Topic: Avast! doesn't remove a rootkit file


CUPIC

  • Guest
Avast! doesn't remove a rootkit file
« on: January 22, 2011, 02:01:32 AM »
Hello to everybody, I'm new here and I'm looking for help.

First of all, sorry, my English is a disaster.

Last night I used Avast! AV to scan my computer and it found an infected ROOTKIT file at

C:\Windows\system32\drivers\fylwqx.sys

Since Avast! found it I have a "blue screen" and I can't access my user profile on Windows Vista.

Avast was not able to delete the infected file, and neither were some other AV programs (Avira, Spybot, AVG...). I have tried to remove the rootkit file manually but without success.

Now I'm using SAFE MODE with networking, but even in SAFE MODE the blue screen comes up frequently.


What do you think I should do?

Thank you!




Offline Rednose

  • Pirate Party Member
  • Avast Überevangelist
  • Massive Poster
  • *****
  • Posts: 3739
  • Bits of Freedom : https://www.bof.nl
    • Nederlandstalig Avast! forum
Re: Avast! doesn't remove a rootkit file
« Reply #1 on: January 22, 2011, 03:12:39 AM »
Hi CUPIC, welcome to the forum :)

I am sorry to hear you have so many problems. The best I can do for you is to PM essexboy. He is in charge of the "viruses and worms" section, and the most qualified person here to help you.

http://forum.avast.com/index.php?topic=53253.0

So please be patient, and wait for him to help you ;)

Greetz, Red.

« Last Edit: January 22, 2011, 03:51:03 AM by Rednose »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Avast! doesn't remove a rootkit file
« Reply #2 on: January 22, 2011, 01:48:08 PM »
Hi, this can be run from safe mode.

Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
c:\system volume information|_REGISTRY_MACHINE_SOFTWARE;true;true;true /FP
CREATERESTOREPOINT


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Attach both logs please

CUPIC

  • Guest
Re: Avast! doesn't remove a rootkit file
« Reply #3 on: January 23, 2011, 01:16:41 AM »
Thank you very much for your help!

I did exactly as you said, and here are the two files, OTL.txt and Extras.txt.

When you have extra time, please check them and see if there are any suspicious services.

Thanks again!

Best regards!

Offline essexboy
Re: Avast! doesn't remove a rootkit file
« Reply #4 on: January 23, 2011, 01:32:43 PM »
It looks like the infection came from a USB drive. Once ComboFix starts running, allow it to boot back to normal mode if possible.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

Code:
:OTL
DRV - [2010.07.12 04:34:02 | 000,054,112 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\avgfwd6x.sys -- (Avgfwfd)
FF - HKLM\software\mozilla\Firefox\Extensions\\m3ffxtbr@mywebsearch.com: C:\Program Files\MyWebSearch\bar\1.bin
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (no name) - {9CFACCB6-2F3F-4177-94EA-0D2B72D384C1} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O4 - HKU\S-1-5-21-4190731207-121853071-4191398483-1000..\Run: [futur] File not found
O33 - MountPoints2\{377dff67-a9de-11dd-bac3-001b383f358f}\Shell\AutoRun\command - "" = D:\fooool.exe
O33 - MountPoints2\{377dff67-a9de-11dd-bac3-001b383f358f}\Shell\explore\Command - "" = D:\fooool.exe
O33 - MountPoints2\{377dff67-a9de-11dd-bac3-001b383f358f}\Shell\open\Command - "" = D:\fooool.exe
O33 - MountPoints2\{39106cf0-ab35-11dd-9726-001b383f358f}\Shell\AutoRun\command - "" = D:\fooool.exe
O33 - MountPoints2\{39106cf0-ab35-11dd-9726-001b383f358f}\Shell\explore\Command - "" = D:\fooool.exe
O33 - MountPoints2\{39106cf0-ab35-11dd-9726-001b383f358f}\Shell\open\Command - "" = D:\fooool.exe
O33 - MountPoints2\{52b58a6f-ada5-11dd-bbed-001b383f358f}\Shell\AutoRun\command - "" = D:\fooool.exe
O33 - MountPoints2\{52b58a6f-ada5-11dd-bbed-001b383f358f}\Shell\explore\Command - "" = D:\fooool.exe
O33 - MountPoints2\{52b58a6f-ada5-11dd-bbed-001b383f358f}\Shell\open\Command - "" = D:\fooool.exe
O33 - MountPoints2\{cba4564c-d7e6-11dd-8f78-001b383f358f}\Shell\AutoRun\command - "" = D:\fooool.exe
O33 - MountPoints2\{cba4564c-d7e6-11dd-8f78-001b383f358f}\Shell\explore\Command - "" = D:\fooool.exe
O33 - MountPoints2\{cba4564c-d7e6-11dd-8f78-001b383f358f}\Shell\open\Command - "" = D:\fooool.exe
O33 - MountPoints2\{d9ba48f4-d8ac-11dd-b4b9-001b383f358f}\Shell\AutoRun\command - "" = G:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\windowsupdate.com
O33 - MountPoints2\{d9ba48f4-d8ac-11dd-b4b9-001b383f358f}\Shell\open\command - "" = G:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\windowsupdate.com
O33 - MountPoints2\{dc5d4ae4-dd57-11dd-a1db-001b383f358f}\Shell\AutoRun\command - "" = fooool.exe
O33 - MountPoints2\{dc5d4ae4-dd57-11dd-a1db-001b383f358f}\Shell\explore\Command - "" = fooool.exe
O33 - MountPoints2\{dc5d4ae4-dd57-11dd-a1db-001b383f358f}\Shell\open\Command - "" = fooool.exe
O33 - MountPoints2\{edb5e675-24ee-11e0-808a-da2f9059bcb9}\Shell\AutoRun\command - "" = D:\LANCE/srasli.exe
O33 - MountPoints2\{edb5e675-24ee-11e0-808a-da2f9059bcb9}\Shell\explore\command - "" = D:\LANCE/srasli.exe
O33 - MountPoints2\{edb5e675-24ee-11e0-808a-da2f9059bcb9}\Shell\open\command - "" = D:\LANCE/srasli.exe
O33 - MountPoints2\{f4da3995-caf2-11dd-b7aa-001b383f358f}\Shell\AutoRun\command - "" = fooool.exe
O33 - MountPoints2\{f4da3995-caf2-11dd-b7aa-001b383f358f}\Shell\explore\Command - "" = fooool.exe
O33 - MountPoints2\{f4da3995-caf2-11dd-b7aa-001b383f358f}\Shell\open\Command - "" = fooool.exe
[2010.10.23 04:13:24 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\AVG10
[2011.01.22 20:34:38 | 000,000,000 | ---- | M] ()(C:\Windows\System32\?????) -- C:\Windows\System32\?????
[2011.01.22 20:20:18 | 000,000,000 | ---- | C] ()(C:\Windows\System32\?????) -- C:\Windows\System32\?????

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN

Download ComboFix from one of these locations:


Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

CUPIC

  • Guest
Re: Avast! doesn't remove a rootkit file
« Reply #5 on: January 26, 2011, 04:50:35 AM »
First of all, thank you for your help.

I did everything as you said: I ran the OTL scanner but it stopped working while processing one file:
 
PROCESSING... PROO2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.

And it lasts for hours ...

Thank you for help!

Should I format my disc?
« Last Edit: January 26, 2011, 04:58:13 AM by CUPIC »

SafeSurf

  • Guest
Re: Avast! doesn't remove a rootkit file
« Reply #6 on: January 26, 2011, 09:00:25 AM »
CUPIC,

Hold off on formatting until essexboy gives you further instruction. He has other tools he can use to help you. He usually comes on the forum late UK time. Thank you.

CUPIC

  • Guest
Re: Avast! doesn't remove a rootkit file
« Reply #7 on: January 26, 2011, 06:29:10 PM »
OK, I'm very patient and thankful!

Offline essexboy
Re: Avast! doesn't remove a rootkit file
« Reply #8 on: January 26, 2011, 08:43:37 PM »
Continue straight to the ComboFix run now, please.

CUPIC

  • Guest
Re: Avast! doesn't remove a rootkit file
« Reply #9 on: January 31, 2011, 06:28:36 PM »
Thank you!

I downloaded ComboFix and ran it, although the program reported that I should download a newer version of it. I have not done so.

The file that caused the problems no longer exists!

That was the fylwqx.sys file in system32\drivers. And now I can access my user profile normally.

But I noticed one very strange service in the startup list in msconfig, called "futur". It did not exist before.

Should I turn off that service?

The LOG combofix file is attached.

THANK YOU SO MUCH!

Offline essexboy
Re: Avast! doesn't remove a rootkit file
« Reply #10 on: January 31, 2011, 07:18:25 PM »
Hi, you must let ComboFix update, otherwise it cannot do its job properly. You have been using some infected USB drives; they need to be vaccinated using Panda USB Vaccine: http://www.pandasecurity.com/homeusers/downloads/usbvaccine/

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\users\User\AppData\Local\Temp\DZE.exe

Driver::
DZE
fylwqx

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{377dff67-a9de-11dd-bac3-001b383f358f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{39106cf0-ab35-11dd-9726-001b383f358f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{52b58a6f-ada5-11dd-bbed-001b383f358f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cba4564c-d7e6-11dd-8f78-001b383f358f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d9ba48f4-d8ac-11dd-b4b9-001b383f358f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dc5d4ae4-dd57-11dd-a1db-001b383f358f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{edb5e675-24ee-11e0-808a-da2f9059bcb9}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f4da3995-caf2-11dd-b7aa-001b383f358f}]


3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below.  This will start ComboFix again.

6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new OTListit log.
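As an added example (not from the thread, and not code from OTL or ComboFix), the Python below parses the kind of OTL report lines quoted in Reply #4: the O33 MountPoints2 shell commands planted by the USB worm, the orphaned O4 Run value "futur", and the O2 BHO with no CLSID. It explains why each entry matters and then emits the `Registry::` block of a CFScript.txt in the same `[-key]` delete syntax used in Reply #10, one line per hijacked GUID. The sample report is constructed for this example (the O33/O4/O2 lines are modelled on the ones in the thread, the benign Java BHO line is made up), and the heuristics and function names are the example's own.

```python
"""Triage OTL report lines for USB-autorun persistence and dangling entries,
then emit the ComboFix 'Registry::' removal block.

Added example: not part of the original thread and not code from OTL or
ComboFix. The sample report below is constructed for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Per-user key that OTL abbreviates as "O33 - MountPoints2\{guid}\...".
# Windows stores here the Shell\<verb>\command a volume gets when it is
# double-clicked, right-click > Explore'd or AutoPlayed; autorun.inf worms
# plant their payload path in it.
MOUNTPOINTS2 = (r"HKEY_CURRENT_USER\software\microsoft\windows\currentversion"
                r"\explorer\mountpoints2")

# Constructed sample modelled on the OTL lines quoted in the thread, plus one
# benign BHO line so the parser has something to leave alone.
SAMPLE_LOG = r"""
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O4 - HKU\S-1-5-21-4190731207-121853071-4191398483-1000..\Run: [futur] File not found
O33 - MountPoints2\{377dff67-a9de-11dd-bac3-001b383f358f}\Shell\AutoRun\command - "" = D:\fooool.exe
O33 - MountPoints2\{377dff67-a9de-11dd-bac3-001b383f358f}\Shell\open\Command - "" = D:\fooool.exe
O33 - MountPoints2\{d9ba48f4-d8ac-11dd-b4b9-001b383f358f}\Shell\AutoRun\command - "" = G:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\windowsupdate.com
O33 - MountPoints2\{dc5d4ae4-dd57-11dd-a1db-001b383f358f}\Shell\AutoRun\command - "" = fooool.exe
"""

O33_RE = re.compile(
    r'^O33 - MountPoints2\\(\{[0-9a-f-]+\})\\Shell\\(\w+)\\command - "" = (.+)$',
    re.IGNORECASE)
O4_RE = re.compile(r"^O4 - (\S+?)\.\.\\Run: \[([^\]]+)\] (.+)$")
O2_RE = re.compile(r"^O2 - BHO: \((.*?)\) - (\{[0-9A-Fa-f-]+\}) - (.+)$")


@dataclass
class Finding:
    kind: str              # "usb_autorun" | "dangling_run" | "dangling_bho"
    key: str               # MountPoints2 GUID, Run value name, or BHO CLSID
    detail: str            # command target, Run hive path, or BHO name
    reasons: list[str] = field(default_factory=list)


def _autorun_reasons(verb: str, target: str) -> list[str]:
    """Heuristics (this example's own) for why a MountPoints2 command is suspect."""
    reasons = [f"Shell\\{verb}\\command runs {target} when the volume is opened, "
               "explored or AutoPlayed"]
    if not re.match(r"^[A-Za-z]:\\", target):
        reasons.append("relative path: resolves against the root of whatever volume "
                       "is mounted under this GUID")
    if "\\RECYCLER\\" in target.upper():
        reasons.append("payload hidden in a fake RECYCLER\\S-1-5-... folder")
    ext = target.rsplit(".", 1)[-1].lower() if "." in target else ""
    if ext != "exe":
        reasons.append(f"'.{ext}' extension: an executable dressed up as a non-program name")
    return reasons


def triage(report: str) -> list[Finding]:
    """Parse OTL lines and return the entries a malware-removal helper would act on."""
    findings: list[Finding] = []
    for raw in report.splitlines():
        line = raw.strip()
        if m := O33_RE.match(line):
            guid, verb, target = m.groups()
            findings.append(Finding("usb_autorun", guid.lower(), target,
                                    _autorun_reasons(verb, target)))
        elif m := O4_RE.match(line):
            hive, name, target = m.groups()
            if target == "File not found":
                findings.append(Finding("dangling_run", name, hive + r"..\Run",
                                        ["Run value whose target is gone: the launcher "
                                         "outlived the payload it started"]))
        elif m := O2_RE.match(line):
            name, clsid, target = m.groups()
            if target.startswith("No CLSID value found"):
                findings.append(Finding("dangling_bho", clsid, name,
                                        ["BHO registered with Explorer but its CLSID "
                                         "no longer exists: orphaned hook"]))
    return findings


def combofix_registry_section(findings: list[Finding]) -> str:
    """Build the Registry:: block of a CFScript.txt that deletes each hijacked
    MountPoints2 GUID once, in the same [-key] syntax used in the thread."""
    guids = sorted({f.key for f in findings if f.kind == "usb_autorun"})
    return "\n".join(["Registry::"] + [f"[-{MOUNTPOINTS2}\\{g}]" for g in guids])


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind:13} {f.key}  {f.detail}")
        for r in f.reasons:
            print(f"    - {r}")
    print()
    print(combofix_registry_section(found))
```

Run it against a real OTL.txt with `triage(open("OTL.txt", encoding="utf-8", errors="replace").read())`. Deleting the MountPoints2 GUIDs only removes the per-user hijack on this PC; the autorun.inf and payload still sit on the USB sticks themselves, which is why the reply above also asks for the drives to be vaccinated.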

CUPIC

  • Guest
Re: Avast! doesn't remove a rootkit file
« Reply #11 on: January 31, 2011, 11:32:28 PM »
I did everything as you said.

There are 2 files.


Thank you!

Offline essexboy
Re: Avast! doesn't remove a rootkit file
« Reply #12 on: January 31, 2011, 11:37:23 PM »
That looks good now, what are your current problems?

CUPIC

  • Guest
Re: Avast! doesn't remove a rootkit file
« Reply #13 on: January 31, 2011, 11:38:26 PM »
When I logged in to Windows normally, after I scanned my computer with ComboFix, Spybot S&D asked me if I want to allow some changes.

Message was:

"DISABLE CMD"

What to do?

thank you!
« Last Edit: January 31, 2011, 11:40:28 PM by CUPIC »

Offline essexboy
Re: Avast! doesn't remove a rootkit file
« Reply #14 on: January 31, 2011, 11:39:59 PM »
To be honest... Remove Spybot and get WinPatrol and MBAM to cover your security.

Allow it