Geeks to Go
A Difficult Infection to Remove - Request Help [Solved]


This topic is locked

#16 Michelle1123 (Member, Topic Starter, 26 posts)
Sorry, but another observation, in case it helps. Now in the C:\ view the ComboFix thing appears as folder proper and there is also the text file we were looking for which it made as a log. However I still find some files/apps listed which look suspicious. Uploading the screen-grab, in case this information is of any significance.

Thanks!

Attached Thumbnails

  • screenshotAug2nd_2.GIF


#17 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Progress dont'cha just love it

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
c:\windows\system32\4.tmp
c:\windows\system32\3.tmp
c:\windows\system32\960.tmp
c:\windows\system32\2C.tmp
c:\windows\system32\5D.tmp
c:\windows\zgtkg3jrsyzdb6wtgw3rh3wahhrjkae81.exe
c:\windows\xdfhs3we5sejahag2hzdehwgasfq81.exe
c:\cnuhbbf.exe
c:\windows\System32\drivers\mjm2987.sys 
c:\windows\System32\drivers\sps1f51.sys 
c:\windows\System32\drivers\bbf9fa5.sys 

Driver::
mjm2987
sps1f51
iaaadocn
xdfhs3we5sejahag2hzdehwgasfq80
zgtkg3jrsyzdb6wtgw3rh3wahhrjkae80
bbf9fa5

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"11584"=-

3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new OTListit log.

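As an added illustration (not part of Essexboy's post and not ComboFix's own code), the following Python parses a CFScript of the shape shown above into a structured manifest, so what the script will kill, delete and unregister can be reviewed before it is dropped onto ComboFix. The sample text is the script from the post. The interpretation of the sections (a line ending in "::" opens one, the lines under it are its entries) is taken from the script itself, and the reading of "name"=- under a [KEY] header as "delete that value" follows ordinary .reg file semantics. It also flags Driver:: entries that have no matching .sys path in File::, which is where a responder would look next.

```python
"""Parse a ComboFix CFScript into a structured removal manifest.

Added example, not ComboFix's own code. The syntax is taken from the script
quoted above: a line ending in '::' opens a section, the non-blank lines that
follow are its entries, and Registry:: uses .reg syntax, where '"name"=-'
under a '[KEY]' header means "delete this value".
"""
import re

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")
REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')

# Constructed sample: the CFScript posted above, used here as test input.
SAMPLE = r"""
KillAll::

File::
c:\windows\system32\4.tmp
c:\windows\system32\3.tmp
c:\windows\system32\960.tmp
c:\windows\system32\2C.tmp
c:\windows\system32\5D.tmp
c:\windows\zgtkg3jrsyzdb6wtgw3rh3wahhrjkae81.exe
c:\windows\xdfhs3we5sejahag2hzdehwgasfq81.exe
c:\cnuhbbf.exe
c:\windows\System32\drivers\mjm2987.sys
c:\windows\System32\drivers\sps1f51.sys
c:\windows\System32\drivers\bbf9fa5.sys

Driver::
mjm2987
sps1f51
iaaadocn
xdfhs3we5sejahag2hzdehwgasfq80
zgtkg3jrsyzdb6wtgw3rh3wahhrjkae80
bbf9fa5

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"11584"=-
"""


def parse_cfscript(text):
    """Return {section: [entry, ...]} in script order.

    A section with no entries (KillAll::) is kept with an empty list, so the
    caller can tell "directive present" from "directive absent".
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()              # the posted script has trailing spaces
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError("entry before any section header: %r" % line)
        else:
            sections[current].append(line)
    return sections


def parse_registry(entries):
    """Turn Registry:: lines into {key, value, action, data} records."""
    records, key = [], None
    for line in entries:
        m = REG_KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = REG_VALUE_RE.match(line)
        if not m or key is None:
            raise ValueError("malformed registry line: %r" % line)
        name, data = m.groups()
        records.append({"key": key, "value": name, "data": data,
                        "action": "delete_value" if data == "-" else "set_value"})
    return records


def drivers_without_file(sections):
    """Driver:: service names with no matching .sys in File::.

    A service entry can be removed without its binary being listed; these are
    the ones an analyst would want to locate on disk separately.
    """
    sys_names = set()
    for path in sections.get("File", []):
        base = path.rsplit("\\", 1)[-1].lower()
        if base.endswith(".sys"):
            sys_names.add(base[:-4])
    return {d for d in sections.get("Driver", []) if d.lower() not in sys_names}


if __name__ == "__main__":
    manifest = parse_cfscript(SAMPLE)
    for name, entries in manifest.items():
        print("%s: %d entries" % (name, len(entries)))
    print("registry:", parse_registry(manifest["Registry"]))
    print("drivers with no File:: entry:", sorted(drivers_without_file(manifest)))
```

Run as-is it prints the four sections, the single Run-key value deletion, and the three Driver:: names (iaaadocn and the two ending in 80) for which the script lists no .sys file.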

#18 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
OK just seen the screen grab I will handle that when the logs return :)

#19 Michelle1123 (Member, Topic Starter, 26 posts)
It does feel great to make progress as it was in the last few steps. This time however, it was not so :-(

When I executed the CFScript.txt as mentioned, by dropping it onto the ComboFix icon (it was the shortcut icon on my desktop, but that triggered ComboFix and it opened up), I fleetingly saw the message on its blue pop-up console which said something like

CFScript Error .. Loading your system(?) failed. Access Denied.

I am only sure of the part in italics verbatim. I may have got the other parts or even name of the script incorrect but it mentioned about some failed process and then said Access Denied. It then proceeded to run ComboFix through to the 50 stages. It then re-booted on its own to normal. ( I assumed I can now work in NORMAL mode unless instructed).

When it came back in NORMAL mode, I went to look for the ComboFix.txt and the other file, the OTListit Log, which you mentioned. There was no such log, and the ComboFix "Folder" was back to the application icon view, which had actually corrected last time and had showed as a proper folder. But now it has gone back to that same view and there were no files that I could post. I am assuming I should be looking for the OTListit Log also in C:\.

I am pasting my C:\ complete listing screen grab here for your reference.

Also, just an observation, in NORMAL mode which I am working in now, the system response seems to be slow (processing some external/viral scripts!?!? .. not sure but just that it seems slower than I was used to .. or so I think)

Thanks

Attached Thumbnails

  • screenshotAug2nd_3.GIF


#20 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
It's being a pain in the butt this one :) But we persevere, I will now use MBAM as a sideways approach to the final pieces. I will look at speed up when we have finished - which I feel will not be too far away

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

#21 Michelle1123 (Member, Topic Starter, 26 posts)
I was able to execute MBAM as asked and am pasting the log here. While installing it I did face an issue of which I am attaching the screenshot here.

Also, the ComboFix "Folder" icon continues to show as an application icon. I am also attaching my latest C:\ Windows Explorer screen grab for whatever it is worth here.

The log from MBAM:
----------------------------------------------------------------------
Malwarebytes' Anti-Malware 1.39
Database version: 2547
Windows 5.1.2600 Service Pack 2

8/3/2009 12:16:30 AM
mbam-log-2009-08-03 (00-16-30).txt

Scan type: Quick Scan
Objects scanned: 92512
Time elapsed: 4 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\netcard (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\netcard.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
c:\mktrrepj.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\twpq.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\wmcqqk.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\xxx\local settings\Temp\zgtkg3jrsyzdb6wtgw3rh3wahhrjkae36.log (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\xxx\local settings\Temp\1E.tmp (Trojan.Oficla) -> Quarantined and deleted successfully.
c:\documents and settings\xxx\local settings\Temp\33.tmp (Trojan.Oficla) -> Quarantined and deleted successfully.
c:\documents and settings\xxx\local settings\Temp\592.exe (TrojanProxy.Slenugga) -> Quarantined and deleted successfully.
c:\program files\windows media player\msñonfig.exe (Trojan.Banker) -> Quarantined and deleted successfully.
c:\program files\windows media player\svñhost.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\Desktop\avenger.exe (Trojan.Agnet) -> Quarantined and deleted successfully.
C:\Documents and Settings\xxx\Start Menu\Programs\Startup\santa.bat (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\KBPK031216.log (Malware.Trace) -> Quarantined and deleted successfully.
C:\xlhxx.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
-------------------------------------------------------------------------------------

Attached Thumbnails

  • screenshotAug2nd_4.GIF
  • screenshotAug2nd_5.GIF

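As an added illustration (not Malwarebytes' code and not part of Michelle1123's post), the following Python parses an MBAM 1.x log of the shape pasted above and cross-checks it: it confirms that each summary count matches the itemised list beneath it, tallies detections by signature family, and lists any entry whose recorded action is not "Quarantined and deleted successfully". The sample is the first log from the post with the empty sections after the first left out; the line formats the parser expects are assumptions drawn from that log and are marked in the code. It reads the log only; as the rest of the thread shows, a clean follow-up scan does not by itself mean the machine is behaving.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log and cross-check it.

Added example, not Malwarebytes' code. Line formats are assumed from the log
pasted above: '<Section>: <count>' summary lines, then '<Section>:' blocks
whose items read '<path> (<Detection>) -> <action>.' or '(No malicious items detected)'.
"""
import re
from collections import Counter

SUMMARY_RE = re.compile(r"^(.+ Infected): (\d+)$")
DETAIL_RE = re.compile(r"^(.+ Infected):$")
ITEM_RE = re.compile(r"^(.+?) \(([^()]+)\) -> (.+?)\.?$")
META_RE = re.compile(r"^([A-Za-z ]+): (.+)$")
CLEAN_ACTION = "Quarantined and deleted successfully"

# Constructed sample: the first MBAM log pasted above; the empty
# "(No malicious items detected)" blocks after the first are left out.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.39
Database version: 2547
Scan type: Quick Scan

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\netcard (Rootkit.Agent) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\netcard.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
c:\mktrrepj.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\twpq.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\wmcqqk.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\xxx\local settings\Temp\zgtkg3jrsyzdb6wtgw3rh3wahhrjkae36.log (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\xxx\local settings\Temp\1E.tmp (Trojan.Oficla) -> Quarantined and deleted successfully.
c:\documents and settings\xxx\local settings\Temp\33.tmp (Trojan.Oficla) -> Quarantined and deleted successfully.
c:\documents and settings\xxx\local settings\Temp\592.exe (TrojanProxy.Slenugga) -> Quarantined and deleted successfully.
c:\program files\windows media player\msñonfig.exe (Trojan.Banker) -> Quarantined and deleted successfully.
c:\program files\windows media player\svñhost.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\Desktop\avenger.exe (Trojan.Agnet) -> Quarantined and deleted successfully.
C:\Documents and Settings\xxx\Start Menu\Programs\Startup\santa.bat (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\KBPK031216.log (Malware.Trace) -> Quarantined and deleted successfully.
C:\xlhxx.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
"""


def parse_mbam_log(text):
    """Split the log into header metadata, summary counts and per-section items."""
    meta, summary, items, current = {}, {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None                      # a blank line ends a detail block
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group(1)] = int(m.group(2))
            items.setdefault(m.group(1), [])    # a missing block then shows as a mismatch
            continue
        m = DETAIL_RE.match(line)
        if m:
            current = m.group(1)
            items.setdefault(current, [])
            continue
        if current is not None:
            if line != "(No malicious items detected)":
                m = ITEM_RE.match(line)
                if not m:
                    raise ValueError("unparsed detection line: %r" % line)
                path, detection, action = m.groups()
                items[current].append({"path": path, "detection": detection, "action": action})
            continue
        m = META_RE.match(line)
        if m:
            meta[m.group(1)] = m.group(2)
        else:
            meta.setdefault("product", line)    # first free-text header line
    return {"meta": meta, "summary": summary, "items": items}


def check_counts(report):
    """Sections whose declared count differs from the itemised list: {section: (declared, listed)}."""
    found = {s: len(v) for s, v in report["items"].items()}
    return {s: (n, found.get(s, 0)) for s, n in report["summary"].items() if n != found.get(s, 0)}


def detections_by_family(report):
    """Count detections per signature name across all sections."""
    return Counter(i["detection"] for lst in report["items"].values() for i in lst)


def unresolved(report):
    """Entries MBAM did not report as quarantined and deleted; these need manual follow-up."""
    return [i for lst in report["items"].values() for i in lst if i["action"] != CLEAN_ACTION]


if __name__ == "__main__":
    report = parse_mbam_log(SAMPLE_LOG)
    print("count mismatches:", check_counts(report))
    print("by family:", dict(detections_by_family(report)))
    print("unresolved:", unresolved(report))
```

On this log the counts reconcile (1 registry key, 14 files), Trojan.Dropper is the most frequent family with four hits, and nothing is left unresolved; a second log can be run through the same functions and compared by family to see what a follow-up scan still finds.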

#22 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
OK I will now remove combofix et al

Download and run OTC This will remove the majority of tools I have used so far, once it has run could you check the Combofix folder - if it has not gone then right click it and select delete

Having done that could you then re-run MBAM and let me know all the problems you are experiencing now :)

#23 Michelle1123 (Member, Topic Starter, 26 posts)
Was able to run OTC fine. ComboFix folder has disappeared on its own.

I then ran MBAM and am pasting the log here:


-----------------------------------
Malwarebytes' Anti-Malware 1.39
Database version: 2547
Windows 5.1.2600 Service Pack 2

8/3/2009 8:37:45 AM
mbam-log-2009-08-03 (08-37-45).txt

Scan type: Quick Scan
Objects scanned: 92528
Time elapsed: 4 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
--------------------------------------------------


I used to use the AVG (Grisoft) anti-virus program, but currently it seems to have been removed some time earlier when the infection started. Am planning to get something immediately for protection. I hope I can now install it or any other anti-virus tool you may advise. Please let me know your recommended application or set of applications for future protection.

For your reference I am also attaching the screen grab of my C:\.

It seems to me that all of those suspicious files are gone, though I am not sure of some of the files/folders listed in the C:\. I have not seen any issues except that the browser response is very slow in NORMAL mode, which does not happen in SAFE mode. So, if I log in to a site, it takes a while to "load" completely before I can click on any of the links on that page. Also I have not been able to successfully download using the browser in NORMAL mode. It takes too long to prepare for the download and the download never initiates. For all the downloads you have advised in this post, I had to go to SAFE with NETWORKING mode to get the downloads done and save the utilities. I have then been logging into the system in SAFE mode after a re-boot to run those utilities. So, that's the only issue I see as of now.

Is the system now clean?

Thanks!!!!

Attached Thumbnails

  • screenshotAug3rd_1.GIF

Edited by Michelle1123, 02 August 2009 - 09:36 PM.


#24 Michelle1123 (Member, Topic Starter, 26 posts)
Although I mentioned about AVG, I later saw that I had the installation file for AVIRA and since downloading AVG would need to switch modes, I decided to try installing AVIRA thinking I can uninstall if it does not work well or if you advise for any other AV application/s.

I was able to install AVIRA in NORMAL mode and even saw its icon in the systray. It then said that the system should re-boot and I let it re-boot. When it came back in NORMAL mode after the re-boot, I did not find the AVIRA icon in the systray. I was surprised and wondered whether it is to do with the AVIRA installation or any remnants of some malware. So, I decided to un-install AVIRA from Control Panel. When I went there and tried to click on the option to un-install programs, I was thrown an error message. It was similar to the one I had seen when I had tried to change the system time earlier and then had to finally change it in the SETUP during boot. So, I decided to try changing the system date now by clicking on the time display in the systray, which is how I have been doing it in the past. I again got the same error message and it did not allow me to change the time either.

I am attaching a screenshot of the error message I got here.


Thanks

Update: Just as I finished this post I got a message from the AVIRA application, which threw up a window saying that AVIRA wants to re-boot after an update. I now also see the AVIRA icon in the systray and so assume that the delay of more than 10 minutes was due to the updater running the full update, as this was the first time and the size of the update might have been large. However, I am still not able to change the system time by clicking on the time display in the systray.

Thanks

Attached Thumbnails

  • screenshotAug3rd_2.GIF


#25 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
OK then, let's try and cure the rest of your problems with speed etc. By the way, all the folders in your screenshot are legit :)

First we will get IE8 it is faster and more secure

Download link here

Next a little spring clean

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job
  • Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean

THEN

Download and run Auslogics Disk Defragmenter


On completion of all this can you let me know of any problems that you are having

#26 Michelle1123 (Member, Topic Starter, 26 posts)
First of all thanks for your patience and helping me all through. Really, I mean it.

Now, back to the issues - and there are still some which are nagging and not making me use my laptop:

As you suggested, I downloaded IE8 and installed it. I then went ahead and downloaded TFC and tried to execute it in NORMAL mode. I was very surprised that I got a message which said I did not have sufficient privileges (something to that effect). I tried to run the defragger and got the same message.

I did not find an option to log in as administrator in the default login I have been using in NORMAL mode. I was not able to log in as a different user (admin) when I tried the logoff option, as I just did not see any other login option.

So, I re-booted and came back into my favorite SAFE with NETWORKING mode (logged in as Administrator, as I always see two user options in this mode) and executed TFC, and it went smoothly and pretty fast. It did not re-boot, but I did a system re-boot and came back to SAFE with NETWORKING mode (chose the Administrator login) and executed the defragger you advised. It ran its course and showed at the end that it saved 7.2% space.

I tried again to re-boot and work in normal mode. When I opened the browser, I was not able to work as IE was constantly being refreshed and I could barely type something; it just kept refreshing. Interestingly, this was happening a little earlier, even before the IE8 upgrade. So I can say that it is not something that happened due to the IE8 upgrade.

When I re-booted and came into SAFE with NETWORKING mode, the browser opens very well, I can see it is IE8 now and I am typing this post from the same mode.

Some other points:

1. In NORMAL mode I still get the error related to the dll for which I posted the screenshot in my previous post. That issue continues.
2. Before your last post, I noticed a few funny things, including the fact that Notepad disappeared from my system and sometimes the system would ask me which application to open it with, and I chose WordPad. This does not happen in SAFE mode.
3. Sometimes IE also closed citing some security fix requirement and acted very funny.
4. I have not been able to install any anti-virus software till now. I download and things work fine, but somehow in the last step it either does not install or I get some error message. I can get specifics if you want me to attempt this again and get you the message screenshots.
5. A program that I have had for some time was disabled and I enabled it from the Administrator login. It is now always throwing up some scan report which shows around 55+ threats. I am attaching the log that it threw last, which I captured.
6. I have a feeling that my usual login in NORMAL mode does not have Admin privileges any longer -- something I remember I used to have earlier.


Update: I am unable to attach the log file in txt or zip format, and when I try to paste it, it is not accepted as it is too long, per the error message. I will try to download WinZip and try again, as the current zip program I am using is not WinZip, but I am not sure if the site has debarred uploading .txt or .zip files. Thanks

#27 Michelle1123 (Member, Topic Starter, 26 posts)
I am not able to upload that log using WinZip either, because after I downloaded the WinZip utility and attempted to install it, I got an error message saying WinZip is not a Win32 utility. I am attaching the error message here. The "hijackthis" you see in the error message is a user-created folder name on my desktop which I have been using as a temp folder for such screen grabs.

The logs start with the following message and are really big, and I am at a loss to figure out how to share them with you. The first few lines are:

Prevx Scan Log - Version v3.0.1.65
Log Generated: 4/8/2009 00:25, Type: 0,1
Windows XP Professional Service Pack 2 (Build 2600) 32bit|1033
Some non-malicious files are not included in this log.

Attached Thumbnails

  • screenshot3Aug3rd.GIF


#28 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
There is something weird happening here. Let's investigate a bit deeper

Download avz4.zip from here
  • Unzip it to your desktop to a folder named avz4
  • Double click on AVZ.exe to run it.
  • Run an update by clicking the Auto Update button on the right of the Log window
  • Click Start to begin the update
Note: If you receive an error message, choose a different source, then click Start again


  • Start AVZ.
  • Choose from the menu "File" => "Standard scripts " and mark the "Healing/Quarantine and Advanced System Analysis" check box.
  • Click on the “Execute selected scripts”.
  • Automatic scanning, healing and system check will be executed.
  • A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
  • It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
  • All applications will work properly after the system restart.

When restarted

  • Start AVZ.
  • Choose from the menu "File" => "Standard scripts " and mark the “Advanced System Analysis" check box.
  • Click on the "Execute selected scripts".
  • A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.

Attach both zip files to your next post

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on the insert icon to insert the attachment into your post

#29 Michelle1123 (Member, Topic Starter, 26 posts)
Attaching the two files. I was not able to run AVZ in NORMAL mode and so it was all done under SAFE with NETWORKING mode.

I somehow have a feeling that all rights in the default login in NORMAL mode have been affected. I am not able to even unzip a file, which I am otherwise able to do in SAFE mode.

thanks

Attached Files



#30 Michelle1123 (Member, Topic Starter, 26 posts)
I am a novice (so, please pardon my ignorance) but was just trying to see the two syscheck files and see that there is at least one difference between this syscheck file and the one that I uploaded during the first AVZ scan. In this one, the Rundll32.exe has some changed properties. Under "Active Setup" the most recent syscheck does not have "Description" and "Manufacturer" listed while it was there when the scan was first run.

Some of the errors I have been getting when trying to change system time etc. also mentioned this dll file as I posted earlier. Is this something to be looked into further?

I am posting a visual snapshot of the details on Rundll32.exe which came in the two syschecks. I extracted the details from both of those and put them in this single view image which is attached.

Thanks

Attached Thumbnails

  • ComparisonSysCheckExtract.jpg
