Infected by trojan.

Status
Not open for further replies.
The same problem with ComboFix.

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7206

Windows 6.1.7601 Service Pack 1
Internet Explorer 8.0.7601.17514

10/01/2012 00:25:46
mbam-log-2012-01-10 (00-25-46).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|)
Objects scanned: 348034
Time elapsed: 47 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
Hi chelseafan,

This infection seems to be dug in. Thanks for your patience. :)
----------

Please download OTH.scr to your desktop

Double-click the OTH file and select Kill All Processes. Your desktop will go blank.

Then select Start Misc Program and navigate to Malwarebytes. Update and run a Full Scan with Malwarebytes. When it completes save the log to post into your next reply.

Once Malwarebytes has been run press Start Misc Programs again and navigate to your newly named ComboFix on your Desktop (the one named svchost.exe) and attempt to run a scan. If it completes be sure to save the log to your Desktop.

Press the Reboot button. Your system will reboot and now please post the logs that are created by Malwarebytes and hopefully ComboFix. :)
 
Nothing happened when I clicked Kill All Processes.
I can't check for updates on Malwarebytes but I ran the scan and nothing detected.
The same problem with ComboFix.
 
Hi chelseafan,

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure "Include All Files" option remains checked.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.
 
Hi,

Just go ahead and be sure to check all of the boxes and then press Scan. :)

Once the log is produced be sure to post that into your next reply.
 
Hi chelseafan,

Firefox. I'm having no problem downloading the files, when I open the file it doesn't work.
Oh I know. I wanted to be sure I gave you the correct set of instructions next.

Be sure to read through the following instructions first and then follow the instructions in order. :)

Open Firefox. Go to Tools >> Options >> General tab >> select Always ask me where to save files. This will allow you to properly rename ComboFix prior to downloading it to your system.
----------

We need to be sure hidden extensions are shown:
Go to Start
Click on Control Panel
Click on Folder Options
Click on View Tab

Check:
Show hidden files, folders, or drives

Uncheck the "hide extensions for known file types" boxes.

Press OK
======================================================

Now delete all copies of ComboFix on your system using right-click >> delete. Don't forget about the copy that we renamed svchost.com if it is still there.
-------------

I want for you to download a fresh copy of ComboFix to your Desktop. Before downloading you should be asked by Firefox where you want to save the file. Be sure to save it to your Desktop and rename it svchost.com

After it has downloaded to your Desktop I want you to right-click on the file and select Properties. In the General tab I want you to be sure that the file is named svchost.com. You can see this at the very top of the General tab next to the icon for the file. Be sure that it only says svchost.com and nothing else.

If that is what it says press ok and then attempt to run the newly named ComboFix and then post the ComboFix log into your next reply.

If it says anything else stop and let me know.
 
It says svhost.com.exe
Also, AFTER deleting ComboFix, I had to restart the computer for an Adobe update (a genuine one this time). Upon restarting, the ComboFix malfunction appeared again.
 
I had to restart the computer for an Adobe update
:laugh: I had to do the same today.
---------

Since you have not run the new ComboFix, please right-click on the ComboFix icon and select Properties. Where it reads svchost.com.exe, delete the .exe and then press OK. Now attempt to run ComboFix again.

If it runs and there is a log created post that into your next reply. If it doesn't let me know what happens.
 
Hi chelseafan,

We are going to do something different. :)

Click Start > Run and copy/paste the following text into the Run box as shown and click OK.
Combofix /Uninstall
(Note: There is a space between the ..X and the /U that needs to be there.)

----------

Reboot your system.
----------

Download Combofix from either of the links below, and save it to your desktop. Before downloading it please rename it Iexplorer.com before saving it to your Desktop.
Link 1
Link 2

Attempt to run ComboFix and post the log into your next reply. If there are any problems let me know. :)
 
Hi,

You'll need a CD and a USB flash drive that has some space on it. We will not be changing any of the data on the USB device, just using it for a file.

You will also need to use Firefox to download a file as Internet Explorer seems to mangle the download.

If you have any problems with these steps please let me know. It may look complicated but it's fairly straightforward and for the most part automated.


Download GETxPUD.exe to your desktop
  • Run GETxPUD.exe by double clicking it.
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and when finished, it will open BurnCDCC which will be ready to burn the image.
  • Click on Start and follow the prompts to burn the image to your CD

Using Firefox, please download and save dumpit to your USB device.

You may want to print out this part as you will not be able to view these instructions once booted with the CD you just made.
  • Leave the USB device attached to the computer
  • Now boot your computer with the CD you just burned
    • with the CD in the computer, restart the computer
  • The computer must be set to boot from the CD. Depending on your computer, you can either do this by pressing F12 and selecting the CD as the first boot option or it can be set in the BIOS
  • Once you have the computer set to boot from the CD allow it to boot
  • A Welcome to xPUD screen will appear
  • Click on File
  • Expand mnt
  • sda1, or sda2... usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
    (you will be able to tell if it is the right one as the screen will populate with your files)
  • Locate the file you downloaded and saved earlier, dumpit
  • double click it to run it
  • a black window will open, follow the instructions to close the window when it's finished
  • a file called MBR.zip should now be placed in the right hand panel
  • Click the Home icon at top
  • Remove the CD and click Power off
  • Click restart

Once the computer has rebooted, open the USB device and attach the MBR.zip file to your next reply.
 