Spawning applications in ProgramData folder...

[Menecairiel]

...and it sets off my AVAST! network shield.

I was hit at the same time by two seperate processes in different folders trying to contact urbangood.info


The first was a string of numbers for a name of an app in my user folder. This didn't change name, it remained the same but set my network shield off about every ten minutes no matter what I was doing.


The second, that hit at the same time and is clearly connected, is changing name. I can see the apps spawning in the programdata folder and changing name to a string of letters. There is one file that stays the same name, (and it is listed as a file not an app, called 'ootlclxrxndzgll'), and everytime there is a change of the time on the date last modified for it, another app is spawned or one disappears, so it definitely seems to be the 'cause' of it. This sets off my network shield too, but it seems to be only when I open up a webpage with this one, and it's a different app with a new name each time that is listed on the avast popup. It is also trying to contact urbangood.info


Now, I ran sophos virus removal tool. It found two threats. One I have no idea if it was related or not, but the other was definitely related. It was called the troj/zbot-cbw and after clean up it succesfully deleted the first app I described, the one that was a string of numbers and remained the same.

However, after clean up, it hasn't got rid of the ones in the programdata folder that is spawning and changing.

The log sophos left over is:

2012-06-22 20:13:33   Could not open C:\hiberfil.sys
2012-06-22 20:14:06   Could not open C:\pagefile.sys
2012-06-22 20:28:57   Could not open C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
2012-06-22 20:28:57   Could not open C:\System Volume Information\{dc5226be-b89e-11e1-8676-0024548519b0}{3808876b-c176-4e48-b7ae-04046e6cc752}
2012-06-22 20:28:57   Could not open C:\System Volume Information\{dc5226cc-b89e-11e1-8676-0024548519b0}{3808876b-c176-4e48-b7ae-04046e6cc752}
2012-06-22 20:28:57   Could not open C:\System Volume Information\{dc522731-b89e-11e1-8676-0024548519b0}{3808876b-c176-4e48-b7ae-04046e6cc752}
2012-06-22 20:29:20   >>> Virus 'Troj/Zbot-CBW' found in file C:\Users\Katherine\0.5262248442813692.exe
2012-06-22 21:00:44   >>> Virus 'Mal/ExpJS-AL' found in file C:\Users\Katherine\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\N2116PGF\index[4].htm
2012-06-22 21:16:38   Could not open C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb
2012-06-22 21:16:38   Could not open C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb
2012-06-22 21:16:43   Could not open C:\Windows\System32\config\RegBack\DEFAULT
2012-06-22 21:16:43   Could not open C:\Windows\System32\config\RegBack\SAM
2012-06-22 21:16:43   Could not open C:\Windows\System32\config\RegBack\SECURITY
2012-06-22 21:16:43   Could not open C:\Windows\System32\config\RegBack\SOFTWARE
2012-06-22 21:16:43   Could not open C:\Windows\System32\config\RegBack\SYSTEM
2012-06-22 21:17:16   Could not open C:\Windows\System32\drivers\sptd.sys
2012-06-22 21:35:57   The following items will be cleaned up:
2012-06-22 21:35:57   Troj/Zbot-CBW
2012-06-22 21:35:57   Mal/ExpJS-AL
2012-06-22 21:36:22   Process "C:\Users\Katherine\0.5262248442813692.exe:pid:00002d7c" belongs to 'Troj/Zbot-CBW'.
2012-06-22 21:36:22   Process "C:\Users\Katherine\0.5262248442813692.exe:pid:00002d7c" has been cleaned up.
2012-06-22 21:36:22   File "C:\Users\Katherine\0.5262248442813692.exe" belongs to 'Troj/Zbot-CBW'.
2012-06-22 21:36:22   File "C:\Users\Katherine\0.5262248442813692.exe" has been cleaned up.
2012-06-22 21:36:22   Removal successful
2012-06-22 21:36:34   File "C:\Users\Katherine\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\N2116PGF\index[4].htm" belongs to malware 'Mal/ExpJS-AL'.
2012-06-22 21:36:34   File "C:\Users\Katherine\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\N2116PGF\index[4].htm" has been cleaned up.
2012-06-22 21:36:34   Removal successful

2012-06-22 21:37:56   Scan completed.
2012-06-22 21:37:56   


Any ideas on how I can get rid of this other half of the problem? Is it left over from the clean up? I'm running a kaspersky virus removal tool scan now, but I'm losing hope! I should also say I'm a tech simpleton so I may be slow!

Thanks in advance

[Pondus]

follow this guide and attach  (not copy and paste) logs from malwarebytes / OTL / aswMBR
http://forum.avast.com/index.php?topic=53253.0


when done a malware remover will be notified and check the logs.........it may take several hours before he arrive

[Menecairiel]

I am downloading OTL and got a notice that "OTL is not commonly downloaded and could harm your computer"....should I take heed to that?

[Pondus]

if avast sandbox should alert then select "run normal"

[essexboy]

If it is IE9 reporting then select run anyway

[Menecairiel]

I allowed it and it is currently running 

The MBAM report is attached. After running it, the files were removed and so far, nothing has spawned and no Avast has gone off. However, the file that kept changing its name is still there so I am doing all the steps just in case.

[essexboy]

I will be going off line in a bit - but I will look first thing tomorrow 

[Menecairiel]

Thank you! And I want to say thank you to everyone for being so helpful! It is strange how it feels like it is the end of the world when something like this happens...

Also, please see attached...everything else Hopefully this will help?

[essexboy]

I see that you have run TDSSKiller, could you post the log

 Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run
To disable MBAM
Open the scanner and select the protection tab
Remove the tick from "Start with Windows"
Reboot and then run OTL


Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  

  :OTL
  DRV - File not found [Kernel | On_Demand | Unknown] -- -- (af1652ev)
  O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
  O3 - HKU\S-1-5-21-593423473-182427553-3595481273-1000\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
  O3 - HKU\S-1-5-21-593423473-182427553-3595481273-1000\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
  [2012/06/22 22:49:25 | 000,000,052 | ---- | M] () -- C:\ProgramData\ootlclxrxndzgll
  [2010/10/04 14:17:04 | 000,000,000 | -HSD | M] -- C:\Users\Katherine\AppData\Roaming\.#
  @Alternate Data Stream - 1287 bytes -> C:\Program Files\Common Files\System:kjM0wgPfQPoB5RXv5ZYLFd
  @Alternate Data Stream - 1286 bytes -> C:\Users\Katherine\AppData\Local\Temp:w1mZJk8b2rhFVfc09e8LCPo
  @Alternate Data Stream - 1286 bytes -> C:\Users\KATHER~1\AppData\Local\Temp\:w1mZJk8b2rhFVfc09e8LCPo
  @Alternate Data Stream - 128 bytes -> C:\ProgramData\Temp:99C301D0
  @Alternate Data Stream - 1231 bytes -> C:\ProgramData\Microsoft:mqbG8FTYwbvW7JfddmiuN98nUe
  @Alternate Data Stream - 1227 bytes -> C:\ProgramData\Microsoft:Y3ZYw9n4PNpvWEeRTP2RU2xsZ
  @Alternate Data Stream - 117 bytes -> C:\ProgramData\Temp:AAA14AF9
  
  :Files
  ipconfig /flushdns /c
  
  :Commands
  [purity]
  [resethosts]
  [emptytemp]
  [CREATERESTOREPOINT]
  [Reboot]
• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

[Menecairiel]

Thank you. The file was too large to attach so I had to split it between two documents...sorry about that! Part 1 posted here, part 2 posted after this one as it didn't even allow me to do two at one...

Doing the fix now as well

[Menecairiel]

And part 2...

[essexboy]

Once the fix has run and rebooted could you let me know of any problems

[Menecairiel]

It's rebooted and it looks ok.... (I am almost scared to say those words!)

Here is the report from the OTL (well, the one that popped up after I rebooted) Did I mention thank you?

EDIT: Will attach the OTL quick scan log when I have done it...it is in the process of doing so!

[essexboy]

Total Files Cleaned = 1,360.00 mb

Lots of rubbish removed 

Could you now use the computer as normal and let me know if anything appears weird, wrong or just downright hookey 

[Pondus]

Total Files Cleaned = 1,360.00 mb

Lots of rubbish removed 

hmmmm...someone need to install CCleaner....or ATF cleaner