Hi mchain,

That is a valid advice. The OP should explicitly do what jeffce proposes. He came up with some questions and I replied to these questions after contacting Jeffce.
The detection might have been a remnant of what was there because of an avast bootscan of previous AVG install remnants and a FP detection. My guess there was right (victim actually had AVG previously installed!), and upon detection the victim might have tried to repair. I would not experiment while a removal routine from the qualified removal expert is under way, so Bob-BH should do likewise. Follow jeffce’s instructions to the dot!, especially while there might be some more serious infestation of the OS…

polonus

Jeffce … TDSSKiller log attached

Hi,

Please read through these instructions to familarize yourself with what to expect when this tool runs

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs

[*]Double click on ComboFix.exe & follow the prompts.

[*]As part of it’s process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it’s malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RCUpdate1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1.Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer’s settings, including making I-E the default browser.
3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
4. If you get a message saying “Illegal operation attempted on a registry key that has been marked for deletion”, please restart your computer.

Microsoft Windows Recovery Console already installed.
Avast disabled
ComboFix downloaded to desktop installed/run
I kept getting msg that ComboFix has detected following scanner to be active: AVG
See log attached … BUT
note that log identified AVG and Lavasoft Adware BOTH had been uninstalled when I opted for AVAST.
Couldn´t remove traces of AVG using several different solutions so I reinstalled AVG 2012 Free, disabled BOTH AVG and Avast and ran ComboFix again.
ComboFix runs up to file extract and Registry update than stops, closes wondow and no further action.

Please advise next step.
tks

It actually looks like ComboFix has run through.

[*]Please open Notepad (Start → Run → type notepad in the Open field → OK) and copy and paste the text present inside the code box below:

ClearJavaCache::

DDS::
uStart Page = hxxp://www.terra.com.br/portal/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: itau.com.br\bankline
Trusted Zone: itau.com.br\guardiao
Trusted Zone: itau.com.br\www

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3306:TCP"=-
"5985:TCP"=-

[*]Save this as CFScript.txt and change the “Save as type” to “All Files” and place it on your desktop.

http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif

[*]Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
[*]Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
[*]ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
[*]When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix’s window while it is running. That may cause it to stall.

Instructions followed and ComboFix log attached.

Hi Jeff will be a tad busy for today, so I get all the good bits ;D

First how is the computer behaving now ? Any problems at all

PC seems to be performing normally, i.e., no unusual activities, messages, delays, etc.

The ONLY thing that is out of the ordinary is the HTML: Framer-D vuris detected on a Boot-time scan, but not detected on quick or full scans.

What location does the boot scan give the file ?

C:\Documents and Settings\Mami\Local Settings\Application Data\Identities{711E9619-D929-445F-B16F-3E5FCa6B3980}\Microsoft\OutlookExpress\Inbox.dbx|>60Segundos_Bellisimo06_C.eml#62042144|>60Segundos_Bellisimo06_C.pps#1890203406|>Pictures is infected by HTML:Framer-D

OK that is an e-mail or PP that is infected, deletion of the e-mail or removal of the PPS will stop the alerts

Yes … I realize that, but I can’t locate any email in OE that has any attachment similar to “60Segundos_Bellisimo06_C.pps”. I have also run several Search in win explorer using different wildcards and located no file (PowerPoint or otherwise) with a similar name.

Unless you have a better suggestion, I’m tempted to delete ALL sent/received emails msgs in OE to see if that will remove the mysterious email with an “60Segundos_Bellisimo06_C.pps” attachment.

Comments?

Could you clear the deleted e-mails folder

Problem solved!
Located and deleted OE inbox.dbx where virus was located.
Boot-time scan clean … no virus found.
My thanks to all and congrats to Avast for great support staff and quick replies!!

Subject to no further problems

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:Commands [resethosts] [emptytemp] [CLEARALLRESTOREPOINTS] [Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done

Remove ComboFix
[*]Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
[*]In the Run box, type in ComboFix /Uninstall
(Notice the space between the “x” and “/”)
then click OK

http://i1224.photobucket.com/albums/ee362/Essexboy3/Misc%20screen%20shots/CF_Uninstall-1.jpg

[]Follow the prompts on the screen
[]A message should appear confirming that ComboFix was uninstalled

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that
[*]Click Start.
[*]Open My Computer.
[*]Select the Tools menu and click Folder Options.
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[]Click Yes to confirm.
[]Click OK.

http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif
Your Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version of Java components and upgrade the application.

Upgrading Java:
[] Go to this site and click Do I have Java
[] It will check your current version and then offer to update to the latest version

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

http://img233.imageshack.us/img233/7729/mbamicontw5.gif
Malwarebytes.

Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly it will show you which programmes on your system need updating and give a download link

It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit
[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?Keep safe