Everything is blocked

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Nwit, Jan 8, 2012.

  1. Nwit

    Nwit Private E-2

    Nothing is working. Windows XP

    System restore: Blocked

    Control Panel Java: Avast warning: you are opening an application that may be potentially unsafe

    FireFox 8.0: Avast warning.....Blocked
    Privacy: No "Private Data" section

    IE: Blocked....Avast Warning

    Unable to open "RUN" CMD.....Avast Warning

    Downloaded to Flash

    GooredFix......Blocked

    TDSSKiller...Blocked

    MBR.....Blocked

    Should I still continue with Malware Removal Guide??????
     
    Last edited: Jan 8, 2012
  2. thisisu

    thisisu Malware Consultant

    Yes, also make sure you disable Avast while you are trying to download and run scans with the anti-malware tools specified in the guide.

    You may just want to uninstall it completely and we can reinstall it once you are clean.

    And when you say "Blocked" -- Let me know exactly what is happening.
     
  3. Nwit

    Nwit Private E-2

    Thanks for responding

    I was unable to uninstall Avast.....however I was able to disable "all shields"

    Regarding "Blocked"......first there was the Avast warning....then I would get a "XP Antivirus 2012" warning saying that GooredFix.exe, etc, is infected with "Trojan-BNK.Win32.Keylogger.gen"

    With Avast disabled I just get the "infected with "Trojan-BNK etc"
     
  4. thisisu

    thisisu Malware Consultant

    No problem.

    Thank you for clarifying. I would like you to try the below:

    Please download RogueKiller to your desktop.

    Rename RogueKiller.exe to winlogon.com
    Double-click winlogon.com to run.
    When it opens, press the number "1" and press ENTER.
    When it is finished -- Notepad will open with the report and the log is saved to your desktop.
    Attach RKreport[1].txt to your next message. (How to attach)
    You can now type the number "0" and press ENTER to exit RogueKiller.
     
  5. Nwit

    Nwit Private E-2

    First task is to check settings.....

    I am using FireFox 8.0.......I do not see "Direct connection to the Internet"

    The radio button that is checked is: "Use system proxy settings"

    Other choices are:

    No Proxy

    Auto-detect proxy settings for this network

    Manual proxy configuration

    Automatic proxy configuration URL

    I cannot access IE at all....
     
  6. Nwit

    Nwit Private E-2

    Unable to open "winlogon.com".....I get the "winlogon.com.exe is infected with Trojan-BNK.Win32.Keylogger.gen"
     
  7. thisisu

    thisisu Malware Consultant

    You did not rename it properly. You must have viewing of file extensions turned on. Read the following for details: How to view hidden, system files & folders!
     
  8. Nwit

    Nwit Private E-2

    should be an attachment here
     
  9. thisisu

    thisisu Malware Consultant

    Try again. (How to attach)
     
  10. Nwit

    Nwit Private E-2

    I apologize for my absence.....

    Attached is the RKreport

    Thanks
     


  11. thisisu

    thisisu Malware Consultant

  12. Nwit

    Nwit Private E-2

    Good morning, Happy Wednesday.....
     


  13. thisisu

    thisisu Malware Consultant

    Morning :)

    That log looks good. You should now be able to run through this: READ & RUN ME FIRST Malware Removal Guide

    Remember to attach all of your logs requested from this if you are still having problems.
     
  14. Nwit

    Nwit Private E-2

    Everything seems to be working.....mglogs.zip to follow
     


  15. Nwit

    Nwit Private E-2

    Thank you for all of your help.....I hope all is resolved.....Thanks again!!!!
     


  16. thisisu

    thisisu Malware Consultant

    From Add/Remove Programs (via Control Panel), please uninstall the below:
    Java(TM) 6 Update 26

    Please download Disable/Remove Windows Messenger to your desktop.
    • Double-click MessengerDisable.exe to run it.
    • Place checkmarks in "Uninstall Windows Messenger" and "Hide Messenger from Outlook Express"
    • Click Apply
    • Click Exit

    Fixing items using ComboFix
    Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    ClearJavaCache::
    Driver::
    Lavasoft Kernexplorer
    File::
    C:\Documents and Settings\Tom\Local Settings\Application Data\00sct24kdc8263eyffk45vvsap2pr18dqo5m56e5y47adg
    C:\Documents and Settings\All Users\Application Data\00sct24kdc8263eyffk45vvsap2pr18dqo5m56e5y47adg
    C:\Documents and Settings\Tom\Templates\00sct24kdc8263eyffk45vvsap2pr18dqo5m56e5y47adg
    C:\Documents and Settings\Tom\Desktop\mb.exe.exe
    C:\Documents and Settings\Tom\Desktop\Free Games!!.lnk
    C:\Documents and Settings\Tom\Desktop\Free Music Downloads.lnk
    C:\Documents and Settings\Tom\My Documents\D1DxmwO.exe
    Folder::
    C:\WINDOWS\$NtUninstallKB12737$
    c:\program files\Lavasoft
    C:\Documents and Settings\Tom\Local Settings\Application Data\PackageAware
    C:\Documents and Settings\All Users\Application Data\{08E30618-5D06-461B-BBD3-4ADFB0810824}
    C:\Documents and Settings\Tom\Local Settings\Application Data\Viewpoint
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
    "{EB132DB0-A4CA-11DF-9732-0E29E0D72085}"=-
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\VWPT]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}]
    
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.txt on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)

    Now install the current version of Sun Java from: jre-7u2-windows-i586.exe

    Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

    Let me know how your PC is running after you have completed these steps.
     
  17. thisisu

    thisisu Malware Consultant

    After you complete the above, also complete these steps:

    Download SystemLook from one of the links below and save it to your desktop.
    Download Mirror #1
    Download Mirror #2
    • Double-click SystemLook.exe to run it.
    • Copy and Paste the content of the following code box into the main text-field:
    Code:
    :filefind
    i8042prt.sys
    
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan and a file entitled SystemLook.txt will be created on your desktop.
    • Attach that file to your next message. (How to attach)
     
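    The :filefind command above lists every copy of the named file on the disk. The thread does not say why this particular driver was picked; the general reason to list every copy of a system file is that a copy which differs from the others (the one in system32\drivers versus the ones in dllcache or ServicePackFiles) deserves a closer look. The script below is an added example, not SystemLook's code and not from this thread: it walks a directory tree for a file name, hashes each copy, and reports the copies whose content is in the minority. The folder layout and the file bytes are constructed in a temporary directory so it runs anywhere; they are not real driver contents.

```python
"""filefind-style check: find every copy of a file name under a root, hash each copy,
and report the copies whose content differs from the majority."""
import hashlib
import os
import shutil
import tempfile
from collections import defaultdict


def sha256_of(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def filefind(root, name):
    """Return sorted (path, size, sha256) for every file called `name` under root.
    Matching is case-insensitive, as it is on an NTFS volume."""
    target = name.lower()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() == target:
                path = os.path.join(dirpath, fn)
                hits.append((path, os.path.getsize(path), sha256_of(path)))
    return sorted(hits)


def odd_copies(hits):
    """Paths whose content is not the majority content among the hits.
    One copy (or one distinct content) gives nothing to compare; if no content
    has a clear majority, every copy is reported so none is silently trusted."""
    by_hash = defaultdict(list)
    for path, _size, digest in hits:
        by_hash[digest].append(path)
    if len(by_hash) < 2:
        return []
    counts = sorted((len(v) for v in by_hash.values()), reverse=True)
    if counts[0] == counts[1]:
        return sorted(p for paths in by_hash.values() for p in paths)
    return sorted(p for paths in by_hash.values() if len(paths) < counts[0] for p in paths)


def build_sample_tree():
    """Constructed stand-in for the XP folders that normally hold copies of a driver
    (the bytes are made up; they are not a real i8042prt.sys)."""
    root = tempfile.mkdtemp(prefix="filefind_")
    pristine = b"MZ" + b"\x00" * 62 + b"constructed driver body"
    patched = pristine + b"\xcc" * 16            # the in-use copy has extra bytes appended
    layout = {
        ("WINDOWS", "system32", "drivers", "i8042prt.sys"): patched,
        ("WINDOWS", "system32", "dllcache", "i8042prt.sys"): pristine,
        ("WINDOWS", "ServicePackFiles", "i386", "i8042prt.sys"): pristine,
        ("WINDOWS", "system32", "drivers", "kbdclass.sys"): pristine,   # different name, must not match
    }
    for parts, content in layout.items():
        path = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    try:
        hits = filefind(root, "i8042prt.sys")
        for path, size, digest in hits:
            print(f"{size:6d}  {digest[:16]}  {os.path.relpath(path, root)}")
        print("differs from the other copies:", [os.path.relpath(p, root) for p in odd_copies(hits)])
    finally:
        shutil.rmtree(root)
```

    On a real machine you would point filefind at C:\ (or at C:\WINDOWS) and read the output alongside the SystemLook log; a copy that differs only in the drivers folder is the one to submit for analysis, while identical hashes everywhere tell you the file itself is not what was changed.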
  18. Nwit

    Nwit Private E-2

    I'm having trouble with the comboFix......I disabled Avast but when the script started running I got a warning that Avast had blocked something.....I continued and the script started scanning.....after an hour with no movement....I shut down the computer....restarted.....uninstalled Avast and started the script.....got to the scanning prompt and waited almost an hour this time....

    Is it possible that I have corrupted something???

    Please advise....
     
  19. thisisu

    thisisu Malware Consultant

    Why did you install Avast?
    It was not in your previous logs and you should not be doing anything other than what is asked of you.

    Did you install any other applications, especially security software AFTER attaching MGlogs.zip?

    Run this and let me know.
     
  20. Nwit

    Nwit Private E-2

    Sorry.....I thought it was a good idea at the time....I also installed and then uninstalled....Comodo Personal Firewall......will follow instruction exactly in future.....

    I ran your Avast uninstaller successfully....
     
  21. thisisu

    thisisu Malware Consultant

    Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now open Repair_Windows.exe
    • Go to Start Repairs tab.
    • Choose "Custom Mode" and press "Start".
    • Create a System Restore point if prompted.
    • In the Custom Mode window, select the following repair options:
      • Repair WMI
    • Now click the Start button.
    • Be patient while the tool repairs the selected items.
    • If asked to reboot the computer for the changes to take effect, make sure other tasks in the program are not still running before accepting to restart.

    You will be asked to reboot. Please do so and then continue with the instructions I outlined here -- Starting at creating and using the CFScript.txt with ComboFix.exe
     
  22. Nwit

    Nwit Private E-2

    auto scan failed....1 hour 10 minutes
     
  23. thisisu

    thisisu Malware Consultant

    I want you to read and follow these instructions: TDSSKiller - How to run


    Please download MBRCheck by clicking here and save it to your desktop.

    • Double-click on the file to run it. (Vista/7 right-click and select Run as Administrator)
    • A window will open on your desktop.
    • If an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
    • If nothing unusual is found just press Enter.
    • A .txt file named MBRCheck_mm.dd.yy_hh.mm.txt should appear on your desktop.
    • Attach this file to your next message. (How to attach)
     
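    What a tool like MBRCheck does with sector 0 is mechanical: read the 512-byte Master Boot Record, check the 0x55AA signature, hash the 446 bytes of boot code against a table of known-good boot code, and sanity-check the four partition entries. The script below is an added example of those checks, not MBRCheck's code and not from this thread. The MBR it checks is constructed in memory with make_mbr, and the "trusted" hash set is simply the hash of that constructed boot code, so the known-good table is a stand-in for the real version-specific one. The unpartitioned-tail check is a general one: space after the last partition is where a bootkit can park data outside any file system, which is an assumption about the class of threat, not something the thread establishes.

```python
"""Parse one 512-byte MBR and run the kind of sanity checks an MBRCheck-style tool does."""
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 446          # bytes 0..445 hold the boot code
TABLE_OFF = 446             # four 16-byte partition entries follow
ENTRY_LEN = 16
SIG_OFF = 510               # last two bytes must be 0x55 0xAA
BOOT_SIG = b"\x55\xaa"
ENTRY_FMT = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count


def make_mbr(entries, boot_code=b"\x33\xc0\x8e\xd0\xbc\x00\x7c", signature=BOOT_SIG):
    """Build a constructed MBR (sample data, not a real disk's boot sector).

    entries: list of (active, type_byte, lba_start, sector_count), at most four.
    """
    if len(entries) > 4:
        raise ValueError("an MBR holds at most four primary partition entries")
    table = b"".join(
        struct.pack(ENTRY_FMT, 0x80 if active else 0x00, b"\0\0\0", ptype, b"\0\0\0", lba, count)
        for active, ptype, lba, count in entries
    )
    return boot_code.ljust(BOOTCODE_LEN, b"\x00") + table.ljust(4 * ENTRY_LEN, b"\x00") + signature


def parse_mbr(data):
    """Return the signature state, a hash of the boot code, and the non-empty partition entries."""
    if len(data) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    parts = []
    for i in range(4):
        off = TABLE_OFF + i * ENTRY_LEN
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, data[off:off + ENTRY_LEN])
        if ptype == 0 and count == 0:
            continue                        # unused slot
        parts.append({"index": i, "status": status, "type": ptype,
                      "lba_start": lba, "sectors": count})
    return {
        "signature_ok": data[SIG_OFF:SIG_OFF + 2] == BOOT_SIG,
        "bootcode_sha256": hashlib.sha256(data[:BOOTCODE_LEN]).hexdigest(),
        "partitions": parts,
    }


def check_mbr(data, disk_sectors, known_good_bootcode):
    """Return a list of findings; an empty list means nothing unusual was seen.

    known_good_bootcode: set of SHA-256 hex digests of boot code you trust.
    disk_sectors: total sector count of the disk the MBR came from.
    """
    info = parse_mbr(data)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature is not 0x55AA")
    if info["bootcode_sha256"] not in known_good_bootcode:
        findings.append("boot code does not match any known-good hash: " + info["bootcode_sha256"][:16])
    parts = info["partitions"]
    if sum(1 for p in parts if p["status"] == 0x80) > 1:
        findings.append("more than one partition is flagged active")
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {p['index']} has an invalid status byte 0x{p['status']:02x}")
        if p["lba_start"] + p["sectors"] > disk_sectors:
            findings.append(f"partition {p['index']} extends past the end of the disk")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"], p["index"]) for p in parts)
    for (_, end1, i1), (start2, _, i2) in zip(spans, spans[1:]):
        if start2 < end1:
            findings.append(f"partitions {i1} and {i2} overlap")
    if spans:
        tail = disk_sectors - max(end for _, end, _ in spans)
        if tail > 0:
            findings.append(f"{tail} unpartitioned sectors after the last partition")
    return findings


if __name__ == "__main__":
    clean = make_mbr([(True, 0x07, 63, 1_000_000)])          # constructed sample
    trusted = {parse_mbr(clean)["bootcode_sha256"]}           # trusting our own sample, for the demo only
    print("clean:", check_mbr(clean, 63 + 1_000_000, trusted))
    patched = bytearray(clean)
    patched[0] ^= 0xFF                                          # one byte of boot code changed
    print("patched:", check_mbr(bytes(patched), 63 + 1_000_000 + 2048, trusted))
```

    On a live Windows system the sector comes from opening \\.\PhysicalDrive0 for binary read as an administrator and reading the first 512 bytes; the disk's sector count is not part of the MBR and has to come from the OS. A boot-code hash that matches nothing known is only a lead, since OEM and third-party boot managers also write their own code there.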
  24. Nwit

    Nwit Private E-2

    Good morning.....attached are the 2 logs requested.....
     
  25. Nwit

    Nwit Private E-2

    Sorry....
     


  26. thisisu

    thisisu Malware Consultant

    Morning!

    Open TDSSKiller and run another scan as you did before, except this time, I want you to allow TDSSKiller to delete TDSS File System. Skip the other detections.
    Code:
    09:31:36.0265 2608	\Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
    09:31:36.0265 2608	\Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip
    Attach the new TDSSKiller log when finished. (How to attach)

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
    Code:
    :files
    C:\Documents and Settings\Tom\Local Settings\Application Data\00sct24kdc8263eyffk45vvsap2pr18dqo5m56e5y47adg
    C:\Documents and Settings\All Users\Application Data\00sct24kdc8263eyffk45vvsap2pr18dqo5m56e5y47adg
    C:\Documents and Settings\Tom\Templates\00sct24kdc8263eyffk45vvsap2pr18dqo5m56e5y47adg
    C:\Documents and Settings\Tom\Desktop\mb.exe.exe
    C:\Documents and Settings\Tom\Desktop\Free Games!!.lnk
    C:\Documents and Settings\Tom\Desktop\Free Music Downloads.lnk
    C:\Documents and Settings\Tom\My Documents\D1DxmwO.exe
    C:\WINDOWS\$NtUninstallKB12737$
    C:\Documents and Settings\All Users\Application Data\{08E30618-5D06-461B-BBD3-4ADFB0810824}
    C:\Documents and Settings\Tom\Local Settings\Application Data\Viewpoint
    :reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
    "{EB132DB0-A4CA-11DF-9732-0E29E0D72085}"=-
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\VWPT]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}]
    
    Now click the Run Fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    Now install the current version of Sun Java from: jre-7u2-windows-i586.exe

    Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     
    Last edited: Jan 13, 2012
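    The Registry:: section of the ComboFix CFScript in post 16 and the :reg section of the OTL fix in post 26 use the same .reg-file notation: a [Key] line opens a block, a "Name"=- line under it deletes that value, and a [-Key] line deletes the key with everything beneath it. Both tools run these with full privileges, so it is worth reading a fix as the operations it performs before dragging it onto anything. The script below is an added example, not code from either tool or from this thread: it pulls the registry section out of a script in either syntax, refuses anything it does not understand (root hives, value deletions outside a key block, non-deletion lines) and prints the equivalent reg.exe commands without running them. The sample script embeds the registry lines posted in this thread plus a Folder:: section to show that other sections are ignored.

```python
"""Dry-run translator for the registry section of a ComboFix CFScript (Registry::)
or an OTL custom fix (:reg), emitting the equivalent reg.exe commands for review."""
import re

HIVES = {
    "HKEY_LOCAL_MACHINE": "HKLM",
    "HKEY_CURRENT_USER": "HKCU",
    "HKEY_CLASSES_ROOT": "HKCR",
    "HKEY_USERS": "HKU",
    "HKEY_CURRENT_CONFIG": "HKCC",
}

HEADER_RE = re.compile(r"^(?:(\w+)::|:(\w+))$")      # ComboFix `Name::` or OTL `:name`
KEY_RE = re.compile(r"^\[(-?)([^\]]+)\]$")            # [Key] opens a block, [-Key] deletes the key
DELETE_VALUE_RE = re.compile(r'^"([^"]*)"=-$')        # "Name"=- deletes a value in the open block

# Constructed sample: the registry lines are the ones posted in this thread; the
# Folder:: lines are there only to show that non-registry sections are skipped.
SAMPLE_SCRIPT = r"""
Folder::
C:\WINDOWS\$NtUninstallKB12737$
c:\program files\Lavasoft
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{EB132DB0-A4CA-11DF-9732-0E29E0D72085}"=-
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\VWPT]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}]
"""


def parse_reg_directives(text):
    """Return [(op, key, value)] with op in {"delete_key", "delete_value"}.

    Only the registry section is read; only deletions are understood, and anything
    else inside that section raises so it cannot be silently ignored.
    """
    ops, in_reg, open_key = [], False, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            name = (m.group(1) or m.group(2)).lower()
            in_reg, open_key = name in ("registry", "reg"), None
            continue
        if not in_reg:
            continue
        m = KEY_RE.match(line)
        if m:
            minus, key = m.groups()
            hive, _, rest = key.partition("\\")
            if hive not in HIVES:
                raise ValueError(f"unknown hive in {line!r}")
            if not rest:
                raise ValueError(f"refusing to touch a root hive: {line!r}")
            if minus:
                ops.append(("delete_key", key, None))
                open_key = None
            else:
                open_key = key
            continue
        m = DELETE_VALUE_RE.match(line)
        if m:
            if open_key is None:
                raise ValueError(f"value deletion {line!r} is not inside a [key] block")
            ops.append(("delete_value", open_key, m.group(1)))
            continue
        raise ValueError(f"unsupported registry line (only deletions handled): {line!r}")
    return ops


def to_reg_commands(ops):
    """Render each operation as the reg.exe command that performs it (not executed here)."""
    cmds = []
    for op, key, value in ops:
        hive, _, rest = key.partition("\\")
        short = f"{HIVES[hive]}\\{rest}"
        if op == "delete_key":
            cmds.append(f'reg delete "{short}" /f')
        else:
            cmds.append(f'reg delete "{short}" /v "{value}" /f')
    return cmds


if __name__ == "__main__":
    for cmd in to_reg_commands(parse_reg_directives(SAMPLE_SCRIPT)):
        print(cmd)
```

    For the thread's fix this prints one value deletion under the Firefox extensions key and two key deletions under Internet Explorer's SearchScopes. Nothing is executed; if you did want to apply the commands yourself rather than through ComboFix or OTL, reg.exe's /f suppresses the confirmation prompt, so run them only after reading the list.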
  27. Nwit

    Nwit Private E-2

    The attached file is the only one on my desktop.....msg from manage attachments says that I have already attached this file....

    OTL.....I downloaded it and clicked "Run Fix".....said it was working at bottom of screen.....I went out for an hour or so....said it was still working, do not interrupt.....screen was frozen.....shut down computer....when I restarted firefox installed updates.....
     
  28. Nwit

    Nwit Private E-2

    Perhaps this is the correct log
     


  29. thisisu

    thisisu Malware Consultant

    It's not. Remember you have to run the TDLFS check too (in additional parameters).

    Basically you need to run TDSSKiller the exact same way as you did the first time, except you delete the TDSS File System when it's listed this time around.

    Edit: I also updated my OTL fix. Please try to run this one after you have deleted the TDSS File System. Remember to attach the new TDSSKiller log too
     
  30. Nwit

    Nwit Private E-2

    The TDSS system did not come up this time...I did check the parameters

    There does not appear to be a new log on my desktop.....the only one there will not attach.....it says that it has already been uploaded......
     
  31. thisisu

    thisisu Malware Consultant

    Unsure why it's not showing up now if you have not deleted it.

    Anyways, proceed with the OTL fix instructions and let me know how your PC is running afterwards.
     
  32. Nwit

    Nwit Private E-2

    OTL froze the screen....did not complete.....

    I will be out until this evening....

    The machine is running perfect.....seems as fast as ever....nothing is acting strange...as far as I can tell...

    See you tonight!
     
  33. thisisu

    thisisu Malware Consultant

  34. Nwit

    Nwit Private E-2

    Finally success.....
     


  35. thisisu

    thisisu Malware Consultant

    Perfect :p

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required.
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to Add/Remove Programs and uninstall HijackThis if it is present.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
    Take care and be safe! :)
     
  36. Nwit

    Nwit Private E-2

    Thank you for all of your help.....

    Tom
     
  37. thisisu

    thisisu Malware Consultant

    You're welcome ;)
     
