Goreedfix error

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by rosequarz, May 22, 2011.

Thread Status:
Not open for further replies.
  1. rosequarz

    rosequarz Private E-2

    Every time I run goreedfix, it gets as far as checking for warehouse, then I get this error message: 'goreedfix has encountered a problem and needs to close', with a choice of Debug and Close buttons. I always click Debug. Is this a problem with goreedfix, or am I still infected with something?

    I also have a settings.dat file on my desktop and an .av$ extension file in avira temp sub-directory, left by malware. Can I delete these now?

    I cleared my restore points and ran Auslogics Registry Cleaner the day after using ComboFix.

    MBAM, SAS, and RootRepeal don't show anything.
     


  2. rosequarz

    rosequarz Private E-2

    Rootrepeal log showing nothing.
     


  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are running 4 AV programs!! You need to uninstall all but ONE!!
    AntiVir Desktop
    Lavasoft Ad-Watch Live! Anti-Virus
    IObit Security 360
    Panda Cloud Antivirus

    There is no malware in your logs. What malware issue are you having?
     
  4. rosequarz

    rosequarz Private E-2

    I have never used Lavasoft Ad-Watch Live! Anti-Virus.

    IObit Security 360 is not an antivirus. It is anti-malware, anti-adware, anti-spyware. It is listed in downloads under 'anti-spyware' not 'antivirus'.

    I thought Panda was like Immunet, which is compatible with existing AV software. I've now uninstalled Panda and reinstalled Immunet 3.0 cloud only.

    Much improvement in speed.

    I think I might have a new infection.

    This came up on Avira hidden objects search:

    The process is not visible.

    c:\docume~1\owner\locals~1\temp\casetup32.exe
     
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes, you are absolutely correct about IObit. (Long day, sigh.) And casetup32.exe is a driver for Immunet.

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources (except a little disk space) until you run a scan. We recommend them for doing backup scans when you suspect a malware infection.
    2. If we had you use ComboFix, uninstall ComboFix (this uninstall will only work as written if you installed ComboFix on your Desktop like we requested).
      • Click START then RUN, enter the below into the run box and then click OK. Note: the quotes are required.
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to Add/Remove Programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program, which will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work through the below link:


     
  6. rosequarz

    rosequarz Private E-2

    I ran stinger with the repair box checked, and it deleted some files. I hope these aren't false positives, because I don't know how to get the files back.

    C:\Documents and Settings\Owner\Local Settings\temp\RarSFX0\nircmd.exe is infected with the FakeAlert!fakealert-REP virus !!!
    C:\Documents and Settings\Owner\Local Settings\temp\RarSFX0\nircmd.exe has been deleted.
    C:\Documents and Settings\Owner\Local Settings\temp\RarSFX0\pev.exe is infected with the Artemis!3C33B26F2F7F virus !!!
    C:\Documents and Settings\Owner\Local Settings\temp\RarSFX0\pev.exe has been deleted.
    C:\Documents and Settings\Owner\Local Settings\temp\RarSFX0\procs\explorer.exe is infected with the Artemis!3C33B26F2F7F virus !!!
    C:\Documents and Settings\Owner\Local Settings\temp\RarSFX0\procs\explorer.exe has been deleted.
    C:\Documents and Settings\Owner\Local Settings\temp\RarSFX0\procs\iexplore.exe is infected with the Artemis!3C33B26F2F7F virus !!!
    C:\Documents and Settings\Owner\Local Settings\temp\RarSFX0\procs\iexplore.exe has been deleted.
    C:\WINDOWS\Downloaded Program Files\FP_AX_CAB_INSTALLER.exe is infected with the FakeAlert!fakealert-REP virus !!!
    C:\WINDOWS\Downloaded Program Files\FP_AX_CAB_INSTALLER.exe has been deleted.
     
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    For the most part, they were files in your temp folder and not a problem for them to have been removed. Are you having any malware issues?
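    Tim's reasoning above (a detection on a file in a temp folder is rarely worth worrying about, while one on a live system file deserves a second look) can be applied mechanically to scanner output of this shape. The Python below is an added example, not code from this thread or from any scanner vendor; the report text is constructed from the lines quoted above plus one made-up userinit.exe entry with an invented detection name and an assumed "could not be deleted" wording, so that the failure path is exercised.

```python
import re
from collections import Counter

# Constructed sample in the style of the Stinger report lines quoted in the thread. The
# first six lines reproduce what the poster quoted; the userinit.exe entry, its detection
# name and the "could not be deleted" line are made up here to exercise the failure path.
SAMPLE_REPORT = r"""
C:\Documents and Settings\Owner\Local Settings\temp\RarSFX0\nircmd.exe is infected with the FakeAlert!fakealert-REP virus !!!
C:\Documents and Settings\Owner\Local Settings\temp\RarSFX0\nircmd.exe has been deleted.
C:\Documents and Settings\Owner\Local Settings\temp\RarSFX0\pev.exe is infected with the Artemis!3C33B26F2F7F virus !!!
C:\Documents and Settings\Owner\Local Settings\temp\RarSFX0\pev.exe has been deleted.
C:\WINDOWS\Downloaded Program Files\FP_AX_CAB_INSTALLER.exe is infected with the FakeAlert!fakealert-REP virus !!!
C:\WINDOWS\Downloaded Program Files\FP_AX_CAB_INSTALLER.exe has been deleted.
C:\WINDOWS\system32\userinit.exe is infected with the Example.Constructed virus !!!
C:\WINDOWS\system32\userinit.exe could not be deleted.
"""

DETECT_RE = re.compile(r"^(?P<path>.+?) is infected with the (?P<name>\S+) virus !!!$")
ACTION_RE = re.compile(r"^(?P<path>.+?) (?P<action>has been deleted|could not be deleted)\.$")


def classify_path(path):
    """Bucket a Windows path by how much a detection there usually matters."""
    p = path.lower()
    if "\\temp\\" in p or "\\temporary internet files\\" in p:
        return "temp"                       # scratch space, often a tool's own unpacked files
    if "\\system volume information\\" in p:
        return "system-restore"             # old restore-point copies; cleared by toggling System Restore
    if "\\downloaded program files\\" in p:
        return "downloaded-program-files"   # ActiveX/browser installers
    if re.match(r"^[a-z]:\\windows\\", p):
        return "windows"                    # a live OS file: worth a second look
    return "other"


def parse_report(text):
    """Pair each 'is infected with' line with the action line for the same path."""
    entries, order = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = DETECT_RE.match(line)
        if m:
            path = m.group("path")
            if path not in entries:
                entries[path] = {"path": path, "detection": None, "action": "none",
                                 "category": classify_path(path)}
                order.append(path)
            entries[path]["detection"] = m.group("name")
            continue
        m = ACTION_RE.match(line)
        if m:
            path = m.group("path")
            if path not in entries:  # action line with no preceding detection line
                entries[path] = {"path": path, "detection": None, "action": "none",
                                 "category": classify_path(path)}
                order.append(path)
            entries[path]["action"] = ("deleted" if m.group("action") == "has been deleted"
                                       else "delete-failed")
    return [entries[p] for p in order]


def triage(text):
    """Summarise a report: counts per location bucket plus the entries a person should review."""
    entries = parse_report(text)
    by_category = dict(Counter(e["category"] for e in entries))
    needs_review = [e for e in entries
                    if e["action"] != "deleted" or e["category"] in ("windows", "other")]
    return {"entries": entries, "by_category": by_category, "needs_review": needs_review}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print("detections per location:", result["by_category"])
    for e in result["needs_review"]:
        print("REVIEW:", e["category"], e["action"], e["detection"], e["path"])
```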
     
  8. rosequarz

    rosequarz Private E-2

    Yes. I do think I still have something.

    Before using combofix my AVs, Immunet and Avira, were quarantining files like crazy.

    Now I'm getting the odd Immunet threat warning again. Just a couple of files at a time. Same files as before.

    Also installed Emsisoft Anti-Malware on 30 day trial.

    I get all these "Anti-Malware has detected a connection attempt to the suspicious host" messages for these sites:
    CDN.GIGYA.COM
    PASTEBIN.COM
    WWW.ABESTWEB.COM
    CHITIKA.COM
    IB.ADNXS.COM
    API.TOPTENREVIEWS.COM
    LINKS.INDUSTRYBRAINS.COM

    I ran Trend Micro Housecall after cleaning temp files, and at startup it came up with a message about a tmp file acting like a threat.
    It tried to quarantine it, but Emsisoft AM quarantined the file first.

    After scanning with Immunet I got a message that iptray.exe was trying to access the internet invisibly. I allowed it thinking it might be a necessary cloud process. I don't think it was, because when I tried to start an Avira scan afterwards the window only half-opened, it seemed to stall. So I rebooted, and Avira worked fine.
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Again, you should only be using ONE AV program.

    Please attach a new scan log from running MBAM and then run the C:\MGtools\GetLogs.bat and attach the new C:\MGLogs.zip.
     
  10. rosequarz

    rosequarz Private E-2

    I am only using 1 full antivirus application. The others are online scanners, AM, or AS.

    I downloaded a new copy of MGtools.exe to run for logs.
    MBAM never detects anything.

    I ran rootrepeal again and got 3 Allocation size mismatches.

    And those files I thought Immunet was quarantining: I've got 8 listed as 'Quarantine Failed'.
     


  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You need to attach the log from Immunet or tell me exactly what it is complaining about. I need the full path of the files in quarantine or that can't be removed.
     
  12. rosequarz

    rosequarz Private E-2

    I can't get logs off Immunet. It's the online cloud. An example of quarantine failed message:

    Event Type: Quarantine Failed
    Detection Name: W32. Hupigon
    File path: c:\Documents and Setting\all Users\Application data\Avira\Antivir\Desktop\temp\Avguard-4e20249a\00000001-9B520213.av$

    I can't find any of the files mentioned.

    Before using ComboFix I saw 4 .av$ files in my Avscan folder. I uploaded 1 at Virscan.org and found it was a zipped archive of over 7100 files. Looked at my Avscan folder: no files. They had moved to the Avguard folder on their own. Then no .av$ files were to be found. After running ComboFix I found 1 .av$ file, only 4000 bytes, in the Avguard folder.

    I was on the Immunet website before and my mouse pointer would not move. I had to reboot to get my 'mouse' back.

    I have to click 'Turn Off' twice to get the computer to shut down. The first one closes some system tray items; the second one turns it off.
     
  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I believe you are getting false positives from Immunet. What malware issues, other than what Immunet is doing, are you having?

    I have downloaded Immunet and run a scan, and it found a file that I don't believe was actually on my system: Windows activation killer.exe. That is not a file I ever put on my system. So I am not impressed.
     
    Last edited: Jun 2, 2011
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As Tim stated a couple of times already, Immunet needs to be uninstalled because you already have Avira installed.

    I also suggest that you uninstall Emsisoft Anti-Malware. You already have several antispyware/antimalware tools (Avira, IoBit 360, ThreatFire) and you don't need Emsisoft. Nor do we recommend it, since it has always had too many false detections. You are going to severely affect PC performance with all of these installed too.
     
  15. rosequarz

    rosequarz Private E-2

    I allowed a process I thought was a program update, whereupon the monitor abruptly went black, then the computer rebooted itself. It came on again with no system tray icons, so I turned it off at the power switch. Next time I started it, I had an error message: 'The system has recovered from a serious error, a log of this error has been created.'

    I've never detected anything running an actual scan. All my 'quarantined files' came from monitoring real time protection.


    "This does not mean online scanners. It is only referring to full antivirus applications"
    To me this means I can have as many online antivirus scanners as I like, with my single installed antivirus.

    Immunet 3.0 Free using Real-time, Cloud-based Detection, is an online scanner. Off-line ClamAV engine is turned off.

    Avira is licensed until October.
    IoBit 360 had already been uninstalled.
    Uninstalled Emsisoft Anti-Malware, and ThreatFire.

    No performance improvement.
     
  16. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Immunet may have "cloud" related virus definitions, but it is still a program that you install on your computer.

    At this point, I think you need to post in the software forum for additional assistance with performance issues.

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources (except a little disk space) until you run a scan. We recommend them for doing backup scans when you suspect a malware infection.
    2. If we had you use ComboFix, uninstall ComboFix (this uninstall will only work as written if you installed ComboFix on your Desktop like we requested).
      • Click START then RUN, enter the below into the run box and then click OK. Note: the quotes are required.
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to Add/Remove Programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program, which will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work through the below link:


     
  17. rosequarz

    rosequarz Private E-2

    I didn't say I was having performance issues.
    Do performance issues stop RKill from running properly?
    I can't get RKill to run in either mode. Normal mode, 1st try, came up with approx 20 lines of
    "the process cannot access the file because it is in use by another process" then
    "This application has requested the runtime to terminate it in an unusual way".
    Other tries get "sed.exe can't read documents and settings\owner\local settings\temp\rks1 on directory".
    In safe mode: 3x 'Error installation failed' messages, then it runs but gets closed early by the Windows message 'stay working in safe mode' with yes/no options.

    I have 6 Rarsfx temp folders that don't go when I run cleaners. 10 of the files in subdirectories of these are Locked to the Windows API.
     
  18. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    RootRepeal fails on about half the computers we see that try to run it. So it's not unusual for that to occur. ;)
     
  19. rosequarz

    rosequarz Private E-2

    RKill ran. 4 days 13 hours until clock restart. 8 hours 15 minutes until clock stopped. Blank log.
    Then an Immunet scan took 3 days. Only 12 more of these hupigons in system restore. Interesting file extensions of .exe, .com, .scr, .pif.
    Deleted those Rarsfx temps. Both Auslogics Reg Cleaner and CCleaner deleted the HKCU\software\WinRaR SFX registry entry.
    Haven't shown up again.

    Immunet started up again, quarantining 6000 W32.Hupigons and W32.Worm in less than 20 minutes. All .AV$ extensions.
    .AV$ - character in extension probable malware.
    .AV$ - behaviour observed when I noticed them on the computer before combofix. Files that move folders on their own and then go invisible are not normal files.

    Immunet kept exiting the system tray. Uninstalled it to clear quarantine. Cannot login to Immunet Cloud on reinstall. Think those .AV$ files don't want me using the one scanner that can detect them.
    So I had to get Panda instead. Uninstalled Avira.

    Before rebooting after Immunet got all those files, I had lots of invisible registry entries on an Avira rootkit scan. After reboot nothing detected. Lost log on Avira uninstall.

    I always get 5 SSDT RootRepeal, Status: Hooked by "<unknown>". NtCreateKey, NtLoadKey, NtOpenProcess, NtReplaceKey, NtSetSystemInformation.

    I hadn't had an infection since 2008 until March this year. I wouldn't have known if I hadn't uploaded a HJT log through an internet analyser. It kept telling me that it didn't detect my Windows firewall and to turn it on. Went into Windows Security Centre, Firewall showing green on light.
    2 weeks later detected 1 Win32.Palevo with S&D. Spent the next month after something intent on disabling Avira. DrWebCureLT detected a Bat.Hosts.41 in system restore and chodefix.bat, tool.killproc3 in process.exe.
    Clean for 2 weeks, then this one.
     
  20. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I have never heard of W32.Hupigons and I get no hits on a search for it.
     
  21. rosequarz

    rosequarz Private E-2

    Had problems installing KAV. Stalled on 'installing utilities'. Had to restart computer. Next try got these messages.
    Kaspersky Anti-Virus 2011 Setup
    The setup wizard could not install Kaspersky Anti-Virus 2011. It is possible your computer is infected. Click yes below to download a special tool, which will scan your computer and eliminate all infections, so that you can proceed with the software installation. Do you want to download and scan your computer for viruses with AVPtool?
    Kaspersky Anti-Virus 2011 Setup
    The setup wizard could not install the AVPtool utility automatically. It is possible your computer is infected. Please, download the AVPtool manually from http://support.kaspersky.com/viruses/avptool2010
    Downloaded AVPtool, ran it, then installed KAV. Didn't have time to scan then. Couldn't restart KAV next time and had to remove it, re-run AVPtool, and reinstall it.
    Full scan: Detected: UDS:DangerousObject.Multi.Generic C:\system volume information\_restore{e5aa9390-469d-4bf0-bda9-7f86e4b6a4b7}\rp20\a0030251.exe
    The same type of file that Immunet was detecting as W32.Hupigon.
    KAV runs normally now.
    In AVPtool log a lot of system drivers were Packed: PE_Patch, which seem to have been separated. e.g. acpi.sys/PE_Patch and acpi.sys.

    Eset Online Scanner got 2 applications.
    C:\System Volume Information\_restore{E5AA9390-469D-4BF0-BDA9-7F86E4B6A4B7}\RP20\A0030228.exe Win32/PrcView application cleaned by deleting - quarantined
    C:\WINDOWS\system32\drivers\mchInjDrv.sys Win32/MCH application cleaned by deleting - quarantined

    A couple of times my modem icon came on with 'acquiring network address'. Not seen this before.

    W32.Hupigons. I get pages of them when I google in Firefox. Just listed a few.
    Backdoor/W32.Hupigon
    W32.Hupigon.fb
    W32.Hupigon Trojan Virus
    W32/Hupigon.worm!0f3b7efd769c
     
  22. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Two of the found files are in your system restore folders and can only be removed by toggling system restore. The third file ( mchInjDrv.sys ) is a legit file.

    What actual malware issues are you having?
     
  23. rosequarz

    rosequarz Private E-2

    Is ATF-Cleaner.exe usually Packed: UPX? I get an option to unblock file under properties, but seems to work without unblocking.
    When uploaded at Virscan.org, 1 scanner, JiangMin, always detects it as a Backdoor/IRCNite.wt. Uploaded it to Threat Expert:
    Memory Modifications
    There was a new process created in the system:
    Process Name | Process Filename | Main Module Size
    [filename of the sample #1] | [file and pathname of the sample #1] | 331,776 bytes

    Comodo Cloud Scanner detected C:\Program Files\Common Files\Motive\ McciThunk16.dll as a suspicious file. Uploaded it to Threat Expert:
    Memory Modifications
    There was a new memory page created in the address space of the system process(es):
    Process Name | Process Filename | Allocated Size
    ntvdm.exe | %System%\ntvdm.exe | 12,288 bytes

    RootRepeal was Packed: PE_Patch.PECompact, Packed: PecBundle on the AVPTool scan. 3 scanners at VirScan.org detected it:
    Authentium as W32/Heuristic-210!Eldorado (Heuristic)
    ClamAV as PUA.Packed.PECompact-1
    F-Prot as Possible W32/Heuristic-210!Eldorado (not disinfectable)
    Uploaded it to Threat Expert:
    Memory Modifications
    There was a new process created in the system:
    Process Name | Process Filename | Main Module Size
    [filename of the sample #1] | [file and pathname of the sample #1] | 1,798,144 bytes

    What's this?
    Packed: UPX C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pxfx05vj.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
     
  24. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    npqscan.dll -- nothing to worry about. You didn't answer my questions.
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Actually, none of the items mentioned are problems.
     
  26. rosequarz

    rosequarz Private E-2

    Another infected system file.
    Ran ComboFix. Infected copy of c:\windows\system32\userinit.exe was found and disinfected.

    S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\517A.tmp --> c:\windows\system32\517A.tmp [?]
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
    "ImagePath"="\??\c:\windows\system32\517A.tmp"
    3 LOCKED REGISTRY KEYS

    Rootrepeal drivers scan - invisible driver PROCEXP113.SYS
    Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
    Address: 0xF7B4E000 Size: 7872 File Visible: No Signed: - Status: -

    OTL Win32 Services (SafeList) SRV - File not found [Disabled | Stopped] -- -- (HidServ)

    Since March I've been getting infected every month. Started with a Win32.Palevo. Spybot - Search & Destroy
     
  27. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You need to attach logs so we can see what is happening. Please run this:
    TDSSkiller - How to run

    Attach that log as well as the Combo log.

    Memsweep is nothing to worry about.
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Actually, since this is a brand new problem with userinit.exe, the whole cleaning process should have been restarted. This thread is old now and the original problems have long been gone. No updated logs since May 31st have been supplied. This thread really should be closed and a new one started with all new logs.

    And note, if Immunet and Avira are both still installed, then stop and do not continue with this thread until one is removed.

    Also if all of the below are still installed along with Avira/Immunet, you also have some more applications to uninstall:
    Emsisoft Anti-Malware 5.0
    IObit Security 360
    ThreatFire

    Neither is the Process Explorer driver (PROCEXP113.SYS), and neither is the "Stopped] -- -- (HidServ)" item.
     
    Last edited: Jun 29, 2011
  29. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    @rosequarz

    I am going to close this thread as it is very old now. Since you are having continuing malware issues, please start a new thread and attach all new logs. Re-run the Read and Run First procedures so we can see what issues you are having with new logs attached. Please pay attention to what Chaslang posted below. ;)
     