Author Topic: Another victim of the Network Shield/Malicious Malware warning  (Read 11143 times)


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Another victim of the Network Shield/Malicious Malware warning
« Reply #15 on: August 18, 2011, 09:59:07 PM »
Download  bitsadmin.exe to your desktop
Run the programme and reboot on completion

Then download the dial-a-fix zip file, extract it, then run the programme

Select WU/WUAU fix windows update
 

bigp76460

  • Guest
Re: Another victim of the Network Shield/Malicious Malware warning
« Reply #16 on: August 18, 2011, 10:40:33 PM »
Downloaded bitsadmin and got an error message when I went to run it (bitsadmin.exe is not a valid Win32 application).

Offline essexboy

Re: Another victim of the Network Shield/Malicious Malware warning
« Reply #17 on: August 18, 2011, 10:45:33 PM »
OK, mayhap I missed something - let's check

Download and Install Combofix

Download ComboFix from one of the following locations:

Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop *

 IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please make sure you include the combo fix log in your next reply, as well as describe how your computer is running now.

bigp76460

Re: Another victim of the Network Shield/Malicious Malware warning
« Reply #18 on: August 19, 2011, 05:14:05 AM »
As far as I can tell, everything seems to be running okay. Combofix addressed the issue with automatic updates; after a reboot following the Combofix scan, the updates are now on and running. Here is a log of what Combofix did.

Offline essexboy

Re: Another victim of the Network Shield/Malicious Malware warning
« Reply #19 on: August 19, 2011, 09:10:40 PM »
Let it run for a day and if there are still no problems I will remove my tools and tidy you up

bigp76460

Re: Another victim of the Network Shield/Malicious Malware warning
« Reply #20 on: August 19, 2011, 11:03:31 PM »
Great, thanks for all of your help. You are a lifesaver, or at least a laptop saver.

Offline essexboy

Re: Another victim of the Network Shield/Malicious Malware warning
« Reply #21 on: August 19, 2011, 11:09:27 PM »
 ;D

bigp76460

Re: Another victim of the Network Shield/Malicious Malware warning
« Reply #22 on: August 20, 2011, 02:57:18 AM »
Potentially some bad news here: I was just reading some reviews on Comicbook Resources and the Malicious URL warning started back up again.
The listing on the warning reads like this

Object:  91.217.153.48/.../mJKV_1aeRPYfQdcaaTEWYObOURQTddObRlblQE-6XE
Infection: URL:Mal
Process: C:\WINDOWS\system32\gimf3232.exe

Given my problems originally started with these types of warnings the first time around (before getting worse), this is probably something I should mention here.

Offline essexboy

Re: Another victim of the Network Shield/Malicious Malware warning
« Reply #23 on: August 20, 2011, 01:15:39 PM »
I think that site is badly infected

Run a fresh OTL scan and I will see what it has dropped, and we will want a copy of that file 

Download OTL  to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
CREATERESTOREPOINT

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Attach both logs

bigp76460

Re: Another victim of the Network Shield/Malicious Malware warning
« Reply #24 on: August 20, 2011, 06:43:20 PM »
Maybe it was something I did, though I wasn't on the computer when the scan was running, but the only notepad that popped up was the OTL report, which I have attached. I did not get an Extras.txt file. I checked in case it had saved without me knowing it, but the only Extras.txt I have is the one from the original scan on 8/16. Here is the OTL report, however.


Offline essexboy

Re: Another victim of the Network Shield/Malicious Malware warning
« Reply #25 on: August 20, 2011, 07:59:20 PM »
I would recommend that you stay away from that site for a while

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :OTL
    PRC - [2011/08/19 19:18:46 | 000,705,024 | ---- | M] (People Can Fly) -- C:\WINDOWS\system32\glmf3232.exe
    PRC - [2011/08/19 19:18:46 | 000,705,024 | ---- | M] (People Can Fly) -- C:\WINDOWS\system32\avicap3232.exe
    SRV - [2011/08/19 19:18:46 | 000,705,024 | ---- | M] (People Can Fly) [Auto | Running] -- C:\WINDOWS\system32\glmf3232.exe -- (upnphost32)
    IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 7E 78 FA 01 60 49 AE 43 8B 42 93 FD CA 88 DE A3 [binary data]
    IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 7E 78 FA 01 60 49 AE 43 8B 42 93 FD CA 88 DE A3 [binary data]
    IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 7E 78 FA 01 60 49 AE 43 8B 42 93 FD CA 88 DE A3 [binary data]
    IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 7E 78 FA 01 60 49 AE 43 8B 42 93 FD CA 88 DE A3 [binary data]
    IE - HKU\S-1-5-21-1693297055-2874526332-239285772-1005\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 7E 78 FA 01 60 49 AE 43 8B 42 93 FD CA 88 DE A3 [binary data]
    O20 - AppInit_DLLs: (C:\WINDOWS\system32\odbccu3232.dll) - C:\WINDOWS\system32\odbccu3232.dll (People Can Fly)
    O37 - HKU\.DEFAULT\...exe [@ = exefile] -- "C:\Documents and Settings\LocalService\Local Settings\Application Data\quu.exe" -a "%1" %*
    O37 - HKU\S-1-5-18\...exe [@ = exefile] -- "C:\Documents and Settings\LocalService\Local Settings\Application Data\quu.exe" -a "%1" %*
    [2011/08/19 19:19:03 | 000,705,024 | ---- | C] (People Can Fly) -- C:\WINDOWS\System32\avicap3232.exe
    [2011/08/19 19:18:59 | 000,155,648 | ---- | C] (People Can Fly) -- C:\WINDOWS\System32\odbccu3232.dll
    [2011/08/19 19:18:58 | 000,705,024 | ---- | C] (People Can Fly) -- C:\WINDOWS\System32\glmf3232.exe
    [2011/08/19 19:19:03 | 000,000,102 | ---- | M] () -- C:\WINDOWS\System32\1712679816
    [2011/08/19 19:18:59 | 000,155,648 | ---- | M] (People Can Fly) -- C:\WINDOWS\System32\odbccu3232.dll
    [2011/08/19 19:18:46 | 000,705,024 | ---- | M] (People Can Fly) -- C:\WINDOWS\System32\glmf3232.exe
    [2011/08/19 19:18:46 | 000,705,024 | ---- | M] (People Can Fly) -- C:\WINDOWS\System32\avicap3232.exe

    :Reg
    [HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]
    XMLHTTP_UUID_Default=-
    [HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main]
    XMLHTTP_UUID_Default=-
    [HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]
    XMLHTTP_UUID_Default=-
    [HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]
    XMLHTTP_UUID_Default=-
    [HKU\S-1-5-21-1693297055-2874526332-239285772-1005\SOFTWARE\Microsoft\Internet Explorer\Main]
    XMLHTTP_UUID_Default=-

    :Files
    ipconfig /flushdns /c
    C:\Documents and Settings\LocalService\Local Settings\Application Data\quu.exe

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
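An added triage helper, written for this thread and not part of OTL or of essexboy's fix, that reads OTL entries like the ones in the script above and flags the persistence points a defender should recognise: the exefile handler hijack (the clean value is `"%1" %*`, anything else wraps every .exe launch), the AppInit_DLLs injection, a service whose system32 binary carries non-Microsoft version info, and several file names sharing one size and timestamp (copies of one dropper). The regexes are mine, built from the line shapes shown in the fix; the sample lines are taken from the fix script above.

```python
import re
from collections import defaultdict

# Line shapes copied from the OTL fix above (regexes are mine, not OTL's):
#   PRC/SRV - [date | size | flags | M] (Company) [Auto | Running] -- C:\path -- (svcname)
#   O20 - AppInit_DLLs: (dll) - dll (Company)      O37 - HKU\...\...exe [@ = exefile] -- "x.exe" -a "%1" %*
ENTRY = re.compile(r"^(PRC|SRV|O20|O37) - (.*)$")
META = re.compile(r"^\[([^|]+)\|\s*([\d,]+)\s*\|[^\]]*\]\s*\(([^)]*)\)\s*"
                  r"(?:\[[^\]]*\]\s*)?--\s*(.+?)(?:\s*--\s*\(([^)]+)\))?$")
EXE_DEFAULT = '"%1" %*'  # clean exefile\shell\open\command value

def triage_otl(lines):
    """Return (severity, message) findings for the persistence points in an OTL log."""
    findings, by_stamp = [], defaultdict(set)
    for line in lines:
        m = ENTRY.match(line.strip())
        if not m:
            continue
        kind, body = m.groups()
        if kind == "O37":  # every .exe launch is wrapped by the hijacker
            parts = body.split(" -- ", 1)
            if len(parts) == 2 and parts[1].strip() != EXE_DEFAULT:
                findings.append(("high", "exefile handler hijacked: .exe launches routed through " + parts[1].split(" -a ")[0]))
        elif kind == "O20":  # DLL loaded into every user-mode process
            dll = re.search(r"AppInit_DLLs:\s*\(([^)]*)\)", body)
            if dll and dll.group(1).strip():
                findings.append(("high", "AppInit_DLLs injects " + dll.group(1)))
        else:  # PRC / SRV: running process or service
            mm = META.match(body)
            if not mm:
                continue
            date, size, company, path, svc = mm.groups()
            by_stamp[(date.strip(), size)].add(path.lower())
            if "\\system32\\" in path.lower() and "microsoft" not in company.lower():
                what = f"service '{svc}'" if svc else "process"
                findings.append(("medium", f"{what} in system32 with version info '{company}': {path}"))
    for (date, size), paths in by_stamp.items():
        if len(paths) > 1:  # identical size and timestamp under different names
            findings.append(("medium", f"{len(paths)} files share stamp {date} / size {size}: likely copies of one dropper"))
    return findings

# Constructed sample: lines taken from the fix script in this thread.
SAMPLE = [
    r"PRC - [2011/08/19 19:18:46 | 000,705,024 | ---- | M] (People Can Fly) -- C:\WINDOWS\system32\glmf3232.exe",
    r"PRC - [2011/08/19 19:18:46 | 000,705,024 | ---- | M] (People Can Fly) -- C:\WINDOWS\system32\avicap3232.exe",
    r"SRV - [2011/08/19 19:18:46 | 000,705,024 | ---- | M] (People Can Fly) [Auto | Running] -- C:\WINDOWS\system32\glmf3232.exe -- (upnphost32)",
    r"O20 - AppInit_DLLs: (C:\WINDOWS\system32\odbccu3232.dll) - C:\WINDOWS\system32\odbccu3232.dll (People Can Fly)",
    r'O37 - HKU\.DEFAULT\...exe [@ = exefile] -- "C:\Documents and Settings\LocalService\Local Settings\Application Data\quu.exe" -a "%1" %*',
]
FINDINGS = triage_otl(SAMPLE)  # two "high" and four "medium" findings for the sample above
```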

bigp76460

Re: Another victim of the Network Shield/Malicious Malware warning
« Reply #26 on: August 20, 2011, 08:16:35 PM »
Here is the next log after running both the fix and the quick scan after reboot.

Offline essexboy

Re: Another victim of the Network Shield/Malicious Malware warning
« Reply #27 on: August 20, 2011, 08:28:50 PM »
OK, let's now sweep for any orphans

Could you zip the following folder please, upload it to mediafire and post the sharing link?
C:\_OTL

Please download Malwarebytes' Anti-Malware

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

bigp76460

Re: Another victim of the Network Shield/Malicious Malware warning
« Reply #28 on: August 20, 2011, 09:37:08 PM »
Hopefully I did this correctly in uploading, but here is the link to the upload on mediafire

http://www.mediafire.com/?nu229shmbyddz47

Going to run Malware now.

bigp76460

Re: Another victim of the Network Shield/Malicious Malware warning
« Reply #29 on: August 20, 2011, 09:47:59 PM »
And here is the MBAM log

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7520

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/20/2011 3:41:34 PM
mbam-log-2011-08-20 (15-41-34).txt

Scan type: Quick scan
Objects scanned: 153498
Time elapsed: 2 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\localservice\application data\020000005685e7cb1406c.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\documents and settings\localservice\application data\020000005685e7cb1406o.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\documents and settings\localservice\application data\020000005685e7cb1406p.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\documents and settings\localservice\application data\020000005685e7cb1406s.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\020000005685e7cb1406c.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\020000005685e7cb1406o.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\020000005685e7cb1406p.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\020000005685e7cb1406s.manifest (Malware.Trace) -> Quarantined and deleted successfully.