enhanced protection mode

[eustace flynn]

Hi Essexboy

I can't believe it but I did it!
Here's the info.

http://www.mediafire.com/file/k594sh85cazjd5s/OTS.Txt

[essexboy]

OK lots and lots of temporary files to clear - so  this may take longer than normal to run 
There will be a zip file within c:\_OTS\moved files could you upload that to  Mediafire  and post the sharing link please.  Once I have grabbed it you can delete the link

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

Code: [Select]


[Unregister Dlls]
[Driver Services - Safe List]
YY -> (mdxgthkn) mdxgthkn [Kernel | On_Demand | Stopped] -> C:\Documents and Settings\AUTOTELIC\Local Settings\Temp\mdxgthkn.sys
[Registry - Safe List]
< FireFox Extensions [User Folders] > ->
YY -> No name found   -> C:\Documents and Settings\AUTOTELIC\Application Data\Mozilla\Firefox\Profiles\5l78mbfx.default\extensions\{5c876f30-10ce-11dd-bd0b-0800200c9a66}\chrome\win\mozapps\extensions
< FireFox Extensions [Program Folders] > ->
YY -> Java Console   -> C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
YY -> Java Console   -> C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
YN -> No name found ->
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {7E853D72-626A-48EC-A868-BA8D5E23E045} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-606747145-1960408961-839522115-1003\] > -> HKEY_USERS\S-1-5-21-606747145-1960408961-839522115-1003\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-21-606747145-1960408961-839522115-1003\] > -> HKEY_USERS\S-1-5-21-606747145-1960408961-839522115-1003\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{92780B25-18CC-41C8-B9BE-3C9C571A8263}" [HKLM] -> [Reg Error: Key error.]
YN -> CmdMapping\\"{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D}" [HKLM] -> [Reg Error: Key error.]
[Registry - Additional Scans - Safe List]
< Drivers32 [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
YN -> "vidc.LEAD" -> [LCODCCMP.DLL]
[Files/Folders - Created Within 7 Days]
NY ->  update.2 -> C:\WINDOWS\update.2
NY ->  rpcminer -> C:\WINDOWS\rpcminer
NY ->  phoenix -> C:\WINDOWS\phoenix
NY ->  update.5.0 -> C:\WINDOWS\update.5.0
[Files/Folders - Modified Within 7 Days]
NY ->  info1 -> C:\WINDOWS\info1
NY ->  geoiplist.rar -> C:\WINDOWS\geoiplist.rar
NY ->  phoenix.rar -> C:\WINDOWS\phoenix.rar
NY ->  ufa.rar -> C:\WINDOWS\ufa.rar
NY ->  rpcminer.rar -> C:\WINDOWS\rpcminer.rar
NY ->  loader2.exe_ok -> C:\WINDOWS\loader2.exe_ok
NY ->  geoiplist -> C:\WINDOWS\geoiplist
[Files - No Company Name]
NY ->  geoiplist -> C:\WINDOWS\geoiplist
NY ->  geoiplist.rar -> C:\WINDOWS\geoiplist.rar
NY ->  phoenix.rar -> C:\WINDOWS\phoenix.rar
NY ->  ufa.rar -> C:\WINDOWS\ufa.rar
NY ->  rpcminer.rar -> C:\WINDOWS\rpcminer.rar
NY ->  info1 -> C:\WINDOWS\info1
NY ->  loader2.exe_ok -> C:\WINDOWS\loader2.exe_ok
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
[ZipFiles]
 
The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix.  Post that information back here

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!

[saisory]

Hi...


I have the same problem can :'( it also started in facebook.. downloading a fake flash player.. suddenly all of my protection turned off..

[Rednose]

Hi saisory, welcome to the forum

I am sorry you have problems, but if you need help to fix them you should start your own topic.

Greetz, Red.

[DavidR]

Hi...

I have the same problem can :'( it also started in facebook.. downloading a fake flash player.. suddenly all of my protection turned off..

You will need to start you own New Topic in the viruses and worms forum, http://forum.avast.com/index.php?board=4.0 and click the New Topic button at the top of the page.

Download and Run the OTS analysis tool mentioned in Reply #14 of this topic, http://forum.avast.com/index.php?topic=81947.msg669791#msg669791, attach the OTS log to the new topic.

[eustace flynn]

Essexboy

Sorry for the delay. I got the log file you wanted (at least I hope this is it).

http://www.mediafire.com/?k594sh85cazjd5s

PS When do I stop being a "Newbie"? I hate that word!

[essexboy]

Close - but you gave me the initial run 

Do you still have the enhanced protection popups ?

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

[eustace flynn]

Essexboy

Here's the zip file.
(It's a huge file)

http://www.mediafire.com/file/yzu5igmyyogre6m/07232011_175651.zip

Eustace

[essexboy]

Ta you can delete the link now 

Also how is the computer behaving ?

[eustace flynn]

The scan shows I'm clean now.

The machine seems to be fine but I'll reserve final judgement until I've used it a bit.

Still can't login to Facebook (although that may not be such a bad thing).

Many Thanks

Eustace

[essexboy]

Let me know how it is running tomorrow and if it is good I will remove my tools

[eustace flynn]

Will do.

[kim9]

Hi Eustace Flynn, I got the same problem exactly like you on my computer. I followed your steps with Malwarebytes and I managed to reinstall avast. THANKS A LOT, got badly lost in between... Everything seems ok now except that like you I can't access facebook no more. Did you manage to fix that as well. Would appreciate your input if you did ! Thanks in advance.

[reinvaldez]

got the same issue here. I want to ask how to get rid of this intruder. below is the result of the quick scan of malwarebytes.

Code: [Select]

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7270

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

7/25/2011 2:24:33 PM
mbam-log-2011-07-25 (14-24-25).txt

Scan type: Quick scan
Objects scanned: 163753
Time elapsed: 2 minute(s), 38 second(s)

Memory Processes Infected: 8
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 8
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 13

Memory Processes Infected:
c:\Windows\sysdriver32.exe (Trojan.Agent) -> 1916 -> No action taken.
c:\Windows\sysdriver32.exe (Trojan.Agent) -> 2932 -> No action taken.
c:\Windows\update.1\svchost.exe (Trojan.Dropper) -> 128 -> No action taken.
c:\Windows\update.tray-14-0\svchost.exe (Trojan.Dropper) -> 2896 -> No action taken.
c:\Windows\update.tray-7-0\svchost.exe (Trojan.Dropper) -> 2924 -> No action taken.
c:\Windows\sysdriver32_.exe (Trojan.Agent) -> 2940 -> No action taken.
c:\Windows\systemup.exe (Trojan.Agent) -> 2948 -> No action taken.
c:\Windows\update.3\svchost.exe (Trojan.Agent) -> 2976 -> No action taken.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srvsysdriver32 (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wxpdrivers (Trojan.Dropper) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wxpdrivers (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\wxpdrivers (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srvbtcclient (Trojan.Downloader) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysdriver32.exe (Trojan.Agent) -> Value: sysdriver32.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tray_ico0 (Trojan.Dropper) -> Value: tray_ico0 -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tray_ico1 (Trojan.Dropper) -> Value: tray_ico1 -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysdriver32_.exe (Trojan.Agent) -> Value: sysdriver32_.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\systemup (Trojan.Agent) -> Value: systemup -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wxpdrv (Trojan.Dropper) -> Value: wxpdrv -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\w_distrib.exe (Trojan.Agent) -> Value: w_distrib.exe -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wxpDrivers\ImagePath (Trojan.Agent) -> Value: ImagePath -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\sysdriver32.exe (Trojan.Agent) -> No action taken.
c:\Windows\update.1\svchost.exe (Trojan.Dropper) -> No action taken.
c:\Windows\update.tray-14-0\svchost.exe (Trojan.Dropper) -> No action taken.
c:\Windows\update.tray-7-0\svchost.exe (Trojan.Dropper) -> No action taken.
c:\Windows\sysdriver32_.exe (Trojan.Agent) -> No action taken.
c:\Windows\systemup.exe (Trojan.Agent) -> No action taken.
c:\Windows\services32.exe (Trojan.Dropper) -> No action taken.
c:\$Recycle.Bin\s-1-5-21-3772573260-3676193357-3056770080-1000\$R97H2KI.exe (Trojan.Agent) -> No action taken.
c:\$Recycle.Bin\s-1-5-21-3772573260-3676193357-3056770080-1000\$RG3MKR6.exe (Trojan.Agent) -> No action taken.
c:\$Recycle.Bin\s-1-5-21-3772573260-3676193357-3056770080-1000\$RPO6SZV.exe (Trojan.Agent) -> No action taken.
c:\$Recycle.Bin\s-1-5-21-3772573260-3676193357-3056770080-1000\$RSH27WV.exe (Trojan.Agent) -> No action taken.
c:\Windows\AutoKMS.exe (RiskWare.Tool.CK) -> No action taken.
c:\Windows\update.3\svchost.exe (Trojan.Agent) -> No action taken.


[marko.raic]

Ok people i have the same problem with my avast! and it all started with one message on facebook from my friend which said that she will send link with video of me.I go to that link and asked me to download flash player,i did it but after that,my computer began to restart by itself almost immideatly after i connect to the internet,and when i try to open user interface it says that it is in enhanced protection mode. i got picture of it

http://imageshack.us/photo/my-images/11/modec.jpg/