Topic: Enhanced Protection virus


Danbar

  • Guest
Enhanced Protection virus
« on: August 23, 2011, 09:51:57 PM »
I was hit a few nights ago with the Koobface virus from facebook. I read a few threads on here and thought I'd see if Essexboy could lead me to the promised land. This site won't allow more than 10000 word post so I don't know which part of the OTS to attach. Please provide more instructions.



Code:
OTS logfile created on: 8/22/2011 4:52:37 PM - Run 1
OTS by OldTimer - Version 3.1.44.3     Folder = C:\Users\Mich\Pictures\My Pictures\Mich misc
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7601.17514)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 60.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 74.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 455.94 Gb Total Space | 395.94 Gb Free Space | 86.84% Space Free | Partition Type: NTFS
Drive D: | 9.72 Gb Total Space | 1.46 Gb Free Space | 15.05% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: MICH-PC
Current User Name: Mich
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: All users
Include 64bit Scans
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
 
[Processes - Safe List]
ots.exe -> C:\Users\Mich\Pictures\My Pictures\Mich misc\OTS.exe -> [2011/08/22 16:50:02 | 000,645,632 | ---- | M] (OldTimer Tools)
systemup.exe -> C:\Windows\systemup.exe -> [2011/08/22 06:04:40 | 000,137,728 | ---- | M] ()
svchostdriver.exe -> C:\Windows\update.7.1\svchostdriver.exe -> [2011/08/22 04:33:02 | 000,382,464 | ---- | M] ()
svchost.exe -> C:\Windows\update.2\svchost.exe -> [2011/08/22 04:31:47 | 000,634,880 | ---- | M] ()
svchost.exe -> C:\Windows\update.5.0\svchost.exe -> [2011/08/22 04:29:44 | 000,355,840 | ---- | M] ()
sysdriver32.exe -> C:\Windows\sysdriver32.exe -> [2011/08/22 04:26:41 | 000,258,048 | ---- | M] ()
svchost.exe -> C:\Windows\update.tray-8-0-lnk\svchost.exe -> [2011/08/22 04:11:52 | 001,213,440 | -H-- | M] ()
svchost.exe -> C:\Windows\update.tray-8-0\svchost.exe -> [2011/08/22 04:11:52 | 001,213,440 | -H-- | M] ()
svchost.exe -> C:\Windows\update.1\svchost.exe -> [2011/08/22 04:11:52 | 001,213,440 | -H-- | M] ()
firefox.exe -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe -> [2011/08/17 16:10:40 | 000,924,632 | ---- | M] (Mozilla Corporation)
phoenix.exe -> C:\Windows\phoenix\phoenix.exe -> [2011/06/14 15:51:54 | 006,962,815 | ---- | M] ()
armsvc.exe -> C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -> [2011/06/06 12:55:28 | 000,064,952 | ---- | M] (Adobe Systems Incorporated)
toolbarupdaterservice.exe -> C:\Program Files (x86)\StartNow Toolbar\ToolbarUpdaterService.exe -> [2011/05/20 10:03:34 | 000,210,144 | ---- | M] ()
hpdrvmntsvc.exe -> C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe -> [2010/10/14 17:27:38 | 000,092,216 | ---- | M] (Hewlett-Packard Company)
sftvsa.exe -> C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe -> [2010/04/24 01:10:34 | 000,209,768 | ---- | M] (Microsoft Corporation)
sftlist.exe -> C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe -> [2010/04/24 01:10:28 | 000,483,688 | ---- | M] (Microsoft Corporation)
qbupdate.exe -> C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe -> [2010/02/02 01:32:46 | 000,984,352 | ---- | M] (Intuit Inc.)
qbcfmonitorservice.exe -> C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -> [2010/01/31 08:01:28 | 000,045,056 | ---- | M] (Intuit)
hp_remote_solution.exe -> C:\Program Files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe -> [2009/08/24 19:11:15 | 000,656,896 | ---- | M] (Hewlett-Packard)
picturemover.exe -> C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe -> [2009/06/03 13:35:16 | 000,430,080 | ---- | M] (Hewlett-Packard Company)
hpsysdrv.exe -> C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe -> [2008/11/20 11:47:28 | 000,062,768 | ---- | M] (Hewlett-Packard)
 
[Modules - No Company Name]
systemup.exe -> C:\Windows\systemup.exe -> [2011/08/22 06:04:40 | 000,137,728 | ---- | M] ()
svchost.exe -> C:\Windows\update.tray-8-0-lnk\svchost.exe -> [2011/08/22 04:11:52 | 001,213,440 | -H-- | M] ()
svchost.exe -> C:\Windows\update.tray-8-0\svchost.exe -> [2011/08/22 04:11:52 | 001,213,440 | -H-- | M] ()
mozjs.dll -> C:\Program Files (x86)\Mozilla Firefox\mozjs.dll -> [2011/08/17 16:10:40 | 001,846,232 | ---- | M] ()
system.management.ni.dll -> C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\6e9a08576157b4aeb91a3aaa452fcb00\System.Management.ni.dll -> [2011/08/10 18:46:14 | 001,051,136 | ---- | M] ()
presentationframework.aero.ni.dll -> C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\7f94f6b13f92f1e093716d3e15bf86d1\PresentationFramework.Aero.ni.dll -> [2011/08/10 18:38:25 | 000,368,128 | ---- | M] ()
system.runtime.remoting.ni.dll -> C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\e3e3b399b69c569ab1ed3b0ace2c8c20\System.Runtime.Remoting.ni.dll -> [2011/08/10 18:38:12 | 000,771,584 | ---- | M] ()
system.data.ni.dll -> C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Data\b7d1c271ec6b4df64c95563fc81ffc2f\System.Data.ni.dll -> [2011/08/10 18:38:10 | 006,611,456 | ---- | M] ()
presentationframework.ni.dll -> C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\c60906a715473ceccf93f0559527e84d\PresentationFramework.ni.dll -> [2011/08/10 18:38:03 | 014,339,072 | ---- | M] ()
system.drawing.ni.dll -> C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\9e87dd8fe5d0f925d80a6a6eaf74fdb9\System.Drawing.ni.dll -> [2011/08/10 18:37:45 | 001,587,200 | ---- | M] ()
presentationcore.ni.dll -> C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationCore\5566b57732d9edea236f54d06149835a\PresentationCore.ni.dll -> [2011/08/10 18:37:43 | 012,234,752 | ---- | M] ()
windowsbase.ni.dll -> C:\Windows\assembly\NativeImages_v2.0.50727_32\WindowsBase
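An added triage example, not part of this thread or of the OTS/OTL tools: it parses process lines in the format shown in the log above and flags the pattern that log shows, copies of svchost.exe running from C:\Windows\update.* directories with no company name and a hidden attribute, where the genuine svchost.exe lives in System32. The heuristics, the Finding type and the function names are my assumptions.

```python
import re
from dataclasses import dataclass, field

# OTS/OTL process-list line layout, as in the log above:
#   name -> full path -> [date time | size | attrs | M] (Company Name)
LINE_RE = re.compile(
    r"^(?P<name>\S+) -> (?P<path>.+?) -> "
    r"\[[^|]+\| (?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| [A-Z]\] \((?P<company>.*)\)$"
)

# Heuristics (assumptions, not OTS rules): core binaries only belong in the system
# directories, and an executable with no company name directly under C:\Windows is suspect.
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "winlogon.exe", "userinit.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
WINDOWS_ROOT = "c:\\windows\\"

@dataclass
class Finding:
    path: str
    reasons: list = field(default_factory=list)

def triage_line(line):
    # Return a Finding for a suspicious process line, or None for a clean or unparsable one.
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    name = m.group("name").lower()
    path = m.group("path")
    lower = path.lower()
    f = Finding(path)
    if name in SYSTEM_NAMES and not lower.startswith(SYSTEM_DIRS):
        f.reasons.append("system binary name outside System32/SysWOW64")
    if m.group("company") == "" and lower.startswith(WINDOWS_ROOT):
        f.reasons.append("no company name under C:\\Windows")
    if "H" in m.group("attrs"):
        f.reasons.append("hidden attribute set")
    return f if f.reasons else None

def triage_log(text):
    # Run triage_line over every line of an OTS process section.
    return [f for f in (triage_line(ln) for ln in text.splitlines()) if f]

# Sample lines copied from the OTS log in the post above.
SAMPLE = r"""
ots.exe -> C:\Users\Mich\Pictures\My Pictures\Mich misc\OTS.exe -> [2011/08/22 16:50:02 | 000,645,632 | ---- | M] (OldTimer Tools)
systemup.exe -> C:\Windows\systemup.exe -> [2011/08/22 06:04:40 | 000,137,728 | ---- | M] ()
svchost.exe -> C:\Windows\update.2\svchost.exe -> [2011/08/22 04:31:47 | 000,634,880 | ---- | M] ()
svchost.exe -> C:\Windows\update.tray-8-0\svchost.exe -> [2011/08/22 04:11:52 | 001,213,440 | -H-- | M] ()
firefox.exe -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe -> [2011/08/17 16:10:40 | 000,924,632 | ---- | M] (Mozilla Corporation)
"""

if __name__ == "__main__":
    for finding in triage_log(SAMPLE):
        print(finding.path, "->", "; ".join(finding.reasons))
```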

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37533
  • Not a avast user
Re: Enhanced Protection virus
« Reply #1 on: August 23, 2011, 10:00:21 PM »
Have you tried Malwarebytes?

Malwarebytes Anti-Malware 1.51. http://filehippo.com/download_malwarebytes_anti_malware/
make sure it is updated before you scan
click on the remove selected button to quarantine anything found

post the scan log here

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Enhanced Protection virus
« Reply #2 on: August 23, 2011, 10:09:10 PM »
Yep tis the enhanced thingy

Alas there was insufficient data posted to stop it so....

Download OTL  to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
CREATERESTOREPOINT

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Attach both logs
THEN

Download aswMBR.exe ( 1.8mb ) to your desktop.
  • Double click the aswMBR.exe to run it
  • Click the "Scan" button to start scan
  • On completion of the scan click save log, save it to your desktop and post in your next reply


« Last Edit: August 24, 2011, 05:04:23 PM by essexboy »

Danbar
Re: Enhanced Protection virus
« Reply #3 on: August 24, 2011, 05:30:59 AM »
To Essexboy:

It wasn't showing my reply so I am doing it again. Sorry for any duplicates.

Danbar

Offline essexboy
Re: Enhanced Protection virus
« Reply #4 on: August 24, 2011, 12:16:44 PM »
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    Quote
    :OTL
    PRC - [2011/08/23 08:09:38 | 000,636,416 | ---- | M] () -- C:\Windows\update.2\svchost.exe
    PRC - [2011/08/23 08:09:38 | 000,636,416 | ---- | M] () -- C:\Windows\update.2\svchost.exe
    PRC - [2011/06/29 12:20:24 | 000,743,936 | ---- | M] (Ufasoft) -- C:\Windows\ufa\ufa.exe
    O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.
    O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.
    O3 - HKU\S-1-5-21-84136863-795062345-1550129199-1001\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.
    O3 - HKU\S-1-5-21-84136863-795062345-1550129199-1001\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
    O4 - HKLM..\Run: [1977203.exe] C:\Windows\Temp\1977203.exe ()
    O4 - HKLM..\Run: [avgnt] File not found
    O4 - HKLM..\Run: [tray_ico] File not found
    O4 - HKLM..\Run: [tray_ico1] File not found
    O4 - HKLM..\Run: [tray_ico2] File not found
    O4 - HKLM..\Run: [tray_ico3] File not found
    O4 - HKLM..\Run: [tray_ico4] File not found
    O31 - SafeBoot: AlternateShell - services32.exe
    [2011/08/22 07:23:08 | 000,000,000 | ---D | C] -- C:\Windows\av_ico
    [2011/08/22 04:33:03 | 000,000,000 | -H-D | C] -- C:\Windows\update.7.1
    [2011/08/22 04:31:48 | 000,000,000 | -H-D | C] -- C:\Windows\update.2
    [2011/08/22 04:31:35 | 000,000,000 | ---D | C] -- C:\Windows\ufa
    [2011/08/22 04:31:35 | 000,000,000 | ---D | C] -- C:\Windows\rpcminer
    [2011/08/22 04:31:35 | 000,000,000 | ---D | C] -- C:\Windows\phoenix
    [2011/08/22 04:29:45 | 000,000,000 | -H-D | C] -- C:\Windows\update.5.0
    [2011/08/22 04:24:46 | 000,000,000 | -H-D | C] -- C:\Windows\update.1
    [2011/08/22 04:24:28 | 000,000,000 | -H-D | C] -- C:\Windows\update.tray-8-0-lnk
    [2011/08/22 04:24:28 | 000,000,000 | -H-D | C] -- C:\Windows\update.tray-8-0
    [2011/08/23 11:30:25 | 005,589,370 | ---- | M] () -- C:\Windows\phoenix.rar
    [2011/08/23 11:30:25 | 001,075,284 | ---- | M] () -- C:\Windows\rpcminer.rar
    [2011/08/23 11:30:25 | 000,246,272 | ---- | M] () -- C:\Windows\unrar.exe
    [2011/08/23 11:30:25 | 000,182,617 | ---- | M] () -- C:\Windows\ufa.rar
    [2011/08/23 08:09:39 | 000,000,202 | ---- | M] () -- C:\Windows\info1
    [2011/08/22 04:27:15 | 000,000,000 | ---- | M] () -- C:\Windows\loader2.exe_ok
    [2011/08/22 04:31:34 | 005,589,370 | ---- | C] () -- C:\Windows\phoenix.rar
    [2011/08/22 04:31:34 | 001,075,284 | ---- | C] () -- C:\Windows\rpcminer.rar
    [2011/08/22 04:31:34 | 000,182,617 | ---- | C] () -- C:\Windows\ufa.rar
    [2011/08/22 04:29:08 | 004,636,907 | ---- | C] () -- C:\Windows\geoiplist
    [2011/08/22 04:29:07 | 000,904,792 | ---- | C] () -- C:\Windows\geoiplist.rar
    [2011/08/22 04:29:07 | 000,246,272 | ---- | C] () -- C:\Windows\unrar.exe
    [2011/08/22 04:28:49 | 000,000,202 | ---- | C] () -- C:\Windows\info1
    [2011/08/22 04:27:15 | 000,000,000 | ---- | C] () -- C:\Windows\loader2.exe_ok
    [2011/08/23 08:09:38 | 000,636,416 | ---- | M] () MD5=5DCDE53F902E7BBBE5171E6A9E6B5B90 -- C:\Windows\update.2\svchost.exe
    [2011/08/22 04:11:52 | 001,213,440 | -H-- | M] () MD5=B8F3E2AEE9E0D7BCA1691165B5A2EBA1 -- C:\Windows\update.tray-8-0-lnk\svchost.exe

    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN

Please download Malwarebytes' Anti-Malware
 
Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Danbar
Re: Enhanced Protection virus
« Reply #5 on: August 24, 2011, 03:49:09 PM »
Here are the reports you asked for.

Thx,

Danbar

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89061
  • No support PMs thanks
Re: Enhanced Protection virus
« Reply #6 on: August 24, 2011, 04:02:35 PM »
You need to save your OTL log file in ANSI mode (image1) as you did for your first OTL log. See image2 extract of it when you try to view your attachment.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Danbar
Re: Enhanced Protection virus
« Reply #7 on: August 24, 2011, 05:24:59 PM »
Sorry about that. I think I changed it for you. Here are both logs again.

Thx,

Danbar

Offline essexboy
Re: Enhanced Protection virus
« Reply #8 on: August 24, 2011, 05:29:03 PM »
Any further problems ?

Offline DavidR
Re: Enhanced Protection virus
« Reply #9 on: August 24, 2011, 05:30:59 PM »
    Quote
    Sorry about that. I think I changed it for you. Here are both logs again.

    Thx,
    Danbar

No problem.

That's better, the previous MBAM attachment was fine only a problem with the OTL file format.


Danbar
Re: Enhanced Protection virus
« Reply #10 on: August 24, 2011, 05:50:54 PM »
To DavidR:

I don't know if the entire process is finished or not (I see Essexboy asked if there were any further problems), but my Avira Anti-virus program still is locked in the Enhanced Protection mode, my Windows defender is saying there is Adware:Win32/OpenCandy and my windows firewall is turned off. Just wondering what I should do now. I'll gladly wait for more instructions if there is more to do.

Thx,

Danbar

Danbar
Re: Enhanced Protection virus
« Reply #11 on: August 24, 2011, 05:57:30 PM »
To Essexboy:

A few issues still exist-

1. My Avira Anti-virus program is still locked in the Enhanced Protection mode.

2. My windows defender lists an Adware: Win32/OpenCandy threat.

3. My windows firewall is turned off.

I don't know if the process is entirely finished but was just wanting to know what I should do next.

Thx,

Danbar

Offline essexboy
Re: Enhanced Protection virus
« Reply #12 on: August 24, 2011, 06:04:17 PM »
You will need to install Avira again as it has been corrupted

If you could run a fresh OTL log selecting all users I will remove the open candy (that is considered an either/or removal as some people install it voluntarily)

For the firewall could you run the fixit on this page http://support.microsoft.com/mats/windows_security_diagnostic/en-us

Offline DavidR
Re: Enhanced Protection virus
« Reply #13 on: August 24, 2011, 06:16:59 PM »
    Quote
    I don't know if the entire process is finished or not (I see Essexboy asked if there were any further problems), but my Avira Anti-virus program still is locked in the Enhanced Protection mode, my Windows defender is saying there is Adware:Win32/OpenCandy and my windows firewall is turned off. Just wondering what I should do now. I'll gladly wait for more instructions if there is more to do.

I was only commenting on the format of the attachments, essexboy is the malware removal specialist ;D

Danbar
Re: Enhanced Protection virus
« Reply #14 on: August 24, 2011, 07:37:26 PM »
To Essexboy:

Should I run a full scan or quick scan of the OTL?

Danbar