Enhanced Protection virus

I was hit a few nights ago with the Koobface virus from facebook. I read a few threads on here and thought I’d see if Essexboy could lead me to the promised land. This site won’t allow a post of more than 10000 words so I don’t know which part of the OTS to attach. Please provide more instructions.


OTS logfile created on: 8/22/2011 4:52:37 PM - Run 1
OTS by OldTimer - Version 3.1.44.3     Folder = C:\Users\Mich\Pictures\My Pictures\Mich misc
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7601.17514)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 60.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 74.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 455.94 Gb Total Space | 395.94 Gb Free Space | 86.84% Space Free | Partition Type: NTFS
Drive D: | 9.72 Gb Total Space | 1.46 Gb Free Space | 15.05% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: MICH-PC
Current User Name: Mich
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: All users
Include 64bit Scans
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
 
[Processes - Safe List]
ots.exe -> C:\Users\Mich\Pictures\My Pictures\Mich misc\OTS.exe -> [2011/08/22 16:50:02 | 000,645,632 | ---- | M] (OldTimer Tools)
systemup.exe -> C:\Windows\systemup.exe -> [2011/08/22 06:04:40 | 000,137,728 | ---- | M] ()
svchostdriver.exe -> C:\Windows\update.7.1\svchostdriver.exe -> [2011/08/22 04:33:02 | 000,382,464 | ---- | M] ()
svchost.exe -> C:\Windows\update.2\svchost.exe -> [2011/08/22 04:31:47 | 000,634,880 | ---- | M] ()
svchost.exe -> C:\Windows\update.5.0\svchost.exe -> [2011/08/22 04:29:44 | 000,355,840 | ---- | M] ()
sysdriver32.exe -> C:\Windows\sysdriver32.exe -> [2011/08/22 04:26:41 | 000,258,048 | ---- | M] ()
svchost.exe -> C:\Windows\update.tray-8-0-lnk\svchost.exe -> [2011/08/22 04:11:52 | 001,213,440 | -H-- | M] ()
svchost.exe -> C:\Windows\update.tray-8-0\svchost.exe -> [2011/08/22 04:11:52 | 001,213,440 | -H-- | M] ()
svchost.exe -> C:\Windows\update.1\svchost.exe -> [2011/08/22 04:11:52 | 001,213,440 | -H-- | M] ()
firefox.exe -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe -> [2011/08/17 16:10:40 | 000,924,632 | ---- | M] (Mozilla Corporation)
phoenix.exe -> C:\Windows\phoenix\phoenix.exe -> [2011/06/14 15:51:54 | 006,962,815 | ---- | M] ()
armsvc.exe -> C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -> [2011/06/06 12:55:28 | 000,064,952 | ---- | M] (Adobe Systems Incorporated)
toolbarupdaterservice.exe -> C:\Program Files (x86)\StartNow Toolbar\ToolbarUpdaterService.exe -> [2011/05/20 10:03:34 | 000,210,144 | ---- | M] ()
hpdrvmntsvc.exe -> C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe -> [2010/10/14 17:27:38 | 000,092,216 | ---- | M] (Hewlett-Packard Company)
sftvsa.exe -> C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe -> [2010/04/24 01:10:34 | 000,209,768 | ---- | M] (Microsoft Corporation)
sftlist.exe -> C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe -> [2010/04/24 01:10:28 | 000,483,688 | ---- | M] (Microsoft Corporation)
qbupdate.exe -> C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe -> [2010/02/02 01:32:46 | 000,984,352 | ---- | M] (Intuit Inc.)
qbcfmonitorservice.exe -> C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -> [2010/01/31 08:01:28 | 000,045,056 | ---- | M] (Intuit)
hp_remote_solution.exe -> C:\Program Files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe -> [2009/08/24 19:11:15 | 000,656,896 | ---- | M] (Hewlett-Packard)
picturemover.exe -> C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe -> [2009/06/03 13:35:16 | 000,430,080 | ---- | M] (Hewlett-Packard Company)
hpsysdrv.exe -> C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe -> [2008/11/20 11:47:28 | 000,062,768 | ---- | M] (Hewlett-Packard)
 
[Modules - No Company Name]
systemup.exe -> C:\Windows\systemup.exe -> [2011/08/22 06:04:40 | 000,137,728 | ---- | M] ()
svchost.exe -> C:\Windows\update.tray-8-0-lnk\svchost.exe -> [2011/08/22 04:11:52 | 001,213,440 | -H-- | M] ()
svchost.exe -> C:\Windows\update.tray-8-0\svchost.exe -> [2011/08/22 04:11:52 | 001,213,440 | -H-- | M] ()
mozjs.dll -> C:\Program Files (x86)\Mozilla Firefox\mozjs.dll -> [2011/08/17 16:10:40 | 001,846,232 | ---- | M] ()
system.management.ni.dll -> C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\6e9a08576157b4aeb91a3aaa452fcb00\System.Management.ni.dll -> [2011/08/10 18:46:14 | 001,051,136 | ---- | M] ()
presentationframework.aero.ni.dll -> C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\7f94f6b13f92f1e093716d3e15bf86d1\PresentationFramework.Aero.ni.dll -> [2011/08/10 18:38:25 | 000,368,128 | ---- | M] ()
system.runtime.remoting.ni.dll -> C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\e3e3b399b69c569ab1ed3b0ace2c8c20\System.Runtime.Remoting.ni.dll -> [2011/08/10 18:38:12 | 000,771,584 | ---- | M] ()
system.data.ni.dll -> C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Data\b7d1c271ec6b4df64c95563fc81ffc2f\System.Data.ni.dll -> [2011/08/10 18:38:10 | 006,611,456 | ---- | M] ()
presentationframework.ni.dll -> C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\c60906a715473ceccf93f0559527e84d\PresentationFramework.ni.dll -> [2011/08/10 18:38:03 | 014,339,072 | ---- | M] ()
system.drawing.ni.dll -> C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\9e87dd8fe5d0f925d80a6a6eaf74fdb9\System.Drawing.ni.dll -> [2011/08/10 18:37:45 | 001,587,200 | ---- | M] ()
presentationcore.ni.dll -> C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationCore\5566b57732d9edea236f54d06149835a\PresentationCore.ni.dll -> [2011/08/10 18:37:43 | 012,234,752 | ---- | M] ()
windowsbase.ni.dll -> C:\Windows\assembly\NativeImages_v2.0.50727_32\WindowsBase
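A small triage pass over the OTS process list above, added here as an example and not part of the thread: it parses the `name -> path -> [date | size | attrs | M] (Company)` line format and applies the heuristics a removal helper reads off such a log (a system binary name outside System32/SysWOW64, no company name, hidden attribute, an executable sitting directly in %SystemRoot%). The heuristics and the two-reason threshold are my own choices; the sample lines are copied from the log above.

```python
import re
from dataclasses import dataclass, field

# One OTS "Processes" line: name -> full path -> [date | size | attrs | M] (Company)
LINE_RE = re.compile(
    r"^(?P<name>\S+) -> (?P<path>.+?) -> "
    r"\[(?P<date>[^|]+?) \| (?P<size>[\d,]+) \| (?P<attrs>[-A-Z]+) \| [A-Z]\] "
    r"\((?P<company>[^)]*)\)$"
)

# Names that Windows itself only runs from these two directories.
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "winlogon.exe", "userinit.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Sample input: lines copied from the OTS log posted above.
SAMPLE_LINES = [
    r"ots.exe -> C:\Users\Mich\Pictures\My Pictures\Mich misc\OTS.exe -> [2011/08/22 16:50:02 | 000,645,632 | ---- | M] (OldTimer Tools)",
    r"systemup.exe -> C:\Windows\systemup.exe -> [2011/08/22 06:04:40 | 000,137,728 | ---- | M] ()",
    r"svchost.exe -> C:\Windows\update.2\svchost.exe -> [2011/08/22 04:31:47 | 000,634,880 | ---- | M] ()",
    r"svchost.exe -> C:\Windows\update.tray-8-0\svchost.exe -> [2011/08/22 04:11:52 | 001,213,440 | -H-- | M] ()",
    r"firefox.exe -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe -> [2011/08/17 16:10:40 | 000,924,632 | ---- | M] (Mozilla Corporation)",
    r"phoenix.exe -> C:\Windows\phoenix\phoenix.exe -> [2011/06/14 15:51:54 | 006,962,815 | ---- | M] ()",
]

@dataclass
class Finding:
    path: str
    reasons: list = field(default_factory=list)

def triage(line):
    """Parse one process line and collect suspicion reasons; None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    f = Finding(rec["path"])
    parent = rec["path"].lower().rsplit("\\", 1)[0]
    if rec["name"].lower() in SYSTEM_NAMES and parent not in SYSTEM_DIRS:
        f.reasons.append("system binary name outside System32/SysWOW64")
    if not rec["company"]:
        f.reasons.append("no company name")
    if "H" in rec["attrs"]:
        f.reasons.append("hidden attribute")
    if parent == r"c:\windows":
        f.reasons.append("executable directly in %SystemRoot%")
    return f

def suspicious(lines, min_reasons=2):
    """Map path -> reasons for every line that accumulates at least min_reasons heuristics."""
    hits = (triage(line) for line in lines)
    return {f.path: f.reasons for f in hits if f and len(f.reasons) >= min_reasons}
```

Running `suspicious(SAMPLE_LINES)` flags the three entries the helper's fix later targets (systemup.exe and the two out-of-place svchost.exe copies) while leaving OTS, Firefox and the single-reason phoenix.exe below the threshold.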

have you tried Malwarebytes ?

Malwarebytes Anti-Malware 1.51. http://filehippo.com/download_malwarebytes_anti_malware/
make sure it is updated before you scan
click on the remove selected button to quarantine anything found

post the scan log here

Yep tis the enhanced thingy

Alas there was insufficient data posted to stop it so…

Download OTL to your Desktop

[*]Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
[*]Select All Users
[*]Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
CREATERESTOREPOINT

[*]Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won’t take long.
[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Attach both logs

THEN

Download aswMBR.exe ( 1.8mb ) to your desktop.
Double click aswMBR.exe to run it. Click the “Scan” button to start the scan.

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR%20shots/aswMBRScan.gif

On completion of the scan click save log, save it to your desktop and post in your next reply

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR%20shots/aswMBRsavelog.gif

To Essexboy:

It wasn’t showing my reply so I am doing it again. Sorry for any duplicates.

Danbar

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
PRC - [2011/08/23 08:09:38 | 000,636,416 | ---- | M] () -- C:\Windows\update.2\svchost.exe
PRC - [2011/08/23 08:09:38 | 000,636,416 | ---- | M] () -- C:\Windows\update.2\svchost.exe
PRC - [2011/06/29 12:20:24 | 000,743,936 | ---- | M] (Ufasoft) -- C:\Windows\ufa\ufa.exe
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.
O3 - HKU\S-1-5-21-84136863-795062345-1550129199-1001\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.
O3 - HKU\S-1-5-21-84136863-795062345-1550129199-1001\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4 - HKLM..\Run: [1977203.exe] C:\Windows\Temp\1977203.exe ()
O4 - HKLM..\Run: [avgnt] File not found
O4 - HKLM..\Run: [tray_ico] File not found
O4 - HKLM..\Run: [tray_ico1] File not found
O4 - HKLM..\Run: [tray_ico2] File not found
O4 - HKLM..\Run: [tray_ico3] File not found
O4 - HKLM..\Run: [tray_ico4] File not found
O31 - SafeBoot: AlternateShell - services32.exe
[2011/08/22 07:23:08 | 000,000,000 | ---D | C] -- C:\Windows\av_ico
[2011/08/22 04:33:03 | 000,000,000 | -H-D | C] -- C:\Windows\update.7.1
[2011/08/22 04:31:48 | 000,000,000 | -H-D | C] -- C:\Windows\update.2
[2011/08/22 04:31:35 | 000,000,000 | ---D | C] -- C:\Windows\ufa
[2011/08/22 04:31:35 | 000,000,000 | ---D | C] -- C:\Windows\rpcminer
[2011/08/22 04:31:35 | 000,000,000 | ---D | C] -- C:\Windows\phoenix
[2011/08/22 04:29:45 | 000,000,000 | -H-D | C] -- C:\Windows\update.5.0
[2011/08/22 04:24:46 | 000,000,000 | -H-D | C] -- C:\Windows\update.1
[2011/08/22 04:24:28 | 000,000,000 | -H-D | C] -- C:\Windows\update.tray-8-0-lnk
[2011/08/22 04:24:28 | 000,000,000 | -H-D | C] -- C:\Windows\update.tray-8-0
[2011/08/23 11:30:25 | 005,589,370 | ---- | M] () -- C:\Windows\phoenix.rar
[2011/08/23 11:30:25 | 001,075,284 | ---- | M] () -- C:\Windows\rpcminer.rar
[2011/08/23 11:30:25 | 000,246,272 | ---- | M] () -- C:\Windows\unrar.exe
[2011/08/23 11:30:25 | 000,182,617 | ---- | M] () -- C:\Windows\ufa.rar
[2011/08/23 08:09:39 | 000,000,202 | ---- | M] () -- C:\Windows\info1
[2011/08/22 04:27:15 | 000,000,000 | ---- | M] () -- C:\Windows\loader2.exe_ok
[2011/08/22 04:31:34 | 005,589,370 | ---- | C] () -- C:\Windows\phoenix.rar
[2011/08/22 04:31:34 | 001,075,284 | ---- | C] () -- C:\Windows\rpcminer.rar
[2011/08/22 04:31:34 | 000,182,617 | ---- | C] () -- C:\Windows\ufa.rar
[2011/08/22 04:29:08 | 004,636,907 | ---- | C] () -- C:\Windows\geoiplist
[2011/08/22 04:29:07 | 000,904,792 | ---- | C] () -- C:\Windows\geoiplist.rar
[2011/08/22 04:29:07 | 000,246,272 | ---- | C] () -- C:\Windows\unrar.exe
[2011/08/22 04:28:49 | 000,000,202 | ---- | C] () -- C:\Windows\info1
[2011/08/22 04:27:15 | 000,000,000 | ---- | C] () -- C:\Windows\loader2.exe_ok
[2011/08/23 08:09:38 | 000,636,416 | ---- | M] () MD5=5DCDE53F902E7BBBE5171E6A9E6B5B90 -- C:\Windows\update.2\svchost.exe
[2011/08/22 04:11:52 | 001,213,440 | -H-- | M] () MD5=B8F3E2AEE9E0D7BCA1691165B5A2EBA1 -- C:\Windows\update.tray-8-0-lnk\svchost.exe

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Please download Malwarebytes’ Anti-Malware

Double Click mbam-setup.exe to install the application.
[*]Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
[*]If an update is found, it will download and install the latest version.
[*]Once the program has loaded, select “Perform Quick Scan”, then click Scan.
[*]The scan may take some time to finish, so please be patient.
[*]When the scan is complete, click OK, then Show Results to view the results.
[*]Make sure that everything is checked, and click Remove Selected.
[*]When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
[*]The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
[*]Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Here are the reports you asked for.

Thx,

Danbar

You need to save your OTL log file in ANSI mode (image1) as you did for your first OTL log. See image2, an extract of what appears when you try to view your attachment.

Sorry about that. I think I changed it for you. Here are both logs again.

Thx,

Danbar

Any further problems ?

No problem.

That’s better; the previous MBAM attachment was fine, the only problem was with the OTL file format.

To DavidR:

I don’t know if the entire process is finished or not (I see Essexboy asked if there were any further problems), but my Avira Anti-virus program still is locked in the Enhanced Protection mode, my Windows defender is saying there is Adware:Win32/OpenCandy and my windows firewall is turned off. Just wondering what I should do now. I’ll gladly wait for more instructions if there is more to do.

Thx,

Danbar

To Essexboy:

A few issues still exist:

  1. My Avira Anti-virus program is still locked in the Enhanced Protection mode.

  2. My windows defender lists an Adware: Win32/OpenCandy threat.

  3. My windows firewall is turned off.

I don’t know if the process is entirely finished but was just wanting to know what I should do next.

Thx,

Danbar

You will need to install Avira again as it has been corrupted

If you could run a fresh OTL log selecting all users I will remove the OpenCandy (that is considered an either/or removal as some people install it voluntarily).

For the firewall could you run the fixit on this page http://support.microsoft.com/mats/windows_security_diagnostic/en-us

I was only commenting on the format of the attachments, essexboy is the malware removal specialist ;D

To Essexboy:

Should I run a full scan or quick scan of the OTL?

Danbar

Quick scan should suffice but do ensure that all users is selected

Looks like my newbie status is a good fit. I had done everything as you asked and when I went to re-install the Avira program, I accidentally re-installed the infected one and all hell broke loose. My PC went into safe mode but I was able to go through the forum threads again and redid everything like before and all of the reports say the virus was destroyed and everything is running ok. Except my computer is still in safe mode and I can’t get out of it. Sorry for letting you down so close to the end. What can I do?

Danbar

It happens and is not a problem

Could you run me a fresh OTL scan please selecting all users

Here it is.

What error do you get when you try to go to normal mode ?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
O4 - HKLM..\Run: [wxpdrv] File not found

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.