avalonnyc

Thanks for your help Gringo, and sorry for the delay. Please close this thread. Combofix frequently breaks the LMI Rescue connection I was using to do this remotely, so I elected to stop with this and remove the infection with other means.

Hi Gringo, After I posted, and before I got your reply, I used Process Explorer to identify two rundll32.exe processes that were loading two DLLs that were recreating the CRX file that MSE was removing, and then deleted the CRX and the two DLLs on reboot using Sysinternal's movefile.exe. Now I see no further problems, but have followed your instructions and here are the logs you requested. Note that all the LMI stuff referenced in RogueKiller is LogMeIn Rescue, which I am using to do this all remotely from another machine. Results of screen317's Security Check version 0.99.56 Windows 7 Service Pack 1 x86 (UAC is enabled) Internet Explorer 8 Out of date! ``````````````Antivirus/Firewall Check:`````````````` Windows Firewall Enabled! Microsoft Security Essentials Antivirus up to date! `````````Anti-malware/Other Utilities Check:````````` Malwarebytes Anti-Malware version 1.70.0.1100 Adobe Flash Player 11.5.502.135 Adobe Reader 9 Adobe Reader out of Date! ````````Process Check: objlist.exe by Laurent```````` Microsoft Security Essentials msseces.exe Windows Defender MSMpEng.exe Microsoft Security Client Antimalware MsMpEng.exe Microsoft Security Client Antimalware NisSrv.exe `````````````````System Health check````````````````` Total Fragmentation on Drive C: 26% Defragment your hard drive soon! (Do NOT defrag if SSD!) ````````````````````End of Log`````````````````````` # AdwCleaner v2.104 - Logfile created 01/03/2013 at 01:54:14 # Updated 29/12/2012 by Xplode # Operating system : Windows 7 Professional Service Pack 1 (32 bits) # User : GKorba - GKORBA01 # Boot Mode : Normal # Running from : C:\Users\gkorba\Desktop\adwcleaner.exe # Option [Delete] ***** [services] ***** ***** [Files / Folders] ***** ***** [Registry] ***** ***** [internet Browsers] ***** -\\ Internet Explorer v8.0.7601.17514 [OK] Registry is clean. ************************* AdwCleaner[s1].txt - [517 octets] - [03/01/2013 01:54:14] ########## EOF - C:\AdwCleaner[s1].txt - [576 octets] ########## RogueKiller V8.4.2 [Dec 31 2012] by Tigzy mail : tigzyRK<at>gmail<dot>com Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/ Website : http://tigzy.geekstogo.com/roguekiller.php Blog : http://tigzyrk.blogspot.com/ Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version Started in : Normal mode User : GKorba [Admin rights] Mode : Remove -- Date : 01/03/2013 02:03:25 ¤¤¤ Bad processes : 6 ¤¤¤ [sUSP PATH] unattended_srv.exe -- C:\Users\gkorba\AppData\Local\LogMeIn Rescue Unattended\LMIR0001.tmp\unattended_srv.exe -> KILLED [TermProc] [DLL] explorer.exe -- C:\Windows\explorer.exe : C:\Users\gkorba\AppData\Local\LOGMEI~1\LMIR0001.tmp\rahook.dll -> UNLOADED [DLL] explorer.exe -- C:\Windows\explorer.exe : C:\Users\gkorba\AppData\Local\LOGMEI~1\LMIR0001.tmp\LMIRhook.000.dll -> UNLOADED [sUSP PATH] unattended.exe -- C:\Users\gkorba\AppData\Local\LogMeIn Rescue Unattended\LMIR0001.tmp\unattended.exe -> KILLED [TermProc] [DLL] explorer.exe -- C:\Windows\explorer.exe : C:\Users\gkorba\AppData\Local\LOGMEI~1\LMIR0001.tmp\LMIRhook.000.dll -> UNLOADED [DLL] explorer.exe -- C:\Windows\explorer.exe : C:\Users\gkorba\AppData\Local\LOGMEI~1\LMIR0001.tmp\LMIRhook.000.dll -> UNLOADED ¤¤¤ Registry Entries : 3 ¤¤¤ [HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> REPLACED (1) [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0) [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0) ¤¤¤ Particular Files / Folders: ¤¤¤ ¤¤¤ Driver : [LOADED] ¤¤¤ ¤¤¤ HOSTS File: ¤¤¤ --> C:\Windows\system32\drivers\etc\hosts ¤¤¤ MBR Check: ¤¤¤ +++++ PhysicalDrive0: SAMSUNG SSD PM800 TM 128 +++++ --- User --- [MBR] f581396ca32fa274db6c6e51095e85b1 [bSP] bd88243ba1753a8780c06e4eb19307c6 : Windows Vista MBR Code Partition table: 0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo 1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 9618 Mo 2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 19779584 | Size: 112445 Mo User = LL1 ... OK! User = LL2 ... OK! Finished : << RKreport[3]_D_01032013_02d0203.txt >> RKreport[1]_S_01022013_02d1911.txt ; RKreport[2]_S_01032013_02d0200.txt ; RKreport[3]_D_01032013_02d0203.txt Thanks, John Wilson

Got "Rogue.SystemProgressiveProtection" from a fake Fedex emails. Ran updated MBAM and it removed several items: Files Detected: 4 C:\ProgramData\B2FCF13D1007295A0000B2FC3E4B33BC\B2FCF13D1007295A0000B2FC3E4B33BC.exe (Trojan.Lameshield.124) -> Quarantined and deleted successfully. C:\Users\gkorba\Desktop\System Progressive Protection.lnk (Rogue.SystemProgressiveProtection) -> Quarantined and deleted successfully. C:\Users\gkorba\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Progressive Protection\System Progressive Protection.lnk (Rogue.SystemProgressiveProtection) -> Quarantined and deleted successfully. And subsequent full MBAM scan showed all clean. Then MSE kept finding Trojan:JS/Medfos.B in %appdata%\local\-f3a8-4422-bcdb-d6c8ded53e42.crx->manager.js, and it keeps coming back after telling MSE to delete it. I found the process that keeps creating that CRX is "C:\Windows\System32\rundll32.exe" "C:\Users\gkorba\AppData\Roaming\dlosat.dll",Reversed_Type, but I don't know how to get rid of it. Attached are dds.txt and attach.txt Thanks! Attach.txt DDS.txt