Author Topic: Colexity77 espeak911 37.220.36.44 virus on Win XP Pro SP3  (Read 9368 times)


Turboed72

  • Guest
Colexity77 espeak911 37.220.36.44 virus on Win XP Pro SP3
« on: August 18, 2012, 12:47:21 AM »
I appear to have Colexity77 and Espeak911 virus on my Windows XP Pro Sp3 machine.  I was unable to even
register for this forum on that machine.  It prevented the Verification step from showing the prompt I had to spit back.
I'm also unable to do Windows Update to pick up the latest security patches.

What do I need to do to get rid of this virus?  I see that others have been asked to attach logs from Malware Bytes.  I don't
have that tool.  Is there some other that I can use to get you the info you need?

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Colexity77 espeak911 37.220.36.44 virus on Win XP Pro SP3
« Reply #1 on: August 18, 2012, 01:04:40 AM »
Hi,


Please download Malwarebytes Anti-Malware from here.
Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember ( desktop for example ).
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


--------------------

Download OTL from one of the following links:
Remember to save it on your Desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Click on Scan All Users
     
  • Paste this into Custom Scans/Fixes box at the bottom

Code:

netsvcs
drives
%SYSTEMDRIVE%\*.exe
/md5start
services.*
svchost.*
/md5stop
CREATERESTOREPOINT

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
           
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
               
    • Please attach them in this thread.
---------------------



Please download aswMBR and save it to your desktop.

Double click aswMBR.exe to start the tool. Select Yes if prompted to download the Avast database.
  • Click Scan
     
  • Upon completion of the scan ( Scan finished successfully ) click Save log and save it to your desktop, and post that log in your next reply for review.
    Note: do NOT attempt any Fix yet.
     
  • You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well.

Turboed72

  • Guest
Re: Colexity77 espeak911 37.220.36.44 virus on Win XP Pro SP3
« Reply #2 on: August 18, 2012, 03:25:32 AM »
OK,  I ran the Malware Bytes and nothing was found.  Here is the log:

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.17.08

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Chuck :: DELL [administrator]

8/17/2012 5:39:04 PM
mbam-log-2012-08-17 (17-39-04).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 226427
Time elapsed: 22 minute(s), 12 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


I then downloaded OTL from Link 1, Clicked on all users, pasted your parameters into the box and started the Scan.  It ran for several minutes and then the machine blue screened.

Here is what I copied from the blue screen:

0x000000Ca (0x00000005, 0x8b104d98, 0x00000000, 0x00000000)

Do you want me to go ahead with the aswMBR step??????

Turboed72

  • Guest
Re: Colexity77 espeak911 37.220.36.44 virus on Win XP Pro SP3
« Reply #3 on: August 18, 2012, 04:30:14 AM »
I decided to run the aswMBR scan anyway.  Attached is the log file.

If you give me some clue as to how to attach either the DAT or zipped DAT file ( neither are allowed file types
for attachments :'( ) I can send that along as well.........

Please let me know what the next step is.....  Turboed72

Turboed72

  • Guest
Re: Colexity77 espeak911 37.220.36.44 virus on Win XP Pro SP3
« Reply #4 on: August 18, 2012, 02:30:01 PM »
Not sure why the log file I attached is empty but here is another try to send it.

Offline magna86

Re: Colexity77 espeak911 37.220.36.44 virus on Win XP Pro SP3
« Reply #5 on: August 18, 2012, 02:38:07 PM »
Where is OTL log?

About attachments, you need to save your logs as ANSI.
Please read ANSI part in this topic:
http://forum.avast.com/index.php?topic=53253.0


Turboed72

  • Guest
Re: Colexity77 espeak911 37.220.36.44 virus on Win XP Pro SP3
« Reply #6 on: August 18, 2012, 04:05:00 PM »
If you read my post it says that OTL resulted in a BLUE SCREEN HALT of my machine

I tried it a second time and SAME RESULT...

Here is what was in the blue screen msg:

Here is what I copied from the blue screen:

0x000000Ca (0x00000005, 0x8b104d98, 0x00000000, 0x00000000)




What is my next step????

Offline magna86

Re: Colexity77 espeak911 37.220.36.44 virus on Win XP Pro SP3
« Reply #7 on: August 18, 2012, 04:23:49 PM »
Hm...ok.

Step 1.0
This way we will check what causes the BSOD.


Download WhoCrashed from here:
http://www.resplendence.com/download/whocrashedSetup.exe

This program will try to verify the analysis, which is the cause of driver error.
Note: This program requires installation.



Double-click to start the installation, and click Next.
  • Check I accept the agreement and then click Next.
    The program will install to the location, and under the name, that the installer offers.
  • Click Next and in the next window, click Next.
  • Check Create a Desktop Icon and then click Next and then Install.



    After you've installed WhoCrashed program, run it.

    Note: If you get a message that looks like this:



    Click Download the requested file from the Microsoft site now and wait for the process to
    download additional files and installation is complete.





    >> When the program starts, click Analyze.
    When scanning is done, click OK.

  • Right-click on the area of the page with the report and select Select All.
  • Right-click on the area of the page with the report and select Copy.
  • Open a new Notepad and select Paste to copy the contents of the log into Notepad.
Now you can close the program.

Please attach the Notepad file with that log report here.

----------------------------------------------------------




Let's search for malware this way...

Step 2.1

Download DDS and save it to your Desktop from here:
http://download.bleepingcomputer.com/sUBs/dds.scr

Double click dds to run the tool.

    * When done, DDS will open two (2) logs:
        1. DDS.txt
        2. Attach.txt

Save both reports to your desktop. Attach DDS.txt and Attach.txt back to the topic.


*********************
Try this one too...
Step 2.2


Download TDSSKiller  and save it to your desktop

    Execute TDSSKiller.exe by double-clicking on it.

  •     Press Start Scan

     
  •   If Suspicious object is detected, the default action will be Skip, click on Continue.
     
  •   If Malicious objects are found, select Cure.
Once complete, a log will be produced at the root drive, which is typically C:\, for example C:\TDSSKiller.<version_date_time>log.txt


Please post the contents of that log in your next reply.


*********************
Try this one too...


Download AVZ Antiviral Toolkit from the following link:

http://support.kaspersky.com/downloads/utils/avz4.zip

  • Extract the archive to a folder.
  • Run AVZ (double click on icon);

  • Click on File > Scripts Standard ;

  • In the window that opens check options 2 and click Execute Selected Scripts;

  • Click Yes ;

  • When scan is finished you will get a note: Script Executed ;

  • Exit the program.
Attach file virusinfo_syscheck.zip contained in folder AVZ \ Log on the forum.
« Last Edit: August 18, 2012, 04:26:04 PM by magna86 »

Turboed72

  • Guest
Re: Colexity77 espeak911 37.220.36.44 virus on Win XP Pro SP3
« Reply #8 on: August 18, 2012, 11:30:39 PM »
Who Crashed ran successfully.  First attachment is the log from that.

----------------------------------------------------------------------------------------------

DDS ran successfully.  Second and third attachment are DDS.txt and Attach.txt respectively.

----------------------------------------------------------------------------------------------------

TDSKILLER ran successfully.  It found a RootKit and it was cured.  When the system rebooted the AVAST messages
I had been receiving about averted threats STOPPED completely.  The 4th attachment is the first log from TDS Killer.

I need to open another  message back to you to get the rest of the info.

Thanks  Turboed72.  More to come in next message.


Turboed72

  • Guest
Re: Colexity77 espeak911 37.220.36.44 virus on Win XP Pro SP3
« Reply #9 on: August 18, 2012, 11:39:38 PM »
Here is the second log from TDSKILLER from after the reboot.  First attachment to this post.

--------------------------------------------------------------------------------------------------

I ran the AVZ Antiviral Toolkit as requested.  It appeared to be successful.

I'm still lost on how to get Zipped files to you.  I read the section you referred me to but I still don't get it.
Sorry I'll reread it again until I hear back from you.

Any help gratefully accepted.

What is my next step???


Thanks  Turboed72

Offline magna86

Re: Colexity77 espeak911 37.220.36.44 virus on Win XP Pro SP3
« Reply #10 on: August 18, 2012, 11:41:10 PM »
    Ok, things are clearer now...  ;D


Multiple Antivirus Programs

You are running more than 1 Antivirus program!


AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}



Running - more than one - antivirus program is not recommended because:
  • They can conflict with each other.
  • Report the other antivirus software as malicious.
  • Antivirus programs use an enormous amount of computer's resources... actively scanning your computer.
  • Can cause your computer to become unstable...run slowly and even, in rare cases, BSOD crash...etc
I strongly suggest you uninstall one of them.  Which one, is your decision.

I recommend that you remove AVG because its protection cannot be disabled for more than 15 minutes and therefore may interfere with my tools.
Then download the uninstaller tool for the AV you uninstalled and remove leftovers:
http://singularlabs.com/uninstallers/security-software/

------------------------------------------------


If your Malwarebytes has real-time protection, please temporarily disable that.


-------------------------------------------------



  • Re-run TDSSKiller.exe and click on Change parameters.
  • Under Additional options check the boxes next to Verify Driver Digital Signature and Detect TDLFS file system, then click OK
  • Click on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • Click the Report button and copy/paste the contents of it into your next reply
Note: It will also create a log in the C:\ directory.



***********************


Re-run DDS and attach a fresh DDS.txt log here.
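
An added example, not part of the original thread or of any tool mentioned in it: a small Python check that reads AV: lines of the form quoted in Reply #10 and flags when more than one antivirus product is reported as enabled. The first two sample lines are copied from the reply; the remaining sample lines, the Disabled/Outdated state and all function names are constructed for illustration.

```python
import re

# Matches lines of the form quoted in the reply above:
#   AV: <product name> *<state>/<definitions>* {<GUID>}
AV_LINE = re.compile(
    r"^AV:\s*(?P<name>.+?)\s*\*(?P<state>[^/*]+)/(?P<defs>[^*]+)\*\s*"
    r"\{(?P<guid>[0-9A-Fa-f-]{36})\}\s*$"
)


def parse_av_entries(log_text):
    """Return one dict per well-formed AV: line, de-duplicated by GUID."""
    entries = {}
    for line in log_text.splitlines():
        m = AV_LINE.match(line.strip())
        if m:
            entry = m.groupdict()
            # The same product can be listed twice; keep one record per GUID.
            entries[entry["guid"].upper()] = entry
    return list(entries.values())


def enabled_products(entries):
    """Names of products whose state field reads 'Enabled' (case-insensitive)."""
    return [e["name"] for e in entries if e["state"].strip().lower() == "enabled"]


def has_av_conflict(log_text):
    """True when more than one antivirus product is reported as enabled."""
    return len(enabled_products(parse_av_entries(log_text))) > 1


# First two lines are the ones quoted in the thread; the rest is constructed.
SAMPLE_LOG = """\
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Example Scanner *Disabled/Outdated* {00000000-0000-0000-0000-000000000000}
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: this line is not an AV entry and is ignored
"""

if __name__ == "__main__":
    for e in parse_av_entries(SAMPLE_LOG):
        print(f"{e['name']:40} {e['state']}/{e['defs']}")
    print("conflict:", has_av_conflict(SAMPLE_LOG))
```
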

Turboed72

  • Guest
Re: Colexity77 espeak911 37.220.36.44 virus on Win XP Pro SP3
« Reply #11 on: August 19, 2012, 12:25:11 AM »
OK.  I removed AVG AV as suggested.  I ran the cleanup for AVG AV.  Both seemed successful

My MalwareBytes does NOT have the license applied to it as yet so it should not be getting in the way.

I do have a license for the real time protection and once I get the machine cleaned up I was thinking about activating the license.

Will Malware Bytes conflict with AVAST antivirus???

I am VERY impressed with the service from AVAST and will be purchasing it for my other machine based on the help you have provided me...




-----------------------------------------------------------------------------------------------------------------------------

I reran TDSKILLER as requested.  It found a series of unsigned items.  The first attachment is the report from that scan.

I was NOT prompted to reboot.

I await my next step from you........

Thanks,  Turboed72

Offline magna86

Re: Colexity77 espeak911 37.220.36.44 virus on Win XP Pro SP3
« Reply #12 on: August 19, 2012, 01:45:52 AM »


I do have a license for the real time protection and once I get the machine cleaned up I was thinking about activating the license.

Will Malware Bytes conflict with AVAST antivirus???

Yes, you do that. ;) But when we finish cleaning. Malwarebytes is powerful antimalware software so there will be no conflict between them.


------------------------



Please re-run TDSSKiller as before (with Change parameters) and use the Delete option for this entry:

utmwmta3 ( UnsignedFile.Multi.Generic )
\Device\Harddisk0\DR0 ( TDSS File System )



*********************


Then try to run Combofix.





> Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.

> Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this Instruction.

How to disable avast:

  • Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
  • In the window that opens on the top right corner, click Settings.
  • In a new window that opens, choose the option Troubleshooting, Uncheck Enable avast! self-defense, and click OK.

  • Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls .
  • In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.
Note: Do not forget to turn on this option after the cleaning.



> Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.

ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.

If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note: Do not mouse-click Combofix's window while it is running.


> When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt )
  Attach log reports ( ComboFix.txt) back to topic.




Turboed72

  • Guest
Re: Colexity77 espeak911 37.220.36.44 virus on Win XP Pro SP3
« Reply #13 on: August 19, 2012, 04:58:35 AM »
OK I reran the TDSSKiller as requested with the DELETE option.
Rebooted as requested,  Log was created for both before and after the reboot.
Logs for the before boot is attached.  Need to send a second one separately because the two exceed the 192K limit.

----------------------------------------------------------------------------------

I followed your directions to disable AVAST.  Downloaded the COMBOFIX and started it.  It did its thing for about 30 seconds or so and then put up a message that it had detected AVG Free AV  2012 and that I needed to disable it. I aborted combofix.
I checked in Control Panel and AVG is not installed.  I reran the Singularlabs tool for AVG several times (says may need to be run more than once).  Window that opens while the tool runs scrolls stuff by and closes the window so fast I am unable to see what happened,

I'm looking for direction from you on continuing the combofix.

Thanks  Turboed72

I retried Combofix and it STILL says it found the AVG Realtime scanners to be active.  Further says that if I click to
continue results could be unpredictable and/or the machine could be damaged.  I

Turboed72

  • Guest
Re: Colexity77 espeak911 37.220.36.44 virus on Win XP Pro SP3
« Reply #14 on: August 19, 2012, 04:59:50 AM »
Here is the after boot log from TDSSKiller.