DDS/GMER files

[ice_k99]

Hello,

In my last week or so I have had someone or something intercept my professional yahoo email address. It pretended to be me then sent every single one of my contacts in my email account an email redirecting them to some prescription drug website with a link (from my email address). Since then, I have noticed slower PC performance and Avast (Free) Anti-Virus has been hijacked (and this is with PC Tools Firewall Plus (Free Edition pre-installed), showing an (x) over the application icon in the bottom right hand corner of my windows Vista (laptop).

MWB was my first tool to use. It updated just fine, detected two Trojan.Agent viruses, and I removed them. My next move was to start Avast in reboot mode with a three hour scan in the scheduler task bar. It detected the same thing...and when it prompted me to take action, I deleted the first detection but accidentally pressed the up arrow in the second prompt. I wanted to be extra careful with a double scan to be sure that I removed all traces of infection, but after 4 hours and human error, I still have infection. Still infected. I think I messed that one up by doubling up MWB and Avast scheduled reboot and messing up the keyboard prompt...ugh. It said that one of my C:/Users/appdata/localLow/sun/java/deploymentDj/cache/6.0/57/1192D4F9-1960f9b7 was infected by Java:Djewers-C[trj] and C:/ProgramFiles/SpywareDoctor/avdb/temp/1192D4F9-4d6 infected by Java:Djewers-C[trj]. There is no indication now of anything wrong with my avast right now and it still has the two files in its virus chest. I messed up my keyboard prompt by pressing the up arrow my first attempt, which may have skipped it, but I ran it another time for 3 hours and it found them again...this time I just moved both of them to the virus chest. They are still sitting there.

I am in the process of running DeFogger on my Windows Vista laptop (I have two computers on my network, my laptop is my first infected priority which I am typing to you on now) and I think I will just reformat my older PC. Defogger would not "ask for reboot", but everything else went as indicated in the instruction manual for "I'm infected, what do I do now?", except the program keeps defaulting over to the same "disable, re-enable" startup menu GUI after I press disable and it says "ok"...I do not believe it is working at all (being duped by this trojan.agent?) because it will not ask me for a reboot. I still have PC Tools Firewall running along with the avast antivirus ( they start on startup of windows ) and I have the logs from running gmer, dds, and hijackthis.

If there is some assistance that I can use to go on from here I would greatly appreciate it. I really would like to keep my laptop w/o reformatting.. I will upload my zip file with my dds pasted below right now.

DDS Copy/Paste:

DDS (Ver_10-03-17.01) - NTFSx86

Run by Keith at 13:56:22.15 on Sat 08/14/2010

Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_21

Microsoft

Attach.zip.zip

hijackthis.txt

[Maniac]

Hello ice_k99! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

• The process of cleaning your system may take some time, so please be patient.
  
• Follow my instructions step by step if there is a problem somewhere, stop and tell me.
  
• Stay with the thread until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  
• Instructions that I give are for your system only!
  
• If you don't know or can't understand something please ask.
  
• Do not install or uninstall any software or hardware, while work on.
  
• Keep me informed about any changes.
  

Step 1

Please, uninstall the following applications:

1. Ask Toolbar
   

You can read, how to do this here:

• Windows XP
  
• Windows Vista
  
• Windows 7
  

Step 2

• Launch Malwarebytes' Anti-Malware
  
• Go to "Update" tab and select "Check for Updates". If an update is found, it will download and install the latest version.
  
• Go to "Scanner" tab and select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  
• Copy&Paste the entire report in your next reply.
  

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

In your next reply, please include these log(s):

1. Malwarebytes' Anti-Malware log
   
2. a new fresh DDS log only
   

[ice_k99]

Hey guys,

This is my third attempt at gaining some sort of attention from this forum. I would seriously appreciate it if someone could help me out. I am getting to the point where I want to pull my hair out and my OCD has HiJacked my brain. This really is bothering me. I know I have an infection because Avast (free edition) has been tampered with and my Avast and Windows updates won't work (just the newest Vista V. 3.5 .NET family file addition is giving me and error message for Windows Updates). As far as I can tell from the error message generated by Windows, I googled it, ran their solutions for problem solving, and it did not work.

Up until infection (as far as I know, it has been slightly bad for two weeks now), Avast (free) and PC Tools Firewall Plus have both been installed ever since day one with my computer. This is not my first serious virus, so I wanted to make sure that I kept my system protected this time around and pre-installing these programs is superior to preventing and problem solving viruses, and in the case you actually get a virus, you always have the backup logs of the programs which have been on your computer before infection, increasing file tampering analysis tools dramatically.

Since then I downloaded MWB (free), it updated just fine and detected one or two minor infections, both of which I quarantined and deleted. But, the problem was still there because in lieu of my paranoia I ran Avast's deep boot scan which found two trojan.agent horses, both of them quarantined and deleted.

Right now, my computer displays all icons and programs to be working just fine, but I know there is still something wrong. Avast won't scan, the screen saver scanner won't work that comes with the program, and it won't update because something has tampered with the startup initialization files associated with Avast.

Oh, just to be clear here, I noticed I had a virus when my yahoo email address sent out spam links to my entire contact list, more than 4 times each.

Some more information that I can provide right now is that when I googled "prg_ais-252", package prg_ais-252 is installed in my avast bootlog, one of the file changes in my boot.log file for avast, I learned about quite a serious infection from this google translated spanish forum page located at the link below:

http://translate.google.com/translate?hl=e...Ft327473-1.html

I do not wish to run 30 hours more worth of scans for nothing since obviously whatever has infected my computer is outsmarting both me and my 15 programs I have already run (in safe mode, pre-boot mode, CD boot BIOS setup mode, and normal). So, if someone could please help me out to outsmart this assimilation of my computer (something along the lines of ComboFix analysis), I would be deeply grateful.

Let me know what to do from here. I believe the only thing keeping this thing "somewhat at bay" is CCleaner cleaning the registry on Windows Vista Home Premium 32-bit SP2 Edition startup.

[ice_k99]

I sincerely apologize Borislav , I checked every day for the last three days for a response and did not notice or receive email notification. I feel bad, I am sorry that I am responding so late but I honestly did not recognize any new posts being made! I will make sure the "email notification" check box is checked this time.

After not seeing the Ask Toolbar listed in my programs that are currently installed, I ran a quick search for it, nothing popped up, and either I read more posts and deleted it already or it has hidden itself somewhere (IDK exactly..). I will work on this by trying to find it first and running the windows uninstaller on it. If that does not work, I have just downloaded Pocket KillBox! and RevoUninstaller (pro free trial) and will wait for your instructions. I just downloaded a new copy of DDS to my desktop and will run it now.

I will be posting MWB log and DDS asap.

Thank you so much for helping me!

-Keith

[ice_k99]

Geez, this is worse than I thought.

I just noticed that when I went to download MWB again, it redirects me automatically to http://fileforum.betanews.com/detail/Malwa...re/1186760019/1 instead of the CORRECT link: http://www.malwarebytes.org/mbam-download.php

Now I am really frustrated. I have to find a legitimate source to download MWB and I have clicked on five links already which redirect me to different pages for downloads, including filehippos redirected false link http://fs14.filehippo.com/7124/1423c220749...-setup-1.46.exe, which is quite elusive.

I just downloaded what seems to be a correct version from www.majorgeeks.com but I had to use the Australian link ftp://majorgeeks.mirror.internode.on.net/...-setup-1.46.exe to get the actual one (at least I think). Just noticed that half my programs install dates are the same date as today. Great. Time to clean house and then reset all my passwords.

I will try to install the Australian downloaded copy and post results from there.

[ice_k99]

Ok. Now PC Tools Firewall Plus is telling me that "Setup/Uninstall" is attempting to access the internet by using Malwarebytes' Anti-Malware with the location of the "Setup/Uninstall" program being located at C:\Windows/Temp\Is-edc40.tmp\M1.46(2).tmp with the Malwarebytes' Anti-Malware location at C:\Desktop\Mbam.exe ... I'll try renaming the exe file and see what happens...

[ice_k99]

Sorry, forgot to mention that the error code Mbam gives me is MBAM_ERROR_UPDATING (12150, 0, WinHttpQueryHeaders) when I blocked the application from updating from my .tmp location above

[ice_k99]

Malwarebytes' Anti-Malware 1.46
 www.malwarebytes.org

 Database version: 4446

 Windows 6.0.6002 Service Pack 2
 Internet Explorer 8.0.6001.18943

 8/18/2010 4:07:01 PM
 mbam-log-2010-08-18 (16-07-01).txt

 Scan type: Full scan (C:\|D:\|)
 Objects scanned: 146807
 Time elapsed: 1 hour(s), 21 minute(s), 6 second(s)

 Memory Processes Infected: 0
 Memory Modules Infected: 0
 Registry Keys Infected: 0
 Registry Values Infected: 0
 Registry Data Items Infected: 0
 Folders Infected: 0
 Files Infected: 0

 Memory Processes Infected:
 (No malicious items detected)

 Memory Modules Infected:
 (No malicious items detected)

 Registry Keys Infected:
 (No malicious items detected)

 Registry Values Infected:
 (No malicious items detected)

 Registry Data Items Infected:
 (No malicious items detected)

 Folders Infected:
 (No malicious items detected)

 Files Infected:
 (No malicious items detected)

DDS (Ver_10-03-17.01) - NTFSx86  

Run by Keith at 16:07:18.87 on Wed 08/18/2010

Internet Explorer: 8.0.6001.18943 BrowserJavaVersion: 1.6.0_21

Microsoft

[Maniac]

Thanks!

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from

Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

1. If you are using Firefox, make sure that your download settings are as follows:
   
   • Open Tools -> Options -> Main tab
     
   • Set to Always ask me where to Save the files.
     

[*]During the download, rename Combofix to Combo-Fix as follows:

[*]It is important you rename Combofix during the download, but not after.

[*]Please do not rename Combofix to other names, but only to the one indicated.

[*]Close any open browsers.

[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  
• Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  

  -----------------------------------------------------------

  
  

• Close any open browsers.
  
• WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  
• Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  
• If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  

-----------------------------------------------------------

[*]Double click on combo-Fix.exe & follow the prompts.

[*]When finished, it will produce a report for you.

[*]Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

[ice_k99]

WARNING: Combofix will disconnect your machine from the Internet as soon as it starts

That did not happen. Also, when I followed your directions to save the file, it would only save as type "binary" "Combo-Fix" to my desktop. Double clicked on it after shutting down Windows Defender, Avast, PC Tools Firewall, SpyDoctor (all properly) and a lot of prompts came up, one telling me that I had to disable my (free) version of Superantispyware's real-time anti-spyware protection, but I quote from their website

SUPERAntiSpyware FREE Edition does not have real-time anti-spyware protection

. Internet is still running on my laptop. I'm posting this from my other computer.

I'll post whatever it gives me asap..sigh.

[ice_k99]

ComboFix 10-08-18.04 - Keith 08/19/2010  17:17:24.1.2 - x86

Microsoft

[ice_k99]

Spyware Doctor says "Trojan-Downloader.Murlo" has been detected along with some minor cookie/ads threats now.

[Maniac]

Screenshot please.

[ice_k99]

Trying to give as much detail as possible:

Current Spyware Doctor status

Prompt that came up during my first run of Combo-Fix.exe from my desktop (that was saved as a "binary" file by default when I was asked to save the file from your download links to my desktop, I could not change that to Save As type "Application" as your Malwarebytes tutorial screen shot indicates

Finally, this is the screen that SHOULD have sown up after running Combo-Fix but it did not do this the first time. Nor the screen asking me to download Microsoft's recovery tool

[Maniac]

About Spyware Doctor: I really don't know how you trust and use it, everything is fine there.

About ComboFix: The log is available, the log it seems clean, it's okay.

[ice_k99]

Thank you for helping me. I appreciate this and I hope that you can use this information for additional updates to MWB PRO. There is still something infested inside my computer, however, that is trying to change my protocols for all my anti-virus programs (i.e. Avast still does not display scan settings on the "scan" tab, will not update due to "An attempt was made to load Avast with an incorrect format", PC Tools Firewall Plus keeps popping up warning signs that protocols are being transferred and altered by windows temp file locations when I run my virus programs, SUPERAntiSpyware (free) edition added two extra menu items to my start menu, one labeled "RUNAS alternate SUPERAntiSpyware start" which is probably bogus and another bogus looking one, and Combo-Fix did not even remotely run as specified on the tutorials on both this site has to reference nor the official ComboFix website tutorial - the GUI menus - despite using your exact Save As process. It - did not disconnect - Vista Home Premium from my wireless network internet, nor go through the normal routine GUI's, it loaded several pop-up warning messages in windows that asked me to stop the real-time process for the program SUPERAntiSpyware even though, I quote this again, exactly from SUPERAntiSpyware's website:

SUPERAntiSpyware FREE Edition does not have real-time anti-spyware protection.

I am reformatting after I back-up a couple things, because this is just is not right. Time for new techniques, IMO. I tried to post pictures to help illustrate the picture but there are weird things happening which I know are not normal and you say that everything is fine. I think this trojan virus has outsmarted the both of us. I hope my documentation and time spent doing my best to explain and illustrate this issue with Vista helps someone.

[ice_k99]

Remember, my yahoo email account was hijacked and spammed my entire contact list vigorously in the beginning, I am running Windows Vista Home Premium Edition, and I still cannot update Microsoft .NET Framework 3.5 Family Update (KB959209) x86

Download size: 1.4 MB

You may need to restart your computer for this update to take effect.

Update type: Important

This update is applicable to Windows Vista Service Pack 2 and Windows Server 2008 Service Pack 2. The Microsoft .NET Framework 3.5 Family Update provides compatibility roll-up updates for customer reported issues found after the release of Microsoft .NET Framework 3.5 SP1. This update is provided to you and licensed under the Windows Vista and Windows Server 2008 License Terms.

More information:

http://go.microsoft.com/fwlink/?LinkId=133330

Help and Support:

http://support.microsoft.com

[Maniac]

You should change all password for your accounts.

Sorry that I could not help you!

[ice_k99]

You should change all password for your accounts.

Sorry that I could not help you!

I will and your help is much appreciated. You will see a donation from me for your efforts. Thanks for sticking with me. --- I just reformatted both my computers. I will be changing my passwords now and calling my bank. MWB is on both my refomatted computers now which are updated regularly along with windows updates. Zone Alarm, SUPERAntiSpyware, and AVG were my top choices for security, along with some more common sense. I'm so exhausted, what a draining catastrophe this was for me, easily over 100 hours to get rid of that "parasitic" feeling. I felt so violated that it was making me sick. Even if you were not able to try very hard, I needed help badly. I am happy that this forum is here. People NEED you!

[Maniac]

We're right here, if you need help, start a new thread and will help you.

Some malware preventions:

http://forums.malwarebytes.org/index.php?showtopic=9365

Safe surfing!