Author Topic: 0000008.@/ 80000032.@ etc malware problem


awesomemansikes

  • Guest
Re: 0000008.@/ 80000032.@ etc malware problem
« Reply #15 on: August 01, 2012, 09:10:16 PM »
Here you go. :)

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: 0000008.@/ 80000032.@ etc malware problem
« Reply #16 on: August 01, 2012, 09:22:42 PM »

Hi awesomemansikes,

Please open Farbar Service Scanner.

In the search box copy and paste the following
    BITS

    • Click the Export Service button

      Please post the log.

    awesomemansikes

    Re: 0000008.@/ 80000032.@ etc malware problem
    « Reply #17 on: August 01, 2012, 09:30:24 PM »
    Here's the log.

    Offline oldman

    Re: 0000008.@/ 80000032.@ etc malware problem
    « Reply #18 on: August 01, 2012, 11:03:21 PM »
    Hi awesomemansikes,

    Next, Double click on OTL.exe
    • Under the Custom Scans/Fixes box at the bottom, paste in the following
    • Do Not copy the word CODE
    • please note the fix starts with the :
    • to ensure you get it all click the [select]
    Code: [Select]
    :Services

    :Reg
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
    "DisplayName"="@%SystemRoot%\\system32\\qmgr.dll,-1000"
    "ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
      74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
      00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
      6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
    "Description"="@%SystemRoot%\\system32\\qmgr.dll,-1001"
    "ObjectName"="LocalSystem"
    "ErrorControl"=dword:00000001
    "Start"=dword:00000002
    "DelayedAutoStart"=dword:00000001
    "Type"=dword:00000020
    "DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,45,00,76,00,65,00,\
      6e,00,74,00,53,00,79,00,73,00,74,00,65,00,6d,00,00,00,00,00
    "ServiceSidType"=dword:00000001
    "RequiredPrivileges"=hex(7):53,00,65,00,43,00,72,00,65,00,61,00,74,00,65,00,47,\
      00,6c,00,6f,00,62,00,61,00,6c,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,\
      67,00,65,00,00,00,53,00,65,00,49,00,6d,00,70,00,65,00,72,00,73,00,6f,00,6e,\
      00,61,00,74,00,65,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,\
      00,00,53,00,65,00,54,00,63,00,62,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,\
      00,67,00,65,00,00,00,53,00,65,00,41,00,73,00,73,00,69,00,67,00,6e,00,50,00,\
      72,00,69,00,6d,00,61,00,72,00,79,00,54,00,6f,00,6b,00,65,00,6e,00,50,00,72,\
      00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,49,00,6e,00,\
      63,00,72,00,65,00,61,00,73,00,65,00,51,00,75,00,6f,00,74,00,61,00,50,00,72,\
      00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,00,00
    "FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
      00,01,00,00,00,60,ea,00,00,01,00,00,00,c0,d4,01,00,00,00,00,00,00,00,00,00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Parameters]
    "ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
      00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
      71,00,6d,00,67,00,72,00,2e,00,64,00,6c,00,6c,00,00,00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Performance]
    "Library"="bitsperf.dll"
    "Open"="PerfMon_Open"
    "Collect"="PerfMon_Collect"
    "Close"="PerfMon_Close"
    "InstallType"=dword:00000001
    "PerfIniFile"="bitsctrs.ini"
    "First Counter"=dword:00000774
    "Last Counter"=dword:00000784
    "First Help"=dword:00000775
    "Last Help"=dword:00000785
    "Object List"="1908"
    "1008"=hex(b):bc,81,53,b3,1d,d9,cc,01
    "PerfMMFileName"="Global\\MMF_BITS_s"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Security]
    "Security"=hex:01,00,14,90,90,00,00,00,a0,00,00,00,14,00,00,00,34,00,00,00,02,\
      00,20,00,01,00,00,00,02,c0,18,00,00,00,0c,00,01,02,00,00,00,00,00,05,20,00,\
      00,00,20,02,00,00,02,00,5c,00,04,00,00,00,00,02,14,00,ff,01,0f,00,01,01,00,\
      00,00,00,00,05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,\
      20,00,00,00,20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,04,\
      00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,06,00,00,00,01,02,\
      00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,05,20,00,00,\
      00,20,02,00,00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Enum]
    "0"="Root\\LEGACY_BITS\\0000"
    "Count"=dword:00000001
    "NextInstance"=dword:00000001

    :Commands
    [createrestorepoint]
    [reboot]

    Then click the Run Fix button at the top
    • Let the program run unhindered
    • Please save the resulting log to be posted in your next reply.
    Please post the OTL fix log.

    Next OTL should have rebooted your computer after the above fix. If it didn't please reboot the computer.

    Click your start button and copy and paste the following into the search box and hit enter.

    services.msc


    • Locate Background Intelligent Transfer Service
    • click on it
    • in the left panel you should see "start the service"
    • click the underlined blue start
    Did the service start? If not, what error message, if any, did you receive?
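    Before running a :Reg fix like the one above, it helps to see what the hex-encoded values actually say. The following is an added Python example, not OTL's or oldman's code, that decodes the hex(2) (REG_EXPAND_SZ) and hex(7) (REG_MULTI_SZ) entries of the BITS fix back into readable strings, so you can confirm the service points at the stock svchost.exe -k netsvcs and qmgr.dll; the sample text is copied from the fix above.

```python
import re
# Constructed sample from the BITS fix above: hex(2) = REG_EXPAND_SZ, hex(7) = REG_MULTI_SZ (UTF-16LE).
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"Start"=dword:00000002
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,45,00,76,00,65,00,\
  6e,00,74,00,53,00,79,00,73,00,74,00,65,00,6d,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  71,00,6d,00,67,00,72,00,2e,00,64,00,6c,00,6c,00,00,00
'''

def _decode(kind, payload):
    data = bytes.fromhex(payload.replace(',', ''))
    if kind == 'hex(2)':  # REG_EXPAND_SZ: one NUL-terminated UTF-16LE string
        return data.decode('utf-16-le').rstrip('\x00')
    if kind == 'hex(7)':  # REG_MULTI_SZ: NUL-separated strings, double NUL at end
        return [s for s in data.decode('utf-16-le').split('\x00') if s]
    return data           # hex: and hex(b): are left as raw bytes

def parse_reg(text):
    # Parse the .reg-style subset OTL's :Reg section uses into {key: {name: value}}.
    keys, current = {}, None
    for line in re.sub(r'\\\r?\n\s*', '', text).splitlines():  # join "\"-continued lines
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
        elif line.startswith('"') and current is not None:
            name, _, raw = line[1:].partition('"=')
            if raw.startswith('"'):
                value = raw[1:-1].replace('\\\\', '\\')  # plain REG_SZ, unescape backslashes
            elif raw.startswith('dword:'):
                value = int(raw[6:], 16)
            else:
                kind, _, payload = raw.partition(':')
                value = _decode(kind, payload)
            keys[current][name] = value
    return keys

def bits_config(text):
    # The launch-relevant BITS settings the fix restores, decoded to readable form.
    keys = parse_reg(text)
    svc = keys[r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS']
    dll = keys[r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Parameters']['ServiceDll']
    return {'ImagePath': svc['ImagePath'], 'Start': svc['Start'], 'DependOnService': svc['DependOnService'], 'ServiceDll': dll}
```

    Run it against the full :Reg block from the post to see every value, including RequiredPrivileges, in plain text.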


    awesomemansikes

    Re: 0000008.@/ 80000032.@ etc malware problem
    « Reply #19 on: August 01, 2012, 11:17:15 PM »
    The service was already started when I looked it up.  Also, after I ran the OTL fix and restarted, there were two files on the desktop that were slightly transparent that were not there before.  Both named desktop.ini, one of which is locked.

    Offline oldman

    Re: 0000008.@/ 80000032.@ etc malware problem
    « Reply #20 on: August 02, 2012, 10:32:58 AM »
    Hi awesomemansikes,


    First we'll rehide those 2 files then a couple of more scans to see if we missed anything.

    Open Windows Explorer
    • click Organize
    • click Folders and Search options
    • Click the View tab
    • Make sure Don't show hidden files, folders or drives and Hide protected system files (recommended) are checked
    • Click apply, click ok
    Next

    You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

    Open MBAM

    • Click the Update tab
    • Click Check for Updates
    • If an update is found, it will download and install the latest version.
    • The program will close to update and reopen.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the entire report in your next reply.
    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



    One more scan to check our handiwork.

    As a Vista/Win7 user you will need to right click your browser icon and select "Run as Administrator" in order to run this scan.
    • Do not use this instance of your browser for anything besides doing this scan
    • When the scan is complete and the results saved, close that instance of your browser
    • Open a new one the usual way and post the results in this topic.
    *Note
    It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
    Please don't go surfing while your resident protection is disabled!
    Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.



    Go here to run an online scanner from ESET

    (Note: You can use Internet Explorer or FireFox for this scan. If you use FireFox you will be asked to install an additional component. Please allow this.)

    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the activex control to install
    • Disable your Antivirus software. You can usually do this with its Notification Tray icon near the clock
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is Checked.
    • Click Scan.
    • Wait for the scan to finish.
    • When the scan completes, click List of found threats
    • click Export to Text file and save the file to your desktop using a unique name, such as ESETScan.
    • Include the contents of this report in your next reply
    Note - when ESET doesn't find any threats, no report will be created.

    • Push the back button.
    • Push Finish
    • Re-enable your Antivirus software.
    Please post back with
    • MBAM log
    • ESET log if there was one.
    Any problems?

    awesomemansikes

    Re: 0000008.@/ 80000032.@ etc malware problem
    « Reply #21 on: August 02, 2012, 04:48:11 PM »
    I have the MBAM log.

    I got ahead of myself and didn't make sure the remove threats box was unchecked.  ESET did in fact find 6 threats.  One of which was named Siref or something like that.  The others were labeled as malgen.  I redid the scan the way I was supposed to and this time it found no threats, which I guess isn't a bad thing.

    Offline oldman

    Re: 0000008.@/ 80000032.@ etc malware problem
    « Reply #22 on: August 02, 2012, 05:36:10 PM »
    Hi awesomemansikes,

    Do you recall the location of the detections?

    Everything else looks good so we'll clean up the tools now.

    From your desktop, please delete, if present
    • any notepads/logs that we created
    • aswMBR.exe
    • mbr.zip
    • Farbar Recovery Scan Tool 64-Bit
    • Farbar Service Scanner

    Next

    Click the Start button. Copy and paste the following line into the search box and click OK


    Combofix /uninstall


    Next

    Open OTL then click the Clean Up button. You may get prompted by your firewall that OTL wants to contact the internet - allow this.  A cleanup.txt will be downloaded, and a message dialog will ask you if you want to proceed with the cleanup process; click Yes. This will do some clean up tasks and delete some of the tools you have downloaded plus itself.

    I suggest you keep MBAM. Keep it updated and use it regularly.

    Updates or upgrades

    You have an older version of Adobe Reader.  You can download the current version HERE

    You may want to consider Foxit Reader instead. It may be a bit lighter on resources. If you choose to install Foxit Reader, decline the Foxit toolbar offered during the install.

    Visit their support forum
    Foxit Forum

    In either case you should uninstall Adobe Reader 9.5.1 first. Be sure to move any PDF documents to another folder first though.

    Some Recommendations and prevention tips

    Basic security consists of 1 antivirus program, 1 resident antispyware program, 1 on demand antispyware program and a firewall. Those you have now, provided you are using a firewall. Windows 7 has a built in firewall which is pretty good when set up. You can find some very good information HERE.

    You should also use Spyware Blaster to help immunize your computer.

    - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    OR

    A guide to understanding and using the hosts file.

    Learn how your Hosts file can protect you and how you can protect it.
    Besides the Hosts file information, there are links to a very good updated hosts file, a hosts file manager, and some programs that can protect your hosts file.
    HOSTS

    Please read the info on disabling the DNS Client before installing a custom hosts file.

    - Secure your Internet Explorer

    From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialize and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    Next press the Apply button and then the OK to exit the Internet Properties page.

    - Make sure you have reset Windows Updates to your chosen option. Click your start button > Control Panel > System > Windows updates (lower left) > change settings

    - Keep your antivirus program updated, as well as any other security programs you have.

    - More tips and programs can be found HERE

    Please post back if you have any problems.

    Take care

    awesomemansikes

    Re: 0000008.@/ 80000032.@ etc malware problem
    « Reply #23 on: August 02, 2012, 07:45:21 PM »
    Alright everything installed has been removed now and I ran an Avast scan and everything seems to be in order.  Thank you so much for the help.  This has been a long three or so days.

    Offline oldman

    Re: 0000008.@/ 80000032.@ etc malware problem
    « Reply #24 on: August 02, 2012, 11:35:55 PM »
    Hi awesomemansikes,

    You're welcome. Take care.