[RESOLVED] Recurring (and Harmful??) Malware and Spyware infections ? - Page 2

Thread: [RESOLVED] Recurring (and Harmful??) Malware and Spyware infections ?

  1. #16
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    Combofix log looks good now but....

    You're running two AV programs, AVG and Avast.
    You must uninstall one of them.
    If it is AVG, use AVG Remover: http://www.avg.com/us-en/utilities

    When done....

    How is computer doing?

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:

    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\tasks\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
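The custom-scan list above is a set of OTL file-path patterns, registry keys and directives, and the post does not say what they do. As an added example (not OTL's own code, and not part of the original post), the Python below interprets the file-path entries the way a helper reads them: it resolves the %VAR% tokens from a supplied mapping, takes the last path component as a glob, recurses when an entry ends in "/s", and implements the two `dir /b "..." | find /i " " /c` lines, which count executables whose file name contains a space. The point of most entries is that the location should contain nothing at all (a nested `system32\system32` folder, a `winn32` folder) or nothing executable (`.exe` files in Fonts), so any hit is worth a look. Registry keys, `netsvcs`, `drivers32`, `CREATERESTOREPOINT` and the `/md5start`/`/md5stop` markers are listed but not acted on; the `/x`, `/mp` and `/rs` switches are accepted and ignored because the page does not document them; and reading a bare trailing-dot name such as `bak.` as a folder is an assumption of mine. The directory tree and the entries in `SAMPLE_ENTRIES` are constructed for the demonstration.

```python
"""Interpret the file-path entries of an OTL-style custom scan list.

Added illustration, not OTL's own code.  %VAR% tokens are resolved from a
supplied mapping, the last path component is a glob, "/s" recurses, and the
'dir /b "..." | find /i " " /c' lines count executables whose name contains a
space.  Registry keys and directives are listed but not acted on; the /x, /mp
and /rs switches are accepted and ignored because the page does not say what
OTL does with them.
"""
import fnmatch
import os
import re
import tempfile

_VAR = re.compile(r"%([^%]+)%")
_SWITCHES = re.compile(r"^(.*?)((?:\s+/\w+)*)\s*$")
_DIR_COUNT = re.compile(r'^dir /b "([^"]+)" \| find /i " " /c$', re.IGNORECASE)


def expand_vars(text, env):
    """Replace %NAME% case-insensitively; unknown names are left as written."""
    lower = {k.lower(): v for k, v in env.items()}
    return _VAR.sub(lambda m: lower.get(m.group(1).lower(), m.group(0)), text)


def classify(entry):
    """Bucket an entry by shape; only 'path' and 'count' entries touch the disk."""
    e = entry.strip()
    if e.upper().startswith("HKEY_"):
        return "registry"
    if _DIR_COUNT.match(e):
        return "count"
    return "directive" if e.startswith("/") or "\\" not in e else "path"


def split_switches(entry):
    """Split 'pattern [/switch ...]' into the pattern and a lower-cased switch set."""
    m = _SWITCHES.match(entry.strip())
    return m.group(1), {s.lower() for s in m.group(2).split()}


def expand_path_entry(entry, env):
    """Files matched by one entry: literal directory part, glob last component."""
    pattern, switches = split_switches(entry)
    base, name = os.path.split(expand_vars(pattern, env).replace("\\", os.sep))
    if name == "*.*":                       # Windows semantics: everything
        name = "*"
    elif name.endswith(".") and not any(c in name for c in "*?"):
        base, name = os.path.join(base, name[:-1]), "*"   # "bak." read as a folder (assumption)
    if not os.path.isdir(base):
        return []                           # location absent: nothing to report
    if "/s" in switches:
        walker = ((root, files) for root, _d, files in os.walk(base))
    else:
        walker = [(base, [f for f in os.listdir(base) if os.path.isfile(os.path.join(base, f))])]
    return sorted(os.path.join(root, f) for root, files in walker
                  for f in files if fnmatch.fnmatchcase(f.lower(), name.lower()))


def count_spaced_executables(entry, env):
    """'dir /b "<glob>" | find /i " " /c': matches whose file name contains a space."""
    glob_pattern = _DIR_COUNT.match(entry.strip()).group(1)
    return sum(" " in os.path.basename(p) for p in expand_path_entry(glob_pattern, env))


def run_scan(entries, env):
    """Collect hits, space-name counts and the entries this interpreter skips."""
    report = {"hits": {}, "counts": {}, "skipped": []}
    for entry in entries:
        kind, key = classify(entry), entry.strip()
        if kind == "path":
            found = expand_path_entry(entry, env)
            if found:
                report["hits"][key] = found
        elif kind == "count":
            report["counts"][key] = count_spaced_executables(entry, env)
        else:
            report["skipped"].append(key)
    return report


def build_sample_tree(root):
    """Constructed layout mirroring a few entries from the list; contents are dummies."""
    for rel in ("Windows/system32/notepad.exe",
                "Windows/system32/svc host.exe",          # name with a space
                "Windows/system32/system32/loader.dll",   # nested system32 should not exist
                "Windows/Fonts/update.exe",               # an executable in Fonts
                "Program Files/bak/deep/old.dll"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"MZ")
    return {"systemroot": os.path.join(root, "Windows"),
            "PROGRAMFILES": os.path.join(root, "Program Files")}


SAMPLE_ENTRIES = [
    "netsvcs",
    r"%systemroot%\Fonts\*.exe",
    r"%systemroot%\system32\system32\*.*",
    r"%PROGRAMFILES%\bak. /s",
    r'dir /b "%systemroot%\system32\*.exe" | find /i " " /c',
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU",
    "/md5start",
]


def demo():
    """Build the sample tree in a temp dir, scan it and return the report."""
    with tempfile.TemporaryDirectory() as root:
        return run_scan(SAMPLE_ENTRIES, build_sample_tree(root))


if __name__ == "__main__":
    for entry, paths in demo()["hits"].items():
        print(entry, "->", [os.path.basename(p) for p in paths])
```

Run against the constructed tree, the report lists `update.exe` for the Fonts entry, `loader.dll` for the nested `system32\system32` entry, `old.dll` for the recursive `bak.` entry, and a count of 1 for the spaced-name check (`svc host.exe`). On a real XP machine the same entries would be resolved against the real `%systemroot%` and `%PROGRAMFILES%`, and an empty report for these locations is the normal, healthy result.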

  2. #17
    Join Date
    Jun 2009
    Location
    London, UK
    Posts
    999
    Quote Originally Posted by Broni
    Combofix log looks good now but....

    You're running two AV programs, AVG and Avast.
    You must uninstall one of them.
    If it is AVG, use AVG Remover: http://www.avg.com/us-en/utilities

    When done....

    How is computer doing?

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:

    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
    I know I have two AVs installed. I installed AVAST just before I got your latest reply about using ComboFix. It seems that AVAST now has the option to install it either as a full AV program or as a back-up to my main AV (which is AVG).

    I just wanted to use a different AV to scan and see what it throws up, and got a clean bill of health. (But I did disable all AVG modules except the RootKit module that can't be disabled when I ran AVAST.)

    As for how my laptop is behaving now, it seems that on some pages of websites (like this reply page), the page extends way outside my monitor. But on the first Home page of this site, it fits within the laptop monitor view. So something must have changed and sadly makes it more inconvenient to use.

    When running OTL, the scan freezes at Scanning FireFox Setting.... I ran it twice (after uninstalling AVG with the AVG Uninstall Tool) with the same results. Perhaps I misunderstood your instruction? Do I run it the first time without pasting the text you asked me to copy and paste and then run it again with the text pasted, or just run it once with the text pasted? I did it with the text pasted and it hung at FireFox Setting. Your clarification on this will be much appreciated. Thanks.

  3. #18
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    You must uninstall one of the AV programs.
    There is no compromise here.

    When done...

    Delete your OTL file, download new one and try again.

  4. #19
    Join Date
    Jun 2009
    Location
    London, UK
    Posts
    999
    Quote Originally Posted by Broni
    You must uninstall one of the AV programs.
    There is no compromise here.

    When done...

    Delete your OTL file, download new one and try again.
    I had already deleted one AV program before I ran OTL previously. In any case, I've deleted OTL, re-downloaded it and run it again. Same problem. Freezes at Scanning FireFox Setting. So I ....

    1) Uninstalled FireFox and ran OTL again. Freezes at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{adb44c00-1b8.......


    2) Deleted OTL, re-downloaded it and ran it again. Again, it freezes at the same place!

    I've also found that every time I boot up my laptop, it now has 2 options shown:

    1) MICROSOFT RECOVERY CONSOLE, but under it, it says: Don't use this (debugger enabled)
    2) my current system - ie: Windows XP Professional.......
    3) Also, I am now unable to get into Safe Mode. After selecting Safe Mode, it freezes at the next page full of system info.
    4) and finally, I noticed that some of my settings have been changed, most noticeably, hidden files are now no longer hidden, including file extensions being visible now, etc.

    QUESTIONS:
    1) Having done all the scans as requested, were any infections detected?
    2) What did running the Fixes do? What did it fix?
    3) and what will running the OTL do, or what is it meant to do?

    (and all I wanted to know is whether that list of "infections" I posted is real or false positives, and whether they are harmful.)

    If no problems/infections have been picked up from all those scans, I'd like to try and use my restore points to restore back to the time before all the scans were done, not that I don't appreciate all the time and effort you have given on this, but I'd like to get back my original settings, etc. if I can. Besides, I'd like to know what's been done to my system.

    Any clarifications and some sort of summary of what we have done and their implications to my systems will be very much appreciated.

    By the way, what's next regarding the OTL scan ?

    Many thanks.

  5. #20
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    MICROSOFT RECOVERY CONSOLE, but under it, it says: Don't use this (debugger enabled)
    Recovery Console is a very important troubleshooting tool and it should be present on every XP computer. It was installed by Combofix.

    I am now unable to get into Safe Mode
    We'll look into it.

    hidden files are now no longer hidden, including file extensions been vissible now
    Seeing file extensions is a rather handy feature so I'd leave it as it is now. As for hidden files...
    Open Windows Explorer, go Tools>Folder options>View tab and checkmark "Do not show hidden files and folders".
    OK your way out.

    Combofix removed plenty of infections, so using System Restore at this point would be a very bad idea as some of the restore points may be infected.

    See if you can run OTL from safe mode.

  6. #21
    Join Date
    Jun 2009
    Location
    London, UK
    Posts
    999
    Quote Originally Posted by Broni
    Seeing file extensions is a rather handy feature so I'd leave it as it is now. As for hidden files...
    Open Windows Explorer, go Tools>Folder options>View tab and checkmark "Do not show hidden files and folders".
    OK your way out.

    See if you can run OTL from safe mode.
    Thanks for the clarifications on the points I raised.

    I have reset to hide the hidden files, but it seems that each time I attempt to run OTL, it resets the hidden files to show up. Same for the file extensions. Just thought you'd like to know. In fact, the ADVANCED tab in the Internet Options settings is changed each time OTL is run, even when it freezes halfway during the scan.

    I can't get into Safe Mode to run OTL. For some reason, I am no longer able to get into Safe Mode following all the scans that have been made.

    The last driver that is loaded and then freezes when trying to boot into Safe Mode is

    ....WINDOWS\system32\Drivers\Mup.sys

    But if AVG is installed, it would stop at

    ...WINDOWS\Systems32\Drivers\avgidshx.sys

    after Mup.sys is executed.

    I have googled to find a fix, but they don't seem to work.

  7. #22
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    In an attempt to fix the safe mode issue....

    Download SUPERAntiSpyware Free for Home Users:
    http://www.superantispyware.com/

    SUPERAntiSpyware has a built-in "Repairs" feature to fix policy restrictions and certain Windows settings which are sometimes targeted by malware infection. To use this feature, launch SUPERAntiSpyware.

    Click the Preferences button.
    Click the Repairs tab.
    Click on (highlight) "Repair broken SafeBoot key" and then click the Repair button.
    You may be asked to reboot your computer for the changes to take effect.

    If you upgraded SUPERAntiSpyware to version 5.0, the instructions are a little different.

    • From the Main Menu, click the Repairs button at the bottom.
    • Scroll through the Repairs list and click on (highlight) Repair broken SafeBoot key
    • Then click the Repair Selected Item button.
    • You may be asked to reboot your computer for the changes to take effect.

  8. #23
    Join Date
    Jun 2009
    Location
    London, UK
    Posts
    999
    Quote Originally Posted by Broni
    In an attempt to fix the safe mode issue....

    Download SUPERAntiSpyware Free for Home Users:
    http://www.superantispyware.com/

    SUPERAntiSpyware has a built-in "Repairs" feature to fix policy restrictions and certain Windows settings which are sometimes targeted by malware infection. To use this feature, launch SUPERAntiSpyware.

    Click the Preferences button.
    Click the Repairs tab.
    Click on (highlight) "Repair broken SafeBoot key" and then click the Repair button.
    You may be asked to reboot your computer for the changes to take effect.

    If you upgraded SUPERAntiSpyware to version 5.0, the instructions are a little different.

    • From the Main Menu, click the Repairs button at the bottom.
    • Scroll through the Repairs list and click on (highlight) Repair broken SafeBoot key
    • Then click the Repair Selected Item button.
    • You may be asked to reboot your computer for the changes to take effect.
    Ran the SUPERAntiSpyware repair, but sadly it didn't fix the problem.

  9. #24
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.


    2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
      • Windows Defender
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.



    3. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.



    4. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, click on List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE: If ESET doesn't find any threats, it won't produce a log.

  10. #25
    Join Date
    Apr 2000
    Location
    Sheboygan, WI
    Posts
    53,391
    Just For Your Information:

    It is well known that when booting to safe mode it can hang for 30 minutes or more on Mup.sys. I just walk off and check back in half an hour or more, and generally the computer has continued to boot up. Just my experience with that mess.
    Like I say, JFYI.

  11. #26
    Join Date
    Jun 2009
    Location
    London, UK
    Posts
    999
    Quote Originally Posted by Broni
    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.

    Here is the first scan result - SECURITY CHECK. Next one to follow soon.

    Results of screen317's Security Check version 0.99.24
    Windows XP Service Pack 3 x86
    Internet Explorer 7 Out of date!
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Disabled!
    AVG 2012
    AVG LiveKive
    AVG 2012
    ZoneAlarm Firewall
    ZoneAlarm Free
    ZoneAlarm Security
    Antivirus up to date!
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    SUPERAntiSpyware
    CCleaner
    Java(TM) 6 Update 26
    Out of date Java installed!
    Adobe Flash Player 11.2.202.235
    Adobe Reader X (10.1.3)
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    AVG avgwdsvc.exe
    AVG avgtray.exe
    AVG avgrsx.exe
    AVG avgnsx.exe
    AVG avgemc.exe
    CheckPoint ZoneAlarm vsmon.exe
    CheckPoint ZoneAlarm zatray.exe
    ``````````End of Log````````````

  12. #27
    Join Date
    Jun 2009
    Location
    London, UK
    Posts
    999
    Quote Originally Posted by Train
    Just For Your Information:

    It is well known that when booting to safe mode it can hang for 30 minutes or more on Mup.sys. I just walk off and check back in half an hour or more, and generally the computer has continued to boot up. Just my experience with that mess.
    Like I say, JFYI.
    Hi Train,

    Thanks for the info. I am aware that it can sometimes take a while for Safe Mode to continue after it loads the drivers. The longest experience I had (on a different laptop) was about 15 minutes. But it has been quite fast on this current laptop. But I will give it another try and wait a bit longer on this and see. I've recently let it hang for about 20 minutes without any change. All the same, thanks.

  13. #28
    Join Date
    Jun 2009
    Location
    London, UK
    Posts
    999
    Quote Originally Posted by Broni
    2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
      • Windows Defender
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.
    Here is the Farbar Service Scanner report:

    Farbar Service Scanner Version: 22-06-2012 01
    Ran by Richard (administrator) on 23-06-2012 at 04:44:25
    Running from "C:\Documents and Settings\Richard\Desktop"
    Microsoft Windows XP Professional Service Pack 3 (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "EnableFirewall"=DWORD:0
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall"=DWORD:0


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Security Center:
    ============

    Windows Update:
    ============

    Windows Autoupdate Disabled Policy:
    ============================


    File Check:
    ========
    C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
    C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
    C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
    C:\WINDOWS\system32\netman.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\srsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
    C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
    C:\WINDOWS\system32\qmgr.dll => MD5 is legit
    C:\WINDOWS\system32\es.dll => MD5 is legit
    C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
    C:\WINDOWS\system32\svchost.exe => MD5 is legit
    C:\WINDOWS\system32\rpcss.dll => MD5 is legit
    C:\WINDOWS\system32\services.exe => MD5 is legit


    **** End of log ****
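The FSS log above is read by eye in the thread. As an added example (not Farbar's code, and not part of the original posts), the Python below reduces a log of this shape to the facts a helper acts on: which firewall profiles have EnableFirewall set to 0 under the keys FSS lists as "Firewall Disabled Policy", whether the "System Restore Disabled Policy" and "Windows Autoupdate Disabled Policy" sections are empty (no disabling policy present), and which File Check lines do not say "MD5 is legit". The parser relies only on the layout visible in the posted log (a title ending in ":" followed by a line of "=", registry key/value lines, and `<path> => <verdict>` lines). `SAMPLE_LOG` is constructed from the posted log with one File Check line altered to a non-matching verdict; the wording of that verdict is mine, since the posted log contains no such line.

```python
"""Summarise a Farbar Service Scanner (FSS) log.

Added example, not Farbar's code.  It relies only on the layout visible in the
log posted in the thread: a section title ending in ":" followed by a line of
"=", registry key/value lines under "Firewall Disabled Policy", and
"<path> => <verdict>" lines under "File Check".  Any verdict other than
"MD5 is legit" is reported as suspect.
"""
import re

_REG_KEY = re.compile(r"^\[(HKEY_[^\]]+)\]$")
_REG_VAL = re.compile(r'^"([^"]+)"=DWORD:([0-9A-Fa-f]+)$')
_FILE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) => (?P<verdict>.+)$")

# Constructed sample modelled on the posted log; the last File Check line is
# altered so the suspect path is exercised.
SAMPLE_LOG = r"""
Farbar Service Scanner Version: 22-06-2012 01
****************************************************************

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0

System Restore Disabled Policy:
========================

Windows Autoupdate Disabled Policy:
============================

File Check:
========
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 does not match (constructed line)

**** End of log ****
"""


def split_sections(text):
    """Return {title: [non-blank body lines]} using the 'Title:' + '====' layout."""
    lines = text.splitlines()
    sections, current, i = {}, None, 0
    while i < len(lines):
        line = lines[i].strip()
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        if line and nxt and set(nxt) == {"="}:
            current = line.rstrip(":")
            sections[current] = []
            i += 2                      # skip the underline
            continue
        if current is not None and line:
            sections[current].append(line)
        i += 1
    return sections


def firewall_policy(sections):
    """Map profile name (last key component) -> EnableFirewall value."""
    values, profile = {}, None
    for line in sections.get("Firewall Disabled Policy", []):
        key = _REG_KEY.match(line)
        if key:
            profile = key.group(1).rsplit("\\", 1)[-1]
            continue
        val = _REG_VAL.match(line)
        if val and profile and val.group(1).lower() == "enablefirewall":
            values[profile] = int(val.group(2), 16)   # FSS prints 0/1; hex parse covers both
    return values


def file_check(sections):
    """Count 'MD5 is legit' files and collect (path, verdict) for everything else."""
    ok, suspect = 0, []
    for line in sections.get("File Check", []):
        m = _FILE.match(line)
        if not m:
            continue
        if m.group("verdict").strip() == "MD5 is legit":
            ok += 1
        else:
            suspect.append((m.group("path"), m.group("verdict")))
    return ok, suspect


def summarise(text):
    """Reduce a log to the handful of facts a helper actually acts on."""
    sections = split_sections(text)
    fw = firewall_policy(sections)
    ok, suspect = file_check(sections)
    return {
        "firewall_disabled_by_policy": sorted(p for p, v in fw.items() if v == 0),
        "system_restore_policy_set": bool(sections.get("System Restore Disabled Policy")),
        "autoupdate_policy_set": bool(sections.get("Windows Autoupdate Disabled Policy")),
        "files_ok": ok,
        "files_suspect": suspect,
    }


if __name__ == "__main__":
    for k, v in summarise(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

On the posted log every File Check line is "MD5 is legit", so `files_suspect` would be empty, and EnableFirewall is 0 for both profiles, which lines up with Security Check's "Windows Firewall Disabled!" earlier in the thread. With ZoneAlarm running, a disabled Windows Firewall is the expected state rather than evidence of tampering, which is why the summary reports the fact and leaves the judgement to the reader.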

  14. #29
    Join Date
    Jun 2009
    Location
    London, UK
    Posts
    999
    Quote Originally Posted by Broni
    3. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.



    4. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, click on List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE: If ESET doesn't find any threats, it won't produce a log.
    TFC ran, about 9 MB of files were deleted, and it rebooted.

    ESET scan ran. I noticed that the 2 in the D drive are programs that were downloaded but were never installed. At the end of the scan, there was an option to delete the Quarantine. So I did. Hope that is the right thing to do. Scan report as follows:

    C:\Documents and Settings\All Users\Application Data\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application cleaned by deleting - quarantined

    C:\System Volume Information\_restore{59032749-F808-4419-8175-DC7A8C7F0441}\RP2027\A0219086.dll a variant of Win32/Adware.Yontoo.B application cleaned by deleting - quarantined

    D:\Downloads\MICS INTERESTING PROG\HARD DISK Ghosting, Backup and Recovery\Selfimage\Selfimage.exe a variant of Win32/SoftonicDownloader.A application cleaned by deleting - quarantined

    D:\Downloads\TV and Internet speed\Facemoods.exe a variant of Win32/SweetIM.B application cleaned by deleting - quarantined

  15. #30
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    At this point your computer is clean so....

    In this forum, we make sure your computer is free of malware, and your computer is clean.
    Because access to the malware forum is very limited, your best option is to create a new topic about your current issue in the Windows section.
    You'll get more attention.
