Threat has been detected - Malicious URL Blocked

???

Object: Updateconnections.com/… etc…
Infection: URL:Mal
Action: Blocked
Processes: C:\WINDOWS\System32\svchost.exe

This popup from avast has been going off for about a week. Last week soon after the pop up started I was infected with the Windows Restore Virus. After a day of fighting the virus I was able to remove most of it, but if this pop up is still coming up I’m guessing I still have some evil code lurking in my computer.

Avast alerts me of it but gives no solutions for its removal.

Any suggestions?

Since you posted the aswMBR.txt file contents in the other topic, can you place it here in your own topic, so all information is together.

Since it was also inconclusive (in my limited experience of it) you can try another analysis and data gathering tool that will be helpful to other malware removal specialists.

Note: this says attach the file (too big for copy and paste; use the Additional Options in the Reply window to attach the file).

Hopefully essexboy can pick up on this topic.

Will do, and I apologize for the thread hijack.

I just ran another mbam scan two minutes ago and it found something else.

I’ve been running Avast, Avira, AVG, Spybot and MBAM scans for almost a week. The AV programs find something here and there then remove it. A dozen or so scans will go by with no sign of a virus and then they come back again.

Avira just found TR/CRYPT.XPACK.Gen2

aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-20 14:39:25

14:39:25.609 OS Version: Windows 5.1.2600 Service Pack 2
14:39:25.609 Number of processors: 2 586 0x2302
14:39:25.609 ComputerName: GODMODE UserName: 64Xdual
14:39:26.609 Initialize success
14:39:29.171 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\00000032
14:39:29.171 Disk 0 Vendor: WDC_WD1600JS-22MHB0 02.01C03 Size: 152626MB BusType: 3
14:39:29.171 Disk 1 \Device\Harddisk1\DR1 → \Device\00000079
14:39:29.171 Disk 1 Vendor: ST3500630AS 3.AAK Size: 476940MB BusType: 3
14:39:29.171 Device \Device\00000077 → ??\IDE#DiskWDC_WD1600JS-22MHB0_____________________02.01C03#2020202057202D4443574E41314D353036373331#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
14:39:29.171 Disk 0 MBR read error 0
14:39:29.171 Disk 0 MBR scan
14:39:29.171 Disk 0 unknown MBR code
14:39:29.171 MBR BIOS signature not found 0
14:39:29.171 Disk 0 scanning sectors +312576705
14:39:29.171 Disk 0 scanning C:\WINDOWS\system32\drivers
14:39:38.625 Service scanning
14:39:39.765 Disk 0 trace - called modules:
14:39:39.781 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8a4d5ecc]<<
14:39:39.781 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x8a48fab8]
14:39:39.781 3 CLASSPNP.SYS[ba8e8fcf] → nt!IofCallDriver → \Device\00000078[0x8a431ac0]
14:39:39.781 5 ACPI.sys[ba77f620] → nt!IofCallDriver → [0x8a48f030]
14:39:39.781 [0x8a409748] → IRP_MJ_CREATE → 0x8a4d5ecc
14:39:39.781 Scan finished successfully
14:39:47.781 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\64Xdual\My Documents\Downloads\MBR.dat”
14:39:47.781 The log file has been saved successfully to “C:\Documents and Settings\64Xdual\My Documents\Downloads\aswMBR-2.txt”

Malwarebytes’ Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6609

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

5/20/2011 2:32:19 PM
mbam-log-2011-05-20 (14-32-19).txt

Scan type: Quick scan
Objects scanned: 239703
Time elapsed: 7 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\64Xdual\2gweorjqjutp92vjy9gake (Malware.Trace) → Quarantined and deleted successfully.

I don’t surf porn or hacker sites. Primarily I read the news and real estate related material. This machine has been running more or less virus free since 2006.

My log file was so long for OTS I had to break it into two attachments.

Attachment 1

Attachment 2

The machine has two physical internal hard drives and one external drive.

Please excuse the long list of firefox profiles. I build websites and have a different profile for each site.
local host is full of bad sites that probably have something to do with the redirects.

Thank you!

Hi, first a question: did you create this task to run daily?
C:\WINDOWS\tasks\rptp.job

If you did not, I will add that to the fix I am creating. Also, I would recommend uninstalling two of the three antiviruses you have installed.

I will await your reply before I create the fix.

Well, having multiple scanners installed isn’t going to help, as they will conflict with each other, which could leave you less well protected rather than better. Even if you disable their resident protection the low level drivers will be present.

The only way this could work would be by uninstalling an AV before installing the next, but even then there are possibilities of remnants after an uninstall. So you haven’t been doing yourself any favours; on-line scanners are an option for a backup second opinion type scan. All but avast should be uninstalled (MBAM is fine; it isn’t an AV).

One of the biggest problems is down to the number of legit sites which can get hacked. The avast web shield is very hot on these, but if you have multiple AVs also checking what avast is, the conflict could let something through.

Deleted AVG, Spybot and Avira Anti Virus and restarted the machine. All that remains is Avast and MBAM.

Avast is going nuts with “A threat has been detected” every minute and a half.

I did not set C:\WINDOWS\tasks\rptp.job to run daily. I’m not sure what it is.

What is my next step?

Thank you!

That has to be the answer to essexboy’s question, which is what he is waiting for, so he can compile the script to fix what has been found.

If you do find it is a job that you created you will have to recreate it, but I feel it is bad.

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

[Unregister Dlls]
[Files/Folders - Modified Within 30 Days]
NY ->  vpreekim.sys -> C:\WINDOWS\System32\drivers\vpreekim.sys
NY ->  rptp.job -> C:\WINDOWS\tasks\rptp.job
NY ->  Elaheqimezo.bin -> C:\WINDOWS\Elaheqimezo.bin
NY ->  8ovx0wkt11gr8lvac32b080q -> C:\Documents and Settings\All Users\Application Data\8ovx0wkt11gr8lvac32b080q
NY ->  8ovx0wkt11gr8lvac32b080q -> C:\Documents and Settings\64Xdual\Local Settings\Application Data\8ovx0wkt11gr8lvac32b080q
NY ->  ~16637732r -> C:\Documents and Settings\All Users\Application Data\~16637732r
NY ->  ~16637732 -> C:\Documents and Settings\All Users\Application Data\~16637732
NY ->  16637732 -> C:\Documents and Settings\All Users\Application Data\16637732
NY ->  Tvanexizo.dat -> C:\WINDOWS\Tvanexizo.dat
[Files - No Company Name]
NY ->  vpreekim.sys -> C:\WINDOWS\System32\drivers\vpreekim.sys
NY ->  ~16637732r -> C:\Documents and Settings\All Users\Application Data\~16637732r
NY ->  ~16637732 -> C:\Documents and Settings\All Users\Application Data\~16637732
NY ->  16637732 -> C:\Documents and Settings\All Users\Application Data\16637732
NY ->  8ovx0wkt11gr8lvac32b080q -> C:\Documents and Settings\All Users\Application Data\8ovx0wkt11gr8lvac32b080q
NY ->  8ovx0wkt11gr8lvac32b080q -> C:\Documents and Settings\64Xdual\Local Settings\Application Data\8ovx0wkt11gr8lvac32b080q
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
  

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

User: Administrator

User: administrator.PENINSULA

User: All Users

User: Default User

User: Kelly West
->Flash cache emptied: 0 bytes

User: LocalService

User: martin
->Flash cache emptied: 0 bytes

User: mike
->Flash cache emptied: 0 bytes

User: NetworkService

User: tony
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

Restore point Set: OTS Restore Point (0)
< End of fix log >
OTS by OldTimer - Version 3.1.42.0 fix logfile created on 05202011_160725

Files\Folders moved on Reboot…
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\aim_left_anchor_bubble_bot[8352].gif not found!
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\aim_left_anchor_bubble_top[8353].gif not found!
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\aim_no_anchor_bubble_bot[8357].gif not found!
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\aim_no_anchor_bubble_top[8358].gif not found!
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\aim_right_anchor_bubble_bot[8360].gif not found!
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\aim_right_anchor_bubble_top[8362].gif not found!
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\muc_left_anchor_bubble_bot[8393].png not found!
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\muc_left_anchor_bubble_top[8395].png not found!
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\muc_no_anchor_bubble_bot[8396].png not found!
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\muc_no_anchor_bubble_top[8398].png not found!
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\muc_right_anchor_bubble_bot[8401].png not found!
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\muc_right_anchor_bubble_top[8404].png not found!
File move failed. C:\WINDOWS\temp_avast_\Webshlock.txt scheduled to be moved on reboot.

Are the alerts still coming ?

Could you attach the entire report please as the main part I need to see is the file deletions at the top

Sorry about that, Here’s all of it.

Yes, still receiving the “Threat has been Detected” alerts.

All Processes Killed
[Files/Folders - Modified Within 30 Days]
File C:\WINDOWS\System32\drivers\vpreekim.sys not found!
C:\WINDOWS\tasks\rptp.job moved successfully.
C:\WINDOWS\Elaheqimezo.bin moved successfully.
C:\Documents and Settings\All Users\Application Data\8ovx0wkt11gr8lvac32b080q moved successfully.
C:\Documents and Settings\64Xdual\Local Settings\Application Data\8ovx0wkt11gr8lvac32b080q moved successfully.
C:\Documents and Settings\All Users\Application Data\~16637732r moved successfully.
C:\Documents and Settings\All Users\Application Data\~16637732 moved successfully.
C:\Documents and Settings\All Users\Application Data\16637732 moved successfully.
C:\WINDOWS\Tvanexizo.dat moved successfully.
[Files - No Company Name]
File C:\WINDOWS\System32\drivers\vpreekim.sys not found!
File C:\Documents and Settings\All Users\Application Data\~16637732r not found!
File C:\Documents and Settings\All Users\Application Data\~16637732 not found!
File C:\Documents and Settings\All Users\Application Data\16637732 not found!
File C:\Documents and Settings\All Users\Application Data\8ovx0wkt11gr8lvac32b080q not found!
File C:\Documents and Settings\64Xdual\Local Settings\Application Data\8ovx0wkt11gr8lvac32b080q not found!
[Empty Temp Folders]

User: 64Xdual
->Temp folder emptied: 813388 bytes
->Temporary Internet Files folder emptied: 33602 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 2284567576 bytes
->Google Chrome cache emptied: 0 bytes
->Apple Safari cache emptied: 0 bytes
->Opera cache emptied: 129228319 bytes
->Flash cache emptied: 3703 bytes

User: Administrator
->Temp folder emptied: 823 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: administrator.PENINSULA
->Temp folder emptied: 61 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->FireFox cache emptied: 2637339 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Kelly West
->Temp folder emptied: 5041136 bytes
->Temporary Internet Files folder emptied: 71915238 bytes
->Java cache emptied: 286971 bytes
->FireFox cache emptied: 20505813 bytes
->Flash cache emptied: 11478 bytes

User: LocalService
->Temp folder emptied: 65984 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: martin
->Temp folder emptied: 67091 bytes
->Temporary Internet Files folder emptied: 10936431 bytes
->Java cache emptied: 392822 bytes
->FireFox cache emptied: 16255099 bytes
->Flash cache emptied: 1020 bytes

User: mike
->Temp folder emptied: 12755720 bytes
->Temporary Internet Files folder emptied: 9862313 bytes
->Java cache emptied: 3187771 bytes
->FireFox cache emptied: 62255637 bytes
->Apple Safari cache emptied: 4882432 bytes
->Flash cache emptied: 6935 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: tony
->Temp folder emptied: 699 bytes
->Temporary Internet Files folder emptied: 254830 bytes
->Java cache emptied: 123079 bytes
->FireFox cache emptied: 8393212 bytes
->Flash cache emptied: 348 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 3261509 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 705618 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 7200 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 196446 bytes
RecycleBin emptied: 17656261 bytes

Total Files Cleaned = 2,543.00 mb

[EMPTYFLASH]

User: 64Xdual
->Flash cache emptied: 0 bytes

User: Administrator

User: administrator.PENINSULA

User: All Users

User: Default User

User: Kelly West
->Flash cache emptied: 0 bytes

User: LocalService

User: martin
->Flash cache emptied: 0 bytes

User: mike
->Flash cache emptied: 0 bytes

User: NetworkService

User: tony
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

Restore point Set: OTS Restore Point (0)
< End of fix log >
OTS by OldTimer - Version 3.1.42.0 fix logfile created on 05202011_160725

Files\Folders moved on Reboot…
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\aim_left_anchor_bubble_bot[8352].gif not found!
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\aim_left_anchor_bubble_top[8353].gif not found!
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\aim_no_anchor_bubble_bot[8357].gif not found!
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\aim_no_anchor_bubble_top[8358].gif not found!
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\aim_right_anchor_bubble_bot[8360].gif not found!
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\aim_right_anchor_bubble_top[8362].gif not found!
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\muc_left_anchor_bubble_bot[8393].png not found!
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\muc_left_anchor_bubble_top[8395].png not found!
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\muc_no_anchor_bubble_bot[8396].png not found!
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\muc_no_anchor_bubble_top[8398].png not found!
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\muc_right_anchor_bubble_bot[8401].png not found!
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\muc_right_anchor_bubble_top[8404].png not found!
File move failed. C:\WINDOWS\temp_avast_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot…
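Added example, not part of the thread and not OTS code: a small Python script that cross-checks an OTS fix script against the resulting fix log, so a helper can see at a glance which targets were moved and which came back “not found” (a driver still present but not removable is the case to follow up on). The sample script and log lines are lifted from the posts above and embedded as constructed strings; the regular expressions assume the line formats shown there.

```python
import re

# Constructed samples using the OTS fix script and fix log lines posted in this thread.
FIX_SCRIPT = """\
[Files/Folders - Modified Within 30 Days]
NY ->  vpreekim.sys -> C:\\WINDOWS\\System32\\drivers\\vpreekim.sys
NY ->  rptp.job -> C:\\WINDOWS\\tasks\\rptp.job
NY ->  Elaheqimezo.bin -> C:\\WINDOWS\\Elaheqimezo.bin
[Files - No Company Name]
NY ->  vpreekim.sys -> C:\\WINDOWS\\System32\\drivers\\vpreekim.sys
"""

FIX_LOG = """\
All Processes Killed
[Files/Folders - Modified Within 30 Days]
File C:\\WINDOWS\\System32\\drivers\\vpreekim.sys not found!
C:\\WINDOWS\\tasks\\rptp.job moved successfully.
C:\\WINDOWS\\Elaheqimezo.bin moved successfully.
[Files - No Company Name]
File C:\\WINDOWS\\System32\\drivers\\vpreekim.sys not found!
"""

# "NY ->  <name> -> <full path>" lines in the fix script (format assumed from the thread)
SCRIPT_LINE = re.compile(r"^NY\s*->\s*\S+\s*->\s*(.+?)\s*$")
# Outcome lines in the fix log
MOVED = re.compile(r"^(.+?) moved successfully\.$")
NOT_FOUND = re.compile(r"^File (.+?) not found!$")


def script_targets(text):
    """Return the de-duplicated list of paths the fix script asked OTS to move."""
    seen = []
    for line in text.splitlines():
        m = SCRIPT_LINE.match(line)
        if m and m.group(1).lower() not in (s.lower() for s in seen):
            seen.append(m.group(1))
    return seen


def log_outcomes(text):
    """Map each path mentioned in the fix log to 'moved' or 'not found'.

    A path listed in two script sections is moved by the first and reported
    'not found' by the second; 'moved' must win, hence setdefault for not-found.
    """
    outcomes = {}
    for line in text.splitlines():
        m = MOVED.match(line.strip())
        if m:
            outcomes[m.group(1).lower()] = "moved"
            continue
        m = NOT_FOUND.match(line.strip())
        if m:
            outcomes.setdefault(m.group(1).lower(), "not found")
    return outcomes


def reconcile(script_text, log_text):
    """For every script target, report 'moved', 'not found' or 'no log entry'."""
    outcomes = log_outcomes(log_text)
    return {p: outcomes.get(p.lower(), "no log entry") for p in script_targets(script_text)}


def unresolved(script_text, log_text):
    """Targets the fix did not remove; a driver here needs a different tool."""
    return [p for p, r in reconcile(script_text, log_text).items() if r != "moved"]


if __name__ == "__main__":
    for path, result in reconcile(FIX_SCRIPT, FIX_LOG).items():
        print(f"{result:13} {path}")
    for path in unresolved(FIX_SCRIPT, FIX_LOG):
        print("follow-up needed:", path)
```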

OK, it is not seeing the sys file to delete.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

* Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

* Double click on ComboFix.exe & follow the prompts.

* As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

* Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Wow, that took a long time.

First trial it found a rootkit and rebooted.

Here’s the log file: See Attached


Still more going on though

On completion of this combofix run (it should be faster this time ) rerun aswMBR please

  1. Please open Notepad: click Start, then Run, and type notepad.exe in the Run box.

  2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
c:\windows\System32\drivers\jbpii.sys

Driver::
sphnn

  3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES.

  4. Save the above as CFScript.txt.

  5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

  6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply: Combofix.txt and the new aswMBR log.

Both scans attached.

Thank you Thank you Thank You for taking the time to help with this.

When Essexboy is done with you, we need to have you update your machine to SP3 and IE8 as well as check your other software since this puts you at great risk for getting malware. We will let Essexboy finish his malware removal first.

@ Essexboy, Nice job on that Combofix. :wink:

Not overly happy about the MBR. What is the make of your computer, i.e. Dell, HP, etc.?

Also, what are your current problems?

CF does the work - I just tell it what to do ;D

I built the computer many years ago.
Gigabyte Motherboard.
AMD Athlon 62 Dual Core Processor 3800
Two SATA drives
3GB RAM

She was a really fast machine 6 years ago…

Not experiencing any problems now but Combofix is still detecting a rootkit every time it runs.

I turned it off yesterday when you logged off.

I don’t use IE at all unless I’m making sure a website looks ok in older versions. I’m primarily a Firefox/Opera/Safari user.

If I can’t get rid of the rootkit I may just wipe the drive & switch to Ubuntu

Please let me know if there is more I should do.