Help with infection

[southern_boy1975]

Hi, I have something stinky stuck to my system. I have been dealing with it for a few weeks now trying to use CCLeaner, MBAM, and AVG to clean it up. Not much success so far, it always seems better but then AVG warnings start up (C:\Windows\System32
svchost.exe and services.exe) for the most part. Then all the redirects on explorer start again as well. It has become very big pain  so I figured I had better reach out for some help. I am posting the logs you request, please let me know what other information you might need.
Thanks in advance for looking over them,
Jeremy

[year+ old attachment deleted by admin]

[SuperDave]

Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*************************************************************************
Download Security Check by screen317 from one of the following links and save it to your desktop.

Link 1
Link 2

* Double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.

Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
*****************************************************
Download Combofix from any of the links below, and save it to your DESKTOP. 

Link 1
Link 2
Link 3

To prevent your anti-virus application interfering with  ComboFix we need to disable it. See here for a tutorial regarding how to do so if you are unsure.

• Close any open windows and double click ComboFix.exe to run it.
  
  You will see the following image:
  

Click I Agree to start the program.

ComboFix will then extract the necessary files and you will see this:



As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to  have this pre-installed on your machine before doing any malware  removal. This will not occur in Windows Vista and 7

It will allow you to boot up into a special recovery/repair  mode that will allow us to more easily help you should your computer  have a problem after an attempted removal of malware.

If you did not have it installed, you will see the prompt below. Choose YES.



Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please Do NOT mouseclick combofix's window while its running because it may cause it to stall.

[southern_boy1975]

Dave, Here are the 2 logs you asked for. Thanks so much for looking into this!

[year+ old attachment deleted by admin]

[SuperDave]

Please do not attach your logs unless absolutely necessary. Copy and paste them in your reply(ies)

Go to Microsoft Windows Update and get all critical updates.

Update Your Java (JRE)

Old versions of Java have vulnerabilities that malware can use to infect your system.

First Verify your Java Version

If there are any other version(s) installed then update now.

Get the new version (if needed)

If your version is out of date install the newest version of the Sun Java Runtime Environment.

Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Be sure to close ALL open web browsers before starting the installation.

Remove any old versions

1. Download JavaRa and unzip the file to your Desktop.
2. Open JavaRA.exe and choose Remove Older Versions
3. Once complete exit JavaRA.

Additional Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.
**********************************************************
Please download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it



Click the "Scan" button to start scan

Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives



On completion of the scan click save log, save it to your desktop and post in your next reply
***********************************************************
Please download Rooter and Save it to your desktop.

• Double click it to start the tool.Vista and Windows7 run as administrator.
• Click Scan.
  
• Eventually, a Notepad file containing the report will open, also found at C:\Rooter.txt. Post that log in your next reply.
  

[southern_boy1975]

Wow, I was out of date..... I thought windows automatic updates was on, I dunno. Sorry about the attachment post and here are the other logs you ask for. Aswmbr did ask me if I wanted the Avast virus definitions, I checked no as I was not sure.

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-09-29 21:50:36
-----------------------------
21:50:36.051    OS Version: Windows x64 6.1.7601 Service Pack 1
21:50:36.051    Number of processors: 2 586 0x1706
21:50:36.051    ComputerName: SOUTHERN_BOY-PC  UserName: Southern_boy
21:50:38.939    Initialize success
21:50:48.846    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
21:50:48.846    Disk 0 Vendor: ST932042 SD13 Size: 305245MB BusType: 3
21:50:48.862    Disk 0 MBR read successfully
21:50:48.878    Disk 0 MBR scan
21:50:48.878    Disk 0 Windows 7 default MBR code
21:50:48.909    Disk 0 Partition 1 00     1C Hidd FAT32 LBA MSDOS5.0    10997 MB offset 63
21:50:48.924    Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS       294246 MB offset 22523130
21:50:48.956    Disk 0 scanning C:\Windows\system32\drivers
21:50:58.160    Service scanning
21:51:16.802    Modules scanning
21:51:16.817    Disk 0 trace - called modules:
21:51:16.895    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys iaStor.sys hal.dll
21:51:16.895    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004a48670]
21:51:16.911    3 CLASSPNP.SYS[fffff88001b8543f] -> nt!IofCallDriver -> [0xfffffa80046a6b30]
21:51:17.441    5 ACPI.sys[fffff88000fa27a1] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa80046bc050]
21:51:17.441    Scan finished successfully
21:51:56.675    Disk 0 MBR has been saved successfully to "C:\Users\Southern_boy\Desktop\MBR.dat"
21:51:56.691    The log file has been saved successfully to "C:\Users\Southern_boy\Desktop\aswMBR Log.txt"





Rooter.exe (v1.0.2) by Eric_71
.
The token does not have the SeDebugPrivilege privilege ! (error:1300)
Can not acquire SeDebugPrivilege !
Please run the tool as administrator ..
.
Windows 7 Home Edition (6.1.7601) Service Pack 1
[32_bits] - Intel64 Family 6 Model 23 Stepping 6, GenuineIntel
.
Error OpenService (wscsvc) : 6
Error OpenSCManager : 5
Error OpenService (MpsSvc) : 6
Windows Defender -> Enabled
User Account Control (UAC) -> Enabled
.
Internet Explorer 9.0.8112.16421
.
C:\  [Fixed-NTFS] .. ( Total:287 Go - Free:230 Go )
D:\  [CD_Rom]
.
Scan : 21:53.25
Path : C:\Users\Southern_boy\Desktop\Rooter.exe
User : Southern_boy ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
Locked System (4)
Locked smss.exe (308)
Locked avgchsva.exe (436)
Locked avgrsa.exe (480)
Locked csrss.exe (612)
Locked wininit.exe (664)
Locked csrss.exe (684)
Locked winlogon.exe (740)
Locked services.exe (780)
Locked lsass.exe (804)
Locked lsm.exe (812)
Locked svchost.exe (944)
Locked agent_x64.exe (1004)
Locked nvvsvc.exe (112)
Locked nvSCPAPISvr.exe (476)
Locked svchost.exe (596)
Locked svchost.exe (1064)
Locked svchost.exe (1104)
Locked svchost.exe (1136)
Locked audiodg.exe (1200)
Locked svchost.exe (1256)
Locked svchost.exe (1360)
Locked nvxdsync.exe (1432)
Locked nvvsvc.exe (1444)
Locked ADSMSrv.exe (1648)
Locked AsLdrSrv.exe (1684)
Locked spoolsv.exe (1864)
Locked svchost.exe (2040)
Locked SASCORE64.EXE (1508)
Locked AppleMobileDeviceService.exe (1788)
Locked taskeng.exe (1812)
Locked avgwdsvc.exe (1680)
Locked mDNSResponder.exe (1308)
Locked svchost.exe (1956)
Locked mbamscheduler.exe (1348)
______ ??>5??? (2160)
Locked taskeng.exe (2208)
______ ??>5??? (2248)
Locked ALU.exe (2288)
Locked DCHelper.exe (2300)
Locked GoogleUpdate.exe (2308)
Locked sensorsrv.exe (2320)
______ ??>5??? (2348)
Locked svchost.exe (2476)
Locked ACMON.exe (2512)
Locked ToolbarUpdater.exe (2572)
Locked HControl.exe (2720)
Locked MsgTranAgt64.exe (2728)
Locked wcourier.exe (2736)
Locked BatteryLife.exe (2744)
Locked ACEngSvr.exe (2796)
Locked YahooAUService.exe (2852)
Locked avgnsa.exe (2900)
Locked Atouch64.exe (2912)
Locked AVGIDSAgent.exe (2984)
Locked ATKOSD.exe (3092)
Locked KBFiltr.exe (3100)
Locked WDC.exe (3108)
Locked WmiPrvSE.exe (3412)
Locked TrustedInstaller.exe (3800)
______ ??>5??? (4092)
______ ??>5??? (1408)
______ C:\Users\Southern_boy\AppData\Local\MediaGet2\mediaget.exe (1092)
______ C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe (3308)
______ C:\Program Files (x86)\Yahoo!\Common\YMailAdvisor.exe (3668)
Locked SearchIndexer.exe (1708)
______ C:\Program Files (x86)\AVG\AVG10\avgtray.exe (3200)
Locked SynTPHelper.exe (1828)
______ C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe (3812)
Locked WmiPrvSE.exe (928)
Locked WmiPrvSE.exe (4148)
Locked wmpnetwk.exe (4216)
Locked WmiPrvSE.exe (4372)
______ C:\Program Files (x86)\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe (4696)
Locked svchost.exe (4956)
Locked PresentationFontCache.exe (3784)
Locked mscorsvw.exe (3080)
______ C:\Program Files (x86)\Internet Explorer\iexplore.exe (4840)
______ C:\Program Files (x86)\Internet Explorer\iexplore.exe (5104)
Locked mscorsvw.exe (5048)
______ C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_4_402_265_ActiveX.exe (4320)
Locked mbamservice.exe (5084)
______ C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe (4500)
Locked daemonu.exe (1572)
______ C:\Program Files (x86)\Internet Explorer\iexplore.exe (4684)
Locked sppsvc.exe (5564)
Locked SearchProtocolHost.exe (6052)
______ ??>5??? (4808)
Locked SearchFilterHost.exe (5612)
______ C:\Users\Southern_boy\Desktop\Rooter.exe (3316)
______ ??>5??? (5000)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 44 x 512 Bytes]
.
\Device\Harddisk0\Partition1 (Start_Offset:32256 | Length:11531810304)
\Device\Harddisk0\Partition2 --[ MBR ]-- (Start_Offset:11531842560 | Length:308540042240)
.
----------------------\\ Scheduled Tasks
.
C:\Windows\Tasks\Adobe Flash Player Updater.job
C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
C:\Windows\Tasks\SA.DAT
C:\Windows\Tasks\SCHEDLGU.TXT
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Privacy Partners
C:\PROGRA~2\Privacy Partners
==> Rogues <==
.
----------------------\\ Scan completed at 21:53.41
.
C:\Rooter$\Rooter_1.txt - (29/09/2012 | 21:53.41)

[SuperDave]

How's your computer running now?

I'd like to scan your machine with ESET OnlineScan

•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
•Click the button.
•For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

• Click on to download the ESET Smart Installer. Save it to your desktop.
  
• Double click on the icon on your desktop.
  

•Check
•Click the button.
•Accept any security warnings from your browser.
•Check
•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push
•Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the button.
•Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

[southern_boy1975]

Hi, it is running great. No more redirects, load time and explorer seems back to normal. I had almost forgot how fast it was before I picked up that junk. AVG has popped up a warning directed towards the desktop but I think it is something to do with one of the scans you had me install yesterday. I will run this ESET right now!

[southern_boy1975]

Wow, 3 hour scan.... Here you go, I hope things are looking better for me!

C:\Qoobox\Quarantine\C\Windows\Installer\{fd22fb96-86df-5db7-c393-135263f6cb2f}\U\[email protected]   Win64/Conedex.C trojan   cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\Installer\{fd22fb96-86df-5db7-c393-135263f6cb2f}\U\[email protected]   Win64/Agent.BA trojan   cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\Installer\{fd22fb96-86df-5db7-c393-135263f6cb2f}\U\[email protected]   Win64/Conedex.B trojan   cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\Installer\{fd22fb96-86df-5db7-c393-135263f6cb2f}\U\[email protected]   Win64/Sirefef.AP trojan   cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\Installer\{fd22fb96-86df-5db7-c393-135263f6cb2f}\U\[email protected]   probably a variant of Win32/Sirefef.FD trojan   cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\System32\services.exe.vir   Win64/Patched.B.Gen trojan   deleted - quarantined
C:\Users\Southern_boy\AppData\Local\Microsoft\Windows\Burn\Burn\HVAC-Calc_Residential_v4.0.45c_and_HVAC-Calc_Commercial_v4.0.31.zip   multiple threats   deleted - quarantined
C:\Users\Southern_boy\Downloads\HVAC-Calc_Residential_v4.0.45c_and_HVAC-Calc_Commercial_v4.0.31.zip   multiple threats   deleted - quarantined

[SuperDave]

Good show. We can do some cleanup.

To uninstall ComboFix

• Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
  
• In the field, type in ComboFix /uninstall
  

(Note: Make sure there's a space between the word ComboFix and the forward-slash.)

• Then, press Enter, or click OK.
  
• This will uninstall ComboFix, delete its folders and files, hides System files and folders, and resets System Restore.
  

**********************************************************
Click Start> Computer> right click the C Drive and choose Properties> enter
Click Disk Cleanup from there.



Click OK on the Disk Cleanup Screen.
Click Yes on the Confirmation screen.



This runs the Disk Cleanup utility along with other selections if you have chosen any. (if you had a lot System Restore points, you will see a significant change in the free space in C drive)
********************************************************
Go to Microsoft Windows Update and get all critical updates.

----------

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
Safe Surfing!

[southern_boy1975]

Will do.... THANK YOU FOR EVERTHING!!!!

[SuperDave]

You're welcome. I will lock this thread. If you need it re-opened, please send me a pm.