Malware infection if anyone can help

Avast keeps popping up every 5 minutes with random virus info: TROJAN HORSE BLOCKED Win32:Malware-gen.
Ran Malwarebytes, it says it deleted the files, but it keeps coming back upon restart. Also am
getting a "Host Process For Windows Services has stopped working" pop-up as well. This all started about the same time this afternoon. If anyone can help, it would be much appreciated. MWB and OTL files attached.

00000004.@
000000cb.@
80000032.@
80000000.@

Hi Dodgy,

Thank you for attaching the three logs. One more is needed: aswMBR.exe. Look here: http://forum.avast.com/index.php?topic=53253.0

Do not attempt to run ComboFix without expert guidance. This would be a bad move, as it could remove legitimate (non-infected) system files.

There will not be a problem if an expert is on hand helping you through this. You will be in good hands.

Hi, :wink:
I will be working on your malware issues.

Step 1
Re-run OTL.exe.

[*]Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.


:files
C:\Windows\Installer\{9404964a-bb87-1b2b-177e-0d8c1dda8d21}
C:\Users\Dena Walker\AppData\Local\{9404964a-bb87-1b2b-177e-0d8c1dda8d21}
ipconfig /flushdns /c

:commands
[CREATERESTOREPOINT]
[emptytemp]


[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered; it will reboot the system when it is done and open Notepad with a log report. Attach that log report here.


Step 2

Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
Note: ComboFix must be downloaded to your Desktop.

Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this Instruction.

Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note: Do not mouse-click ComboFix's window while it is running.

When the tool is finished, it will produce a log report for you (typical location: C:\ComboFix.txt).
Attach the log report (ComboFix.txt) to this topic.
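Added example, not part of the thread and not the helper's tooling: the OTL :files fix above deletes the same GUID-named folder from both C:\Windows\Installer and the user's AppData\Local. The script below looks for exactly that pairing on a volume and lists the hex-named ".@" files inside. C:\Windows\Installer legitimately holds GUID-named folders for installed MSI packages, so a GUID there alone proves nothing; the same GUID also appearing under AppData\Local is the part worth flagging. The sample tree it builds is constructed (the GUID and ".@" names are the ones quoted in this thread; the second, unpaired GUID is an assumed benign MSI folder), so it runs offline; point `find_paired_guid_dirs` at a mounted volume or an image copied from a recovery environment for real use.

```python
r"""Flag GUID-named directories present in both Windows\Installer and a user's
AppData\Local, and list the NNNNNNNN.@ files inside them."""
import os
import re
import tempfile

GUID_DIR = re.compile(
    r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I)
AT_FILE = re.compile(r"^[0-9a-f]{8}\.@$", re.I)


def guid_dirs(path):
    """Lower-cased GUID -> actual name, for GUID-named subdirectories of path."""
    found = {}
    if not os.path.isdir(path):
        return found
    for name in os.listdir(path):
        if GUID_DIR.match(name) and os.path.isdir(os.path.join(path, name)):
            found[name.lower()] = name
    return found


def find_paired_guid_dirs(root):
    """Return {guid: [installer_path, appdata_path, ...]} for GUIDs that exist
    both under <root>/Windows/Installer and under some user's AppData/Local."""
    installer_dir = os.path.join(root, "Windows", "Installer")
    installer = guid_dirs(installer_dir)
    users_dir = os.path.join(root, "Users")
    hits = {}
    if not installer or not os.path.isdir(users_dir):
        return hits
    for user in os.listdir(users_dir):
        local = os.path.join(users_dir, user, "AppData", "Local")
        local_guids = guid_dirs(local)
        for guid in installer.keys() & local_guids.keys():
            hits.setdefault(guid, [os.path.join(installer_dir, installer[guid])])
            hits[guid].append(os.path.join(local, local_guids[guid]))
    return hits


def list_at_files(hits):
    """Walk every flagged directory and return the paths of NNNNNNNN.@ files."""
    found = []
    for paths in hits.values():
        for top in paths:
            for dirpath, _dirs, files in os.walk(top):
                found.extend(os.path.join(dirpath, f) for f in files if AT_FILE.match(f))
    return sorted(found)


def build_fixture():
    """Constructed sample tree (not a real system). The paired GUID and the .@
    names are those quoted in the thread; the unpaired GUID is an assumed
    benign MSI cache folder and must not be flagged."""
    root = tempfile.mkdtemp()
    paired = "{9404964a-bb87-1b2b-177e-0d8c1dda8d21}"
    benign = "{11111111-2222-3333-4444-555555555555}"
    installer = os.path.join(root, "Windows", "Installer")
    local = os.path.join(root, "Users", "Dena Walker", "AppData", "Local")
    os.makedirs(os.path.join(installer, benign))
    for base in (installer, local):
        os.makedirs(os.path.join(base, paired))
    for name in ("00000004.@", "000000cb.@", "80000032.@", "80000000.@"):
        open(os.path.join(installer, paired, name), "wb").close()
    open(os.path.join(local, paired, "00000004.@"), "wb").close()
    return root


if __name__ == "__main__":
    hits = find_paired_guid_dirs(build_fixture())
    for guid, paths in hits.items():
        print(guid)
        for p in paths:
            print("   ", p)
    for f in list_at_files(hits):
        print("  .@ file:", f)
```

The check only reports; deletion is left to the removal tool under guidance, as the helper insists above, because a wrong match in Windows\Installer would break repair and uninstall of a legitimate MSI product.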

Am so grateful for your help! Thank you so much!

The popups are gone. So happy!

Here are the logs you requested:

I ran the aswMBR that Mchain requested before I ran OTL and ComboFix.

Hi, :slight_smile:

Multiple Antivirus Programs

You are running more than 1 Antivirus program!

AV: avast! Antivirus *Enabled/Updated
AV: Microsoft Security Essentials *Disabled/Updated

Running more than one antivirus program is not recommended because:
[*] They can conflict with each other.
[*] They can report the other antivirus software as malicious.
[*] Antivirus programs use an enormous amount of the computer's resources when actively scanning.
[*] They can cause your computer to become unstable, run slowly and even, in rare cases, crash with a BSOD.
I strongly suggest you uninstall one of them. Which one is your decision.

Step 1

[*] Download AdwCleaner (by Xplode) to your desktop.
[*] Launch it, click on [Search] and wait for the scan.
[*] When the scan ends, Notepad will open with the report.

[*] Click on [Delete]. Wait for the programme to complete its work.
The program will close all active programs. Click OK to confirm that.
On the next two windows that open (Informations and Restart required) click OK.

[*] The computer will restart and open a notepad ( C:\AdwCleaner[S1].txt ) with the report.
[*] Save the notepad report on the Desktop
[*] Please attach here C:\AdwCleaner[S1].txt

Note: The report will also be stored on C:\AdwCleaner[S1].txt


Step 2

  • Temporarily disable your antivirus!
  • Open notepad and copy/paste the text present inside the code box below:

KillAll::

ClearJavaCache::

FCopy::
c:\windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe|c:\windows\system32\services.exe

RegLock::
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_270_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_270_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"

Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows. Referring to the screenshot above, drag CFScript.txt onto ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the log in your next reply (typical location: C:\ComboFix.txt).


Last step

Check USB storage devices / removable drives

Download MCShield from one of the following links:

MyCity - Official download link
Softpedija - Mirror download link

[*] Double click MCShield-Setup to install the application.
[*] Wait a few seconds for MCShield to finish its initial scan.
It is recommended that under the General and Scanner tabs you click the Defaults button to choose the recommended options.
[*] Connect your USB storage devices to the computer one at a time. Scanning will be done automatically.

When all scanning is done, attach the log report that MCShield has made.

Start → All Programs → MCShield → Logs

Attach here → AllScans.txt

Explanation: USB storage devices are all the USB devices that get their own drive letter when connected to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.
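Added example, not part of the thread and not the helper's tooling: the FCopy:: line in the CFScript above overwrites C:\Windows\System32\services.exe with the copy held in the WinSxS component store. The script below does the read-only version of that step, hashing the live System32 binary and checking whether any WinSxS copy of the same file is byte-identical; on a healthy Vista/7 system the System32 file is a hard link to the current component-store version, so exactly one match is expected and zero matches means the running binary is not one Windows installed. The volume it builds is constructed (a stand-in byte string plays the genuine file; the component directory name is the one from the FCopy:: line), so it runs offline. Caveat a practitioner would want: a kernel-mode rootkit can hand a clean file to anything reading System32 from inside the infected Windows session, so run this against the volume from a recovery environment or a mounted image.

```python
r"""Compare Windows\System32\<file> against every Windows\WinSxS\*\<file> copy by
SHA-256 and report whether the live binary matches a component-store version."""
import glob
import hashlib
import os
import tempfile

# Component directory quoted in the FCopy:: line of the thread.
COMPONENT_DIR = ("amd64_microsoft-windows-s..s-servicecontroller_"
                 "31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240")


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def winsxs_copies(root, filename):
    """Every component-store copy of filename, one per servicing version."""
    return sorted(glob.glob(os.path.join(root, "Windows", "WinSxS", "*", filename)))


def check_system_binary(root, filename):
    """Hash <root>/Windows/System32/<filename> and list the WinSxS component
    directories that hold a byte-identical copy."""
    live = os.path.join(root, "Windows", "System32", filename)
    live_hash = sha256_of(live)
    candidates = winsxs_copies(root, filename)
    matches = [c for c in candidates if sha256_of(c) == live_hash]
    return {
        "file": live,
        "sha256": live_hash,
        "winsxs_candidates": len(candidates),
        "matches": matches,
        "verdict": "ok" if matches else "MISMATCH",
    }


def build_fixture(tampered):
    """Constructed volume (not real binaries): a stand-in byte string plays the
    genuine services.exe; with tampered=True the System32 copy is altered."""
    root = tempfile.mkdtemp()
    sxs = os.path.join(root, "Windows", "WinSxS", COMPONENT_DIR)
    system32 = os.path.join(root, "Windows", "System32")
    os.makedirs(sxs)
    os.makedirs(system32)
    genuine = b"MZ constructed stand-in for services.exe contents"
    with open(os.path.join(sxs, "services.exe"), "wb") as fh:
        fh.write(genuine)
    with open(os.path.join(system32, "services.exe"), "wb") as fh:
        fh.write(genuine + b"\x90\x90 patched" if tampered else genuine)
    return root


if __name__ == "__main__":
    for flag in (False, True):
        report = check_system_binary(build_fixture(tampered=flag), "services.exe")
        print(report["verdict"], report["sha256"][:16], report["matches"])
```

A MISMATCH is a reason to restore from the component store (what the FCopy:: line does) or run the built-in system file checker, not to delete: services.exe is the Service Control Manager and Windows will not boot without it.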

Thank you for the information - I uninstalled micro essentials.

This morning I was also getting a pop up from malwarebytes - qoobox - Trojan oaccess - blocked.
I don't think I have received this pop-up since doing the latest scans today.

Thank you for the time you have spent helping me work this issue out!

This is just the Qoobox quarantine from ComboFix. We will remove that at the end, in post-cleaning.

Open notepad and copy/paste the text present inside the code box below:



Firefox::
FF - ProfilePath - c:\users\Dena Walker\AppData\Roaming\Mozilla\Firefox\Profiles\70e6gsbj.default\
FF - prefs.js: browser.search.selectedEngine - Search the web (Babylon)
FF - prefs.js: browser.startup.homepage - hxxp://search.babylon.com/?affID=112060&tt=120812_bandext_3312_2&babsrc=HP_ss&mntrId=524372ec00000000000000225f69eb7b

ClearJavaCache:: 

File::
c:\users\Dena Walker\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tcbhn.lnk
c:\users\Dena Walker\AppData\Roaming\BrowserCompanion\tcbhn.exe



Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows. Referring to the screenshot above, drag CFScript.txt onto ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the log in your next reply (typical location: C:\ComboFix.txt).

No popups all afternoon! Thank God for nice people like you!

here is the log…

Logs look good.

  • Re-run AdwCleaner and click on Uninstall

It is necessary to uninstall ComboFix:

[*] Click Start (or
http://amf.mycity.rs/pg/images/VistaStartButton.png
) then Run.

On Windows7 or Vista you may use Start Search field if Run is not available.

[*] In the text field type (or paste) the following:

ComboFix /Uninstall

Note that there is a space between " ComboFix " and " /Uninstall " .

[*] then click OK (or press Enter ).

Wait for the uninstall process to complete.

Re-run OTL and click on CleanUp! button

That's it... be safe :wink:

Hi Magna86,

Thank you so much for all of your help.

I was wondering if you can help me with one more thing? Somehow I got Babylon on my computer. And it keeps changing my search engine from Google to Babylon (in Firefox). I have tried various fixes from the internet with no luck. Every time I restart Firefox, it's back again. Thank you for any help you can provide.

This is what I tried already:

  1. click into the address bar in Firefox…Type “about:config”

  2. You will get a warning about your warranty…bypass this.

  3. In the next screen…type…“Babylon” in the Filter window (a search in the config)

  4. You are now in the guts of Firefox…and where Babylon did its dirty work. You will find about five or six places where Babylon shows up.

  5. Highlight each of these entries one at a time, right click and pick “reset”.

  6. When all have been reset…close the file.

Now test:

Open firefox

@Dodgy
This one will remove the Babylon settings.

[*] Download AdwCleaner (by Xplode) to your desktop.
[*] Launch it, click on [Search] and wait for the scan.
[*] When the scan ends, Notepad will open with the report.

[*] Click on [Delete]. Wait for the programme to complete its work.
The program will close all active programs. Click OK to confirm that.
On the next two windows that open (Informations and Restart required) click OK.

[*] The computer will restart and open a notepad ( C:\AdwCleaner[S1].txt ) with the report.
[*] Save the notepad report on the Desktop
[*] Please attach here C:\AdwCleaner[S1].txt

Note: The report will also be stored on C:\AdwCleaner[S1].txt

I ran AdwCleaner and deleted everything, then restarted. But when I reopened the Firefox browser, Babylon was still there in the search bar.

However, there is something called "babylonobjectinstaller" in the Control Panel in the list of installed programs. But it won't let me uninstall it. When I click it, or right click, it does nothing. I have even started in safe mode and tried to uninstall it, but no luck. I have uploaded the AdwCleaner text file. Thank you so much for your time in assisting me.

OK, let's check and remove it.

Download OTL from one of the following links:
[*] Download link1
[*] Download link2

Remember to save it on your Desktop.

[*] Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.

[*] Click on Scan All Users

[*] Click the QuickScan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

[*] When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

[*] Please attach OTL.txt in this thread.

I didn't see an Extras.Txt file. I will run the scan again. But in the meantime, here is the OTL txt file.

Edit: ran a second scan and no extras file.

You didn't get Extras.txt because you didn't follow the last instructions that I gave you for uninstalling the tools.
And I really recommend that you uninstall all these toolbars; I really don't see the reason for their existence on your system.

Anyway…

Follow the instructions above for "ComboFix /Uninstall".

Re-run OTL.exe.

[*]Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.



:OTL
IE:64bit: - HKLM\..\SearchScopes\{4360D7E3-2BAF-4B5B-B398-6CF4B52B266F}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
IE - HKLM\..\SearchScopes\{4360D7E3-2BAF-4B5B-B398-6CF4B52B266F}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
IE - HKU\S-1-5-21-2198144862-943221988-1318540489-1000\..\URLSearchHook:  - No CLSID value found
IE - HKU\S-1-5-21-2198144862-943221988-1318540489-1000\..\SearchScopes\{4360D7E3-2BAF-4B5B-B398-6CF4B52B266F}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
FF - prefs.js..browser.search.defaultenginename: "Search the web (Babylon)"
FF - prefs.js..browser.search.order.1: "Search the web (Babylon)"
FF - prefs.js..browser.search.selectedEngine: "Search the web (Babylon)"
FF - prefs.js..browser.startup.homepage: "http://search.babylon.com/?affID=112060&tt=120812_bandext_3312_2&babsrc=HP_ss&mntrId=524372ec00000000000000225f69eb7b"
FF - user.js - File not found
O2 - BHO: (no name) - {2EECD738-5844-4a99-B4B6-146BF802613B} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {D0F4A166-B8D4-48b8-9D63-80849FE137CB} - No CLSID value found.

:files
C:\Users\Dena Walker\AppData\Roaming\Mozilla\Firefox\Profiles\70e6gsbj.default\searchplugins\search-the-web.xml

:commands
[Reboot]



[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered; it will reboot the system when it is done and open Notepad with a log report. Attach that log report here.

Re-run OTL, click on QuickScan and attach the fresh OTL.txt here.
Is Babylon gone?
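Added example, not part of the thread and not the helper's tooling, covering both the Firefox:: lines of the earlier CFScript and the FF - prefs.js / searchplugins entries in the OTL fix above: an offline audit of a Firefox profile for hijacked search and homepage settings. It reads prefs.js and, if present, user.js (a file Firefox re-applies at every start, so prefs set there come back after every reset; OTL reports "user.js - File not found" above because it checks for the same thing), parses every OpenSearch XML in the profile's searchplugins folder, and flags watched prefs whose URL host, or whose named engine's results host, is not on a trusted-host allowlist chosen for this example. The profile it builds is constructed: the pref values are the ones quoted in the thread, the plugin's results template is an assumption.

```python
r"""Audit a Firefox profile for hijacked search/homepage prefs and for
searchplugins whose results page is not a trusted host."""
import os
import re
import tempfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*"((?:[^"\\]|\\.)*)"\);')
WATCHED = ("browser.startup.homepage", "browser.search.defaultenginename",
           "browser.search.order.1", "browser.search.selectedEngine", "keyword.URL")
# Assumption for this example: the hosts the profile owner actually wants to use.
TRUSTED_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com", "duckduckgo.com"}


def parse_prefs(text):
    """user_pref("name", "value"); lines -> {name: value} (string prefs only)."""
    return {m.group(1): m.group(2) for m in PREF_RE.finditer(text)}


def host_of(value):
    """Lower-cased host of an http(s) URL, or None if value is not a URL."""
    parsed = urlparse(value.strip())
    return parsed.netloc.lower() if parsed.scheme in ("http", "https") else None


def parse_searchplugins(profile_dir):
    """ShortName -> (file, host of the text/html results template) for every
    OpenSearch XML in <profile>/searchplugins; tags matched namespace-agnostically."""
    engines = {}
    plugdir = os.path.join(profile_dir, "searchplugins")
    if not os.path.isdir(plugdir):
        return engines
    for name in sorted(os.listdir(plugdir)):
        if not name.lower().endswith(".xml"):
            continue
        path = os.path.join(plugdir, name)
        try:
            tree = ET.parse(path)
        except ET.ParseError:
            continue
        short, host = None, None
        for el in tree.getroot().iter():
            tag = el.tag.rsplit("}", 1)[-1]
            if tag == "ShortName":
                short = (el.text or "").strip()
            elif tag == "Url" and el.get("type", "text/html") == "text/html":
                host = host_of(el.get("template", ""))
        if short:
            engines[short] = (path, host)
    return engines


def audit_profile(profile_dir, trusted=TRUSTED_HOSTS):
    """Return (source, name, detail) findings for untrusted engines and prefs."""
    findings = []
    engines = parse_searchplugins(profile_dir)
    for short, (path, host) in engines.items():
        if host not in trusted:
            findings.append(("searchplugin", short, f"{os.path.basename(path)} -> {host}"))
    for fname in ("prefs.js", "user.js"):
        path = os.path.join(profile_dir, fname)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            prefs = parse_prefs(fh.read())
        for key in WATCHED:
            value = prefs.get(key)
            if value is None:
                continue
            # browser.startup.homepage may hold several URLs separated by "|".
            hosts = [h for h in (host_of(u) for u in value.split("|")) if h]
            if hosts:
                if any(h not in trusted for h in hosts):
                    findings.append((fname, key, value))
            elif value in engines and engines[value][1] not in trusted:
                findings.append((fname, key, value))
    return findings


def build_fixture():
    """Constructed profile (not the user's real one): pref values as quoted in
    the thread; the plugin's template URL is an assumption."""
    profile = tempfile.mkdtemp(suffix=".default")
    prefs = "\n".join([
        'user_pref("browser.search.defaultenginename", "Search the web (Babylon)");',
        'user_pref("browser.search.order.1", "Search the web (Babylon)");',
        'user_pref("browser.search.selectedEngine", "Search the web (Babylon)");',
        'user_pref("browser.startup.homepage", "http://search.babylon.com/?affID=112060'
        '&tt=120812_bandext_3312_2&babsrc=HP_ss&mntrId=524372ec00000000000000225f69eb7b");',
    ])
    with open(os.path.join(profile, "prefs.js"), "w", encoding="utf-8") as fh:
        fh.write(prefs + "\n")
    os.makedirs(os.path.join(profile, "searchplugins"))
    plugin = ('<?xml version="1.0" encoding="UTF-8"?>\n'
              '<OpenSearchDescription xmlns="http://a9.com/-/spec/opensearch/1.1/">\n'
              '  <ShortName>Search the web (Babylon)</ShortName>\n'
              '  <Url type="text/html" method="GET" template="http://search.babylon.com/?q={searchTerms}"/>\n'
              '</OpenSearchDescription>\n')
    with open(os.path.join(profile, "searchplugins", "search-the-web.xml"), "w", encoding="utf-8") as fh:
        fh.write(plugin)
    return profile


if __name__ == "__main__":
    for finding in audit_profile(build_fixture()):
        print(finding)
```

Run it with Firefox closed, since Firefox rewrites prefs.js on exit; a pref that reappears after the profile has been cleaned points at something outside the profile (an extension, a user.js, or an installed program re-applying it), which is why the helper asks for a fresh OTL scan rather than another edit of about:config.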

I apologize for not following the instruction. I assumed I could leave them installed until we were completely finished.
My apologies.

I do have a couple toolbars in my browser that I use sometimes, roboform - password generator and gamers unite for games. But babylon got there by accident, I got it from trying to download adwCleaner from another site. For some reason, when I clicked the download link that you provided for me, it would not work on my computer, it did this:

The connection was reset
PROBLEM LOADING PAGE:
The connection to the server was reset while the page was loading.

The site could be temporarily unavailable or too busy. Try again in a few
moments.
If you are unable to load any pages, check your computer’s network
connection.
If your computer or network is protected by a firewall or proxy, make sure
that Firefox is permitted to access the Web.

So I found adwCleaner from a different download site that wanted me to put a bunch of crap on my machine to install it. So I clicked to cancel the install…but I guess it was too late, babylon took over my computer anyway.
I ended up using my husband's computer to see if your download link for AdwCleaner would work from a different computer, and it did. I copied it to a USB stick and ran AdwCleaner on my computer.

I uninstalled ComboFix
and did as you instructed,
and unfortunately Babylon is still there, in my browser search bar and in the Control Panel in installed programs. If you don't want to spend any more time on this, I will understand. Thank you for all the time you have spent assisting me, it's been very much appreciated.

Hi,
In the OTL log I see the same entries that I wrote in the scripts to be deleted. Will you re-run the OTL fix one more time?
Then re-run OTL and attach a fresh OTL.txt here to see whether they are gone.

Apparently we are having some communication problems, I apologize if I have wasted your time. I reran the fix again, with no luck in it solving the problem. So, after searching the internet all afternoon, I finally found a fixable work around for the issues with babylon. Thank you for your time Mr. Magna.