Author Topic: Virus Problem  (Read 12625 times)


Jtaylor83

  • Guest
Re: Virus Problem
« Reply #15 on: June 18, 2010, 05:38:23 AM »
At User Access Control (UAC), click Allow.

Chris Weimer

  • Guest
Re: Virus Problem
« Reply #16 on: June 18, 2010, 06:54:21 AM »
OK, done. What should I do now? Is the threat entirely removed?

By the way, thank you very much for this help. Hadn't had a virus in years, not sure what caused it this time. I appreciate you walking me through this.
« Last Edit: June 18, 2010, 06:56:17 AM by Chris Weimer »

Jtaylor83

  • Guest
Re: Virus Problem
« Reply #17 on: June 18, 2010, 09:14:54 PM »
There's a hidden file that needs to be removed, and it appears that there are MBR rootkit hooks in the drivers; they may be modified by a possible TDSS/TDL3/Alureon infection.

Download TDSS Killer by Kaspersky and extract the file onto the desktop.

* Run TDSSKiller.exe

Wait for the scanning and disinfection process to be over. You do not have to reboot the PC.

Type this command while using TDSS Killer to create the log (excluding the word code).

Code:
TDSSKiller.exe -l report.txt

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Virus Problem
« Reply #18 on: June 18, 2010, 09:45:10 PM »
There is no MBR and TDSSKiller should not be required - you have two jobs running which are spawning the infections - plus there is one suspect file

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

Code:
:Files
C:\Windows\tasks\At*.job
:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN

  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:

    • C:\Windows\System32\saferun.exe
  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
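
Before a fix like the one above deletes the `At*.job` files, it helps to record what each job was set to launch. The following is an added example, not code from this thread or from OTL: a minimal reader for the legacy Task Scheduler `.job` layout, assuming the format documented in Microsoft's MS-TSCH specification (68-byte fixed header, then length-prefixed UTF-16 strings). The helper names, sample bytes and the placeholder path in the test input are constructed.

```python
import glob
import struct

FIXED_HEADER_LEN = 68    # fixed-length section of a Task Scheduler 1.0 .job file
APP_NAME_OFFSET_AT = 20  # 2-byte field: file offset of the application-name length

def _read_string(data, pos):
    """Length-prefixed UTF-16LE string; the length counts characters incl. the NUL."""
    if pos + 2 > len(data):
        raise ValueError("truncated .job data")
    (nchars,) = struct.unpack_from("<H", data, pos)
    start, end = pos + 2, pos + 2 + nchars * 2
    if end > len(data):
        raise ValueError("string runs past end of data")
    return data[start:end].decode("utf-16-le", "replace").rstrip("\x00"), end

def parse_job(data):
    """Return the program and arguments a .job file is set to launch."""
    if len(data) < FIXED_HEADER_LEN:
        raise ValueError("too short for a .job header")
    (offset,) = struct.unpack_from("<H", data, APP_NAME_OFFSET_AT)
    if offset < FIXED_HEADER_LEN:
        raise ValueError("application-name offset points into the header")
    application, pos = _read_string(data, offset)
    parameters, _ = _read_string(data, pos)
    return {"application": application, "parameters": parameters}

def build_sample_job(application, parameters):
    """Constructed test input: zeroed header plus the two strings parse_job reads."""
    def enc(s):
        if not s:
            return struct.pack("<H", 0)          # empty string: length 0, no data
        return struct.pack("<H", len(s) + 1) + (s + "\x00").encode("utf-16-le")
    header = bytearray(FIXED_HEADER_LEN)
    struct.pack_into("<H", header, APP_NAME_OFFSET_AT, FIXED_HEADER_LEN + 2)
    running_instances = struct.pack("<H", 0)     # 2 bytes precede the app name
    return bytes(header) + running_instances + enc(application) + enc(parameters)

if __name__ == "__main__":
    # On the affected machine: list what each At*.job would start before removal.
    for path in glob.glob(r"C:\Windows\Tasks\At*.job"):
        with open(path, "rb") as fh:
            try:
                print(path, parse_job(fh.read()))
            except ValueError as err:
                print(path, "unreadable:", err)
```

Run from an elevated prompt so the Tasks folder is readable; the output gives the file paths worth hashing or submitting to a scanner before the jobs are removed.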

Chris Weimer

  • Guest
Re: Virus Problem
« Reply #19 on: June 22, 2010, 05:31:55 AM »
OK, here are the logs. The file was detected as a trojan - does that mean I can just delete it and all is well?

Offline essexboy

Re: Virus Problem
« Reply #20 on: June 22, 2010, 09:22:28 PM »
Yes, then run MBAM and let me know what problems remain.

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Chris Weimer

  • Guest
Re: Virus Problem
« Reply #21 on: June 23, 2010, 01:39:33 AM »
After I posted last, I lost internet connection. So here's what transpired until I regained it.

I did a full Malwarebytes scan with runsafe.exe in Recycling Bin. It found something: "C:\Windows\Fonts\60EM0.com (Malware.Generic) -> Quarantined and deleted successfully." After this, I took the runsafe.exe out of recycling bin to check it with Malwarebytes. It didn't find anything, but I put it back in the bin. I never ran it.

I then noticed I was able to get back on the internet, where I promptly checked this. I emptied out recycling. I tried first to do a Win. update or even check its website - still a no go (in fact, I can't even spell out the website on here, or search for it in Google). I'm also getting the symptom I had before, i.e. I'm getting a bunch of svchost.exes pop up and get caught by Avast as viruses and are promptly quarantined. I did a quick scan this time with Malwarebytes and found nothing. But the problem must exist. Did I reinfect myself by checking the runsafe trojan even though I didn't run it? Here are the Malwarebytes logs.

Offline essexboy

Re: Virus Problem
« Reply #22 on: June 23, 2010, 09:15:19 PM »
Hmm, let's look at the drivers and services

Download ComboFix from one of these locations:


Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Lonerx

  • Guest
Re: Virus Problem
« Reply #23 on: June 25, 2010, 05:51:11 PM »
Hello, I got this Win32:Malob-bk. I downloaded Avira and ran it. It did catch the malware and I deleted it. I have had no further issues thus far and did not see any final solutions on this topic. So I thought I'd post what I did and tell you all about the fact that the malware found was not Win32:malob-bk.

I assume this temp file hid the real malware or the definition might have been bad information. I hope this works for you if you are still having problems. The file that was deleted, I lost the name of it and uninstalled Avira before I could go back and locate the file. I do know it was not the file above. Sorry. I'm sure if someone repeats these steps they can report their findings.