Author Topic: Infected by: Win32:Patched-WQ Win32:malware-gen


whenpigsfly

  • Guest
Infected by: Win32:Patched-WQ Win32:malware-gen
« on: November 23, 2011, 09:27:12 PM »
Malwarebytes:

2 files attached.

OTL:

2 files attached

aswMBR:

Downloaded and ran as instructed but blue-screened and comp restarted before it could be completed. I attempted this twice with same results.


Other info:

When it first kicked off, AVAST seemed to find the stuff in the subject line and attempted to remove it. I ran a boot-scan. The latest scan indicates no apparent threats.

There was some strange activity in Google chrome with the browser redirecting to the same page. AVAST has been blocking attacks fairly often while online. And while online blue-screen would sometimes kick in and comp shut down.


Many thanks in advance for any help!


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Infected by: Win32:Patched-WQ Win32:malware-gen
« Reply #1 on: November 23, 2011, 09:56:49 PM »
Let's check out the MBR

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    Quote
    :OTL
    [2011/11/22 11:37:43 | 000,000,000 | -HSD | C] -- C:\Users\cjbl\AppData\Local\4b013c53
    [2011/11/14 15:05:10 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjou

    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN

Please download MBRCheck.exe to your Desktop. Run the application.
 
If no infection is found, it will produce a report on the desktop. Post that report in your next reply.
 
If an infection is found, you will be presented with the following dialog:
 
Quote
Enter 'Y' and hit ENTER for more options, or 'N' to exit: 

 
Type N and press Enter. A report will be produced on the desktop. Post that report in your next reply.
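
The fix above singles out one line of the OTL log: a directory created the day before the post, carrying the Hidden and System attributes, named with eight hex characters and sitting in the user's AppData\Local. As an added example that is not part of the thread, of OTL or of its author's code, the following Python parses entries in the format shown above and applies those two heuristics (hidden+system directory in a user-writable location; random-looking hex name) to a constructed sample log. The meaning of the attribute letters (R, H, S, D) and the section header are my reading of OTL's layout rather than anything the thread states, and the sample's third to sixth lines are made up.

```python
"""Triage OTL 'created within 30 days' entries the way the fix above did.

Added example; not code from the thread, from OTL or from its author.  Line
format as seen in the fix: [date time | size | RHSD | event] -- path.
Attribute letters R/H/S/D and event letter C (created) are my reading of it.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[R-][H-][S-][D-]) \| (?P<event>[A-Z])\] -- (?P<path>.+?)\s*$"
)
# Directory names made only of hex digits, such as 4b013c53 in the fix above.
RANDOM_HEX_NAME = re.compile(r"^[0-9a-f]{8,}$", re.IGNORECASE)
# Locations the logged-on user (and so malware running as that user) can write to.
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\programdata\\", "\\users\\public\\")


@dataclass
class OtlEntry:
    timestamp: datetime
    size: int
    attrs: str
    event: str
    path: str

    @property
    def hidden(self) -> bool:
        return "H" in self.attrs

    @property
    def system(self) -> bool:
        return "S" in self.attrs

    @property
    def directory(self) -> bool:
        return "D" in self.attrs

    @property
    def name(self) -> str:
        return self.path.rstrip("\\").rsplit("\\", 1)[-1]


def parse_otl_line(line: str) -> Optional[OtlEntry]:
    """Parse one entry line; section headers and other text give None."""
    m = OTL_LINE.match(line)
    if not m:
        return None
    return OtlEntry(
        timestamp=datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
        size=int(m["size"].replace(",", "")),
        attrs=m["attrs"],
        event=m["event"],
        path=m["path"],
    )


def reasons(entry: OtlEntry) -> List[str]:
    """Why an entry deserves a closer look; an empty list means nothing stood out."""
    out: List[str] = []
    in_user_writable = any(loc in entry.path.lower() for loc in USER_WRITABLE)
    if entry.directory and entry.hidden and entry.system and in_user_writable:
        out.append("hidden+system directory in a user-writable location")
    if entry.directory and RANDOM_HEX_NAME.match(entry.name):
        out.append("random-looking hex directory name")
    return out


def triage(lines: List[str]) -> List[Tuple[OtlEntry, List[str]]]:
    """Return (entry, reasons) for every line that trips at least one heuristic."""
    flagged = []
    for line in lines:
        entry = parse_otl_line(line)
        if entry is None:
            continue
        why = reasons(entry)
        if why:
            flagged.append((entry, why))
    return flagged


# Constructed sample log: lines 2 and 3 are the two entries from the fix above;
# the header and the remaining entries are made up to show what is not flagged.
SAMPLE_OTL_LINES = [
    "========== Files - Created Within 30 Days ==========",
    "[2011/11/22 11:37:43 | 000,000,000 | -HSD | C] -- C:\\Users\\cjbl\\AppData\\Local\\4b013c53",
    "[2011/11/14 15:05:10 | 000,000,000 | ---D | C] -- C:\\Program Files\\Bonjou",
    "[2011/11/20 08:00:00 | 000,000,000 | ---D | C] -- C:\\Users\\cjbl\\AppData\\Local\\Google",
    "[2011/11/01 09:00:00 | 000,000,000 | -HSD | C] -- C:\\System Volume Information",
    "[2011/11/22 11:38:01 | 000,245,760 | ---- | C] -- C:\\Users\\cjbl\\AppData\\Local\\Temp\\setup.exe",
]

if __name__ == "__main__":
    for entry, why in triage(SAMPLE_OTL_LINES):
        print(entry.timestamp, entry.attrs, entry.path, "->", "; ".join(why))
```

The second entry removed by the fix (C:\Program Files\Bonjou) is not caught by these rules, which is the point: the helper judged it from the whole log and from what else was on the machine, and a parser only shortens the list a human still has to read.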

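
"Checking the MBR" means reading sector 0 of the disk and comparing it with what a clean system holds: a valid 0x55AA signature, a sane partition table, and boot code whose hash matches a loader you trust. As an added example, not the code of MBRCheck or aswMBR, the following Python does that over a constructed 512-byte sector. The KNOWN_BOOT_CODE allowlist holds only the hash of the constructed sample, so a real run needs the hashes of the genuine loaders, which are not reproduced here; reading the real disk goes through read_mbr_sector() on \\.\PhysicalDrive0 as administrator.

```python
"""Parse a 512-byte MBR and run the checks an MBR-inspection tool performs.

Added example; not code from the thread or from the MBRCheck/aswMBR authors.
KNOWN_BOOT_CODE below contains only the constructed sample's hash.
"""
from __future__ import annotations

import hashlib
import struct
from typing import Dict, List

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445: boot code (plus disk signature)
PARTITION_TABLE_OFF = 446    # four 16-byte partition entries
ENTRY_FMT = "<B3xB3xII"      # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
SIGNATURE_OFF = 510
BOOT_SIGNATURE = b"\x55\xAA"


def read_mbr_sector(device: str) -> bytes:
    """Read sector 0 of a raw device: r'\\.\PhysicalDrive0' (Windows, admin) or '/dev/sda' (Linux, root)."""
    with open(device, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def parse_mbr(sector: bytes) -> dict:
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(ENTRY_FMT, sector, PARTITION_TABLE_OFF + 16 * i)
        partitions.append({"status": status, "type": ptype, "lba_start": lba_start, "sectors": count})
    return {
        "signature_ok": sector[SIGNATURE_OFF:SIGNATURE_OFF + 2] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(sector: bytes, known_boot_code: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means nothing looked wrong."""
    info = parse_mbr(sector)
    findings: List[str] = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    parts = info["partitions"]
    active = [p for p in parts if p["status"] == 0x80]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    for i, p in enumerate(parts):
        if p["status"] not in (0x00, 0x80):
            findings.append(f"entry {i}: invalid status byte 0x{p['status']:02x}")
        if p["type"] == 0 and (p["lba_start"] or p["sectors"]):
            findings.append(f"entry {i}: empty type but non-zero LBA/size")
    used = sorted((p for p in parts if p["type"] != 0), key=lambda p: p["lba_start"])
    for a, b in zip(used, used[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append("partition entries overlap")
    if info["boot_code_sha256"] not in known_boot_code:
        findings.append("boot code does not match any known loader: " + info["boot_code_sha256"][:16] + "...")
    return findings


def build_mbr(boot_code: bytes, entries) -> bytes:
    """Assemble a sector from boot code and (status, type, lba_start, sectors) tuples."""
    assert len(boot_code) <= BOOT_CODE_LEN
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, (status, ptype, lba, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, sector, PARTITION_TABLE_OFF + 16 * i, status, ptype, lba, count)
    sector[SIGNATURE_OFF:] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed sample: a stand-in for a loader (not real boot code) and two NTFS partitions.
SAMPLE_BOOT_CODE = b"\xEB\x3C\x90constructed-sample-loader\xCC"
SAMPLE_PARTITIONS = [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 1024000)]
SAMPLE_MBR = build_mbr(SAMPLE_BOOT_CODE, SAMPLE_PARTITIONS)
KNOWN_BOOT_CODE = {hashlib.sha256(SAMPLE_MBR[:BOOT_CODE_LEN]).hexdigest(): "constructed sample loader"}


def tampered_sample() -> bytes:
    """The same sector with the start of the loader overwritten, as a bootkit does."""
    sector = bytearray(SAMPLE_MBR)
    sector[0:3] = b"\xE9\x00\x10"
    return bytes(sector)


if __name__ == "__main__":
    print("clean:   ", check_mbr(SAMPLE_MBR, KNOWN_BOOT_CODE))
    print("tampered:", check_mbr(tampered_sample(), KNOWN_BOOT_CODE))
```

A user-mode read of \\.\PhysicalDrive0 can be answered by a kernel-mode rootkit that hooks the disk stack and hands back a clean copy of the sector, which is why a scan from a boot CD, as happens later in this thread, is the definitive check.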

whenpigsfly

  • Guest
Re: Infected by: Win32:Patched-WQ Win32:malware-gen
« Reply #2 on: November 24, 2011, 08:31:18 AM »
Not sure if OTL finished properly, as on reboot the desktop items are still missing.

The attached log produced by OTL after running a quickscan on reboot.

Got to the desktop to run MBRCheck using 'Run' from Task Manager. MBR log attached.

Many thanks,

EDIT: Have restarted and desktop icons are back.

EDIT#2: Following a 'quick scan' in AVAST the following was found:

C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.18000_none_d7e842925e6d1f50\afd.sys   Severity HIGH   Threat: Win32:Rootkit-gen    Outcome: MOVED TO CHEST
« Last Edit: November 24, 2011, 09:46:20 AM by whenpigsfly »

Offline essexboy
Re: Infected by: Win32:Patched-WQ Win32:malware-gen
« Reply #3 on: November 24, 2011, 09:04:23 PM »
Hmm, that was in a backup area; however, it warrants a deeper look.

Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1
Link 2
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
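
The flagged path sits in the component store (C:\Windows\winsxs), where Windows keeps each version of a component it has installed or serviced; the directory name encodes architecture, component name, Microsoft's public key token, version, culture and a hash. On Vista and later the file in System32 is normally a hard link to one of those copies, and System File Checker repairs System32 from the store, so a detection there is not just "a backup". As an added example, not code from the thread, the following Python parses such a path, derives the live location of the file (the .sys-to-System32\drivers mapping is my simplification) and reports whether the store copy and the live file are the same file on disk, identical bytes, or different; demo() runs the comparison on constructed files so it works on any OS.

```python
"""Make sense of a detection on a WinSxS copy of a system driver.

Added example; not code from the thread.  WinSxS directory layout is
arch_name_publicKeyToken_version_culture_hash; mapping "*.sys" to
System32\drivers is an assumption made here.
"""
from __future__ import annotations

import hashlib
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Dict

COMPONENT_DIR = re.compile(
    r"^(?P<arch>x86|amd64|wow64|msil|ia64)_(?P<name>.+)_(?P<token>[0-9a-f]{16})_"
    r"(?P<version>\d+(?:\.\d+){3})_(?P<culture>[a-z-]+)_(?P<hash>[0-9a-f]{16})$",
    re.IGNORECASE,
)


@dataclass
class ComponentFile:
    arch: str
    name: str
    public_key_token: str
    version: str
    culture: str
    filename: str


def parse_winsxs_path(path: str) -> ComponentFile:
    """Split a file path under winsxs into its component fields."""
    parts = path.replace("/", "\\").split("\\")
    idx = next(i for i, p in enumerate(parts) if p.lower() == "winsxs")
    m = COMPONENT_DIR.match(parts[idx + 1])
    if not m:
        raise ValueError(f"not a component directory name: {parts[idx + 1]}")
    return ComponentFile(m["arch"].lower(), m["name"], m["token"].lower(), m["version"], m["culture"], parts[-1])


def live_path_for(component: ComponentFile, system_root: str = r"C:\Windows") -> str:
    """Where the in-use copy lives (assumption: drivers go to System32\\drivers)."""
    sub = "drivers" if component.filename.lower().endswith(".sys") else ""
    return "\\".join(p for p in (system_root, "System32", sub, component.filename) if p)


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_copies(store_copy: str, live_copy: str) -> str:
    """'hardlink' (same file on disk), 'identical', 'differs' or 'missing'."""
    if not (os.path.exists(store_copy) and os.path.exists(live_copy)):
        return "missing"
    a, b = os.stat(store_copy), os.stat(live_copy)
    if (a.st_dev, a.st_ino) == (b.st_dev, b.st_ino):   # st_ino is the NTFS file index on Windows (Python 3.5+)
        return "hardlink"
    return "identical" if sha256_file(store_copy) == sha256_file(live_copy) else "differs"


# The path reported by avast in the post above.
DETECTED_PATH = r"C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.18000_none_d7e842925e6d1f50\afd.sys"


def demo() -> Dict[str, str]:
    """Exercise compare_copies on constructed files; no real driver is touched."""
    image = b"MZ" + b"\0" * 62 + b"constructed driver image"
    results: Dict[str, str] = {}
    with tempfile.TemporaryDirectory() as tmp:
        store = os.path.join(tmp, "store_afd.sys")
        linked, copied, patched = (os.path.join(tmp, n) for n in ("linked.sys", "copied.sys", "patched.sys"))
        with open(store, "wb") as fh:
            fh.write(image)
        os.link(store, linked)                 # what System32 normally is: a hard link into the store
        with open(copied, "wb") as fh:
            fh.write(image)                    # separate file, same bytes
        with open(patched, "wb") as fh:
            fh.write(image.replace(b"driver", b"PATCHD"))   # same size, different bytes
        results["linked"] = compare_copies(store, linked)
        results["copied"] = compare_copies(store, copied)
        results["patched"] = compare_copies(store, patched)
        results["absent"] = compare_copies(store, os.path.join(tmp, "absent.sys"))
    return results


if __name__ == "__main__":
    comp = parse_winsxs_path(DETECTED_PATH)
    print(comp, "->", live_path_for(comp))
    print(demo())
```

Agreement between the two copies only shows that they match each other; whether either is the genuine Microsoft file is a question for an Authenticode check (Sysinternals sigcheck, or Get-AuthenticodeSignature in PowerShell). The store may also hold several versions of the same component, one per servicing update, so compare the live file against every winsxs directory carrying that component name, not only the one the scanner named.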

whenpigsfly

  • Guest
Re: Infected by: Win32:Patched-WQ Win32:malware-gen
« Reply #4 on: November 25, 2011, 10:06:30 AM »
Downloaded Combofix and ran as instructed, downloaded an update.

Combofix got as far as starting to scan. It indicated that it would typically take 10 mins (or maybe double for seriously infected machines). I left it running for over an hour. Then, when there didn't seem to be much activity, I closed the window. I've not tried to run it again.

No log file seems to have appeared. Instead there is a file of type 'File' in the c:\ called ComboFix. (It has an icon with a PC on it).

Many thanks.
« Last Edit: November 25, 2011, 10:11:59 AM by whenpigsfly »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37550
  • Not a avast user
Re: Infected by: Win32:Patched-WQ Win32:malware-gen
« Reply #5 on: November 25, 2011, 10:10:12 AM »
Did you disable Avast before you ran ComboFix?

See what is marked in red in Essexboy's post...

whenpigsfly

  • Guest
Re: Infected by: Win32:Patched-WQ Win32:malware-gen
« Reply #6 on: November 25, 2011, 12:06:05 PM »
I thought I had but only for ten mins. When I realised that it was going to take longer than 10 mins I disabled it for an hour.

His instructions also say not to run it again? Should I wait for a response or try running it again?

Offline Pondus
Re: Infected by: Win32:Patched-WQ Win32:malware-gen
« Reply #7 on: November 25, 2011, 12:17:30 PM »
Quote
His instructions also say not to run it again?
Then you do as he says and wait   ;)

Offline essexboy
Re: Infected by: Win32:Patched-WQ Win32:malware-gen
« Reply #8 on: November 25, 2011, 07:05:33 PM »
Re-run combofix but this time run it from safe mode please

whenpigsfly

  • Guest
Re: Infected by: Win32:Patched-WQ Win32:malware-gen
« Reply #9 on: November 25, 2011, 09:34:34 PM »
I re-ran ComboFix from safe mode; I got warnings about Avast Antivirus and Avast Antispyware being active. I tried to disable all these functions as well as Windows Defender before clicking OK.

Got another warning saying that these were still on but that ComboFix would run anyway.



ComboFix started running, upon which it said "Access denied. Administrator permissions are needed to use the selected options." (This only happened in safe mode). Then it saved a restore point.

It was running again for about an hour and a half before I stopped it. Do you think I should let it keep running until it does something?

Many thanks for your time.


Offline essexboy
Re: Infected by: Win32:Patched-WQ Win32:malware-gen
« Reply #10 on: November 25, 2011, 09:55:17 PM »
Methinks I will need to use a tool from outside of Windows for this one, as ComboFix is not performing the way it should; plus, it should be able to access all system elements.

Can you burn a CD?

Please download the following programmes to your desktop:

Dr Web Live CD

ImgBurn

Install IMGBurn
  • Double click Dr Web
  • IMGBurn will open
  • Burn the ISO to a cd
  • Reboot the infected computer with the CD in the drive
  • Ensure that the first boot device is CD - If you are not sure about that then see this page for instructions
  • As loading starts, a dialogue window will prompt you to choose between the standard and safe modes.


  • Use arrow keys to select  DrWeb-LiveCD (Default)
  • When the system is loaded, check the disks or folders you want to scan, and click on “Start”.


  • The programme will now scan for and cure/delete any malware that it finds. Allow it to do so.
  • Once completed reboot to normal windows
  • No log is produced so once in normal windows run a fresh OTL scan and let me know if the problems persist

whenpigsfly

  • Guest
Re: Infected by: Win32:Patched-WQ Win32:malware-gen
« Reply #11 on: November 29, 2011, 06:28:46 PM »
Downloaded Dr Web and Burnt it to CD, booted, ran it.

It is still running (about 80% done), seems very thorough.

One of the things it has picked up is that OTL.exe is infected by Trojan.Siggen3.24046 , to which DrWeb responded by deleting the file.

When the scan is complete, should I re-download OTL.exe and run it to produce another log as requested above?

Many thanks,

Offline essexboy
Re: Infected by: Win32:Patched-WQ Win32:malware-gen
« Reply #12 on: November 29, 2011, 10:09:47 PM »
Yes please. Some antivirus programmes do not like OTL, as it can make quite deep changes to the system.

whenpigsfly

  • Guest
Re: Infected by: Win32:Patched-WQ Win32:malware-gen
« Reply #13 on: December 01, 2011, 08:24:01 AM »
Ok, OTL log attached. (Only 1 file, no extras?)

DrWeb took over 48h to get through it all! It didn't seem to find all that much.
On rebooting to hard drive everything seems ok, machine is running seemingly well.

Am I 'cured'?

Many thanks,

Offline essexboy
Re: Infected by: Win32:Patched-WQ Win32:malware-gen
« Reply #14 on: December 01, 2011, 08:26:30 PM »
Looks good to me. Do Windows updates work?

Any remaining problems ?