Root kit or virus?

[Brian Bunney]

Is there a less tedious way to post logs?

[Brian Bunney]

I'm sorry. How do I attach the file. I only see options for attaching image file, hyperlink or FTP.

[essexboy]

There are instructions here about a third the way down http://forum.avast.com/index.php?topic=53253.0

[Brian Bunney]

Sorry; don't know how I missed that.

Files are attached here:

[essexboy]

Nothing major showing there, but I will check deeper

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  
  

Code: [Select]

:OTL
IE:64bit: - HKLM\..\SearchScopes\{B7971660-A1CE-4FDD-B9E0-2C37D77AFB0B}: "URL" = http://searchfunmoods.com/results.php?f=4&q={searchTerms}&a=download&chnl=download&cd=2XzuyEtN2Y1L1QzutDtDyDtDyDyC0CtDtDtDtDzz0E0EtD0AtN0D0Tzu0CtBzzzytN1L2XzutBtFtBtFtDtFtAyEyE&cr=489756232
IE - HKLM\..\URLSearchHook: {d5f7c10d-2f86-4e99-90da-25f8b0400992} - C:\Program Files (x86)\Mapit_1\prxtbMapi.dll (Conduit Ltd.)
IE - HKLM\..\SearchScopes,DefaultScope = {B7971660-A1CE-4FDD-B9E0-2C37D77AFB0B}
IE - HKLM\..\SearchScopes\{B7971660-A1CE-4FDD-B9E0-2C37D77AFB0B}: "URL" = http://searchfunmoods.com/results.php?f=4&q={searchTerms}&a=download&chnl=download&cd=2XzuyEtN2Y1L1QzutDtDyDtDyDyC0CtDtDtDtDzz0E0EtD0AtN0D0Tzu0CtBzzzytN1L2XzutBtFtBtFtDtFtAyEyE&cr=489756232
IE - HKU\S-1-5-21-2136029548-1328334061-613265227-1001\..\URLSearchHook: {d5f7c10d-2f86-4e99-90da-25f8b0400992} - C:\Program Files (x86)\Mapit_1\prxtbMapi.dll (Conduit Ltd.)
IE - HKU\S-1-5-21-2136029548-1328334061-613265227-1001\..\SearchScopes\{B7971660-A1CE-4FDD-B9E0-2C37D77AFB0B}: "URL" = http://searchfunmoods.com/results.php?f=4&q={searchTerms}&a=download&chnl=download&cd=2XzuyEtN2Y1L1QzutDtDyDtDyDyC0CtDtDtDtDzz0E0EtD0AtN0D0Tzu0CtBzzzytN1L2XzutBtFtBtFtDtFtAyEyE&cr=489756232
O2:64bit: - BHO: (no name) - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - No CLSID value found.
O2:64bit: - BHO: (no name) - {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - No CLSID value found.
O2 - BHO: (no name) - {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - No CLSID value found.
O3 - HKU\S-1-5-21-2136029548-1328334061-613265227-1001\..\Toolbar\WebBrowser: (no name) - {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No CLSID value found.

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1
Link 2
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

• Double click on ComboFix.exe & follow the prompts.
  
• Accept the disclaimer and allow to update if it asks

• When finished, it shall produce a log for you.
• Please include the C:\ComboFix.txt in your next reply.[/b]
  

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3.  If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.


Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

[Brian Bunney]

The log from the OTL Quick Scan is attached.

No apparent change in behavior of computer except that a disk check ran at bootup.

I will now dl ComboFix and run it.

[Brian Bunney]

Log from ComboFix.exe is attached.

No improvement to PC. In fact, Internet Explorer loads but does not bring up any webpages.

[essexboy]

I am still seeing no apparent malware.  We can try a windows repair tool next followed by uninstalling / reinstalling Avast 

Download  Windows Repair (all in one)  from this site

Install the programme then run



Go to step 3 and allow it to run SFC



On the start repairs tab click start


Select the following  items and tick restart system when finished


THEN

Lets reinstall Avast

Download Uninstall Utility to your Desktop.
Download the correct version of Avast 
http://files.avast.com/iavs5x/avast_free_antivirus_setup.exe
http://files.avast.com/iavs5x/avast_pro_antivirus_setup.exe
http://files.avast.com/iavs5x/avast_internet_security_setup.exe
http://files.avast.com/iavs5x/avast_premier_antivirus_setup.exe
Disconnect from the net
Uninstall Avast via control panel

• Run aswClear
• It will offer to reboot to safe mode .. Accept that

• Once it has rebooted to safe mode
• In the Select Product to Uninstall dropdown choose the version of Avast that is on your system.
  
• Press Uninstall
  
• Once complete reboot your system to Normal Mode
  
• Reinstall Avast

----------

[Brian Bunney]

Have run Windows Repair.

Ran aswClear.

Reinstalled Avast.

Ran Quick Scan, Full Scan and Boot time scan; no obvious virus.

I still cannot read CDs or see USB devices.

[essexboy]

Could you run the relevant MS fixit on this page http://support.microsoft.com/kb/330140

Method 1: Run the automated troubleshooter for your version of Windows:
For Windows 7 users:

Open the Hardware and Devices troubleshooter by clicking the Start button Picture of the Start button, and then clicking Control Panel.
In the search box, type troubleshooter, and then click Troubleshooting.
Under Hardware and Sound, click Configure a device.‌
Administrator permission required If you're prompted for an administrator password or confirmation, type the password or provide confirmation.

[Brian Bunney]

Thanks for your assistance essexboy. It is very much appreciated.

I will have to put this on hold for a week or so as I am away from the affected computer. I will follow your suggestion as soon as I return and let you know the result. I hope we can keep this thread open while I am away.

Thanks again.

[essexboy]

Yep no problem:)

[Brian Bunney]

I ran the troubleshooter. It identified a missing driver for my HP printer. Other than that, no additional messages or fixes.

[essexboy]

Could you go to control panel > device manager and let me know if there are any yellow triangles

[Brian Bunney]

There are yellow triangles next to the entries for the HP C309a series printer under "Other devices". Those are the only ones. I haven't worried about the printer drivers yet.

I still cannot read USB jumpdrives when plugged into the USB ports plugged into the MB. When USB drives are plugged in they do not register in Win Explorer. I have a PCI card to provide 2 USB 3.0 ports and I can read USB sticks plugged into those ports.

Regarding the CD/DVD drive, it shows up in Win Explorer but I cannot read any media. With a known good media inserted, clicking on the drive in Win Explorer opens the drive tray. I have confirmed that the CD/DVD drive is setup in BIOS to boot from however the media (factory Win 7) is not recognized and the system continues on and boots from Harddrive.

I have again run a complete set of scans using Avast IS. Nothing shows up.

Thanks.