MrHappy
Honorary Members
  • Posts: 28
  • Joined
  • Last visited
Reputation: 0 Neutral
  1. Looks as if a legit Microsoft server is being blocked... See info below.

     IP General Information
     IP Address: 40.108.144.74
     Hostname: 40.108.144.74
     ISP: Microsoft Corporation

     IP Geolocation Information
     Continent: North America (NA)
     Country: United States (US)
     City: San Antonio
     Time Zone: America/Chicago
     Latitude: 29.4241 (29°25'26.76" N)
     Longitude: -98.4936 (98°29'36.96" S)

     Guessing maybe one of the subhosted sites got flagged but it's killing OneDrive communications as well.
  2. It's been a couple days and all is quiet I am happy to report. Thank you so much for your assistance!
  3. So far it's all quiet. Woohoo! I'd like to go another full 24 hrs if you don't mind since it's been sporadic in the past before we close this thread. My only question is what we actually did to finally remove this? I'd tried ComboFix prior (but not with the script you gave me) and RootRepeal didn't even run. Also, just out of curiosity, why the router reboot? Thank you again and I'll keep this updated.
  4. Router is reset and I'll keep the thread updated. I'll leave the laptop on over the evening. Thank you!
  5. That is the exact message from the protection logs. For the ernel32.dll sometimes it will pop up saying MBAM has found a malicious process and give me the option to quarantine or allow, but recently it just appears as a message in the log (with no popup occurring). Here's logs from Thurs and today with entries..

     Thursday:
     14:37:04 Jim MESSAGE Protection started successfully
     14:37:08 Jim MESSAGE IP Protection started successfully
     15:18:00 Jim ERROR Scheduled update failed: WinHttpSendRequest failed with error code 12007
     15:41:27 Jim DETECTION C:\WINDOWS\SYSTEM32\ERNEL32.DLL Trojan.Agent ALLOW
     15:45:08 Jim MESSAGE Protection started successfully
     15:45:12 Jim MESSAGE IP Protection started successfully
     16:06:24 Jim MESSAGE IP Protection stopped
     16:06:24 Jim MESSAGE IP Protection started successfully
     16:18:03 Jim MESSAGE Scheduled update executed successfully
     16:18:04 Jim MESSAGE IP Protection stopped
     16:18:08 Jim MESSAGE Database updated successfully
     16:18:09 Jim MESSAGE IP Protection started successfully
     17:18:04 Jim MESSAGE Scheduled update executed successfully
     17:18:05 Jim MESSAGE IP Protection stopped
     17:18:14 Jim MESSAGE Database updated successfully
     17:18:15 Jim MESSAGE IP Protection started successfully
     17:34:47 Jim MESSAGE Protection started successfully
     17:34:50 Jim MESSAGE IP Protection started successfully
     20:37:45 Jim DETECTION C:\WINDOWS\SYSTEM32\ERNEL32.DLL Trojan.Agent QUARANTINE
     20:37:46 Jim ERROR Quarantine failed: UtilityReadFile failed with error code 2
     20:37:56 Jim DETECTION C:\WINDOWS\SYSTEM32\ERNEL32.DLL Trojan.Agent DENY
     20:38:31 Jim DETECTION C:\WINDOWS\SYSTEM32\ERNEL32.DLL Trojan.Agent DENY
     20:40:50 Jim DETECTION C:\WINDOWS\SYSTEM32\ERNEL32.DLL Trojan.Agent DENY
     21:06:46 Jim DETECTION C:\WINDOWS\SYSTEM32\ERNEL32.DLL Trojan.Agent DENY
     21:38:18 Jim DETECTION C:\WINDOWS\SYSTEM32\ERNEL32.DLL Trojan.Agent DENY
     22:38:18 Jim DETECTION C:\WINDOWS\SYSTEM32\ERNEL32.DLL Trojan.Agent DENY

     And today's so far...
     10:56:46 Jim MESSAGE Protection started successfully
     10:56:50 Jim MESSAGE IP Protection started successfully
     11:02:19 Jim DETECTION C:\WINDOWS\SYSTEM32\SWIN32.EXE Trojan.Agent ALLOW
     11:11:48 Jim MESSAGE Protection started successfully
     11:11:52 Jim MESSAGE IP Protection started successfully
     11:18:03 Jim MESSAGE Scheduled update executed successfully
     11:18:04 Jim MESSAGE IP Protection stopped
     11:18:08 Jim MESSAGE Database updated successfully
     11:18:09 Jim MESSAGE IP Protection started successfully
     11:21:35 Jim MESSAGE Protection started successfully
     11:21:39 Jim MESSAGE IP Protection started successfully
     14:05:50 Jim MESSAGE Protection started successfully
     14:05:54 Jim MESSAGE IP Protection started successfully
     14:18:05 Jim MESSAGE Scheduled update executed successfully
     14:18:06 Jim MESSAGE IP Protection stopped
     14:18:10 Jim MESSAGE Database updated successfully
     14:18:11 Jim MESSAGE IP Protection started successfully

     The SWIN32.EXE is new, I haven't seen that prior to today and it didn't pop up, just showed in the logs. The ERNEL32.DLL does both (or has in the past).
  6. Also, I just checked my Malwarebytes log following the reboot after ComboFix and have a new entry not previously seen:

     11:02:19 Jim DETECTION C:\WINDOWS\SYSTEM32\SWIN32.EXE Trojan.Agent ALLOW

     Nothing popped up (MBAM was closed during ComboFix scan by the way) and I certainly didn't allow it.
  7. Done and done. Below is the ComboFix log... ComboFix 10-07-15.05 - Jim 07/17/2010 11:02:14.6.2 - x86 Microsoft
  8. Sorry, I meant to type rootrepeal.sys not roorrepeal.sys.
  9. Unfortunately that was even less productive. In safe mode it causes an instant blue screen of death (page fault in unpaged area for roorrepeal.sys). Tried it twice, once as admin, once by just running the file normally. It at least runs for a while in standard mode but closes before it ever finishes scanning somewhere nested in the c:\Windows\WinSXS folder (or perhaps after, it's kind of hard to tell). I do not normally get any BSOD on this laptop otherwise, fyi.
  10. When attempting to run RootRepeal it begins, runs for a while then a small window pops up but nothing is in the window and it is completely transparent. I can move it around the screen (and it just shows whatever is behind it on the background) If I click anywhere on the window it closes and then rootrepeal briefly says non-responsive and closes itself. Am I able to run this in safe mode as an attempt to get it to complete?
  11. I actually ran one last night with no detections (it only pops up finding the ernel32.dll file but never during a full scan, and the file doesn't exist on the drive even by showing all files and checking with attrib) but I've updated it to the most current since yesterday evening and am running it again. Will post the results as soon as it completes.
  12. MBAM and MS Security Essentials disabled during the scan. ComboFix run as administrator (system is Vista but the user is an admin, fyi, however I explicitly ran it as admin just in case) Log is below: ComboFix 10-07-15.03 - Jim 07/16/2010 10:10:42.5.2 - x86 Microsoft
  13. FYI, I am still getting (at least) the ERNEL32.DLL infection popup from MBAM. The other 2 have not shown up yet but with time they usually do. MBAM entries in the protection log are below:

     20:37:45 Jim DETECTION C:\WINDOWS\SYSTEM32\ERNEL32.DLL Trojan.Agent QUARANTINE
     20:37:46 Jim ERROR Quarantine failed: UtilityReadFile failed with error code 2
     20:37:56 Jim DETECTION C:\WINDOWS\SYSTEM32\ERNEL32.DLL Trojan.Agent DENY

     I'll await your next steps. Thank you.
  14. I checked my MBAM protection logs and noticed this entry following the reboot from earlier today and am a bit concerned...

     15:41:27 Jim DETECTION C:\WINDOWS\SYSTEM32\ERNEL32.DLL Trojan.Agent ALLOW
     15:45:08 Jim MESSAGE Protection started successfully
     15:45:12 Jim MESSAGE IP Protection started successfully

     Why would that be set to allow? I am the only one who has access to this machine and definitely did not set it to allow. Also, there is nothing listed in the Ignore List within MBAM. If this is set to allow the popup warning will never occur, correct? (Note that I did not get an MBAM popup when this apparently happened and only noticed this due to the log entry.) This is one of the 3 items that was previously popping up. As for ESET, it found no threats with all options checked. I'm going to leave the PC on and running to check for any more MBAM warnings or log entries. Any other thoughts or tasks you'd like me to perform? Do you know how to disallow that entry from above? Thank you again.
  15. I had actually run JavaRA to remove all old Java (after combofix I believe) and was running 6r20 but removed it and installed 6r21 (though I don't believe 21 was a security update but I could be wrong on that). Have previously run ESET as well but am doing so again at the present. I'll post the results of that scan as soon as it completes. Thank you again so much for your continued help!!