Fraudpack, antivirussuite, bad.proxy, and normal can't run explorer properly

By Olikut
Feb 1, 2011
  1. A few days ago my XP machine became hosed. On normal startup, it takes eons longer to load Windows, and when it does it fails to load the taskbar (or rather, the top edge of it is visible, but not expandable). Most programs cannot run. I cannot run Windows Update or install/update antivirus suites (like Avast). The machine was running AVG and Spycatcher, but neither impeded the infection or was able to find it once it occurred. I've installed Avast now but it cannot update or operate properly (in safe mode) and cannot run at all in normal mode. My first MBAM run (in safe mode, it won't run in normal) found the aforementioned malware (subsequent runs have found nothing). Gmer has found nothing (in normal mode or safe mode).

    My 8-step logs follow:


  2. Olikut

    Olikut TS Rookie Topic Starter Posts: 24

  3. Broni

    Broni Malware Annihilator Posts: 52,792   +343

    Welcome aboard

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.


    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    Enter N to exit.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.


    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AppRemover to uninstall it:
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.

    Make sure, you re-enable your security programs, when you're done with Combofix.


    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill, which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
  4. Olikut

    Olikut TS Rookie Topic Starter Posts: 24

    First off, Thanks a ton Broni for taking the time.

    I was able to run MBRCheck in normal mode. Combofix hung in normal and ran in safemode (w/ networking). When Combofix restarted I saw my taskbar for the first time in a few days. woot.

    MBRCheck log:

    Combofix log:
  5. Broni

    Broni Malware Annihilator Posts: 52,792   +343

    You were running two AV programs, AVG and Avast.
    I assume, you uninstalled AVG in order to run Combofix?
    I need to know before we proceed.
    I still can see some nasties there.
  6. Olikut

    Olikut TS Rookie Topic Starter Posts: 24

    I uninstalled AVG a couple days ago, and installed Avast.

    Spycatcher refused to uninstall, so I had started manually deleting those files.

    Before running Combofix though I ran AppRemover, which gave me the option of removing both Avast and Spycatcher (I suppose the remnants from the registry), which I did. So when I ran Combofix I should have had no antivirus suites installed.

    After Combofix completed, and after my last post, I reinstalled Avast.
  7. Broni

    Broni Malware Annihilator Posts: 52,792   +343

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    c:\program files\AVG\AVG10\avgwdsvc.exe
    c:\documents and settings\All Users\Application Data\AVG10
    c:\documents and settings\Administrator\Local Settings\Application Data\AVG Security Toolbar
    c:\program files\AVG
    AVG Security Toolbar Service
    uInternet Settings,ProxyOverride = <local>;*.local

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.


    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
  8. Olikut

    Olikut TS Rookie Topic Starter Posts: 24

    I just disabled avast rather than uninstall it this time.

    CF log:
  9. Broni

    Broni Malware Annihilator Posts: 52,792   +343

    Looks good :)

    How is computer doing?

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:

    %systemroot%\*. /mp /s
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %PROGRAMFILES%\Common Files\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %USERPROFILE%\Favorites\*.url /x
    %ALLUSERSPROFILE%\*.dat /x
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %systemroot%\pchealth\helpctr\System\*.exe /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
  10. Olikut

    Olikut TS Rookie Topic Starter Posts: 24

    So far my PC actually runs like it should. So doing well.

    OTL log (up to LOP check):
  11. Olikut

    Olikut TS Rookie Topic Starter Posts: 24

    remainder of OTL log: (LOP check on):
  12. Olikut

    Olikut TS Rookie Topic Starter Posts: 24

    Extras log:
  13. Broni

    Broni Malware Annihilator Posts: 52,792   +343

    Good news :)

    Update your Java version here:

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    Now, we need to remove old Java version and its remnants...

    Download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.


    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
      IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
      FF - prefs.js..keyword.URL: ""
      FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG10\Firefox\
      FF - HKLM\software\mozilla\Firefox\Extensions\\avg@igeared: C:\Program Files\AVG\AVG10\Toolbar\Firefox\avg@igeared
      O2 - BHO: (SpywareBlock Class) - {0A87E45F-537A-40B4-B812-E2544C21A09F} - File not found
      O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - File not found
      O3 - HKU\S-1-5-21-839522115-861567501-2147252035-1003\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
      O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Reg Error: Key error.)
      O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} (Reg Error: Key error.)
      O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} (Reg Error: Key error.)
      O18 - Protocol\Handler\avgsecuritytoolbar {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - File not found
      O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - File not found
      O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgchsvx.exe /sync) - File not found
      [2011/01/29 11:11:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
      [2010/10/20 08:04:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ryan\Application Data\AVG10
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.


    Last scans...

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.

    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.

    3. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • IMPORTANT! UN-check Remove found threats
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE. If Eset won't find any threats, it won't produce any log.
  14. Olikut

    Olikut TS Rookie Topic Starter Posts: 24

    Ooof. Bad news.

    I was able to update Java to the latest, but upon restart my taskbar was gone again, and I couldn't use the JavaRa link in your post (a broken redirect immediately altered the link).

    I tried to soft reboot, but it hung at 'saving settings' (just like it did before), requiring a hard reboot. For now I'll try to continue with your list in safe mode w/ networking.
  15. Olikut

    Olikut TS Rookie Topic Starter Posts: 24

    Ran latest OTL in safe mode w/ networking. normal windows: taskbar is gone, firefox will run but appears to be hijacked, it refused to connect to techspot. Safemode firefox appears to operate fine.

    OTL run fix log:
  16. Olikut

    Olikut TS Rookie Topic Starter Posts: 24

    Security Check checkup log:
  17. Olikut

    Olikut TS Rookie Topic Starter Posts: 24

    Perhaps I should mention that I did run JavaRa in safemode w/ networking before the latest OTL run. I had to run it twice. First time it errored and failed before it finished. 2nd time it appeared to finish successfully (and produced a log).
  18. Broni

    Broni Malware Annihilator Posts: 52,792   +343

    Did you just install AVG 2011, because I can see it listed in SecurityCheck log?

    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
  19. Olikut

    Olikut TS Rookie Topic Starter Posts: 24

    Morning Broni. Thanks again for all your help.

    I tried to install AVG 2011 the other day, but like I mentioned before, I uninstalled it and it doesn't currently show up in the windows add/remove programs list. It also isn't found by AppRemover.

    My Eset scan (in safe mode) last night found nothing, so no report.

    My TDSSkiller scan cleaned nothing, log below (I ran it in safe mode, I'll go ahead and attempt in normal mode now):

  20. Broni

    Broni Malware Annihilator Posts: 52,792   +343

    Firefox safe mode, or computer safe mode?
  21. Olikut

    Olikut TS Rookie Topic Starter Posts: 24

    computer safe mode.
  22. Broni

    Broni Malware Annihilator Posts: 52,792   +343

    Can you check, if IE is having same issue?
  23. Olikut

    Olikut TS Rookie Topic Starter Posts: 24

    in normal windows mode, IE won't even open. The process starts, but no window ever shows up. For firefox, the window shows up, but it can't connect to anything now.
  24. Broni

    Broni Malware Annihilator Posts: 52,792   +343

    Go Start>Run (Start search in Vista), type in:
    Click OK (in Vista and Windows 7, while holding CTRL, and SHIFT, press Enter).

    In Command Prompt window, type in following commands, and hit Enter after each one:
    ipconfig /flushdns
    ipconfig /registerdns
    ipconfig /release
    ipconfig /renew
    net stop "dns client"
    net start "dns client"

    Turn the computer off.

    On your router, you'll find a pinhole marked "Reset".
    Keep pushing the hole, using a pencil, or a paperclip until all lights briefly come off and on.
    NOTE. Simple router disconnecting from a power source will NOT do.
    Restart computer and check for redirections.

    NOTE. You may need to re-check your router security settings, as described HERE
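    The ProxyOverride line ComboFix cleared earlier (uInternet Settings,ProxyOverride = <local>;*.local) and the "browser works in Safe Mode w/ networking but not in normal mode" symptom both point at the per-user WinINet proxy settings, which a local proxy hijacker rewrites so that every browser request is routed through a listener that only runs in normal mode. The script below is an added example, not a tool from this thread, from TechSpot, or from Broni: it reads HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings live on Windows, or parses a `reg export` of that key on any other OS, and flags a ProxyServer pointing at the local machine or an AutoConfigURL (PAC script). The key path and value names (ProxyEnable, ProxyServer, AutoConfigURL, ProxyOverride) are the standard WinINet ones; the sample export, the hijack heuristics and the function names are my own assumptions for illustration.

```python
"""Audit WinINet proxy settings for signs of a local proxy hijack.

Added example, not part of the original thread. Usage on the infected
machine (run from Safe Mode, where the browser still works):

    reg export "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" proxy.reg
    python audit_proxy.py proxy.reg

With no argument it reads the live key on Windows and falls back to the
constructed SAMPLE_EXPORT below elsewhere.
"""
import re
import sys
from typing import Dict, List, Optional

KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"

# Standard WinINet value names; ProxyOverride is the one the CFScript touched.
PROXY_VALUES = ("ProxyEnable", "ProxyServer", "AutoConfigURL", "ProxyOverride")

# Constructed sample of what `reg export` produces on a hijacked profile
# (assumption: a proxy on a loopback port, the usual local-hijack pattern).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="http=127.0.0.1:5555"
"ProxyOverride"="<local>;*.local"
"""


def parse_reg_export(text: str) -> Dict[str, str]:
    """Return name -> value for the Internet Settings section of a .reg file.

    Handles the two forms that matter here: "name"="string" (REG_SZ) and
    "name"=dword:xxxxxxxx (REG_DWORD, returned as a decimal string).
    """
    values: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == KEY.lower()
            continue
        if not in_section or not line or line.startswith(";"):
            continue
        m = re.match(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$', line)
        if not m:
            continue
        name, dword, sz = m.groups()
        if dword is not None:
            values[name] = str(int(dword, 16))
        else:
            # reg export escapes backslashes and quotes inside strings.
            values[name] = sz.replace('\\\\', '\\').replace('\\"', '"')
    return values


def load_export(path: str) -> Dict[str, str]:
    """Read a .reg file; reg export writes UTF-16 with a BOM by default."""
    with open(path, "rb") as f:
        data = f.read()
    text = data.decode("utf-16") if data.startswith(b"\xff\xfe") else data.decode("utf-8", "replace")
    return parse_reg_export(text)


def read_live_settings() -> Optional[Dict[str, str]]:
    """Read the key from the live registry on Windows; None on other platforms."""
    if sys.platform != "win32":
        return None
    import winreg
    values: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, KEY.split("\\", 1)[1]) as k:
        for name in PROXY_VALUES:
            try:
                data, _ = winreg.QueryValueEx(k, name)
                values[name] = str(data)
            except FileNotFoundError:
                pass
    return values


def audit(values: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings: List[str] = []
    enabled = values.get("ProxyEnable", "0") == "1"
    server = values.get("ProxyServer", "")
    pac = values.get("AutoConfigURL", "")
    if enabled and server:
        # A proxy on the local machine is only meaningful if some local process
        # listens there: in Safe Mode it is absent, so browsing "mysteriously" works.
        if re.search(r"(?:127\.0\.0\.1|localhost)(?::\d+)?", server):
            findings.append(f"ProxyServer points at the local machine: {server}")
        else:
            findings.append(f"ProxyServer is set: {server} (verify it is yours)")
    if pac:
        findings.append(f"AutoConfigURL (PAC script) is set: {pac}")
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        settings = load_export(sys.argv[1])
    else:
        settings = read_live_settings()
        if settings is None:
            settings = parse_reg_export(SAMPLE_EXPORT)
    for line in audit(settings) or ["no proxy settings found"]:
        print(line)
```

    Running it against the constructed sample reports that ProxyServer points at the local machine on port 5555. On a real box, a hit like that is only the symptom; the process bound to that port (netstat -ano, then the PID) is the thing the cleaning tools still have to remove, and the values should be cleared from both HKCU and any other user hives that show the same entries.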
  25. Olikut

    Olikut TS Rookie Topic Starter Posts: 24

    Ok. I completed that.

    Firefox still can't connect to anything in Windows normal mode.
    IE process still starts, but the window won't open in Windows normal mode.

    Both operate fine in windows safe mode w/ networking.