Author Topic: Malware infection if anyone can help  (Read 8687 times)


Dodgy

  • Guest
Malware infection if anyone can help
« on: August 14, 2012, 01:48:39 AM »
Avast keeps popping up every 5 minutes with random virus info: TROJAN HORSE BLOCKED Win32:Malware-gen.
Ran Malwarebytes; it says it deleted the files, but it keeps coming back upon restart. Also am getting a "Host Process For Windows Services has stopped working" pop-up as well. This all started about the same time this afternoon. If anyone can help, it would be much appreciated. MWB and OTL files attached.

00000004.@
000000cb.@
80000032.@
80000000.@

Offline mchain

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 5719
  • Spartan Warrior
Re: Malware infection if anyone can help
« Reply #1 on: August 14, 2012, 02:32:25 AM »
Hi Dodgy,

Thank you for attaching the three logs.  One more is needed:  aswMBR.exe.  Look here:  http://forum.avast.com/index.php?topic=53253.0

Do not attempt to run ComboFix without expert guidance. This would be a bad move, as it could remove legitimate (non-infected) system files.

There will not be a problem if an expert is on hand helping you through this.  You will be in good hands.

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Malware infection if anyone can help
« Reply #2 on: August 14, 2012, 02:57:04 AM »
Hi, ;)
I will be working on your malware issues.



Step1
Re-run OTL.exe.

  • Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.

Code:
:files
C:\Windows\Installer\{9404964a-bb87-1b2b-177e-0d8c1dda8d21}
C:\Users\Dena Walker\AppData\Local\{9404964a-bb87-1b2b-177e-0d8c1dda8d21}
ipconfig /flushdns /c

:commands
[CREATERESTOREPOINT]
[emptytemp]

  • Then click the Run Fix button at the top.
  • Let the program run unhindered; it will reboot the system when it is done and open Notepad with a log report. Attach that log report here.
****************************

Step2


> Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
Note: ComboFix must be downloaded to your Desktop.

> Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this Instruction.

> Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.

ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.

If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note: Do not mouse-click ComboFix's window while it is running.


> When the tool is finished, it will produce a log report for you (typical location: C:\ComboFix.txt).
  Attach the log report (ComboFix.txt) back to this topic.

Dodgy

  • Guest
Re: Malware infection if anyone can help
« Reply #3 on: August 14, 2012, 04:25:14 AM »
Am so grateful for your help!  Thank you so much! 

The popups are gone.  So happy!

Here are the logs you requested:

I ran the aswMBR that mchain requested "before" I ran OTL and ComboFix.

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Malware infection if anyone can help
« Reply #4 on: August 14, 2012, 03:02:03 PM »
Hi, :)




Multiple Antivirus Programs

You are running more than 1 Antivirus program!


AV: avast! Antivirus *Enabled/Updated
AV: Microsoft Security Essentials *Disabled/Updated



Running more than one antivirus program is not recommended because:
  1. They can conflict with each other.
  2. They can report the other antivirus software as malicious.
  3. Antivirus programs use an enormous amount of the computer's resources while actively scanning your computer.
  4. They can cause your computer to become unstable, run slowly and even, in rare cases, BSOD crash, etc.
I strongly suggest you uninstall one of them.
Which one is your decision.


Step1


  • Download AdwCleaner (by Xplode) on your desktop.
  • Launch it, click on [Search] and wait for the scan.
  • When the scan ends, a Notepad window with the report will appear.
  • Click on [Delete] and wait for the program to complete its work.
    The program will close all active programs. Click OK to confirm that.
    On the next two windows that open (Information and Restart required) click OK.

  • The computer will restart and open a Notepad window (C:\AdwCleaner[S1].txt) with the report.
  • Save the Notepad report on the Desktop.
  • Please attach C:\AdwCleaner[S1].txt here.
Note: The report will also be stored at C:\AdwCleaner[S1].txt

****************************

Step2

- Temporarily disable your antivirus!
- Open Notepad and copy/paste the text present inside the code box below:


Code:
KillAll::

ClearJavaCache::

FCopy::
c:\windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe|c:\windows\system32\services.exe

RegLock::
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_270_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_270_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"


Save this as CFScript.txt



Close all browser windows.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply (typical location: C:\ComboFix.txt).

*******************************

Last step


> Check USB storage devices / removable drives


Download MCShield from one of the following links:

MyCity -  Official download link
Softpedija - Mirror download link

  • Double click MCShield-Setup to install the application.
  • Wait a few seconds for MCShield to finish its initial scan.
Recommendation: under the General and Scanner tabs, click the Defaults button to choose the recommended options.
  • Connect your USB storage devices to the computer one at a time. Scanning will be done automatically.
When all scanning is done, you need to attach the log report that MCShield has made.

Start -> All Programs -> MCShield -> Logs

Attach here -> AllScans.txt

Explanation: USB storage devices are all the USB devices that get their own partition letter at connecting to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.

Dodgy

  • Guest
Re: Malware infection if anyone can help
« Reply #5 on: August 14, 2012, 08:36:15 PM »
Thank you for the information - I uninstalled micro essentials.

This morning I was also getting a pop-up from Malwarebytes: qoobox - Trojan oaccess - blocked.
I don't think I have received this pop-up since doing the latest scans today.

Thank you for the time you have spent helping me work this issue out! 

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Malware infection if anyone can help
« Reply #6 on: August 15, 2012, 01:14:28 AM »
Quote from: Dodgy
This morning I was also getting a pop-up from Malwarebytes: qoobox - Trojan oaccess - blocked.

This is just the Qoobox quarantine folder from ComboFix. We will remove that at the end, in post-cleaning.



Open notepad and copy/paste the text present inside the code box below:


Code:

Firefox::
FF - ProfilePath - c:\users\Dena Walker\AppData\Roaming\Mozilla\Firefox\Profiles\70e6gsbj.default\
FF - prefs.js: browser.search.selectedEngine - Search the web (Babylon)
FF - prefs.js: browser.startup.homepage - hxxp://search.babylon.com/?affID=112060&tt=120812_bandext_3312_2&babsrc=HP_ss&mntrId=524372ec00000000000000225f69eb7b

ClearJavaCache::

File::
c:\users\Dena Walker\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tcbhn.lnk
c:\users\Dena Walker\AppData\Roaming\BrowserCompanion\tcbhn.exe




Save this as CFScript.txt



Close all browser windows.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply (typical location: C:\ComboFix.txt).

Dodgy

  • Guest
Re: Malware infection if anyone can help
« Reply #7 on: August 15, 2012, 01:55:45 AM »
No popups all afternoon!  Thank God for nice people like you! 

here is the log...

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Malware infection if anyone can help
« Reply #8 on: August 16, 2012, 02:09:24 PM »
Logs look good.

- Re-run AdwCleaner and click on Uninstall.

It is necessary to uninstall ComboFix:
  • Click Start, then Run.
    On Windows 7 or Vista you may use the Start Search field if Run is not available.

  • In the line of text, type in (or copy) the following:
Code:
ComboFix /Uninstall
    Note that there is a space between "ComboFix" and "/Uninstall".

  • Then click OK (or press Enter).
    Wait for the uninstall process to complete.

>> Re-run OTL and click on the CleanUp! button

That's it... be safe ;)

Dodgy

  • Guest
Re: Malware infection if anyone can help
« Reply #9 on: August 19, 2012, 03:56:31 AM »
Hi Magna86,

Thank you so much for all of your help.

I was wondering if you can help me with one more thing? Somehow I got Babylon on my computer. And it keeps changing my search engine from Google to Babylon (in Firefox). I have tried various fixes from the internet with no luck. Every time I restart Firefox, it's back again. Thank you for any help you can provide.

This is what I tried already:

1. Click into the address bar in Firefox... type "about:config".

2. You will get a warning about your warranty... bypass this.

3. In the next screen... type "Babylon" in the Filter window (a search in the config).

4. You are now in the guts of Firefox... and where Babylon did its dirty work. You will find about 5 or six places where Babylon shows up.

5. Highlight each of these entries one at a time, right click and pick "reset".

6. When all have been reset... close the file.

Now test:

Open Firefox

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Malware infection if anyone can help
« Reply #10 on: August 19, 2012, 08:09:30 AM »
@Dodgy
This one will remove the Babylon settings.

  • Download AdwCleaner (by Xplode) on your desktop.
  • Launch it, click on [Search] and wait for the scan.
  • When the scan ends, a Notepad window with the report will appear.
  • Click on [Delete] and wait for the program to complete its work.
    The program will close all active programs. Click OK to confirm that.
    On the next two windows that open (Information and Restart required) click OK.

  • The computer will restart and open a Notepad window (C:\AdwCleaner[S1].txt) with the report.
  • Save the Notepad report on the Desktop.
  • Please attach C:\AdwCleaner[S1].txt here.
Note: The report will also be stored at C:\AdwCleaner[S1].txt



Dodgy

  • Guest
Re: Malware infection if anyone can help
« Reply #11 on: August 19, 2012, 02:28:09 PM »
I ran AdwCleaner and deleted everything, then restarted. But when I reopened the Firefox browser, Babylon was still there in the search bar.

However, there is something called "babylonobjectinstaller" in the Control Panel in the list of installed programs. But it won't let me uninstall it. When I click it, or right click, it does nothing. I have even started in Safe Mode and tried to uninstall it, but no luck. I have uploaded the AdwCleaner text file. Thank you so much for your time in assisting me.

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Malware infection if anyone can help
« Reply #12 on: August 19, 2012, 03:28:22 PM »
OK, let's check and remove it.

Download OTL from one of the following links. Remember to save it on your Desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Click on Scan All Users.
  • Click the QuickScan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please attach OTL.txt in this thread.

Dodgy

  • Guest
Re: Malware infection if anyone can help
« Reply #13 on: August 19, 2012, 04:26:23 PM »
I didn't see an Extras.Txt file. I will run the scan again. But in the meantime, here is the OTL txt file.

Edit: ran a second scan and no Extras file.
« Last Edit: August 19, 2012, 04:48:55 PM by Dodgy »

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Malware infection if anyone can help
« Reply #14 on: August 19, 2012, 05:11:41 PM »
Quote from: Dodgy
I didn't see an Extras.Txt file. I will run the scan again. But in the meantime, here is the OTL txt file.

You didn't get Extras.txt because you didn't follow the last instructions that I gave you for uninstalling the tools.
And I really recommend that you uninstall all these toolbars; I really don't see the reason for their existence on your system.

Anyway...
>> Follow the instructions above for "ComboFix /Uninstall"

>> Re-run OTL.exe.

  • Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.

Code:
:OTL
IE:64bit: - HKLM\..\SearchScopes\{4360D7E3-2BAF-4B5B-B398-6CF4B52B266F}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
IE - HKLM\..\SearchScopes\{4360D7E3-2BAF-4B5B-B398-6CF4B52B266F}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
IE - HKU\S-1-5-21-2198144862-943221988-1318540489-1000\..\URLSearchHook:  - No CLSID value found
IE - HKU\S-1-5-21-2198144862-943221988-1318540489-1000\..\SearchScopes\{4360D7E3-2BAF-4B5B-B398-6CF4B52B266F}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
FF - prefs.js..browser.search.defaultenginename: "Search the web (Babylon)"
FF - prefs.js..browser.search.order.1: "Search the web (Babylon)"
FF - prefs.js..browser.search.selectedEngine: "Search the web (Babylon)"
FF - prefs.js..browser.startup.homepage: "http://search.babylon.com/?affID=112060&tt=120812_bandext_3312_2&babsrc=HP_ss&mntrId=524372ec00000000000000225f69eb7b"
FF - user.js - File not found
O2 - BHO: (no name) - {2EECD738-5844-4a99-B4B6-146BF802613B} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {D0F4A166-B8D4-48b8-9D63-80849FE137CB} - No CLSID value found.

:files
C:\Users\Dena Walker\AppData\Roaming\Mozilla\Firefox\Profiles\70e6gsbj.default\searchplugins\search-the-web.xml

:commands
[Reboot]

  • Then click the Run Fix button at the top.
  • Let the program run unhindered; it will reboot the system when it is done and open Notepad with a log report. Attach that log report here.
>> Re-run OTL, click on QuickScan and attach a fresh OTL.txt here.
>> Is Babylon gone?
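As an added illustration of what the OTL fix above undoes in the Firefox profile (example code written for this edit, not from the thread, OTL or ComboFix): a small Python checker that parses a constructed prefs.js, flags the search-engine and homepage preferences a hijacker such as Babylon rewrites, and strips them so the profile is left clean. The preference names and the Babylon values are the ones in the OTL lines above; the other entries in the sample are constructed filler, and the "babylon" marker list is an assumption you would extend with other hijackers you care about.

```python
import re
from urllib.parse import urlparse

# Firefox stores user preferences as lines of the form: user_pref("name", value);
PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.+)\);\s*$')

# Preferences that search/homepage hijackers rewrite (names taken from the OTL fix in the thread)
WATCHED_PREFS = {
    "browser.search.defaultenginename",
    "browser.search.selectedEngine",
    "browser.search.order.1",
    "browser.startup.homepage",
}

# Fingerprint of the hijacker seen in this thread (assumed marker list; extend as needed)
SUSPICIOUS_MARKERS = ("babylon",)

# Constructed sample profile: the search prefs and homepage mirror the thread's OTL log,
# the remaining entries are harmless filler.
SAMPLE_PREFS_JS = """// Mozilla User Preferences
user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1344900000);
user_pref("browser.search.defaultenginename", "Search the web (Babylon)");
user_pref("browser.search.order.1", "Search the web (Babylon)");
user_pref("browser.search.selectedEngine", "Search the web (Babylon)");
user_pref("browser.startup.homepage", "http://search.babylon.com/?affID=112060&tt=120812_bandext_3312_2&babsrc=HP_ss&mntrId=524372ec00000000000000225f69eb7b");
user_pref("browser.startup.homepage_override.mstone", "ignore");
"""

def parse_prefs(text):
    """Return {pref_name: value} for every user_pref line; string values are unquoted."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if not m:
            continue  # comments, blank lines and anything that is not a user_pref call
        name, raw = m.group(1), m.group(2).strip()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            raw = raw[1:-1]
        prefs[name] = raw
    return prefs

def find_hijacked_prefs(prefs):
    """Return sorted (name, value) pairs for watched prefs that point at a known hijacker."""
    findings = []
    for name, value in prefs.items():
        if name not in WATCHED_PREFS:
            continue
        low = value.lower()
        # For URLs judge the host only, so a marker inside a query string does not cause noise
        target = low
        if low.startswith(("http://", "https://")):
            target = urlparse(low).hostname or ""
        if any(marker in target for marker in SUSPICIOUS_MARKERS):
            findings.append((name, value))
    return sorted(findings)

def strip_hijacked(text):
    """Return the prefs.js text with every hijacked preference line removed."""
    bad = {name for name, _ in find_hijacked_prefs(parse_prefs(text))}
    kept = []
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if m and m.group(1) in bad:
            continue  # drop the hijacked pref; Firefox falls back to its default on next start
        kept.append(line)
    return "\n".join(kept) + "\n"
```

Run it against a real profile only with Firefox closed, since Firefox rewrites prefs.js on exit and would otherwise restore the removed lines.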