
Author Topic: Request Help for trojan removal - Combofix Log interpretation  (Read 16879 times)


Jhavey

  • Guest
Request Help for trojan removal - Combofix Log interpretation
« on: December 27, 2009, 06:23:51 PM »
Hello,
  Sorry for not following the directions posted here fully as I had been working on removing the trojan on my own for many hours prior to finding the help this site offered.  I only read the directions after registering and by then I had already run combofix.

   History:  I was infected several days ago with a trojan.  After many hours of running Malwarebytes, SuperAntispyware and Avast, along with editing the registry, and reinstalling drivers I got the system at least usable again.  All three programs showed the computer as clean.

   When I then connected to the internet I went to update Malwarebytes and the trojan broke loose again.
It appeared as Trojan.Vundo.
It now stopped Malwarebytes from loading and got the error 707.  At this point I found this forum and read about the fix offered to someone with that problem.
  I ran combofix and it then allowed me to reload the latest Malwarebytes and I ran that.

At this point I feel as though things are greatly improved but am hoping for some expert advice with regards to my combofix log.  I would like to be as sure as I can that the trojan is completely gone.  I will post the log below in hopes that someone here can please advise me further.
Once again I apologize for attempting the fix prior to contacting this forum but I was unaware of protocol at that point.

I have read all the instructions and made my best attempt to follow them.
All three logs attached.
    At this point my biggest concern is inability to start ICS (windows firewall).

Any help would be greatly appreciated.


[Saving space, attachment deleted by admin]
« Last Edit: December 28, 2009, 09:34:01 PM by Jhavey »

Jhavey

  • Guest
Re: Request Help for trojan removal - Combofix Log interpretation
« Reply #1 on: December 27, 2009, 08:33:08 PM »
I wanted to add the fact that I am unable to turn on the windows firewall.  When I try it says ICS cannot start.

I have fought this infection for so many hours now that I had almost given up and was ready to reinstall windows but I just did not want to give in to this nasty.
   I was encouraged by what people on this forum were able to do for others with similar infections so I gave it another try.  Combofix seemed to do the best work after having tried many others.

Up to the point of running Combofix I was unable to run in safe mode and it seems to have repaired that as I can now run it.

I do not know how to interpret the combofix log and so am hoping for some help there if anyone is willing.
I want to be as sure as I can that I am clean again.  Since this thing has fought me for so many hours I still do not have a real good feeling.   

I try to keep the computer off the internet until I feel it is safe.  I am posting from another computer in the meantime.

I was so encouraged by a person with a similar problem when he stated that their computer is now running better than ever after he got assistance here.

SuperDave

  • Malware Removal Specialist
  • Moderator


  • Genius
  • Thanked: 1020
  • Experience: Expert
  • OS: Windows 10
Re: Request Help for trojan removal - Combofix Log interpretation
« Reply #2 on: December 29, 2009, 07:57:33 AM »
Hello jhavey and welcome to Computer Hope Forum. My name is Superdave but you can just call me SD. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum so it may take a bit longer to process your logs.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

Exit out of MessengerDisable then delete the two files that were put on the desktop.

There is evidence of McAfee anti-virus and scanning tools left on your computer. This will get rid of them.

Download the McAfee Consumer Product Removal Tool to your Desktop.

Using McAfee Consumer Product Removal tool:

* Double click the MCPR.exe
* A Command Line window will be displayed, and then close automatically.
* Wait for a second Command Line window to be displayed.

Note: Do not double-click MCPR.exe again, you may have to wait up to 1 minute for the next window to appear.

* After the second window appears, the program will begin the cleanup.
* Observe the installation, which could take several minutes. The following message will be displayed in the Command Line window: The machine must reboot to complete the un-installation. Reboot now? [y.n]
* Press Y on the keyboard.
* Wait for the computer to restart.
* All McAfee products are now removed from your computer.

Open HijackThis and select Do a system scan only

Place a check mark next to the following entries: (if there)

O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Karen\aim.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O23 - Service: Helcdw5x - Creative Technology Ltd - (no file)
O23 - Service: MD Simple Burner Service (NetMDSB) - Unknown owner - E:\Program Files\Sony\MD Simple Burner\NetMDSB.exe (file missing)


Important: Close all open windows except for HijackThis and then click Fix checked.

Once completed, exit HijackThis.

Windows 8 and Windows 10 dual boot with two SSD's

Jhavey

Re: Request Help for trojan removal - Combofix Log interpretation
« Reply #3 on: December 29, 2009, 08:28:58 AM »
Hello SuperDave,
Thank you for your response. 
I will follow your instructions when I am back home this evening.

As you can see my Windows Firewall cannot start. I had tried several options I found posted on malware sites and was unable to start it.

Would you recommend purchasing a firewall such as ZoneAlert rather than any further attempts to restart windows firewall?

Thanks for your assistance

SuperDave

Re: Request Help for trojan removal - Combofix Log interpretation
« Reply #4 on: December 29, 2009, 01:11:42 PM »
Hello jhavey, the Windows Firewall doesn't offer very good protection. See below.

Firewalls protect against hackers and malicious intruders. You need to download a free firewall from one of these reliable vendors.

Remember, only install ONE firewall.

1) Comodo Personal Firewall (Uncheck during installation "Install Comodo SafeSurf..", "Make Comodo my default search provider" and "Make Comodo Search my homepage" and uncheck any HopSurf and/or Ask.com options if you choose this one)
2) Online Armor
3) Agnitum Outpost
4) PC Tools Firewall Plus

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

Jhavey

Re: Request Help for trojan removal - Combofix Log interpretation
« Reply #5 on: December 29, 2009, 08:23:50 PM »
Hi SuperDave,
  I followed your instructions.
The only problem I encountered was cleaning up McAfee.  The program hung about 7/8 of the way through the cleanup, at a point called "Removing product Vs".  I had to cold boot to recover.

Now any time I try to run that removal program again it says "Cleanup failed" "Cleanup is already running".

I am attaching my new hijack log after doing all you instructed me to.
I installed the Comodo firewall.
 I will now attempt to reconnect to the internet and keep my fingers crossed.

Thank goodness for considerate people such as yourself.

Many thanks!

[Saving space, attachment deleted by admin]

SuperDave

Re: Request Help for trojan removal - Combofix Log interpretation
« Reply #6 on: December 30, 2009, 12:36:44 PM »
Download the MBR Rootkit Detector to your desktop.

* Doubleclick mbr.exe and follow prompts.
* A black DOS window will quickly appear then disappear.
* When mbr.exe is finished it will create a log on your desktop.
* Copy and paste contents of that log file to your next reply.

Jhavey

Re: Request Help for trojan removal - Combofix Log interpretation
« Reply #7 on: December 30, 2009, 07:18:19 PM »
Hello SuperDave,
Ran the program you directed and am posting the log.
  I am just getting familiar with Comodo firewall and not sure I allowed this new program permission correctly as the log file does not seem to contain much?

Please let me know how things look or if I did not run the MBR correctly.

Thanks

I am a little confused now.  I just ran SAS to see what it thought at this point and it said it found 1 Trojan.Downloader-Gen\suspicious
When I went to remove it it said it was removing MBR.exe?


Update:
Read lots about MBR.exe.  Tried elevated command mode and that did not work.
Booted to safe mode and ran MBR.exe and it ran fine there.
Posting its results now.
Hopefully this means I am clean?

Update2:
Ran boot time scan with Avast and it says it found a trojan in
c:\System VolumeInformation\-restore{B37680B2-BA0A-4E5D-BF30-83E44C5886243\RP1645\A0562830.dll
is infected by Win32:jifas-CJ [trj]
   I moved that to the chest and will run SAS and Malwarebytes afterward, then rerun AVAST boot scan again.

Am I being reinfected over and over again?



[Saving space, attachment deleted by admin]
« Last Edit: December 31, 2009, 03:43:21 PM by Jhavey »

SuperDave

Re: Request Help for trojan removal - Combofix Log interpretation
« Reply #8 on: December 31, 2009, 06:10:26 PM »
Quote
Am I being reinfected over and over again?

System Volume information is your System Restore. Infections like to hide here and when you do a System Restore, you re-infect yourself again. We will be dealing with this soon. I would like you to run this scan.

ESET Online Scan

Scan your computer with the ESET FREE Online Virus Scan

* Click the ESET Online Scanner button.

* For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
* Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
* Double click on the esetsmartinstaller_enu.exe icon on your desktop.
* Place a check mark next to YES, I accept the Terms of Use.

* Click the Start button.
* Accept any security warnings from your browser.
* Leave the check mark next to Remove found threats and place a check next to Scan archives.
* Click the Start button.
* ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
* When the scan completes, click List of found threats.
* Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
* Click the <<Back button then click Finish.

In your next reply please include the ESET Online Scan Log

Jhavey

Re: Request Help for trojan removal - Combofix Log interpretation
« Reply #9 on: December 31, 2009, 06:40:05 PM »
Hi SD,
I will follow your instructions.
In the meantime I also ran SAS again and it found
C:\recycler\s-1-5-21=109 ......   dc14.exe

Just wanted to mention this before I ran your directions.

Thanks so much for your help and Happy New Year to you!

Since downloading ESET things are now worse than when I first started this whole deal.
Nothing will run now and it says I do not have permissions to even restart the computer.
I am attempting safe mode now.  Looks like it will run here.
Looks like it needs the internet? I was trying to avoid that but will enable the internet.

I need to stop for now. Will attempt tomorrow.
Thanks for your help and Cheers!

Update:
   As mentioned things have gotten way bad now. Worse than ever.
None of the startup programs load.  Every program I try to start states:
"Windows cannot access the specified device, path, or file. You may not have appropriate permissions to access the item."

What now???

Does this virus "know" it was under attack and thus decide to shut me down?

I really need your input now as I do not appear to be able to do anything at all.


Update2:
  I found that if I use the "run as" command and pick an alternate user it let me try to run ESET but this program wants to download from the internet and seems to hang on this step?
I am now able to run SAS via this alternate user permission so I am running that and will attempt ESET once again afterwards.
   Also wanted to add the fact that I have not done any "system restores" since a week ago.

update 3:
unable to run ESET since cannot connect to the internet
start menu does not load and Comodo is not running
Got it to run in safe mode but it said it was not running correctly
when I went to the start - run window it already was populated with " firewall.cpl" ??

Seems as though there is nothing I can do now without further instruction.
Was able to run this log

Was able to connect to internet via safemode and run ESET. It fails to get update and asks if proxy is configured?


[Saving space, attachment deleted by admin]
« Last Edit: January 03, 2010, 11:27:34 AM by Jhavey »

Jhavey

Re: Request Help for trojan removal - Left Hanging?
« Reply #10 on: January 02, 2010, 06:12:41 PM »
SD,
  I am feeling like I may be at the end of my rope?
Any other suggestions before I give it a safe distance and NUKEIT?

SuperDave

Re: Request Help for trojan removal - Combofix Log interpretation
« Reply #11 on: January 02, 2010, 06:15:09 PM »
I'm sorry that I haven't been able to get back to you sooner. I'm trying to handle all the posts on this board by myself and I'm still in-training. I'm sure that when my mentor gets back he will be able to fix you up. Please just hold tight for a little while.

Jhavey

Re: Request Help for trojan removal - Combofix Log interpretation
« Reply #12 on: January 03, 2010, 11:16:31 AM »
Hi SD,
Thanks for the response.  I would like to beat this thing without having to re-install windows. That has been my goal for over a week now.  At some point I may need to decide to back off and re-install so I will be anxious to hear from your mentor beforehand.
   Who is it that I might hope to hear from soon?

I understand that you have been very busy and that you volunteer your time. Thank you very much for your efforts.

SuperDave

Re: Request Help for trojan removal - Combofix Log interpretation
« Reply #13 on: January 03, 2010, 12:27:39 PM »
I just had a message from Evilfantasy and he's going to start working on some clean-up. I put your case at the top of the list.

evilfantasy

  • Malware Removal Specialist
  • Moderator


  • Genius
  • Calm like a bomb
  • Thanked: 493
  • Experience: Experienced
  • OS: Windows 11
Re: Request Help for trojan removal - Combofix Log interpretation
« Reply #14 on: January 03, 2010, 03:08:13 PM »
Hello Jhavey.

Your version of MBAM is out of date.

Open Malwarebytes' Anti-Malware.

* Click the Update tab.
* Click Check for Updates
* If an update is found, it will download and install.
* Click the Scanner tab.
* Select Perform Quick Scan, then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

----------

Also give me a brief description of what the computer is doing now.
