Author Topic: Avast Found 2 Infected Files  (Read 25627 times)

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Log
« Reply #15 on: August 10, 2012, 03:26:18 AM »
For Step 3, is that for any and all flash drives I own?

Explanation: USB storage devices are all the USB devices that get their own partition letter when connected to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.

--------------------------
Here's the Log I got after running ComboFix.


1. Open notepad and copy/paste the text present inside the code box below:


>>
Code: [Select]
KillAll::

Reboot::

File::
c:\windows\svchost.exe

ClearJavaCache::

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_270_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_270_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)


Save this as CFScript.txt



Close all browser windows.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt )


***********************
2.

    Re-run Malwarebytes, select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • Please save the log to a location you will remember ( desktop for example ).
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the entire report in your next reply.
    Extra Note:

    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


    ******************
    3.
    Attach here AllScans.txt from MCShield.

    brinojos

    • Guest
    Logs
    « Reply #16 on: August 10, 2012, 04:45:37 AM »
    Report from ComboFix, Malware, and MCShield


    Malwarebytes Anti-Malware 1.62.0.1300
    www.malwarebytes.org

    Database version: v2012.08.09.08

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    Sabrina :: SABRINA-PC [administrator]

    8/9/2012 9:19:00 PM
    mbam-log-2012-08-09 (21-19-00).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 194660
    Time elapsed: 3 minute(s), 31 second(s)

    Memory Processes Detected: 1
    C:\Windows\svchost.exe (Trojan.Agent) -> 4768 -> Delete on reboot.

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 1
    C:\Windows\svchost.exe (Trojan.Agent) -> Delete on reboot.

    (end)



    >>> MCShield AllScans.txt <<<



    >>> MCShield v 2.1.4.13 / DB: 2012.8.6.1 <<<


    8/9/2012 10:28:16 PM > Drive C: - scan started (OS ~195 GB, NTFS HDD )...



    => The drive is clean.


    8/9/2012 10:28:16 PM > Drive D: - scan started (Data ~245 GB, NTFS HDD )...



    => The drive is clean.





    >>> MCShield v 2.1.4.13 / DB: 2012.8.6.1 <<<


    8/9/2012 10:31:55 PM > Drive G: - scan started (no label ~7595 MB, FAT32 flash drive )...



    => The drive is clean.





    >>> MCShield v 2.1.4.13 / DB: 2012.8.6.1 <<<


    8/9/2012 10:31:55 PM > Drive H: - scan started (XTRA PDN ~1887 MB, FAT32 flash drive )...



    => The drive is clean.





    >>> MCShield v 2.1.4.13 / DB: 2012.8.6.1 <<<


    8/9/2012 10:32:28 PM > Drive G: - scan started (no label ~7595 MB, FAT32 flash drive )...



    => The drive is clean.





    >>> MCShield v 2.1.4.13 / DB: 2012.8.6.1 <<<


    8/9/2012 10:32:29 PM > Drive H: - scan started (XTRA PDN ~1887 MB, FAT32 flash drive )...



    => The drive is clean.





    >>> MCShield v 2.1.4.13 / DB: 2012.8.6.1 <<<


    8/9/2012 10:32:53 PM > Drive F: - scan started (BLACKBERRY2 ~7574 MB, FAT32 flash drive )...



    => The drive is clean.





    >>> MCShield v 2.1.4.13 / DB: 2012.8.6.1 <<<


    8/9/2012 10:33:52 PM > Drive F: - scan started (no label ~1699 MB, FAT flash drive )...



    => The drive is clean.





    >>> MCShield v 2.1.4.13 / DB: 2012.8.6.1 <<<


    8/9/2012 10:34:54 PM > Drive C: - scan started (OS ~195 GB, NTFS HDD )...



    => The drive is clean.


    8/9/2012 10:34:54 PM > Drive D: - scan started (Data ~245 GB, NTFS HDD )...



    => The drive is clean.





    >>> MCShield v 2.1.4.13 / DB: 2012.8.6.1 <<<


    8/9/2012 10:35:09 PM > Drive F: - scan started (no label ~1699 MB, FAT flash drive )...



    => The drive is clean.





    >>> MCShield v 2.1.4.13 / DB: 2012.8.6.1 <<<


    8/9/2012 10:35:42 PM > Drive F: - scan started (BLACKBERRY2 ~7574 MB, FAT32 flash drive )...



    => The drive is clean.
    « Last Edit: August 10, 2012, 05:41:58 AM by brinojos »
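
Added example, not written by anyone in this thread: the Malwarebytes report above flags `C:\Windows\svchost.exe`, while the genuine Windows `svchost.exe` lives in `C:\Windows\System32` (and `SysWOW64` on 64-bit systems), so a system-binary name in any other folder is a useful triage signal. The sketch below parses detection lines in the format shown in that report and flags such paths; the sample lines are constructed from the report (the last one is invented to show the negative case), and the binary list and function names are assumptions.

```python
import re
from ntpath import basename, dirname, normpath

# Assumption: a short illustrative list of Windows binaries whose genuine
# copies live only in System32 / SysWOW64.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "services.exe",
                   "csrss.exe", "winlogon.exe"}
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Section header, e.g. "Files Detected: 1"
SECTION = re.compile(r"^\s*(?P<section>[A-Za-z ]+) Detected:\s*(?P<count>\d+)\s*$")
# Detection line: "<path> (<detection name>) -> [<pid> -> ]<action>"
DETECTION = re.compile(
    r"^\s*(?P<path>[A-Za-z]:\\.+?)\s+\((?P<name>[^)]+)\)\s+->\s+"
    r"(?:(?P<pid>\d+)\s+->\s+)?(?P<action>.+?)\s*$"
)

# Constructed sample, abbreviated from the report posted above.
SAMPLE_LOG = r"""
Memory Processes Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) -> 4768 -> Delete on reboot.

Registry Keys Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Windows\svchost.exe (Trojan.Agent) -> Delete on reboot.
C:\Windows\System32\svchost.exe (Constructed.Example) -> No action taken.
"""


def parse_mbam_log(text):
    """Return detections as dicts: section, path, name, pid, action."""
    detections, section = [], None
    for line in text.splitlines():
        header = SECTION.match(line)
        if header:
            section = header.group("section")
            continue
        hit = DETECTION.match(line)
        if hit and section:
            entry = hit.groupdict()
            entry["section"] = section
            entry["pid"] = int(entry["pid"]) if entry["pid"] else None
            detections.append(entry)
    return detections


def is_masquerading(path):
    """True if a system-binary name sits outside its legitimate folders."""
    p = normpath(path).lower()
    return basename(p) in SYSTEM_BINARIES and dirname(p) not in LEGIT_DIRS


def triage(text):
    """Sorted unique detected paths that look like system-binary masquerading."""
    return sorted({d["path"] for d in parse_mbam_log(text)
                   if is_masquerading(d["path"])})


if __name__ == "__main__":
    for path in triage(SAMPLE_LOG):
        print("system binary name outside System32:", path)
```
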

    Offline magna86

    Re: Avast Found 2 Infected Files
    « Reply #17 on: August 10, 2012, 10:57:04 AM »
      Multiple Antivirus Programs

      You are running more than 1 Antivirus program!


      AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
      AV: Trend Micro Titanium Internet Security *Disabled/Updated* {68F968AC-2AA0-091D-848C-803E83E35902}



      Running - more than one - antivirus program is not recommended because:
      • They can conflict with each other.
      • Report the other antivirus software as malicious.
      • Antivirus programs use an enormous amount of computer's resources... actively scanning your computer.
      • Can cause your computer to become unstable...run slowly and even, in rare cases, BSOD crash...etc
      I strongly suggest you uninstall one of them.  Which one, is your decision.
      *********************************

      We have one stubborn malware file...

      • Please download BlitzBlank by emsisoft and save it to your desktop.

      • Open Blitzblank.exe by double-clicking on it.

      • Click OK at the warning (and take note of it, this is a VERY powerful tool!).

      • Click the Script tab and copy/paste the following text there:



      Code: [Select]

      DeleteFile:
      c:\windows\svchost.exe

      • Click Execute Now. Your computer will need to reboot in order to replace the files.
      • When done, post me the report created by Blitzblank. You can find it at the root of the drive C:\

      ******************



      > Re-run Combofix and attach here fresh Combofix.txt
      « Last Edit: August 10, 2012, 10:59:49 AM by magna86 »

      brinojos

      • Guest
      Re: Avast Found 2 Infected Files
      « Reply #18 on: August 10, 2012, 08:15:40 PM »
      Wow, I didn't know I was running 2 antivirus programs. I only recall installing Avast.
      « Last Edit: August 10, 2012, 08:46:56 PM by brinojos »

      Offline magna86

      Re: Avast Found 2 Infected Files
      « Reply #19 on: August 11, 2012, 05:50:27 PM »
      Sorry, I forgot about you  :(

      Logs look good. How is your computer running now?

      brinojos

      • Guest
      Re: Avast Found 2 Infected Files
      « Reply #20 on: August 11, 2012, 09:11:57 PM »
      It hasn't frozen on me, but I'm still getting the Avast pop-ups every few seconds. Also, when I start my laptop, it usually asks me if I want to start on Safe Mode.

      Offline magna86

      Re: Avast Found 2 Infected Files
      « Reply #21 on: August 11, 2012, 09:32:35 PM »
      It hasn't frozen on me, but I'm still getting the Avast pop-ups every few seconds. Also, when I start my laptop, it usually asks me if I want to start on Safe Mode.


      ***********************

      Step1



      Download TDSSKiller and save it to your desktop.

      • Execute TDSSKiller.exe by double-clicking on it.
      • Press Start Scan.
      • If Suspicious object is detected, the default action will be Skip, click on Continue.
      • If Malicious objects are found, select Cure.
      Once complete, a log will be produced at the root drive, which is typically C:\, for example, C:\TDSSKiller.<version_date_time>log.txt


      Please post the contents of that log in your next reply.

      ***********************


      Step2

      Delete current and download fresh Combofix.

      Disable your antivirus and re-run Combofix. Attach here fresh Combofix.txt

      brinojos

      • Guest
      Logs
      « Reply #22 on: August 12, 2012, 07:44:44 AM »
      Even though I had deleted the Trend antivirus program, it's still there. Also, am I supposed to delete all the programs I had to download to remove the virus?
      « Last Edit: August 12, 2012, 08:13:16 AM by brinojos »

      Offline magna86

      Re: Avast Found 2 Infected Files
      « Reply #23 on: August 12, 2012, 02:23:41 PM »
        Multiple Antivirus Programs

        You are running more than 1 Antivirus program!


        AV: avast! Antivirus
        AV: Trend Micro Titanium Internet Security



        Running - more than one - antivirus program is not recommended because:
        • They can conflict with each other.
        • Report the other antivirus software as malicious.
        • Antivirus programs use an enormous amount of computer's resources... actively scanning your computer.
        • Can cause your computer to become unstable...run slowly and even, in rare cases, BSOD crash...etc
        I strongly suggest you uninstall one of them. 

        http://singularlabs.com/uninstallers/security-software/
        Which one, is your decision.

        **************************


        • Re-run TDSSKiller.exe and click on Change parameters.
        • Under Additional options check the boxes next to Verify Driver Digital Signature and Detect TDLFS file system, then click OK
        • Click on Start Scan.
        • If an infected file is detected, the default action will be Cure, click on
        • If a suspicious file is detected, the default action will be Skip, click on Continue.
        • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
        • Click the Report button and copy/paste the contents of it into your next reply
        Note: It will also create a log in the C:\ directory.



        ************************



        - avast antivirus needs to be disabled as instructed above!


        Open notepad and copy/paste the text present inside the code box below:


        Code: [Select]
        ClearJavaCache::

        RegLock::
        [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
        @Denied: (A 2) (Everyone)
        @="FlashBroker"
        "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_270_ActiveX.exe,-101"
        .
        [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
        "Enabled"=dword:00000001
        .
        [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
        @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_270_ActiveX.exe"
        .
        [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
        @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
        .
        [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
        @Denied: (A 2) (Everyone)
        @="Shockwave Flash Object"
        .
        [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
        @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx"
        "ThreadingModel"="Apartment"
        .
        [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
        @="0"
        .
        [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
        @="ShockwaveFlash.ShockwaveFlash.11"
        .
        [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
        @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx, 1"
        .
        [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
        @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
        .
        [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
        @="1.0"
        .
        [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
        @="ShockwaveFlash.ShockwaveFlash"
        .
        [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
        @Denied: (A 2) (Everyone)
        @="Macromedia Flash Factory Object"
        .
        [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
        @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx"
        "ThreadingModel"="Apartment"
        .
        [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
        @="FlashFactory.FlashFactory.1"
        .
        [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
        @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx, 1"
        .
        [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
        @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
        .
        [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
        @="1.0"
        .
        [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
        @="FlashFactory.FlashFactory"
        .
        [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
        @Denied: (A 2) (Everyone)
        @="IFlashBroker4"
        .
        [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
        @="{00020424-0000-0000-C000-000000000046}"
        .
        [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
        @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
        "Version"="1.0"
        .
        [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
        @Denied: (A) (Everyone)
        "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
        .
        [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
        @Denied: (A) (Everyone)
        .
        [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
        "Key"="ActionsPane3"
        "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
        .
        [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
        @Denied: (Full) (Everyone)
        .


        Save this as CFScript.txt



        Close all browser windows.

        Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
        ComboFix will re-run. When finished, it will produce a log for you.
        Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt )

        brinojos

        • Guest
        Logs
        « Reply #24 on: August 12, 2012, 09:10:03 PM »
        -I deleted Trend Micro antivirus.
        -Here is the Log for TDSSKiller and ComboFix
        « Last Edit: August 12, 2012, 09:38:58 PM by brinojos »

        Offline magna86

        Re: Avast Found 2 Infected Files
        « Reply #25 on: August 13, 2012, 02:28:53 AM »
        Hi,

        Re-run TDSSKiller as you did before (with changed parameters) and use the Delete option for this entry

        \Device\Harddisk0\DR0 ( TDSS File System )



        >> How is your computer running now?




        brinojos

        • Guest
        Re: Avast Found 2 Infected Files
        « Reply #26 on: August 13, 2012, 07:42:44 AM »
        My computer is running pretty great right now. Thanks so much for the help. :D I deleted the file you asked me to, but I accidentally clicked the scan button again right after it was done with the first one. I will try attaching the report, but it keeps saying it's too large.

        Offline magna86

        Re: Avast Found 2 Infected Files
        « Reply #27 on: August 13, 2012, 01:00:50 PM »
        Ok. Tell me, how is your computer running now?

        brinojos

        • Guest
        Re: Avast Found 2 Infected Files
        « Reply #28 on: August 13, 2012, 09:08:38 PM »
        It's running great, thank you  ;D I thought I was gonna have to spend almost $300 dollars to get it fixed. I haven't had any pop-ups and my computer no longer asks to start in Safe Mode.

        Offline magna86

        Re: Avast Found 2 Infected Files
        « Reply #29 on: August 14, 2012, 01:48:59 AM »
        I see that I have repeated myself a few times ( ;D) sorry for that, I had a lot of work so...  ;)


        We are done here.

        It is necessary to uninstall the ComboFix :
        • Click Start (or ) then Run.


          On Windows7 or Vista you may use Start Search field if Run is not available.

        • In the line of text type in (Copy) the following:
        Code: [Select]
        ComboFix /Uninstall
          Note that there is a space between " ComboFix " and " /Uninstall " .

          • then click OK (or press Enter ).
          Wait until the uninstall process is complete.


          >> Re run OTL and click on CleanUp! button  ;)