System tool 2011 - virus?

OK, stop ComboFix and reboot. I will use OTL to clear the remainder.

Could I have a fresh OTL log please

Many thanks again.

Somehow OTL had got uninstalled. I reinstalled it and ran the quick scan. Log attached.

I managed to run a combofix scan. The log is attached.

OK, you have a lot going on there: rootkits and a possible bootkit.

One or more of the identified infections is a backdoor Trojan and a key logger.

If this computer is ever used for on-line banking, I suggest you do the following immediately:

  1. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

  2. From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.


.
THEN

  1. Please open Notepad
    [*] Click Start, then Run.
    [*] Type notepad.exe in the Run box.

  2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
c:\windows\system32\drivers\bbcmwebo.sys
c:\windows\system32\drivers\ikrjlnlx.sys
c:\windows\system32\drivers\lzhpqlxq.sys
c:\windows\system32\drivers\oxxofpos.sys

Folder::
c:\program files\lmvvjpsi
c:\documents and settings\All Users\Application Data\eCmCpNn06511

Driver::
bbcmwebo
ikrjlnlx
lzhpqlxq
oxxofpos

  3. Then in the text file go to FILE > SAVE AS and in the dropdown box set SAVE AS TYPE to ALL FILES

  4. Save the above as CFScript.txt

  5. Then drag the CFScript.txt onto ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

  6. After reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
    [*] Combofix.txt
    [*] A new OTListit log.

.
FOLLOWED BY

Please read carefully and follow these steps.

[*]Download TDSSKiller and save it to your Desktop.
[*]Extract its contents to your desktop.
[*]Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillermain.png

[*]If an infected file is detected, the default action will be Cure, click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerMal-1.png

[*]If a suspicious file is detected, the default action will be Skip, click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerSuspicious.png

[*]It may ask you to reboot the computer to complete the process. Click on Reboot Now.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerCompleted.png

[*]If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
[*]If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste the contents of that file here.

Hey essexdude,

If you get a minute, please take a look at the logs and let me know what I should do next.

Thanks a million

Cross posted ;D

I have set some instructions in the post two above this

Thanks for the new instructions Essexguy. I am partway through them now. I will post the combofix log and then try to do the rest.

I have to download OTL yet again. Then I run the quick scan right?

No not yet, as combofix did not kill the drivers. Give me a few minutes whilst I decide what tool to use for this

OK skip OTL for the moment

  1. Please download The Avenger2 by Swandog46 to your Desktop.
    [*]Right click on the Avenger.zip folder and select “Extract All…”
    [*] Follow the prompts and extract the avenger folder to your desktop
  2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):
Begin copying here:

Drivers to delete:
bbcmwebo
ikrjlnlx
lzhpqlxq
oxxofpos

Files to delete:
c:\windows\system32\drivers\bbcmwebo.sys
c:\windows\system32\drivers\ikrjlnlx.sys
c:\windows\system32\drivers\lzhpqlxq.sys
c:\windows\system32\drivers\oxxofpos.sys

Folders to delete:
c:\program files\lmvvjpsi
c:\documents and settings\All Users\Application Data\eCmCpNn06511



Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

[*] Right click on the window under Input script here:, and select Paste.
[*] You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
[*] Click on Execute
[*] Answer “Yes” twice when prompted.

  4. The Avenger will automatically do the following:
    [*]It will Restart your computer. ( In cases where the code to execute contains “Drivers to Delete” or “Drivers to Disable”, The Avenger will actually restart your system twice.)
    [*]After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    [*] The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
  5. Please copy/paste the content of c:\avenger.txt into your reply
    .
    THEN

Run TDSSKiller as previously stated

OK ran the avenger. Log attached. Now moving to the next part.

OK theoretically the drivers are now dead

I couldn’t log on to the forum for the last half hour or so. I can’t tell you how disheartened I got that I may have lost touch!

My browser got hijacked a few times, so I don’t think things are totally clear yet… Here is the log from TDSSKiller.

OK - the drivers are dead and the MBR is now fixed

So let's clean up. How often are the redirects? Are they in Firefox, IE or both?

Could you run me a fresh scan but with a slightly different programme

Download OTS to your Desktop and double-click on it to run it

[*]Make sure you close all other programs and don’t use the PC while the scan runs.
[*]Select All Users
[*]Under additional scans select the following
Reg - App Paths
Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
File - Lop Check
File - Purity Scan

[*]Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Please attach the log in your next post.

Thanks so much for persevering with this one. I am almost exhausted though!

Here is the OTS scan. I forgot to exit Forefront before running this, but I resisted the temptation to touch the machine while OTS was running.

It was IE that was getting hijacked earlier. So I downloaded Firefox and this was also not loading the forum page, though other sites were all working fine with both IE and Firefox! I was scared that perhaps the malware has worked out that I am getting great support from this forum so it is blocking me from visiting.

I’m paranoid now :)

Also, my Forefront still shows that there are threats (when it is running)

OK lets see if this is the last -

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

[Unregister Dlls]
[Registry - Safe List]
< bas Startup Folder > -> C:\Documents and Settings\bas\Start Menu\Programs\Startup
YY -> ~EmptyValue -> C:\Documents and Settings\bas\Start Menu\Programs\Startup\tsniwscy.exe
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
*UserInit* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit
YY -> C:\Program Files\lmvvjpsi\tsniwscy.exe -> C:\Program Files\lmvvjpsi\tsniwscy.exe
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
[Files/Folders - Created Within 30 Days]
NY ->  lmvvjpsi -> C:\Program Files\lmvvjpsi
[Files - No Company Name]
NY ->  jfibbgwo.log -> C:\Documents and Settings\bas\jfibbgwo.log
NY ->  hjoeohsl.log -> C:\Documents and Settings\bas\hjoeohsl.log
NY ->  nqwbsppt.log -> C:\Documents and Settings\bas\nqwbsppt.log
NY ->  tsniwscy.exe -> C:\Documents and Settings\bas\Start Menu\Programs\Startup\tsniwscy.exe
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
[Reboot]
  

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here

I will review the information when it comes back in.

THEN

http://img233.imageshack.us/img233/7729/mbamicontw5.gif
Please download Malwarebytes’ Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

[*]Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
[*]If an update is found, it will download and install the latest version.
[*]Once the program has loaded, select “Perform Quick Scan”, then click Scan.
[*]The scan may take some time to finish, so please be patient.
[*]When the scan is complete, click OK, then Show Results to view the results.
[*]Make sure that everything is checked, and click Remove Selected.
[*]When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
[*]The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
[*]Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
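As an added example (not part of this thread and not one of the tools the helper used): once the ComboFix, Avenger and OTS scripts above have run, the question is whether the indicators they targeted are actually gone. The PowerShell check below (PowerShell 2.0 or later, from an elevated prompt) re-tests each of them: the four driver service keys under HKLM\SYSTEM\CurrentControlSet\Services, the .sys files, the two folders, the Startup-folder executable, and the Winlogon Userinit value that the OTS fix cleaned. The indicator names come from the scripts above; the environment-variable paths (XP profile layout) and the expected Userinit value of `<SystemRoot>\system32\userinit.exe,` are assumptions for a default install. The important caveat is that an active kernel rootkit can hide files and registry keys from user-mode tools like this one, so a clean result here only means something after the boot-level check (TDSSKiller, which also repaired the MBR) has already come back clean.

```powershell
# Added post-cleanup verification; not one of the tools used in the thread.
# Indicator names are the ones listed in the ComboFix/Avenger/OTS scripts above.
# Paths are assumed from environment variables for an XP-era layout; adjust for another case.
$drivers = 'bbcmwebo', 'ikrjlnlx', 'lzhpqlxq', 'oxxofpos'
$files   = $drivers | ForEach-Object { Join-Path $env:SystemRoot "system32\drivers\$($_).sys" }
$folders = @(
    (Join-Path $env:ProgramFiles 'lmvvjpsi'),
    (Join-Path $env:ALLUSERSPROFILE 'Application Data\eCmCpNn06511')   # XP; on Vista+ this lives under $env:ProgramData
)
# Per-user Startup folder entry from the OTS log (XP profile layout assumed)
$startupExe = Join-Path $env:USERPROFILE 'Start Menu\Programs\Startup\tsniwscy.exe'

$findings = @()

# 1. Driver services: deleting the .sys file is not enough if the service key survives,
#    the boot loader will still try to load it (and a re-dropped file would load again).
foreach ($d in $drivers) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$d"
    if (Test-Path -LiteralPath $key) {
        $img = (Get-ItemProperty -LiteralPath $key).ImagePath
        $findings += "driver service still registered: $d (ImagePath=$img)"
    }
}

# 2. Files and folders named in the Avenger / ComboFix scripts
foreach ($p in @($files) + $folders + @($startupExe)) {
    if (Test-Path -LiteralPath $p) { $findings += "still on disk: $p" }
}

# 3. Winlogon Userinit: the legitimate value is "<SystemRoot>\system32\userinit.exe," and every
#    extra comma-separated entry is executed at each logon. The OTS fix removed
#    C:\Program Files\lmvvjpsi\tsniwscy.exe from it; confirm nothing else is appended.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -LiteralPath $winlogon).Userinit
$expected = Join-Path $env:SystemRoot 'system32\userinit.exe'   # assumed default
$entries  = $userinit -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' }
foreach ($e in $entries) {
    if ($e -ine $expected) { $findings += "unexpected Userinit entry: $e" }
}

if ($findings.Count -eq 0) {
    'None of the listed indicators remain.'
} else {
    $findings | ForEach-Object { "FOUND: $_" }
}
```

Anything reported as FOUND is a reason to post a fresh log rather than assume the earlier script worked; a surviving Services key in particular is what the helper meant by "combofix did not kill the drivers", and it is why the Avenger script names both the driver services and their files.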

Here is the OTS log with the Run fix option.

Will now d/load Mbam

On completion of the MBAM run could you let me know what problems remain

It seems MBAM thinks there are no further problems. I have attached the log.

Thanks for all your help the last two evenings. I guess you are done for the night so I’ll get some shut-eye as well now - it’s 23:40 here.

I’ll keep an eye on the situation tomorrow, but there probably is something still wrong, which is causing forefront to show security messages from time to time.

I don’t think my browser is getting hijacked, so that’s good.