
Malware running under SVCHOST.EXE



Greetings,

I'm currently running WINXP / SP3 with antivirus and Malwarebytes. Basically Malwarebytes was able to clean most of the issues. The malware seems to run as one instance of SVCHOST and will peg out the processor. Using Process Explorer I can see it opening up a TCP connection to 91.212.226.33 /24 which redirects to a DNS server and will open a browser and start trying to load a ton of other malware, not just one but many different types. The antivirus Avast seems to stop it at this point. I also null routed the IP block so it couldn't connect; however, I manually stop the one instance of svchost that is causing the issue, not the other legit ones. After a few minutes it will start back up; this time I noticed that it was opening TCP HTTP connections to other IP addresses, not the one I have null routed. Once again it will try to redirect to different websites / Google search results and it will peg out the processor. I'm not sure how to stop this from constantly restarting and pegging out the processor and redirecting to other sites that try to load malware. Both Malwarebytes and Avast have not been able to detect any issue with Quick and Detailed Scan. It seems whatever this is is hiding.

Process Explorer shows the following strings in memory. What else can I provide? Thank you for your help.

Parameters

System\CurrentControlSet\Services

nServiceMain

ServiceDll

ServiceDllUnloadOnStop

eventlog

ncacn_np

\PIPE\

DefaultRpcStackSize

AuthenticationCapabilities

ImpersonationLevel

AuthenticationLevel

CoInitializeSecurityParam

Software\Microsoft\Windows NT\CurrentVersion\Svchost

\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\

VS_VERSION_INFO

StringFileInfo

CompanyName

Microsoft Corporation

FileDescription

Generic Host Process for Win32 Services

FileVersion

5.1.2600.5512 (xpsp.080413-2111)

InternalName

svchost.exe

LegalCopyright

Microsoft Corporation. All rights reserved.

OriginalFilename

svchost.exe

ProductName

Microsoft

Windows

Operating System

ProductVersion

VarFileInfo

Translation

!This program cannot be run in DOS mode.

5Rich

.text

`.data

.rsrc

ADVAPI32.dll

KERNEL32.dll

NTDLL.DLL

RPCRT4.dll


NETAPI32.dll

ole32.dll

Netbios

CoInitializeEx

CoInitializeSecurity

ADVAPI32.dll

KERNEL32.dll

ntdll.dll

RPCRT4.dll

RegQueryValueExW

SetSecurityDescriptorDacl

SetEntriesInAclW

SetSecurityDescriptorGroup

SetSecurityDescriptorOwner

InitializeSecurityDescriptor

GetTokenInformation

OpenProcessToken

OpenThreadToken

SetServiceStatus

RegisterServiceCtrlHandlerW

RegCloseKey

RegOpenKeyExW

StartServiceCtrlDispatcherW

HeapFree

GetLastError

WideCharToMultiByte

lstrlenW

LocalFree

GetCurrentProcess

GetCurrentThread

GetProcAddress

LoadLibraryExW

LeaveCriticalSection

HeapAlloc

EnterCriticalSection

LCMapStringW

FreeLibrary

lstrcpyW

ExpandEnvironmentStringsW

lstrcmpiW

ExitProcess

GetCommandLineW

InitializeCriticalSection

GetProcessHeap

SetErrorMode

SetUnhandledExceptionFilter

RegisterWaitForSingleObject

InterlockedCompareExchange

LoadLibraryA

QueryPerformanceCounter

GetTickCount

GetCurrentThreadId

GetCurrentProcessId

GetSystemTimeAsFileTime

TerminateProcess

UnhandledExceptionFilter

LocalAlloc

lstrcmpW

DelayLoadFailureHook

NtQuerySecurityObject

RtlFreeHeap

NtOpenKey

wcscat

wcscpy

RtlAllocateHeap

RtlCompareUnicodeString

RtlInitUnicodeString

RtlInitializeSid

RtlLengthRequiredSid

RtlSubAuthoritySid

NtClose

RtlSubAuthorityCountSid

RtlGetDaclSecurityDescriptor

RtlQueryInformationAcl

RtlGetAce

RtlImageNtHeader

wcslen

RtlUnhandledExceptionFilter

RtlCopySid

RpcServerUnregisterIfEx

RpcMgmtWaitServerListen

RpcMgmtSetServerStackSize

RpcServerUnregisterIf

RpcServerListen

RpcServerUseProtseqEpW

RpcServerRegisterIf

I_RpcMapWin32Status

RpcMgmtStopServerListening

RSDS

svchost.pdb

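A check a helper could script for the situation described above (one svchost instance misbehaving while the svchost.exe binary itself shows stock Microsoft version info): this is an added example, not code from the thread or from Malwarebytes. It assumes the two registry locations named in the strings dump (the Svchost group key under Windows NT\CurrentVersion and each service's Parameters\ServiceDll value) have already been read into the dicts below, which are constructed sample data; the service name hostupd and its path are hypothetical.

```python
"""Audit svchost-hosted services: which DLL does each instance really load?

svchost.exe is a generic host; what it runs comes from the registry:
  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
      <group> = list of service names started by "svchost.exe -k <group>"
  HKLM\SYSTEM\CurrentControlSet\Services\<svc>\Parameters\ServiceDll
      the DLL svchost loads for that service
A rogue hosted service therefore tends to show up as a ServiceDll outside
system32 and/or a service name that no Svchost group lists.
"""
import ntpath
import re

# Constructed environment table, standing in for ExpandEnvironmentStrings.
ENV = {"SystemRoot": r"C:\WINDOWS"}
SYSTEM_DIR = ntpath.join(ENV["SystemRoot"], "system32").lower()

# Constructed sample of the Svchost group key (REG_MULTI_SZ values).
SVCHOST_GROUPS = {
    "netsvcs": ["wuauserv", "EventSystem", "Browser"],
    "rpcss": ["RpcSs"],
}

# Constructed sample of Services\<name> values. "hostupd" is a hypothetical
# rogue entry: hosted by svchost, DLL under a user profile, in no group.
SERVICES = {
    "wuauserv": {"ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
                 "ServiceDll": r"%SystemRoot%\system32\wuauserv.dll"},
    "RpcSs": {"ImagePath": r"%SystemRoot%\system32\svchost.exe -k rpcss",
              "ServiceDll": r"%SystemRoot%\system32\rpcss.dll"},
    "Spooler": {"ImagePath": r"%SystemRoot%\system32\spoolsv.exe"},
    "hostupd": {"ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
                "ServiceDll": r"C:\Docume~1\user\Applic~1\hostupd\hostupd.dll"},
}


def expand(path):
    """Expand %VAR% references using the constructed ENV table."""
    return re.sub(r"%(\w+)%", lambda m: ENV.get(m.group(1), m.group(0)), path)


def svchost_group(image_path):
    """Return the -k group name if ImagePath launches svchost.exe, else None."""
    parts = expand(image_path).split()  # sample paths contain no spaces
    if not parts or ntpath.basename(parts[0]).lower() != "svchost.exe":
        return None
    for i, tok in enumerate(parts):
        if tok.lower() == "-k" and i + 1 < len(parts):
            return parts[i + 1]
    return None


def audit_services(groups, services):
    """Flag svchost-hosted services whose DLL or group membership looks wrong.

    Returns a sorted list of (service_name, reason); empty means every
    svchost-hosted service passed. Non-svchost services are skipped.
    """
    findings = []
    for name, values in services.items():
        group = svchost_group(values.get("ImagePath", ""))
        if group is None:
            continue
        dll = values.get("ServiceDll")
        if not dll:
            findings.append((name, "svchost-hosted but no Parameters\\ServiceDll"))
            continue
        # On XP nearly every hosted DLL lives in system32; anything else needs a look.
        if ntpath.dirname(expand(dll)).lower() != SYSTEM_DIR:
            findings.append((name, "ServiceDll outside system32: " + dll))
        members = groups.get(group)
        if members is None:
            findings.append((name, "unknown svchost group '%s'" % group))
        elif name.lower() not in [m.lower() for m in members]:
            findings.append((name, "not listed in Svchost group '%s'" % group))
    return sorted(findings)


if __name__ == "__main__":
    for svc, reason in audit_services(SVCHOST_GROUPS, SERVICES):
        print("%-10s %s" % (svc, reason))
```

On a live XP box the same two keys can be dumped with reg query and fed into the dicts; the matching Process Explorer view is the svchost instance's command line (-k group) and its loaded DLLs.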

Hello skozar! Welcome to MalwareBytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something please ask.
  • Do not install any software or hardware while we work on this.

Step 1:

  • Launch Malwarebytes' Anti-Malware
  • Go to "Update" tab and select "Check for Updates". If an update is found, it will download and install the latest version.
  • Go to "Scanner" tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Step 2:

Download DDS and save it to your desktop from here or here or here.

Disable any script blocker, and then double click dds.scr to run the tool.

  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop. Post them back to your topic.

Step 3:

Please download the following scanning tool. GMER

  • Open the zip file and copy the file gmer.exe to your Desktop.
  • Double click on gmer.exe and run it.
  • It may take a minute to load and become available.
  • Do not make any changes. Click on the SCAN button and DO NOT use the computer while it's scanning.
  • Once the scan is done click on the SAVE button and browse to your Desktop and save the file as GMER.LOG
  • Zip up the GMER.LOG file and save it as gmerlog.zip and attach it to your reply post.
  • DO NOT directly post this log into a reply. You MUST attach it as a .ZIP file.
  • Click OK and quit the GMER program.

In your next reply, please include these log(s) in this sequence:

  1. MalwareBytes' Anti-Malware log
  2. DDS log with Attach.txt
  3. GMER log


Greetings,

Thank you for helping..

I was unable to scan the whole hard drive (files) in GMER; the system crashed. One item to note: this is a VM machine running XP.

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4063

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

5/3/2010 7:19:57 PM

mbam-log-2010-05-03 (19-19-57).txt

Scan type: Quick scan

Objects scanned: 157539

Time elapsed: 9 minute(s), 13 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

==== Disk Partitions =========================

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

Adobe Flash Player ActiveX

Adobe Reader 8.1.0

autoDOC Firebox Report Generator

avast! Free Antivirus

AxCrypt (Remove Only)

COINMSSOAP3

DataGuardian CentralControl 5.64

Google Chrome

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB979306)

Ipswitch WS_Ping ProPack Uninstall

Java 6 Update 2

Java 6 Update 3

JGsoft EditPad Pro 6 DEMO 6.3.2

Malwarebytes' Anti-Malware

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB953297)

Microsoft Office Visio Viewer 2007

Microsoft Office XP Professional with FrontPage

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft WSE 2.0 SP1 Runtime

Microsoft XML Parser and SDK

Mitel 6110 CCM Client Component Pack

Mozilla Firefox (2.0.0.6)

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

NoteTab Light 5 (Remove only)

Opera 9.23

PuTTY version 0.60

Security Task Manager 1.7h

Security Update for Windows Internet Explorer 8 (KB971961)

Security Update for Windows Internet Explorer 8 (KB981332)

Security Update for Windows Media Player (KB911564)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB968816)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player (KB979402)

Security Update for Windows Media Player 6.4 (KB925398)

Security Update for Windows Media Player 9 (KB936782)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB923689)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB969947)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971468)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975561)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978262)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979683)

Security Update for Windows XP (KB980232)

ThreatFire

TightVNC 1.3.9

Trillian

UltraVNC v1.0.2

Update for Windows Internet Explorer 8 (KB976662)

Update for Windows Internet Explorer 8 (KB980182)

Update for Windows Internet Explorer 8 (KB980302)

Update for Windows XP (KB951978)

Update for Windows XP (KB955759)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

Update for Windows XP (KB980182)

VanDyke Software SecureCRT 5.2

VMware Tools

WatchGuard Firebox System 7.3

WatchGuard Fireware 8.3

WatchGuard System Manager 8.3.1

WebFldrs XP

Windows Genuine Advantage Validation Tool (KB892130)

Windows Internet Explorer 8

Windows XP Service Pack 3

WinRAR archiver

==== End Of File ===========================

DDS (Ver_10-03-17.01) - NTFSx86

Run by skozar at 19:21:26.17 on Mon 05/03/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_03

============== Running Processes ===============

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Google Update] "c:\documents and settings\skozar\local settings\application data\google\update\GoogleUpdate.exe" /c

mRun: [sunJavaUpdateSched] "c:\program files\java\jre1.6.0_03\bin\jusched.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [VMware Tools] "c:\program files\vmware\vmware tools\VMwareTray.exe"

mRun: [VMware User Process] "c:\program files\vmware\vmware tools\VMwareUser.exe"

mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui

mRun: [ThreatFire] c:\program files\threatfire\TFTray.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll

LSP: c:\program files\vmware\vmware tools\vsock sdk\bin\win32\vsocklib.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

TCP: {B2BE8713-126F-47CF-83CA-0E7008334148} = 64.80.255.101,63.139.151.101

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\skozar\applic~1\mozilla\firefox\profiles\q74ist9d.default\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

=============== Created Last 30 ================

2010-05-02 21:37:37 59664 ----a-w- c:\windows\system32\drivers\TfSysMon.sys

2010-05-02 21:37:37 51984 ----a-w- c:\windows\system32\drivers\TfFsMon.sys

2010-05-02 21:37:37 33552 ----a-w- c:\windows\system32\drivers\TfNetMon.sys

2010-05-02 21:37:36 0 d-----w- c:\program files\ThreatFire

2010-05-02 21:37:36 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools

2010-04-28 23:22:12 0 d-----w- c:\docume~1\alluse~1\applic~1\SecTaskMan

2010-04-28 23:22:08 0 d-----w- c:\program files\Security Task Manager

2010-04-27 23:59:53 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software

2010-04-27 22:06:53 768 ----a-w- c:\windows\system32\d3d8caps.dat

2010-04-27 22:06:52 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-04-27 21:29:35 0 d-----w- c:\windows\system32\NtmsData

2010-04-27 02:32:39 0 d-----w- c:\program files\AVG

2010-04-27 02:26:33 0 d-sh--w- c:\documents and settings\skozar\IECompatCache

2010-04-27 02:17:43 16883056 ----a-w- C:\IE8-WindowsXP-x86-ENU.exe

2010-04-27 02:12:05 562840 ----a-w- C:\ChromeSetup.exe

2010-04-27 01:41:35 0 d-----w- c:\docume~1\skozar\applic~1\Malwarebytes

2010-04-27 01:41:29 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-27 01:41:27 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-27 01:41:27 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-04-27 01:41:27 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-04-27 01:40:49 319 ----a-w- C:\trojan_fakerean_exe_fix.reg

2010-04-27 01:35:22 2131808 ----a-w- C:\avg_free_stb_all_9_114_cnet.exe

2010-04-27 01:28:31 5918776 ----a-w- C:\mbam-setup-1.45.exe

2010-04-27 01:22:05 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys

2010-04-27 01:22:05 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys

2010-04-27 01:21:51 8576 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys

2010-04-27 01:21:51 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys

2010-04-27 01:21:47 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys

2010-04-27 01:21:47 8192 ----a-w- c:\windows\system32\drivers\changer.sys

2010-04-27 01:21:47 0 d-----w- c:\docume~1\skozar\applic~1\918A6495EA0DC200258A5398C198B695

2010-04-21 23:37:15 0 d-----w- C:\ios

2010-04-20 23:24:56 0 d-----w- c:\windows\system32\scripting

2010-04-20 23:24:55 0 d-----w- c:\windows\system32\en

2010-04-20 23:24:55 0 d-----w- c:\windows\l2schemas

2010-04-20 23:23:13 0 d-----w- c:\windows\network diagnostic

2010-04-20 23:17:08 0 d-sh--w- c:\documents and settings\skozar\PrivacIE

2010-04-20 23:15:35 0 d-sh--w- c:\documents and settings\skozar\IETldCache

2010-04-20 22:04:30 0 d-----w- c:\windows\system32\KB905474

2010-04-20 22:03:59 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2010-04-20 22:03:58 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll

2010-04-20 22:03:58 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll

2010-04-20 22:03:58 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2010-04-20 22:03:58 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll

2010-04-20 22:03:58 11070976 -c----w- c:\windows\system32\dllcache\ieframe.dll

2010-04-20 22:03:55 0 d-----w- c:\windows\ie8updates

2010-04-20 22:03:53 64000 -c----w- c:\windows\system32\dllcache\iecompat.dll

2010-04-20 22:03:32 0 dc-h--w- c:\windows\ie8

2010-04-20 15:21:04 272128 -c----w- c:\windows\system32\dllcache\bthport.sys

2010-04-20 15:20:55 353792 -c----w- c:\windows\system32\dllcache\srv.sys

2010-04-20 15:20:41 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys

2010-04-20 15:20:38 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

2010-04-20 15:18:36 128512 -c----w- c:\windows\system32\dllcache\dhtmled.ocx

2010-04-20 15:18:06 331776 -c----w- c:\windows\system32\dllcache\msadce.dll

2010-04-20 15:18:05 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll

2010-04-20 15:17:58 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll

2010-04-20 15:17:16 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll

2010-04-20 15:16:47 2560 ------w- c:\windows\system32\xpsp4res.dll

2010-04-20 15:16:47 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe

2010-04-20 15:16:47 1206508 -c----w- c:\windows\system32\dllcache\sysmain.sdb

2010-04-20 15:14:58 0 d-----w- c:\windows\system32\SoftwareDistribution

2010-04-20 13:53:12 2165296 ----a-r- c:\windows\system32\vmwogl32.dll

2010-04-20 13:52:55 0 d-----w- c:\program files\VMware

2010-04-20 13:52:55 0 d-----w- c:\program files\common files\VMware

2010-04-20 13:48:53 0 d-----w- c:\docume~1\skozar\applic~1\WatchGuard

2010-04-20 13:47:21 0 d-----w- c:\windows\system32\appmgmt

==================== Find3M ====================

2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll

2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll

2010-02-17 13:10:28 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-02-16 13:25:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll

============= FINISH: 19:24:28.49 ===============

Attachment: GMER.zip

Step 1:

Please, uninstall the following applications:

  1. Adobe Reader 8.1.0

You can read how to do this in:

Step 2:

Please go into the Control Panel, Add/Remove and for now remove ALL versions of JAVA

Then run this tool to help clean up any leftover Java.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it back when you reply.
    Then look for the following Java folders and if found delete them.
    C:\Program Files\Java
    C:\Program Files\Common Files\Java
    C:\Windows\Sun
    C:\Documents and Settings\All Users\Application Data\Java
    C:\Documents and Settings\All Users\Application Data\Sun\Java
    C:\Documents and Settings\username\Application Data\Java
    C:\Documents and Settings\username\Application Data\Sun\Java

Step 3:

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from

Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  • If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.
  • During the download, rename Combofix to Combo-Fix as follows:
    [image: CF_download_FF.gif]
    [image: CF_download_rename.gif]
  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

In your next reply, please include these log(s) in this sequence:

  1. JavaRa log
  2. ComboFix log

Root Admin (2 weeks later):

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
