3rd May 2009, 05:21 AM
TST Member | Join Date: May 2009, 54 posts | Is My Machine 'Hacked'?
Hi Experts,
I need your help. Here's my story -
Since the first of the year I've been hanging about on a 'social-site' that has a lot of 'oddballs.' I'm sure some of them are hackers.
About the middle of last month a series of 'odd' things happened to my machine. First my clock kept getting 'screwed up' with the wrong time, then my virus checker kept turning itself off, and then I started seeing 'evidence' on this aforementioned 'social-site' that some people were 'aware' of what I was doing on my machine ... nothing 'solid' in this regard, just a 'very funny feeling' ...
Then, a week or so ago I went in to my firewall log just to begin looking around. I found a whole bunch of 'pings' from some site in Virginia about the middle of last month -- the period I mentioned above when things got a little 'strange' on my machine ... and then shortly after that no 'attempted access' events at all, which normally happen all the time -- like something had been 'turned off' someplace ... not normal at all ...
Anyway, I finally found you guys, and have read the "Malware Removal Guide - Read Before Posting" thread and followed the steps.
I can't say I have everything correct in my head as to what the programs found, but several registry keys were flagged as 'infected' and these have been 'fixed,' I guess ...
Anyway, I'll now try to upload the logs, and hope to hear something back from you before too much longer.
Best Regards,
Foggy
3rd May 2009, 05:14 PM
Security Team | Join Date: Dec 2007, 2,555 posts | Location: Tulsa, OK
Everything in the MBAM log says No action taken.
Did you remove the threats after saving the log?
3rd May 2009, 05:24 PM
TST Member | Join Date: May 2009, 54 posts
Hey !
Thanks for quick reply, EF !
Yes, I went ahead and allowed all detected problems to be fixed by whatever tool found them.
As I recall there were four 'infected' registry keys, perhaps among some other things as well. Each respective tool thought it had fixed everything it found, then I saved the logs.
3rd May 2009, 05:25 PM
TST Member | Join Date: May 2009, 54 posts
Do I need to turn off McAfee before running the tools?
3rd May 2009, 06:28 PM
Security Team | Join Date: Dec 2007, 2,555 posts | Location: Tulsa, OK
You will need to turn off McAfee to run this.
Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop. Link #1 Link #2
Note: It is important that it is saved directly to your Desktop.
Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.
Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
Double click combofix.exe & follow the prompts.
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply. Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.
Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.
If you have problems with ComboFix usage, see How to use ComboFix
3rd May 2009, 09:11 PM
TST Member | Join Date: May 2009, 54 posts | ComboFix Report
Hey EF,
After my post about McAfee, I went ahead and used msconfig to turn off all services and startups, then ran all three tools again.
The logs seem to indicate all scans came up 'clean.' Latest logs attc'd.
Did my best to run ComboFix as advised. Although all McAfee services were disabled, and the McAfee icon in the tray was not present, I still got an alert from McAfee about an 'unrecognized program' when I ran ComboFix.
I told McAfee to 'trust' the program, and then ComboFix reported it had detected McAfee running.
I tried several ways to 'completely disable' McAfee, but was not successful.
At that point, with all McAfee services disabled after yet another reboot, with no McAfee icon in the tray, as described before, I went ahead and allowed ComboFix to complete.
It generated the report which is attc'd.
Wondering what it all means at this point !
Best,
Foggy
3rd May 2009, 09:26 PM
Security Team | Join Date: Dec 2007, 2,555 posts | Location: Tulsa, OK
Quote: "After my post about McAfee, I went ahead and used msconfig to turn off all services and startups, then ran all three tools again."
You need to keep the computer in Normal Startup Mode. I have to see everything running in order to figure out what might be the problem.
But I'm not seeing anything wrong.
Run the F-Secure Online Scanner for Viruses, Spyware and RootKits.
Note: This Scanner is for Internet Explorer Only!
- Click on Online Services and then Online Scanner
- Accept the License Agreement.
- Once the ActiveX installs, Click Full System Scan
- Once the download completes, the scan will begin automatically.
- The scan will take some time to finish, so please be patient.
- When the scan completes, click the Automatic cleaning (recommended) button.
- Click the Show Report button and Copy&Paste the entire report in your next reply.
3rd May 2009, 11:00 PM
TST Member | Join Date: May 2009, 54 posts | F-Secure Scan Report
One possible issue with the F-Scan is that I recently upgraded to IE8.
I can already see from the report that it may have had a problem removing the items it found.
Also, when I clicked on the 'virus' it found, the F-Scan site had said it 'didn't match any documents' or something to that effect. If F-Scan 'found it' shouldn't there be something on the F-Scan site which 'recognizes' what it found ?
Just asking ...
Anyway, the F-Scan log is attc'd.
Best,
FL
3rd May 2009, 11:32 PM
Security Team | Join Date: Dec 2007, 2,555 posts | Location: Tulsa, OK
No it wasn't removed and it didn't give me a file path to work with so we need to look for it another way.
It's a low level threat but a threat still. We will probably need to do another online scan...
Please download SystemLook from one of the links below and save it to your desktop. Download Mirror #1 Download Mirror #2
- Double-click SystemLook.exe to run it.
- Copy the contents of the following codebox into the main textfield.
Code:
:filefind
mtrepair2.exe
mtrepair1.exe
winnb54.dll
navigationenhancer-1.dll
- Click the Look button to start the scan.
- Note: The scan may take some time so please just let it do its work and be patient (or do something else unrelated to the computer).
- When finished, a notepad window will open with the results of the scan. Please post the log. The log can also be found on your desktop entitled SystemLook.txt
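The :filefind search above, as an added example that is not SystemLook's code or anything posted in the thread: a Python script that walks a directory tree for the four filenames the Security Team listed, matching case-insensitively as Windows does, and reports path, size, last-modified time and SHA-256 for each hit so the hash can be checked against a vendor database without shipping the file. The directory tree and the decoy file it finds are constructed inside the script, so it runs offline; the function and variable names are this example's own.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Filenames taken from the SystemLook :filefind box in the thread.
WATCHLIST = ["mtrepair2.exe", "mtrepair1.exe", "winnb54.dll", "navigationenhancer-1.dll"]


def sha256_of(path, chunk=1 << 16):
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def filefind(root, names):
    """Walk `root` and return a record for every file whose name is in `names`.

    Matching is case-insensitive, as Windows filenames are. Each record carries
    the full path, size, last-modified time (UTC) and SHA-256. A file that
    cannot be read (locked, or deleted mid-walk) is reported, not skipped,
    because an unreadable file with a watched name is itself worth a look.
    """
    wanted = {n.lower() for n in names}
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for fname in filenames:
            if fname.lower() not in wanted:
                continue
            full = os.path.join(dirpath, fname)
            try:
                st = os.stat(full)
                digest = sha256_of(full)
            except OSError as exc:
                hits.append({"path": full, "error": str(exc)})
                continue
            hits.append({
                "path": full,
                "size": st.st_size,
                "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                "sha256": digest,
            })
    return hits


def format_report(hits):
    """Render the results as one tab-separated line per hit, SystemLook.txt style."""
    if not hits:
        return "No files found."
    lines = []
    for h in hits:
        if "error" in h:
            lines.append(f"{h['path']}\t(unreadable: {h['error']})")
        else:
            lines.append(f"{h['path']}\t{h['size']} bytes\t{h['mtime']}\tsha256={h['sha256']}")
    return "\n".join(lines)


def demo():
    """Build a constructed directory tree, plant one watched name, and search it."""
    root = tempfile.mkdtemp(prefix="filefind_demo_")
    nested = os.path.join(root, "Music", "cache")
    os.makedirs(nested)
    # Constructed decoy: harmless bytes under a watched name, upper-cased to show
    # that the match ignores case.
    with open(os.path.join(nested, "MTREPAIR2.EXE"), "wb") as fh:
        fh.write(b"not a real executable, constructed for the demo")
    # Constructed bystander that must not be reported.
    with open(os.path.join(root, "song.mp3"), "wb") as fh:
        fh.write(b"ID3 constructed sample")
    return filefind(root, WATCHLIST)


if __name__ == "__main__":
    print(format_report(demo()))
```

Point `filefind` at a drive root (for example `C:\`) to reproduce the SystemLook step; os.walk will take a while over a whole disk, as the post warns, and the report lists only names on the watchlist.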
4th May 2009, 01:36 AM
TST Member | Join Date: May 2009, 54 posts | SystemLook Results
Here is the systemlook log.
4th May 2009, 01:56 AM
Security Team | Join Date: Dec 2007, 2,555 posts | Location: Tulsa, OK
I kind of expected that.
This trojan is injected in audio (mp3) files so could be in a number of places on the computer.
- Click START then RUN
- Now type Combofix /u in the runbox
- Make sure there's a space between Combofix and /u
- Then hit Enter.
---------- Delete temporary files
Go to:
- Start
- Run
- type: CLEANMGR.EXE
- Press Enter.
When prompted select the C: drive and click OK.
Check the boxes for:
- Temporary Internet Files
- Downloaded Program Files
- Recycle Bin
- Temporary Files
Click OK or Enter
---------- This scanner works with Internet Explorer only!
Scan with the BitDefender Online Scanner
Click I Agree to the license and then install the ActiveX control. Please DO NOT change the Scanning Options.
That will make your logs huge and we don't need to see clean files.
Select Start Scan to begin.
This scan can take a while so please be patient and let it complete.
Once BitDefender completes the scan:
Click-on the Detected Problems tab.
Then select Click here to export the scan report
This will save a file named bdscan.html I would suggest saving it to the Desktop so you can easily find it. (take notice of where you save it so you can find it later)
You will have to upload the file online. The forums will not accept HTML.
Go to File Dropper
Click Upload
Locate the file and double click it.
Copy the link below Share This Link: and post it back here.
4th May 2009, 02:43 AM
TST Member | Join Date: May 2009, 54 posts
When I run "ComboFix /u" from the cmd line it does not uninstall itself, but just attempts to run another scan.
Please advise ...
4th May 2009, 03:17 AM
Security Team | Join Date: Dec 2007, 2,555 posts | Location: Tulsa, OK
Delete ComboFix
Delete the text file C:\combofix.txt and also delete the C:\qoobox folder.
Disable/Enable the System Restore Utility
1) Right click the My Computer icon on the Desktop and click on Properties.
2) Click on the System Restore tab.
3) Put a check mark next to Turn off System Restore on All Drives
4) Click the OK button.
5) You will be prompted to restart the computer. Click the Yes button.
Now re-enable System Restore
To re-enable the System Restore Utility, follow steps one to five and on step three remove the check mark next to 'Turn off System Restore on All Drives'.
1) Right click the My Computer icon on the Desktop and click on Properties.
2) Click on the System Restore tab.
3) Remove the check mark next to Turn off System Restore on All Drives
4) Click the OK button.
4th May 2009, 04:35 AM
TST Member | Join Date: May 2009, 54 posts
Hey EF,
Sounds like you are instructing me to totally delete all restore points ...
Before I do so, I'd like to ask a question -
Could you please say a few words about why this is necessary and where we are going with this ?
Best,
FL
4th May 2009, 04:37 AM
TST Member | Join Date: May 2009, 54 posts
In fact, it seems you may have a 'diagnosis' already in mind as to what's going on with my system.
Could you share your thoughts on the diagnosis please ?
4th May 2009, 04:41 PM
Security Team | Join Date: Dec 2007, 2,555 posts | Location: Tulsa, OK
Removing the old restore points is all I'm asking. By doing so it will leave a new restore point to where you are now. You will still be able to restore but you will only have the one restore point until more are created. Combofix /u failed and that step would have cleared the old infected restore points also. So we need to do it manually.
The BitDefender scan is going to scan your restore points, that can make the scan last very long. I'm really just trying to make it easier on you. If you would rather wait until the end then that's OK but BitDefender is going to remove any that are infected anyway.
4th May 2009, 07:24 PM
TST Member | Join Date: May 2009, 54 posts | You Guys Are Good!
Thanks for prev. reply -- I know how infuriating it can be when some idiot ( me ) is wasting your time ( you ) with a bunch of silly questions ...
Anyways, I had decided to go ahead and delete the restore points anyway, as you had previously indicated, even before your more recent reply.
Good Call !
Anyway, I then went ahead and ran the onLineScan also as you had directed in that same earlier post ...
There seems to have been a single virus found ... http://www.filedropper.com/bitDefend...5-04-2009-1508
What the F* am I paying McAfee for ? ( I mean that rhetorically, of course - but please feel free to 'chime in' with any appropriate comment as well, if you wish )
So, after reviewing the latest log, please make at least one more post with your summary of this thread, just so I'll know ( and maybe even others who read this ) are 'thinking right' about what all happened here !!
Best,
Foggy
4th May 2009, 07:37 PM
Security Team | Join Date: Dec 2007, 2,555 posts | Location: Tulsa, OK
Quote: "What the F* am I paying McAfee for ? ( I mean that rhetorically, of course - but please feel free to 'chime in' with any appropriate comment as well, if you wish )"
An antivirus is a safety net, not a brick wall. You still need to be careful as there are new files released all of the time. An antivirus is only as good as its last update and many of the new threats have to be found and added to the database then released in an update.
That said, there are plenty of free antivirus and firewalls that are just as good or better than the paid ones. Let me know if you want the links to them.
Hopefully everything is gone now.
Use the Secunia Software Inspector to check for out of date software.
- Click Start Now
- Check the box next to Enable thorough system inspection.
- Click Start
- Allow the scan to finish and scroll down to see if any updates are needed.
- Update anything listed.
----------
Go to Microsoft Windows Update and get all critical security updates. (you will need to use Internet Explorer to do this)
----------
Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources so won't slow down your PC.
I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.
SpywareBlaster - Secure your Internet Explorer to make it harder for these ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here
Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.
Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.
4th May 2009, 09:13 PM
TST Member | Join Date: May 2009, 54 posts
I was good on the Windows updates, but Secunia found 3 apps out of date - Adobe, Adobe Flash Player, and Mozilla ... so these were updated using links from the Secunia report ...
There was an 'issue' with the Mozilla update - it took 'forever' to download ( from some site in Denmark ) and when I tried to install it, the install failed immediately because of a 'corrupt file' ...
So, I just de-installed Mozilla from my machine ...
Another 'interesting' thing about the Secunia site was that after rebooting after updating and running Secunia's tool again, it still reported adobe flash player to be one release out of date, even though on Adobe - Flash Player reports that the player is up to date ...
Just thought I'd mention that ...
Thanks again for all the help, EF
4th May 2009, 09:37 PM
Security Team | Join Date: Dec 2007, 2,555 posts | Location: Tulsa, OK
There is a bug in the Adobe update process.
Download the Flash Player Uninstaller and save it to your desktop.
Run the uninstaller program and then reboot your computer to complete the uninstall.
Download and install the latest version of Flash Player