# Please check my logs - persistent malware re-appearing

Feb 14, 2010
1. I've run the 8-steps several times now, and a piece of malware keeps reappearing:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

What more needs to be done to stop this from recurring?

Attached are my logs.

Kevin

#### Attached Files:

• mbam-log-2010-02-13 (19-04-52).txt
2. ### Bobbye (Helper on the Fringe)

• Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
• Double click on the setup file on the desktop to run
• When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
(Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
• (image: Recovery Console query prompt)

• Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

• Click on Yes, to continue scanning for malware.
Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you, please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

There are several malware entries in the HijackThis log. Combofix will help with that. Autoruns have also been disabled. Please rescan with HijackThis after Combofix.

Attach the Combofix report and the new HijackThis log to your next reply.

3. ### QuasiChameleon (TS Rookie, Topic Starter)

Here's my logs for ComboFix and HijackThis again, as requested.

Kevin

4. ### Bobbye (Helper on the Fringe)

Please reopen HijackThis to 'do system scan only.' Check the following if present: Note: Optional removals are in green.
Read the Option descriptions before checking

O2 - BHO: (no name) - AutorunsDisabled - (no file)>>See Option 1
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)>> See Option 1
O9 - Extra button: (no name) - AutorunsDisabled - (no file)>> See Option 1
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\>> See Option 1

---------
O2 - BHO: pdfforge Toolbar - {B922D405-6D13-4A2B-AE89-08A030DA4402} - C:\Program Files\pdfforge Toolbar\IE\1.1.2\pdfforgeToolbarIE.dll
O3 - Toolbar: pdfforge Toolbar - {B922D405-6D13-4A2B-AE89-08A030DA4402} - C:\Program Files\pdfforge Toolbar\IE\1.1.2\pdfforgeToolbarIE.dll
O4 - HKLM\..\Run: [SearchSettings] C:\Program Files\pdfforge Toolbar\SearchSettings.exe

Option 1: Have you intentionally disabled Autoruns or are you aware that they have been disabled? This can be a potential protocol hijacker. If yes, leave. If not, please check these for removal.

Option 2: Foistware> Askbar, PDF Toolbar
Foistware is not a virus or malware. It is installed with another unrelated program without your knowledge or permission. I recommend you remove it.
The pdfforge Toolbar installed with PDFCreator is considered a PUP/WidgiToolbar (a potentially unwanted program) due to its questionable privacy policy. But it came with a Trojan, so it needs to be removed.

Close all Windows except HijackThis and click on "Fix Checked."

If you checked the Askbar and Pdfforge Toolbar for removal:
Go to Add/Remove programs in the Control Panel and uninstall both.
Use Windows Explorer> Navigate to C:\Programs and do a right click> Delete on both of the program folders.

Using Windows Explorer: Windows key + E: Click on My Computer> double click on the Local Drive (C)> Navigate to> C:\WINDOWS. Right-click on MailSwitch.ocx and select Rename. Please rename it to MailSwitch.vir.

If you do not see the file: Go to Tools> Folder Options> View tab> Check 'show hidden files & folders'> Uncheck 'hide protected operating system files-Recommended'> Apply> OK

Exit Windows Explorer and hide the files & Folders.

Please update and scan again with Malwarebytes.

Kaspersky Online Scanner in Internet Explorer

• Click Accept and the web scanner will begin to load
• If a yellow warning bar appears at the top of the browser, click it and choose Install ActiveX Control
• You will be prompted to install an ActiveX component from Kaspersky, click Install
• If you are prompted about another ActiveX control called Kaspersky Online Scanner GUI part then allow it to be installed also.
• Once the files have been downloaded click on NEXT and then Scan Settings
• In the scan settings make sure that the following are selected:
[o] Scan using the following Anti-Virus database> Extended (if available otherwise Standard)
[o] Scan Options: Scan Archives> Scan Mail Bases
• Click OK
• Now under select a target to scan:
[o] Select My Computer
• The program will start to scan your system.
• Once the scan is complete, click on the Save as Text button and save the file to your desktop

5. ### QuasiChameleon (TS Rookie, Topic Starter)

The Kaspersky options were not as described, and it returned an HTML document for the report.

I zipped these logs to get the HTML file to upload.

Thanks!

Kevin Crosby

6. ### Bobbye (Helper on the Fringe)

• Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

Code:
:Processes

:Services

:Reg

:Files
C:\Documents and Settings\Owner\Application Data\SpamBayes\Proxy\pop3proxy-spam-cache\1177382499-2
C:\Documents and Settings\Owner\Application Data\SpamBayes\Proxy\pop3proxy-spam-cache\1177463384-2
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{B84C0813-2E3D-4E9F-B632-D014A0734A45}\Microsoft\Outlook Express\_Unsure.dbx
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
• Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
• Click the red Moveit! button.
• A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
• Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Kevin, please copy the HijackThis log again. The entire middle section is missing. If you compare it to the original log, entries from R1 through O20 are all missing = 9.2KB.

7. ### QuasiChameleon (TS Rookie, Topic Starter)

I don't know why my earlier hijackthis.log was so short.

Here are the new logs from OTM and HijackThis.

All processes killed
========== PROCESSES ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\Documents and Settings\Owner\Application Data\SpamBayes\Proxy\pop3proxy-spam-cache\1177382499-2 moved successfully.
C:\Documents and Settings\Owner\Application Data\SpamBayes\Proxy\pop3proxy-spam-cache\1177463384-2 moved successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{B84C0813-2E3D-4E9F-B632-D014A0734A45}\Microsoft\Outlook Express\_Unsure.dbx moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->FireFox cache emptied: 3369781 bytes

User: All Users

User: Clean
->Temp folder emptied: 99191094 bytes
->Temporary Internet Files folder emptied: 28267603 bytes
->Java cache emptied: 1747918 bytes
->FireFox cache emptied: 49264417 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 78991 bytes
->FireFox cache emptied: 59726333 bytes

User: LocalService
->Temp folder emptied: 65748 bytes
->Temporary Internet Files folder emptied: 49286 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Owner
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 294871 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 83543470 bytes
->Apple Safari cache emptied: 1510178 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2162283 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 5473 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 4962 bytes

Total Files Cleaned = 314.00 mb

OTM by OldTimer - Version 3.1.9.0 log created on 02202010_221515

Files moved on Reboot...

Registry entries deleted on Reboot...

8. ### Bobbye (Helper on the Fringe)

Questions:

1. You are running Blue Coat® K9 Web Protection, which is a content filter allowing you to allow or block some websites.

2. You also have O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)

3. Are these related security features for your system and did you set them?

4. You also have this Service running O23 - Service: BrlAPI - Unknown owner - C:\cygwin\bin\cygrunsrv.exe This is for "Cygwin/Redhat run as service" Are you using this?

5. How is the system running now? Have the original problems been resolved? Are there any new related problems?

9. ### QuasiChameleon (TS Rookie, Topic Starter)

1. Yes. I'm running K9.

2. I have just deleted the O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file) with HijackThis.

3. I did not set the O18, but I did install the K9 Web Protection.

4. I was unaware that a Cygwin server was running. I have deleted this from HijackThis. Cygwin was developed by Redhat to be a UNIX emulator for the PC.

5. I'm still investigating whether or not the malware is gone for good. Throughout this process, Malwarebytes has intermittently kept coming back with this:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

I'll have to double check that it is gone for sure, as it keeps coming back.

Will keep you updated.

10. ### QuasiChameleon (TS Rookie, Topic Starter)

Unfortunately, after doing all of that Malwarebytes still occasionally reports

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Furthermore, entries that I previously deleted in HijackThis have reappeared, specifically the O2 and O18 AutorunsDisabled. I have deleted them again.

Does it matter which Admin account I run these programs from? I have two admin accounts.

11. ### Bobbye (Helper on the Fringe)

Quasi, are you using a flash drive? Or did you use a flash drive before this began?

12. ### QuasiChameleon (TS Rookie, Topic Starter)

Although I do own a flash drive, I have not been using it in this computer while trying to fix these problems.

Also, my O2, O18, and O20 AutorunsDisabled keeps reappearing in my HijackThis scan, after I keep deleting them.
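
Added example (an editor's addition, not code from this thread, from HijackThis or from Sysinternals): a PowerShell listing of the autostart locations that HijackThis reports as O2, O4 and O20, read from HKLM and from every loaded user hive, flagging entries whose target file is missing. Two points the exchange above leaves open: the O4 entries HijackThis shows under HKCU belong only to the account that ran the scan, so a second administrator's per-user Run keys go unseen unless that hive is enumerated (which is the practical answer to the question about two admin accounts); and a subkey named `AutorunsDisabled` under these keys is what Sysinternals Autoruns creates when an entry is unchecked in its GUI, which is why the "AutorunsDisabled" lines come back after being deleted in HijackThis and why they should be reviewed in Autoruns rather than deleted. The script assumes Windows PowerShell 2.0 or later in an elevated session; the NTUSER.DAT path in the comment is a placeholder, not a path from the thread.

```powershell
# Added example (not from the thread): enumerate Run/RunOnce, Browser Helper Objects and
# Winlogon Notify entries from HKLM and from every loaded user hive, including the
# AutorunsDisabled subkeys that Sysinternals Autoruns uses to park unchecked entries.
# Assumes Windows PowerShell 2.0+ running elevated.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$bhoKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

# Per-user Run keys of every loaded hive (HKU\<SID>). A profile that is not logged on is not
# loaded; load it first, e.g.  reg load HKU\Other "C:\Documents and Settings\<account>\NTUSER.DAT"
# (placeholder path) and "reg unload HKU\Other" when done.
foreach ($hive in (Get-ChildItem Registry::HKEY_USERS -ErrorAction SilentlyContinue |
                   Where-Object { $_.PSChildName -notlike '*_Classes' })) {
    $runKeys += "Registry::HKEY_USERS\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run"
    $runKeys += "Registry::HKEY_USERS\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion\RunOnce"
}

function Resolve-ImagePath([string]$raw) {
    # Extract the file path from a command line such as  "C:\x y\z.exe" -s  or  C:\x\z.exe /q
    if (-not $raw) { return $null }
    $raw = [Environment]::ExpandEnvironmentVariables($raw.Trim())
    if ($raw.StartsWith('"')) { return $raw.Split('"')[1] }
    # Unquoted: drop trailing words until what is left exists on disk, so that
    # "C:\Program Files\x\y.exe /s" and "C:\x\y.exe" both resolve.
    $parts = $raw -split '\s+'
    for ($n = $parts.Count; $n -ge 1; $n--) {
        $candidate = $parts[0..($n - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate) { return $candidate }
    }
    return $parts[0]
}

function New-Entry($key, $name, $target, $disabled) {
    # Missing = the entry points at a file that is not on disk (the "(no file)" case in HJT logs)
    $missing = (-not $target) -or (-not (Test-Path -LiteralPath $target))
    New-Object PSObject -Property @{
        Key = $key; Name = $name; Target = $target; Disabled = $disabled; Missing = $missing
    }
}

function Read-RunKey($key, $disabled) {
    # O4: each value is "name = command line"
    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        New-Entry $key $name (Resolve-ImagePath ($item.GetValue($name))) $disabled
    }
}

function Read-BhoKey($key, $disabled) {
    # O2: each subkey is a CLSID; the DLL comes from HKCR\CLSID\{clsid}\InprocServer32
    foreach ($clsid in Get-ChildItem -LiteralPath $key) {
        if ($clsid.PSChildName -eq 'AutorunsDisabled') { continue }
        $srv = Get-ItemProperty -LiteralPath "Registry::HKEY_CLASSES_ROOT\CLSID\$($clsid.PSChildName)\InprocServer32" -ErrorAction SilentlyContinue
        New-Entry $key $clsid.PSChildName (Resolve-ImagePath $srv.'(default)') $disabled
    }
}

function Read-NotifyKey($key, $disabled) {
    # O20: each subkey is a notification package with a DllName value (bare names resolve from System32)
    foreach ($pkg in Get-ChildItem -LiteralPath $key) {
        if ($pkg.PSChildName -eq 'AutorunsDisabled') { continue }
        $dll = (Get-ItemProperty -LiteralPath $pkg.PSPath).DllName
        if ($dll -and -not [IO.Path]::IsPathRooted($dll)) { $dll = Join-Path $env:SystemRoot "System32\$dll" }
        New-Entry $key $pkg.PSChildName $dll $disabled
    }
}

function Get-AutostartEntry {
    $plan = @()
    foreach ($k in $runKeys) { $plan += ,@($k, 'Read-RunKey') }
    $plan += ,@($bhoKey, 'Read-BhoKey')
    $plan += ,@($notifyKey, 'Read-NotifyKey')
    foreach ($p in $plan) {
        $key, $reader = $p
        if (Test-Path -LiteralPath $key) { & $reader $key $false }
        # Entries that Autoruns unchecked live under <key>\AutorunsDisabled with the same layout.
        if (Test-Path -LiteralPath "$key\AutorunsDisabled") { & $reader "$key\AutorunsDisabled" $true }
    }
}

Get-AutostartEntry | Sort-Object Disabled, Missing -Descending |
    Format-Table Disabled, Missing, Name, Target, Key -AutoSize
```

Entries with `Disabled = True` are the ones Autoruns parked; re-enabling or deleting them is done from Autoruns itself. Entries with `Missing = True` and `Disabled = False` are the orphaned "(no file)" references that HijackThis can safely remove.
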

13. ### Bobbye (Helper on the Fringe)

Sorry- didn't get the email that there was a reply.

About the 2 Administrator accounts. Are you actively using both of these? I would think that could be a problem and also that any changes you want to make are going to have to be done under the account of that particular user.

Please delete the Combofix log from the desktop, then run Combofix again.

Follow with new scan using the Eset online scan, then new HijackThis scan.
Please include all the reports and logs.

14. ### QuasiChameleon (TS Rookie, Topic Starter)

One admin account is for my regular use, and the second one has a minimal set of programs running upon login. I am in control of both accounts.

Attached are the Combofix and HijackThis logs. The ESET scanner reported everything was fine, but I did not see where it offered a report. I also ran Kaspersky again, and nothing new, except the quarantined items from Symantec and the trojans that OTM moved from my SPAM filters.

However, upon running Malwarebytes again, the same thing keeps reappearing about every other login: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter).

This is the same problem I came to this board for.

15. ### Bobbye (Helper on the Fringe)

I advise you to only run one Administrative account. Why do you need a second one set up with fewer programs? Administrative Accounts have higher permissions. Please read the Microsoft Description of User Accounts HERE.

Administrator does not have all the privileges of root because some (superuser) privileges are assigned to the Local System account in Windows NT. The user may gain access to the Local System account by making Task Scheduler start a command prompt. Since Task Scheduler starts programs as Local System, the user can run any program as Local System.

Have you checked the security center manually- under both of those accounts?:
Control Panel> Security Center> check AV, firewall and auto-update settings.

Local System Account: http://msdn.microsoft.com/en-us/library/ms684190(VS.85).aspx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter).

The LocalSystem account has the following privileges: The service can open the registry key HKEY_LOCAL_MACHINE\SECURITY.

Edit: As I mentioned previously, you are running the "Cygwin Run As Service" program. Cygserver is a program which is designed to run as a background service. It provides Cygwin applications with services which require security arbitration or which need to persist while no other cygwin application is running.
It is still running: To remove it:

1. Close any open browsers.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
3. Open Notepad and copy/paste the text in the code below into it:
Code:
File::
c:\cygwin\bin\cygrunsrv.exe
Folder::

Registry::

Driver::
BrlAPI


Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.

http://www.cygwin.com/cygwin-ug-net/using-cygserver.html
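
Added example (an editor's addition, not code from this thread or from Malwarebytes): the `Disabled.SecurityCenter` detection that keeps recurring is nothing more than the REG_DWORD `AntiVirusDisableNotify` under `HKLM\SOFTWARE\Microsoft\Security Center` being set to 1. Windows writes that value itself when a user unchecks "Virus Protection" under Security Center's "Change the way Security Center alerts me", and malware writes it to hide the red-shield warning after disabling the antivirus; `AntiVirusOverride` is the sibling set by "I have an antivirus program that I'll monitor myself". The key is machine-wide, so it reads the same from either administrator account; what differs between the accounts is what runs at their logon, which is why the check is worth running right after logging on as each of them. The script below lists all five Security Center notify/override values with their meaning, shows which antivirus products have registered with Security Center, and can reset the suppressed values. It assumes Windows PowerShell 2.0 or later in an elevated session; the value names are the ones Windows uses, and `root\SecurityCenter` (XP) and `root\SecurityCenter2` (Vista and later) are the WMI namespaces Security Center publishes.

```powershell
# Added example (not from the thread): inspect and repair the Windows Security Center
# notify/override values that Malwarebytes reports as "Disabled.SecurityCenter".
# Assumes Windows PowerShell 2.0+ in an elevated session.

$scKey = 'HKLM:\SOFTWARE\Microsoft\Security Center'

# The five REG_DWORD values Security Center honours; 1 means suppressed or overridden.
$scValues = @{
    AntiVirusDisableNotify = 'no alert when antivirus is off or out of date'
    FirewallDisableNotify  = 'no alert when the firewall is off'
    UpdatesDisableNotify   = 'no alert when Automatic Updates is off'
    AntiVirusOverride      = 'Security Center no longer monitors antivirus'
    FirewallOverride       = 'Security Center no longer monitors the firewall'
}

function Get-SecurityCenterState {
    # One object per value: current data, whether it is in the suppressed state, and why it matters.
    $props = Get-ItemProperty -Path $scKey -ErrorAction Stop
    foreach ($name in ($scValues.Keys | Sort-Object)) {
        $data = $props.$name                     # $null when the value is absent (same effect as 0)
        New-Object PSObject -Property @{
            Name       = $name
            Data       = $data
            Suppressed = ($data -eq 1)
            Meaning    = $scValues[$name]
        }
    }
}

function Repair-SecurityCenterState {
    # Reset every suppressed value to 0 and report what was changed.
    foreach ($entry in (Get-SecurityCenterState | Where-Object { $_.Suppressed })) {
        Set-ItemProperty -Path $scKey -Name $entry.Name -Value 0 -Type DWord
        "reset {0} to 0 (was 1: {1})" -f $entry.Name, $entry.Meaning
    }
}

function Get-RegisteredAntiVirus {
    # Cross-check which antivirus products have registered with Security Center.
    # XP publishes root\SecurityCenter; Vista and later publish root\SecurityCenter2.
    foreach ($ns in 'root\SecurityCenter', 'root\SecurityCenter2') {
        Get-WmiObject -Namespace $ns -Class AntiVirusProduct -ErrorAction SilentlyContinue |
            Select-Object @{n = 'Namespace'; e = { $ns }}, displayName, productState,
                          onAccessScanningEnabled, productUptoDate
    }
}

# Usage: run right after logging on, once per administrator account, and compare the output.
Get-SecurityCenterState | Format-Table Name, Data, Suppressed, Meaning -AutoSize
Get-RegisteredAntiVirus | Format-Table -AutoSize
# Repair-SecurityCenterState    # uncomment to clear the suppressed values
```

If `Get-RegisteredAntiVirus` lists no product while an antivirus is installed, the product has not registered with Security Center, and the "monitor it myself" override is the legitimate reason the value may be 1; if a product is listed and the value still returns to 1 after a logon, something that runs at that logon is rewriting it and the autostart entries of that account are the place to look.
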

16. ### QuasiChameleon (TS Rookie, Topic Starter)

Ok. I've removed Admin privileges from my secondary account, and rescanned with ESET, ComboFix twice (both before and after your script), and HijackThis.

Logs attached.

I do think that my secondary admin account wasn't able to access files in my primary admin account.

After I send this, I'll rescan with Malwarebytes to see if the problem went away for good.

Kevin

17. ### Bobbye (Helper on the Fringe)

Look at the screenshot and read through the settings> decide on how you want yours set. The entry AutorunsDisabled- no CLSID is still on the HJT log.
Leave the Mbam log when you're finished. And I'd like you to rescan with the Eset online scanner. Please follow the line: Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked

If they're clean and the problems have been resolved, I'll have you remove the cleaning tools and old restore points.

18. ### QuasiChameleon (TS Rookie, Topic Starter)

Here's the logs from eset and malwarebytes, with the options you mentioned.

I have deleted the O18 from HijackThis several times, and it keeps coming back.

I've already been using the autoruns to turn off certain services from loading upon startup, but am unsure what you mean by "installing" it, as it seems to be a stand-alone executable with no installer.

19. ### Bobbye (Helper on the Fringe)

These logs are both clean. It is most likely that a Windows Update has disabled the autoruns.

Are you having any problems with the system now? Did you check the Security Center and make sure all three sections are running? Please keep in mind that until recently, your system had 2 'bosses'- Administrators.

Uninstall ComboFix and all Backups of the files it deleted
• Click START> then RUN
• Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
Remove all of the tools we used and the files and folders they created
• Save it to your Desktop.
• Double click OTCleanIt.exe.
• Click the CleanUp! button.
• If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
• Go to Start > All Programs > Accessories > System Tools
• Click "System Restore".
• Choose "Create a Restore Point" on the first screen then click "Next".
• Give the Restore Point a name> click "Create".
• Go back and follow the path to > System Tools.
• Click "OK" to select the partition or drive you want.
• Click the "More Options" Tab.
• Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

Please let me know if you need help in the future. Understand that the user can disable the Security Center and/or the Service that runs the update section.

20. ### QuasiChameleon (TS Rookie, Topic Starter)

The Eset log did not look clean to me:

C:\System Volume Information\_restore{111027AC-0595-426C-ACE4-306EAD09DEE0}\RP1123\A0394087.exe a variant of Win32/FenomenGame application

The Malwarebytes has come back with "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter)" about every other login.

How can I be sure it won't come back this time?

All three sections in the Security Center are running, with the exception that I purposely disabled my firewall and anti-virus temporarily for the purpose of running the various scanning software programs.

Kevin

21. ### Bobbye (Helper on the Fringe)

Kevin, the reason we have you leave the logs from programs is so we can check what is found and what is removed and in part, where those files are. The System Volume shown in the Eset log are system restore points. Malware can get into these restore points. But when malware is removed from the rest of the system, malware in the restore points is only a threat if you do a system restore and chose a point that happens to have malware.

System Restore is a protected folder in the operating system. So although 'System Volume' can show up in a scan, the files there will not be removed until end of cleaning, when we have you remove the old restore points and create a new clean one. Keep in mind though that the malware is not active on the system when only found here.

We do not have you disable the security programs for these preliminary scans> Malwarebytes, Superantispyware and HijackThis. If we ask you to run Combofix, then you are instructed to disable the security.

It is most likely that what you're seeing is the result of your intentional disabling of the processes when it wasn't required. Please follow the instructions I left for you to remove the cleaning tools and old restore points. Then be sure the parts of the Security Center are enabled. I have my Security Center disabled and when I run Spybot Search & Destroy, it brings up a notice that the Security Center is disabled. (I am not recommending this, only using it for example.)

Reboot the computer and be sure to Empty the Recycle Bin. And unless you have evidence of malware problems, I suggest you stop using Malwarebytes as a 'checking' program. The last scans do not indicate an active malware on your system.

Topic Status:
Not open for further replies.