Rootkit virus

[AussieKev]

Hi everyone my name is AussieKev and this is my first post on this forum.
I find Avast a great detection and protection program.
I don't know a lot about computers and that is probable why I am on this forum to get some help.

This is the situation.
Each time I turn on my computer a message comes up from Avast that I have a virus - Its name apparently is - SVC:swcustcfg>SVG:swcustcfg>???The message says it is a dangerous Rootkit virus and it should be deleted immediately. I do this by clicking on OK then another box comes up and tells me that Avast wants to re boot my computer and clean all the files (i guess to get rid of the virus) I immediately click OK and the computer turns off and back on and Avast goes through all the files before I can log into windows.

Great but the message comes up and tells me to do the same again and so on. I then tell it no to rebooting and get on with using the computer. But guess what it all happens again when I switch my computer on the next time.

Is there any way to rid this virus and how do I do it.
I apoligize is my terminology is not right but please help.

  :'(
Thanks

[Pondus]

follow this guide and attach all logs
http://forum.avast.com/index.php?topic=53253.0


lower left corner > additional options > attach

[AussieKev]

Hi Pondus,
I have never spoken with a Norwegian before so I am pleased that you can help.
I downloaded the malware software and have scanned the computer. Attached is the log.
When I restarted the computer the Rootkit warning still comes up.
Please advise if possible how to rectify.

Thanks very much.
Hope you have a great Christmas in Norway.
AussieKev

[Pondus]

could you please attach the rest of the logs
OTL.txt /Extra.txt and aswMBR.txt

[AussieKev]

Hi Pondus,
Attached are the logs you have requested.
They are in two posts as apparently they are too big to post as one.
OTL logs first
Thanks
AussieKev

[AussieKev]

Hi Pondus,

Here is another file. This is MBR.
Thanks
AussieKev

[Pondus]

super.... check back for essexboy verdict

seems he is busy preparing for christmas, so he may not enter the forum today   

[AussieKev]

Hi Pondus,

I have finally reduced the size of the screen shot.

Thanks for the reply I will check back later.

Happy Christmas to you and I hope the new year is good to you.
Thanks
AussieKev

[essexboy]

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  

  :OTL
  IE - HKU\S-1-5-21-1942655802-165071968-358964189-1004\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultUrl = http://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZRxdm103YYAU&fl=0&ptb=so_wEhNHkoV47ci_W57SFw&url=http://edits.mywebsearch.com/toolbaredits/barsearch.jhtml&st=sb&searchfor={searchTerms}
  O33 - MountPoints2\{028e61a4-d2cb-11dd-99f4-001731faba9a}\Shell - "" = AutoRun
  O33 - MountPoints2\{028e61a4-d2cb-11dd-99f4-001731faba9a}\Shell\AutoRun - "" = Auto&Play
  O33 - MountPoints2\{028e61a4-d2cb-11dd-99f4-001731faba9a}\Shell\AutoRun\command - "" = J:\DPFMate.exe
  O33 - MountPoints2\{17568133-c702-11db-9a12-001485db0f8e}\Shell - "" = AutoRun
  O33 - MountPoints2\{17568133-c702-11db-9a12-001485db0f8e}\Shell\1\Command - "" = .\RECYCLER\RECYCLER\autorun.exe
  O33 - MountPoints2\{17568133-c702-11db-9a12-001485db0f8e}\Shell\2\Command - "" = .\RECYCLER\RECYCLER\autorun.exe
  O33 - MountPoints2\{17568133-c702-11db-9a12-001485db0f8e}\Shell\AutoRun - "" = Auto&Play
  O33 - MountPoints2\{17568133-c702-11db-9a12-001485db0f8e}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\RECYCLER\RECYCLER\autorun.exe
  O33 - MountPoints2\{44fcca9a-9b5d-11de-be1b-0022b0641ecd}\Shell - "" = AutoRun
  O33 - MountPoints2\{44fcca9a-9b5d-11de-be1b-0022b0641ecd}\Shell\AutoRun - "" = Auto&Play
  O33 - MountPoints2\{44fcca9a-9b5d-11de-be1b-0022b0641ecd}\Shell\AutoRun\command - "" = J:\AutoRun.exe
  O33 - MountPoints2\{6f8bb9e3-51ff-11db-98fb-001485db0f8e}\Shell - "" = AutoRun
  O33 - MountPoints2\{6f8bb9e3-51ff-11db-98fb-001485db0f8e}\Shell\1\Command - "" = .\RECYCLER\RECYCLER\autorun.exe
  O33 - MountPoints2\{6f8bb9e3-51ff-11db-98fb-001485db0f8e}\Shell\2\Command - "" = .\RECYCLER\RECYCLER\autorun.exe
  O33 - MountPoints2\{6f8bb9e3-51ff-11db-98fb-001485db0f8e}\Shell\AutoRun - "" = Auto&Play
  O33 - MountPoints2\{6f8bb9e3-51ff-11db-98fb-001485db0f8e}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\RECYCLER\RECYCLER\autorun.exe
  O33 - MountPoints2\{85032672-165c-11dc-9ac5-001485db0f8e}\Shell - "" = AutoRun
  O33 - MountPoints2\{85032672-165c-11dc-9ac5-001485db0f8e}\Shell\1\Command - "" = .\RECYCLER\RECYCLER\autorun.exe
  O33 - MountPoints2\{85032672-165c-11dc-9ac5-001485db0f8e}\Shell\2\Command - "" = .\RECYCLER\RECYCLER\autorun.exe
  O33 - MountPoints2\{85032672-165c-11dc-9ac5-001485db0f8e}\Shell\AutoRun - "" = Auto&Play
  O33 - MountPoints2\{85032672-165c-11dc-9ac5-001485db0f8e}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\RECYCLER\RECYCLER\autorun.exe
  O33 - MountPoints2\{9050e88e-8792-11dc-9b9a-001485db0f8e}\Shell - "" = AutoRun
  O33 - MountPoints2\{9050e88e-8792-11dc-9b9a-001485db0f8e}\Shell\AutoRun - "" = Auto&Play
  O33 - MountPoints2\{9050e88e-8792-11dc-9b9a-001485db0f8e}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
  O33 - MountPoints2\{9676cb98-1d31-11df-beca-0022b0641ecd}\Shell - "" = AutoRun
  O33 - MountPoints2\{9676cb98-1d31-11df-beca-0022b0641ecd}\Shell\AutoRun - "" = Auto&Play
  O33 - MountPoints2\{9676cb98-1d31-11df-beca-0022b0641ecd}\Shell\AutoRun\command - "" = E:\WIN\setup.exe
  O33 - MountPoints2\{b6159948-2928-11e1-81fd-0022b0641ecd}\Shell - "" = AutoRun
  O33 - MountPoints2\{b6159948-2928-11e1-81fd-0022b0641ecd}\Shell\AutoRun - "" = Auto&Play
  O33 - MountPoints2\{b6159948-2928-11e1-81fd-0022b0641ecd}\Shell\AutoRun\command - "" = E:\WIN\setup.exe
  O33 - MountPoints2\{cf2c2a83-e739-11da-b20a-806d6172696f}\Shell - "" = AutoRun
  O33 - MountPoints2\{cf2c2a83-e739-11da-b20a-806d6172696f}\Shell\AutoRun - "" = Auto&Play
  O33 - MountPoints2\{cf2c2a83-e739-11da-b20a-806d6172696f}\Shell\AutoRun\command - "" = D:\setup.exe
  
  :Files
  ipconfig /flushdns /c
  
  :Commands
  [purity]
  [resethosts]
  [emptytemp]
  [CREATERESTOREPOINT]
  [Reboot]
• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN


Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1
Link 2
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

• Double click on ComboFix.exe & follow the prompts.
  
• Accept the disclaimer and allow to update if it asks

• When finished, it shall produce a log for you.
• Please include the C:\ComboFix.txt in your next reply.[/b]
  

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3.  If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.



Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

[AussieKev]

Hi Essexboy,

I have run the OTL and will post the log but with the combo fix it started okay and had to download from microsoft and a box cam up and said someting about the fix should take upto 10 mions to do unless the computer is badly effected it could take double the time. The box had a dash under the wording flashing which said it was doing its thing but after two and a half hours nothing happened so the combofix didn't complete its scan.
Please advise what to do now.

Thanks
AussieKev

[essexboy]

Coulod you try Combofix from safe mode please, if that fails I will use a different approach

[AussieKev]

Hi Essexboy,

I did as you requested and started computer in safemode but unfortunately Combofix did not work again.

I guess it is back to the drawing board, but I am sure you have it covered.

Thanks again for the help.

AussieKev

[essexboy]

OK time for the AVP analysis

Upload the zip file to megaupload - link at the bottom

Download AVPTool from Here to your desktop 
   
Run the programme you have just downloaded to your desktop (it will be randomly named ) 
 
First we will run a virus scan  
 
Click the cog in the upper right 

 
 
Select down to and including your main drive, once done select the Automatic scan tab and press Start Scan 

 
Allow AVP to delete all infections found
Once it has finished select report tab (last tab)
Select Detected threats report from the left and press Save button
Save it to your desktop and attach to your next post
 
 
Now the Analysis
 
Rerun AVP and select the Manual Disinfection tab and press Start Gathering System Information 
 

 
On completion click the link to locate the zip file to upload and attach to your next post 
 

Megaupload

[AussieKev]

Hi Essexboy,

A couple of questions-
1/ "Upload the zip file to megaupload - link at the bottom" Please advise if I have to register on megaupload and once registered what do I do with the program. I don't understand your step about uploading zip file etc. Do I do it first or do I do it at the end.

2/"Download AVPTool from Here to your desktop" Once again do I register to download program and then I guess I would run the virus scan after I have registered and downloaded the program.

Sorry I don't understand all what you say as I am a complete novice at this IT stuff. I admire your knowledge and skills with computers. Thanks for being patient and helping me I am sure it is not easy when you are many miles away and you have to deal with someone who doesn't really know what he is doing.
By the way is all these programs safe or do I run risks of people getting into my computer and any info stored there.

Thanks again for guiding me through.

AussieKev

[Pondus]

By the way is all these programs safe or do I run risks of people getting into my computer and any info stored there

yes they are all safe.... And Essexboy is a trained and certified malware remover and Teacher over at Geeks to go forum


you register to download the Kaspersky AVP tool


when you have run AVP it will create a zip file that you upload so essexboy can get it

see all the text belonging to the last two pictures