Author Topic: Much grief after upgrading! - SOLVED  (Read 15949 times)


gshantz

  • Guest
Much grief after upgrading! - SOLVED
« on: June 26, 2012, 07:06:08 AM »
I've been so far around the block, I should have kept notes.  >:(  I upgraded from the free version and quickly found I could not access YouTube videos - no Flash Player. I temporarily disabled Avast, but it didn't help. Up to this point, the latest version of Flash Player had been working fine on my Win XP 64. I've read much about the compatibility issues of Flash working with 64 bit OSs, but in spite of it, mine was working OK.

I tried reinstalling Flash, both current and older version to no avail. I could restore to a week prior, and it worked fine again. But there were some things I wanted to keep, so restored to the current date. I tried to find any type of settings in Avast that would help, but found nothing. I started looking over the forum and found little, except a sticky explaining how to download and run 3 utilities. I wrote a question asking for help and it got lost or scrapped, because it never showed. This was last night, and tonight I started following the instructions on the sticky page. I ran Malwarebytes' Anti-Malware, and it found some stuff, then tried to run OTL after a reboot. LOCKUP! I tried this 3 times with the same problem. Booted into safe mode and looked for any clues, but found none. At this point, any time I booted normally, it would open the normal main screen, but nothing worked. The only way out was to hard boot into safe mode and restore to last night.

I'm kinda at my wits' end. Don't want to restore all the way back to the upgrade, but so far things don't look too good for Avast.

Any help or suggestions would be appreciated. I really need Flash Player.

I've attached the file from the Anti-Malware program.
« Last Edit: July 20, 2012, 06:20:07 AM by gshantz »

SafeSurf

  • Guest
Re: Much grief after upgrading!
« Reply #1 on: June 26, 2012, 11:34:45 AM »
I'm glad you attached the MBAM log...it explains a lot.  I highly suggest you turn ON Avast and keep it on, and run a Full Scan.  If it finds anything, put it into the Virus Chest and when done run a Boot time scan.

Please report back by giving a screen shot if possible on anything that goes into the Virus Chest [exact name and location of the file(s)].

After doing this, please check the information on the first post of this thread under Virus/Worms for you to check your machine for malware: http://forum.avast.com/index.php?topic=53253.0

Follow the directions of obtaining the OTL logs (save them as ANSI), and aswMBR log.  Post the logs as an attachment (Additional Options > Attach > Post). 

After posting your attachments in your next log, one of our malware removal experts will be along to assist you.

In the meantime, do not go online, disable this machine from any network if it is on one, do not share any portable media with another machine, and try to not use it except to follow the directions I have given above.  Based on the malware in the MBAM log and the problems you are still having, I suspect you have additional malware that needs to be removed.

Feel free to ask questions.  Thank you.

gshantz

  • Guest
Re: Much grief after upgrading!
« Reply #2 on: June 30, 2012, 02:09:44 AM »
Well Safesurf,
I ran the full scan and found a few things that didn't look too good. That didn't take too long, and I'll attach a Word doc for the results, but when I ran the "boot time scan", it took me 2 days because I started it before going to bed. When I came back 20 hours later, it presented a choice as to where and how to deal with the files. I watched it run for quite a while and saw some questionable items being found, but left it run over night. In the morning it had rebooted to Windows XP 64 and I re-ran the Malware-bytes utility. (After the 1st run, and trying to run OTL, because the computer was unusable, I was forced to restore it to just prior, losing any gains from the Malware-bytes run.) It looked like the same stuff that was found the 1st time. After telling it to fix all entries, it wanted to reboot which I did, then went to work today.

When I came home this evening, the computer had booted "normally", but I had NO control other than being able to move the cursor. I did a hard restart, and went into safe mode to disable Malware-bytes from starting, then rebooted again and got to this page so I could question the safety of Malware-bytes on win XP 64. Especially the use of OTL, as it shut me down before.

I'll stop right here till I get a response.
Thanks

gshantz

  • Guest
Re: Much grief after upgrading!
« Reply #3 on: June 30, 2012, 07:33:28 AM »
After making the last post, I was checking on some things and discovered that an add-on in MSIE 8 for Flash Player was turned off. Changing this solved my Flash Player problem wonderfully.  :-[  However if there are any other things lurking on my system, I would be grateful for any continued help. At least the problem had nothing to do with Avast. However, I'm troubled at the issue of not being able to run OTL and the kinks in the cleanup process you recommended. So I'd like to hear from you again when you get time.

Thanks,
Gerald

SafeSurf

  • Guest
Re: Much grief after upgrading!
« Reply #4 on: June 30, 2012, 10:50:53 AM »
So you are not able to create an OTL log?  How about an aswMBR log?  You do have malware that needs to be cleaned up.  I'm going to refer you to one of our malware removal specialists to assist you further.  In the meantime, do not make any further changes to your machine, disconnect it from a network if it is on one, try not to use it, and do not sync anything with it.

Let me know if you have any questions.

Essexboy has been notified.
« Last Edit: June 30, 2012, 10:54:03 AM by SafeSurf »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Much grief after upgrading!
« Reply #5 on: June 30, 2012, 12:03:37 PM »
Hi there, first we will try OTL without any custom scan, just press the quick scan button ... Does that work?

If not, could you try the same from safe mode and let me know the result.

gshantz

  • Guest
Re: Much grief after upgrading!
« Reply #6 on: June 30, 2012, 10:20:38 PM »
Let's try this again.   :'( 
Thanks for helping me.  OTL ran fine this time. It took me a while to browse through the results and I saw numerous things I wondered about. Like SearchScopes under IE. I'm very wary of things like Google search and IE add-ons. I use Start Page to prevent Google/CIA from seeing what I research. I recently DL'd Google Earth and now it keeps trying to access something, giving me an error repeatedly. I've noticed the name Babylon popping up perniciously and can't find how to get rid of it. (searched the registry) Also when opening either web browser, they open to an AVG search page instead of my default or home page. No idea where it came from. I hope you know where to look in all that info, but appreciate your time.

I'll copy this text before trying to resend this time.   :)

gshantz

  • Guest
Re: Much grief after upgrading!
« Reply #7 on: June 30, 2012, 10:22:52 PM »
Here's the other file from the OTL scan.

Offline essexboy

Re: Much grief after upgrading!
« Reply #8 on: June 30, 2012, 10:34:13 PM »
AVG, Babylon and iLivid come bundled, so always be careful when you install programmes.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following


    Quote
    :OTL
    IE - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = http://dts.search-results.com/sr?src=ieb&appid=102&systemid=406&q={searchTerms}
    IE - HKLM\..\SearchScopes\{a5b9c0f5-5616-47cd-a95f-e43b488faccf}: "URL" = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=XPxdm003YYus&ptnrS=XPxdm003YYus&si=CLGuntL1zq4CFeMbQgodVE54-w&ptb=BE4DA973-13F8-42BB-9CC0-6CD87A1FAD4E&psa=&ind=2012030423&st=sb&n=77ed25d7&searchfor={searchTerms}
    IE - HKCU\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = http://dts.search-results.com/sr?src=ieb&appid=102&systemid=406&q={searchTerms}
    IE - HKCU\..\SearchScopes\{a5b9c0f5-5616-47cd-a95f-e43b488faccf}: "URL" = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=XPxdm003YYus&ptnrS=XPxdm003YYus&si=CLGuntL1zq4CFeMbQgodVE54-w&ptb=BE4DA973-13F8-42BB-9CC0-6CD87A1FAD4E&psa=&ind=2012030423&st=sb&n=77ed25d7&searchfor={searchTerms}
    FF - prefs.js..browser.search.defaultenginename: "AVG Secure Search"
    FF - prefs.js..browser.search.order.1: "Search the web (Babylon)"
    FF - HKLM\Software\MozillaPlugins\@checkpoint.com/FFApi: File not found
    [2012/06/17 22:02:59 | 000,003,749 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\avg-secure-search.xml
    [2011/12/30 15:37:21 | 000,002,288 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\babylon.xml
    [2012/06/08 12:33:36 | 000,000,000 | ---D | M] (WhiteSmoke US Community Toolbar) -- C:\Documents and Settings\Geralds.GERALD-64\Application Data\Mozilla\Firefox\Profiles\lsfyxzox.default\extensions\{cce665dd-f6dd-4808-968e-eaec971f70ef}
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O2 - BHO: (no name) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No CLSID value found.
    O2 - BHO: (no name) - {5AB7104A-B71F-49AD-9154-F7F8806AE848} - No CLSID value found.
    O2 - BHO: (no name) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No CLSID value found.
    O2 - BHO: (no name) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - No CLSID value found.
    O2 - BHO: (no name) - {6E13D095-45C3-4271-9475-F3B48227DD9F} - No CLSID value found.
    O2 - BHO: (no name) - {99079a25-328f-4bd4-be04-00955acaa0a7} - No CLSID value found.
    O2 - BHO: (no name) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - No CLSID value found.
    O3:64bit: - HKCU\..\Toolbar\ShellBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - %SystemRoot%\system32\browseui.dll File not found
    O3:64bit: - HKCU\..\Toolbar\ShellBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - %SystemRoot%\system32\SHELL32.dll File not found
    O3:64bit: - HKCU\..\Toolbar\WebBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - %SystemRoot%\system32\browseui.dll File not found
    O3:64bit: - HKCU\..\Toolbar\WebBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - %SystemRoot%\system32\SHELL32.dll File not found
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} Reg Error: Value error. (SpinTop DRM Control)
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} Reg Error: Value error. (ArmHelper Control)
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} http://zone.msn.com/bingame/popcaploader_v10.cab (Reg Error: Key error.)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    [2012/06/23 00:23:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Geralds.GERALD-64\Local Settings\Application Data\Ilivid Player

    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN

Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1
Link 2
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply as well as describe how your computer is running now.

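Reading an OTL log like the one in the fix script above is mostly a matter of spotting search-provider entries that point at hosts the user never chose, Firefox search engines that arrived with a bundled toolbar, and Browser Helper Objects left behind with no name or CLSID value. As an added example (not OTL's own code and not anything posted by the helpers in this thread), here is a small Python audit that applies those three checks to sample OTL lines; the allowlist of trusted search hosts and the all-zero placeholder GUIDs in the two benign sample lines are assumptions.

```python
import re
from urllib.parse import urlparse

# Sample OTL log lines: the first four are trimmed from the fix script posted in
# this thread, the last two are constructed benign entries for contrast.
SAMPLE_LOG = r"""
IE - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = http://dts.search-results.com/sr?src=ieb&q={searchTerms}
IE - HKCU\..\SearchScopes\{a5b9c0f5-5616-47cd-a95f-e43b488faccf}: "URL" = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?searchfor={searchTerms}
FF - prefs.js..browser.search.defaultenginename: "AVG Secure Search"
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
IE - HKLM\..\SearchScopes\{00000000-0000-0000-0000-000000000001}: "URL" = http://www.bing.com/search?q={searchTerms}
O2 - BHO: (Example Helper) - {00000000-0000-0000-0000-000000000002} - C:\Program Files (x86)\Example\helper.dll (Example Corp)
"""

# Hypothetical allowlist of search hosts the owner actually chose; any other
# host wired into a SearchScopes entry is reported.
TRUSTED_SEARCH_HOSTS = {"www.bing.com", "startpage.com"}
# Firefox engine names the thread's fix script removed from prefs.js.
UNWANTED_FF_ENGINES = {"AVG Secure Search", "Search the web (Babylon)"}

SEARCHSCOPE_RE = re.compile(r'^IE - (HKLM|HKCU)\\\.\.\\SearchScopes\\(\{[^}]+\}): "URL" = (\S+)')
FF_SEARCH_RE = re.compile(r'^FF - prefs\.js\.\.browser\.search\.(?:defaultenginename|order\.\d+): "(.*)"$')
BHO_RE = re.compile(r'^O2 - BHO: \((.*?)\) - (\{[^}]+\}) - (.*)$')


def audit_otl(log_text):
    """Return (line, reason) pairs for entries that look like a search hijack or an orphaned BHO."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := SEARCHSCOPE_RE.match(line):
            hive, guid, url = m.groups()
            host = urlparse(url).hostname or ""
            if host not in TRUSTED_SEARCH_HOSTS:
                findings.append((line, f"{hive} SearchScopes {guid} -> untrusted host {host}"))
        elif (m := FF_SEARCH_RE.match(line)) and m.group(1) in UNWANTED_FF_ENGINES:
            findings.append((line, f"Firefox search engine '{m.group(1)}' is a bundled toolbar engine"))
        elif m := BHO_RE.match(line):
            name, clsid, target = m.groups()
            # A BHO with no name and no CLSID value is an orphaned registration.
            if name == "no name" and target.startswith("No CLSID value found"):
                findings.append((line, f"orphaned BHO {clsid}"))
    return findings


if __name__ == "__main__":
    for line, reason in audit_otl(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Run against a full OTL.txt, the same function lists exactly the entries a helper would paste into the :OTL section of a fix, which makes it a useful sanity check before trusting an unfamiliar script.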
gshantz

  • Guest
Re: Much grief after upgrading!
« Reply #9 on: June 30, 2012, 11:38:24 PM »
To copy the custom fix data, I'm guessing you mean what's in the grey box with lots of text. (The text in the screen shot can't be copied.) It looks like text from the file I sent you.
Thanks.

Offline essexboy

Re: Much grief after upgrading!
« Reply #10 on: June 30, 2012, 11:41:52 PM »
That is correct, the script in the grey box. I think I will remove it from my explanatory screenshot as I see that it can be confusing.

Offline essexboy

Re: Much grief after upgrading!
« Reply #11 on: June 30, 2012, 11:47:42 PM »
Updated the screenshot, it should be more understandable now.

gshantz

  • Guest
Re: Much grief after upgrading!
« Reply #12 on: July 01, 2012, 12:20:21 AM »
OK. Program ran fine. Needed to reboot to finish fixing. On reboot, it clearly was finishing up some things and left a txt message of files removed etc.  Some comments I noted were that a reboot again was necessary to complete.

Question is, should I reboot again before rerunning OTL?
My gut says yes, but things have gone too well to screw up now.

Oh yes, I noticed one of the files removed was the host file. Will that be restored, or do I need to salvage parts of it?

Thanks.

gshantz

  • Guest
Re: Much grief after upgrading!
« Reply #13 on: July 01, 2012, 04:12:40 AM »
After a long wait, I went ahead and rebooted, then reran OTL. I noticed a lot of "file not found" places, but don't know how all that works out. I am under pressure to get some things done, and don't want to mess things up, but might go ahead and run the ComboFix.

I've attached the OTL.txt file.

gshantz

  • Guest
Re: Much grief after upgrading!
« Reply #14 on: July 01, 2012, 04:20:23 AM »
Oooops!  ComboFix won't run on Win XP 64. Only on 32 bit. Now what?