Finally got ComboFix to work (title updated as of ~Mar4th11pmEST)

Alright, I’m planning to dig through the majority of my computer’s data, my portable drives, and my thumb drives, deleting years’ worth of information, everything from an image collection likely to be in the tens of millions (at least), programs I no longer use, anime I’ve downloaded and ripped off of the DVDs I’ve had to store with family when I moved, and in all, hundreds of gigs’ worth of generic crap I either don’t want, don’t know what it is anymore, or don’t need. I will likely keep a lot of it too, but I’m actually going to go through it and look for corrupted files and stuff I don’t want.

I also plan to run various scans, replace or improve protection programs, and ask for expert advice here to guide me through this process.

This project will likely take weeks, as I have lots of data to crawl through.

My first question though, is this: Should I go through the data first? Or should I ask for assistance in running full scans on my computer and portable drives before I go deleting everything?

If you have avast as resident, I will do housekeeping before scanning.
Why would you scan a file that you will delete further?

Just in case there’s a bomb lol…

Anyways, I’m having more issues than I thought I was… I won’t have the time for housekeeping at this rate…

MBAM found an infection in svchost.exe, one that keeps going up to 400000k or higher sometimes (I keep forcing it to shut down… and since it’s been causing issues I’m uninstalling some things and scanning like crazy… thought MBAM caught it, guess not…)

Anyways, here’s screenies of the avast warnings. I’m gonna run another MBAM scan on safe mode… for some reason I can’t find the log, but this will be mainly for a fresh log to upload here.

I'm gonna run another MBAM scan on safe mode
MBAM will work in Safe Mode but it is designed to work best in normal mode.
for some reason I can't find the log, but this will be mainly for a fresh log to upload here.
Click the Log tab at the top, and if there are many, the newest log is at the bottom.

The reason I ran it in safe mode is because the problem keeps starting back up, online or offline, when I do anything in normal mode. Hell, it shut down my firefox just a few minutes ago and it shuts down MBAM usually too…

Here’s the newest log though… Yeah, this is becoming a major problem here… Especially since I can’t even keep up with my work with this crap killing my computer every so often…

Can you do this?

Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
(post the logs here in this topic and not in the guide)

To avoid using multiple posts with copy and paste you have to attach the logs:
Lower left corner: Additional Options > Attach ( OTL.Txt. / Extras.Txt )

Hi, I used to have some of your problems. What I got was "malicious URL blocked" and the process was svchost.exe every 1 min, so I tried Malwarebytes, SuperAntiSpyware, even TDSSKiller (Kaspersky). After I lost hope I contacted Microsoft live chat tech (as svchost.exe is a file that is part of Windows), so the tech used remote assistance and searched Windows Task Manager (Processes tab). He found svchost.exe and the name of the user was the name of my computer (he told me the user name of svchost.exe should always be a name belonging to Windows like LOCAL…, NETWORK…, SYSTEM), so he ended the svchost.exe task (username of my PC) and scanned my PC by going to the site “onecare.live.com”. It started to download files and then it scanned my whole PC, and from then on I didn’t get the alert again.

BTW this happened 3 days ago

i hope i explained it well and helped you

GOOD LUCK

Whitesmoke by the look of it

Avast asked to run a boottime scan during my last MBAM scan (a new one scanned during normal mode with internet shut off) so I let it do that, it found 5 PUPs, all from Gamevance, and I had them sent to the chest. I can post a screenshot of the log if you want, but not in this one, tried posting the txt logs and the pic altogether and it said it was too big.

Most recent MBAM log and OTL logs attached.

Your Malwarebytes log shows that you scanned with database 5935.
Latest is 5947; always click the Update button before you scan, as Malwarebytes can have up to 10 updates a day.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
IE - HKU\S-1-5-21-3942227701-1679884542-3315011257-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
O2 - BHO: (no name) - {2804caed-1d99-4a3d-833c-c552f986b75c} - No CLSID value found.
O2 - BHO: (no name) - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - No CLSID value found.
O2 - BHO: (WhiteSmoke Toolbar) - {52794457-af6c-4c50-9def-f2e24f4c8889} - C:\Program Files\whitesmoketoolbar\whitesmoketoolbarX.dll ()
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll ()
O2 - BHO: (no name) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - No CLSID value found.
O2 - BHO: (no name) - {E8DAAA30-6CAA-4b58-9603-8E54238219E2} - No CLSID value found.
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O3 - HKLM\..\Toolbar: (WhiteSmoke Toolbar) - {52794457-af6c-4c50-9def-f2e24f4c8889} - C:\Program Files\whitesmoketoolbar\whitesmoketoolbarX.dll ()
O3 - HKLM\..\Toolbar: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll ()
O3 - HKU\S-1-5-21-3942227701-1679884542-3315011257-1006\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-3942227701-1679884542-3315011257-1006\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WhiteSmoke 2011.lnk = File not found
[2011/03/03 16:46:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner.DORISAI1\Application Data\whitesmoketoolbar
[2011/03/03 16:43:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\whitesmoketoolbar
[2011/03/03 16:43:16 | 000,000,000 | ---D | C] -- C:\Program Files\whitesmoketoolbar
[2011/03/03 12:46:41 | 000,000,000 | ---D | C] -- C:\Program Files\Drop Down Deals
[2011/03/03 12:46:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Tarma Installer
[2011/03/02 15:21:50 | 000,000,000 | ---D | C] -- C:\Program Files\Search Toolbar
[2011/03/03 12:46:41 | 000,000,000 | ---D | C] -- C:\Program Files\Drop Down Deals
[2011/03/03 12:46:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Tarma Installer
[2011/03/03 16:43:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\whitesmoketoolbar
[2011/03/03 16:46:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.DORISAI1\Application Data\whitesmoketoolbar

:Files
ipconfig /flushdns /c
C:\Program Files\Search Toolbar
C:\Program Files\whitesmoketoolbar

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Here it is. Also, I’m still having issues with svchost.exe… its at 210000 and rising fast…

EDIT: Ok, this time that one topped out at around 250000k and now it’s gone back down to around 86500k and it’s hovering now, rising and falling by a little bit at a time.

OK, I have taken out all I can see - let's get the big boy on the job to ensure that I have missed nothing.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

[*]Double click on ComboFix.exe & follow the prompts.

[*]As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Neither link is working, I continue to get corrupted downloads. I even set my firefox to download it directly to my desktop, and tried from both links. At first it was asking me to update them, now it’s simply saying they’re corrupted.

EDIT: I’m going to restart and try to download it again.
EDIT2: Tried downloading through Internet Explorer and Firefox after restarting. The first link won’t even load in Internet Explorer; the second downloaded but required an update and then was corrupted again. Both links in Firefox worked; however, they either needed an update or were corrupted. Only once did the blue box even show up, and that needed an update and then was corrupted when it updated and restarted. Whatever I have, it’s keeping me from downloading ComboFix.
EDIT3: Tried running an updated MBAM scan, ran for a few minutes, found at least 3 problems (I opened this to update and then suddenly it had to close) and avast popped up again with a repelled notification… I wasn’t fast enough to screenshot it though… I’ll try running MBAM again and post any log I get. Should I also run an OTL scan again since I can’t get ComboFix to download?

I apologize for the double post, but I want to make sure people know there’s new information here… This is getting out of hand. MBAM froze for over a half hour, took me another fifteen minutes just to abort the scan and quarantine the three objects it already found, three more Whitesmoke files! I’m running another scan to finish the D partition, which was where it was when I aborted. On top of that, I have another Avast URL Repelled warning, citing svchost.exe yet again as the problem. Seriously, I REALLY need help here before this thing takes over everything, and I’m only available in the evenings for the next few days because I have to work!

EDIT: I also keep having a process called Sf.bin that’s popping up and vanishing randomly, literally, by the time I click on it it’s vanished and reappeared again… I don’t remember ever seeing it before, but I’m not sure.
Anyways… I’m sorry if I’m starting to sound impatient… but my computer is my life, and I know it’s not the best, but if I lose it before I can replace it… IDK… Please help… I’ve never been worried this much about my computer… It’s never been this bad…
EDIT2: Finished scanning the D partition, found two more Whitesmoke registry keys, and another fake ms file… Attached is the log, restarting again as per MBAM’s request.

EDIT2: FINALLY got a successful ComboFix download AND scan. Log is posted, had to restart because it found Rootkit TDL3… Let's see… had to run MBAM a few times, restart repeatedly, download probably 20 times, and run with internet disconnected after manually killing svchost.exe three times (it seems to calm down a little after killing it three times… takes a bit to start back up after the third…) Anyways… log attached (last one), see if you guys can figure out if anything else needs doing… I’m a little relieved that ComboFix finally worked… lol

It was actually TDL4 in the MBR - did Avast alert you to this? - Ahh no, I see you are using V5 and not V6.

Go to Control Panel and select Internet Options
Select the Connections TAB
Select LAN settings button
Ensure there is no tick in the Proxy Server box
Select OK and restart Internet explorer

And for Firefox there are instructions on this page and you want the setting to be no proxy

Whitesmoke can be a right pig to get rid of despite the author's claims that it is a good programme.

Alright, definitely no proxy. And I updated Avast’s program and double-checked the database actually just after I successfully ran ComboFix.

What problems are you experiencing now ?

Nothing seems to be having any issues, though Avast has been notifying me about potentially dangerous programs starting up, I normally cancel them…

Is there a way to check and record all running processes, including their file paths and preferably usage? If so, that is something I’d like to be able to do regularly so I can double check everything, might help in finding fake processes lol…

There are two ways of doing that: using either Process Explorer from Sysinternals, or running OTL and looking at the processes.

========== Processes (SafeList) ==========

PRC - [2011/03/03 16:37:59 | 000,581,120 | ---- | M] (OldTimer Tools) – C:\Documents and Settings\Owner.DORISAI1\Desktop\OTL.exe
PRC - [2011/01/13 03:47:34 | 003,396,624 | ---- | M] (AVAST Software) – C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2011/01/13 03:47:33 | 000,040,384 | ---- | M] (AVAST Software) – C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2010/06/12 22:45:46 | 000,172,032 | ---- | M] (New Boundary Technologies, Inc.) – C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) – C:\WINDOWS\explorer.exe
PRC - [2006/11/03 10:01:16 | 000,319,488 | ---- | M] (PixArt Imaging Incorporation) – C:\WINDOWS\Philips\SPC610NC\Monitor.exe
PRC - [2006/05/23 21:22:36 | 000,573,440 | ---- | M] (Motorola Inc.) – C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
PRC - [2006/01/02 19:41:22 | 000,045,056 | ---- | M] (ATI Technologies Inc.) – C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
PRC - [2005/12/27 12:20:14 | 000,413,696 | ---- | M] (SigmaTel, Inc.) – C:\WINDOWS\stsystra.exe
PRC - [2004/11/05 09:47:00 | 000,098,394 | ---- | M] (Synaptics, Inc.) – C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

========== Modules (SafeList) ==========

MOD - [2011/03/03 16:37:59 | 000,581,120 | ---- | M] (OldTimer Tools) – C:\Documents and Settings\Owner.DORISAI1\Desktop\OTL.exe
MOD - [2011/01/13 03:47:35 | 000,189,728 | ---- | M] (AVAST Software) – C:\Program Files\Alwil Software\Avast5\snxhk.dll
MOD - [2010/08/23 11:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) – C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2004/11/05 09:47:00 | 000,069,722 | ---- | M] (Synaptics, Inc.) – C:\WINDOWS\system32\SynTPFcs.dll
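As an added example (not from this thread or from the OTL/Process Explorer tools it mentions), the following PowerShell script records running processes with their image path, owner and working set, and flags svchost.exe instances that do not run from the system directory under a service account, the sign the earlier reply described. It assumes PowerShell 2.0 or later with WMI available; the CSV output path is a placeholder.

```powershell
# Added example: snapshot running processes for later comparison and flag
# svchost.exe instances whose location or owner does not match a genuine one.
# Assumptions: PowerShell 2.0+, WMI reachable, output path is a placeholder.
$systemDir = [Environment]::GetFolderPath('System')   # e.g. C:\WINDOWS\system32
# Genuine svchost.exe runs under one of these built-in service accounts.
$serviceAccounts = @('SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE')

$snapshot = Get-WmiObject Win32_Process | ForEach-Object {
    # GetOwner() fails for protected processes; record that instead of guessing.
    $ownerInfo = $_.GetOwner()
    $owner = if ($ownerInfo.ReturnValue -eq 0) { $ownerInfo.User } else { 'unknown' }
    $path = $_.ExecutablePath          # $null for System/Idle and some protected processes
    $suspicious = $false
    if ($_.Name -ieq 'svchost.exe') {
        # Must live in the system directory (on 64-bit Windows, SysWOW64 is also
        # legitimate) and run under a service account; anything else is worth a look.
        $inSystemDir = ($path -ne $null) -and ($path -like "$systemDir\*")
        $isServiceAccount = $serviceAccounts -contains $owner.ToUpper()
        $suspicious = -not ($inSystemDir -and $isServiceAccount)
    }
    New-Object PSObject -Property @{
        PID          = $_.ProcessId
        Name         = $_.Name
        Path         = $path
        Owner        = $owner
        WorkingSetKB = [int]($_.WorkingSetSize / 1KB)
        Suspicious   = $suspicious
    }
}

# Largest consumers first: a runaway process shows up at the top of this list.
$snapshot | Sort-Object WorkingSetKB -Descending |
    Format-Table PID, Name, Owner, WorkingSetKB, Path -AutoSize

# Only the svchost.exe instances that failed the location/owner check.
$snapshot | Where-Object { $_.Suspicious } |
    Format-Table PID, Name, Owner, Path -AutoSize

# Keep a dated copy so successive runs can be compared for new or moved binaries.
$outFile = "$env:USERPROFILE\Desktop\process-snapshot-$(Get-Date -Format yyyyMMdd-HHmm).csv"
$snapshot | Export-Csv -Path $outFile -NoTypeInformation
```

Running it from an elevated prompt lets GetOwner() succeed for more processes; unelevated, some entries will show the owner as unknown.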


I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Run OTL and hit the Cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via Control Panel Add/Remove along with ERUNT, but they may be useful tools to keep.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that

[*]Click Start.
[*]Open My Computer.
[*]Select the Tools menu and click Folder Options.
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[*]Click Yes to confirm.
[*]Click OK.

http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application.

Upgrading Java:

[*]Download the latest version of Java SE Runtime Environment (JRE): JRE 6 Update 24.
[*]Click the “Download” button to the right.
[*]Select your Platform and check the box that says: “I agree to the Java SE Runtime Environment 6 License Agreement.”.
[*]Click on Continue.
[*]Click on the link to download Windows Offline Installation (jre-6u24-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager…
[*]Close any programs you may have running - especially your web browser.
[*]Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
[*]Check any item with Java Runtime Environment (JRE or J2SE) in the name.
[*]Click the Remove or Change/Remove button.
[*]Repeat as many times as necessary to remove each Java version.
[*]Reboot your computer once all Java components are removed.
[*]Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u24-windows-i586-p.exe and select “Run as an Administrator.”)

SPRING CLEAN

Download and run Puran Disc Defragmenter
For the first run I would recommend a boot defrag and disk check

http://i1224.photobucket.com/albums/ee362/Essexboy3/Bootdefrag.jpg

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

http://img233.imageshack.us/img233/7729/mbamicontw5.gif
Malwarebytes. Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly it will show you which programmes on your system need updating and give a download link

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit
[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe :wave: