Infected with something. Consrv.dll?

So the other weekend I got infected with something. I am not sure if it has to do with me turning off the web shield to be able to play Battlefield (Battlelog) better and be able to join parties through their web service.

At first I noticed it because avast was going crazy with warnings. I then checked the task manager and there were many processes with a random assortment of letters and numbers originating in the local app data (I believe). Also in local/temp and windows/sysWOW64. I did a scan with avast, Malwarebytes and SUPERAntiSpyware. All bringing up a few things. Some notable things –

C:/progamdata/privacy.exe
C:/windows/System32/consrv.dll
E:/pagefile.sys
C:/windows/sysWOW64/ping.exe

Object: C:\Windows\assembly\temp\U\80000032.@

At first there was a fake anti-virus that popped up; can’t remember the name but something like ** Security 2011 (or maybe 2012, can’t remember). But I have since been able to get rid of that.

But things started coming back still (except for the numerous processes [thus far])

I have run rkill and done all of the above again – yet they seem to keep coming back.

Thanks!

Follow this to get started >> http://forum.avast.com/index.php?topic=53253.0

When the tools get finished, post the resulting logs back here as attachments, Essexboy will give them a look when he is online and then tell you what to do next.

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8186

Windows 6.1.7601 Service Pack 1
Internet Explorer 8.0.7601.17514

11/18/2011 12:16:30 AM
mbam-log-2011-11-18 (00-16-30).txt

Scan type: Quick scan
Objects scanned: 173951
Time elapsed: 4 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\DuSchi\AppData\Local\Temp\ms0cfg32.exe (Exploit.Drop.Gen) -> Quarantined and deleted successfully.

The OTL.txt was too big to attach.

So here is a link to it from my Dropbox – http://dl.dropbox.com/u/4510363/OTL.Txt

Hi there!

Download ComboFix. It’s important that you save it to Desktop and run it from there.
Follow the instructions and don’t touch anything. Combofix will delete the infected files and reboot your system if something was found.

http://www.combofix.org/

To uninstall combofix press Windows key+R and type combofix /uninstall

Then download Malwarebytes Anti-Malware and do a deep scan with it. If it doesn’t find anything you should be good.

Let me know how it turned out!

EDIT:
You should also check your registry so there isn’t something that’s executed to run on startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

and

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

Search on how to handle registry!

//Sweden
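The check described in the post above, as an added example that is not part of the thread: a read-only PowerShell listing of the four Run/RunOnce keys that flags entries whose executable sits in a user-writable location (the Temp, AppData and ProgramData paths the infection in this thread used) or no longer exists on disk. The key list and the set of "suspicious" directories are assumptions you can extend.

```powershell
# Added example, not from the thread: enumerate the four Run/RunOnce keys named above
# and flag entries whose executable lives where this thread's samples did (Temp,
# AppData, ProgramData) or no longer exists on disk. Read-only; it changes nothing.
$keys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Locations a legitimate startup program rarely runs from (assumed list; extend as needed).
$userWritable = @('\AppData\Local\Temp\', '\AppData\Roaming\', '\ProgramData\', '\Windows\Temp\')

function Get-ImagePath([string]$command) {
    # Pull the executable out of a Run value: a quoted path first, otherwise the first token.
    # An unquoted path containing spaces is cut at the first space; review those by hand.
    if ($command -match '^\s*"([^"]+)"') { return [Environment]::ExpandEnvironmentVariables($Matches[1]) }
    if ($command -match '^\s*(\S+)')     { return [Environment]::ExpandEnvironmentVariables($Matches[1]) }
    return $command
}

$results = foreach ($key in $keys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    foreach ($p in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # PowerShell's own PSPath/PSParentPath metadata
        $exe  = Get-ImagePath ([string]$p.Value)
        $flag = 'ok'
        foreach ($dir in $userWritable) {
            if ($exe -like "*$dir*") { $flag = 'USER-WRITABLE-LOCATION'; break }
        }
        if ($flag -eq 'ok' -and $exe -and -not (Test-Path -LiteralPath $exe)) { $flag = 'FILE-MISSING' }
        [pscustomobject]@{ Flag = $flag; Name = $p.Name; Exe = $exe; Key = $key }
    }
}
# Flagged entries first, then the ones that look normal.
$results | Sort-Object { $_.Flag -eq 'ok' } | Format-Table -AutoSize
```

On 64-bit Windows, 32-bit programs register under HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run as well, so add that key to the list if the machine is x64 like the one in this thread.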

corpseworm as this is your first post it is not recommended that you reply to posts in the viruses and worms section.
We have qualified malware specialists that handle any issues in here.

Thank you

Ah, okay!

Well I got rid of this last night so I just thought I could help. Sorry!

Adios!

//

Quote from BleepingComputer:

You should not run ComboFix unless you are specifically asked to by a helper. Also, due to the power of this tool it is strongly advised that you do not attempt to act upon any of the information displayed by ComboFix without supervision from someone who has been properly trained. If you do so, it may lead to problems with the normal functionality of your computer.

So wait for Essexboy

he is usually in here around 08:00pm - 11:59pm UK time

That is what I figured to do.

But thank you for the help anyway corpseroom :slight_smile:

Hi there, unfortunately Dropbox shows it as a continuous stream of text. Could you upload the text file to MediaFire and I will collect it from there. We may need to use ComboFix, but first I will need to confirm what we are up against.

Sure. Sorry about that.

http://www.mediafire.com/?gqan8nao1lg5amw

OK, we will need to do this as three separate elements.

First I will run ComboFix to kill the main bad boy, then I will run an OTL fix to kill the backup copies, and finally another ComboFix run to do a sweep.

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Location will be C:\ComboFix.txt.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.

THEN

OTL run - as this is a large fix I will upload it to MediaFire - sharing link http://www.mediafire.com/?fs553ey65xxgcd3. Download it to your desktop.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

  • Run OTL
  • Press the Run Fix button
  • A dialogue will open asking for the location of the fix
  • Browse to fix.txt on the desktop and select
  • Press Run Fix again

After the system reboots, re-run ComboFix please, posting the log generated by this run and a fresh OTL scan. Both logs should attach now.

Done.

However it still seems there is some stuff wrong.

http://www.mediafire.com/?xkxnu76up4va72f

I noticed as I was running the fix in OTL something popped up and said that windows encountered an error and will restart in 1 minute – maybe it did not completely finish and something happened?

Thanks again!

That may have happened due to the unexpected termination of svchost.exe…essexboy will be back at night to assist you…

Ok still more to remove but we are now getting there

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
File::
c:\windows\system32\drivers\ktbuhssj.sys
c:\windows\SysWow64\fcccS22ibD.exe

Folder::
c:\users\DuSchi\AppData\Roaming\eCCeekIIVrO
c:\users\DuSchi\AppData\Roaming\h333pmmG5aQ6dK8
c:\users\DuSchi\AppData\Roaming\pP00yccA1
c:\users\DuSchi\AppData\Roaming\IOOONtxxAucSib3
c:\users\DuSchi\AppData\Roaming\H333onFF4aH5sJd
c:\users\DuSchi\AppData\Roaming\QeellOBtzP0yA1v
c:\users\DuSchi\AppData\Roaming\qNNNtxPP0uS1iDo
c:\users\DuSchi\AppData\Roaming\XbbFF3pnG5aQ6dK
c:\users\DuSchi\AppData\Roaming\YBBttzP0ycA1v
c:\users\DuSchi\AppData\Roaming\KS22obbF3pmGaJ6
c:\users\DuSchi\AppData\Roaming\JppmmH5J7
c:\users\DuSchi\AppData\Roaming\nyyccA1ivD2oF4m
c:\users\DuSchi\AppData\Roaming\uBBrzPPNyxAuv2b
c:\users\DuSchi\AppData\Roaming\WggTTZqhY
c:\users\DuSchi\AppData\Roaming\c1iivvD3o
c:\users\DuSchi\AppData\Roaming\WllIBBtzN
c:\users\DuSchi\AppData\Roaming\eQQQH6ddWKfRLg
c:\users\DuSchi\AppData\Roaming\vwwjjUVVelBtzNc
c:\users\DuSchi\AppData\Roaming\VzzONNyxA0uv2iF
c:\users\DuSchi\AppData\Roaming\UqjjUCCekIBrONx
c:\users\DuSchi\AppData\Roaming\YsssQJJ7dEKgR9h
c:\users\DuSchi\AppData\Roaming\t444ammH5WJ7E8g
c:\users\DuSchi\AppData\Roaming\oYYYXwwkUVe
c:\users\DuSchi\AppData\Roaming\uJ66ddWK8fRLhTq
c:\users\DuSchi\AppData\Roaming\ljjUUVeelBtzPyA
c:\users\DuSchi\AppData\Roaming\JtP00ucS1ibDon4
c:\users\DuSchi\AppData\Roaming\N22iibD3nGa
c:\users\DuSchi\AppData\Roaming\buuucSS1ibDon4a
c:\users\DuSchi\AppData\Roaming\p999gTXqjYekIrz
c:\users\DuSchi\AppData\Roaming\nggTTXqqjYekIrz
c:\users\DuSchi\AppData\Roaming\eddWKK7fRLg
c:\users\DuSchi\AppData\Roaming\S66ddWK7fR
c:\users\DuSchi\AppData\Roaming\liiibFF3pnGaQ6d
c:\users\DuSchi\AppData\Roaming\kWWWK77fRL9
c:\users\DuSchi\AppData\Roaming\edWWK77fL9g
c:\users\DuSchi\AppData\Roaming\eddWWK7ffL9
c:\users\DuSchi\AppData\Roaming\u666dEEK8fZ9TwU
c:\users\DuSchi\AppData\Roaming\SdEEK8fRZ9TwjCl
c:\users\DuSchi\AppData\Roaming\kKKK8ffRZ9hXwUC
c:\users\DuSchi\AppData\Roaming\HQQJJ6dEK8RZ9Tw
c:\users\DuSchi\AppData\Roaming\PggTTZqhhCwUVrO
c:\users\DuSchi\AppData\Roaming\wbbFF3ppmGaQJdK
c:\users\DuSchi\AppData\Roaming\nGG44amH6sWJ7E8
c:\users\DuSchi\AppData\Roaming\vCCeekIVrzONxAu
c:\users\DuSchi\AppData\Roaming\zxxPP0ycS1ivDoF
c:\users\DuSchi\AppData\Roaming\XyyxxA1uvS2ob3m
c:\users\DuSchi\AppData\Roaming\Z6ssWWK7f
c:\users\DuSchi\AppData\Roaming\uQQQJ66dWK8RLhT
c:\users\DuSchi\AppData\Roaming\zyyccA11uv2ob
c:\users\DuSchi\AppData\Roaming\UuuccS1ibD3oG4
c:\users\DuSchi\AppData\Roaming\Y000uvvS2ib3pGa
c:\users\DuSchi\AppData\Roaming\qxxAA0uvS2ib3pG
c:\users\DuSchi\AppData\Roaming\iiiibF33pn
c:\users\DuSchi\AppData\Roaming\bbbbF33pnGa
c:\users\DuSchi\AppData\Roaming\zH55ssWJ7dELgRq
c:\users\DuSchi\AppData\Roaming\jjjjYCCwkIVlO
c:\users\DuSchi\AppData\Roaming\QAA1ivvD2on
c:\users\DuSchi\AppData\Roaming\bllOONttxPucSi
c:\users\DuSchi\AppData\Roaming\PiivvD33on4am5
c:\users\DuSchi\AppData\Roaming\OffRLhhTXqUCeIr
c:\users\DuSchi\AppData\Roaming\cyyycSS1iv3oF4m
c:\users\DuSchi\AppData\Roaming\cyyycSS1ivDon4m
c:\users\DuSchi\AppData\Roaming\K999hTTXqjUekBr
c:\users\DuSchi\AppData\Roaming\OjjYYCwkkVrlOtP
c:\users\DuSchi\AppData\Roaming\YKK77fRL9gTXjYe
c:\users\DuSchi\AppData\Roaming\RlOBtzP0yAiDoFp
c:\users\DuSchi\AppData\Roaming\AdddWK8fRLTXjUe
c:\users\DuSchi\AppData\Roaming\NCCelIBrzPyx1v2
c:\users\DuSchi\AppData\Roaming\PSS11bb3on4aHs
c:\users\DuSchi\AppData\Roaming\TmG55QQ6d
c:\users\DuSchi\AppData\Roaming\JQQJJ6dWK8fR9hX
c:\users\DuSchi\AppData\Roaming\RjUUCeekIBrONx
c:\users\DuSchi\AppData\Roaming\V55aaQJJ6dK8fLh
c:\users\DuSchi\AppData\Roaming\sKKK8ggRZ9hXwUV
c:\users\DuSchi\AppData\Roaming\qKK77fEL9gTZjYk
c:\users\DuSchi\AppData\Roaming\uQ68qezxvbGHKfL
c:\users\DuSchi\AppData\Roaming\TtttxP00yc1i
c:\users\DuSchi\AppData\Roaming\syyycAA1uvD
c:\users\DuSchi\AppData\Roaming\T333ppnG5aQHdW7
c:\users\DuSchi\AppData\Roaming\plllONNtxP0cS1b
c:\users\DuSchi\AppData\Roaming\QCCCwwkIVrlOtx
c:\users\DuSchi\AppData\Roaming\jaaamHH6sWJfE8g
c:\users\DuSchi\AppData\Roaming\uyyyxAA1uvSob3p
c:\users\DuSchi\AppData\Roaming\O00yycAA1iD2oF4
c:\users\DuSchi\AppData\Roaming\upppnnG4aQH6WKf
c:\users\DuSchi\AppData\Roaming\kKK77fRRL9TXqY
c:\users\DuSchi\AppData\Roaming\fZZZ9hhYXwjVelB
c:\users\DuSchi\AppData\Roaming\FttxxA00uc2i
c:\users\DuSchi\AppData\Roaming\iJJ66dWWK8fL9TX
c:\users\DuSchi\AppData\Roaming\LPPP0yycA1iD2nF
c:\users\DuSchi\AppData\Roaming\xbbbF33pmG5aJ6
c:\users\DuSchi\AppData\Roaming\RA000uvS2ibF3n5

Driver::
ktbuhssj

Save this as CFScript.txt, in the same location as ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
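A way to confirm the script above actually took effect, as an added example that is not part of the thread or of ComboFix: this PowerShell reads the CFScript.txt (one item per line under each File::, Folder:: and Driver:: directive) and reports which listed files or folders still exist and which driver service is still registered. The Desktop location of the script is an assumption.

```powershell
# Added example, not from the thread: after ComboFix has processed a CFScript like the
# one above, re-check every File::, Folder:: and Driver:: entry it listed. Anything still
# present means the cleanup did not fully take. Assumes the script is on the Desktop.
param([string]$ScriptPath = "$env:USERPROFILE\Desktop\CFScript.txt")

$sections = @{ File = @(); Folder = @(); Driver = @() }
$current  = $null
foreach ($raw in Get-Content -LiteralPath $ScriptPath) {
    $line = $raw.Trim()
    if ($line -eq '') { continue }
    # Directive lines look like "File::", "Folder::" or "Driver::"; other directives are ignored.
    if ($line -match '^(\w+)::$') {
        $current = if ($sections.ContainsKey($Matches[1])) { $Matches[1] } else { $null }
        continue
    }
    if ($current) { $sections[$current] += $line }
}

$report = New-Object System.Collections.Generic.List[object]
foreach ($f in $sections.File) {
    $report.Add([pscustomobject]@{ Kind = 'File';   Item = $f; StillPresent = (Test-Path -LiteralPath $f -PathType Leaf) })
}
foreach ($d in $sections.Folder) {
    $report.Add([pscustomobject]@{ Kind = 'Folder'; Item = $d; StillPresent = (Test-Path -LiteralPath $d -PathType Container) })
}
foreach ($s in $sections.Driver) {
    # A Driver:: entry names a kernel service; it is gone only when its Services key is gone.
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$s"
    $report.Add([pscustomobject]@{ Kind = 'Driver'; Item = $s; StillPresent = (Test-Path -LiteralPath $svcKey) })
}

$report | Format-Table -AutoSize
$left = @($report | Where-Object { $_.StillPresent }).Count
Write-Output "$left of $($report.Count) listed items are still present."
```

A non-zero count after a reboot is the signal in this thread that a second OTL or ComboFix pass is needed.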

Done.

Could you run another OTL scan please, selecting all users. There will be just one log.

:frowning:

http://www.mediafire.com/?qub6eofwlb6089k

I must admit I have never seen this many folders created by malware before

Same as before, please download the fix.txt from MediaFire:
http://www.mediafire.com/file/wy9tikc9c1t4lau/fix.txt

  • Run OTL
  • Press Run Fix
  • Select the fix.txt in the dialogue and press Run Fix again

If the NT Authority tries to shut it off again, then retry the fix in safe mode.

Once done, re-run ComboFix, allowing it to update if it asks.

At least it fits in attachments now :stuck_out_tongue:

Could I see a fresh OTL log please, after the last fix run.