Directed by Root Admin to post here - possible infection

[Debbi]

This is what I posted previously so that you have the history.  I am attaching the Frst.txt and Addition.txt

 

I have a premium lifetime subscription and last night I received the updated version 2.0.2.1012 to download.  I did so and when I asked it to update and scan it would not update.  Stopped the update and ran a scan.  37 pups found and quarantined.

 

Tried to again update and discovered I could not access internet.

 

Since this was the only change to my computer, I uninstalled and was able to access internet.

 

Did a reinstall.  Same problem.  Uninstalled and then ran the mbam clean program recommended in the forums.

 

Two subsequent removal and reinstalls later, I found that if I turned off the button for malicious website protection in settings, I was able to access internet.  This leaves me with a message stating that my computer is not safe. 

 

Ran another scan (the updates worked this time) and 114 pups were found.  Which leads me to believe they came in on the installs (37x3 = 111).

 

Ran a scan again this morning, program updated correctly, and nothing further was found, although the malicious website protection is still turned off and I still have the message that my computer is unsafe.

 

I also used the anti rootkit program and it found nothing.

 

I have Windows 8, use Firefox (which is current), McAfee.  Windows firewalls are turned off so as not to conflict with McAfee.  I enabled the plugin for Firefox for McAfee for "safe website" monitoring.

 

Help please?

Addition.txt

FRST.txt

[gringo_pr]

Hello

Very sorry for the delay, I would like to know if you still need help with this problem

Gringo

[Debbi]

Thanks for the reply.  Still having issues, however, there has been a death in the family and I am not in town to be in front of my computer.  System is running two malwarebytes at one time even though I have uninstalled using recommended program and the computer also is slow, and hangs quite a bit. Malwarebytes does not seem to be updating correctly either.  When I get back, and it will be a few days, I will post again.

Would be mind checking back to see when I post again?  I really would like to get this issue fixed.  My laptop was great until that install of the newest malware 2.0.2.1012.  I am almost ready to take it to be wiped but I am also told that may not fix the problem either.

Thanks again.  Talk soon.

[gringo_pr]

Hello

No problem and I will check back in a few days

Gringo

[gringo_pr]

Greetings

I have not heard from you in a couple of days so I am coming by to check on you to see if you are having problems or you just need some more time.

Also to remind you that it is very important that we finish the process completely so as to not get reinfected. I will let you know when we are complete and I will ask to remove our tools

Gringo

[Debbi]

Good morning.  Arrived home yesterday.  Thanks for checking back.

 

System has been running just the one Malwarebytes since yesterday. Not sure what happened to change that.  I did not remove or change anything in connection with that as I was gone and laptop was completely off the entire time. 

 

The last update to the Malwarebytes shows 2014.7.22.11.  It is now 7/23 and it is 9:14 am.  Not sure how often the program should update in the background.

 

I removed Samsung SAgent yesterday as this was hanging up log off and had been for some time.  Did the research to see if I needed it. 

 

Speed is better although Firefox gives me a "not responding" message quite frequently.  Also received an error message on Explorer (I have to use that to connect to work) that Explorer was corrupted and that the system was taking things back down to the original search bar with some strange name that started with an "s".  I exited that immediately.  Sorry I did not catch the name.  Just did not want whatever was trying to start up to complete.

 

Both the Firefox and Explorer issues are new.  Had not had them before.

 

I have run a number of programs trying to see if I have an infection since my original post because I had not heard back.  All were programs recommended in your forums and I have come up with nothing.  So it is extremely puzzling to me what has happened but I do not want to just assume all is well now.

 

Thanks in advance for any help you can give me.  Heads up that this is my home laptop and I will be here today and can respond during the day today.  Otherwise,  I will be mostly doing the tasks you give me in the evenings starting tomorrow. 

[Debbi]

I forgot to add that I still cannot access internet when the malicious website detection is turned on.  It is 11:12 am and the update is now at 2014.7.23.4.

[gringo_pr]

Hello Debbi

I would like you to rerun FRST for me and send me a new report

If you cannot find it here is the link again.

Please download the Farbar Recovery Scan Tool from here:

http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/ - Click on the BLUE download buttons only - ( The GREEN ones are ads)

save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

Double-click to run it.

When the tool opens click Yes to disclaimer.

I would like for you to use these settings

Under whitelist I would like everything to be checked

Under optional scan

Only have Addition.txt select (the other three blank)

Press the Scan button.

It will make a two logs (FRST.txt) and (Addition.txt) in the same directory the tool is run from.

Please attach both reports to your reply to me

[Debbi]

Hello!

 

I have attached the reports. 

 

I also now have (again) two malware programs showing in my taskbar tray - 7.24.1 shows on both.

 

Addition.txtFRST.txt

[gringo_pr]

Hello Debbi

Are you using a proxy on the computer?

These are the programs I would like you to run next, if you have any problems with one of these just skip it and move on to the next one.

-AdwCleaner-

Please download AdwCleaner by Xplode onto your desktop.

• Close all open programs and internet browsers.
• Double click on AdwCleaner.exe to run the tool.
• Click on Scan.
• After the scan is complete click on "Clean"
• Confirm each time with Ok.
• Your computer will be rebooted automatically. A text file will open after the restart.
• Please post the content of that logfile with your next answer.
• You can find the logfile at C:\AdwCleaner[s1].txt as well.

-Junkware-Removal-Tool-

Please download Junkware Removal Tool to your desktop.

• Shut down your protection software now to avoid potential conflicts.
• Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
• The tool will open and start scanning your system.
• Please be patient as this can take a while to complete depending on your system's specifications.
• On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
• Post the contents of JRT.txt into your next message.

When they are complete let me have the two reports and let me know how things are running.

Gringo

[Debbi]

Hello Gringo.

 

Attached are the scans requested.  As far as proxy, no I am not.  I use a portable USB modem from US Cellular to access internet.

 

Speeds yesterday were horrible and there was significant lag time in connections.  Speed is better this morning and this evening. 

 

Also, now only one Malwarebytes icon shows in tray since Saturday.  Did not do anything to change that.

 

The adware cleanup tool showed StumbleUpon in the scan however I unchecked that as I use this program for promotion/advertising purposes for my business.

 

Thanks and let me know what's next.JRT.txtAdwCleanerR1.txtAdwCleanerS1.txt

[gringo_pr]

Hello Debbi

I Would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.

• Link 1

  Link 2

  Link 3

1. Close any open browsers or any other programs that are open.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.

When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"

• In your next post I need the following
• Log from Combofix
• let me know of any problems you may have had
• How is the computer doing now?

Gringo

[Debbi]

Good evening.  Combofix found one infection.  Log attached. 

 

Has there been a work around or update that will allow  real time malicious web site protection in the Mbam program?

 

ComboFix.txt

 

What exactly was that infection and can you tell how it came through?  And how to prevent future invasions?

 

There are still lag times on connecting to websites. Not as bad as it was though. 

 

Thanks!

 

 

[gringo_pr]

I would like to try reinstalling Malwarebytes Antimalware at this time.

To completely remove Malwarebytes Antimalware you will first need you will need to uninstall it from the control panel in (XP) add/remove and in (Vista and later) program and features

Then I want you to run our cleanup tool that will remove any traces that is left over.

http://downloads.malwarebytes.org/file/mbam_clean

Now to reinstall Malwqarebytes Antimalware

1.Download Malwarebytes Anti-Malware 2.0 at http://downloads.malwarebytes.org/file/mbam

2.After downloading, double-click the downloaded file to get started.

3.Choose Yes if the User Account Control dialog appears.

4.The installation wizard will now appear to guide you through the upgrade process.

5.Click on Next.

6.Review and accept the license agreement, then click Next.

7.Review the latest changes made to Malwarebytes Anti-Malware, then click Next.

8.Choose where to install Malwarebytes Anti-Malware, then click Next.

9.Choose whether or not to have a Start Menu entry and its name, then click Next.

10.Choose if you want a desktop icon, then click Next.

11.Review your installation choices, then click Install.

12.The wizard will begin to install the files.

13.After upgrading, you will have the option to enable a free trial of Malwarebytes Anti-Malware Premium.

To see a video on how to do this - https://helpdesk.malwarebytes.org/hc/en-us/articles/202325618

You will need to add you ID and Key back to activate the premium features

[Debbi]

ok.  McAfee disabled and Mbam uninstalled and mbam clean run.  Reinstalled using the link you gave.  Update would not complete.  Turned off malicious website protection and update completed.  Reinstated McAfee.  So we are still in the same position for that. Did not need to update the regsitry/account as they are still there.

[gringo_pr]

Hello Debbi

Very strange

I would like you to rerun FRST for me and send me a new report

If you cannot find it here is the link again.

Please download the Farbar Recovery Scan Tool from here:

http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/ - Click on the BLUE download buttons only - ( The GREEN ones are ads)

save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

Double-click to run it.

When the tool opens click Yes to disclaimer.

I would like for you to use these settings

Under whitelist I would like everything to be checked

Under optional scan

Only have Addition.txt select (the other three blank)

Press the Scan button.

It will make a two logs (FRST.txt) and (Addition.txt) in the same directory the tool is run from.

Please attach both reports to your reply to me

[Debbi]

Good evening!  Logs attached.

 

 

Addition.txtFRST.txt

[gringo_pr]

Lets see if the 1.75 version does the same thing

First lets remove the 2.0 version of the software

To completely remove Malwarebytes Antimalware you will first need you will need to uninstall it from the control panel in (XP) add/remove and in (Vista and later) program and features

Then I want you to run our cleanup tool that will remove any traces that is left over.

http://downloads.malwarebytes.org/file/mbam_clean

You can download the older version here - http://www.bleepingcomputer.com/download/malwarebytes-anti-malware/

Click on the blue button that says "download now" Version 1.75

Once it is installed do not check for updates yet

go to the Settings and then go to the Updater Settings tab and untick the two topmost boxes. - this will keep it from being updated to the latest version but still allow database updates

I will need to know if this clears the problem

[Debbi]

Did the uninstall, ran the cleanup, installed the 1.75 version with update unchecked.  Loaded correctly on start up and the malicious website protection appears to be working correctly.  The database is out of date 400 + days. 

 

Next step?  I am not going to update until you tell me to.  Thanks!

[gringo_pr]

Hello debbi

Make sure you do this part and allow it to update after

go to the Settings and then go to the Updater Settings tab and untick the two topmost boxes. - this will keep it from being updated to the latest version but still allow database updates

Gringo

[Debbi]

Good morning.  All is well.  The program updated in the background last night and is at vs. 2014.08.02.02 this morning.  What next?

[gringo_pr]

Hello Debbi

We have an updfate coming out this month (don't know when) I think you should keep it as 1.75 untill that update comes out and then try the update

Griongo

[Debbi]

Will this update have the newer format or look like the 1.75 in format?  Also, have we finished what we need to do and am I good to go now?

 

Did you ever figure out what infected me in that systeme32.exe file?  And was there a way to see how if came through?

 

I have been extremely proactive about keeping my computers and laptops clean and always am very careful about my activity on the internet and rarely download other than to keep programs current, etc.  I would like to know if there are further steps needed.

 

Thanks for all of your help.

[gringo_pr]

Hello

It will have the new format like 2.0 and not like 1.75

:Why we need to remove some of our tools:

• Some of the tools we have used to clean your computer were made by fellow malware fighters and are very powerful and if used incorrectly or at the wronge time can make the computer an expensive paper weight.

  They are updated all the time and some of them more than once a day so by the time you are ready to use them again they will already be outdated.

  The following procedures will implement some cleanup procedures to remove these tools. It will also reset your System Restore by flushing out previous restore points and create a new restore point. It will also remove all the backups our tools may have made.

:DeFogger:

Note** Defogger only needs to be run if it was run when we first started. If you have not already run it then skip this.

• To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK.
  Your Emulation drivers are now re-enabled.

:Uninstall ComboFix:

• turn off all active protection software
• push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
• please copy and past the following into the box ComboFix /Uninstall and click OK.
• Note the space between the X and the /Uninstall, it needs to be there.
• 

:Remove the rest of our tools:

Please download DelFix and save it to desktop. This tool will remove all the tools we used to clean your pc.

• Double-click DelFix.exe.
• select all options avalible
• Click the Run button.
• The tool will delete itself once it finishes, if not delete it by yourself.
• If asked to restart the computer, please do so

:The programs you can keep:

Some of the programs that we have used would be a good idea to keep and used often in helping to keep the computer clean. I use these programs on my computer.

• Revo Uninstaller Free - this is the uninstaller that I had you download and works allot better than add/remove in windows and has saved me more than once from corrupted installs and uninstalls

  CCleaner - This is a good program to clean out temp files, I would use this once a week or before any malware scan to remove unwanted temp files - It has a built in registry cleaner but I would leave that alone and not use any registry cleaner

  Malwarebytes' Anti-Malware The Gold standerd today in antimalware scanners

:Security programs:

One of the questions I am asked all the time is "What programs do you use" I have at this time 4 computers in my home and I have this setup on all 4 of them.

• Microsoft Security Essentials - provides real-time protection for your home PC that guards against viruses, spyware, and other malicious software.
• WinPatrol As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
• Malwarebytes' Anti-Malware Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is

  totally free but for real-time protection you will have to pay a small one-time fee. We used this to help clean your computer and recomend keeping it and using often. (I have upgraded to the paid version of MBAM and I am glad I did)

  Note** If you decide to install MSE you will need to uninstall your present Antivirus

:Security awareness:

It is good security practice to change your passwords to all your online accounts on a fairly regular basis, this is especially true after an infection. Refer to this Microsoft article

Strong passwords: How to create and use them Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.

As Java seems to get exploited on a daily basis I advise to disable java in your web browsers - How to disable java in your web browsers - Disable Java

The other question I am asked all the time is "How can I prevent this from happening again." and the short answer to that is to be aware of what is out there and how to start spotting dangers.

Here are some articles that are must reads and should be read by everybody in your household that uses the internet

• internetsafety

  Internet Safety for Kids

Here is some more reading for you from some of my colleges

• PC Safety and Security - What Do I Need? from my friends at Tech Support Forum

  COMPUTER SECURITY - a short guide to staying safer online from my friends at Malware Removal

quoted from Tech Support Forum

Conclusion

There is no such thing as ‘perfect security’. This applies to many things, not just computer systems. Using the above guide you should be able to take all the reasonable steps you can to prevent infection. However, the most important part of all this is you, the user. Surf sensibly and think before you download a file or click on a link. Take a few moments to assess the possible risks and you should be able to enjoy all the internet has to offer.

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

I Will Keep This Open For About Three Days, If Anything Comes Up - Just Come Back And Let Me Know, after that time you will have to send me a PM

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here --><-- Don't worry every little bit helps.

Gringo

[Debbi]

Thanks for all of your help!  I have run the programs and cleaned the computer.  If I have any further problems, I will get in touch with you.