malware preventing me from opening programs or using system restore.

podwarrior1 · 04-08-2011, 04:18 PM

I'm having some problems with my computer. I can't open most programs that would help me (spybot, adaware, malwarebytes). When I try to open these I get a notification that "ana.exe" is trying to make changes and needs permission. Of course, I don't let it but the programs won't open. I can't open Firefox or Internet Explorer. I have tried to use system restore but it is shut off or something... I've never seen that before. I tried to use system restore from the boot process but it wouldn't let me.

I also get a fake Windows Security Center popup that tells me to download some security program. Any help would be greatly appreciated.

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Jordan at 18:55:37.15 on Fri 04/08/2011
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_20
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3326.2323 [GMT -4:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Lavasoft Ad-Watch Live! *Enabled/Updated* {61CDFD9D-3CAC-9270-C6FC-52325ACB795B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\rundll32.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Windows\system32\lxbkcoms.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Windows\system32\PnkBstrA.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\DllHost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWWSC.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\WUDFHost.exe
C:\Users\Jordan\AppData\Local\Temp\9E5C.tmp\MBR.DAT
C:\Windows\system32\RunDll32.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
G:\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://att.my.yahoo.com/
uInternet Settings,ProxyServer = http=127.0.0.1:33440
uInternet Settings,ProxyOverride = <local>
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [W5E7SH31DG] c:\users\jordan\appdata\local\temp\Dkv.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [Intel AppUp(SM) center] "c:\program files\intel\intelappstore\bin\serviceManager.lnk"
StartupFolder: c:\users\jordan\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\jordan\appdata\roaming\dropbox\bin\Dropbox.exe
uPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\jordan\appdata\roaming\mozilla\firefox\profiles\ij9gvy71.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - Google
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - prefs.js: network.proxy.ftp - webproxy.andrews.edu
FF - prefs.js: network.proxy.ftp_port - 3128
FF - prefs.js: network.proxy.gopher - webproxy.andrews.edu
FF - prefs.js: network.proxy.gopher_port - 3128
FF - prefs.js: network.proxy.http - webproxy.andrews.edu
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.socks - webproxy.andrews.edu
FF - prefs.js: network.proxy.socks_port - 3128
FF - prefs.js: network.proxy.ssl - webproxy.andrews.edu
FF - prefs.js: network.proxy.ssl_port - 3128
FF - prefs.js: network.proxy.type - 0
FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dvstreaming.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\users\jordan\appdata\roaming\mozilla\firefox\profiles\ij9gvy71.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.com
FF - Ext: Adobe DLM (powered by getPlus(R)): {CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7} - %profile%\extensions\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\real\realplayer\browserrecordplugin\firefox\Ext
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-6-5 64288]
R1 UGURU;UGURU;c:\windows\system32\drivers\uGuru.sys [2008-3-10 21048]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1352832]
R2 lxbk_device;lxbk_device;c:\windows\system32\lxbkcoms.exe -service --> c:\windows\system32\lxbkcoms.exe -service [?]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2010-10-16 369256]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate1c9b0a9348e6f0f;Google Update Service (gupdate1c9b0a9348e6f0f);c:\program files\google\update\GoogleUpdate.exe [2009-3-29 133104]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2009-3-8 55280]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]
S3 LTXMD_VAC;Litex Media Virtual Audio Cabel (WDM);c:\windows\system32\drivers\lmvac.sys [2008-5-14 18912]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-5-8 1343400]
.
=============== Created Last 30 ================
.
2011-04-08 20:47:18 232866 --sha-w- c:\users\jordan\appdata\local\mjg.exe
2011-04-08 20:47:17 232866 --sha-w- c:\users\jordan\appdata\local\ana.exe
2011-04-08 19:52:49 -------- d-----w- c:\users\jordan\appdata\local\javasharedresources
2011-04-08 19:50:11 161792 ----a-w- c:\windows\Dlycoa.exe
2011-04-08 19:50:04 135168 --sha-r- c:\windows\system32\KBDTH3U.dll
2011-04-08 19:41:24 -------- d--h--w- c:\program files\Zero G Registry
2011-04-08 19:41:23 -------- d--h--w- c:\users\jordan\InstallAnywhere
2011-04-08 19:39:02 -------- d-----w- c:\program files\common files\IBM
2011-04-08 19:38:30 -------- d-----w- c:\program files\IBM
2011-04-08 12

47 6792528 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{94cd7e0a-3e3a-4b07-a710-c16d683e9b46}\mpengine.dll
2011-04-03 13:52:59 -------- d-----w- c:\program files\Coder1 Software
2011-03-22 22:56:32 -------- d-----w- c:\users\jordan\appdata\roaming\Rovio
2011-03-22 12:16:14 -------- d-----w- c:\program files\Rovio
2011-03-22 12

12 -------- d-----w- c:\users\jordan\appdata\local\Intel
2011-03-18 01:28:15 11776 ----a-w- c:\program files\mozilla firefox\plugins\nprjplug.dll
2011-03-18 01:28:07 -------- d-----w- c:\program files\common files\xing shared
2011-03-18 01:28:03 150712 ----a-w- c:\program files\mozilla firefox\plugins\nppl3260.dll
2011-03-18 01:27:57 100864 ----a-w- c:\program files\mozilla firefox\plugins\nprpjplug.dll
.
==================== Find3M ====================
.
2011-04-08 19:38:10 205 ----a-w- c:\windows\system32\lsprst7.dll
2011-03-18 01:27:54 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-03-18 01:27:54 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-02-19 05:33:11 802304 ----a-w- c:\windows\system32\FntCache.dll
2011-02-19 05:32:48 1074176 ----a-w- c:\windows\system32\DWrite.dll
2011-02-19 05:32:35 739840 ----a-w- c:\windows\system32\d2d1.dll
2011-02-02 22:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-02-01 21:29:18 720896 ----a-w- c:\windows\iun6002.exe
.
============= FINISH: 19:04:17.55 ===============

RPMcMurphy · 04-10-2011, 06:27 AM

Hello and welcome. Please follow these guidelines while we work on your PC:

Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.” Absence of symptoms does not mean your machine is clean!
Please do not run any scans or install/uninstall any applications without being directed to do so.
Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Download GMER Rootkit Scanner from here to your desktop.

Double click the exe file. If asked to allow gmer.sys driver to load, please consent .
If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

Click the image to enlarge it
In the right panel, you will see several boxes that have been checked. Uncheck the following ...
- IAT/EAT
- Drives/Partition other than Systemdrive (typically C:\)
- Show All (don't miss this one)
Then click the Scan button & wait for it to finish.
Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
Save it where you can easily find it, such as your desktop, and post it in reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

If you have trouble running GEMR:

Make sure that your security software is disabled
Uncheck the box next to "Files" this time also
If you still can't run it, try in the Safe Mode

Please include the following in your next post:
GMER log

podwarrior1 · 04-10-2011, 08:28 AM

Thanks for the response! I downloaded Gmer and wasn't able to run it at first, but then I was able to run in it safe mode. Here is the log:

GMER 1.0.15.15570 - GMER - Rootkit Detector and Remover
Rootkit scan 2011-04-10 11:26:35
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdePort2 SAMSUNG_HD321KJ rev.CP100-12
Running: gmer.exe; Driver: C:\Users\Jordan\AppData\Local\Temp\uxtiqpod.sys

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13BD 82245589 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 8226A092 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[800] ntdll.dll!NtProtectVirtualMemory 778B51C0 5 Bytes JMP 001D000A
.text C:\Windows\system32\svchost.exe[800] ntdll.dll!NtWriteVirtualMemory 778B5D40 5 Bytes JMP 0032000A
.text C:\Windows\system32\svchost.exe[800] ntdll.dll!KiUserExceptionDispatcher 778B6298 5 Bytes JMP 001C000A
.text C:\Windows\system32\svchost.exe[800] ole32.dll!CoCreateInstance 76E0590C 5 Bytes JMP 003A000A
.text C:\Windows\Explorer.EXE[1152] ntdll.dll!NtProtectVirtualMemory 778B51C0 5 Bytes JMP 005A000A
.text C:\Windows\Explorer.EXE[1152] ntdll.dll!NtWriteVirtualMemory 778B5D40 5 Bytes JMP 005B000A
.text C:\Windows\Explorer.EXE[1152] ntdll.dll!KiUserExceptionDispatcher 778B6298 5 Bytes JMP 0024000A

---- Devices - GMER 1.0.15 ----

Device \Driver\ACPI_HAL \Device\00000045 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \Device\Ide\IdeDeviceP2T0L0-4 -> \??\IDE#DiskSAMSUNG_HD321KJ_________________________CP100-12#5&1b7613b3&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----

RPMcMurphy · 04-10-2011, 08:36 AM

podwarrior1:

Download TDSSKiller.zip and extract TDSSKiller.exe to your desktop

Execute TDSSKiller.exe by doubleclicking on it.
Press Start Scan
If Malicious objects are found then ensure Cure is selected. Important - If there is no option to "Cure" it is critical that you select "Skip"
Then click Continue > Reboot now
Once complete, a log will be produced in c:\. It will be named for example, TDSSKiller.2.4.0.0_24.07.2010_13.10.52_log.txt
Attach that log, please.

Download Combofix from either of the links below, and save it to your desktop.

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.

If you have trouble, stop and post back. Do not try to repeatedly run comboFix!
When finished, it will produce a report for you.

.
Please include the following in your next post:
TDSSKiller log

ComboFix log

podwarrior1 · 04-10-2011, 09:13 AM

Hey! I think that really made some progress. Both logs are attached. It got rid of ana.exe which was causing me the most problems, but also got rid of some other stuff.

Firefox is running again and my task manager processes look a lot clearer.

Let me know if there is anything else I should do! Thanks so much.

RPMcMurphy · 04-10-2011, 09:48 AM

podwarrior1:

Please do this next:

Open Notepad Go to Start> All Programs> Accessories> Notepad ( this will only work with Notepad ) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above File::

Code:

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:33440
uInternet Settings,ProxyOverride = <local>

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Please download Malwarebytes' Anti-Malware to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full Scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Uncheck any entries from C:\System Volume Information or C:\Qoobox
Be sure that everything else is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please post the results.

Please include the following in your next post:
ComboFix log

MBAM log

podwarrior1 · 04-10-2011, 11:02 AM

Ok, the two logs are attached. Got rid of some more stuff. The stuff that was in Qoobox, I realize that is quarantined, but why not remove it?

RPMcMurphy · 04-10-2011, 03:03 PM

podwarrior1:

You are correct, qoobox is the ComboFix quarantine. Occasionally ComboFix will remove something legitimate in which case procedures are available to restore them. I don't like to let other programs remove anything from there just in case I need to restore them or upload them for analysis. Once we finish we will uninstall ComboFix which will remove qoobox and everything in it.

How is your computer running now? Please do this next:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Java(TM) 6 Update 20 can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now. An update should begin; follow the prompts. If it does not, let me know.

Once the install is complete...

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)

On the General tab, under Temporary Internet Files, click the Settings button.
Next, click on the Delete Files button
There are two options in the window to clear the cache - Leave BOTH Checked
- Applications and Applets
- Trace and Log Files
Click OK on Delete Temporary Files Window

Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

Click OK to leave the Temporary Files Window
Click OK to leave the Java Control Panel.

Please run ESET Online Scanner

Place a check mark in the box YES, I accept the Terms Of Use
Click the Start button.
Now click the Install button.
Click Start. The scanner engine will initialize and update.
Do Not place a check mark in the box beside Remove found threats.
Click the Scan button. The scan will now run, please be patient.
When the scan finishes click the Details tab.
Copy and paste the contents of the C:\ProgramFiles\EsetOnlineScanner\log.txt into your next reply.

Please include the following in your next post:
How is your computer running now?

ESET log

podwarrior1 · 04-10-2011, 06:15 PM

My computer is running well again, thanks! The problems I was having before all seem to be gone. I know exactly how the problems started too...won't be making that same mistake again.

I updated Java.

I ran the ESET scanner. I don't see any "tab" options, but I did export the scan results which are attached.

RPMcMurphy · 04-10-2011, 08:01 PM

podwarrior1:

One or more of the identified infections is possibly a keylogger.

You should change all of you passwords as soon as possible. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, it would be wise to contact those same financial institutions to apprise them of your situation.

You can read this: How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

This will take care of the ESET detections that are not already quarantined:

Open notepad and copy/paste the text in the quotebox below into it:

Code:

@echo off
del "C:\Users\Jordan\AppData\Local\exohogev.dll"
del "C:\Users\Jordan\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\2265a3e1-41a176d4"
del "C:\Users\Jordan\Documents\My Games\RA2\ra2_101.exe"
del /Q %0

Save this as fix.bat Choose to "Save type as - All Files"
It should look like this:

Double click on fix.bat & allow it to run.

Now I have another update and some very important cleanup for you to take care of:

Your Adobe reader needs to be updated. Please visit Adobe's site and grab the newest version. Be sure to watch for and uncheck any boxes offering to install other software.

Uninstall ComboFix

Press the Windows key + R on your keyboard or click Start -> Run. Copy and past the following text into the run box that opens and press OK:
Combofix /Uninstall

Delete the following tools along with any other logs you saved from our work:

DDS
GMER
TDSSKiller

Download TFC to your desktop

Close any open windows.
Double click the TFC icon to run the program
TFC will close all open programs itself in order to run,
Click the Start button to begin the process.
Allow TFC to run uninterrupted.
The program should not take long to finish it's job
Once its finished it should automatically reboot your machine,
if it doesn't, manually reboot to ensure a complete clean

Install an anti-virus program. I don't see any anti-virus software running on your computer. Choose one, (but no more) reputable AV program. If you need help chosing one, this site has good information. Avast, Avira and Microsoft all offer free AV products.

Finally, I'd like to make a couple of suggestions to help you stay clean in the future:

Restart any anti-malware programs that we disabled while we were cleaning your machine.
Keep your antivirus application current and updated. Also, hang on to MBAM. Scan with them at least weekly.
Please read this post for some helpful information.

Please post once more so I know you are all set and I can mark this thread resolved. Good luck and stay safe!

podwarrior1 · 04-10-2011, 09:20 PM

Hey, many thanks. I will definitely look into getting an AV program. The few I have used in the past mostly annoyed me, took up too much system resources, or cost money. But... haven't had this serious of a problem on my computer before, so it may be time to actually get an AV program.

I am about to run TFC, and I updated Adobe Reader and uninstalled Combofix.

Glad to have my computer working again, I really appreciate all the time and help you've given to me today.

RPMcMurphy · 04-11-2011, 02:06 PM

You're welcome, podwarrior1. Take care.

**Clark76** · 04-12-2011, 05:42 PM

Since this issue appears to be resolved, this topic will now be closed. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:
NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help - Tech Support Forum