
Persistent infection will not go away. I suspect a browser hijack, but I need expert help, please! :)



Greetings!

The other day, my wife's computer had a blue screen at startup that said %hn was missing, and Windows could not start. After digging through the Internet with some experts, I found the culprit to be a virus in regards to consrv.dll. I was able to fix that issue in the recovery console. I thought all was well until I was using Google to search for something and I was getting redirected to an ad website, potentially malicious. I knew something was wrong, and I scanned again. I removed the infection, and restarted the computer as I was urged to do so. Immediately following the reboot, I ran another full scan and was given a clean bill of health. It was about this time that I decided to activate the trial version of Malwarebytes. All was well until I launched a browser window, and saw many, many blocked attempts to websites, with the process iexplore.exe. After that, the processes kept changing: ping.exe, svchost.exe, iexplore.exe, and repeat.

Now I seem to be dealing with a new threat. I have scanned and cleaned with Malwarebytes a few times, and the same trojan keeps popping up according to Malwarebytes: TrojanProxy.Agent, which infects various folders and keys. In the last few seconds it has taken me to type this paragraph, the auto-protect feature of Malwarebytes has given me a load of information from the auto-protect log:


2012/05/14 12:08:39 -0500 KATYDID-PC Katydid IP-BLOCK 217.23.9.140 (Type: outgoing, Port: 57870, Process: ping.exe)
2012/05/14 12:08:39 -0500 KATYDID-PC Katydid IP-BLOCK 83.133.120.247 (Type: outgoing, Port: 57871, Process: ping.exe)
2012/05/14 12:08:39 -0500 KATYDID-PC Katydid IP-BLOCK 83.133.124.191 (Type: outgoing, Port: 57872, Process: ping.exe)
2012/05/14 12:08:39 -0500 KATYDID-PC Katydid IP-BLOCK 217.23.9.139 (Type: outgoing, Port: 57873, Process: ping.exe)
2012/05/14 12:08:40 -0500 KATYDID-PC Katydid IP-BLOCK 83.133.122.75 (Type: outgoing, Port: 57874, Process: ping.exe)
2012/05/14 12:08:40 -0500 KATYDID-PC Katydid IP-BLOCK 83.133.124.191 (Type: outgoing, Port: 57875, Process: ping.exe)
2012/05/14 12:08:40 -0500 KATYDID-PC Katydid IP-BLOCK 83.133.124.191 (Type: outgoing, Port: 57876, Process: ping.exe)
2012/05/14 12:08:40 -0500 KATYDID-PC Katydid IP-BLOCK 217.23.9.140 (Type: outgoing, Port: 57877, Process: ping.exe)
2012/05/14 12:08:40 -0500 KATYDID-PC Katydid IP-BLOCK 83.133.120.247 (Type: outgoing, Port: 57878, Process: ping.exe)
2012/05/14 12:08:40 -0500 KATYDID-PC Katydid IP-BLOCK 83.133.120.247 (Type: outgoing, Port: 57890, Process: ping.exe)

Here is my latest scan log:


Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org
Database version: v2012.05.14.04
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Katydid :: KATYDID-PC [administrator]
Protection: Enabled
5/14/2012 11:46:41 AM
mbam-log-2012-05-14 (11-46-41).txt
Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 101157
Time elapsed: 17 minute(s), 22 second(s) [aborted]
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 1
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Adobe\sp.DLL (TrojanProxy.Agent) -> Delete on reboot.
Registry Keys Detected: 1
HKCR\CLSID\{96AFBE69-C3B0-4b00-8578-D933D2896EE2} (TrojanProxy.Agent) -> Quarantined and deleted successfully.
Registry Values Detected: 2
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved|{96AFBE69-C3B0-4B00-8578-D933D2896EE2} (TrojanProxy.Agent) -> Data: sp -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{96AFBE69-C3B0-4b00-8578-D933D2896EE2} (TrojanProxy.Agent) -> Data: -> Quarantined and deleted successfully.
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 1
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Adobe\sp.DLL (TrojanProxy.Agent) -> Delete on reboot.
(end)

And here is my HiJackThis log:


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:02:13 PM, on 5/14/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal
Running processes:
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe
C:\Program Files (x86)\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Common Files\MSDAINITIALIZE\MSDAINITIALIZE.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\ProgramData\Battle.net\Agent\Agent.954\Agent.exe
C:\ProgramData\Battle.net\Client\Blizzard Launcher.1575\Blizzard Launcher.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
C:\Users\Katydid\Desktop\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe -r
O4 - HKLM\..\Run: [Monitor] "C:\Program Files (x86)\LeapFrog\LeapFrog Connect\Monitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [MSDAINITIALIZE] "C:\Program Files (x86)\Common Files\MSDAINITIALIZE\MSDAINITIALIZE.exe" /s
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent
O4 - HKUS\S-1-5-21-862457446-2587247183-1850121263-1003\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'UpdatusUser')
O4 - HKUS\S-1-5-21-862457446-2587247183-1850121263-1003\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'UpdatusUser')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\nwprovau.dll' missing
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: LeapFrog Connect Device Service - LeapFrog Enterprises, Inc. - C:\Program Files (x86)\LeapFrog\LeapFrog Connect\CommandService.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
--
End of file - 8237 bytes

Any help would be excellent! I may be in and out of the house because of family illness, but I won't leave any helpers hanging. Thank you!

Minor update: I just received the same blue screen error that I was referencing in the beginning of the above post. I am currently working to restore winsrv to its rightful place.

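Added example, not from the original post and not Malwarebytes' own code: a small Python triage script for protection-log pastes like the one above. It parses the IP-BLOCK lines, counts blocked outbound connections per process and per destination, and flags processes that have no reason to open TCP/UDP sessions themselves (ping.exe normally speaks ICMP). The allowlist of "unexpected" processes is an assumption for this example; the sample lines are copied from the logs in this thread, plus one MESSAGE line to show that non-block lines are skipped.

```python
import re
from collections import Counter, defaultdict

# One IP-BLOCK line from the Malwarebytes protection log, e.g.
# 2012/05/14 12:08:39 -0500 KATYDID-PC Katydid IP-BLOCK 217.23.9.140 (Type: outgoing, Port: 57870, Process: ping.exe)
IP_BLOCK_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<tz>[+-]\d{4}) "
    r"(?P<host>\S+) (?P<user>\S+) IP-BLOCK (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"\(Type: (?P<direction>\w+), Port: (?P<port>\d+), Process: (?P<proc>[^)]+)\)$"
)

# Processes that, on a normal workstation, should not be opening outbound
# TCP/UDP sessions at all. Assumption for this example; extend for your fleet.
UNEXPECTED_NETWORK_PROCS = {"ping.exe"}

# Sample input: lines copied from the logs posted in this thread, plus one
# MESSAGE line so the parser's skipping of non-block lines is exercised.
SAMPLE_LOG = """
2012/05/14 12:08:39 -0500 KATYDID-PC Katydid IP-BLOCK 217.23.9.140 (Type: outgoing, Port: 57870, Process: ping.exe)
2012/05/14 12:08:39 -0500 KATYDID-PC Katydid IP-BLOCK 83.133.120.247 (Type: outgoing, Port: 57871, Process: ping.exe)
2012/05/15 13:39:17 -0500 KATYDID-PC Katydid MESSAGE Starting protection
2012/05/15 13:41:46 -0500 KATYDID-PC Katydid IP-BLOCK 94.242.214.18 (Type: outgoing, Port: 49247, Process: msdainitialize.exe)
2012/05/15 16:48:28 -0500 KATYDID-PC Katydid IP-BLOCK 83.133.120.187 (Type: outgoing, Port: 49439, Process: iexplore.exe)
2012/05/15 16:50:58 -0500 KATYDID-PC Katydid IP-BLOCK 83.133.120.247 (Type: outgoing, Port: 49518, Process: ping.exe)
"""


def parse_ip_blocks(lines):
    """Return a list of dicts, one per IP-BLOCK line; other lines are ignored."""
    events = []
    for line in lines:
        m = IP_BLOCK_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["port"] = int(ev["port"])
            ev["proc"] = ev["proc"].lower()  # the log mixes MSDAINITIALIZE.exe / msdainitialize.exe
            events.append(ev)
    return events


def triage(lines):
    """Summarise blocked connections: per process, per destination, and which
    processes are on the 'should never talk to the network' list."""
    events = parse_ip_blocks(lines)
    by_proc = Counter(ev["proc"] for ev in events)
    by_ip = Counter(ev["ip"] for ev in events)
    dests = defaultdict(set)
    for ev in events:
        dests[ev["proc"]].add(ev["ip"])
    return {
        "total": len(events),
        "by_process": dict(by_proc),
        "by_ip": dict(by_ip),
        "unique_ips": sorted(by_ip),
        "destinations": {p: sorted(ips) for p, ips in dests.items()},
        "flagged_processes": sorted(p for p in by_proc if p in UNEXPECTED_NETWORK_PROCS),
    }


def triage_sample():
    """Run the triage over the embedded sample so the result is easy to check."""
    return triage(SAMPLE_LOG.strip().splitlines())


def format_report(result):
    """Human-readable summary of a triage() result."""
    out = [f"{result['total']} blocked connections to {len(result['unique_ips'])} distinct hosts"]
    for proc, n in sorted(result["by_process"].items(), key=lambda kv: -kv[1]):
        mark = "  <-- unexpected network activity" if proc in result["flagged_processes"] else ""
        out.append(f"  {proc}: {n} blocks -> {', '.join(result['destinations'][proc])}{mark}")
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(triage_sample()))
```

Feed the script the whole protection log (`triage(open(path).readlines())`) rather than a paste; the thread's 8 MB log is exactly the case where counting per process is more useful than reading the lines, and a command-line tool such as ping.exe reaching a handful of hosts hundreds of times is the pattern worth escalating.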

Welcome to the forum, please start at the link below:

http://forums.malwar...?showtopic=9573

Post back the 2 logs.

<====><====><====><====><====><====><====><====>

Next.......

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system (don't run any other options, they're not all bad!)

Post back the report.

MrC


Your computer is infected with a nasty rootkit. Please read the following information first.

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards and......

  • There's a possibility that you'll lose your internet connections which I may not be able to correct and will require a repair install.
  • There's also a possibility that during the cleaning procedure the computer will become unusable (won't boot) which will result in a repair install or complete format and install.
  • I strongly suggest you back up all of the important items on the system before we continue.

Please let me know you have read this and agree to it.

Let me know what you decide to do....MrC


OK, here you go.......

Please make sure system restore is running and create a new restore point before continuing.

XP <===> Vista & W7

XP users > please back up the registry using ERUNT.

-----------------------------------------

Please download and run TDSSKiller to your desktop as outlined below:

Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

-------------------------

Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

------------------------

Click the Start Scan button.

-----------------------

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose delete.

----------------------

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

--------------------

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

-------------------

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose delete.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

MrC


Next.......

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Please include the C:\ComboFix.txt in your next reply for further review.

Note:

If you get the message Illegal operation attempted on registry key that has been marked for deletion. after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC


No malicious items were detected!

However, during the scan, an IP access attempt was blocked by the process MSDAINITIALIZE.EXE. I have no idea what this is.

The original issue seems fixed, hooray! If you are unable to help me with the above, please let me know, and I will consider this closed. :)


The log file is 8MB, only because of the rampant pinging, etc. while I was infected with that back door. Would you still like me to attach it?


2012/05/15 13:31:49 -0500 KATYDID-PC Katydid IP-BLOCK 83.133.122.75 (Type: outgoing, Port: 52360, Process: ping.exe)
2012/05/15 13:31:49 -0500 KATYDID-PC Katydid IP-BLOCK 83.133.124.191 (Type: outgoing, Port: 52361, Process: ping.exe)
2012/05/15 13:31:49 -0500 KATYDID-PC Katydid IP-BLOCK 83.133.120.247 (Type: outgoing, Port: 52362, Process: ping.exe)
2012/05/15 13:31:49 -0500 KATYDID-PC Katydid IP-BLOCK 217.23.9.139 (Type: outgoing, Port: 52363, Process: ping.exe)
2012/05/15 13:31:49 -0500 KATYDID-PC Katydid IP-BLOCK 83.133.120.247 (Type: outgoing, Port: 52364, Process: ping.exe)
2012/05/15 13:31:49 -0500 KATYDID-PC Katydid IP-BLOCK 83.133.122.75 (Type: outgoing, Port: 52365, Process: ping.exe)
2012/05/15 13:31:49 -0500 KATYDID-PC Katydid IP-BLOCK 83.133.120.247 (Type: outgoing, Port: 52366, Process: ping.exe)
2012/05/15 13:31:49 -0500 KATYDID-PC Katydid IP-BLOCK 83.133.124.191 (Type: outgoing, Port: 52367, Process: ping.exe)
2012/05/15 13:31:49 -0500 KATYDID-PC Katydid IP-BLOCK 217.23.9.139 (Type: outgoing, Port: 52368, Process: ping.exe)
2012/05/15 13:31:49 -0500 KATYDID-PC Katydid IP-BLOCK 83.133.120.247 (Type: outgoing, Port: 52369, Process: ping.exe)
2012/05/15 13:31:49 -0500 KATYDID-PC Katydid IP-BLOCK 83.133.124.191 (Type: outgoing, Port: 52370, Process: ping.exe)
2012/05/15 13:31:49 -0500 KATYDID-PC Katydid IP-BLOCK 217.23.9.140 (Type: outgoing, Port: 52371, Process: ping.exe)
2012/05/15 13:31:49 -0500 KATYDID-PC Katydid IP-BLOCK 83.133.124.191 (Type: outgoing, Port: 52372, Process: ping.exe)
2012/05/15 13:31:49 -0500 KATYDID-PC Katydid IP-BLOCK 83.133.120.247 (Type: outgoing, Port: 52373, Process: ping.exe)
2012/05/15 13:31:49 -0500 KATYDID-PC Katydid IP-BLOCK 83.133.124.191 (Type: outgoing, Port: 52374, Process: ping.exe)
2012/05/15 13:31:49 -0500 KATYDID-PC Katydid IP-BLOCK 217.23.9.139 (Type: outgoing, Port: 52375, Process: ping.exe)
2012/05/15 13:31:49 -0500 KATYDID-PC Katydid IP-BLOCK 217.23.9.140 (Type: outgoing, Port: 52376, Process: ping.exe)
2012/05/15 13:31:49 -0500 KATYDID-PC Katydid IP-BLOCK 83.133.120.247 (Type: outgoing, Port: 52377, Process: ping.exe)
2012/05/15 13:31:49 -0500 KATYDID-PC Katydid IP-BLOCK 83.133.124.191 (Type: outgoing, Port: 52378, Process: ping.exe)
2012/05/15 13:31:49 -0500 KATYDID-PC Katydid IP-BLOCK 83.133.122.75 (Type: outgoing, Port: 52379, Process: ping.exe)
2012/05/15 13:31:49 -0500 KATYDID-PC Katydid IP-BLOCK 83.133.124.191 (Type: outgoing, Port: 52380, Process: ping.exe)
2012/05/15 13:31:49 -0500 KATYDID-PC Katydid IP-BLOCK 217.23.9.139 (Type: outgoing, Port: 52381, Process: ping.exe)
2012/05/15 13:31:49 -0500 KATYDID-PC Katydid IP-BLOCK 83.133.124.191 (Type: outgoing, Port: 52382, Process: ping.exe)
2012/05/15 13:31:49 -0500 KATYDID-PC Katydid IP-BLOCK 217.23.9.140 (Type: outgoing, Port: 52383, Process: ping.exe)
2012/05/15 13:31:49 -0500 KATYDID-PC Katydid IP-BLOCK 83.133.120.247 (Type: outgoing, Port: 52384, Process: ping.exe)
2012/05/15 13:31:49 -0500 KATYDID-PC Katydid IP-BLOCK 83.133.120.247 (Type: outgoing, Port: 52385, Process: ping.exe)

It was right about here where you helped me remove the back door! Thank you!


2012/05/15 13:39:17 -0500 KATYDID-PC Katydid MESSAGE Starting protection
2012/05/15 13:39:18 -0500 KATYDID-PC Katydid MESSAGE Protection started successfully
2012/05/15 13:39:21 -0500 KATYDID-PC Katydid MESSAGE Starting IP protection
2012/05/15 13:39:22 -0500 KATYDID-PC Katydid MESSAGE IP Protection started successfully
2012/05/15 13:41:46 -0500 KATYDID-PC Katydid IP-BLOCK 94.242.214.18 (Type: outgoing, Port: 49247, Process: msdainitialize.exe)
2012/05/15 13:43:22 -0500 KATYDID-PC Katydid IP-BLOCK 94.242.214.18 (Type: outgoing, Port: 49279, Process: msdainitialize.exe)
2012/05/15 13:44:03 -0500 KATYDID-PC Katydid IP-BLOCK 94.242.214.18 (Type: outgoing, Port: 49285, Process: msdainitialize.exe)
2012/05/15 13:51:15 -0500 KATYDID-PC Katydid IP-BLOCK 94.242.214.18 (Type: outgoing, Port: 49314, Process: msdainitialize.exe)
2012/05/15 13:51:15 -0500 KATYDID-PC Katydid IP-BLOCK 94.242.214.18 (Type: outgoing, Port: 49316, Process: msdainitialize.exe)
2012/05/15 13:55:55 -0500 KATYDID-PC Katydid IP-BLOCK 94.242.214.18 (Type: outgoing, Port: 49565, Process: msdainitialize.exe)
2012/05/15 14:10:28 -0500 KATYDID-PC Katydid IP-BLOCK 94.242.214.18 (Type: outgoing, Port: 49641, Process: msdainitialize.exe)
2012/05/15 14:15:19 -0500 KATYDID-PC Katydid MESSAGE Starting database refresh
2012/05/15 14:15:19 -0500 KATYDID-PC Katydid MESSAGE Stopping IP protection
2012/05/15 14:16:31 -0500 KATYDID-PC Katydid MESSAGE IP Protection stopped
2012/05/15 14:16:33 -0500 KATYDID-PC Katydid MESSAGE Database refreshed successfully
2012/05/15 14:16:33 -0500 KATYDID-PC Katydid MESSAGE Starting IP protection
2012/05/15 14:16:34 -0500 KATYDID-PC Katydid MESSAGE IP Protection started successfully

Doesn't seem to happen very often. When I looked up the process on Google, I couldn't find much relevant information except that it's used to connect to SQL Server or some such. I am not running any databases or connecting to any on my local network.


Here's the IP address:

[image of the IP lookup result not preserved]

-------------------------------------------

Please download SystemLook from the link below and save it to your Desktop.

http://jpshortstuff....temLook_x64.exe

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :Filefind
    msdainitialize.exe


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

MrC



SystemLook 30.07.11 by jpshortstuff
Log created at 15:10 on 15/05/2012 by Katydid
Administrator - Elevation successful
========== Filefind ==========
Searching for "msdainitialize.exe"
C:\Program Files (x86)\Common Files\MSDAINITIALIZE\MSDAINITIALIZE.exe --a---- 70112 bytes [01:46 13/05/2012] [01:46 13/05/2012] 4D12ACF33BD16D354BAD72315FE72E53
-= EOF =-


It was recently installed: 2012-05-13

Does it ring a bell??

2012-05-13 01:46 . 2012-05-13 01:46 -------- d-----w- c:\program files (x86)\Common Files\MSDAINITIALIZE

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"MSDAINITIALIZE"="c:\program files (x86)\Common Files\MSDAINITIALIZE\MSDAINITIALIZE.exe" [2012-05-13 70112]

----------------------------------

Please find this file and upload it to VirusTotal for a free scan, let me know the results. (just copy back the url)

c:\program files (x86)\Common Files\MSDAINITIALIZE\MSDAINITIALIZE.exe

http://www.virustotal.com/

MrC


Now that I think about it, the reason I was able to detect all these problems (which prompted me to start this thread) was because my wife had some fakeware pushed on her somehow.

Cannot remember the name. I BELIEVE it was Smart Fortress 2012. It was 2012 something, I know that for sure.


OK, it's malware and now it's in the database.

Can you manually delete this folder:

c:\program files (x86)\Common Files\MSDAINITIALIZE

Then download, unzip and run the attached file, (right click on it and choose Run as Administrator)

Reboot and......

Please Update and run a Quick Scan with MBAM, post the report.

Make sure that everything is checked, and click Remove Selected.

Please let me know how it is, MrC


I unzipped the file and imported it into the registry. (There was no run as administrator option, just merge)

Now when I start her computer, I see a blue screen blip for about .5 seconds, but I was able to get a snapshot of it with a camcorder. It reads:

STOP: C00000135 The program can't start because %hs is missing from your computer. Try re-installing the program to fix this problem.

I have a hunch that it's the consrv problem again. Stand by...


Yep, that was the culprit again. I'm not certain if anything was related to your registry key or the removal of the msdainitialize.exe file.

In case you don't know how I fixed the consrv error, here's a brief rundown:

1. Get to a recovery console (Windows 7 disk, etc.)

2. Run regedit from the command prompt.

3. Go to HKEY_LOCAL_MACHINE and highlight it. Click on File -> Load Hive

4. Navigate to your physical drive (which is usually D:\ when using the recovery mode) D:\Windows\system32\config

5. Load SYSTEM

6. Type anything you want for the key. I usually type "blah".

7. Browse "blah" which is now HKEY_LOCAL_MACHINE for your actual Windows registry hive.

8. Navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SubSystems

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Session Manager\SubSystems

Find the key named "Windows" and edit it. You will see a string like this:

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=consrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

Change consrv to "winsrv" on both SubSystems keys.

Highlight "blah" hive, and go to file -> unload hive and confirm.

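Added example, not part of the original post: the check that steps 8 and onward above perform by eye, done in Python on the SubSystems `Windows` value once it has been read out of the offline hive. It lists the ServerDll entries, flags any DLL that is not one of the stock Windows 7 server DLLs (basesrv, winsrv, sxssrv; that set is an assumption stated in the code), and applies the consrv-to-winsrv substitution the post describes. The input string is the one quoted in the post; the expected-clean string is written here for comparison.

```python
import re

# Server DLLs that the stock Windows 7 csrss SubSystems\Windows value references.
# Assumption for this example: on an unmodified Windows 7 install the console
# server lives in winsrv, and no consrv.dll ships with the OS.
EXPECTED_SERVER_DLLS = {"basesrv", "winsrv", "sxssrv"}

# ServerDll=<dll>[:<entrypoint>],<index>
SERVERDLL_RE = re.compile(r"ServerDll=(?P<dll>[^:,\s]+)(?::(?P<entry>[^,\s]+))?,(?P<idx>\d+)")

# The value quoted in the post above (infected state).
INFECTED_VALUE = (
    r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
    "SharedSection=1024,20480,768 Windows=On SubSystemType=Windows "
    "ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
    "ServerDll=consrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 "
    "ProfileControl=Off MaxRequestThreads=16"
)


def server_dlls(value):
    """Return [(dll, entrypoint or None, index), ...] from a SubSystems Windows value."""
    return [(m["dll"].lower(), m["entry"], int(m["idx"])) for m in SERVERDLL_RE.finditer(value)]


def suspicious_server_dlls(value):
    """DLL names referenced by ServerDll= that are not stock Windows 7 server DLLs."""
    return sorted({dll for dll, _, _ in server_dlls(value) if dll not in EXPECTED_SERVER_DLLS})


def remediate(value):
    """Apply the fix from the post: point the console server entry back at winsrv.
    Only the consrv case is handled, because that is the one the thread documents."""
    return re.sub(r"ServerDll=consrv:", "ServerDll=winsrv:", value, flags=re.IGNORECASE)


def audit(value):
    """One-shot verdict: which entries look wrong and what the repaired value would be."""
    bad = suspicious_server_dlls(value)
    return {
        "entries": server_dlls(value),
        "suspicious": bad,
        "clean": not bad,
        "repaired": remediate(value) if bad else value,
    }


if __name__ == "__main__":
    result = audit(INFECTED_VALUE)
    for dll, entry, idx in result["entries"]:
        flag = "  <-- not a stock server DLL" if dll in result["suspicious"] else ""
        print(f"ServerDll={dll}:{entry or '-'},{idx}{flag}")
    print("clean" if result["clean"] else "repaired value:\n" + result["repaired"])
```

Run `audit()` against both ControlSet001 and ControlSet002, as the post says, and against the value read back after the hive is unloaded and the machine rebooted; a value that still references a DLL outside the stock set after the edit means the change did not persist or something rewrote it.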

Computer is working, which is good news. And as per your original request: the quick scan came up clean, before I launched any programs.

However, as soon as I loaded Internet Explorer to write up this post (on my wife's computer), I was spammed with more blocked traffic notifications:


2012/05/15 16:46:44 -0500 KATYDID-PC Katydid MESSAGE Database refreshed successfully
2012/05/15 16:46:44 -0500 KATYDID-PC Katydid MESSAGE Starting IP protection
2012/05/15 16:46:44 -0500 KATYDID-PC Katydid MESSAGE IP Protection started successfully
2012/05/15 16:48:28 -0500 KATYDID-PC Katydid IP-BLOCK 83.133.120.187 (Type: outgoing, Port: 49439, Process: iexplore.exe)
2012/05/15 16:48:28 -0500 KATYDID-PC Katydid IP-BLOCK 83.133.119.155 (Type: outgoing, Port: 49440, Process: iexplore.exe)
2012/05/15 16:48:28 -0500 KATYDID-PC Katydid IP-BLOCK 83.133.120.186 (Type: outgoing, Port: 49441, Process: iexplore.exe)
2012/05/15 16:48:28 -0500 KATYDID-PC Katydid IP-BLOCK 83.133.124.196 (Type: outgoing, Port: 49442, Process: iexplore.exe)
2012/05/15 16:48:28 -0500 KATYDID-PC Katydid IP-BLOCK 83.133.119.154 (Type: outgoing, Port: 49443, Process: iexplore.exe)
2012/05/15 16:48:36 -0500 KATYDID-PC Katydid IP-BLOCK 83.133.120.187 (Type: outgoing, Port: 49445, Process: iexplore.exe)
2012/05/15 16:48:36 -0500 KATYDID-PC Katydid IP-BLOCK 83.133.119.155 (Type: outgoing, Port: 49446, Process: iexplore.exe)
2012/05/15 16:48:36 -0500 KATYDID-PC Katydid IP-BLOCK 83.133.124.196 (Type: outgoing, Port: 49453, Process: iexplore.exe)
2012/05/15 16:48:36 -0500 KATYDID-PC Katydid IP-BLOCK 83.133.120.186 (Type: outgoing, Port: 49451, Process: iexplore.exe)
2012/05/15 16:48:36 -0500 KATYDID-PC Katydid IP-BLOCK 83.133.119.154 (Type: outgoing, Port: 49455, Process: iexplore.exe)
2012/05/15 16:50:58 -0500 KATYDID-PC Katydid IP-BLOCK 83.133.120.247 (Type: outgoing, Port: 49518, Process: ping.exe)
2012/05/15 16:50:58 -0500 KATYDID-PC Katydid IP-BLOCK 83.133.122.75 (Type: outgoing, Port: 49519, Process: ping.exe)
2012/05/15 16:50:58 -0500 KATYDID-PC Katydid IP-BLOCK 83.133.124.191 (Type: outgoing, Port: 49520, Process: ping.exe)
2012/05/15 16:50:58 -0500 KATYDID-PC Katydid IP-BLOCK 83.133.120.247 (Type: outgoing, Port: 49521, Process: ping.exe)
2012/05/15 16:50:58 -0500 KATYDID-PC Katydid IP-BLOCK 83.133.122.75 (Type: outgoing, Port: 49522, Process: ping.exe)
2012/05/15 16:50:58 -0500 KATYDID-PC Katydid IP-BLOCK 217.23.9.139 (Type: outgoing, Port: 49523, Process: ping.exe)
2012/05/15 16:50:58 -0500 KATYDID-PC Katydid IP-BLOCK 83.133.124.191 (Type: outgoing, Port: 49524, Process: ping.exe)
2012/05/15 16:50:58 -0500 KATYDID-PC Katydid IP-BLOCK 217.23.9.139 (Type: outgoing, Port: 49525, Process: ping.exe)
2012/05/15 16:50:58 -0500 KATYDID-PC Katydid IP-BLOCK 83.133.120.247 (Type: outgoing, Port: 49526, Process: ping.exe)
2012/05/15 16:50:58 -0500 KATYDID-PC Katydid IP-BLOCK 83.133.124.191 (Type: outgoing, Port: 49527, Process: ping.exe)
2012/05/15 16:50:58 -0500 KATYDID-PC Katydid IP-BLOCK 217.23.9.140 (Type: outgoing, Port: 49528, Process: ping.exe)
2012/05/15 16:50:58 -0500 KATYDID-PC Katydid IP-BLOCK 83.133.120.247 (Type: outgoing, Port: 49529, Process: ping.exe)
2012/05/15 16:50:58 -0500 KATYDID-PC Katydid IP-BLOCK 83.133.124.191 (Type: outgoing, Port: 49530, Process: ping.exe)
2012/05/15 16:50:58 -0500 KATYDID-PC Katydid IP-BLOCK 217.23.9.139 (Type: outgoing, Port: 49531, Process: ping.exe)
2012/05/15 16:50:58 -0500 KATYDID-PC Katydid IP-BLOCK 83.133.120.247 (Type: outgoing, Port: 49532, Process: ping.exe)
2012/05/15 16:50:58 -0500 KATYDID-PC Katydid IP-BLOCK 83.133.124.191 (Type: outgoing, Port: 49533, Process: ping.exe)
2012/05/15 16:50:58 -0500 KATYDID-PC Katydid IP-BLOCK 83.133.120.247 (Type: outgoing, Port: 49534, Process: ping.exe)
2012/05/15 16:50:58 -0500 KATYDID-PC Katydid IP-BLOCK 83.133.124.191 (Type: outgoing, Port: 49535, Process: ping.exe)
2012/05/15 16:50:58 -0500 KATYDID-PC Katydid IP-BLOCK 217.23.9.140 (Type: outgoing, Port: 49536, Process: ping.exe)
2012/05/15 16:50:58 -0500 KATYDID-PC Katydid IP-BLOCK 83.133.122.75 (Type: outgoing, Port: 49537, Process: ping.exe)
2012/05/15 16:50:58 -0500 KATYDID-PC Katydid IP-BLOCK 83.133.124.191 (Type: outgoing, Port: 49538, Process: ping.exe)
2012/05/15 16:50:58 -0500 KATYDID-PC Katydid IP-BLOCK 217.23.9.139 (Type: outgoing, Port: 49539, Process: ping.exe)
2012/05/15 16:50:58 -0500 KATYDID-PC Katydid IP-BLOCK 83.133.124.191 (Type: outgoing, Port: 49540, Process: ping.exe)
2012/05/15 16:50:58 -0500 KATYDID-PC Katydid IP-BLOCK 217.23.9.140 (Type: outgoing, Port: 49541, Process: ping.exe)
2012/05/15 16:50:58 -0500 KATYDID-PC Katydid IP-BLOCK 83.133.120.247 (Type: outgoing, Port: 49542, Process: ping.exe)
2012/05/15 16:51:06 -0500 KATYDID-PC Katydid IP-BLOCK 83.133.120.247 (Type: outgoing, Port: 49547, Process: ping.exe)

And they are still continuing to happen. However, re-scanning comes up clean.
