AVG Anti-Spyware - repeated backdoor notification

Discussion in 'Malware Help (A Specialist Will Reply)' started by sarbie, Feb 13, 2008.

  1. sarbie

    sarbie Private E-2

    Okay -- I followed all of the steps in the Remove Malware thread. After completing the AVG Antispyware program, I had multiple threats on my computer. I completed all requested actions (quarantining) and, upon the program's request, restarted my computer. Upon restart, a new window popped up on my computer from AVG warning me of
    Backdoor.PcClient.atg
    at location C:\windows\system32\ahciov.dll.

    I click the option to quarantine the problem, at which time it suggests that I restart my computer. Upon restarting my computer, the same window pops up with this warning, I quarantine, and then restart....etc, etc, etc. If I don't turn off my computer, the issue keeps randomly popping up multiple times within minutes.

    Please help - and the simpler the terms, the better. Thank you!
     

  2. Corporal Punishment

    Corporal Punishment Head of Software Shenanigans Staff Member

  3. sarbie

    sarbie Private E-2

    It worked! Thank you so much for your help! I'm grateful I removed all malware with the help of MajorGeeks without having to call the computer company! Yaaay! Thank you!!!
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have some more to do since you had a lot of infections. There will be a long fix given below.

    Also you had a serious infection that ComboFix removed. You need to take the below warning seriously.
    Now let's continue with your malware cleaning!


    Download and run FindAWF by noahdfear.
    • Please download FindAWF by noahdfear.
    • Save to your desktop.
    • Double-click the FindAWF icon.
      • If a Security Alert shows, allow the program to run.
    • As instructed, press any key to continue.
    • Use the following option: Press 1 then Enter to scan for bak folders
    • The scan may take a while, please be patient.
    • When done, a text file, Find AWF report is produced.
    • Please attach the Find AWF report in your next post.
    Now we need to stop and remove a couple of malware services.
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to RtoAutos
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Now repeat the above to Stop and Disable the below Services (if you do not find them or get any errors, just continue):
      • Prints Spoolers Services
    • Click OK until you get back to Windows.
    • Next, run C:\MGtools\analyse.exe which is really HijackThis, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste ProtectsStore into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now repeat the above to delete the below Services (if you do not find them or get any errors, just continue):
      • PssInsv
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.
    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Policies\Explorer\Run: [{C0E0534A-095A-1033-0517-040624030001}] "C:\Program Files\Common Files\{C0E0534A-095A-1033-0517-040624030001}\Update.exe" te-110-12-0000213
    O20 - AppInit_DLLs:

    NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.
    After clicking Fix, exit HJT.

    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    Driver::ahciov
    bbuizu
    ProtectsStore
    ylookuwd
    PssInsv
     
    File::
    C:\WINDOWS\system32\drivers\ahciov.sys
    c:\windows\system32\ahciov.dll
    C:\WINDOWS\system32\ahciov.KEY
    C:\WINDOWS\system32\px.ext
    C:\WINDOWS\system32\0005e52a.inc
    C:\Program Files\NetMeeting\smss.exe
    C:\PROGRAM FILES\SYSTEM\SVCHOSTKEY.DLL
    C:\Program Files\Common Files\{C0E0534A-095A-1033-0517-040624030001}\Update.exe
    Folder::
    C:\Program Files\System
    C:\Program Files\Common Files\{C0E0534A-095A-1033-0517-040624030001}
    C:\WINDOWS\uzkz
     
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    "bbuizu"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
    "{C0E0534A-095A-1033-0517-040624030001}"=-
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\Administrator\Local Settings\Temp

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
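    The following is an added verification script, not part of chaslang's post or of any MajorGeeks tool. After the reboot that ComboFix forces, it sweeps the machine for every indicator named in the fix above (the service and driver names, the files and folders in the CFScript, the svchost group, the Policies\Explorer\Run value and the AppInit_DLLs entry) and reports which ones are still present. It assumes Windows PowerShell is available and is run from an elevated console for the user account that was infected; it is read-only and deletes nothing. The indicator names and paths are copied from the thread; nothing else about the infection is assumed.

```powershell
# Added example: read-only sweep for the indicators listed in the fix above.
# Assumes an elevated Windows PowerShell session; HKCU refers to the logged-on user.
# It only reports what is still present - it does not remove anything.

# Service/driver names from the services.msc, HJT and CFScript steps.
$serviceNames = @('ahciov', 'bbuizu', 'ProtectsStore', 'ylookuwd', 'PssInsv', 'RtoAutos')
# The fake "Print Spooler" entry was identified by display name, not service name.
$fakeDisplayName = 'Prints Spoolers Services'

$files = @(
    'C:\WINDOWS\system32\drivers\ahciov.sys',
    'C:\WINDOWS\system32\ahciov.dll',
    'C:\WINDOWS\system32\ahciov.KEY',
    'C:\WINDOWS\system32\px.ext',
    'C:\WINDOWS\system32\0005e52a.inc',
    'C:\Program Files\NetMeeting\smss.exe',
    'C:\PROGRAM FILES\SYSTEM\SVCHOSTKEY.DLL',
    'C:\Program Files\Common Files\{C0E0534A-095A-1033-0517-040624030001}\Update.exe'
)
$folders = @(
    'C:\Program Files\System',
    'C:\Program Files\Common Files\{C0E0534A-095A-1033-0517-040624030001}',
    'C:\WINDOWS\uzkz'
)
$policyRunValue = '{C0E0534A-095A-1033-0517-040624030001}'

$findings = New-Object System.Collections.Generic.List[string]

# Both user-mode services and kernel drivers are registered under this key;
# Get-Service alone would miss the ahciov driver.
foreach ($name in $serviceNames) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    if (Test-Path -LiteralPath $key) {
        $start = (Get-ItemProperty -LiteralPath $key).Start   # 4 = Disabled
        $findings.Add("service/driver still registered: $name (Start=$start)")
    }
}
$fake = Get-Service | Where-Object { $_.DisplayName -eq $fakeDisplayName }
if ($fake) { $findings.Add("service with display name '$fakeDisplayName' still present: $($fake.Name)") }

foreach ($f in $files) {
    if (Test-Path -LiteralPath $f -PathType Leaf) { $findings.Add("file still present: $f") }
}
foreach ($d in $folders) {
    if (Test-Path -LiteralPath $d -PathType Container) { $findings.Add("folder still present: $d") }
}

# svchost group that the CFScript removes ("bbuizu"=-).
$svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$svchost = Get-ItemProperty -LiteralPath $svchostKey -ErrorAction SilentlyContinue
if ($svchost -and ($svchost.PSObject.Properties | Where-Object { $_.Name -eq 'bbuizu' })) {
    $findings.Add("svchost group 'bbuizu' still defined")
}

# Policies\Explorer\Run value fixed with HJT (O4 line) and again by the CFScript.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
$run = Get-ItemProperty -LiteralPath $runKey -ErrorAction SilentlyContinue
if ($run -and ($run.PSObject.Properties | Where-Object { $_.Name -eq $policyRunValue })) {
    $findings.Add("Policies\Explorer\Run value still present: $policyRunValue")
}

# AppInit_DLLs (HJT O20 line) should be empty once the fix has been applied.
$winKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$appInit = (Get-ItemProperty -LiteralPath $winKey -ErrorAction SilentlyContinue).AppInit_DLLs
if ($appInit) { $findings.Add("AppInit_DLLs is not empty: $appInit") }

if ($findings.Count -eq 0) {
    Write-Output 'No listed indicators remain.'
} else {
    Write-Output "$($findings.Count) indicator(s) still present:"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

    Run it once before the CFScript step to confirm the indicators are actually on the machine, and once more after the reboot: anything it still lists is what the next round of cleaning needs to target. A service key that remains but shows Start=4 has only been disabled, not deleted, which is what the services.msc step leaves behind until HJT or ComboFix removes the entry.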
     
  5. sarbie

    sarbie Private E-2

    I tried to use the ComboFix, but I received a notification that it was outdated and needed to be updated. I clicked OK, it finished running, and now it is missing from my desktop. Should I simply re-download the program and then continue on with this step?
     
    Last edited by a moderator: Feb 16, 2008
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please don't quote procedures when it is not required. It clutters up the thread and makes it take longer to load pages.

    Just redownload combofix from here: combofix.exe save it on your Desktop.
     
  7. sarbie

    sarbie Private E-2

    When I attempted to access "C:\Documents and Settings\Administrator\Local Settings\Temp," it could not be found.

    I then ran C:\MGtools\GetLogs.bat anyway, but an error occurred because it could not locate C:\Documents and Settings\Sarah\Desktop.

    I attached the logs anyway.
     

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You forgot to attach the log from FindAWF. Please attach it. It is c:\awf.txt

    Your other logs are all clean. Are you still having problems?
     
