
[Resolved] Unknown Virus Please Help!


This topic is locked
18 replies to this topic

#1 UsaraKa (New Member, 15 posts)

Posted 09 October 2009 - 07:12 PM

Hi, I just recently got an unknown virus that I need help getting rid of. The symptoms include popups recurring frequently while browsing the internet. CA Anti-Virus detected new viruses (I forgot to write them down so I could post them; I will do so next time). Malwarebytes does not work anymore. Every time I try to open the application it says it can't find the .exe file. I tried reinstalling the software and still the same problem. Spybot also now stalls on Virtumonde and never finishes running. I tried to remove the virus myself so I didn't have to bother you guys, but I've exhausted every resource I know. So I would really appreciate the help. Thanks.

Here is my HijackThis Log File.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:14:28 PM, on 10/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.33\QOELoader.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy2\TeaTimer.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {23B19E00-1A38-4376-AFD3-F373D7EBD6D0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: (no name) - {97470B61-BA8C-9077-F3DF-C5DECEB15C96} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: CA Toolbar Helper - {FBF2401B-7447-4727-BE5D-C19B2075CA84} - C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\Toolbar\CallingIDIE.dll
O3 - Toolbar: CA Toolbar - {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\Toolbar\CallingIDIE.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [cafw] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.33\QOELoader.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [basiwuzeb] Rundll32.exe "c:\windows\system32\tukibazi.dll",a
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy2\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1159571986060
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1199903057328
O20 - AppInit_DLLs: goradoja.dll c:\windows\system32\tukibazi.dll
O20 - Winlogon Notify: khfgfef - C:\WINDOWS\
O20 - Winlogon Notify: vtstt - C:\WINDOWS\
O21 - SSODL: depigafat - {8340ddcd-9682-442c-a196-a1e1d3cdf373} - c:\windows\system32\tukibazi.dll
O22 - SharedTaskScheduler: mujuzedij - {8340ddcd-9682-442c-a196-a1e1d3cdf373} - c:\windows\system32\tukibazi.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 10389 bytes

Edited by UsaraKa, 09 October 2009 - 07:17 PM.
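As an added illustration (not code from the thread, HijackThis or ComboFix), here is a short Python script that applies the kind of heuristics a helper uses when reading the log above to a few lines copied from it: BHO stubs with no file, rundll32 launching a random-named system32 DLL, a populated AppInit_DLLs value, and one DLL wired into several autostart sections. The heuristics, the 8-to-9-letter name pattern and the "three or more sections" threshold are this example's own assumptions, not rules of any tool.

```python
"""HijackThis (HJT) log triage for Vundo-style persistence.

Added example, not code from the forum thread, HijackThis or ComboFix.
The heuristics (random-looking lowercase DLL names in system32, '(no file)'
stubs, one DLL wired into several autostart sections) are this example's
own assumptions about what a helper looks for, not rules of any tool.
"""
import re
from collections import defaultdict

# Constructed sample: nine lines copied from the HJT log posted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {23B19E00-1A38-4376-AFD3-F373D7EBD6D0} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [basiwuzeb] Rundll32.exe "c:\windows\system32\tukibazi.dll",a
O20 - AppInit_DLLs: goradoja.dll c:\windows\system32\tukibazi.dll
O20 - Winlogon Notify: khfgfef - C:\WINDOWS\
O21 - SSODL: depigafat - {8340ddcd-9682-442c-a196-a1e1d3cdf373} - c:\windows\system32\tukibazi.dll
O22 - SharedTaskScheduler: mujuzedij - {8340ddcd-9682-442c-a196-a1e1d3cdf373} - c:\windows\system32\tukibazi.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# "O4 - body" / "R1 - body"; header and "Running processes" lines do not match.
HJT_ENTRY = re.compile(r"^([OR]\d+)\s+-\s+(.*)$")
# A DLL under system32 whose base name is 8 or 9 lowercase letters (assumption).
SYS32_DLL = re.compile(r"[a-z]:\\windows\\system32\\([a-z]{8,9})\.dll", re.I)
# rundll32 <dll>,<entry point>: the name after the comma is the export called.
RUNDLL = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+)"?,(\w+)', re.I)


def parse_entries(text):
    """Return (section, body) pairs for every HJT entry line in the log text."""
    entries = []
    for line in text.splitlines():
        m = HJT_ENTRY.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(text):
    """Run the heuristics and return a list of (section, reason, detail) findings."""
    findings = []
    dll_sections = defaultdict(set)   # dll base name -> sections that load it
    for section, body in parse_entries(text):
        detail = f"{section} - {body}"
        # 1. BHO registered but its DLL is gone: a leftover of a removed or hidden
        #    component, and a CLSID worth cross-checking in the registry.
        if section == "O2" and body.endswith("(no file)"):
            findings.append((section, "BHO with no backing file", detail))
        # 2. Run key launching rundll32 on a random-named system32 DLL.
        if section == "O4":
            m = RUNDLL.search(body)
            if m and SYS32_DLL.search(m.group(1)):
                findings.append((section, f"rundll32 loads random-named DLL, export '{m.group(2)}'", detail))
        # 3. AppInit_DLLs: every DLL listed is loaded into every process that loads user32.dll.
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            findings.append((section, "AppInit_DLLs populated", detail))
        # 4. Winlogon Notify package whose path ends at a directory, not a DLL.
        if section == "O20" and body.startswith("Winlogon Notify:") and body.rstrip().endswith("\\"):
            findings.append((section, "Winlogon Notify entry with no DLL name", detail))
        # Record which autostart sections reference each system32 DLL.
        for name in SYS32_DLL.findall(body):
            dll_sections[name.lower()].add(section)
    # 5. The same DLL wired into several autostart points is the strongest signal:
    #    removing one persistence path still leaves the others (assumed threshold: 3).
    for name, sections in sorted(dll_sections.items()):
        if len(sections) >= 3:
            findings.append(("*", f"{name}.dll referenced from {len(sections)} autostart sections",
                             ", ".join(sorted(sections))))
    return findings


if __name__ == "__main__":
    for section, reason, detail in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {detail}")
```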



#2 CatByte (Classroom Administrator, MVP, 21,060 posts)

Posted 10 October 2009 - 08:58 AM

Hi,

Please do the following:

Please download DDS from either of these links

LINK 1
LINK 2

and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.pif to run the tool.
  • When done, two DDS.txt's will open.
  • Save both reports to your desktop.
---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.


NEXT


Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in your next reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#3 UsaraKa (New Member, 15 posts)

Posted 13 October 2009 - 09:12 AM

Hi, I'll post my new symptoms first. When I was going to reply to your post, CatByte, my computer suddenly restarted and would not boot. It said Windows was not responding properly and gave me the following options: start Windows normally, start Windows with last known good configuration, safe mode, safe mode with command prompt, and safe mode with networking. I tried starting Windows with all available settings and none of them worked. So I started Windows in safe mode with networking and I canceled loading on sptd.sys + a347bus.sys. I started my browser and downloaded ComboFix and ran it. My computer will now start up normally but still suffers the same symptoms. I will also include my ComboFix log file in the post. My computer also says the following when Explorer opens: Rundll can't load the following processes: lopuheso.dll + powirimu.dll. CA Antivirus also detected a virus located in Win32/SillyDl.PRR. I've done a little searching on my own and I'm almost positive I have the Vundo trojan. The symptoms are exactly the same as the Vundo trojan and it also seems to be the new variation. On the Vundo Wikipedia article, under the infection section, second paragraph, it describes my symptoms exactly. I will attach all of the logs in my post. Thanks for the help.




#4 CatByte (Classroom Administrator, MVP, 21,060 posts)

Posted 13 October 2009 - 12:33 PM

Hi,

Please do the following:
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://forums.whatthetech.com/Unknown_Virus_Please_Help_t107514.html&view=findpost&p=602655#entry602655

Collect::
c:\windows\system32\liwadefi.dll
c:\windows\system32\nukizani.dll
c:\windows\system32\tazezela.dll
c:\windows\system32\bulimane.exe
c:\windows\system32\mevavega.dll
c:\windows\system32\rotirufe.exe
c:\windows\system32\jiwewena.dll
c:\windows\system32\reboyuti.dll
c:\windows\system32\jegulufo.exe
c:\windows\system32\bunamige.dll
c:\windows\system32\defarewo.dll
c:\windows\system32\goradoja.dll.tmp
c:\windows\system32\mebozihi.dll.tmp
c:\windows\system32\mezeweku.exe
c:\windows\system32\nozojehe.dll.tmp
c:\windows\system32\pamatuma.dll
c:\windows\system32\patafudi.dll
c:\windows\system32\pedanawe.dll
c:\windows\system32\penonoge.dll.tmp
c:\windows\system32\teyodalu.dll
c:\windows\system32\yinazeku.dll
c:\windows\system32\lopuheso.dll
c:\windows\system32\powirimu.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9a9f343e-c106-461e-8960-ee59d4b61831}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"basiwuzeb"=-
"zoyuhunimo"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfgfef]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtstt]

DDS::
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



#5 UsaraKa (New Member, 15 posts)

Posted 14 October 2009 - 09:30 AM

This seems to be one of the worst viruses I've had. I was just about to follow your instructions in your post, CatByte, and a program called Security Tool installed automatically on my computer. None of my desktop items would appear on my desktop and the computer became really slow. Then when I was about to run ComboFix a blue screen popped up saying that the computer is shutting down to prevent any further damage to the computer. I went to get a pen and paper to write down exactly what the computer screen said but it shut down too fast. I tried to run ComboFix when it restarted but it would not allow it to run. So I restarted the computer in safe mode and ran ComboFix. It seemed to run and finish correctly to my knowledge. I will attach the ComboFix log to my post. I don't know if you want me to attach my logs or just copy and paste the log into the post. It doesn't matter to me, whichever you prefer. Every time I'm about to follow your instructions something else happens to my computer. THIS VIRUS IS DRIVING ME CRAZY!!! Thanks for your help; I'll be awaiting your next instructions. I just hope that I won't be interrupted again.



Edited by UsaraKa, 14 October 2009 - 09:32 AM.


#6 CatByte (Classroom Administrator, MVP, 21,060 posts)

Posted 14 October 2009 - 11:43 AM

Hi,

please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://forums.whatthetech.com/Unknown_Virus_Please_Help_t107514.html&view=findpost&p=602903#entry602903

Collect::
c:\windows\system32\doheyesi.dll
c:\windows\system32\lahesumo.dll
c:\windows\system32\wovahova.dll
c:\windows\system32\woyadolu.exe
c:\windows\system32\zarorero.dll


DDS::
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT

Check to see if Malwarebytes is now working.

If it is not - do the following:

Download Inherit and save it to your desktop
Drag each of the exe files that you are unable to run into Inherit.exe (must be the exe - not the shortcut)
Then wait for it to say "OK"

Now run a quick scan with Malwarebytes - update it first, have it remove any infections found and post the log.



#7 UsaraKa (New Member, 15 posts)

Posted 15 October 2009 - 10:38 AM

Hey CatByte, a lot of my symptoms appear to be gone! I haven't had any more of those random pop-ups, the computer appears to be running faster, Security Tool is gone, and Malwarebytes is working properly. Malwarebytes still wasn't working after ComboFix finished, so I was going to follow your instructions to get Malwarebytes running again, but there was no .exe file for Malwarebytes anywhere! I tried reinstalling Malwarebytes previously with no success but I tried it again and it worked! When ComboFix was finishing running this prompt showed up saying "Combo Fix needs to submit malware files for further analysis. Please ensure that you're connected to the internet before clicking OK. Uploading files to server... Upload was successful." Also when ComboFix finished and the log report popped up there was nothing on the desktop. No shortcuts, no files, no taskbar, absolutely nothing. So I opened Task Manager, logged off and logged back on to my account and everything was back to normal. Thanks and I'll be awaiting your next instructions.



Edited by UsaraKa, 15 October 2009 - 10:42 AM.


#8 CatByte (Classroom Administrator, MVP, 21,060 posts)

Posted 15 October 2009 - 03:33 PM

Hi,

I had requested the first ComboFix script be uploaded also, but that one doesn't appear to have gone through, so could you please do it manually:

please do the following:

Please open this link HERE in a new window.

In the box marked Link to topic where this file was requested: please paste in the following text
http://forums.whatthetech.com/Unknown_Virus_Please_Help_t107514.html&view=findpost&p=602903#entry602903

Click the Browse button and navigate to C:\Qoobox\Quarantine

There should be a zip file there called [4]-Submit_****-**-**_**.**.**.zip ( the * denotes Date and Time stamp - it will be close to this: 10/14/2009 10:01 )

Select this file and click Open
In the Largest box please put
File Requested By CatByte
Failed Submit::

Finally click SendFile

Please return here and let me know when that file has been uploaded.



#9 UsaraKa (New Member, 15 posts)

Posted 15 October 2009 - 04:44 PM

Ok, the file was submitted successfully, CatByte. I will be awaiting your next instructions. Thanks.

#10 CatByte (Classroom Administrator, MVP, 21,060 posts)

Posted 15 October 2009 - 06:49 PM

Thanks

Please do the following:

Using Internet Explorer or Firefox, visit Kaspersky On-line Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
3. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take quite a long time to download.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.

  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply


Please also post a fresh DDS and Attach.txt and advise how your computer is running now and if there are any outstanding issues



#11 UsaraKa (New Member, 15 posts)

Posted 17 October 2009 - 05:21 PM

Hey CatByte, here are my log files. My computer seems to be running a lot better still. I've had no more pop-ups, the computer seems to be running faster, Malwarebytes works now, and no more rogue programs have installed automatically. There are however a couple of things to report that might be something. I haven't checked to see if Spybot is working again since I've just been following your instructions. The other thing is Firefox does not seem to be working properly. I don't know if it's just Firefox that's the problem or if something else is causing the problem. Firefox is not as fast as it used to be. It seems to have trouble loading things in the background like advertisements. It also just crashed all of a sudden on me, and when I ran Kaspersky Online Scanner it froze and stopped running. After that I ran Kaspersky Online Scanner with Internet Explorer and it ran all the way through without any problems. The Firefox problems are making me a little nervous because how I got the virus was browsing the internet with Firefox: it was stalling on loading something in the background like an advertisement and then boom, I got the virus and all the problems started happening. Thanks for the help and I'll be awaiting your next instructions.




#12 CatByte (Classroom Administrator, MVP, 21,060 posts)

Posted 17 October 2009 - 05:34 PM

Hi,

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://forums.whatthetech.com/Unknown_Virus_Please_Help_t107514.html&view=findpost&p=602903#entry602903

Collect::
C:\WINDOWS\system32\spool\prtprocs\w32x86\87.tmp

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


**Note**
When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.


NEXT

Visit ADOBE and download the latest version of Acrobat Reader (version 9.2)
Having the latest updates ensures there are no security vulnerabilities in your system.


NEXT


Please download JavaRa to your desktop and unzip it to its own folder.
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button.
  • Scroll down to the Java SE Runtime Environment (JRE) option.
  • Download and install the latest Java Runtime Environment (JRE) version for your computer.(version 6, update 16)


NEXT

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).



#13 UsaraKa (New Member, 15 posts)

Posted 18 October 2009 - 10:36 AM

Ok, here are my log files. After ComboFix finished I clicked OK to submit files for analysis and this is what it said: "Webserver appears to be temporarily inaccessible. For your convenience, Combofix created a submissions form located at: *C:\CF-Submit.htm." Other than that everything went fine. I'll be awaiting your next instructions. Thank you.




#14 CatByte (Classroom Administrator, MVP, 21,060 posts)

Posted 18 October 2009 - 10:46 AM

Hi,

Are you still having issues with Firefox?

If you are, then I suggest a clean uninstall and re-installation.

To completely remove Firefox from your system as though it had never been installed before, follow the steps in this tutorial HERE

This will completely remove Firefox and your old profile, so you can start afresh.

Let me know if that resolves the issue.



#15 UsaraKa (New Member, 15 posts)

Posted 18 October 2009 - 12:03 PM

Hey CatByte, Firefox seems to be running a lot better. I haven't noticed any of the issues I've had before. Would you still suggest uninstalling and reinstalling Firefox? I don't care about my old profile; I don't have anything important to save, so it wouldn't be a problem. I just need to know. The only other thing I have to report is a pop-up advertising Google Chrome opened in a new tab while browsing with Firefox. I don't know if I accidentally clicked on something to open it or if there's a problem with the pop-up itself. Other than that everything appears to be running normally. Thanks.

Edited by UsaraKa, 18 October 2009 - 12:03 PM.
