Trojans, Root-kit, loss of firewall.

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Severus, Nov 18, 2011.

  1. Severus

    Severus Private E-2

    Last night while looking for information on how to export iPhone contacts to my computer my Avira gave a pop-up message saying a trojan had been found. I clicked quarantine and it removed a file named ipsec.sys from the system32 drivers folder. I then received a pop-up telling me Windows Firewall was deactivated and noticed Avira had been as well. After reactivating Avira it took around 2 minutes to work, and on trying to reactivate my firewall I got the message that it couldn't as the ipsec.sys file was missing. Also lost internet connection.

    After reading about ipsec online and trying to extract it from the i386 folder and the setup disc with no success I did a repair install in order to get internet access back, purely to upload some important work files.

    I've run all the usual scans, the logs of which I've attached, apart from RootRepeal. I've never used this one before and note that it can take a long time to complete. I tried it and left it for two hours before coming back and noticing it was still saying "Initialising, please wait" and my hard drive light was constantly on with no breaks in usage. Also saw no effect from moving my mouse and leaving it five minutes to see if it was just heavy usage. Is this the normal behaviour of this program? If so, I will run it again for however long it takes.

    Please help, I literally use my PC online only for work so without it I can't make any money. Which is why I opted to only use the Windows firewall. The fact that I only visit four or five sites (apart from last night) led me to believe Windows Firewall was ample. Looks like I was wrong...

    Anyway, any help is greatly appreciated. MBAM found and removed 4 viruses and 1 trojan, if I remember right; SAS found 8 trojans with 7 of them being in System Restore points (I have this turned off currently, should it be on until the system is cleaned and then toggled?); and ComboFix found a rootkit in the tp/ip thing and deleted some ntuninstall things. Is it clean or still riddled?

    Many thanks in advance for any help given.
     

    Attached Files:

  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    The installed version of Firefox on this computer is out-dated. Install the current version of Firefox from: Mozilla Firefox

    -----------------------------------------------------------

    Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. NOT supported for use in 9x or ME

    Upgrading Java:

    • Download the latest version of Java SE Runtime Environment (JRE) JRE 6 Update 29.
    • Click the "Download JRE" button to the right.
    • Accept the license agreement.
    • Click on the download link for your system and save it to your desktop.
      Windows x86 Offline (jre-6u29-windows-i586.exe)
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
    • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on the download to install the newest version. (Vista/7 users, right-click on the JRE download and select "Run as an Administrator.")

    -----------------------------------------------------------

    Using Add or Remove Programs in the Control Panel, uninstall the following, if necessary:
    Code:
    Java(TM) 6 Update 22
    Mozilla Firefox (3.6.18)
    Mozilla Firefox 5.0 (x86 en-GB)
    
    -----------------------------------------------------------

    Run C:\MGtools\analyse.exe by double-clicking it (Vista and Win7 right-click and select Run as Administrator)
    Shut down your protection software now to avoid possible conflicts.
    Note: This is actually Trend Micro HiJackThis - v2.0.4
    Choose Do a system scan only and select the following lines but do not click fix until you exit all explorer windows and all browser sessions including the one you are reading in right now:
    Code:
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    After clicking Fix, exit out of Trend Micro HiJackThis - v2.0.4


    -----------------------------------------------------------

    Now we need to use ComboFix to remove some stuff.

    • Make sure that the copy of combofix.exe that you downloaded earlier is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it

    (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KillAll::
    
    Driver::
    kzqmbebs
    
    File::
    g:\windows\SETF8.tmp
    g:\windows\SETEC.tmp
    g:\windows\SETE9.tmp
    g:\windows\system32\drivers\kzqmbebs.sys
    G:\WINDOWS\TEMP\EBGWFU\SETUP.EXE
    
    Folder::
    G:\WINDOWS\TEMP\EBGWFU
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFScript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note: DO NOT mouseclick combofix's window while it is running. That may cause it to stall.

    The ComboFix folder should not be renamed since ComboFix and even we would have suspicions about it. Also when you uninstall CF, the folder would not be removed since it does not look for that folder name.

    -----------------------------------------------------------

    Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)

    • ComboFix (C:\combofix.txt)

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
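    The CFScript posted above is a plain, section-based text format: a header such as File:: followed by one entry per line. The following Python dry-run reviewer is an added example, not code from this thread, from ComboFix or from MajorGeeks; it parses that format into a plan and flags the things an analyst would check before the script is dragged onto ComboFix. The meaning attached to each section (KillAll:: stops running processes, Driver:: removes a driver service, File:: and Folder:: delete the named paths) is an assumption drawn from how the script is used in this post, and the sample script embedded in the code is a constructed copy of the one above.

```python
"""Dry-run reviewer for a ComboFix-style CFScript (added example, not ComboFix code)."""
import re
from collections import OrderedDict

# Sections this reviewer understands. What ComboFix does with each one is an
# assumption drawn from how the thread uses them, not from ComboFix documentation:
#   KillAll:: stop running processes, Driver:: remove a driver service,
#   File:: delete files, Folder:: delete folders.
KNOWN_SECTIONS = {"KillAll", "Driver", "File", "Folder"}

# Constructed copy of the script posted in the thread (same entries, same drive letter).
SAMPLE_SCRIPT = """\
KillAll::

Driver::
kzqmbebs

File::
g:\\windows\\SETF8.tmp
g:\\windows\\SETEC.tmp
g:\\windows\\SETE9.tmp
g:\\windows\\system32\\drivers\\kzqmbebs.sys
G:\\WINDOWS\\TEMP\\EBGWFU\\SETUP.EXE

Folder::
G:\\WINDOWS\\TEMP\\EBGWFU
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")   # e.g. "File::"
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")          # e.g. "G:\..."


def parse_cfscript(text):
    """Split the script into {section: [entries]} in the order the sections appear."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue                      # blank lines only separate sections
        match = SECTION_RE.match(line)
        if match:
            current = match.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError("entry before any section header: %r" % line)
        sections[current].append(line)
    return sections


def review(sections):
    """Warnings an analyst would want to see before the script is run."""
    warnings = []
    for name in sections:
        if name not in KNOWN_SECTIONS:
            warnings.append("unknown section %s::" % name)
    paths = sections.get("File", []) + sections.get("Folder", [])
    for entry in paths:
        if not ABS_PATH_RE.match(entry):
            warnings.append("relative path is ambiguous: %s" % entry)
    # A driver removed by name should also have its .sys listed under File::,
    # otherwise the service entry goes but the binary stays on disk.
    files_lower = [f.lower() for f in sections.get("File", [])]
    for drv in sections.get("Driver", []):
        suffix = "\\%s.sys" % drv.lower()
        if not any(f.endswith(suffix) for f in files_lower):
            warnings.append("driver %s has no matching .sys under File::" % drv)
    # One script targets one Windows install; mixed drive letters deserve a second look.
    drives = {p[0].upper() for p in paths if ABS_PATH_RE.match(p)}
    if len(drives) > 1:
        warnings.append("entries span several drives: %s" % ", ".join(sorted(drives)))
    return warnings


def plan(text):
    """Summarise what the script would do and attach review warnings."""
    sections = parse_cfscript(text)
    return {
        "kill_all": "KillAll" in sections,
        "drivers": list(sections.get("Driver", [])),
        "files": list(sections.get("File", [])),
        "folders": list(sections.get("Folder", [])),
        "warnings": review(sections),
    }


if __name__ == "__main__":
    result = plan(SAMPLE_SCRIPT)
    print("stop all processes first :", result["kill_all"])
    print("driver services to remove:", result["drivers"])
    print("files to delete          :", len(result["files"]))
    print("folders to delete        :", result["folders"])
    print("warnings                 :", result["warnings"] or "none")
```

    Run as-is it summarises the script from this post (one driver service, five files, one folder, no warnings); pointing plan() at a script that names a driver without its .sys file, uses a relative path, or mixes drive letters produces a warning for each, which is the kind of inconsistency worth catching before a removal script touches a system.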
     
  3. Severus

    Severus Private E-2

    All instructions carried out with no problems, ComboFix log attached below.

    I never use Firefox so I guess I should've deleted those outdated versions long ago. Also, is there any way you know of to keep Java automatically updated or of being informed when the version you have installed becomes outdated?

    Thank you for your help!!
     

    Attached Files:

  4. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Your ComboFix log looks just fine. How are things running?
     
  5. Severus

    Severus Private E-2

    Thank you so much, I know you hear it all the time but what you do on here is really outstanding. You make a huge difference to people, so thank you.

    After two days of normal running it seems fine, I've had no problems with internet access and have now installed Comodo Firewall which immediately looks far more substantial than the Windows one.

    One thing happened today which made me wonder if everything is 100% though. My Windows Live Messenger program, which I had minimised on my taskbar, maximised by itself and logged me in. As far as I can remember this has never happened before and I'm wondering if it's something associated with a particular issue?
     
  6. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Let's take a look at what is going on.

    Download -->> OTL <<-- to your desktop.


    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Check the boxes beside LOP Check and Purity Check.
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
      • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
        Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
      • Attach both logs with your next reply.
     
  7. Severus

    Severus Private E-2

    Logs attached :)
     

    Attached Files:

  8. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Run OTL.exe

    • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
      Code:
      :OTL
      O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
      O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
      [5 G:\WINDOWS\*.tmp files -> G:\WINDOWS\*.tmp -> ]
      [1 G:\WINDOWS\System32\*.tmp files -> G:\WINDOWS\System32\*.tmp -> ]
      
      :Commands
      [Purity]
      [EmptyTemp]
      [EmptyFlash]
      [EmptyJava]
      [ResetHosts]
      [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot when it is done
    • Attach the new log produced by OTL (C:\_OTL).
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
    Last edited: Nov 23, 2011
  9. Severus

    Severus Private E-2

    Ok it ran with no problems and rebooted automatically when it finished. The log doesn't mean much to me but it looks like it wasn't able to run the first four commands in the text you gave me and only did the empty temp command?
     

    Attached Files:

  10. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    There was a format error in the OTL fix. Run the fix again, in my previous post.
     
  11. Severus

    Severus Private E-2

    New log attached.
     

    Attached Files:

  12. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Windows Live Messenger still logging you in by itself?
     
  13. Severus

    Severus Private E-2

    It hasn't happened at all today, I'll run my PC for a couple of days and let you know.

    Is there anything else you recommend I run and attach logs of in the meantime or is it just a case of me seeing how it goes now?

    Also, I've been reading up on here about how to back up my registry to the root of the C drive. The files I want would be the ones modified half an hour ago by OTL, correct? There are a couple of bigger versions of them in the folder called e.g. SAM.bak; those would be the old ones I'm guessing, and would I want to delete them?
     
  14. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    There is nothing else I need you to run. Monitor how things are working and if everything seems fine then let me know.

    The stuff you see in the OTL folder are backups created by OTL. Just in case something goes wrong during a fix, you can use the backups to restore the system. Though backing up your registry is a good idea in general, it isn't really necessary as long as System Restore is enabled and you have restore points being created at reasonable intervals.
     
