Getting close? 7 steps of 8

BrianMT

Posts: 13   +0
Hi all. Big thanks in advance to anybody who can help run me through this. I've followed 7 of the 8 steps to the letter --- I seem to be prevented from updating Java somehow, though I did uninstall the old version using the remove programs menu. Only other symptom seems to be a general slowness. Here are my logs.

Big, big thanks again.
 
Some concerns in your HJT log sadly :(

Try these easy steps first

CCleaner (some strange Temp stuff needs to be removed)
Norton removal tool (unless you have symantec stuff installed, but it's running anyway)
Restart
Malwarebytes (Yes, I know it's been run already, but trust me, update it, and run it again)
 
Update both below even if you did it already today, and run

1st SAS we have no log
2nd MBAM get new log to confirm it is in fact clean now and finds nothing else.
3rd After above new HJT log.

Mike
 
Any guess as to why I can't seem to update Malwarebytes (or SAS, for that matter) from using the software's update tab? It just won't connect to either of the offered mirror sites (tried taking down my Windows Firewall to see if that made a difference -- no dice).

Yesterday I updated the database at gt500.org, but it's a version 1442 that's up there now and some Googling suggested to me there's already a 1443...
 
Nice. Mom always told me I was special. For the record, I can run both programs, just can't seem to update without separately downloading and installing the new ones. Still cool for me to follow the procedure on the link?

Thanks thanks thanks...

Hmm... Followed through with the instructions re: TDSSserv.sys. It's disabled, I've restarted, double-checked it. Still unable to update MBAM or SAS using their respective Update tabs.
 
Well that "read here" link above should work
But I've had users also say that they needed to rename Malwarebytes executable (mbam.exe), like to MBAM2 or something
It's found here: Start->Run-> C:\Program Files\Malwarebytes' Anti-Malware
 
Yeah, no dice. I click "Check for Updates," I get a window telling me "Looking for SecurityWonks.net (or Malwarebytes.org)" ... then nothing. The window stays for as long as I care to leave it open with no movement in the status bar. SAS tells me, "There was an error trying to retrieve definitions. Make sure your firewall is not blocking SUPERANTISPYWARE.exe from accessing the Internet." But I'm running no firewall at the moment. This is maybe related to why I can't download the Java Installer?

Again, though, I was able to separately download each of the most recent definitions databases just fine, then run and install them from the desktop. Just can't seem to connect from "inside" either program.
 
Hmm

That special link above, also has a reply by another member
And in his big reply you should see some blue writing, this is clickable
Please click it, then locate the "Fixit" file
Download it, and run it

No, it's not the firewall-off issue
 
Check. It gave me the attached two logs and two shortcuts that don't lead anywhere when I try to proceed with the instructions on that page (runmbam.exe and sas.exe).
 
Aha. No, Fixit had no effect, but I'm getting somewhere. I opened Internet Explorer (which I usually don't do --- been conducting this through Safari and Firefox) and I was told I was offline. Was prompted to connect or remain offline (despite an otherwise functioning wireless connection). I chose connect, and I can now update both pieces of software properly (and install Java).

As an added symptom, though, I now notice that embedded images are not appearing at all in Explorer. I don't use Explorer anyway, but that's probably not normal, huh?

I'm running the requested (above) scans again, and I'll post the logs shortly...
 
Here are the three logs asked for above.

BFU.exe (the "Brute Force Uninstaller") did run when I extracted the FixIt folder and followed Fixit.cmd, but no such bfu.log appears in here now. The BFU restarted Windows when it was through, and when I returned to my desktop, it had on it the two logs and the two shortcuts I mentioned above. That's it, though (unless this bfu.log could be elsewhere, but I ran a search for it with no results).

Sorry this is turning out to be so complex. For what it's worth, images are still not appearing in Explorer, though other browsers seem to be having no trouble.
 
For what it's worth, I just ran another SAS --- just for fun --- and found another handful of infections. So here's that log, too.
 
Hi Brian

OK, you are getting somewhere at least.

Do the below steps and post the logs. If one doesn't run and the other does, then after the one that does, go back to the first after a reboot.
----------------------------------------------------------------------------------------------------------------------------------
ComboFix

NOTE: If your copy of ComboFix is more than a few days old, delete it and re-download.

Get it here: https://www.techspot.com/downloads/5587-combofix.html
Or here: http://subs.geekstogo.com/ComboFix.exe

Double click combofix.exe follow the prompts.

When finished, it will open a log.
Attach the log and a new HJT log in your next reply.

Note: Do not click ComboFix's window while it's running. That may cause it to stall.
----------------------------------------------------------------------------------------------------------------------------------

When above is complete

Download SDFix to the Desktop; among other things it includes Catchme to look for rootkits.

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

On the Desktop run SDFix. It will run (install) then close.

Then reboot into Safe Mode

As the computer starts up, tap the F8 key several times.

On the Boot menu Choose Safe Mode.

Click through all the prompts to get to the desktop.

At Desktop
My Computer C: drive. Double-click to open.

Look for a folder called SD Fix. Double-click to enter SD Fix.

Double-click RunThis.bat. Type Y to begin.

SD Fix does its job.

When prompted hit the enter key to restart the computer

Your computer will reboot.

On normal restart the Fixtool will run again and complete the removal process then say Finished,
Hit the Enter key to end the script and load your desktop icons.

Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
Attach the Report.txt file to your next post.

Mike
 
Thanks Mike, et al. Here are some logs.

I checked in on Internet Explorer, and for what it's worth, it's displaying images again. I've decided that's probably a good thing.
 
OK run HJT Scan Only select and remove the below entries

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - AppInit_DLLs: anfhoa.dll

Then Combofix again to confirm clean. Post that log then.....

UPDATE SAS and run it again. It should be clean this time! Post me a clean log!

Mike
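The two HijackThis entries Mike asks to remove above (an O9 extra button whose target is "(no file)" and an O20 AppInit_DLLs entry) are the kind of line a helper scans for by eye. The following is an added example, not code from the thread or from the HijackThis project: a small Python parser that reads HijackThis-style log lines and flags those two patterns, so a reviewer can see why each was singled out. The sample log is constructed for the example, modelled on the two lines quoted in the thread plus placeholder lines for contrast; the CLSIDs and paths other than those two are invented.

```python
import re

# Constructed sample of HijackThis-style log lines. The O9 "(no file)" line and
# the O20 AppInit_DLLs line are the two entries quoted in the thread; the other
# lines are invented filler with placeholder CLSIDs and paths.
SAMPLE_HJT_LOG = """\
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\\Program Files\\Example\\helper.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Research - {00000000-0000-0000-0000-000000000002} - C:\\Program Files\\Example\\research.dll
O20 - AppInit_DLLs: anfhoa.dll
O23 - Service: Example Scheduler (ExSched) - Example Vendor - C:\\Program Files\\Example\\sched.exe
"""

# Every HijackThis entry starts with a section code (O2, O9, O20, ...) and " - ".
HJT_LINE = re.compile(r"^(O\d+) - (.+)$")


def parse_hjt(log_text):
    """Return (section, body, raw_line) tuples for each HijackThis entry."""
    entries = []
    for line in log_text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2), line.strip()))
    return entries


def review_entries(entries):
    """Flag the two patterns from the thread and explain why each matters."""
    findings = []
    for section, body, raw in entries:
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            # AppInit_DLLs is a comma/space separated list of DLLs that Windows
            # loads into every process that loads user32.dll. Legitimate
            # software rarely uses it, and a bare filename (no directory) is
            # resolved through the DLL search path, so any entry deserves review.
            value = body[len("AppInit_DLLs:"):]
            for dll in (d for d in re.split(r"[,\s]+", value) if d):
                findings.append({
                    "section": "O20",
                    "item": dll,
                    "line": raw,
                    "reason": "AppInit_DLLs loads this DLL into every process that loads user32.dll",
                })
        elif section == "O9":
            # Format: "Extra button: <name> - <CLSID> - <target file>".
            parts = [p.strip() for p in body.split(" - ")]
            if len(parts) >= 3 and parts[-1] == "(no file)":
                findings.append({
                    "section": "O9",
                    "item": parts[1],
                    "line": raw,
                    "reason": "orphaned browser button: registered CLSID points at a file that no longer exists",
                })
    return findings


def lines_to_fix(log_text):
    """The exact log lines to tick in HijackThis 'Scan Only' mode."""
    return [f["line"] for f in review_entries(parse_hjt(log_text))]


if __name__ == "__main__":
    for finding in review_entries(parse_hjt(SAMPLE_HJT_LOG)):
        print(f"{finding['section']}: {finding['item']} -> {finding['reason']}")
```

Running it on the sample prints the two flagged entries and nothing else; `lines_to_fix` returns the raw lines verbatim so they can be matched against the checkboxes in a real HijackThis scan. The O23 and O2 lines are deliberately left unflagged: the parser only encodes the two patterns discussed in the thread rather than a general verdict on every section.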
 
>> Post me a clean log!

I'm trying, brother, I'm trying. So close. SAS found two tracking cookies, but no more rootkits.
 
Looks like you did it!:cool:

So lets take one more deep look at the system.

Download RSIT
http://images.malwareremoval.com/random/RSIT.exe

Run it, when finished it will open a log Maximized on the screen, copy/paste the contents of this log back here then close that log.

Then the 2nd log is Minimized so Max it and post it also.
The logs will contain a HijackThis log also, so no need to paste another.

Mike
 
Oh, this is exciting. Okay, here they are (attached instead of pasted, since they far surpass the character count).
 
You are so clean you squeak!

Great job!

Browse here and delete this: C:\Documents and Settings\All Users\Application Data\NortonInstaller

Might want to look at: http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039

Below is some cleanup of the tools we used, as they need to be re-downloaded if needed again.

Thread closing-------------------------------------------------------------------
Please download OTCleanIt http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe

Save to desktop.

This will remove all the tools we used to clean your computer.
These tools update so often they require downloading again later if needed.

Double-click OTCleanIt.exe. Click CleanUp. Yes to the "Begin cleanup Process?"

Approve all if prompted by Firewall, Windows Defender or other guards or security programs about OTCleanIt attempting access to the Internet; allow all.

If prompted to Reboot click Yes.
OTCleanIt will delete itself when finished; if not, delete it yourself.

-------------------------------------------------------------------------------------
Run CCleaner again twice or more on Cleanup temps, then on the left click Registry, then Scan for issues; also repeat till clean.

D/L, install and run ATF-Cleaner; clear all except passwords in all browsers you have. Run repeatedly until no more found.

http://www.majorgeeks.com/ATF_Cleaner_d4949.html
-------------------------------------------------------------------------------------
The issues found are in System Restore, so do the below

Start-Programs-Accessories-System Tools-System Restore and create a new Restore point. Name it "After cleanup at TechSpot".

Then Start-Programs-Accessories-System Tools-Disk Cleanup
Click OK to accept C:
Select all Boxes
Then click More Options
Here click System Restore, OK to "Are you sure", and then OK to run.

As this runs it clears all but the most recent Restore Point, but it does one other thing: it clears something that can contain infested files and take a huge amount of disk space.

It clears what is known as Shadow copies which are used by specialized back up programs.

This is if you have the Volume Shadow Copy running which is the default.
-------------------------------------------------------------------------------------

Every 2 weeks or so run MBAM and SAS until clean. They take a while, so leave them scanning while you are sleeping, working or watching TV. If not done under the gun they can be scheduled not to interfere with computer time.

If they find something they can not clean then get back to us.

Additionally run CCleaner.

I have been using ThreatFire for more than a year, it just went from ver 3 to ver 4.

It was designed to co-exist with other Virus scanners.

Additionally it uses a totally different process to protect. While conventional virus scanners work from definitions, ThreatFire works on recognizing virus/malware activity. It's like looking at it with 2 sets of eyes and from a different angle.

http://www.threatfire.com/Download/
-------------------------------------------------------------------------------------
Look at http://www.javacoolsoftware.com/spywareblaster.html

Run SpyBot occasionally and use the Immunize function.
http://www.safer-networking.org/en/download/

Install Hostman and allow it to disable DNS Client and select all 4 Host files and the Update
Hostman http://www.abelhadigital.com/2008/07...-released.html

A Disk scan and Defrag are in order.

Mike
 
Beautiful! I owe it all to you and kimsland. Name a favorite charity for me, and I'll make a modest donation in your honor. I will follow all of the above steps and keep up with Avira, SAS, and MBAM religiously for a couple weeks. Big, big thanks again!
 