 188465 MB offset 102398373
16:04:40.828 Disk 0 scanning sectors +488376000
16:04:41.390 Disk 0 scanning C:\WINDOWS\system32\drivers
16:05:01.046 Service scanning
16:05:01.296 Service ASUSProcObsrv E:\I386\AsProcOb.sys LOCKED 21
16:05:01.421 Service sptd C:\WINDOWS\System32\Drivers\sptd.sys LOCKED 32
16:05:01.968 Modules scanning
16:05:09.218 Disk 0 trace - called modules:
16:05:09.250 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys sptd.sys pciide.sys PCIIDEX.SYS
16:05:09.265 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x8acf3ab8]
16:05:09.281 3 CLASSPNP.SYS[ba0e8fd7] → nt!IofCallDriver → \Device\0000007d[0x8acf53b8]
16:05:09.296 5 ACPI.sys[b9e54620] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-3[0x8ad44d98]
16:05:09.781 AVAST engine scan C:\WINDOWS
16:05:16.234 AVAST engine scan C:\WINDOWS\system32
16:07:02.437 AVAST engine scan C:\WINDOWS\system32\drivers
16:07:16.390 AVAST engine scan C:\Documents and Settings\Carolyn Blake
16:17:32.234 AVAST engine scan C:\Documents and Settings\All Users
16:22:00.031 Scan finished successfully
16:28:45.156 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\Carolyn Blake\Desktop\MBR.dat”
16:28:45.171 The log file has been saved successfully to “C:\Documents and Settings\Carolyn Blake\Desktop\aswMBR.txt”

aswMBR does not do TDL3, but I know a programme that does.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

:OTL
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (no name) - {C8748F11-F4AD-47AF-AB50-C7DF5792096B} - No CLSID value found.
O2 - BHO: (no name) - {CBB66A7C-D257-4A02-A8D5-6C9355F91308} - C:\Program Files\OnlyWireToolbar\onlywiretoolbar.dll (http://www.plugins-soft.com)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {4C350B19-6CA1-4569-B14C-296D8D65300C} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


  • Then click the Run Fix button at the top.
  • Let the program run unhindered, and reboot the PC when it is done.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_1.jpg

  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_2.jpg

  • Click the Start Scan button.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_3.jpg

  • If a suspicious object is detected, the default action will be Skip; click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_4.jpg

  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_5.jpg

  • Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.

A report will be created in your root directory, (usually C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste its contents on your next reply.

Having difficulty posting with the requested files. I will try again. Here is the OTL file and I will try to post the TDSSKiller next. I do not mean to double post, but I got a message saying I am, though I was not able to post a reply the first time. Sorry if it is coming through twice, but I am not seeing it on my screen if it did.

Here is the TDSSKiller log file.

OK, it isn’t TDL3; however, I have some suspicions about your Kbd system file.

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double-click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion, then reboot; that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.

I am unable to disable Avast. The instructions in the “click here” are exactly what I did: right click and disable. It says “7 shields inactive”, but when I run ComboFix I get a message saying that Avast is running. I am becoming alarmed that all is lost. I cannot disable or turn it off in the Task Manager either, getting the “unable to terminate process” warning.

Accept the warning from ComboFix, but do not allow Avast to quarantine or sandbox any files for the duration of the run.