Win32 download virus/Rogue Agent/Gen-Nullo - Spybot & SAS not succeeding in removal

[pashatemur]

[attachment=5228]Win32 downloader virus/Rogue Agent/Gen-Nullo detected by Spybot S and D and Superantispyware, which both programs “fix,” but the virus(es) regenerates on reboot.

I have scanned and removed cookies, temp files, other files and uninstalled applications that were considered lesser threats and some which I read could be associated with malware/spyware.

I keep receiving alerts from Windows System 32 that “an illegal command has been made.” I use Firefox as my browser and it is redirected to fake surveys requesting my personal information and what look like coupon offers.

I have downloaded and purchased Malwarebytes only to have it’s setup blocked by System 32 with alerts that the there is a “runtime error.”


The most recent SUPERAntiSpyware Scan Log:
Generated 07/27/2013 at 11:43 AM

Application Version : 5.6.1020

Core Rules Database Version : 10644
Trace Rules Database Version: 8456

Scan type : Complete Scan
Total Scan Time : 01:03:46

Operating System Information
Windows Vista Home Premium 32-bit (Build 6.00.6000)
UAC On - Limited User

Memory items scanned : 681
Memory threats detected : 0
Registry items scanned : 41037
Registry threats detected : 0
File items scanned : 69113
File threats detected : 1

Rogue.Agent/Gen-Nullo[EXE]
C:\WINDOWS\SYSTEM32\REGSVR32.EXE

I would dearly appreciate advice and aid.

Thank you,
Pash

 

[kuttus]

Hi and welcome to the malwaretips.com forums!

I'm Kuttus and I am going to try to assist you with your problem. Please take note of the below:

• I will start working on your malware issues, this may or may not, solve other issues you have with your machine.
• The fixes are specific to your problem and should only be used for this issue on this machine!
• The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
• If you don't know, stop and ask! Don't keep going on.
• Please reply to this thread. Do not start a new topic.
• Refrain from running self fixes as this will hinder the malware removal process.
• It may prove beneficial if you print of the following instructions or save them to notepad as I post them.

Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.


Before we start:
Please be aware that removing malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.
<hr />




STEP 1: Run the below OTL fix
<ol><li>Start <>OTL.exe</></li>
<li>Copy/paste the following text written <>inside of the code box</> into the <>Custom Scans/Fixes</> box located at the bottom of OTL

:OTL
MOD - [2013/07/29 16:11:16 | 000,128,512 | ---- | M] () -- C:\Users\pashatemur\AppData\Local\temp\_MEI50482\_elementtree.pyd
MOD - [2013/07/29 16:11:16 | 000,044,032 | ---- | M] () -- C:\Users\pashatemur\AppData\Local\temp\_MEI50482\_socket.pyd
MOD - [2013/07/29 16:11:15 | 000,557,056 | ---- | M] () -- C:\Users\pashatemur\AppData\Local\temp\_MEI50482\pysqlite2._sqlite.pyd
MOD - [2013/07/29 16:11:15 | 000,320,512 | ---- | M] () -- C:\Users\pashatemur\AppData\Local\temp\_MEI50482\win32com.shell.shell.pyd
MOD - [2013/07/29 16:11:15 | 000,098,816 | ---- | M] () -- C:\Users\pashatemur\AppData\Local\temp\_MEI50482\win32api.pyd
MOD - [2013/07/29 16:11:15 | 000,070,656 | ---- | M] () -- C:\Users\pashatemur\AppData\Local\temp\_MEI50482\wx._html2.pyd
MOD - [2013/07/29 16:11:15 | 000,026,624 | ---- | M] () -- C:\Users\pashatemur\AppData\Local\temp\_MEI50482\_multiprocessing.pyd
MOD - [2013/07/29 16:11:15 | 000,022,528 | ---- | M] () -- C:\Users\pashatemur\AppData\Local\temp\_MEI50482\win32ts.pyd
MOD - [2013/07/29 16:11:14 | 001,022,416 | ---- | M] () -- C:\Users\pashatemur\AppData\Local\temp\_MEI50482\windows._cacheinvalidation.pyd
MOD - [2013/07/29 16:11:14 | 000,805,888 | ---- | M] () -- C:\Users\pashatemur\AppData\Local\temp\_MEI50482\wx._gdi_.pyd
MOD - [2013/07/29 16:11:14 | 000,011,264 | ---- | M] () -- C:\Users\pashatemur\AppData\Local\temp\_MEI50482\win32crypt.pyd
MOD - [2013/07/29 16:11:13 | 000,364,544 | ---- | M] () -- C:\Users\pashatemur\AppData\Local\temp\_MEI50482\pythoncom27.dll
MOD - [2013/07/29 16:11:13 | 000,087,040 | ---- | M] () -- C:\Users\pashatemur\AppData\Local\temp\_MEI50482\_ctypes.pyd
MOD - [2013/07/29 16:11:13 | 000,017,408 | ---- | M] () -- C:\Users\pashatemur\AppData\Local\temp\_MEI50482\win32profile.pyd
MOD - [2013/07/29 16:11:12 | 000,735,232 | ---- | M] () -- C:\Users\pashatemur\AppData\Local\temp\_MEI50482\wx._misc_.pyd
MOD - [2013/07/29 16:11:11 | 001,175,040 | ---- | M] () -- C:\Users\pashatemur\AppData\Local\temp\_MEI50482\wx._core_.pyd
MOD - [2013/07/29 16:11:11 | 000,110,080 | ---- | M] () -- C:\Users\pashatemur\AppData\Local\temp\_MEI50482\PyWinTypes27.dll
MOD - [2013/07/29 16:11:11 | 000,108,544 | ---- | M] () -- C:\Users\pashatemur\AppData\Local\temp\_MEI50482\win32security.pyd
MOD - [2013/07/29 16:11:10 | 001,153,024 | ---- | M] () -- C:\Users\pashatemur\AppData\Local\temp\_MEI50482\_ssl.pyd
MOD - [2013/07/29 16:11:09 | 000,711,680 | ---- | M] () -- C:\Users\pashatemur\AppData\Local\temp\_MEI50482\_hashlib.pyd
MOD - [2013/07/29 16:11:09 | 000,035,840 | ---- | M] () -- C:\Users\pashatemur\AppData\Local\temp\_MEI50482\win32process.pyd
MOD - [2013/07/29 16:11:09 | 000,025,600 | ---- | M] () -- C:\Users\pashatemur\AppData\Local\temp\_MEI50482\win32pdh.pyd
MOD - [2013/07/29 16:11:08 | 000,811,008 | ---- | M] () -- C:\Users\pashatemur\AppData\Local\temp\_MEI50482\wx._windows_.pyd
MOD - [2013/07/29 16:11:08 | 000,122,368 | ---- | M] () -- C:\Users\pashatemur\AppData\Local\temp\_MEI50482\wx._wizard.pyd
MOD - [2013/07/29 16:11:08 | 000,119,808 | ---- | M] () -- C:\Users\pashatemur\AppData\Local\temp\_MEI50482\win32file.pyd
MOD - [2013/07/29 16:11:08 | 000,038,912 | ---- | M] () -- C:\Users\pashatemur\AppData\Local\temp\_MEI50482\win32inet.pyd
MOD - [2013/07/29 16:11:02 | 001,062,400 | ---- | M] () -- C:\Users\pashatemur\AppData\Local\temp\_MEI50482\wx._controls_.pyd
MOD - [2013/07/29 16:10:45 | 000,018,432 | ---- | M] () -- C:\Users\pashatemur\AppData\Local\temp\_MEI50482\win32event.pyd
MOD - [2013/07/29 16:10:39 | 000,127,488 | ---- | M] () -- C:\Users\pashatemur\AppData\Local\temp\_MEI50482\pyexpat.pyd
MOD - [2013/07/29 16:10:36 | 000,686,080 | ---- | M] () -- C:\Users\pashatemur\AppData\Local\temp\_MEI50482\unicodedata.pyd
MOD - [2013/07/29 16:10:27 | 000,010,240 | ---- | M] () -- C:\Users\pashatemur\AppData\Local\temp\_MEI50482\select.pyd
IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3298566&CUI=UN22724320467942079&UM=2
IE - HKLM\..\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}: "URL" = http://www.plusnetwork.com/?sp=lintbie&q={searchTerms}&dp=MessengerPlus
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://feed.plusnetwork.com/?publisher=MessengerPlus&dpid=MessengerPlus&co=TJ&userid=06c6ab3b-10f4-49fe-a03a-683f7aac540a&sp=addr&q={searchTerms}&t=b0125
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://feed.plusnetwork.com/?publisher=MessengerPlus&dpid=MessengerPlus&co=TJ&userid=06c6ab3b-10f4-49fe-a03a-683f7aac540a&sp=addr&q={searchTerms}&t=b0125
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://feed.plusnetwork.com/?publisher=MessengerPlus&dpid=MessengerPlus&co=TJ&userid=06c6ab3b-10f4-49fe-a03a-683f7aac540a&sp=addr&q={searchTerms}&t=b0125
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://feed.plusnetwork.com/?publisher=MessengerPlus&dpid=MessengerPlus&co=TJ&userid=06c6ab3b-10f4-49fe-a03a-683f7aac540a&sp=addr&q={searchTerms}&t=b0125
IE - HKCU\..\SearchScopes,DefaultScope = {afdbddaa-5d3f-42ee-b79c-185a7020515b}
IE - HKCU\..\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}: "URL" = http://feed.plusnetwork.com/?publisher=MessengerPlus&dpid=MessengerPlus&co=TJ&userid=06c6ab3b-10f4-49fe-a03a-683f7aac540a&sp=addr&q={searchTerms}&t=b0125
IE - HKCU\..\SearchScopes\{547EEAAC-3665-4e6c-B326-C622D698543A}: "URL" = http://www.bing.com/search?FORM=WLETDF&PC=WLEM&q={searchTerms}&src=IE-SearchBox
IE - HKCU\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3298566&CUI=UN22724320467942079&UM=2
[2011/03/17 17:07:59 | 000,000,000 | ---D | M] (No name found) -- C:\Users\pashatemur\AppData\Roaming\Mozilla\Extensions\celtx@celtx.com
[2013/07/22 11:22:20 | 000,000,000 | ---D | M] (MixiDJ V30) -- C:\Users\pashatemur\AppData\Roaming\Mozilla\Firefox\Profiles\dyb5q4k4.default-1369022461324\Extensions\{1122b43d-30ee-403f-9bfa-3cc99b0caddd}
[2013/06/26 07:35:03 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2012/06/20 09:56:43 | 000,091,584 | ---- | M] (Coupons, Inc.) -- C:\Program Files\mozilla firefox\plugins\npCouponPrinter.dll
[2012/06/20 09:56:44 | 000,091,584 | ---- | M] (Coupons, Inc.) -- C:\Program Files\mozilla firefox\plugins\npMozCouponPrinter.dll
CHR - default_search_provider: Babylon (Enabled)
CHR - default_search_provider: search_url = http://search.babylon.com/?q={searchTerms}&babsrc=SP_ss_din2g&mntrId=8EBD001C26DD9F39&affID=119351&tt=040713_ifrmful&tsp=4937
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&q={searchTerms}&{google:cursorPosition}sugkey={google:suggestAPIKeyParameter}
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (RealNetworks Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll (RealDownloader)
O2 - BHO: (DivX Plus Web Player HTML5 <video>) - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll (DivX, LLC)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (AVG Security Toolbar) - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\15.3.0.11\AVG Secure Search_toolbar.dll (AVG Secure Search)
O2 - BHO: (no name) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found.
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Define) - {B78F92C8-DEB3-11E2-9A0A-FB64281D6ADE} - C:\Users\pashatemur\AppData\Local\DefineExt\temp.dat ()
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
[2013/04/27 14:25:50 | 001,514,496 | ---- | C] (Softwareentwicklung Yuschuk) -- C:\Users\pashatemur\AppData\Local\ollydbg.exe
[2010/11/15 16:49:57 | 011,336,456 | ---- | C] (Mozy, Inc.) -- C:\ProgramData\Tempmozy-update-a31217e595a1463492ad999467f8f0a1.exe
[2013/07/26 23:39:50 | 000,000,224 | ---- | M] () -- C:\Windows\System32\9B13A86D.plf
[2013/07/13 20:36:54 | 000,332,086 | ---- | M] () -- C:\Users\pashatemur\AppData\Local\census.cache
[2013/07/13 20:36:15 | 000,262,915 | ---- | M] () -- C:\Users\pashatemur\AppData\Local\ars.cache
[2013/07/13 20:18:19 | 000,000,036 | ---- | M] () -- C:\Users\pashatemur\AppData\Local\housecall.guid.cache
[2013/07/08 16:36:10 | 000,000,005 | ---- | C] () -- C:\Users\pashatemur\AppData\Roaming\WBPU-TTL.DAT
[2013/04/29 12:58:00 | 000,001,542 | ---- | C] () -- C:\Users\pashatemur\AppData\Local\Plot Control 2.0.udd
[2013/04/27 14:26:23 | 000,010,883 | ---- | C] () -- C:\Users\pashatemur\AppData\Local\ollydbg.ini
[2010/10/03 13:18:15 | 000,004,105 | ---- | C] () -- C:\ProgramData\mnjemahv.gza
[2010/04/15 01:14:19 | 000,032,346 | ---- | C] () -- C:\ProgramData\nvModes.dat
[2010/04/15 01:14:19 | 000,032,346 | ---- | C] () -- C:\ProgramData\nvModes.001
[2010/03/03 13:46:07 | 005,961,648 | ---- | C] () -- C:\Users\pashatemur\R182249.exe
[2010/03/01 09:13:24 | 000,004,922 | ---- | C] () -- C:\ProgramData\xqkcebzs.dik
[2010/03/01 09:13:23 | 000,004,998 | ---- | C] () -- C:\ProgramData\rugqgaaw.ekm
[2009/10/28 07:35:14 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2009/08/07 18:20:00 | 000,004,096 | -H-- | C] () -- C:\Users\pashatemur\AppData\Local\keyfile3.drm
[2008/07/18 14:02:44 | 000,008,484 | ---- | C] () -- C:\Users\pashatemur\AppData\Local\d3d9caps.dat
[2007/10/30 06:59:13 | 000,027,810 | ---- | C] () -- C:\Users\pashatemur\AppData\Roaming\nvModes.001
[2007/10/29 16:20:12 | 000,027,810 | ---- | C] () -- C:\Users\pashatemur\AppData\Roaming\nvModes.dat
[2007/10/23 08:11:10 | 000,044,544 | ---- | C] () -- C:\Users\pashatemur\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2013/04/29 12:58:00 | 000,001,542 | ---- | C] () -- C:\Users\pashatemur\AppData\Local\Plot Control 2.0.udd
[2013/04/27 14:26:23 | 000,010,883 | ---- | C] () -- C:\Users\pashatemur\AppData\Local\ollydbg.ini[2013/07/12 21:48:56 | 000,000,000 | ---D | M](C:\ProgramData\?g?g?????????????????????????) -- C:\ProgramData\䓠ğ䊠ğ浡䘠汩獥䵜䅣敦⁥敓畣楲祴匠慣屮⸳⸰ㄳ尳瑦潣普杩椮楮
[2013/07/12 21:48:56 | 000,000,000 | ---D | M](C:\ProgramData\?g?g?????????????????????????) -- C:\ProgramData\䓠ğ䊠ğ浡䘠汩獥䵜䅣敦⁥敓畣楲祴匠慣屮⸳⸰ㄳ尳瑦潣普杩椮楮
[2013/07/12 21:48:56 | 000,000,000 | ---D | C](C:\ProgramData\?g?g?????????????????????????) -- C:\ProgramData\䓠ğ䊠ğ浡䘠汩獥䵜䅣敦⁥敓畣楲祴匠慣屮⸳⸰ㄳ尳瑦潣普杩椮楮
[2013/07/12 17:27:02 | 000,000,000 | ---D | M](C:\ProgramData\?-?-?????????????????????????) -- C:\ProgramData\䓠-䊠-浡䘠汩獥䵜䅣敦⁥敓畣楲祴匠慣屮⸳⸰ㄳ尳瑦潣普杩椮楮
[2013/07/12 17:27:02 | 000,000,000 | ---D | M](C:\ProgramData\?-?-?????????????????????????) -- C:\ProgramData\䓠-䊠-浡䘠汩獥䵜䅣敦⁥敓畣楲祴匠慣屮⸳⸰ㄳ尳瑦潣普杩椮楮
[2013/07/12 17:27:02 | 000,000,000 | ---D | C](C:\ProgramData\?-?-?????????????????????????) -- C:\ProgramData\䓠-䊠-浡䘠汩獥䵜䅣敦⁥敓畣楲祴匠慣屮⸳⸰ㄳ尳瑦潣普杩椮楮



:commands
[emptytemp]
[reboot]

<>NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system</></li>
<li>Then click the <>Run Fix</> button at the top</li>
<li>Let the program run unhindered, reboot when it is done</li>
<li>Attach the new log produced by OTL (C:\_OTL)</li>
</ol>

<hr />

 

[pashatemur]

Thanks Kuffu.

I have run OTL with the code you posted to me and have attached the resulting log . After the reboot, I have to restart the computer as it did not bring up my desktop for a very long time. I had a black screen with just the cursor showing. After the reboot, I had to open OTL.exe as administrator to retrieve the log. I also received alerts from "System 32" again.

Also, in saving the log to my desktop so that I could attach it to this reply, I had to save it without the dot between the numbers and the word, "log."[attachment=5239]

 

[kuttus]

Okay Cool......

STEP 1: Run a scan with AdwCleaner

<ol><li>Download AdwCleaner from the below link.
<><a href="http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/2-adwcleaner" target="_blank">ADWCLEANER DOWNLAOD LINK</a></> (This link will automatically download Security Check on your computer)</li>

<li>Close all open programs and internet browsers.</li>
<li>Double click on <>adwcleaner.exe</> to run the tool.</li>
<li>Click on <>Delete</>,then confirm each time with <>Ok</>.</li>
<li>Your computer will be rebooted automatically. A text file will open after the restart.</li>
<li>Please post the contents of that logfile with your next reply.</li>
<li>You can find the logfile at <>C:\AdwCleaner[S1].txt</> as well.</li>
</ol>
<hr/>

STEP 2: Run a scan with Junkware Removal Tool

Please download Junkware Removal Tool to your desktop from here

• Turn off your antivirus software now to avoid potential conflicts
• Double-click to run the tool. For Windows Vista or 7 users, right-click the file and select Run as Administrator
• The tool will open and start scanning your system
• Please be patient as this can take a while to complete depending on your system's specifications
• On completion, a log (JRT.txt) will be saved to your desktop and will automatically open
• Post the contents of JRT.txt into your next reply

---

Download Malwarebytes Anti-Rootkit from here to your Desktop

• Unzip the contents to a folder on your Desktop.
• Open the folder where the contents were unzipped and run mbar.exe
• Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
• Make sure there is a check next to Create Restore Point and click the Cleanup button to remove any threats. Reboot if prompted to do so.
• After the reboot, perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If there are threats, click Cleanup once more and reboot.
• When done, please post the two logs in the MBAR folder(mbar-log.txt and system-log.txt)

---

Please download Malwarebytes' Anti-Malware to your desktop.

• Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to
  • Update Malwarebytes' Anti-Malware
  • and Launch Malwarebytes' Anti-Malware
• then click Finish.
• If an update is found, it will download and install the latest version.
• When it prompts you to try their 30-day trail, click decline
• Once the program has loaded, select Perform quick scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
• When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidently close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

---

 

[pashatemur]

I downloaded and ran scans and cleanup. Malwarbytes Anti-Malware would not setup properly. I received messages from System 32 "error runtime 0" etc. The scan logs from ADWcleaner, Junkware Removal Tool, and Malwarebytes Anti-Rootkit are attached/pasted in this message.

[attachment=5251]

[attachment=5252]

[attachment=5253]

[attachment=5254]

[attachment=5255]

 

[kuttus]

STEP 1: Run a HitmanPro scan
<ol>
<li><>Download the latest official version of HitmanPro</>.
<a href="http://www.surfright.nl/en/hitmanpro/" rel="nofollow" target="_blank"> <>HITMANPRO DOWNLOAD LINK</></a> <em>(This link will open a download page in a new window from where you can download HitmanPro)</em></li>
<li>Start HitmanPro by <>double clicking on the previously downloaded file.</> and then following the prompts.
<img src="http://malwaretips.com/images/removalguide/hpro4.png" alt="[Image: hitmanproscan4.png]" border="0" /></li>
<li>Once the scan is complete, a screen displaying all the malicious files that the program found will be shown as seen in the image below.After reviewing each malicious object click <>Next</> .
<img src="http://malwaretips.com/blogs/wp-content/uploads/2012/02/rsz_hpro5.png" alt="[Image: hitmanproscan5.png]" border="0" /></li>
<li>Click <>Activate free license</> to start the free 30 days trial and remove the malicious files.
<img src="http://malwaretips.com/images/removalguide/hpro6.png" alt="[Image: hitmanproscan6.png]" border="0" /></li>
<li>HitmanPro will now start removing the infected objects, and in some instances, may suggest a reboot in order to completely remove the malware from your system. In this scenario, always confirm the reboot action to be on the safe side.
</ol>
Add to your next reply, any log that HitmanPro might generate.
<hr />

STEP 2: Run a scan with ESET Online Scanner
<ol>
<li>Download ESET Online Scanner utility from the below link
<><a title="External link" href="http://download.eset.com/special/eos/esetsmartinstaller_enu.exe" rel="nofollow">ESET ONLINE SCANNER DOWNLOAD LINK</a></> <em>(This link will automatically download ESET Online Scanner on your computer.)</em></li>
<li>Double click on the Eset installer program (esetsmartinstaller_enu.exe).</li>
<li>Check <>Yes, I accept the Terms of Use</></li>
<li>Click the <>Start</> button.</li>
<li>Check <>Scan archives</></li>
<li>Push the <>Start</> button.</li>
<li>ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.</li>
<li>When the scan completes, push <>List of found threats</></li>
<li>Push <>Export to Text file </> and save the file to your desktop using a unique name, such as <>ESET Scan</>. Include the contents of this report in your next reply.Note - when ESET doesn't find any threats, no report will be created.</li>
<li>Push the <>back</> button.</li>
<li>Push <>Finish</></li>
</ol>
<hr />

STEP 3: Run a scan with Kaspersky Virus Removal Tool
<ol><li>Download Kaspersky Virus Removal Tool from the below link and then double click on it to start this utility.
<><a title="External link" href="http://www.kaspersky.com/antivirus-removal-tool?form=1" rel="nofollow">KASPERSKY VIRUS REMOVAL TOOL</a></> <em>(This link open an new webpage from where you can download Kaspersky Virus Removal Tool on your computer.)</em></li>
<li>Follow the onscreen prompts until it is installed</li>
<li>Click the Options button (the 'Gear' icon), then make sure only the following are ticked:
<ul>
<li><span style="color: #ff0000;">System Memory</span></li>
<li><span style="color: #ff0000;">Hidden startup objects</span></li>
<li><span style="color: #ff0000;">Disk boot sectors</span></li>
<li><span style="color: #ff0000;">Local Disk (C: )</span></li>
<li><span style="color: #ff0000;">Also any other drives (Removable that you may have)</span></li>
</ul>
</li>
<li>Then click on <>Actions</> on the left hand side</li>
<li>Click <>Select Action</>, then make sure both <>Disinfect</> and <>Delete if disinfection fails</> are ticked</li>
<li>Click on <>Automatic Scan</></li>
<li>Now click the <>Start Scanning</> button, to run the scan</li>
<li>After the scan is complete, click the reports button ('Paper icon', next to the 'Gear' icon) on the right hand side</li>
<li>Click <>Detected threats</> on the left</li>
<li>Now click the <>Save</> button, and save it as <>kaslog.txt</> to your <>Desktop</></li>
<li>Please attach kaslog.txt in your next reply.</li>
</ol>
<hr />

 

[pashatemur]

Hello Kuttus,

I am still getting Win Sys 32 alerts about illegal commands and I am still being redirected when I click links on internet though my computer is running much faster. Kasperky ran and found no threats yet ESET indicated there were threats remaining out of the 20 it found and addressed. Here are the logs requested:

An alert tells me the Hitman log which is saved as a txt file is not allowed so I am pasting the log minus its head and tail mark up of "

" and "

":

HitmanPro 3.7.6.201
www.hitmanpro.com

Computer name . . . . : PASHATEMUR-PC
Windows . . . . . . . : 6.0.0.6000.X86/2
User name . . . . . . : pashatemur-PC\pashatemur
UAC . . . . . . . . . : Enabled
License . . . . . . . : Free

Scan date . . . . . . : 2013-07-31 20:57:32
Scan mode . . . . . . : Normal
Scan duration . . . . : 5m 57s
Disk access mode . . : Direct disk access (SRB)
Cloud . . . . . . . . : Internet
Reboot . . . . . . . : No

Threats . . . . . . . : 49
Traces . . . . . . . : 1286

Objects scanned . . . : 2,010,327
Files scanned . . . . : 35,828
Remnants scanned . . : 561,681 files / 1,412,818 keys

Malware _____________________________________________________________________

C:\Users\pashatemur\Downloads\Download.exe
Size . . . . . . . : 301,408 bytes
Age . . . . . . . : 62.5 days (2013-05-30 08:22:14)
Entropy . . . . . : 7.9
SHA-256 . . . . . : BF696DDD8FD2CC52D422DD8B231E32FA27E9F93B03D911D6ACE90CF3CFA5D07D
Product . . . . . : StarApp
Publisher . . . . : StarApp
Description . . . : Installer for StarApp
Version . . . . . : 2013.5.19.1709
Copyright . . . . : Copyright © 2012 StarApp
RSA Key Size . . . : 2048
Authenticode . . . : Valid
> G Data . . . . . . : Adware.Generic.543756
Fuzzy . . . . . . : 101.0

C:\Users\pashatemur\Downloads\Final_Draft.exe
Size . . . . . . . : 111,080 bytes
Age . . . . . . . : 550.8 days (2012-01-28 00:37:07)
Entropy . . . . . : 7.3
SHA-256 . . . . . : 3B1400CBAE580E7D9DEDCD98D1453BD653B2909D06E8E975575785935E6BADDE
Product . . . . . : Final Draft
Description . . . : Final Draft
Version . . . . . : 2.1.249.0
Copyright
RSA Key Size . . . : 2048
Authenticode . . . : Valid
> G Data . . . . . . : Gen:Variant.Adware.Solimba.1
Fuzzy . . . . . . : 100.0

C:\Users\pashatemur\Downloads\Setup(1).exe
Size . . . . . . . : 1,065,256 bytes
Age . . . . . . . : 17.5 days (2013-07-14 09:09:33)
Entropy . . . . . : 6.9
SHA-256 . . . . . : 2B218AFA79ADBC00326E55813B2FBBEEA38F586E1D805E8A4E736DB36A8AD738
Needs elevation . : Yes
RSA Key Size . . . : 2048
Authenticode . . . : Valid
> HitmanPro . . . . : not-a-virus:AdWare.Win32.Agent.aece
Fuzzy . . . . . . : 100.0

C:\Users\pashatemur\Downloads\Setup-Trelby-2.0.exe
Size . . . . . . . : 9,443,756 bytes
Age . . . . . . . : 555.8 days (2012-01-23 01:48:30)
Entropy . . . . . : 8.0
SHA-256 . . . . . : 2F8AB0C5FD00CEEA5E903E5561F795EDE0F5AD0DF61121410443E24131EABF65
Product . . . . . : Trelby
Publisher . . . . : Trelby.org
Description . . . : Trelby 2.0.0.0-dev installer
Copyright . . . . : Trelby.org
> Emsisoft . . . . . : Trojan-Clicker.Win32.NSIS!A2
Fuzzy . . . . . . : 106.0


Potential Unwanted Programs _________________________________________________

HKU\S-1-5-21-3160253956-3066026-1946907609-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{4D2D3B0F-69BE-477A-90F5-FDDB05357975} (Claro)
HKU\S-1-5-21-3160253956-3066026-1946907609-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{98889811-442D-49DD-99D7-DC866BE87DBC} (Claro)

Cookies _____________________________________________________________________

C:\Users\pashatemur\AppData\Roaming\Mozilla\Firefox\Profiles\dyb5q4k4.default-1369022461324\cookies.sqlite:247realmedia.com
C:\Users\pashatemur\AppData\Roaming\Mozilla\Firefox\Profiles\dyb5q4k4.default-1369022461324\cookies.sqlite:2o7.net
C:\Users\pashatemur\AppData\Roaming\Mozilla\Firefox\Profiles\dyb5q4k4.default-1369022461324\cookies.sqlite:a1.interclick.com
C:\Users\pashatemur\AppData\Roaming\Mozilla\Firefox\Profiles\dyb5q4k4.default-1369022461324\cookies.sqlite:ad.360yield.com
C:\Users\pashatemur\AppData\Roaming\Mozilla\Firefox\Profiles\dyb5q4k4.default-1369022461324\cookies.sqlite:ad.mlnadvertising.com
C:\Users\pashatemur\AppData\Roaming\Mozilla\Firefox\Profiles\dyb5q4k4.default-1369022461324\cookies.sqlite:ad.wamnetwork.com
C:\Users\pashatemur\AppData\Roaming\Mozilla\Firefox\Profiles\dyb5q4k4.default-1369022461324\cookies.sqlite:ad.yieldmanager.com
C:\Users\pashatemur\AppData\Roaming\Mozilla\Firefox\Profiles\dyb5q4k4.default-1369022461324\cookies.sqlite:ads.advertdigital.com
C:\Users\pashatemur\AppData\Roaming\Mozilla\Firefox\Profiles\dyb5q4k4.default-1369022461324\cookies.sqlite:ads.p161.net
C:\Users\pashatemur\AppData\Roaming\Mozilla\Firefox\Profiles\dyb5q4k4.default-1369022461324\cookies.sqlite:ads.pointroll.com
C:\Users\pashatemur\AppData\Roaming\Mozilla\Firefox\Profiles\dyb5q4k4.default-1369022461324\cookies.sqlite:ads.pubmatic.com
C:\Users\pashatemur\AppData\Roaming\Mozilla\Firefox\Profiles\dyb5q4k4.default-1369022461324\cookies.sqlite:ads.undertone.com
C:\Users\pashatemur\AppData\Roaming\Mozilla\Firefox\Profiles\dyb5q4k4.default-1369022461324\cookies.sqlite:ads.us.e-planning.net
C:\Users\pashatemur\AppData\Roaming\Mozilla\Firefox\Profiles\dyb5q4k4.default-1369022461324\cookies.sqlite:adtech.de
C:\Users\pashatemur\AppData\Roaming\Mozilla\Firefox\Profiles\dyb5q4k4.default-1369022461324\cookies.sqlite:adtechus.com
C:\Users\pashatemur\AppData\Roaming\Mozilla\Firefox\Profiles\dyb5q4k4.default-1369022461324\cookies.sqlite:advertising.com
C:\Users\pashatemur\AppData\Roaming\Mozilla\Firefox\Profiles\dyb5q4k4.default-1369022461324\cookies.sqlite:amazonlocal.122.2o7.net
C:\Users\pashatemur\AppData\Roaming\Mozilla\Firefox\Profiles\dyb5q4k4.default-1369022461324\cookies.sqlite:apmebf.com
C:\Users\pashatemur\AppData\Roaming\Mozilla\Firefox\Profiles\dyb5q4k4.default-1369022461324\cookies.sqlite:at.atwola.com
C:\Users\pashatemur\AppData\Roaming\Mozilla\Firefox\Profiles\dyb5q4k4.default-1369022461324\cookies.sqlite:atdmt.com
C:\Users\pashatemur\AppData\Roaming\Mozilla\Firefox\Profiles\dyb5q4k4.default-1369022461324\cookies.sqlite:burstnet.com
C:\Users\pashatemur\AppData\Roaming\Mozilla\Firefox\Profiles\dyb5q4k4.default-1369022461324\cookies.sqlite:casalemedia.com
C:\Users\pashatemur\AppData\Roaming\Mozilla\Firefox\Profiles\dyb5q4k4.default-1369022461324\cookies.sqlite:collective-media.net
C:\Users\pashatemur\AppData\Roaming\Mozilla\Firefox\Profiles\dyb5q4k4.default-1369022461324\cookies.sqlite:doubleclick.net
C:\Users\pashatemur\AppData\Roaming\Mozilla\Firefox\Profiles\dyb5q4k4.default-1369022461324\cookies.sqlite:fastclick.net
C:\Users\pashatemur\AppData\Roaming\Mozilla\Firefox\Profiles\dyb5q4k4.default-1369022461324\cookies.sqlite:googleads.g.doubleclick.net
C:\Users\pashatemur\AppData\Roaming\Mozilla\Firefox\Profiles\dyb5q4k4.default-1369022461324\cookies.sqlite:interclick.com
C:\Users\pashatemur\AppData\Roaming\Mozilla\Firefox\Profiles\dyb5q4k4.default-1369022461324\cookies.sqlite:invitemedia.com
C:\Users\pashatemur\AppData\Roaming\Mozilla\Firefox\Profiles\dyb5q4k4.default-1369022461324\cookies.sqlite:kontera.com
C:\Users\pashatemur\AppData\Roaming\Mozilla\Firefox\Profiles\dyb5q4k4.default-1369022461324\cookies.sqlite:media6degrees.com
C:\Users\pashatemur\AppData\Roaming\Mozilla\Firefox\Profiles\dyb5q4k4.default-1369022461324\cookies.sqlite:mediaplex.com
C:\Users\pashatemur\AppData\Roaming\Mozilla\Firefox\Profiles\dyb5q4k4.default-1369022461324\cookies.sqlite:network.realmedia.com
C:\Users\pashatemur\AppData\Roaming\Mozilla\Firefox\Profiles\dyb5q4k4.default-1369022461324\cookies.sqliteointroll.com
C:\Users\pashatemur\AppData\Roaming\Mozilla\Firefox\Profiles\dyb5q4k4.default-1369022461324\cookies.sqliteool-eu-ie.creative-serving.com
C:\Users\pashatemur\AppData\Roaming\Mozilla\Firefox\Profiles\dyb5q4k4.default-1369022461324\cookies.sqlite:questionmarket.com
C:\Users\pashatemur\AppData\Roaming\Mozilla\Firefox\Profiles\dyb5q4k4.default-1369022461324\cookies.sqlite:realmedia.com
C:\Users\pashatemur\AppData\Roaming\Mozilla\Firefox\Profiles\dyb5q4k4.default-1369022461324\cookies.sqlite:revsci.net
C:\Users\pashatemur\AppData\Roaming\Mozilla\Firefox\Profiles\dyb5q4k4.default-1369022461324\cookies.sqlite:ru4.com
C:\Users\pashatemur\AppData\Roaming\Mozilla\Firefox\Profiles\dyb5q4k4.default-1369022461324\cookies.sqlite:serving-sys.com
C:\Users\pashatemur\AppData\Roaming\Mozilla\Firefox\Profiles\dyb5q4k4.default-1369022461324\cookies.sqlite:specificclick.net
C:\Users\pashatemur\AppData\Roaming\Mozilla\Firefox\Profiles\dyb5q4k4.default-1369022461324\cookies.sqlite:stats.paypal.com
C:\Users\pashatemur\AppData\Roaming\Mozilla\Firefox\Profiles\dyb5q4k4.default-1369022461324\cookies.sqlite:stats.snacktools.net
C:\Users\pashatemur\AppData\Roaming\Mozilla\Firefox\Profiles\dyb5q4k4.default-1369022461324\cookies.sqlite:tacoda.at.atwola.com
C:\Users\pashatemur\AppData\Roaming\Mozilla\Firefox\Profiles\dyb5q4k4.default-1369022461324\cookies.sqlite:track.adform.net
C:\Users\pashatemur\AppData\Roaming\Mozilla\Firefox\Profiles\dyb5q4k4.default-1369022461324\cookies.sqlite:track.prd.inpwrd.com
C:\Users\pashatemur\AppData\Roaming\Mozilla\Firefox\Profiles\dyb5q4k4.default-1369022461324\cookies.sqlite:tribalfusion.com
C:\Users\pashatemur\AppData\Roaming\Mozilla\Firefox\Profiles\dyb5q4k4.default-1369022461324\cookies.sqlite:www.burstnet.com
C:\Users\pashatemur\AppData\Roaming\Mozilla\Firefox\Profiles\dyb5q4k4.default-1369022461324\cookies.sqlite:www.googleadservices.com
C:\Users\pashatemur\AppData\Roaming\Mozilla\Firefox\Profiles\dyb5q4k4.default-1369022461324\cookies.sqlite:zedo.com

[attachment=5261]

I ran AVG anti rootkit scan and AVG found 20 mid level threats in the operating system all Sys 32 related and it said it fixed them. I could not copy and paste the resultant log. Here is what the log said:

Service Function NtUserSetWinEvent Hook hook (arrow symbol here) 8653904drv.sys + 0x3F2A0 ... C:\Windows\System 32\DRIVERS\8653904drv.sys - AVG says it is "secured" and "healed."

 

[pashatemur]

Hello again, Kuttus. I ran Esetscan again and the new report says I have 29 problems/infections. The scan is attached. I have not taken action regarding the problems. I wanted to show you the log first.[attachment=5262]

 

[pashatemur]

One more thing. I can not run Malwarebytes. I keep getting runtime error alerts from win32 .

 

[kuttus]

Okay.


Please run the following utility so that I can get a log of your system...
STEP 1 : Run a scan with Combofix

Please read and follow very carefully the below instructions​

Download ComboFix from one of the following locations:

COMBOFIX DOWNLOAD LINK #1 (This link will automatically download Combofix on your computer)
COMBOFIX DOWNLOAD LINK #2 (This link will automatically download Combofix on your computer)
----------------------------------------------------------------
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

<ul>
<li>Close any open browsers.</li>
<li>Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
<>Very Important!</> Temporarily <>disable</> your <>anti-virus</>, <>script blocking</> and any <>anti-malware</> real-time protection <em><>before</></em> performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause <em>"unpredictable results"</em>.</li>
<li><>WARNING: Combofix will disconnect your machine from the Internet as soon as it starts</>.Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.</li>
</ul>
-----------------------------------------------------------------

How to run the Combofix scan :

1. Double click on ComboFix.exe & follow the prompts.
2. Accept the disclaimer and allow to update if it asks
3. When finished, it shall produce a log for you.
   [*]Please include the C:\ComboFix.txt in your next reply.

Additional notes:
<ol><li> Do not mouse-click Combofix's window while it is running. That may cause it to stall.</li>
<li> Do not "re-run" Combofix. If you have a problem, reply back for further instructions.</li>
<li> If after the reboot you get errors about programms being marked for deletion then reboot, that will cure it.</li></ol>



<hr />

 

[pashatemur]

Here is the combofix log in attachment.

[attachment=5267]

 

[kuttus]

Okay........

All this seems good only...... How's everything working now?

 

[pashatemur]

Okay........

All this seems good only...... How's everything working now?

I could not access malwaretips.com and I restarted my computer. I again got an alert from windows32\regsvr.exe..... "illegal command... NTVDM CPU..." and the same alert when I tried to run malwarebytes antivirus.

 

[kuttus]

Could you please send me a Screen shots of what you are getting?

To Take Screen Of Your Screen.

1. Press PRINT SCREEN (Print Scr) key on Your Keyboard.
2. Now Open MS Paint
3. Open Paint by clicking the Start button
   
   , clicking All Programs, clicking Accessories, and then clicking Paint.
4. In MS Paint Click Edit, and then click Paste.
5. After this Save the File on your computer by Clicking on File --> Save

Add this Saved File in your next Replay

 

[pashatemur]

Here you go.. Interestingly, when I tried to save one as "sys 32 error message for MalwareTips" it said it was not allowed. Malware + 3 letters put in an address bar or file name is blocked.

[attachment=5274]

 

[pashatemur]

Also, here is a report generated by Rogue Killer in attachment. Maybe that might be of some assistance. I did not take any action, just scanned.

[attachment=5275]

 

[pashatemur]

Also, here is a report generated by Rogue Killer in attachment. Maybe that might be of some assistance. I did not take any action, just scanned.

I forgot to mention that I am now getting lines of black across my screen at start up just as the user options icons are being displayed and then they resolve and the screen image is stable.

 

[kuttus]

Please run Run Autoruns and send me the screenshots of the Tab Scheduled Task, Winlogon and Internet Explorer.


To Take Screen Of Your Screen.

1. Press PRINT SCREEN (Print Scr) key on Your Keyboard.
2. Now Open MS Paint
3. Open Paint by clicking the Start button
   
   , clicking All Programs, clicking Accessories, and then clicking Paint.
4. In MS Paint Click Edit, and then click Paste.
5. After this Save the File on your computer by Clicking on File --> Save

Add this Saved File in your next Replay

 

[pashatemur]

Here is a combined screen shot of autorun containing the 3 tabs Scheduled Tasks, Win Logon, and Internet Explorer:

[attachment=5281]

 

[pashatemur]

I was away from my computer only to find that a tab had been opened (not by me) and a setup box for a "setup.exe" opened. The page had "java" written on it in a font not usual for a java update etc. This is not the first time this has happened either. Two days ago, my browser navigated to three different pages in a row and sometimes I will find a new tab has opened to a page for internet gaming or what proports to be internet gaming.