Help with malware!

Hi, I’ve followed some of the instructions about removing…

C:\explorer.exe (Worm.AutoRun) →
C:\WINDOWS\system32\cffmon.exe (Backdoor.Bot) →

Avast keeps sending alerts about it. I also ran the scan but I’m kind of lost as to what to do next. I tried to look up some threads to see what people do about it but I haven’t found anything… there is too much info! :-\

I’ve attached the log files for anyone to look at.
Would appreciate some feedback, thanks.
I ran Malwarebytes and OTL.

Your Malwarebytes scan was done with an old database (3930). The latest database is 4046.
MBAM is updated several times a day, so always run an update before you scan.

First of all, thank you for responding so quickly; I didn’t think it would be so quick. As I’m typing this I’m updating Malwarebytes at this very instant! So I guess I have to run a scan again. I’ll attach the log as soon as I can so you can have a look. If it’s no biggy, I understand that you guys have a lot to do, so I’ll be patient. Thank you again.
BTW I’m not a tech person but I do know some basics.

Hi, let’s try this

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKLM..\Run: [WindowsDefender] C:\WINDOWS\system32\vcmxqbd.exe ()
O4 - HKCU..\Run: [Com32] C:\WINDOWS\system32\vcmxqbd.exe ()
O4 - HKCU..\RunServicesOnce: [LogServ] C:\WINDOWS\system32\vcmxqbd.exe ()
F3 - HKCU WinNT: Load - (C:\windows\system32\vcmxqbd.exe) - C:\WINDOWS\system32\vcmxqbd.exe ()
O20 - HKLM Winlogon: UserInit - (C:\windows\system32\vcmxqbd.exe) - C:\WINDOWS\system32\vcmxqbd.exe ()
O33 - MountPoints2\{6c6d5b2b-3e2d-11de-9cb2-0018de98dc40}\Shell\AutoRun\command - "" = FILES\REMOVED\BEST.exe
O33 - MountPoints2\{6c6d5b2b-3e2d-11de-9cb2-0018de98dc40}\Shell\open\command - "" = FILES\REMOVED\BEST.exe
O33 - MountPoints2\{6c6d5b2c-3e2d-11de-9cb2-0018de98dc40}\Shell\AutoRun\command - "" = FILES\REMOVED\BEST.exe
O33 - MountPoints2\{6c6d5b2c-3e2d-11de-9cb2-0018de98dc40}\Shell\open\command - "" = FILES\REMOVED\BEST.exe
[2001/08/23 11:30:00 | 000,434,176 | RHS- | M] () -- C:\explorer.exe

:Reg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\WINDOWS\system32\vcmxqbd.exe"=-

:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Thanks a lot for the feedback, but Avast is still giving me an alert about the explorer.exe, unfortunately.

OK OTL was not quite strong enough for this one

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

[*]Double click on ComboFix.exe & follow the prompts.

[*]As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

OK so I ran the combofix.exe but I don’t get a ComboFix.txt; instead I got a folder combofix, about 26.6MB, and it contains more folders, exactly as if I opened up ‘My Computer’ I see the same. I’ve attached a picture of it and the Microsoft message as well.

Can the log be anywhere else? It doesn’t show in C:\
Oh, there is another folder called Qoobox containing 5 folders: Back env, Lastrun, Quarantine, Test, Test C

Qoobox contains the quarantined files and various backups

Could you delete your current copy of ComboFix, download a fresh version and then run it?

Sorry got the same thing again.

OK different tool time ;D

Download avz4.zip from HERE

[*]Unzip it to your desktop to a folder named avz4
[*]Double click on AVZ.exe to run it.
[*]Run an update by clicking the Auto Update button on the Right of the Log window:
http://perplexus.geekstogo.com/avz-update-button.png

[*]Click Start to begin the update

Note: If you receive an error message, choose a different source, then click Start again

[*] Start AVZ.

[*] Choose from the menu “File” => “Standard scripts” and mark the “Advanced System Analysis with malware removal mode enabled” check box.

http://perplexus.geekstogo.com/avz-standardscripts-asa-removal.png

[*] Click on the “Execute selected scripts”.
[*] Automatic scanning, healing and system check will be executed.
[*] A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
[*] It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
[*] All applications will work properly after the system restart.

When restarted

[*] Start AVZ.

[*] Choose from the menu “File” => “Standard scripts” and mark the “Advanced System Analysis” check box.

http://perplexus.geekstogo.com/avz-standardscripts-asa.png

[*] Click on the “Execute selected scripts”.
[*] A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.

Upload both zip files to Mediafire and post the sharing link.

Hi, so I’ve uploaded the files. I was having trouble uploading one of them (virusinfo_syscheck.zip) so I had to unzip it, put it in a new folder and zip it back; hope there’s no problem.
Here’s the link for both files:

http://www.mediafire.com/?sharekey=5de6cccaad38e92c6787958b30ba21400080192828272345a9a26c4ed87536eb

On completion of this, retry ComboFix please

AVZ FIX

[*] Double click on AVZ.exe

[*] Click File > Custom scripts

[*] Copy & paste the contents of the following codebox in the box in the program (start with begin and end with end )

begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
SetAVZPMStatus(True);
 TerminateProcessByName('c:\windows\system32\vcmxqbd.exe');
 BC_DeleteFile('c:\windows\system32\vcmxqbd.exe');
 DeleteFile('c:\windows\system32\vcmxqbd.exe');
 BC_DeleteFile('C:\windows\system32\vcmxqbd.exe');
 DeleteFile('C:\windows\system32\vcmxqbd.exe');
 RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','WindowsDefender');
 RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','Com32');
 RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\RunServicesOnce','LogServ');
 BC_DeleteFile('C:\explorer.exe');
 DeleteFile('C:\explorer.exe');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

[*] Note: When you run the script, your PC will be restarted

[*] Click Run

[*] Restart your PC if it doesn’t do it automatically.
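The OTL fix earlier in the thread and the AVZ script just above remove the same set of entries: three Run values, the WinNT Load value, the Winlogon UserInit replacement, the MountPoints2 autorun commands and C:\explorer.exe. As an added example that is not part of this thread and not OTL’s or AVZ’s own code, the script below shows how a helper can recognise those entry types in OTL-style log lines before writing a fix: it parses each line, applies one rule per persistence point, and rebuilds the `:OTL` block from whatever it flagged. The sample lines are the ones posted in the OTL fix plus two constructed benign lines (a signed Avast Run entry and a normal UserInit) so that the rules have something to pass; the regular expressions, rule names and the `triage`/`build_otl_fix` helpers are my own assumptions about OTL’s line format, based only on the lines shown in this thread.

```python
"""Triage of OTL-style log lines: flag the persistence points seen in this thread.

Added example for this thread, not code from OTL, AVZ or the helper. The regexes
below are an assumption about OTL's line format derived from the lines posted above.
"""
import re
from dataclasses import dataclass

# Constructed sample: the flagged lines from the thread's OTL fix, plus two benign
# lines (a signed Avast Run entry and a normal UserInit) that must NOT be flagged.
SAMPLE_OTL_LINES = r'''
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKLM..\Run: [WindowsDefender] C:\WINDOWS\system32\vcmxqbd.exe ()
O4 - HKCU..\Run: [Com32] C:\WINDOWS\system32\vcmxqbd.exe ()
O4 - HKCU..\RunServicesOnce: [LogServ] C:\WINDOWS\system32\vcmxqbd.exe ()
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\avastUI.exe (ALWIL Software)
F3 - HKCU WinNT: Load - (C:\windows\system32\vcmxqbd.exe) - C:\WINDOWS\system32\vcmxqbd.exe ()
O20 - HKLM Winlogon: UserInit - (C:\windows\system32\vcmxqbd.exe) - C:\WINDOWS\system32\vcmxqbd.exe ()
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O33 - MountPoints2\{6c6d5b2b-3e2d-11de-9cb2-0018de98dc40}\Shell\AutoRun\command - "" = FILES\REMOVED\BEST.exe
O33 - MountPoints2\{6c6d5b2b-3e2d-11de-9cb2-0018de98dc40}\Shell\open\command - "" = FILES\REMOVED\BEST.exe
[2001/08/23 11:30:00 | 000,434,176 | RHS- | M] () -- C:\explorer.exe
'''


@dataclass
class Finding:
    line: str    # the original log line, so it can be pasted straight into a fix
    reason: str  # why the rule fired


# One pattern per OTL section we care about (assumed format, see module docstring).
RUN_RE = re.compile(r'^O4 - (HK\w+)\.\.\\(\w+): \[(?P<name>[^\]]*)\] (?P<path>.+?) \((?P<publisher>[^)]*)\)$')
USERINIT_RE = re.compile(r'^O20 - HKLM Winlogon: UserInit - \((?P<value>[^)]*)\)')
LOAD_RE = re.compile(r'^F3 - HK\w+ WinNT: Load - \((?P<value>[^)]*)\)')
MOUNTPOINT_RE = re.compile(r'^O33 - MountPoints2\\(?P<guid>\{[^}]+\})\\Shell\\(?P<verb>\w+)\\command - "" = (?P<cmd>.+)$')
FILE_RE = re.compile(r'^\[[^|]+\| *[\d,]+ \| (?P<attrs>[A-Z-]{4}) \| [MC]\] \((?P<publisher>[^)]*)\) -- (?P<path>.+)$')


def triage_line(line: str):
    """Return a Finding if the line matches one of the persistence rules, else None."""
    m = RUN_RE.match(line)
    if m:
        # Run/RunServicesOnce entry whose binary carries no version/publisher info.
        # Heuristic only: some legitimate programs also lack version resources.
        if not m['publisher'].strip():
            return Finding(line, f"Run entry {m['name']!r} without file publisher: {m['path']}")
        return None
    m = USERINIT_RE.match(line)
    if m:
        # UserInit normally points at <windir>\system32\userinit.exe (trailing comma allowed).
        value = m['value'].rstrip(',').lower()
        if not value.endswith(r'\system32\userinit.exe'):
            return Finding(line, f"Winlogon UserInit replaced by {m['value']}")
        return None
    m = LOAD_RE.match(line)
    if m:
        # The WinNT 'Load' value is rarely set on a clean system.
        return Finding(line, f"WinNT Load value set: {m['value']}")
    m = MOUNTPOINT_RE.match(line)
    if m:
        # Per-volume AutoRun/open commands are how an autorun worm re-launches from USB media.
        return Finding(line, f"MountPoints2 {m['verb']} command for volume {m['guid']} runs {m['cmd']}")
    m = FILE_RE.match(line)
    if m:
        # explorer.exe anywhere but <drive>:\WINDOWS\explorer.exe is a lookalike.
        path = m['path']
        if path.rsplit('\\', 1)[-1].lower() == 'explorer.exe' and \
                not re.match(r'^[a-z]:\\windows\\explorer\.exe$', path.lower()):
            return Finding(line, f"explorer.exe outside the Windows directory (attributes {m['attrs']}): {path}")
    return None


def triage(text: str) -> list:
    """Run every non-empty line of an OTL log through triage_line."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if line:
            f = triage_line(line)
            if f:
                findings.append(f)
    return findings


def build_otl_fix(findings) -> str:
    """Rebuild the ':OTL' section of a fix from the flagged lines, as in the thread."""
    return ":OTL\n" + "\n".join(f.line for f in findings) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_OTL_LINES)
    for f in found:
        print(f"{f.reason}\n    {f.line}")
    print()
    print(build_otl_fix(found))
```

The rules are triage aids, not verdicts: the empty-publisher check in particular produces false positives, so each flagged path still needs to be looked at (file size, location, signature) before it goes into a fix, which is exactly the judgement call the helper made above when choosing what to paste.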

I ran AVZ and ComboFix again. Got the log. I’ve attached it for you.

OK, that does not look too bad. What problems do you have now?

Hi, sorry for the delay in my reply. So far I haven’t gotten any alerts from avast! Yay! The only issue I’m experiencing, or was experiencing, is some delay in Windows; sometimes it just freezes up for 5 seconds but then goes back to normal. Lately I haven’t had that happen, but I’ll update if anything comes up.

One more thing, don’t know if it’s related, but Internet Explorer is having problems loading. I continuously get “Internet Explorer cannot display the webpage”.
I didn’t have that problem before, but I’m looking into some solutions some people suggested. Any suggestions?

Thanks a lot for your help Essexboy. Glad to know there’s help out there.
There are people who appreciate you taking the time.

In that case, let’s tidy you up and see if we get an improvement. Let me know how it goes.

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Run AVZ and select standard script 6. (delete drivers and reg keys) then delete the AVZ file/folder

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via control panel add/remove along with ERUNT. But they may be useful tools to keep

We will now confirm that your hidden files are set to that, as some of the tools I use will change that

[*]Click Start.
[*]Open My Computer.
[*]Select the Tools menu and click Folder Options.
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[*]Click Yes to confirm.
[*]Click OK.

http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install in those systems

Upgrading Java:

[*]Download the latest version of Java SE Runtime Environment (JRE)JRE 6 Update 20.
[*]Click the “Download” button to the right.
[*]Select your Platform and check the box that says: “I agree to the Java SE Runtime Environment 6 License Agreement.”.
[*]Click on Continue.
[*]Click on the link to download Windows Offline Installation (jre-6u20-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager…
[*]Close any programs you may have running - especially your web browser.
[*]Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
[*]Check any item with Java Runtime Environment (JRE or J2SE) in the name.
[*]Click the Remove or Change/Remove button.
[*]Repeat as many times as necessary to remove each Java version.
[*]Reboot your computer once all Java components are removed.
[*]Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u20-windows-i586-p.exe and select “Run as an Administrator.”)

XP
Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:

[*]Select Start > All Programs > Accessories > System tools > System Restore.
[*]On the dialogue box that appears select Create a Restore Point
[*]Click NEXT
[*]Enter a name e.g. Clean
[*]Click CREATE

You now have a clean restore point, to get rid of the bad ones:

[*]Select Start > All Programs > Accessories > System tools > Disk Cleanup.
[*]In the Drop down box that appears select your main drive e.g. C
[*]Click OK
[*]The system will do some calculation and then display a dialogue box with TABS
[*]Select the More Options Tab.
[*]At the bottom will be a system restore box with a CLEANUP button click this
[*]Accept the Warning and select OK again, the program will close and you are done

VISTA
To manually create a new Restore Point
[*]Go to Control Panel and select System and Maintenance
[*]Select System
[*]On the left select Advanced System Settings and accept the warning if you get one
[*]Select System Protection Tab
[*]Select Create at the bottom
[*]Type in a name i.e. Clean
[*]Select Create
Now we can purge the infected ones

[*]Go back to the System and Maintenance page
[*]Select Performance Information and Tools
[*]On the left select Open Disk Cleanup
[*]Select Files from all users and accept the warning if you get one
[*]In the drop down box select your main drive i.e. C
[*]For a few moments the system will make some calculations
[*]Select the More Options tab
[*]In the System Restore and Shadow Backups select Clean up
[*]Select Delete on the pop up
[*]Select OK
[*]Select Delete
You are now done

SPRING CLEAN

Download TFC to your desktop

[*]Open the file and close any other windows.
[*]It will close all programs itself when run, make sure to let it run uninterrupted.
[*]Click the Start button to begin the process. The program should not take long to finish its job
[*]Once it’s finished it should reboot your machine; if not, do this yourself to ensure a complete clean

THEN

Download Flush Flash from Here and follow the easy to use instructions on the same page

NEXT

Download and run Puran Disc Defragmenter

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
[*]SpywareBlaster to help prevent spyware from installing in the first place.

http://img233.imageshack.us/img233/7729/mbamicontw5.gif
Malwarebytes. Run weekly to keep your system clean

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit
[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe :wave:

Hi, sorry I haven’t been able to reply because I’m out of the country, so I won’t be able to do the rest of the stuff.

However, I am dealing with another problem unrelated to this one. I am using my bro’s PC which is running Windows 7 and he has a broadband connection. Recently some websites I have visited previously aren’t loading or are just loading slowly. It happens on all browsers, not just one, so I know it’s not the website or just one browser.
I’ve tried a lot of things but can’t seem to find a good solution.
I turned off Avast and all the add-ons, reset the router, powered it on and off just in case (as was suggested by some).
Any tips?

Have you tried cleaning the temp files and defragging?

Hi, thanks, will try that!