negster22 (Experts; 1,157 posts)
Posts posted by negster22

  1. We're going to rerun OTL with a script as follows:

    • Disable the active protection component of your antivirus by following the directions that apply here:
      http://www.bleepingcomputer.com/forums/topic114351.html
    • Close all open windows on the Task Bar. Click the OTL icon (for Vista or Win 7, right click the icon and Run as Administrator) to restart the OTL program.
    • Under the Custom Scans/Fixes box at the bottom, paste in the following
      :OTL
      O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
      :File
      C:\Users\k\AppData\Local\{D76FD82B-FA59-4188-A2DF-67042DC86ADC}
      C:\Users\k\AppData\Local\{510AE91C-6DCD-4999-804F-AECDE2D6293E}
      C:\Users\k\AppData\Local\{2974EE54-CBF8-4F6E-8C9E-945FAE5FE2F7}
      C:\Users\k\AppData\Local\{0471B5EB-7174-421A-BB05-C9B8E57CF681}
      C:\Users\k\AppData\Local\{E920A6F0-F7E2-4463-A4B0-4494531F6CAC}
      C:\Users\k\AppData\Local\{B013FC51-886C-4C59-9ABF-F426869744B8}
      C:\Users\k\AppData\Local\{8A307458-C42C-49FB-A4F8-98C7F99690BB}
      C:\Users\k\AppData\Local\{F4334F42-857D-4CFA-9298-3C50DCC1C73C}
      C:\Users\k\AppData\Local\{708C86DE-44D4-43DC-96EB-6D1651636844}
      C:\Users\k\AppData\Local\{03784383-AB5F-4EC4-AF82-B379CA02A81F}
      C:\Users\k\AppData\Local\{EC8463CE-7AAC-49FA-95AD-53A7669321BA}
      C:\Users\k\AppData\Local\{0535FC7E-42EC-40C3-8000-1E8DD30778EF}
      C:\Users\k\AppData\Local\{341056B5-BFBD-4AC9-B7B8-BFDA250A50E5}
      C:\Users\k\AppData\Local\{9B1B80AC-FA57-43A5-96CA-6184033112F6}
      C:\Users\k\AppData\Local\{CA8B584A-DD0C-417F-9394-951BA995FAE7}
      C:\Users\k\AppData\Local\{17919AB4-9A84-4500-A2C9-9D9433FA99AF}
      C:\Users\k\AppData\Local\{81BF7F96-C8CC-4242-A042-E2D6164A558F}
      C:\Users\k\AppData\Local\{60DF154A-B22B-4E45-B4C1-39553FA69344}
      :Commands
      [purity]
      [resethosts]
      [emptytemp]
      [emptyflash]
      [createrestorepoint]
      [reboot]


    • Now click Run Fix and let the program run uninterrupted.
    • It should reboot your PC when it is done, if it doesn't please reboot manually.
    • Copy/Paste OTL Log in your next reply

    This entry in your log shows that you downloaded Combofix:

    [2011/02/01 19:36:12 | 004,263,406 | ---- | M] () -- C:\Users\k\Desktop\Combo-Fix.exe

    Did you run it, and if you did I need to see this log:

    C:\Combofix.txt

    If there is more than one log, I'd like to see all of them copied and pasted into your topic.

    If you connect through a router, it is very possible and probable that your router may be the source of your infection. Have you tried resetting it or connecting directly to your modem via an Ethernet cable (hard-wired) connection?

  2. Westchester County, NY - great place, I used to work there and live just across the river in Rockland. Great area!

    I agree, usually that is, but now it looks more like a frozen Tundra!

    You can delete this directory:

    c:\users\Serge\AppData\Roaming\spcgfmeua

    But, please upload this file for scanning at VirusTotal

    c:\programdata\jNjLm04200\jNjLm04200

    Select the "Upload a File" Tab.

    Click the "Browse" button and a Windows Explorer-type interface will open that enables you to navigate through your file system.

    Locate the suspect file you want analyzed for its threat potential, left-click that file, and click "Send File" to upload it to VirusTotal.

    If the file was previously scanned VirusTotal will display a message to that effect.

    If that happens Select "Reanalyze".

    Wait for it to be scanned and post back the url (copy/paste the link to the scan result page from your browser's address bar) if any of the scanners determine the file to be a threat.

    ========

    Yes, that Qoobox directory contains Combofix quarantined items, among other things (so detections there represent inactive quarantined threats)!

    I didn't see nt.dll in the Combofix deletions, so I'd like you to do this:

    Please open a run line (click Start, type Run into the Start Search box, and under the "Programs" heading, select -> Run)

    Copy/paste the following bolded text into the Run box and click OK:

    C:\Qoobox\ComboFix-quarantined-files.txt

    A report should open in Notepad. Please copy/paste its contents in your next reply.

    Thanks for running the ESET scan - that is normally my next suggested step after Combofix has done its job!

    Are the redirects gone now?

  3. Now, you know why Explorer would not open!

    I want to check out the contents of those two suspicious directories by creating and running a batch script, as follows:

    (If you have any script-blocking programs or components in your security line-up, such as Norton script blocking, you will have to disable it)

    1. Open Notepad, and on the Notepad menu, choose "Format" and make sure that Word Wrap is UNchecked (disabled).

    2. Copy/Paste the text in the code box below and save it to your desktop as dirlist.bat, by using the File -> "Save as" function on the Notepad Menu (be sure to set the Save as type to "All Files")!!!

    dir /a /s c:\users\Serge\AppData\Roaming\spcgfmeua > dirlist.txt
    dir /a /s c:\programdata\jNjLm04200 >> dirlist.txt
    Notepad dirlist.txt

    3. Right-click dirlist.bat on your desktop and select "Run as Administrator".

    4. Paste back the contents of the file dirlist.txt that opens in Notepad.

  4. Why don't you start explorer.exe from task manager and then you will have your desktop back.

    Please post TDSSKiller if you have it. First see if Combofix produced the log at this location:

    C:\Combofix.txt

    If not, then you can try to get Combofix to complete, by running it in safe mode. Make sure ALL anti-virus and anti-malware are turned off.

    Also, these two folders look suspicious due to random naming:

    2011-01-16 00:55:52 -------- d-----w- c:\users\serge\appdata\roaming\spcgfmeua

    2011-01-09 22:31:30 -------- d-----w- c:\progra~2\jNjLm04200

    You can check out what's in there and report back.

  5. Hi and Welcome, effa!

    Download TFC to your desktop

    http://oldtimer.geekstogo.com/TFC.exe

    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job
    • Once it's finished it should automatically reboot your machine,
    • if it doesn't, manually reboot to ensure a complete clean

    It's normal after running TFC cleaner that the PC will be slower to boot the first time.

    Next, download this Antirootkit Program to a folder that you create such as C:\ARK, by choosing the "Download EXE" button on the webpage.

    Note: Please don't worry - it's normal for it to have a weird looking multi-char gibberish name

    Disable the active protection component of your antivirus and antispyware programs by following the directions that apply here:

    http://www.bleepingcomputer.com/forums/topic114351.html

    Please perform a rootkit scan:

    • Double-click the randomly named EXE located in the C:\ARK folder that you just downloaded to run the program.
    • When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
    • When the scan is finished (a few seconds), Save the scan log to the Windows clipboard
    • Open Notepad or a similar text editor
    • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctrl+V
    • Exit the Program
    • Save the Scan log as ARKQ.txt and post it in your next reply. If the log is very long attach it please.

    -

    Some background information on what we're planning to do can be found HERE

    Please read carefully and follow these steps.

    • Download TDSSKiller and save it to your Desktop.
    • Extract its contents to your desktop.
    • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

    ===========

    Download OTL and save it on your desktop:

    http://oldtimer.geekstogo.com/OTL.exe

    • Close all open windows on the Task Bar. Click the OTL icon (for Vista or Win 7, right click the icon and Run as Administrator) to start the program.
    • In the lower right corner of the Top Panel, checkmark "LOP Check" and checkmark "Purity Check".
    • Now click Run Scan at Top left and let the program run uninterrupted. The scan may take 5-10 minutes.
    • Do NOT touch your keyboard until the scan is done!!
    • It will produce two (2) logs on your desktop, one will pop up called OTL.txt; the other will be named Extras.txt.
    • Copy/Paste OTL.txt and attach Extras.txt into your next reply,
    • Exit OTL by clicking the X at top right.

    Please Copy/Paste the following logs into your next reply (do NOT attach them):

    1. ARKQ.txt

    2. TDSSKiller

    3. OTL

  6. Hi and Welcome!

    Download TFC to your desktop

    http://oldtimer.geekstogo.com/TFC.exe

    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job
    • Once it's finished it should automatically reboot your machine,
    • if it doesn't, manually reboot to ensure a complete clean

    It's normal after running TFC cleaner that the PC will be slower to boot the first time.

    Next, download this Antirootkit Program to a folder that you create such as C:\ARK, by choosing the "Download EXE" button on the webpage.

    Disable the active protection component of your antivirus by following the directions that apply here:

    http://www.bleepingcomputer.com/forums/topic114351.html

    Please perform a rootkit scan:

    • Double-click the randomly named EXE located in the C:\ARK folder that you just downloaded to run the program.
    • When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
    • After the automatic "quick" scan is finished (a few seconds), if you're prompted to perform a full system scan due to potential ROOTKIT activity - respond with a No
    • In the right pane, UNCHECK the following items:
      • Drives/Partition other than System drive (typically only C:\ should be checked)
      • IAT/EAT
      • Show All (this should be unchecked by default)
    • Select the Scan button.
    • Leave your system completely idle while this longer scan is in progress.
    • When the scan is done, save the scan log to the Windows clipboard
    • Open Notepad or a similar text editor
    • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctrl+V
    • Exit the Program
    • Save the Scan log as ARK.txt and post it in your next reply. If the log is very long attach it please.
    • Re-enable your antivirus and any antimalware programs you disabled before running the scan

    Some background information on what we're planning to do can be found HERE

    Please read carefully and follow these steps.

    • Download TDSSKiller and save it to your Desktop.
    • Extract its contents to your desktop.
    • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

    ===========

    Please Run ComboFix by following the steps provided in exactly this sequence:

    Here is a tutorial that describes how to download, install and run Combofix. Please thoroughly review it before proceeding:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Very Important! BEFORE downloading Combofix, temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:

    http://www.bleepingcomputer.com/forums/topic114351.html

    Note: The above tutorial does not tell you to rename Combofix as I am about to instruct you to do in the following instructions, so make sure you complete the renaming step before launching Combofix.

    Using ComboFix ->

    Please download Combofix from one of these locations:

    HERE or HERE

    I want you to rename Combofix.exe as you download it to iexplore.exe

    Notes:

    • It is very important that you save the newly renamed EXE file to your desktop.
    • You must rename Combofix.exe as you download it and not after it is on your computer.
      You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
      • Open Firefox
      • Click Tools -> Options -> Main
      • Under the downloads section check the button that says "Always ask me where to save files".
      • Click OK
    • For Internet Explorer:
      • Choose to save, not open the file
      • When prompted - save the file to your desktop, and rename it iexplore.exe.

    Running Combofix

    In the event you already have Combofix, please delete it as this is a new version.

    • Close any open browsers and programs.
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • If Combofix asks to update, please allow it to do so. If it renames itself back to Combofix.exe - this is normal!!
    • If You are running Windows XP, and Combofix asks to install the Recovery Console, please allow it to do so or it WILL NOT perform its normal malware removal capabilities. This is for your safety !!

    1. To Launch Combofix

    Click Start --> Run, and enter (copy/paste) this command exactly as shown:

    "%userprofile%\desktop\iexplore.exe" /killall

    2. When finished, it will produce a logfile located at C:\ComboFix.txt

    3. Post the contents of that log in your next reply.

    Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.

    Please post C:\ComboFix.txt in your next reply.

    If You have problems running Combofix then try running it in "Safe Mode with Networking" as follows:

    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading normally, the Advanced Options Menu should appear;
    • Select the option, to run Windows in "Safe Mode with Networking", then press Enter.
    • Choose your usual account, and launch Combofix as directed above.

    Please Copy/Paste the following logs into your next reply:

    1. ARK.txt

    2. TDSSKiller

    3. Combofix.txt

  7. Hi and Welcome!

    First, disable Spybot's TeaTimer or any fixes we make will be reversed. This is a two step process.

    First:

    - Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)

    - Choose Exit Spybot S&D Resident

    Second:

    - Open Spybot S&D

    - Click Mode, check Advanced Mode

    - Go To Left Panel, Click Tools, then also in left panel, click Resident

    Uncheck the following: Resident "TeaTimer" (Protection of over-all system settings) Active.

    Keep Teatimer OFF until we are completely finished with your clean-up!!!

    Download TFC to your desktop

    http://oldtimer.geekstogo.com/TFC.exe

    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job
    • Once it's finished it should automatically reboot your machine,
    • if it doesn't, manually reboot to ensure a complete clean

    It's normal after running TFC cleaner that the PC will be slower to boot the first time.

    Some background information on what we're planning to do can be found HERE

    Please read carefully and follow these steps.

    • Download TDSSKiller and save it to your Desktop.
    • Extract its contents to your desktop.
    • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

    ===========

    Download OTL and save it on your desktop:

    http://oldtimer.geekstogo.com/OTL.exe

    • Close all open windows on the Task Bar. Click the OTL icon (for Vista or Win 7, right click the icon and Run as Administrator) to start the program.
    • In the lower right corner of the Top Panel, checkmark "LOP Check" and checkmark "Purity Check".
    • Now click Run Scan at Top left and let the program run uninterrupted. The scan may take 5-10 minutes.
    • Do NOT touch your keyboard until the scan is done!!
    • It will produce two (2) logs on your desktop, one will pop up called OTL.txt; the other will be named Extras.txt.
    • Copy/Paste OTL.txt and attach Extras.txt into your next reply,
    • Exit OTL by clicking the X at top right.

    Please Copy/Paste the following logs into your next reply:

    1. TDSSKiller

    2. OTL

  8. You're welcome!!! I'm glad your PC is running better and that MSE is now fully functional.

    What did the KBDTH3R.dll search turn up?

    It appears that file was deleted successfully by Combofix (though we do not have the Combofix log) and it was definitely malicious. However, it never made it to the developer for analysis because of the Combofix stalling problem.

    jld-dave is talking about a server configuration with networked client computers, and You do not have that type of network set-up.

    Defogger is a program that disables disk emulation software like Daemon Tools or Alcohol, and since I see no sign of those in your logs, You can go ahead and follow the re-enable directions:

    To re-enable your Emulation drivers, double click DeFogger to run the tool.

    # The application window will appear

    # Click the Re-enable button to re-enable your CD Emulation drivers.

    # Click Yes to continue

    # A 'Finished!' message will appear

    # Click OK

    # DeFogger will now ask to reboot the machine - click OK

    # IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

    # Your Emulation drivers are now re-enabled.

    Keep an eye on the MBAM IP alerts for a while longer and I'll keep this topic open so You can report back!

  9. The registry start-up for the malicious file has been deleted by Combofix as it is no longer appearing in DDS.txt!

    That was smart of you to run DDS.SCR on your own.

    Now lets do a search for the file that start-up was referencing:

    KBDTH3R.dll:

    Open a Notepad

    Copy and paste the following into Notepad:

    cd\
    dir /a /s KBDTH3R.dll > findfile.txt
    notepad findfile.txt

    Save the file to your desktop as findfile.bat, by setting the Save as File Type to "All files".

    Right-click findfile.bat on your desktop, and select "Run as Administrator".

    Your PC will search for the file.

    When the search is done, a Notepad file will open.

    Please copy and paste the search results in that Notepad file in your next reply.

    ==========

    Since You're still getting the outbound connection alerts from MBAM, we will troubleshoot that with Process Explorer and TCPView in combination.

    FYI: There are 193 domains (sites) hosted on IP Address 208.73.210.29

    http://sameip.org/ip/208.73.210.29

    1. Download TCPView for Windows:

    http://technet.microsoft.com/en-us/sysinternals/bb897437

    Create a new folder called C:\TCPView and then download and UNZIP TCPView to that folder

    2. Download Process Explorer for Windows:

    http://technet.microsoft.com/en-us/sysinternals/bb896653

    Create a new folder called C:\ProcessExplorer and then download and UNZIP Process Explorer to that folder

    The basic steps to catch "transmitting malware" in the act are:

    1. Use TCPView to inspect which processes have open ports. The processes will be identified by name and PID (process ID).

    2. We want to identify the svchost process that is attempting outbound connections to 208.73.210.29 and determine its Process ID (PID) from the network activity reported by TCPView. This way we can then identify what services (DLLs) are loaded by the svchost in question by running Process Explorer.

    3. Then it becomes a matter of correlating the data presented in 1 & 2 to see if any of the Dynamic Link Libraries (DLLs) loaded by that targeted (suspicious) svchost are malicious.

    This is how you accomplish what I've just outlined above:

    Right-Click TCPView.exe and select "Run as Administrator" to launch it.

    On the Menu, Click -> Options and if "Resolve Addresses" is not checked, CHECK it

    As soon as MBAM throws up a "block" alert, keep an eye on the TCPView display and when You see an outbound connection attempt to 208.73.210.29, You need to get the PID of the responsible svchost.exe.

    In the Process Column, the PID is the number that appears after the colon:

    svchost.exe:1334

    In the above example, the PID is 1334

    Next, Launch Process Explorer, by right-clicking Procexp.exe and selecting "Run as Administrator".

    On the Menu, Under View -> "Show lower Pane" and "Verify Signatures" should both be CHECKED.

    Select (click) the svchost.exe Process with the PID that matches the one "phoning home" in TCPView

    Let the Lower Pane refresh to show the loaded DLLs

    Then click File -> Save and save the Process Explorer log and post it back here.

    This may not work if MBAM is blocking the connections so You may have to disable MBAM's "Website Blocking" feature by right-clicking the MBAM system tray icon, and clicking "Website Blocking" so that it is disabled (UNCHECKED).

    As soon as you "catch" the responsible svchost.exe, and produce a log in Process Explorer, you can re-enable MBAM's website blocking.
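    The TCPView / Process Explorer correlation described in the post above, done by script. This is an added example and not negster22's code or anything from the post: step 1 finds which PIDs own TCP connections to the remote IP (parsing "netstat -ano"), step 2 lists the services hosted by that svchost.exe ("tasklist /svc"), step 3 lists every DLL loaded in the process with its Authenticode signature status and flags modules that are unsigned or loaded from outside %WINDIR%. The function names, the flagging rule and the CSV output path are this example's own; the default IP is the one named in the post. Run from an elevated PowerShell prompt (PowerShell 3 or later assumed).

```powershell
# Added example, not part of the original post. Script-level param must come first.
param([string]$RemoteIp = '208.73.210.29')

function Get-PidsTalkingTo {
    param([string]$Ip)
    # A "netstat -ano" TCP line looks like:
    #   TCP    192.168.1.5:49211    208.73.210.29:80    SYN_SENT    1334
    # Fields: proto, local, remote, state, PID. UDP lines have no state column, so skip them.
    $found = @()
    foreach ($line in (netstat -ano)) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -ge 5 -and $f[0] -eq 'TCP' -and $f[2] -like "${Ip}:*") {
            $found += [int]$f[4]
        }
    }
    $found | Sort-Object -Unique
}

function Get-LoadedModuleReport {
    param([int]$TargetPid)
    $proc = Get-Process -Id $TargetPid -ErrorAction Stop
    try { $modules = $proc.Modules } catch { Write-Warning "Cannot read modules of PID $TargetPid ($_)"; return }
    foreach ($m in $modules) {
        $sig = Get-AuthenticodeSignature -FilePath $m.FileName
        $inWindows = $m.FileName -like "$env:WINDIR\*"
        # Service DLLs legitimately hosted by svchost live under %WINDIR% and carry a valid
        # signature; an unsigned DLL, or one under a user profile / ProgramData, is the
        # "transmitting malware" the post is looking for (this rule is the example's own).
        [pscustomobject]@{
            PID        = $TargetPid
            Process    = $proc.ProcessName
            Module     = $m.FileName
            Signature  = $sig.Status
            Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Suspicious = ($sig.Status -ne 'Valid') -or (-not $inWindows)
        }
    }
}

$pids = @(Get-PidsTalkingTo -Ip $RemoteIp)
if ($pids.Count -eq 0) {
    Write-Host "No TCP connection to $RemoteIp right now. Re-run the moment MBAM raises a block alert (or with its Website Blocking temporarily off, as the post notes)."
    return
}
foreach ($p in $pids) {
    Write-Host "`n== PID $p : services hosted (tasklist /svc) =="
    tasklist /svc /fi "PID eq $p"
    $report = @(Get-LoadedModuleReport -TargetPid $p)
    Write-Host "`n== PID $p : modules that are unsigned or outside $env:WINDIR =="
    $report | Where-Object { $_.Suspicious } | Format-Table -AutoSize Module, Signature, Signer
    # Full module list, the equivalent of Process Explorer's File -> Save, for posting back.
    $report | Export-Csv -NoTypeInformation -Path "$env:USERPROFILE\Desktop\modules_$p.csv"
}
```

    A connection that is already blocked by MBAM may never show up in netstat, which is the same limitation the post describes for TCPView; a SYN_SENT entry that appears and vanishes is enough, since the PID is captured on the first pass that sees it. The "Suspicious" column is a triage hint, not a verdict: a signed DLL under %WINDIR% can still be hijacked, so anything hosted in that svchost that you do not recognise still deserves a VirusTotal lookup.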

  10. Now we have to run Combofix again with a script, to get rid of your infection.

    1. Open Notepad, and on the Notepad menu, choose "Format" and make sure that Word Wrap is UNchecked (disabled).

    2. Copy/Paste the text in the code box below and save it to your desktop as CFScript.txt by using the File -> "Save as" Notepad Menu function.

    http://forums.malwarebytes.org/index.php?showtopic=73638&st=0entry379895

    KillAll::

    DDS::
    mRun: [<NO NAME>]

    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "fyqoc"=-

    Collect::
    c:\users\Jonker\AppData\Roaming\KBDTH3R.dll

    3. Disable all anti-malware and antivirus active protection by referring to these directions HERE

    4. Close All Open Windows and Browsers,

    [image: CFScriptB-4.gif, showing CFScript.txt being dragged onto ComboFix.exe]

    Referring to the picture above, drag CFScript.txt into ComboFix.exe

    This will cause ComboFix to run again.

    If the run does not finish or You have problems, please launch Combofix in safe mode following the same directions as above.

    NOTE: If ComboFix prompts you to:

    • Update to a newer version, make sure you allow it to update.
    • Upload infected files for analysis (it should), please allow it to do so.

    Please copy/paste the log (C:\Combofix.txt) that opens when it finishes (Do NOT attach it) into your next reply.

    Please let me know if you're still experiencing the outbound connection alerts from MBAM because I thought of a way to troubleshoot them.
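    An added example, not negster22's code or part of the post: the CFScript above deletes one Run value ("fyqoc"=-) and collects the DLL it launches. The script below audits the Run / RunOnce autostart keys for the same pattern in general, a script-host or DLL loader (rundll32, regsvr32, mshta, wscript, cscript, powershell) whose argument sits in a user-writable directory, or a value with no name (what DDS prints as [<NO NAME>]), and can delete one named value the way the Registry:: section does. The detection rules, the -Remove switch and the CSV path are this example's own. Run elevated so the HKLM keys are readable and writable; PowerShell 3 or later assumed.

```powershell
# Added example, not part of the original post.
param([string]$Remove)   # name of a Run value to delete, e.g. -Remove fyqoc

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Test-SuspiciousRunValue {
    param([string]$Name, [string]$Command)
    $c = $Command.ToLowerInvariant()
    # Living-off-the-land loaders: the binary is legitimate, the payload is the argument.
    $loader       = $c -match '\b(rundll32|regsvr32|mshta|wscript|cscript|powershell)\b'
    # Paths any user can write to; a real autostart almost never loads code from here.
    $userWritable = $c -match '\\(appdata|programdata|temp|users\\public)\\'
    # An empty value name is what DDS shows as [<NO NAME>] in the post's log.
    $noName       = [string]::IsNullOrWhiteSpace($Name)
    return (($loader -and $userWritable) -or $noName)
}

function Get-RunAudit {
    $skip = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($skip -contains $p.Name) { continue }
            $cmd = [string]$p.Value
            [pscustomobject]@{
                Key        = $key
                Name       = $p.Name
                Command    = $cmd
                Suspicious = Test-SuspiciousRunValue -Name $p.Name -Command $cmd
            }
        }
    }
}

$audit = @(Get-RunAudit)
$audit | Format-Table -AutoSize -Wrap Suspicious, Name, Command, Key
$audit | Export-Csv -NoTypeInformation -Path "$env:USERPROFILE\Desktop\run_audit.csv"

if ($Remove) {
    foreach ($hit in ($audit | Where-Object { $_.Name -eq $Remove })) {
        Write-Host "Removing $($hit.Key)\$Remove  ->  $($hit.Command)"
        Remove-ItemProperty -Path $hit.Key -Name $Remove -ErrorAction Stop
    }
}
```

    Deleting the Run value only stops the loader from being started at logon; the DLL it points to is still on disk and still has to be quarantined or submitted, which is what the Collect:: line in the CFScript takes care of. Run the audit once more after the reboot, since a value that reappears means something else (a service, a scheduled task, or another autostart) is re-creating it.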

  11. Please re-enable MSE!! I am glad that you can now access it and that it's running fine.

    I have to examine your logs and focus on the rest of what you said in your reply, but I wanted to let you know that those Java Exploit detections were in Java Cache as I suspected.

    This is how you can clear the Java cache:

    Go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)

    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files

    • Click OK on Delete Temporary Files Window

      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

    • Click OK to leave the Temporary Files Window

    • Click OK to leave the Java Control Panel.

    As Java Cache can be an infection repository, You can clean it out on a regular basis and/or quickly scan it periodically for infectious elements, by right-clicking the following folder and selecting the "Scan with <Your antivirus>" option:

    The location of this folder usually is:

    In Vista and Windows 7:

    C:\Users\<user_name>\AppData\LocalLow\Sun\Java\Deployment\cache\

  12. Thanks for the MBAM IP detection log and the Avira log.

    The MBAM IP Log does not indicate the svchost PID so I am unable to help you diagnose what DLL may be causing the outbound requests.

    However, just by Googling I see there are a lot of people getting these alerts and wondering what they are all about, so this requires further investigation.

    But very important and firstly,

    MSE is indeed active according to your dds scan report:

    R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-10-24 43392]

    R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]

    R1 MpKsl3b08514b;MpKsl3b08514b;c:\programdata\microsoft\microsoft antimalware\definition updates\{b7f0e7f1-e4d5-4514-98ee-a4d8aee99595}\MpKsl3b08514b.sys [2011-1-25 28752]

    R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-10-24 43392]

    mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey

    All the services and EXE's related to MSE are RUNNING normally, and the autostart is intact.

    That causes a problem because You now have two active AVs and that is bad for system stability and it can cause a myriad of issues due to conflicts when both programs simultaneously perform an identical operation.

    You have to uninstall either MSE or Antivir - it's your choice. I know Antivir is completely compatible with MBAM.

    I found out that MSE records its alerts to the Windows System Event log:

    To access the System Event Log:

    • Click start | run | then paste or type eventvwr.msc into the "Start Search" box, and then at the top, click eventvwr.msc.
    • When the Event Viewer opens, in the left pane click on Event Viewer and then Windows Logs.
    • It will expand to show you four log choices: Application, Security, System, and Internet Explorer.
    • Double-click on the System Event log to display it.
    • Inspect the entries to see if there are any Warnings listed pertaining to MSE with an Event ID of 1006

    The MSE alert should match this one:

    Event Type: Warning

    Event Source: Microsoft Antimalware

    Event Category: None

    Event ID: 1006

    Microsoft Antimalware has detected spyware or other potentially unwanted software.

    For more information please see the following:

    http://go.microsoft.com/fwlink/?linkid=370...atid=2147519003

    Name: Virus:DOS/EICAR_Test_File

    You can filter the entries to make it easier to search for what you want.

    ==============================

    This entry from your DDS Scan looks suspicious so I am going to have You run a Combofix scan.

    uRun: [fyqoc] rundll32 "c:\users\jonker\appdata\roaming\KBDTH3R.dll",yuvdi

    Please make sure you remove one of your antivirus programs first, so you only have one running on your system, and it is VERY IMPORTANT that You disable your remaining AV before even downloading Combofix.

    Please Run ComboFix by following the steps provided in exactly this sequence:

    Here is a tutorial that describes how to download, install and run Combofix. Please thoroughly review it before proceeding:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Very Important! BEFORE downloading Combofix, temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:

    http://www.bleepingcomputer.com/forums/topic114351.html

    Note: The above tutorial does not tell you to rename Combofix as I am about to instruct you to do in the following instructions, so make sure you complete the renaming step before launching Combofix.

    Using ComboFix ->

    Please download Combofix from one of these locations:

    HERE or HERE

    I want you to rename Combofix.exe as you download it to iexplore.exe

    Notes:

    • It is very important that you save the newly renamed EXE file to your desktop.
    • You must rename Combofix.exe as you download it and not after it is on your computer.
      You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
      • Open Firefox
      • Click Tools -> Options -> Main
      • Under the downloads section check the button that says "Always ask me where to save files".
      • Click OK
    • For Internet Explorer:
      • Choose to save, not open the file
      • When prompted - save the file to your desktop, and rename it iexplore.exe.

    Running Combofix

    In the event you already have Combofix, please delete it as this is a new version.

    • Close any open browsers and programs.
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • If Combofix asks to update, please allow it to do so. If it renames itself back to Combofix.exe - this is normal!!
    • If you are running Windows XP, and Combofix asks to install the Recovery Console, please allow it to do so or it WILL NOT perform its normal malware removal capabilities. This is for your safety!!

    1. To Launch Combofix

    Click Start --> Run, and enter (copy/paste) this command exactly as shown:

    "%userprofile%\desktop\iexplore.exe" /killall

    2. When finished, it will produce a logfile located at C:\ComboFix.txt

    3. Post the contents of that log in your next reply.

    Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.

    Please post C:\ComboFix.txt in your next reply.

    If you have problems running Combofix then try running it in "Safe Mode with Networking" as follows:

    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading normally, the Advanced Options Menu should appear;
    • Select the option, to run Windows in "Safe Mode with Networking", then press Enter.
    • Choose your usual account, and launch Combofix as instructed above.

    Some background information on what we're planning to do can be found HERE

    Please read carefully and follow these steps.

    • Download TDSSKiller and save it to your Desktop.
    • Extract its contents to your desktop.
    • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure; click on Continue.
      (screenshot: TDSSKillerMal-1.png)
    • If a suspicious file is detected, the default action will be Skip; click on Continue.
      (screenshot: TDSSKillerSuspicious-1.png)
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
      (screenshot: TDSSKillerCompleted.png)
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

    Please post back the:

    1. Combofix log

    2. TDSSKiller log

  13. Open Notepad and copy/paste the following text from the code box into it.

    Save it as a test.exe file by setting the "Save as Type" to All Files.

    X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

    MSE, if active, should recognize this as a threat and quarantine it.

    The IP address you gave is located in LA, CA. It is not on a spam blocklist.

    Java detections may have been in Java cache which is a common reservoir for threats.

    You can run Process Explorer from here:

    http://technet.microsoft.com/en-us/sysinternals/bb896653

    and check if the MSE services are running (salmon color).

    Click View -> Show Lower Pane

    Click Options -> Verify Image Signatures

    Click on the "System" process in the upper pane, and the lower pane will refresh to show all loaded drivers.

    You can check to see if MSE's driver is loaded and signed.

    Also, check to see if there are any unsigned drivers loaded that cannot be explained by their properties.

    If you know the PID (Process ID) of the svchost.exe attempting outbound connections to 208.73.210.29, then you can click on it and the lower pane will refresh to reveal all DLLs loaded by that svchost and again signature checking and Properties can help evaluate whether there is a suspicious DLL there, as can the name of the DLL.

    Please follow these directions and post all requested logs into your next reply (do NOT attach them):

    I'm infected - What do I do now?

  14. That item appears to be an HP promotional video that came pre-installed in the W7 Public Video Folder. This is it here:

    From the Combofix log, it looks like that was the only thing removed. Let's see:

    Please open a run line (click Start ->Type Run into the "Start Search" box)

    Under Programs, double-click "Run"

    Copy/paste the following bolded text into the Run box and click OK:

    C:\Qoobox\ComboFix-quarantined-files.txt

    A report should open in Notepad. Please post the contents in your next reply.

    =======

    Please perform a scan with the ESET online virus scanner. You can expect some detections in Combofix's quarantine (Qoobox) and system volume information. They will not represent active malware so don't worry:

    http://www.eset.com/onlinescan/index.php

    NOTE: Do NOT choose the option to automatically uninstall the ESET Online Scanner with all its components because you need to retain the scan log for posting & that option will delete the ESET Scan log!!

    • ESET recommends disabling your resident antivirus's auto-protection feature before beginning the scan to avoid conflicts and system hangs.
    • Use Internet Explorer to navigate to the scanner website, because you must approve the installation of an ActiveX add-on to complete the scan.
    • Check the "Yes, I accept the terms of use" box.
    • Click "Start".
    • Approve the installation of the ActiveX control that's required to enable scanning.
    • Make sure the "Remove found threats" box is CHECKED!!
    • Click "Start".
    • Allow the definition database to install.
    • Click "Scan".

    When the scan is done:

    • Please post the scan report in your next reply. It can be found in this location:
      C:\Program Files\EsetOnlineScanner\log.txt
    • You can remove the ESET Online Scanner using the Windows Control Panel's Add/Remove Programs feature.

    Note to Windows 7 and Vista users, and anyone with restrictive IE security settings:

    Depending on your security settings, you may have to allow cookies and put the ESET website, www.eset.com, into the trusted zone of Internet Explorer if the scan has problems starting (in Vista this is a necessity as IE runs in Protected mode).

    To do that, on the Internet Explorer menu click Tools => Internet Options => Security => Trusted Sites => Sites. Then UNcheck "Require server verification for all sites in this zone" checkbox at the bottom of the dialog. Add the above www.eset.com url to the list of trusted sites, by inserting it in the blank box and clicking the Add button, then click Close. For cookies, choose the IE Privacy tab and add the above eset.com url to the exceptions list for cookie blocking.

  15. Is shutting down the wireless modem a common "feature" of malware?

    No, it isn't a common feature of malware but setting an infected proxy that reroutes your internet activity is. Most threats incorporate some kind of connection to download updates, install new threats, and phone "home" so they are reliant on an internet connection.

    It is very possible that another anti-malware tool may have disrupted your wireless connection in the process of trying to remove the infection and the malicious proxy. That would be my best guess! The main thing is that your PC is running fine now and I'm happy to hear that!! :)

  16. Please describe the symptoms of your infection. The only thing that I am seeing is some questionable Firefox toolbar add-ons.

    Make files and folders visible:

    Click Start > Open "My Computer"

    Select the Tools menu and click "Folder Options."

    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.

    Uncheck: Hide file extensions for known file types

    Uncheck the Hide protected operating system files (recommended) option.

    Click Yes to confirm.

    Click OK.

    =================

    Some background information on what we're planning to do can be found HERE

    Please read carefully and follow these steps.

    • Download TDSSKiller and save it to your Desktop.
    • Extract its contents to your desktop.
    • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure; click on Continue.
      (screenshot: TDSSKillerMal-1.png)
    • If a suspicious file is detected, the default action will be Skip; click on Continue.
      (screenshot: TDSSKillerSuspicious-1.png)
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
      (screenshot: TDSSKillerCompleted.png)
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

    =================

    Download Microsoft's Malicious Software Removal Tool (MSRT) to your desktop.

    Save it and rename it to explorer.exe as you download it.

    Double-click explorer.exe on your Desktop to run it.

    In the "Scan Type" window, select Full System Scan.

    Perform the scan and then click Finish when the scan is done.

    Here's an illustrated tutorial if you need it:

    http://secure-computer-solutions.com/blog/...ng_malware.html

    Retrieve the MSRT log as follows, and post it in your next reply:

    1) Click on Start, Run.

    2) Type or copy/paste the following command into the "Run Line" and press Enter:

    notepad c:\windows\debug\mrt.log

    Please Run ComboFix by following the steps provided in exactly this sequence:

    Here is a tutorial that describes how to download, install and run Combofix. Please thoroughly review it before proceeding:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Very Important! BEFORE downloading Combofix, temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:

    http://www.bleepingcomputer.com/forums/topic114351.html

    Note: The above tutorial does not tell you to rename Combofix as I am about to instruct you to do in the following instructions, so make sure you complete the renaming step before launching Combofix.

    Using ComboFix ->

    Please download Combofix from one of these locations:

    HERE or HERE

    I want you to rename Combofix.exe to iexplore.exe as you download it.

    Notes:

    • It is very important that you save the newly renamed EXE file to your desktop.
    • You must rename Combofix.exe as you download it and not after it is on your computer.
      You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
      • Open Firefox
      • Click Tools -> Options -> Main
      • Under the downloads section check the button that says "Always ask me where to save files".
      • Click OK
    • For Internet Explorer:
      • Choose to save, not open the file
      • When prompted, save the file to your desktop, and rename it iexplore.exe.

    Running Combofix

    In the event you already have Combofix, please delete it as this is a new version.

    • Close any open browsers and programs.
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • If Combofix asks to update, please allow it to do so. If it renames itself back to Combofix.exe - this is normal!!
    • If you are running Windows XP, and Combofix asks to install the Recovery Console, please allow it to do so or it WILL NOT perform its normal malware removal capabilities. This is for your safety!!

    1. To Launch Combofix

    Click Start --> Run, and enter (copy/paste) this command exactly as shown (including the quotes):

    "%userprofile%\desktop\iexplore.exe" /killall

    2. When finished, it will produce a logfile located at C:\ComboFix.txt

    3. Post the contents of that log in your next reply.

    Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.

    Please post C:\ComboFix.txt in your next reply.

    ONLY if you have problems running Combofix, then try running it in "Safe Mode with Networking" as follows:

    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading normally, the Advanced Options Menu should appear;
    • Select the option, to run Windows in "Safe Mode with Networking", then press Enter.
    • Choose your usual account, and launch Combofix as instructed in Step 1 above.

    Please post the MSRT log, TDSSKiller log and Combofix log, and reply to my question concerning the symptoms of your infection.

  17. Your Combofix log is clean except for this Fake AV vestige, which we will remove with a registry fix.

    Copy/paste the following text in the code box to Notepad, making sure that Wordwrap is UNChecked under the Format settings!!

    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxyServer"=-

    Save this to your desktop as fix.reg, by setting the "Save as Type" to All files (*.*) in the pull-down menu.

    Double-click fix.reg (looks like an aqua blocks icon) on your desktop and when you're prompted as to whether you want to add the information to the Registry, respond Y (yes).

    Reboot.

    Then run DDS.scr again and post the log!

    Here are the directions in case you need them:

    Download DDS and save it to your desktop from here

    dds_scr.gif

    Disable any script blocking programs you may have installed (such as Norton script blocking), and then double-click DDS.scr to run the tool.

    • When done, DDS will open two (2) logs:
      • DDS.txt
      • Attach.txt
    • Save both reports to your desktop.
    • Please copy and paste DDS.txt into your next reply (do NOT attach it, and hold on to Attach.txt for now).
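    The fix.reg above uses the REGEDIT4 syntax in which a `"Name"=-` line deletes a value from the key named in the preceding `[...]` header. As an added example (my code, not the poster's or Microsoft's), this Python script parses a .reg file into the operations REGEDIT would carry out and replays them against a dictionary that stands in for HKCU, so the effect of a proposed fix can be checked before it is merged on a real machine. The proxy value "http=127.0.0.1:12345" and the ProxyEnable setting in the sample registry state are constructed for illustration; the fix text itself is the one from the post.

```python
"""Parse REGEDIT4 / 'Windows Registry Editor Version 5.00' files and simulate them.

Added example, not from the forum post. Supports the constructs a cleanup fix
uses: [Key] (create/open), [-Key] (delete key), "Name"=- (delete value),
"Name"="string", "Name"=dword:hex, "Name"=hex:aa,bb and @ for the default value.
"""
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional, Union

Value = Union[str, int, bytes, None]
Registry = dict[str, dict[str, Value]]
_HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
_VALUE_LINE = re.compile(r'^("(?:[^"\\]|\\.)*"|@)\s*=\s*(.*)$')


@dataclass
class RegOp:
    key: str
    name: Optional[str]  # None when the operation concerns the whole key
    value: Value         # parsed data; None when the operation deletes
    delete: bool


def _unescape(s: str) -> str:
    # .reg strings escape only backslash and double quote
    return re.sub(r'\\(["\\])', r"\1", s)


def _parse_data(raw: str) -> Value:
    raw = raw.strip()
    if raw == "-":
        return None                       # delete marker
    if raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])       # REG_SZ
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)           # REG_DWORD, hex digits
    if raw.lower().startswith("hex:"):
        return bytes(int(b, 16) for b in raw[4:].split(",") if b.strip())
    raise ValueError(f"unsupported data: {raw!r}")


def parse_reg(text: str) -> list[RegOp]:
    lines = text.lstrip("\ufeff").splitlines()
    if not lines or lines[0].strip() not in _HEADERS:
        raise ValueError("missing REGEDIT4 / Version 5.00 header")
    ops: list[RegOp] = []
    key: Optional[str] = None
    for line in lines[1:]:
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            body = line[1:-1]
            if body.startswith("-"):
                ops.append(RegOp(body[1:], None, None, True))
                key = None
            else:
                key = body
                ops.append(RegOp(key, None, None, False))
            continue
        if key is None:
            raise ValueError(f"value line outside any key: {line!r}")
        m = _VALUE_LINE.match(line)
        if not m:
            raise ValueError(f"malformed value line: {line!r}")
        name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        data = _parse_data(m.group(2))
        ops.append(RegOp(key, name, data, data is None))
    return ops


def apply_ops(reg: Registry, ops: list[RegOp]) -> Registry:
    """Replay the operations on a copy of the simulated registry and return it."""
    reg = {k: dict(v) for k, v in reg.items()}
    for op in ops:
        if op.name is None and op.delete:
            prefix = op.key + "\\"
            for k in [k for k in reg if k == op.key or k.startswith(prefix)]:
                del reg[k]                # key deletion removes subkeys too
        elif op.name is None:
            reg.setdefault(op.key, {})
        elif op.delete:
            reg.get(op.key, {}).pop(op.name, None)
        else:
            reg.setdefault(op.key, {})[op.name] = op.value
    return reg


def load_reg(path: str) -> list[RegOp]:
    """Read a .reg from disk; Version 5.00 files are UTF-16 with a BOM, REGEDIT4 files ANSI."""
    raw = open(path, "rb").read()
    text = raw.decode("utf-16") if raw.startswith((b"\xff\xfe", b"\xfe\xff")) else raw.decode("cp1252")
    return parse_reg(text)


INET = "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"
FIX_REG = "REGEDIT4\n\n[" + INET + "]\n\"ProxyServer\"=-\n"   # the fix from the post

# Constructed sample state: a leftover rogue proxy pointing at a local port.
BEFORE: Registry = {INET: {"ProxyServer": "http=127.0.0.1:12345", "ProxyEnable": 1}}


def demo() -> Registry:
    """Show what merging the fix does: ProxyServer goes away, ProxyEnable is untouched."""
    return apply_ops(BEFORE, parse_reg(FIX_REG))
```

    The simulation makes the scope of the fix explicit: it deletes only ProxyServer under the user's Internet Settings key and leaves every other value, including ProxyEnable, exactly as it was.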

  18. Please run Gmer like this, and use the randomly named version from the download link I provide in these directions:

    Download this Antirootkit Program to a folder that you create such as C:\ARK, by choosing the "Download EXE" button on the webpage.

    Very Important: Disable the active protection component of your antivirus by following the directions that apply here:

    http://www.bleepingcomputer.com/forums/topic114351.html

    Please perform a rootkit "Quick" scan:

    • Double-click the randomly named EXE located in the C:\ARK folder that you just downloaded to run the program.
    • When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
    • After the automatic "quick" scan is finished (a few seconds):
      • Save the scan log to the Windows clipboard
      • Open Notepad or a similar text editor
      • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctrl+V
      • Exit the program
      • Save the scan log as ARKQ.txt and post it in your next reply.
    • Re-enable your antivirus and any antimalware programs you disabled before running the scan.

    Some background information on what we're planning to do can be found HERE

    Please read carefully and follow these steps.

    • Download TDSSKiller and save it to your Desktop.
    • Extract its contents to your desktop.
    • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure; click on Continue.
      (screenshot: TDSSKillerMal-1.png)
    • If a suspicious file is detected, the default action will be Skip; click on Continue.
      (screenshot: TDSSKillerSuspicious-1.png)
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
      (screenshot: TDSSKillerCompleted.png)
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

    Please download Combofix from one of these locations:

    HERE or HERE

    I want you to rename Combofix.exe to iexplore.exe as you download it.

    Notes:

    • It is very important that you save the newly renamed EXE file to your desktop.
    • You must rename Combofix.exe as you download it and not after it is on your computer.
      You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
      • Open Firefox
      • Click Tools -> Options -> Main
      • Under the downloads section check the button that says "Always ask me where to save files".
      • Click OK
    • For Internet Explorer:
      • Choose to save, not open the file
      • When prompted, save the file to your desktop, and rename it iexplore.exe.

    Running Combofix

    In the event you already have Combofix, please delete it as this is a new version.

    • Close any open browsers and programs.
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • If Combofix asks to update, please allow it to do so. If it renames itself back to Combofix.exe - this is normal!!
    • If you are running Windows XP, and Combofix asks to install the Recovery Console, please allow it to do so or it WILL NOT perform its normal malware removal capabilities. This is for your safety!!

    1. To Launch Combofix

    Click Start --> Run, and enter (copy/paste) this command exactly as shown (including the quotes):

    "%userprofile%\desktop\iexplore.exe" /killall

    2. When finished, it will produce a logfile located at C:\ComboFix.txt

    3. Post the contents of that log in your next reply.

    Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.

    Please post C:\ComboFix.txt in your next reply.
