Wow...at this point...I just don't understand!

Discussion in 'Malware Help (A Specialist Will Reply)' started by J8son, Jan 12, 2009.

  1. J8son

    J8son Corporal

    Late last year I decided to do a reformat because of spyware. Now granted, that infection was totally my fault as I was dumb enough to be running my system with no protection other than the Windows Firewall. Believe me, I know it was BEYOND boneheaded.

    But, after starting over with a fresh reformat, I went to great lengths to protect my system this time. I bought Outpost Firewall Pro 2009 as my new firewall. I also bought Avast! 4.8 Pro (both of which came highly recommended by Major Geeks, so I knew I could trust them). And since then I've kept all of these updated, as well as updating and running Windows Update, Spybot, CCleaner and Disk Defragment as my regular monthly maintenance program.

    And of course, after all this, the other night I started getting virus alerts for files located in my system32 folder.

    For example, here is a screen cap of one of the warnings Avast! gives me:

    http://j8son.ironnerd.com/Misc./avast_warning.jpg

    Then it tells me it found a virus in memory and wants to perform a boot scan:

    http://j8son.ironnerd.com/Misc./avast_warning2.jpg

    Thing is, I have let Avast! run a boot scan, then a full system scan on its highest sensitivity level with archive scanning enabled, I've run a full system scan with Outpost, a standard scan with Spybot...yet not a single virus was found during these scans. The only physical files/threats that have been detected were: RN.TMP, NTOS.EXE and ~.EXE, all of which Avast! prompted me to "Delete Now" and were removed.

    So I once again followed the Malware removal guide and ran the remaining scans with apps like Combofix and MGtools. But I assure you I have NOT downloaded anything remotely dangerous and the websites I visit aren't anything risqué (well, if you call eBaumsWorld and TMZ risqué). Which is why I am so utterly confused and frustrated at this point. Does this mean that, no matter the level of protection, I just have to accept that at some point an infection of some kind is inevitable? I'd just like to know what to expect.

    In the meantime, I thank the Major Geeks for taking a look at these logs in advance and verifying if I am currently free of threats. My current scans say no but I only take the word of the Majors! ;)
     

    Attached Files:

  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Were you able to run MBAM & SAS? If not, please download, install, update and run them now attaching the logs once complete.

    Also, as a reference I will post our initial instructions below.

     
  3. J8son

    J8son Corporal

    Sorry for the extended delay in following up. Right after posting this I had some home renovations problems and my systems have been down for a week or so.

    Attached are the remaining logs you require. Please reference my first post for the additional logs (FYI, both still say nothing was detected).

    Anything else I need to run? Hopefully I'm clean but I'll do any additional work suggested.

    Thanks! ;)
     

    Attached Files:

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    There have been major updates since my last post, please download the updated versions below.

    Run ComboFix first, once complete run MGtools.exe. Be sure you download MGTools to your C:\ drive and ComboFix.exe to your desktop.

    Attach the new logs once complete.

    Using MGtools

    ComboFix
     
  5. J8son

    J8son Corporal

    Thanks for following up with me bjgarrick.

    Here are the new logs you requested. Any furthering clean required?
     

    Attached Files:

  6. J8son

    J8son Corporal

    FYI:

    After posting the above logs, I surfed a trusted site about 15 minutes later and got this warning/block from Avast:

    http://j8son.ironnerd.com/Misc./warning2.jpg

    Could be nothing but I thought in the interests of transparency of my system, you should know about all activity.

    Thanks!
     
  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Step 1:
    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Step 2:
    Default Security Settings

    To Default Security Settings:
    For Internet Explorer 6 users:
    Click Start > Run > type inetcpl.cpl and press ENTER, when Internet Properties comes up navigate to the Security Tab and click Default Level for the following:
    • Internet
    • Local Intranet
    • Trusted Sites
    • Restricted Sites.
    Click OK to exit.

    For Internet Explorer 7 users:
    Click Start > Run > type inetcpl.cpl and press ENTER, when Internet Properties comes up, navigate to the Security Tab and simply click the "Reset all zones to default level" button. Click OK to exit.

    NOTE: If it's "grey" then it's already at the default level.
    Step 3:
    Please download ATF-Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF-Cleaner menu to close the program.

    Step 4:
    Finally, run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
     
  8. J8son

    J8son Corporal

    Ran the scans and posted the updated logs. Please note to ignore the _.txt and _-_.txt because those are text files I created to use as "separators" for some other files I was working on and the malware removal apps.

    So how do my logs look? Am I clean? Also, is it normal for the CFscript.txt to delete itself from my desktop after scanning when I drag and drop it onto combofix? Now it's gone.

    Thanks!
     

    Attached Files:

  9. J8son

    J8son Corporal

    Update:

    I'm still getting notices from my firewall saying it's blocking hosts from accessing every so often. This could be normal as I've never used this app before but I thought I should mention it.

    Most recent logs still posted above for your review.

    Thanks!
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your logs are clean. Can you attach a screenshot?
     
  11. J8son

    J8son Corporal

    Great, glad to see the logs are now clean.

    Here is the screen shot you requested:

    http://j8son.ironnerd.com/Misc./warning4.jpg

    This is just an example of a similar block notice, not the exact one. Here you'll see this is a site that's on the black list (I get this whenever I play a video from the eBaum's World main site).

    Which brings me back to my original question in the first post. I am 110% certain this system has not come across any malicious sites, I have a great firewall / anti-virus running, yet I still had (although a minor) infection.

    So, is it just unavoidable to a certain extent?
     
  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    It could be one of the ads on the site trying to load or something similar. If your antivirus and firewall stay updated then you should be fine.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware & Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    3. If we had you run Avenger, you can delete all files related to Avenger now.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to Add/Remove Programs and uninstall HijackThis.
    8. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    9. If you are running Windows Vista, Windows XP or Windows ME, you need to follow the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  13. J8son

    J8son Corporal

    Thanks for the help. Incidentally, while I was on MySpace of all places I got the actual block notice I was referring to:

    http://j8son.ironnerd.com/Misc./warning5.jpg

    But you're right as this is probably more general in nature as opposed to a direct threat.

    Thanks! ;)
     
  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You can also try Comodo Firewall to see if it does the same thing. I'm not familiar with Outpost as I use Comodo. If you do use Comodo be sure you uninstall Outpost first.
     
  15. J8son

    J8son Corporal

  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  17. J8son

    J8son Corporal

    Agreed. I was just wondering that, if over time, people have compiled a list of everything it resets. ;)
     
  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Well, we could suggest things but the author will more than likely do what he wants with it since it's his utility.

    Surf Safely!:)
     
