Medfos.b and others

[cakloss]

I read Medfos topic at http://forums,malwarebytes.org/index.php?showtopic=121173,

moderated by Gringo (William Rowland).

I did not find a solution found in the solutions area that I was requested to review before making a post.

After my initial description below,

I give a list of the logs I got from various programs used in the above topic,

in the order they were generated.

 

The system is Compaq Presario SR5710F with Windows XP SP3, 3 GB RAM,

Firefox v23 browser, Malwarebytes Pro, ClamWin, Spybot, and Spyware Blaster with Java 7 enabled.

 

About one week ago, the following activity began in about the order listed:

links began intermittently redirected to suspicious sites, then

an intermittent, ultimately continual dialog box:

 

Data Execution Prevention - Microsoft Windows

To help protect your computer, Windows has closed this program.

Close Message

 

If this message was closed by clicking "Close Message" or the upper right hand "X"

or using process explorer,

the the following dialog box appeared:

 

Windows Explorer

If you were in the middle of something, the information you were working on might be lost.

Please tell Microsoft about this problem.

We have created an error report that you can send to help us improve Windows Explorer.

We will treat this report as confidential and anonymous.

To see what data this error report contains, click here.

Debug                  Send Error Report                   Don't Send

 

If this message was closed by clicking "Don't Send" or the upper right hand "X"

or using process explorer,

the the original dialog box - Data Execution Prevention - appeared.

 

Copying a new copy of explorer.exe from the dllcache or

expanding from the i386 folder, made no change.

 

Trying to use Recovery Console to return to a prior configuration failed

with a message about their being 414 KB low memory and

requiring 512 KB (3GB RAM has been installed for years).

 

Running Malwarebytes on a full scan revealed two copies of Medfos trojan,

two malware dll's (uteri.dll and maons.dll, both in %APPDATA%), some malware that was effecting memory, and four other pieces of malware.

 

Running Malwarebytes multiple times after multiples removals continued to reveal a variety of malware,

some Medfos, some new.

 

Soon the computer monitor began refreshing every 5 to 10 seconds, clearing any window present.

The only thing I could use was the cmd windows from the run command.

 

After reading the Malwarebytes article described initially,

I applied the following tools in the following order, as had occurred in that post:

DDS

Security Check

Adw Cleaner

Rogue Killer

ComboFix

ComboFix with a ClearJavaCache:: CFScript

Revo Uninstaller to remove Java

CCleaner

Malwarebytes for a Quick Scan which revealed no malware

HijackThis

OTL

 

Hear I stopped because the moderator created a script for OTL

that was unique to that individual's computer

which computer was also running Windows 7 instead of mine's XP.

 

After all this the only effect of malware left was the infinite loop

of the Data Execution Prevention and subsequent dialog boxes.

 

The various logs created by the anti-malware programs above

are given as an attachment.

[AdvancedSetup]

Hello and

 

I would suggest following the advice from the topic here Available Assistance for Possibly Infected Computers and having one of the Experts assist you with looking into your issue.

Thanks