
reba_kay

Honorary Members
Posts: 35
Everything posted by reba_kay

  1. You assisted me last weekend with a Trojan removal and now McAfee, Microsoft Security Scanner, and Microsoft Malicious Software Removal have found a new Trojan - Medfos. Both of the Microsoft products say they partially removed it. I tried to find the file to delete, but I can't find it. I ran Malwarebytes Anti-Rootkit twice and it didn't find it, nor did regular Malwarebytes. I also ran RogueKiller in between running MBAM. I would appreciate your assistance again. mbar-log-2012-11-18 (08-12-25).txt msert1.txt RKreport1_S_11182012_02d0753.txt
  2. Can't thank you enough for your assistance! I really appreciate your time!

  3. I do have a few questions: Do I also delete TDSS, MBAR, and Security Check? After reading your preventative maintenance... should I uninstall McAfee and install Microsoft Security Essentials instead, then upgrade to Malwarebytes Pro, and download WOT? Also, as I go into all my accounts, should I change all my passwords? Thanks again for your help!
  4. Scan completed and log attached. Since I use Firefox, should I just uninstall IE8? Uninstall Adobe Reader too? checkup.txt
  5. Both logs are attached. Thank you! mbam-log-2012-11-10 (12-04-49).txt RKreport-11102012.txt
  6. Attached is the ComboFix log. I thought I had disabled everything, but I think an anti-spyware might have been running... would that affect ComboFix? combofix.txt
  7. Good morning and thanks for your continued help. I am attaching the logs. The first one is one I had run yesterday before you started helping me. 2a, b, and c are from this morning. 2a.txt 2b.txt 2c.txt tdssreport.txt
  8. RogueKiller V8.2.3 [11/07/2012] by Tigzy
     mail: tigzyRK<at>gmail<dot>com
     Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
     Website: http://tigzy.geekstogo.com/roguekiller.php
     Blog: http://tigzyrk.blogspot.com

     Operating System: Windows 7 (6.1.7600 ) 64 bits version
     Started in : Normal mode
     User : BNB [Admin rights]
     Mode : Scan -- Date : 11/09/2012 21:45:48

     ¤¤¤ Bad processes : 0 ¤¤¤

     ¤¤¤ Registry Entries : 10 ¤¤¤
     [HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
     [HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
     [HJPOL] HKLM\[...]\Wow6432Node\System : DisableTaskMgr (0) -> FOUND
     [HJPOL] HKLM\[...]\Wow6432Node\System : DisableRegistryTools (0) -> FOUND
     [HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
     [HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
     [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
     [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
     [HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-18\$c614d3bf243a3fd7a4fd36cd3756874b\n.) -> FOUND
     [HJ INPROC][ZeroAccess] HKLM\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-18\$c614d3bf243a3fd7a4fd36cd3756874b\n.) -> FOUND

     ¤¤¤ Particular Files / Folders: ¤¤¤

     ¤¤¤ Driver : [NOT LOADED] ¤¤¤

     ¤¤¤ Infection : Rans.Gendarm ¤¤¤

     ¤¤¤ HOSTS File: ¤¤¤
     --> C:\Windows\system32\drivers\etc\hosts

     ¤¤¤ MBR Check: ¤¤¤

     +++++ PhysicalDrive0: WDC WD5000BEVT-75A0RT0 +++++
     --- User ---
     [MBR] dd6967e897e9549401c89a8d9f38da4a
     [bSP] dea9defa67a18cc486b8c709b2ee22f0 : Windows Vista MBR Code
     Partition table:
     0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 101 Mo
     1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 208845 | Size: 15000 Mo
     2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 30928845 | Size: 461837 Mo

     User = LL1 ... OK!
     User = LL2 ... OK!

     Finished : << RKreport[1]_S_11092012_02d2145.txt >>
     RKreport[1]_S_11092012_02d2145.txt
  9. Mr. C, Thanks for your help. Will this also fix the svchost.exe issue as well? I have attached the two log files. Thanks again for your help! mbar-log-2012-11-09 (20-50-23).txt mbar-log-2012-11-09 (21-25-41).txt
  10. I've seen lots of posts on removing svchost.exe, so I attempted to start down the removal path. Malwarebytes has removed svchost.exe several times, but it keeps finding it again. I have also used McAfee, Kaspersky, and others. After reading posts, it seems the first step is to run RogueKiller. I have done that and here is the log. It looks like there is another problem, too???? Not sure what my next step should be.

     mail: tigzyRK<at>gmail<dot>com
     Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
     Website: http://tigzy.geekstogo.com/roguekiller.php
     Blog: http://tigzyrk.blogspot.com

     Operating System: Windows 7 (6.1.7600 ) 64 bits version
     Started in : Normal mode
     User : BNB [Admin rights]
     Mode : Scan -- Date : 11/09/2012 19:01:17

     ¤¤¤ Bad processes : 0 ¤¤¤

     ¤¤¤ Registry Entries : 10 ¤¤¤
     [HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
     [HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
     [HJPOL] HKLM\[...]\Wow6432Node\System : DisableTaskMgr (0) -> FOUND
     [HJPOL] HKLM\[...]\Wow6432Node\System : DisableRegistryTools (0) -> FOUND
     [HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
     [HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
     [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
     [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
     [HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-18\$c614d3bf243a3fd7a4fd36cd3756874b\n.) -> FOUND
     [HJ INPROC][ZeroAccess] HKLM\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-18\$c614d3bf243a3fd7a4fd36cd3756874b\n.) -> FOUND

     ¤¤¤ Particular Files / Folders: ¤¤¤
     [ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-18\$c614d3bf243a3fd7a4fd36cd3756874b\U --> FOUND
     [ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-21-448086352-994739028-191266335-1000\$c614d3bf243a3fd7a4fd36cd3756874b\U --> FOUND
     [ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-18\$c614d3bf243a3fd7a4fd36cd3756874b\L --> FOUND
     [ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-21-448086352-994739028-191266335-1000\$c614d3bf243a3fd7a4fd36cd3756874b\L --> FOUND

     ¤¤¤ Driver : [NOT LOADED] ¤¤¤

     ¤¤¤ Infection : Rans.Gendarm ¤¤¤

     ¤¤¤ HOSTS File: ¤¤¤
     --> C:\Windows\system32\drivers\etc\hosts