Solved Trojans/malware detected on computer. Popups in browser.

Status
Not open for further replies.
There is AdBlockPlus, and EasyList adds more domains to block.

Is this thread only for 1 computer?

AdBlockPlus + EasyList is what I meant. :)

Technically, yes. I posted the thing about the Flash Disinfector because of the notice I got on the alternate computer, plus I posted the MalwareBytes log on that bad proxy because it came up at the same time as the alert about Flash Disinfector. I was pretty sure it was a false alarm (obviously I remembered that note you posted subconsciously!) but I just mentioned it here just in case. I figure I'm dealing with a virus, so it's better to be sure than not. But yeah, I'm just concerned about the one (original) computer at the moment, really, so sorry for the temporary distraction.

I'm going to go ahead with the steps you mentioned (finally!). Also, is there anything more I need to do with ComboFix after having run it?

Thanks!
 
I ran JavaRa and told it to remove older versions of Java. It appeared to do so, and then before a log file could come up, I got the standard Windows message that "JavaRa has encountered a problem and needs to close. Etc., etc.,". Because of that I didn't yet install the newest version of Java. Should I go ahead and install it anyway despite the message? Thanks!
 
Okay, here's the deal: there are 3 of these processes running:
c:\windows\system32\devldr32.exe

Added by an unidentified malware. Note: this is not the legitimate Creative Labs process; malware is hiding under this process name. When non-Windows program files reside in the C:\Windows or C:\Windows\system32 folders, they are not essential and are malicious files. This is the case with Devldr32.exe, and the processes need to be removed:

Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
  1. Log on to the Administrative account.
  2. Use Windows Explorer to access Computer> Double click on the Local Drive (C)
  3. Scroll down to click on Windows> System32
  4. Scroll through the list of files and do a right click> Delete on Devldr32
  5. Then look for the dllcache in the System32 list
  6. Find Devldr32.exe and do a right click> Delete
    • Note: there are 3 entries of this same file in the same sections. Be sure to delete all 3


You will have to open the hidden files for the next part:
  1. Open My Computer.
  2. Go to Tools > Folder Options.
  3. Select the View tab.
  4. Scroll down to Hidden files and folders.
  5. Select Show hidden files and folders.
  6. Uncheck Hide extensions of known file types.
  7. Uncheck Hide protected operating system files (Recommended).
  8. Click Yes when prompted.
  9. Click on Apply> Okay
------------------------------
Using the same path as you did above:
  1. Now visible in the System32 files: find the dllcache
  2. Find the Devldr32.exe file and do right click> Delete
  3. Important: Go back to Folder Options> View tab and recheck 'Don't show hidden files and folders' and recheck 'Hide protected operating system files (Recommended)'> Apply> OK
  4. Close Windows Explorer. Reboot into Normal Mode.
=====================================
Empty the Recycle Bin
=====================================
Please run this Custom CFScript:

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
Code:
File::
c:\windows\system32\PerfStringBackup.TMP
c:\windows\system32\dds_trash_log.cmd
c:\windows\system32\drivers\mfehidk.sys
c:\windows\system32\drivers\mfetdi2k.sys
c:\windows\system32\drivers\mfendisk.sys
c:\program files\common files\mcafee\systemcore\mfefire.exe
c:\windows\system32\drivers\cfwids.sys
c:\windows\system32\drivers\mfesmfk.sys
c:\windows\system32\drivers\mferkdk.sys
c:\windows\system32\drivers\mfendisk.sys

FileLook::
c:\windows\svcs.exe

DDS::
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

Clearjavacache::

Driver::
mfehidk
mfetdi2k
mfevtp
mfendiskmp
mfefire
cfwids
mferkdk
mfesmfk
mfendisk
Save this as CFScript.txt, in the same location as ComboFix.exe
[Image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it into your next reply.
================================
Be sure you have removed these from the Trusted Sites:
Trusted Zone: internet
Trusted Zone: mcafee.com
If you need help, let me know.
==============================
Open Firefox> Tools> Addons> Java Console> remove Java v6u13, v6u21, v6u22, v6u23, v6u26
==============================
Check Add/Remove Programs. If there are any Java versions except v6u31, remove them.

Please update Java: Java Updates. Uninstall any earlier versions in Add/Remove Programs, as they are vulnerabilities for the system.

Be sure to check all download screens for any pre-checked toolbars or BHOs; if found, remove the check before the download.
==============================
Leave the new ComboFix log that will be generated after you run the CFScript.

Let me know how the system is doing when you have finished the above.
 
I ran into a little discrepancy in the following, so I thought I'd better check in first. Okay, I went into WinEx, sys32 as described. I found one Devldr32.exe which I deleted (after having to shut it down in the running processes). This was the only one of that name there. I can find no folder for dllcache, so I can't find all the extra copies of devldr32.exe in there.

Just continue on with the next steps, or am I missing something here?

EDIT: Just curious, what's svchost do? I have three of those running!

EDIT2: I just looked at hidden files to see what was there (yes, dllcache was there!) but there was no Devldr32.exe anywhere to be seen.

Thanks!


 
Okay, you can stop with the Devldr32 search for now. Be sure to re-hide the files and folders.

FYI:
"Svchost.exe" (Generic Host Process for Win32 Services) is an integral part of Windows OS. It cannot be stopped or restarted manually. This process manages system services that run from dynamic link libraries (files with extension .dll). Examples for such system services are: "Automatic Updates", "Windows Firewall", "Plug and Play", "Fax Service", "Windows Themes" and many more.

At startup, Svchost.exe checks the services portion of the registry and constructs a list of services that it needs to load. Under normal conditions, multiple instances of Svchost.exe will be running simultaneously. Each Svchost.exe session can contain a grouping of services, so that many services can be run depending on how and where Svchost.exe is started. This allows for better control and debugging.

If the process svchost.exe uses high CPU resources, it is mostly because the service "Automatic Updates" is downloading some new Windows update. But having a 99% or 100% CPU usage could be caused by downloads due to some hidden malware on your computer. Some malware like the Conficker worm changes the Windows Registry so that svchost loads the malware .dll file.

Note: The svchost.exe file is located in the folder C:\Windows\System32. In other cases, svchost.exe is a virus, spyware, trojan or worm!
Courtesy Neuber

I have 9 entries of svchost.exe running most of the time> all legit, all clean.
==============================
Please go on with the remaining directions.
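 
The explanation above describes the mechanism but not how to check it: svchost.exe reads its group lists from the Svchost registry key, and each member service names its DLL in a Parameters\ServiceDll value, which is exactly what Conficker-style malware rewrites. The following script is an added example, not code from this thread or from any of the tools it mentions. It parses a regedit export (the hex(7)/hex(2) UTF-16LE encodings regedit uses for REG_MULTI_SZ and REG_EXPAND_SZ), resolves every group member to its DLL, and flags any DLL outside %SystemRoot%\system32. SAMPLE_REG is a constructed export: wuauserv is a real service, while the "rogue" service and C:\WINDOWS\Temp\lsvc.dll are invented for the example.

```python
"""Resolve what each svchost.exe group would load, from a .reg export.

Added example (not from the thread). The two registry locations it reads are
the ones the post above describes: the group lists under
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost and each member
service's Parameters\ServiceDll. SAMPLE_REG is constructed; "rogue" and
lsvc.dll are invented for the example.
"""
import re

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
"netsvcs"=hex(7):77,00,75,00,61,00,75,00,73,00,65,00,72,00,76,00,00,00,72,00,\
  6f,00,67,00,75,00,65,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  77,00,75,00,61,00,75,00,73,00,65,00,72,00,76,00,2e,00,64,00,6c,00,6c,00,00,\
  00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rogue\Parameters]
"ServiceDll"="C:\\WINDOWS\\Temp\\lsvc.dll"
"""

SVCHOST_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost"
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"


def _decode_hex(kind, payload):
    """Decode regedit's hex(2)/hex(7) byte lists (UTF-16LE) into str / list[str]."""
    raw = bytes(int(b, 16) for b in payload.split(",") if b.strip())
    text = raw.decode("utf-16-le")
    if kind == "7":                       # REG_MULTI_SZ: NUL-separated, double-NUL terminated
        return [s for s in text.split("\0") if s]
    return text.rstrip("\0")              # REG_EXPAND_SZ (or REG_SZ exported as hex)


def parse_reg(text):
    """Return {key_path_lower: {value_name: value}} for string-typed values in a .reg export."""
    joined = re.sub(r",\\\r?\n\s*", ",", text)   # stitch regedit's ",\" continuation lines
    keys, current = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif line.startswith('"') and current is not None:
            name, _, rhs = line.partition("=")
            name = name.strip('"')
            if rhs.startswith('"'):                      # REG_SZ written as a quoted string
                keys[current][name] = rhs[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            else:
                m = re.match(r"hex\((\d+)\):(.*)", rhs)
                if m:                                    # only the string-ish hex types matter here
                    keys[current][name] = _decode_hex(m.group(1), m.group(2))
    return keys


def resolve_svchost_groups(reg_text, system_root=r"C:\WINDOWS"):
    """Return {group: [(service, resolved_dll, suspicious)]} for every svchost group."""
    keys = parse_reg(reg_text)
    expected = (system_root + "\\system32\\").lower()
    groups = {}
    for group, members in keys.get(SVCHOST_KEY.lower(), {}).items():
        if isinstance(members, str):
            members = [members]
        rows = []
        for svc in members:
            params = keys.get(f"{SERVICES_KEY}\\{svc}\\Parameters".lower(), {})
            dll = params.get("ServiceDll", "")
            dll = re.sub(r"%systemroot%", lambda _m: system_root, dll, flags=re.I)
            # a DLL outside system32, or no DLL at all, is what a hijacked group looks like
            rows.append((svc, dll, not dll.lower().startswith(expected)))
        groups[group] = rows
    return groups


if __name__ == "__main__":
    for group, rows in resolve_svchost_groups(SAMPLE_REG).items():
        for svc, dll, bad in rows:
            print(f"{group:<10} {svc:<10} {'SUSPECT' if bad else 'ok':<8} {dll}")
```

On a live XP box the input would be `regedit /e` exports of the two keys named in the script; the check is deliberately offline so a log can be reviewed on a clean machine. A ServiceDll flagged here is not proof of infection (a legitimate third-party service can live under Program Files), but it is the entry a reviewer should hash and look up before anything else in the group.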
 
ComboFix Log:

ComboFix 12-03-06.01 - Christopher Aune 03/16/2012 12:54:43.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2756 [GMT -5:00]
Running from: c:\documents and settings\Christopher Aune\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Christopher Aune\Desktop\CFScript.txt
AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
* Created a new restore point
.
- REDUCED FUNCTIONALITY MODE -
.
FILE ::
"c:\program files\common files\mcafee\systemcore\mfefire.exe"
"c:\windows\system32\dds_trash_log.cmd"
"c:\windows\system32\drivers\cfwids.sys"
"c:\windows\system32\drivers\mfehidk.sys"
"c:\windows\system32\drivers\mfendisk.sys"
"c:\windows\system32\drivers\mferkdk.sys"
"c:\windows\system32\drivers\mfesmfk.sys"
"c:\windows\system32\drivers\mfetdi2k.sys"
"c:\windows\system32\PerfStringBackup.TMP"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\dds_trash_log.cmd
c:\windows\system32\veteboot.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-02-16 to 2012-03-16 )))))))))))))))))))))))))))))))
.
.
2012-03-06 21:21 . 2008-04-13 19:18 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2012-03-06 21:10 . 2011-08-17 13:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2012-03-06 18:44 . 2012-03-06 18:44 -------- d-----w- c:\documents and settings\Christopher Aune\Application Data\SUPERAntiSpyware.com
2012-03-06 18:43 . 2012-03-06 18:44 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-03-06 18:43 . 2012-03-06 18:43 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2012-02-25 02:04 . 2012-02-25 04:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2012-02-25 02:04 . 2012-02-25 02:09 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-02-18 05:56 . 2012-02-18 05:56 -------- d-----w- c:\documents and settings\Christopher Aune\Application Data\Avira
2012-02-18 05:55 . 2012-02-25 01:58 137416 ----a-w- c:\windows\system32\drivers\avipbb.sys
2012-02-18 05:55 . 2011-09-16 05:55 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2012-02-18 05:55 . 2011-09-16 05:55 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-02-18 05:55 . 2012-02-18 05:55 -------- d-----w- c:\program files\Avira
2012-02-18 05:55 . 2012-02-18 05:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2012-02-18 04:35 . 2012-02-18 04:35 -------- d-----w- c:\windows\system32\wbem\Repository
2012-02-17 21:18 . 2012-02-17 21:18 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2012-02-16 18:14 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-02-16 18:14 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-25 08:43 . 2012-01-25 08:43 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-12 16:53 . 2006-02-28 12:00 1859968 ----a-w- c:\windows\system32\win32k.sys
2011-12-31 00:31 . 2011-12-31 00:34 286720 ----a-w- c:\windows\iun504.exe
2011-12-17 19:46 . 2006-02-28 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2011-12-17 19:46 . 2006-02-28 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-12-17 19:46 . 2006-02-28 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
.
.
((((((((((((((((((((((((((((( SnapShot@2012-03-06_21.27.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-03-16 17:58 . 2012-03-16 17:58 16384 c:\windows\Temp\Perflib_Perfdata_554.dat
+ 2006-02-28 12:00 . 2012-03-12 19:35 90880 c:\windows\system32\perfc009.dat
+ 2006-02-28 12:00 . 2012-03-12 19:35 509496 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2009-10-27 1103216]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-12-09 4616064]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudioHQ"="c:\program files\Creative\SBLive2k\AudioHQ\AHQTB.EXE" [2000-05-11 205312]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-23 16804864]
"SoundMan"="SOUNDMAN.EXE" [2008-06-18 77824]
"MessengerPlus3"="c:\program files\MessengerPlus! 3\MsgPlus.exe" [2009-11-30 190024]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-11-19 1966080]
"AlcWzrd"="ALCWZRD.EXE" [2008-06-19 2808832]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-10-16 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-10-16 13851752]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-09-23 258512]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
c:\documents and settings\Christopher Aune\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\system32\\hasplms.exe"=
"c:\\Program Files\\Pidgin\\pidgin.exe"=
"c:\\Program Files\\X-Chat 2\\xchat.exe"=
"c:\\Program Files\\WarZone\\LobbyClient.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\LucasArts\\Outlaws\\olwin.exe"=
"c:\\Program Files\\GOGcom\\Sid Meiers Alpha Centauri\\terran.exe"=
"c:\\Program Files\\MySQL\\MySQL Server 5.1\\bin\\mysqld.exe"=
"c:\\Program Files\\MySQL\\MySQL Server 5.5\\bin\\mysqld.exe"=
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2/18/2012 12:55 AM 36000]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 11:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 6:38 PM 116608]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2/18/2012 12:55 AM 86224]
R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
S4 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\EnergySaver\GSvr.exe [1/7/2009 1:03 PM 80392]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
apache
vstor2-ws60
ati2mtaa
regspy
artdhcp
aswrdr
AtlsAud
wdm_au8820
CamAv
tosrfusb
SunkFilt39
wg5n
videoacceleratorengine
DCamUSBDXGTech
svcwmu
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
LSP: mswsock.dll
TCP: DhcpNameServer = 192.168.25.1
FF - ProfilePath - c:\documents and settings\Christopher Aune\Application Data\Mozilla\Firefox\Profiles\qy824k2u.default\
FF - prefs.js: network.proxy.type - 4
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-16 13:00
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\windows\$NtUninstallKB10740$:SummaryInformation 0 bytes hidden from API
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.5\bin\mysqld\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.5\my.ini\" MySQL"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(548)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(748)
c:\windows\system32\WININET.dll
c:\program files\MessengerPlus! 3\MsgPlusLoader.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\windows\system32\hasplms.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\RTHDCPL.EXE
c:\windows\SOUNDMAN.EXE
c:\windows\system32\RUNDLL32.EXE
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\avira\antivir desktop\ipmGui.exe
.
**************************************************************************
.
Completion time: 2012-03-16 13:02:52 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-16 18:02
ComboFix2.txt 2012-03-06 21:31
.
Pre-Run: 378,992,762,880 bytes free
Post-Run: 378,985,099,264 bytes free
.
- - End Of File - - AF879E3634540A633CA055B9F4CAE53D
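 
The log above is read by eye in the thread; a reviewer who sees many of them wants the autostart sections pulled out with the questions already attached. The script below is an added example, not part of this thread and not part of ComboFix. It parses the Run/RunOnce values and the R*/S* service lines in the format ComboFix prints, and attaches three review flags: a bare filename with no directory (the loader locates it by search path, so confirm which file actually runs; RTHDCPL.EXE in the log above is reported later under c:\windows), a binary under a user-writable directory such as Temp or Application Data, and a service whose file ComboFix could not inspect (the trailing "[?]", as with hasplms above). SAMPLE_LOG is a constructed excerpt in the log's format; the "lsvc" Run entry is invented for the example and does not appear in the real log.

```python
"""Triage the autostart sections of a ComboFix log.

Added example, not from the thread or from ComboFix. SAMPLE_LOG is a
constructed excerpt in ComboFix's format; the "lsvc" entry is invented.
"""
import re

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-23 16804864]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-09-23 258512]
"lsvc"="c:\documents and settings\Owner\Local Settings\Temp\lsvc.exe" [2012-03-06 40960]
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2/18/2012 12:55 AM 36000]
R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
S4 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\EnergySaver\GSvr.exe [1/7/2009 1:03 PM 80392]
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$", re.I)
RUN_RE = re.compile(r'^"([^"]+)"="([^"]*)" \[(\d{4}-\d{2}-\d{2}) (\d+)\]$')
SVC_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*?) \[([^\]]*)\]$")
USER_WRITABLE = re.compile(r"\\(temp|application data|local settings|recycler)\\", re.I)


def flags_for(path, info=None):
    """Review flags for one autostart path (and, for services, ComboFix's file info)."""
    flags = []
    if "\\" not in path:
        flags.append("bare-name")          # resolved by search path, not a fixed file
    if USER_WRITABLE.search(path):
        flags.append("user-writable-dir")  # common drop locations for malware
    if info == "?":
        flags.append("unverified")         # ComboFix could not stat the file
    return flags


def triage(log_text):
    """Parse Run/RunOnce values and service lines; return {'run': [...], 'services': [...]}."""
    run, services, key = [], [], None
    for line in log_text.splitlines():
        line = line.rstrip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = RUN_RE.match(line)
        if m and key and key.lower().endswith(("\\run", "\\runonce")):
            name, path, date, size = m.groups()
            run.append({"key": key, "name": name, "path": path, "date": date,
                        "size": int(size), "flags": flags_for(path)})
            continue
        m = SVC_RE.match(line)
        if m:
            state, name, display, path, info = m.groups()
            services.append({"state": state, "name": name, "display": display,
                             "path": path, "info": info, "flags": flags_for(path, info)})
    return {"run": run, "services": services}


def suspicious(report):
    """Names of every entry carrying at least one flag, in log order."""
    return [e["name"] for e in report["run"] + report["services"] if e["flags"]]


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for entry in report["run"] + report["services"]:
        print(f"{entry['name']:<14} {','.join(entry['flags']) or '-':<26} {entry['path']}")
```

The flags are prompts for the reviewer, not verdicts: a bare-name Run entry is normal for some vendor tray applets, and "[?]" only means ComboFix could not read the file's metadata. What the script buys is that none of these entries slips past unnoticed in a log of several hundred lines.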
 
Okay. First, when I loaded back in normal mode, there was nothing in the recycle bin, so I couldn't quite empty what I had deleted in Safe Mode. Should I have gone back into safe mode to put it in the recycle bin? (I didn't)

ComboFix ran on reduced functionality because it said that I hadn't the latest version. It seemed to run okay though. The log is above.

I will proceed with the other steps now.
 
Okay, I removed the old Java and installed the new one. That should be it for the steps. While uninstalling the old versions of Java, Avira came up with a message:

A virus or unwanted program 'TR/Sirefef.BV.2' was found in file 'C:\WINDOWS\system32\pelmouse.dll'.

Access to this file was denied.

As far as the system, it's running well online and (so far) I haven't had any redirects, though I haven't used google for searches either (which is where I get most redirects). Devlrd isn't running anymore either, so I guess that's good. Still wondering if it's sitting in the Safe Mode admin recycle bin though.
 
Resident virus programs don't distinguish where an entry is. The entry might be in System Volume Information, which is where the restore points are kept. It is no longer active in the system, and I'll have you set a new clean restore point and drop the old ones when we finish. Keep in mind that you have been instructed not to do a System Restore.

For instance, this is from Superantispyware:
Trojan.Agent/Gen-Sirefef
C:\SYSTEM VOLUME INFORMATION\_RESTORE{1D4535A7-6169-4EA1-A338-398DA62C6A68}\RP54\A0040296.SYS

The entry may also be in the Qoobox> this is where ComboFix sends the quarantined files. Same as above> no longer active, will be removed when ComboFix is uninstalled.

Long way to say ignore Avira for now.
======================================
But you do need to run this Eset Online Virus scan:
To run the Eset Online Virus Scan:
If you use Internet Explorer:
  1. Open the ESETOnlineScan
  2. Skip to #4, "Continue with the directions"

If you are using a browser other than Internet Explorer:
  3. Open Eset Smart Installer
    • Click on the esetsmartinstaller_enu.exe link and save to the desktop.
    • Double click on the desktop icon to run.
    • After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new window.
  4. Continue with the directions.
  5. Check 'Yes I accept terms of use.'
  6. Click Start button
  7. Accept any security warnings from your browser.
    [Image: esetonlinescannersettings_thumb.jpg]
  8. Uncheck 'Remove found threats'
  9. Check 'Scan archives'
  10. Leave remaining settings as is.
  11. Press the Start button.
  12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  13. When the scan completes, press List of found threats
  14. Push Export to text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  15. Push the Back button, then Finish
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
 
ESETScan said there was something found. Here's the complete "log":

Operating memory multiple threats

Avira keeps saying it finds stuff (two things this time) but I'm ignoring it for now as you directed.

As always, thanks for the help.
 
Please post entire Eset log.

Don't worry about Avira. Don't even run Avira while I'm helping you.
 
Please update and rerun the Eset scan. Hopefully there will be a bit more text to see. While the entry you left can be found, I have never seen it post as a single line with no other text.
 
Here is the scan from the second try. As always, thanks for the help.

C:\Qoobox\Quarantine\C\WINDOWS\system32\veteboot.dll.vir probably a variant of Win32/Sirefef.ER trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\afd.sys.vir a variant of Win32/Rootkit.Kryptik.JM trojan
C:\System Volume Information\_restore{1D4535A7-6169-4EA1-A338-398DA62C6A68}\RP56\A0043434.sys a variant of Win32/Rootkit.Kryptik.JM trojan
C:\System Volume Information\_restore{1D4535A7-6169-4EA1-A338-398DA62C6A68}\RP57\A0043637.sys a variant of Win32/Rootkit.Kryptik.JM trojan
C:\System Volume Information\_restore{1D4535A7-6169-4EA1-A338-398DA62C6A68}\RP58\A0043977.dll probably a variant of Win32/Sirefef.ER trojan
C:\WINDOWS\system32\adobeactivefilemonitor4.0.dll probably a variant of Win32/Sirefef.ER trojan
C:\WINDOWS\system32\pelmouse.dll probably a variant of Win32/Sirefef.ER trojan
Operating memory multiple threats
 
I'd like you to run the following scan. There are two programs I'd like to check:

Download CKScanner and save to your desktop.
  • Doubleclick CKScanner.exe and click Search For Files.
  • When the cursor hourglass disappears, click Save List To File.
  • A message box will verify that the file is saved.
  • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.
=====================================
 
Alrighty, here's the list. I seem to notice a pattern with those files! :haha:

I know I'm not the expert, but off the top of my head, I'd say that the crazy bump file is potentially bad as I was working with that program a couple years ago and got some odd files. Had a virus at the time, though I can't confirm it had something to do with that or not.

CKScanner - Additional Security Risks - These are not necessarily bad
c:\documents and settings\christopher aune\my documents\neverwinter nights 2\override\elmwood campaign overrides\item blueprints\cs_it_kneecracker.uti
c:\downloads\ultimate_ol_crack.zip
c:\program files\gimp-2.0\share\gimp\2.0\patterns\cracked.pat
c:\program files\zbrush trial\zbrush_3.5_r3\zbrush3.5r3_cracked_by_amrthabet.rar
c:\windows\prefetch\crack_crazybump11.45059.exe-05086444.pf
scanner sequence 3.BC.11.PMAPBU
----- EOF -----
 
Alrighty, here's the list. I seem to notice a pattern with those files!

The pattern is that they are pirated files. Remove all to continue support:
c:\downloads\ultimate_ol_crack.zip
c:\program files\zbrush trial\zbrush_3.5_r3\zbrush3.5r3_cracked_by_amrthabet.rar
c:\windows\prefetch\crack_crazybump11.45059.exe-05086444.pf
 
Please rescan: Download CKScanner and save to your desktop.
  • Doubleclick CKScanner.exe and click Search For Files.
  • When the cursor hourglass disappears, click Save List To File.
  • A message box will verify that the file is saved.
  • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.
=====================================
Please give me an update on the system.
 
Here you go:

CKScanner - Additional Security Risks - These are not necessarily bad
c:\documents and settings\christopher aune\my documents\neverwinter nights 2\override\elmwood campaign overrides\item blueprints\cs_it_kneecracker.uti
c:\program files\gimp-2.0\share\gimp\2.0\patterns\cracked.pat
scanner sequence 3.LB.11.POAAXG
----- EOF -----
 
And an update on the system:

My computer seems to be working well. I haven't noticed any extra processes running, or existing ones doing so more than usual. The devlrd (or whatever that was) hasn't come back. I tried some google searches and I'm actually going to the right site now and no extra windows are popping up. All in all, it seems to be nothing but good news.

As always, thanks for the help!
 
Will you please rescan with the Eset scanner- update first, then scan. You had some processes in memory that I want to be sure are no longer active.
 
Once again I got the report that there was one infected file, but the only thing on the scan log is:

Operating memory multiple threats

Shall I rerun the scan like last time it happened?
 