Help with 800000.cb@ - OTL, Malwarebyte, aswMBR included

[Rust]

Hi,

Avast is continually warning me about a malware called 800000.cb@.

It seems to be operating as part of windows services.exe

I've attached the OTL, MBR, and MBAM scan results to this message.

Any help you can give me would be greatly appreciated.

Thanks for your time

[mikaelrask]

welcome to the forum. a malware expert will help you and give you instructions on how to proceed.

[SafeSurf]

After reviewing your logs, I am going to refer you to our Certified Malware specialist, named Essexboy.  He will also review your logs and give you further instructions, however he comes on the forum late UK time.  He will respond to you in this thread, so remember to check this thread daily.

Please do not make any further changes to your machine after you have provided the logs.

IMPORTANT: If you are on a home network, disconnect the affected machine from the network.  Do not share a USB/flash drive with this affected machine.  Do not use this machine unless Essexboy or another malware removal specialist instructs you do to malware removal instructions; use a different machine to check email, sync your phone or other devices.

Let us know if you have any questions.  Thank you.

[Rust]

Thats great, thanks

[essexboy]

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  
  

  :Files
  ipconfig /flushdns /c
  C:\Windows\Installer\{04de65de-f984-a3db-b59e-e0b164f88e96}
  C:\Users\J\AppData\Local\{04de65de-f984-a3db-b59e-e0b164f88e96}
  
  :Commands
  [purity]
  [resethosts]
  [emptytemp]
  [CREATERESTOREPOINT]
  [Reboot]
• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1
Link 2
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

• Double click on ComboFix.exe & follow the prompts.
  
• Accept the disclaimer and allow to update if it asks

• When finished, it shall produce a log for you.
• Please include the C:\ComboFix.txt in your next reply.[/b]
  

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3.  If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.



Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

[Rust]

Hi,

I followed your instructions and it seems to have gotten rid of the problem. One thing to note is that OTL froze after a few minutes 3 times when i ran it (including once on safe mode), after restarting the computer however and starting OTL i received a message telling me that files had been deleted so i assume that the freeze happened after the work was done. Regardless i've had no virus alert since.

Thanks a lot for your time and effort.

This is a great service,

Cheers

PS the log files are attached

[essexboy]

I still need to replace services to finish the job

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:

FCopy::
c:\windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe|c:\windows\system32\Services.exe

Save this as CFScript.txt, in the same location as ComboFix.exe


Refering to the picture above, drag CFScript into ComboFix.exeWhen finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3.  If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

[Rust]

Ok, that's done as instructed above and new log attached.

Thanks again.

[essexboy]

OK that did not work..  Could you click the Globe under my Avatar, that will take you to my skydrive
Located there is a file named services.exe
Download that to your C drive i.e. C:\services.exe

Then we will try another swap

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:

FCopy::
c:\services.exe|c:\windows\system32\Services.exe

Save this as CFScript.txt, in the same location as ComboFix.exe


Refering to the picture above, drag CFScript into ComboFix.exeWhen finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3.  If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

[Rust]

Hi,

I've tried that. Log attached

Thanks

[essexboy]

OK so Combofix decide to delete the file first... Obviously it is trying to rile me 

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:

FCopy::
c:\windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe | c:\windows\system32\Services.exe

Save this as CFScript.txt, in the same location as ComboFix.exe


Refering to the picture above, drag CFScript into ComboFix.exeWhen finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3.  If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.