I’m new to this forum, but I have been an Avast Internet Security user for years now.
Last week I managed to get my first virus, Win32:downloader-NXD[Trj], also named ms0cgf32.exe.
Avast put it into the virus chest, and everything seemed to be normal. Web browser was working, everything was working. I did try to get rid of it using tips and cleans and so on by searching on Google. After at least 10 more scans with Avast, Avast cannot find the virus anymore.
But now I have problems with getting into Explorer or any browser. And with a quick CTRL + Alt + DELETE, in processes there are a lot of svchost.exe running, and I guess the virus is still stuck within my computer.
When the virus was in the chest, the location was under the Temp folder. And of course I can't see any with the name ms0cgf32.exe there, so I guess it's hidden under a different name.
I hope someone here can guide me or has any tips to get rid of that sucker.
This needs further analysis by a malware removal specialist:
Go to this topic http://forum.avast.com/index.php?topic=53253.0 for information on Logs to assist in cleaning malware.
Use the information about getting and using the tools and attach the logs here, not in the LOGS topic.
When you try to flash up a browser, what error do you get?
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.
If you have Malwarebytes 1.6 or better installed, please disable it for the duration of this run.
To disable MBAM:
Open the scanner and select the protection tab
Remove the tick from “Start with Windows”
Reboot and then run OTL
[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
“Internet Explorer cannot display the webpage”. Not an “error”, but this started after I got the virus. Read that the virus creates its own IP addresses, so you can’t go online.
New OTL log attached.
Quick question. I logged in as admin, is that the right way to do it, or do I need to log in as user? I'm so noob at this, sorry.
No evidence of that as Farbar was able to connect to Google… So let's dive deeper
Download and Install ComboFix
Download ComboFix from one of the following locations: Link 1 Link 2
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow it to update if it asks
I started the ComboFix in safe mode as admin. Tried to deactivate Avast, but that did not seem to work 100%.
The scan went nicely, and the computer rebooted. I forgot to press F8 at this point because I was busy, sorry for that. The PC started in normal mode and the ComboFix window was up. Some programs opened up as ComboFix was running (MBAM and RegClean). ComboFix didn’t seem to be affected.
Then I suddenly got a blue screen and the PC rebooted.
ComboFix log is attached, please check it out (sorry for the Norwegian).
Internet is still down, and lots of svchost are up and running in processes (not in safe mode).
[*]If malicious objects are found, they will show in the Scan results and offer three (3) options.
[*]Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
[*]Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
A report will be created in your root directory, (usually C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste its contents on your next reply.
Just did a scan with TDSSKiller. Nothing malicious found, could only use “Skip”.
Report attached.
I’m starting to think the virus is not there, but something is weird. The first day I lost the net I tried new cables and checked the Netgear and card. Everything works. There was a brief second of relief when I suddenly managed to use Firefox on Monday on the 12th attempt, but shut it down and tried to start it again with no results.
If it's still a virus, this one does not get killed easily.
[*]Double click Dr Web
[*]IMGBurn will open
[*]Burn the ISO to a CD
[*]Reboot the infected computer with the CD in the drive
[*]Ensure that the first boot device is CD - If you are not sure about that then see this page for instructions
[*]As loading starts, a dialogue window will prompt you to choose between the standard and safe modes.
[*]The programme will now scan for and cure/delete any malware that it finds. Allow it to do so
[*]Once completed reboot to normal Windows
[*]No log is produced so once in normal Windows run a fresh OTL scan and let me know if the problems persist
Hello and sorry for the late reply. Worked a lot these weeks, so haven't been able to check the Avast forum.
I will test the Dr Web live as soon as possible. Really hope this will help.
I can also mention that I tried to open World of Warcraft, and I got a message I have never seen before. Certainly something wrong going on.
Running DrWeb atm, and it seems like the scan stops 2-3 minutes into the scan… and the irony is that the scan seems to freeze up at “Avast bla bla /pack017 by Xerox”. It's stood there for 5 minutes now… I hope it continues scanning through the night, or do I need to uninstall Avast?
It’s scanning just fine at the moment. I had to uncheck the Avast folders, so it does not scan those folders.
Also ironic that the scan has found two Trojans in the OTL? Trojan.sigurd.
Well, hopefully the scan is done in a few hours because the scan is kinda slow.
I will post an OTL log when it's all done.
I can’t thank you enough, Essexboy, for helping me. Hopefully we manage to fix it. I will also post the jpeg error when I try to log on to net-based games and programs.