Author Topic: Request Help for trojan removal - Combofix Log interpretation  (Read 16611 times)

Jhavey

  • Guest
Re: Request Help for trojan removal - Combofix Log interpretation
« Reply #15 on: January 03, 2010, 04:58:51 PM »
Hello Evilfantasy,
Thanks for taking on my case.

I am only able to connect with the internet in safe mode. I am unsure if my inability to update is the virus or what.
When I do as requested it states:
Contact Malwarebytes with error code 732 (12029,0).

When I first got this issue I was unable to update Malwarebytes.
When I updated it said they would not run without the latest version.
I had to download the latest version which I did. This was about 10 days ago and so as far as I knew it was up to date at the time but perhaps I only got a new version and not the latest updates?

Do not seem to be able to update now?

Went direct to site and downloaded ver 1.43 (is this the same as updates?)
I am running 1.43 now.

Ver 1.43 shows no infections, just as the previous version did?
Is the version different from being up to date?  I do not seem to be able to update ?
« Last Edit: January 03, 2010, 05:12:52 PM by Jhavey »

evilfantasy

  • Malware Removal Specialist
  • Moderator


  • Genius
  • Calm like a bomb
  • Thanked: 493
  • Experience: Experienced
  • OS: Windows 11
Re: Request Help for trojan removal - Combofix Log interpretation
« Reply #16 on: January 03, 2010, 05:39:28 PM »
Can you use Safe Mode With Networking?

If you already have ComboFix be sure to delete it and download a new copy.

Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

Link #1
Link #2

**Note:  It is important that it is saved directly to your Desktop

Close any open Web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.

Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
 
Double click combofix.exe & follow the prompts.
Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix

Jhavey

  • Guest
Re: Request Help for trojan removal - Combofix Log interpretation
« Reply #17 on: January 03, 2010, 06:22:46 PM »
I can run safemode with networking.
Erased existing combofix.exe and downloaded new.
Will not install. With browser closed it runs its small initial task bar and gets to all blue then nothing ...
Tried several times.

update:
Renamed combofix.exe to another name and this allowed it to run.  It stopped installing saying AVAST was running and to stop avast first.
   My start task window has been hidden by the virus and I could not find AVAST running so I told it to continue anyways.
   What should I look for in the task manager window for avast?
Posted log. I know it says Avast is running and Comodo also. I need to know how to turn these off since my start task window is no longer working. What should I disable in task manager?
When I opened Avast it said it was disabled?

No apparent change in computer operation.

[Saving space, attachment deleted by admin]
« Last Edit: January 03, 2010, 06:51:08 PM by Jhavey »

evilfantasy

Re: Request Help for trojan removal - Combofix Log interpretation
« Reply #18 on: January 03, 2010, 06:50:56 PM »
Try not to restart the computer until one of the tools we use does it for you or tells you to.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
 
There are 4 different versions. If one of them won't run then download and try to run the next one.
 
Vista and Windows 7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

* Rkill.com
* Rkill.scr
* Rkill.pif
* Rkill.exe

* Double-click on the Rkill desktop icon to run the tool.
* If using Vista or Windows 7 right-click on it and choose Run As Administrator.
* A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
* If not, delete the file, then download and use the one provided in Link 2.
* If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
* Do not reboot until instructed.
* If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run then try to immediately run the following.

 
Download and run exeHelper

* Please download exeHelper from Raktor to your desktop.
* Double-click on exeHelper.com to run the fix.
* A black window should pop up, press any key to close once the fix is completed.
* A log file named log.txt will be created in the directory where you ran exeHelper.com
* Attach the log.txt file to your next message.

Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

----------

Now try ComboFix again.

Jhavey

  • Guest
Re: Request Help for trojan removal - Combofix Log interpretation
« Reply #19 on: January 03, 2010, 08:24:18 PM »
Ran ok it seems here is the log and I will now attempt Combofix.

Can you please tell me what processes to stop in task manager that correspond with AVast and Comodo?   
As I said my lower right hand task bar (start ups) does not show and so I cannot see avast or Comodo to stop them there.

Tried to run Combofix and once again it says Avast is running.  When I open avast it says it is disabled.
How can I shut it down, and also Comodo if I need to?

Running Combofix now but not sure if it will be the log you want with Avast running?

update:
Combo ran until the Preparing the log step and then hung up.  Waited > 20 minutes then terminated.
Boot up to normal mode and nothing has changed. Still have no permissions to run programs and no start task bar loaded.


[Saving space, attachment deleted by admin]
« Last Edit: January 03, 2010, 08:55:25 PM by Jhavey »

evilfantasy

Re: Request Help for trojan removal - Combofix Log interpretation
« Reply #20 on: January 03, 2010, 09:12:39 PM »
Try ComboFix again. Don't worry about the Avast warnings.

Jhavey

  • Guest
Re: Request Help for trojan removal - Combofix Log interpretation
« Reply #21 on: January 04, 2010, 11:38:19 AM »
Came home from work at lunch in order to run combofix again.

It runs for about 10 minutes and in that time it does > 50 steps printed to screen.

It then goes into " Preparing log report. Do not run any other programs until combofix has finished."

I would expect that report generation to complete rather quickly. Do not know how long to wait.
I gave it 20 minutes (total run time of 30 minutes) and it did not complete?
Should I have waited longer?   I was pretty sure when I ran it days ago (when it ran OK) that it completed much quicker than this?

At this point if I try to run task manager it will not run so I think computer is hung to some extent.

Ran once again in safe mode with networking on and it finished ok.  Does this program require networking?

Log attached.



[Saving space, attachment deleted by admin]
« Last Edit: January 04, 2010, 11:57:41 AM by Jhavey »

evilfantasy

Re: Request Help for trojan removal - Combofix Log interpretation
« Reply #22 on: January 04, 2010, 12:35:55 PM »
1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KillAll::

Driver::
Cl90udccd
Helcdw5x
jswmidin

File::
c:\docume~1\KARENH~1\LOCALS~1\Temp\jswmidin.sys

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]

[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze
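
Added example, not part of the original post or of ComboFix: a small Python reader for the CFScript posted above, which lists what the script asks ComboFix to remove so it can be checked before it is dragged onto ComboFix.exe. It assumes only the layout visible in the post (a `Name::` header followed by its entries, and `[-KEY]` lines under `Registry::`); the function names `parse_cfscript` and `review` are hypothetical.

```python
import re

# CFScript text from the reply above (blank lines dropped; the parser skips them anyway).
CFSCRIPT = r"""KillAll::
Driver::
Cl90udccd
Helcdw5x
jswmidin
File::
c:\docume~1\KARENH~1\LOCALS~1\Temp\jswmidin.sys
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"""
SECTION = re.compile(r"^([A-Za-z]+)::$")  # assumed header form: a word followed by '::'

def parse_cfscript(text):
    """Group non-blank lines under the 'Name::' header that precedes them."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        header = SECTION.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections

def review(sections):
    """List what the script asks to remove, so it can be checked before use."""
    notes = []
    drivers = {d.lower() for d in sections.get("Driver", [])}
    for path in sections.get("File", []):
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
        tag = " (same name as a listed driver)" if stem in drivers else ""
        notes.append(f"file{tag}: {path}")
    for entry in sections.get("Registry", []):
        if entry.startswith("[-") and entry.endswith("]"):  # .reg syntax: delete key
            notes.append(f"delete key: {entry[2:-1]}")
        else:
            notes.append(f"unrecognised registry line: {entry}")
    return notes

if __name__ == "__main__":
    print("\n".join(review(parse_cfscript(CFSCRIPT))))
```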

kaveman1969



    Rookie

    Thanked: 1
    Re: Request Help for trojan removal - Combofix Log interpretation
    « Reply #23 on: January 04, 2010, 04:58:07 PM »
    Yeah, you guys are malware gurus, lol. This site is a joke. If you want real help OP go to <<link removed>>
    « Last Edit: January 04, 2010, 05:13:00 PM by SuperDave »

    kpac

    • Web moderator


    • Hacker

    • kpac®
    • Thanked: 184
    • Experience: Expert
    • OS: Windows 7
    Re: Request Help for trojan removal - Combofix Log interpretation
    « Reply #24 on: January 04, 2010, 05:09:02 PM »
    Yeah, you guys are malware gurus, lol. This site is a joke. If you want real help OP go to <<link removed>>
    Get a life. You don't like it here, leave.
    « Last Edit: January 04, 2010, 05:13:32 PM by SuperDave »

    Jhavey

    • Guest
    Re: Request Help for trojan removal - Combofix Log interpretation
    « Reply #25 on: January 04, 2010, 05:53:36 PM »
    Did as requested and seemed to go ok.
    The computer rebooted itself and when I returned it was in the normal run mode.
    There was no combofix.txt log and the computer ran same as previously - with no permissions and no run task bar.

    I rebooted to safe mode with networking and combofix started running automatically by itself at the creating a log stage.  It completed and logs attached.

    [Saving space, attachment deleted by admin]

    evilfantasy

    Re: Request Help for trojan removal - Combofix Log interpretation
    « Reply #26 on: January 04, 2010, 07:39:45 PM »
    Suspicious file scan

    Please go to Jotti's malware scan
    (If more than one file needs scanned they must be done separately and logs posted for each one)

    * Copy the file path in the below Code box:
    Code:
    c:\windows\SYSTEM32\DRIVERS\usbmm1x1.sys
    * At the upload site, click once inside the window next to Browse.
    * Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
    * Next click Submit file
    * Your file will possibly be entered into a queue which normally takes less than a minute to clear.
    * This will perform a scan across multiple different virus scanning engines.
    * Important: Wait for all of the scanning engines to complete.
    * Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.

    Jhavey

    • Guest
    « Last Edit: January 04, 2010, 09:54:17 PM by Jhavey »

    Jhavey

    • Guest
    Re: Request Help for trojan removal - Combofix Log interpretation
    « Reply #28 on: January 05, 2010, 08:03:20 AM »
    I have mentioned a few times how my start task bar no longer shows - ever since attempting to run ESET.  I see the more proper name might be the notification bar in the lower right hand corner that shows the start up processes.

    Can we at least fix this?  It bothers me that I cannot see the AVAST icons and Combofix says it is running along with Comodo?    Yet when I open the  AVAST program it says it is disabled?

    I would feel a little better if I could see the start task icons.  Are they simply hidden or is the trojan actively disabling this feature?

    evilfantasy

    Re: Request Help for trojan removal - Combofix Log interpretation
    « Reply #29 on: January 05, 2010, 08:21:28 AM »
    Run this tool please then restart the computer. http://sourceforge.net/projects/viruseffectremo/

    Then post the logs from OTL.

    Download OTL to your desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    * When the window appears, underneath Output at the top change it to Minimal Output.
    * Check the boxes beside LOP Check and Purity Check.
    * Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

    When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

    Please copy and paste the contents of these files, one at a time, into your next reply.

    Note: You may need two or more posts to fit them all in.