Last week Kestrel and ChasLang helped me with this - and it's caused more trouble

Discussion in 'Malware Help (A Specialist Will Reply)' started by StoneHenge, Jan 28, 2011.

  1. StoneHenge

    StoneHenge Private E-2

    Last week Kestrel and ChasLang helped me with an incorrect .dll that was giving me an error message.

    After running the appropriate scans everything seemed to be in order.

    I created a new limited user account so as to begin fresh after having the problem located here: http://forums.majorgeeks.com/showthread.php?t=231204

    Since January 21, 2011, two days after being fixed, I haven’t been able to access the internet.

    McAfee AV turns off; MBAM protection is disabled; the computer absolutely freezes completely; couldn’t run ComboFix, MGTools, or SuperAntiSpyware; zero connectivity to internet; TaskManager was totally frozen.

    I rebooted in Safe Mode, ran all scans, and that produced nothing. Then I remembered to change the account settings to Admin rights and rescanned in normal startup; this is what I got:

    SAS and MBAM would not load. I saved ComboFix under another name and it ran. Then I was able to run SAS. I then ran MBAM and it only ran halfway and froze (Not Responding). BUT, that half scan detected 2 instances of Trojan.zbot (see screen shot). I ran MBAM again and it found both .zbot’s again. This time I aborted scan and it asked me to quarantine, delete and restart machine. I did that.

    Since then I have run all the procedures again in the user account in which the Trojans were detected. The logs come up clean. My AV seems to be working fine (BUT, I said that same thing a week or so ago and it wasn’t fine like I thought it was). I ran SpyBot after all the requested scans and it produced no detections.

    I would like to ask MG: do I have a rootkit infection? Is there another scan I can run to make sure my machine is infection-free?

    I would like to ask MG: which Firefox extension was infected by Trojan.zbot? Or, how can I identify which extension is responsible from the profile’s extensions folder? This will help me to uninstall the extension so it doesn’t ask me for an update. Could it be RockMelt causing the infection?

    I would like to ask MG: is it possible this banking virus has compromised the integrity of my computer either temporarily or permanently?

    I would like to ask MG: how can the administrator account get infected when I didn’t even access it, and I only used the new limited user account I created a week ago? Is it possible this carried over from the infection I had two weeks ago that MG fixed for me?

    I am attaching the most recent logs from scans I ran after MBAM deleted both Trojan.zbot infections.

    I am also attaching a screen shot of the MBAM screen when it found the problems files.

    I am also attaching a copy of the MBAM log from when the infection was detected.

    If you would like, I can attach copies of the logs I ran in Safe Mode, if you think they can help to show what was happening while I was infected, before MBAM found the Trojans. Again, SAS and MBAM netted nothing while I was infected, but maybe MajorGeeks can get more information from said logs than myself.

    Thanks again for your help.
     

    Attached Files:

  2. StoneHenge

    StoneHenge Private E-2

    remaining logs as per Read and Run Me First
     

    Attached Files:

  3. StoneHenge

    StoneHenge Private E-2

    Since posting a few minutes ago, Windows Defender has asked me to allow the following to run:

    PEVsystemsmart (screenshot attached) and Hosts file modifications (screenshot attached).
     

    Attached Files:

  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I want Chaslang to take a look at your thread, he is very busy so you will have to be patient. What I want to ask you now, is do you use a firefox add-on called NoScript?
     
  5. StoneHenge

    StoneHenge Private E-2

    Yes Kestrel!

    I use NoScript.

    I also use the add-ons KeyScrambler, AdblockPlus, WOT, and BetterPrivacy for more secure interfacing with websites.

    When MBAM identified this as an FF extension problem I disabled all add-ons (for now).

    Also, I literally just opened MBAM two minutes ago and it detected Hijack.ControlPanelStyle, despite having given me a clean report earlier this afternoon and I haven't used the internet since then. Unfortunately I did not take a screen shot before deleting the Hijack Trojan...

    Thanks Kestrel
     
  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Well I have a feeling that what MBAM was detecting was something to do with a setting for NoScript and that it was actually a false positive. I could be wrong. But we will see what Chas says.

    I don't think this is a problem either. :)
     
  7. StoneHenge

    StoneHenge Private E-2

    Thanks Kestrel.

    You know, after having the first infection I'm edgy now about every little quirk my computer has.

    I, like you, will wait for Chas' view on this.
     
  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes, I would rather he had the final say on the matter; however, most of my research pointed towards the Malwarebytes findings being connected to the NoScript add-on.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    A correct assessment. :)
     
  10. StoneHenge

    StoneHenge Private E-2

    Since posting a couple of hours ago I tried accessing the other user accounts on my machine, but the other administrator account, as well as the two limited accounts, have AntiVirus and MBAM disabled, and completely freeze up.

    I'll clean them as best as I can. I don't believe that posting logs will help with this.

    I have uninstalled NoScript, and hope that solves the problems.

    Thanks again Chas and Kestrel.

    After all accounts return clean MBAM and SAS scans and AV works in all accounts would that be the best time to toggle System Restore?
     
  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You should not really have to uninstall NoScript; it is a nice add-on and you obviously wanted it. So how about reporting the false positive to Malwarebytes?

    Then you should de-quarantine the items MBAM removed, or put them onto its ignore list.
     
  12. StoneHenge

    StoneHenge Private E-2

    Kestrel, I never knew how to report false positives to MBAM. I'll report it this morning because my computer is totally freezing up, and it disables McAfee and MBAM. I can't run a McAfee scan at all: the program looks like it begins executing, but it doesn't progress beyond 0% of the scan. I couldn't run MGTools this morning; it had to be renamed so it would run. Then, running a Malwarebytes scan, MBAM scans for 20 minutes or so and then enters "Not Responding" status, with the hard drive sounding like it is really laboring to get the scan moving.

    Kestrel, I already purchased McAfee until next January, so I'll continue to use it for the next year. After that I'll probably switch to Comodo. But, for now, should I get rid of Defender because I have a paid-for version of McAfee AV already installed?

    Despite my current problems, you folks at MajorGeeks are MajorGreat for the patient and consistent help you offer us plebes.

    I'll let you know of any developments I make with this task.

    Thanks again Kestrel.
     
  13. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    What is disabling McAfee and MBAM? :confused

    Why are you trying to run MGTools again?

    Sounds like you have software problems, or maybe operating system issues. Not a topic for this forum.

    You can keep Windows Defender.

    You're welcome. :)

    Rename MGTools from whatever you renamed it to, back to MGTools.exe.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (this uninstall will only work as written if you installed ComboFix on your Desktop like we requested).
      • Click START then RUN, enter the below into the run box, and then click OK. Note the quotes are required:
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to Add/Remove Programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program, which will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
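    Added example, not from the thread and not one of MajorGeeks' own tools: a Windows PowerShell script that checks whether each item of the final-steps checklist above actually took effect on a Vista / Windows 7 machine. It assumes PowerShell is started as Administrator, that ComboFix was placed on the Desktop as the READ ME asks, and that C:\Qoobox is ComboFix's quarantine folder (the name used later in this thread); the registry paths are standard Windows locations. It changes nothing; it only reports what is still left to do.

```powershell
# Post-cleanup verification for the "final steps" checklist (added example).
# Assumes: run as Administrator in Windows PowerShell on Vista / Windows 7.
$findings = @()

# Step 2: ComboFix should be gone, including its quarantine folder C:\Qoobox.
$combofix = Join-Path $env:USERPROFILE 'Desktop\combofix.exe'
foreach ($path in @($combofix, 'C:\Qoobox')) {
    if (Test-Path $path) { $findings += "Step 2: still present: $path (run `"$combofix`" /uninstall)" }
}

# Step 6: UAC must be back on. EnableLUA is the registry value that controls UAC.
# Check this before step 8, because MGclean.bat deletes C:\MGtools\enableUAC.reg.
$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$lua = (Get-ItemProperty -Path $policy -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
if ($lua -ne 1) { $findings += 'Step 6: UAC is disabled (EnableLUA is not 1); apply C:\MGtools\enableUAC.reg first' }

# Step 7: HijackThis should no longer appear under Add/Remove Programs
# (the Uninstall keys are what that control panel lists; Wow6432Node covers 64-bit).
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$hjt = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
       Where-Object { $_.DisplayName -like 'HijackThis*' }
if ($hjt) { $findings += "Step 7: HijackThis still installed ($($hjt.DisplayName))" }

# Step 8: MGclean.bat removes C:\MGtools; if the folder remains, it was not run.
if (Test-Path 'C:\MGtools') { $findings += 'Step 8: C:\MGtools still exists; run C:\MGtools\MGclean.bat' }

# Step 9: after a flush only a fresh Restore Point should exist. Any point created
# before today means the old (possibly infected) Restore Points are still on disk.
$old = Get-ComputerRestorePoint -ErrorAction SilentlyContinue | Where-Object {
    [System.Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime) -lt (Get-Date).Date
}
if ($old) { $findings += "Step 9: $(@($old).Count) Restore Point(s) predate today; disable System Restore, reboot, re-enable it" }

if ($findings.Count -eq 0) { 'All final-step checks passed.' } else { $findings }
```

    Run it once after finishing the list and again after the reboot in step 9; an empty findings list means every step left the expected state behind.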
  14. StoneHenge

    StoneHenge Private E-2

    Kestrel:

    Everything seems to be better now.

    MBAM says they'll include this in the next update.

    I'm not sure I was having software problems, after the scans were re-run this morning everything seems to be fine. ComboFix sent the questionable files to Qoobox quarantine (as .VIR files) and now it is all good. I had to run ComboFix in each user account separately to stop the AV from being disabled in each account.

    I just followed the final steps, and all programs load normally.

    My AV works fine, MBAM is no longer disabled, and I have fluid connectivity to internet.

    Thanks again, Kestrel and ChasLang.

    Cheers!

    Now it's time to get some rest :zzz
     
