Resolved HJT Threads Resolved spyware and popup issues.
Old 07-29-2009, 05:01 AM   #1 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 6
OS: WINXP


Your Computer is infected

Hi people,

I have a computer that has a warning message on a sub account.

Your computer is infected!

Your computer has been stopped due to a serious malfunction.
Spyware activity has been detected.

(This is in a black box with red writing and light blue writing on the desktop.)

I am thinking this may be some virus that my virus protection is not picking up.

I have enclosed the files that were asked for on the first thread.

Please help.
Aaron



DDS (Ver_09-06-26.01) - NTFSx86
Run by Owner at 21:28:26.99 on Tue 07/28/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.502.107 [GMT -4:00]

AV: Anti-Virus - SBC Yahoo! Online Protection *On-access scanning enabled* (Outdated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
AV: Trend Micro AntiVirus *On-access scanning enabled* (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Apoint2K\Apntex.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uLocal Page = \blank.htm
uStart Page = hxxp://yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Settings,ProxyOverride = 127.0.0.1;<local>;*.local
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: UberButton Class: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: YahooTaggedBM Class: {65d886a2-7ca7-479b-bb95-14d1efb7946a} - c:\program files\yahoo!\common\YIeTagBm.dll
BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [Apoint] "c:\program files\apoint2k\Apoint.exe"
mRun: [hpWirelessAssistant] "c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe"
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [eabconfg.cpl] "c:\program files\hpq\quick launch buttons\EabServr.exe" /Start
mRun: [YBrowser] c:\progra~1\yahoo!\browser\ybrwicon.exe
mRun: [CanonMyPrinter] "c:\program files\canon\myprinter\BJMyPrt.exe" /logon
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_06\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nkbmon~1.lnk - c:\program files\nikon\pictureproject\NkbMonitor.exe
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_Print.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
LSP: c:\windows\system32\VetRedir.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1243542067859
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
Notify: igfxcui - igfxsrvc.dll
Notify: WRNotifier - WRLogonNTF.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 VET-FILT;VET File System Filter;c:\windows\system32\drivers\Vet-Filt.sys [2006-9-27 21031]
R1 VET-REC;VET File System Recognizer;c:\windows\system32\drivers\Vet-Rec.sys [2006-9-27 15478]
R1 VETEFILE;VET File Scan Engine;c:\windows\system32\drivers\VetEFile.sys [2006-9-27 879832]
R1 VETFDDNT;VET Floppy Boot Sector Monitor;c:\windows\system32\drivers\VetFDDNT.sys [2006-9-27 15735]
R1 VETMONNT;VET File Monitor;c:\windows\system32\drivers\vetmonnt.sys [2006-9-27 26787]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2008-4-8 52624]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2007-12-16 36368]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-12 24652]
R3 tmproxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2008-4-8 648456]
R3 VETEBOOT;VET Boot Scan Engine;c:\windows\system32\drivers\VetEBoot.sys [2006-9-27 108360]
S2 CAISafe;CAISafe; [x]
S2 VETMSGNT;VET Message Service; [x]

=============== Created Last 30 ================

2009-07-28 21:11 812,344 a------- c:\program files\HJTInstall.exe
2009-07-11 18:10 162 a------- c:\windows\system32\delself.bat
2009-07-11 18:08 2,794,496 a------- c:\windows\system32\AVR09.exe
2009-07-11 18:08 28,672 a------- C:\myacngu.exe
2009-07-11 18:07 191 a------- c:\windows\3456665.bat
2009-07-11 18:07 831 a------- c:\windows\system32\critical_warning.html
2009-07-11 18:07 93,184 a------- c:\windows\system32\winupdate.exe
2009-07-11 15:51 28,672 a------- c:\windows\system32\dllcache\figaro.sys
2009-07-11 15:51 2 a------- c:\windows\0101120101464849.dat
2009-07-11 15:51 2 a------- c:\windows\010112010146118114.dat
2009-07-11 15:50 0 a------- C:\gfub.exe
2009-07-11 15:50 23,552 a------- c:\windows\ld12.exe
2009-07-11 15:50 7,680 a------- c:\windows\system32\braviax.exe68
2009-07-11 15:48 135,680 a------- c:\windows\msa.exe
2009-07-11 15:48 212,996 a------- c:\windows\system32\msxml71.dll
2009-07-10 19:42 19,327 a------- c:\docume~1\alluse~1\applic~1\ojyqypaga.com
2009-07-10 19:42 17,575 a------- c:\windows\izujyhepu.inf
2009-07-10 19:42 17,144 a------- c:\windows\afocu._dl
2009-07-10 19:42 16,749 a------- c:\docume~1\alluse~1\applic~1\bibimyq.pif
2009-07-10 19:42 16,691 a------- c:\windows\gesajataj.exe
2009-07-10 19:42 16,324 a------- c:\windows\yfupig.db
2009-07-10 19:42 15,700 a------- c:\windows\system32\kydas._dl
2009-07-10 19:42 14,874 a------- c:\program files\common files\ymyre.scr
2009-07-10 19:42 13,785 a------- c:\windows\lewus._dl
2009-07-10 19:40 <DIR> --d----- c:\program files\PC_Security2009
2009-07-10 19:40 240,644 a------- c:\windows\system32\wisdstr.exe
2009-07-10 19:23 0 a------- C:\clynbqef.exe
2009-07-10 19:20 11,264 a------- c:\windows\system32\braviax .exe
2009-07-09 17:43 <DIR> --d----- c:\docume~1\owner\applic~1\RegistryPC
2009-07-09 17:16 2,944 a------- c:\windows\system32\drivers\null.sys
2009-07-09 17:16 97,484 a------- c:\windows\system32\drivers\OLDE7.tmp
2009-07-09 17:13 4,224 a------- c:\windows\system32\drivers\beep.sys
2009-07-09 17:13 4,224 a------- c:\windows\system32\dllcache\beep.sys
2009-07-09 17:13 97,484 a------- c:\windows\system32\drivers\OLDE4.tmp
2009-07-09 12:32 <DIR> --d----- c:\program files\sFX
2009-07-09 12:31 1 a------- c:\windows\934fdfg34fgjf23
2009-07-09 12:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\10205464
2009-07-09 12:28 2 a------- C:\2063459834
2009-07-09 12:28 93,184 a------- C:\khkha.exe

==================== Find3M ====================

2009-07-17 07:49 2,298 ac------ c:\docume~1\owner\applic~1\wklnhst.dat
2009-07-11 10:42 18,782 a------- c:\program files\common files\lotowaxi._dl
2009-06-16 10:55 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:55 82,432 a------- c:\windows\system32\fontsub.dll
2009-06-16 10:55 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 10:55 82,432 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-03 15:27 1,290,752 a------- c:\windows\system32\quartz.dll
2009-06-03 15:27 1,290,752 -------- c:\windows\system32\dllcache\quartz.dll
2009-05-07 11:44 344,064 a------- c:\windows\system32\localspl.dll
2009-05-07 11:44 344,064 -------- c:\windows\system32\dllcache\localspl.dll
2006-09-27 22:50 7,088 ac------ c:\docume~1\alluse~1\applic~1\ypinfo.bin

============= FINISH: 21:29:25.77 ===============
Attached Files
File Type: zip Ark.zip (4.4 KB, 2 views)
File Type: txt DDS.txt (10.5 KB, 3 views)

Last edited by amateur; 07-29-2009 at 06:14 AM. Reason: to paste in the DDS.txt
Mark2MR2 is offline  

Old 07-29-2009, 10:20 AM   #2 (permalink)
Analyst, Security Team
Join Date: Apr 2008
Location: Tokyo, JP
Posts: 1,476
OS: Vista, Linux Mint


Re: Your Computer is infected

hi.

Welcome to TSF

You may wish to subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

---------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions, and please do not attempt any fixes on your own or run any scanners unless requested by a helper.

--------------------------------------------------------------------------

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

Mark
__________________
To accomplish great things, we must not only act, but also dream; not only plan, but also believe.
If I have been helping you and do not reply within 24 hours, please send me a message.
I'm a member of U.N.I.T.E and A.S.A.P
mas_pogi is offline  
Old 07-29-2009, 04:40 PM   #3 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 6
OS: WINXP


Re: Your Computer is infected

Thank you for your help, Mark.
Here is the document you requested:

Malwarebytes' Anti-Malware 1.39
Database version: 2528
Windows 5.1.2600 Service Pack 2

7/29/2009 6:36:10 PM
mbam-log-2009-07-29 (18-36-10).txt

Scan type: Quick Scan
Objects scanned: 111727
Time elapsed: 30 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 7
Files Infected: 92

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\LocalService\Application Data\twain_32 (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\twain_32 (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\Documents and Settings\sean and trevor\Application Data\twain_32 (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\Documents and Settings\sean and trevor\Start Menu\Programs\PC_Security2009 (Rogue.PCSecurity2009) -> Quarantined and deleted successfully.
C:\Program Files\PC_Security2009 (Rogue.PCSecurity2009) -> Quarantined and deleted successfully.
c:\program files\pc_security2009\data (Rogue.PCSecurity2009) -> Quarantined and deleted successfully.
c:\program files\pc_security2009\Microsoft.VC80.CRT (Rogue.PCSecurity2009) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\msa.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\ld12.exe (Worm.Koobface) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\AVR09.exe (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\pcmstub.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\winupdate.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\wisdstr.exe (Rogue.Installer) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\OLDE4.tmp (Rootkit.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\OLDE7.tmp (Rootkit.Agent) -> Quarantined and deleted successfully.
c:\khkha.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\myacngu.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-1801524161-2601544908-734365411-5632\wnzip32.exe (Malware.Packer) -> Quarantined and deleted successfully.
c:\documents and settings\sean and trevor\local settings\Temp\BN1.tmp (Malware.Packer) -> Quarantined and deleted successfully.
c:\documents and settings\sean and trevor\local settings\Temp\BN2.tmp (Malware.Packer) -> Quarantined and deleted successfully.
c:\documents and settings\sean and trevor\local settings\Temp\BN5.tmp (Malware.Packer) -> Quarantined and deleted successfully.
c:\documents and settings\sean and trevor\local settings\Temp\BNB2.tmp (Malware.Packer) -> Quarantined and deleted successfully.
c:\documents and settings\sean and trevor\local settings\Temp\bucksnet.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\sean and trevor\local settings\Temp\c.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\sean and trevor\local settings\Temp\csrss.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\sean and trevor\local settings\Temp\d.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\sean and trevor\local settings\Temp\db.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\sean and trevor\local settings\Temp\debug.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\sean and trevor\local settings\Temp\e .exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\sean and trevor\local settings\Temp\maccsnet.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\sean and trevor\local settings\Temp\mdm.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\sean and trevor\local settings\Temp\notepad .exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\sean and trevor\local settings\Temp\notepad.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\sean and trevor\local settings\Temp\A2.tmp (Worm.Koobface) -> Quarantined and deleted successfully.
c:\documents and settings\sean and trevor\local settings\Temp\A3.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\sean and trevor\local settings\Temp\A4.tmp (Spyware.Passwords) -> Quarantined and deleted successfully.
c:\documents and settings\sean and trevor\local settings\Temp\3903878062.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
c:\documents and settings\sean and trevor\local settings\Temp\win.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\sean and trevor\local settings\Temp\login .exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\sean and trevor\local settings\Temp\lsass .exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\sean and trevor\local settings\Temp\2137965864.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
c:\documents and settings\sean and trevor\local settings\Temp\2645778364.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
c:\documents and settings\sean and trevor\local settings\Temp\2983311068.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
c:\documents and settings\sean and trevor\local settings\Temp\3188220358.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
c:\documents and settings\sean and trevor\local settings\Temp\3900753062.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
c:\documents and settings\sean and trevor\local settings\Temp\setup.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\sean and trevor\local settings\Temp\smss.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\sean and trevor\local settings\Temp\spoolsv.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\sean and trevor\local settings\Temp\system.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\sean and trevor\local settings\Temp\taskmgr.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\sean and trevor\local settings\Temp\install.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\sean and trevor\local settings\Temp\installb[1].exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\sean and trevor\local settings\Temp\installb[2].exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\sean and trevor\local settings\Temp\1826123700.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
c:\documents and settings\sean and trevor\local settings\Temp\19C.tmp (Worm.Koobface) -> Quarantined and deleted successfully.
c:\documents and settings\sean and trevor\local settings\Temp\19D.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\sean and trevor\local settings\Temp\f.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\sean and trevor\local settings\Temp\4081690562.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
c:\documents and settings\sean and trevor\local settings\Temp\768772570.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
c:\documents and settings\sean and trevor\local settings\Temp\812177542.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
c:\documents and settings\sean and trevor\local settings\Temp\860927542.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
c:\documents and settings\sean and trevor\local settings\Temp\~TM1A2.tmp (Spyware.Passwords) -> Quarantined and deleted successfully.
c:\documents and settings\sean and trevor\local settings\Temp\~TM25.tmp (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\documents and settings\sean and trevor\local settings\Temp\~TM47.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\sean and trevor\local settings\Temp\~TM48.tmp (Spyware.Passwords) -> Quarantined and deleted successfully.
c:\documents and settings\sean and trevor\local settings\Temp\~TM54EA3A.TMP (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\sean and trevor\local settings\Temp\~TM81EC3F.TMP (Spyware.Passwords) -> Quarantined and deleted successfully.
c:\documents and settings\sean and trevor\local settings\Temp\~TMDC.tmp (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\documents and settings\sean and trevor\local settings\temporary internet files\Content.IE5\WE3LY0SE\AntivirusBESTInstaller[4].exe (Rogue.AntiVirusBEST) -> Quarantined and deleted successfully.
c:\documents and settings\sean and trevor\start menu\Programs\Startup\ihaupd32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\localservice\application data\twain_32\user.ds (Spyware.Zbot) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\twain_32\user.ds (Spyware.Zbot) -> Quarantined and deleted successfully.
c:\documents and settings\sean and trevor\application data\twain_32\user.ds (Spyware.Zbot) -> Quarantined and deleted successfully.
c:\documents and settings\sean and trevor\start menu\Programs\pc_security2009\PC_Security2009.lnk (Rogue.PCSecurity2009) -> Quarantined and deleted successfully.
c:\documents and settings\sean and trevor\start menu\Programs\pc_security2009\Uninstall.lnk (Rogue.PCSecurity2009) -> Quarantined and deleted successfully.
c:\program files\pc_security2009\htmlayout.dll (Rogue.PCSecurity2009) -> Quarantined and deleted successfully.
c:\program files\pc_security2009\PC_Security2009.cfg (Rogue.PCSecurity2009) -> Quarantined and deleted successfully.
c:\program files\pc_security2009\pthreadVC2.dll (Rogue.PCSecurity2009) -> Quarantined and deleted successfully.
c:\program files\pc_security2009\Uninstall.exe (Rogue.PCSecurity2009) -> Quarantined and deleted successfully.
c:\program files\pc_security2009\data\daily.cvd (Rogue.PCSecurity2009) -> Quarantined and deleted successfully.
c:\program files\pc_security2009\microsoft.vc80.crt\Microsoft.VC80.CRT.manifest (Rogue.PCSecurity2009) -> Quarantined and deleted successfully.
c:\program files\pc_security2009\microsoft.vc80.crt\msvcm80.dll (Rogue.PCSecurity2009) -> Quarantined and deleted successfully.
c:\program files\pc_security2009\microsoft.vc80.crt\msvcp80.dll (Rogue.PCSecurity2009) -> Quarantined and deleted successfully.
c:\program files\pc_security2009\microsoft.vc80.crt\msvcr80.dll (Rogue.PCSecurity2009) -> Quarantined and deleted successfully.
C:\clynbqef.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dllcache\figaro.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\delself.bat (Malware.Trace) -> Delete on reboot.
c:\WINDOWS\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msxml71.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\010112010146118114.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\critical_warning.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\0101120101464849.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\Program Files\sFX\sfX.sYs (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\sFX\SfX.DlL (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\934fdfg34fgjf23 (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\Documents and Settings\sean and trevor\Desktop\PC_Security2009.lnk (Rogue.PCSecurity2009) -> Quarantined and deleted successfully.
C:\Documents and Settings\sean and trevor\Application Data\Microsoft\Internet Explorer\Quick Launch\PC_Security2009.lnk (Rogue.PCSecurity2009) -> Quarantined and deleted successfully.
C:\gfub.exe (Trojan.Dropper) -> Quarantined and deleted successfully.


Thanks again,
Aaron
Mark2MR2 is offline  
Old 07-29-2009, 04:49 PM   #4 (permalink)
Analyst, Security Team
Join Date: Apr 2008
Location: Tokyo, JP
Posts: 1,476
OS: Vista, Linux Mint


Re: Your Computer is infected

hi.

Let's continue.

Quote:
AV: Anti-Virus - SBC Yahoo! Online Protection *On-access scanning enabled* (Outdated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
Are you familiar with this one?

--------------------------------------------------------------------------
Download ComboFix from one of these locations:

Link 1
Link 2
Link 3


* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. You can find instructions HERE.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Mark
__________________
To accomplish great things, we must not only act, but also dream; not only plan, but also believe.
If I have been helping you and do not reply within 24 hours, please send me a message.
I'm a member of U.N.I.T.E and A.S.A.P
mas_pogi is offline  
Old 07-30-2009, 07:33 AM   #5 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 6
OS: WINXP


Re: Your Computer is infected

Thanks again,

Looking forward to your reply.

ComboFix 09-07-29.04 - Owner 07/30/2009 9:15.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.502.263 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix1.exe
AV: Anti-Virus - SBC Yahoo! Online Protection *On-access scanning enabled* (Outdated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
AV: Trend Micro AntiVirus *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\sean and trevor\Application Data\bcrypt.html
c:\program files\sFX
c:\recycler\S-1-5-21-1708537768-308236825-839522115-1003
c:\recycler\S-1-5-21-1801524161-2601544908-734365411-5632
c:\recycler\S-1-5-21-3409437372-7699536250-281649793-1140
c:\recycler\S-1-5-21-3834097768-656449494-3125478954-1003
c:\recycler\S-1-5-21-7067861205-8197792332-685834324-3063
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\run.log

.
((((((((((((((((((((((((( Files Created from 2009-06-28 to 2009-07-30 )))))))))))))))))))))))))))))))
.

2009-07-30 12:42 . 2009-07-30 12:42 -------- d-----w- c:\windows\LastGood
2009-07-29 21:40 . 2009-07-13 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-29 21:40 . 2009-07-13 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-29 21:40 . 2009-07-29 21:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-29 01:11 . 2009-07-29 01:11 812344 ----a-w- c:\program files\HJTInstall.exe
2009-07-12 19:33 . 2009-07-15 03:38 -------- d-----w- c:\documents and settings\Owner\Application Data\Move Networks
2009-07-12 19:33 . 2009-07-12 19:33 34062 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\ie_bin\Uninst.exe
2009-07-11 23:48 . 2009-07-12 02:23 -------- d-----w- c:\program files\RegCure
2009-07-11 23:02 . 2009-07-11 23:02 -------- d-----w- c:\documents and settings\sean and trevor\Local Settings\Application Data\Downloaded Installations
2009-07-11 22:07 . 2009-07-12 00:00 191 ----a-w- c:\windows\3456665.bat
2009-07-10 23:42 . 2009-07-10 23:42 19327 ----a-w- c:\documents and settings\All Users\Application Data\ojyqypaga.com
2009-07-10 23:42 . 2009-07-10 23:42 16749 ----a-w- c:\documents and settings\All Users\Application Data\bibimyq.pif
2009-07-10 23:42 . 2009-07-10 23:42 16691 ----a-w- c:\windows\gesajataj.exe
2009-07-10 23:42 . 2009-07-10 23:42 16396 ----a-w- c:\documents and settings\sean and trevor\Local Settings\Application Data\jotazuqi.com
2009-07-10 23:42 . 2009-07-10 23:42 14874 ----a-w- c:\program files\Common Files\ymyre.scr
2009-07-10 23:42 . 2009-07-10 23:42 14601 ----a-w- c:\documents and settings\sean and trevor\Application Data\nugiqosu.bat
2009-07-10 23:42 . 2009-07-10 23:42 14071 ----a-w- c:\documents and settings\sean and trevor\Local Settings\Application Data\kesysapoc.scr
2009-07-10 23:42 . 2009-07-10 23:42 11711 ----a-w- c:\documents and settings\sean and trevor\Local Settings\Application Data\oboxu.pif
2009-07-10 23:20 . 2009-07-10 23:20 11264 ----a-w- c:\windows\system32\braviax .exe
2009-07-10 04:03 . 2009-07-10 04:03 -------- d-----w- c:\documents and settings\sean and trevor\Application Data\Malwarebytes
2009-07-10 04:02 . 2009-07-10 04:03 -------- d-----w- c:\documents and settings\sean and trevor\Application Data\RegistryPC
2009-07-09 21:43 . 2009-07-09 21:44 -------- d-----w- c:\documents and settings\Owner\Application Data\RegistryPC
2009-07-09 21:16 . 2004-08-04 13:00 2944 ----a-w- c:\windows\system32\drivers\null.sys
2009-07-09 21:13 . 2004-08-04 13:00 4224 ----a-w- c:\windows\system32\drivers\beep.sys
2009-07-09 21:13 . 2004-08-04 13:00 4224 ----a-w- c:\windows\system32\dllcache\beep.sys
2009-07-09 16:30 . 2009-07-15 16:07 -------- d-----w- c:\documents and settings\All Users\Application Data\10205464

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-19 13:33 . 2009-07-19 13:33 3597824 ----a-w- c:\windows\system32\SET16.tmp
2009-07-19 13:32 . 2009-07-19 13:32 6067200 ----a-w- c:\windows\system32\SET1F.tmp
2009-07-17 11:49 . 2006-10-10 00:37 2298 -c--a-w- c:\documents and settings\Owner\Application Data\wklnhst.dat
2009-07-11 14:42 . 2009-07-11 14:42 18782 ----a-w- c:\program files\Common Files\lotowaxi._dl
2009-06-29 08:33 . 2009-06-29 08:33 2452872 ----a-w- c:\windows\system32\SET22.tmp
2009-06-28 21:28 . 2009-06-28 19:42 -------- d-----w- c:\program files\Common Files\Uninstall
2009-06-28 21:02 . 2009-06-28 21:02 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-06-28 21:02 . 2009-06-28 21:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-16 14:55 . 2004-08-04 08:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2004-08-04 08:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-10 20:20 . 2007-03-28 23:55 1900 -c--a-w- c:\documents and settings\sean and trevor\Application Data\wklnhst.dat
2009-06-08 15:05 . 2009-06-08 15:05 -------- d-----w- c:\program files\AIM6
2009-06-03 19:27 . 2004-08-04 08:00 1290752 ----a-w- c:\windows\system32\quartz.dll
2009-05-26 13:47 . 2009-05-26 13:47 991232 ----a-w- c:\windows\system32\SET1E.tmp
2009-05-22 05:02 . 2007-12-16 09:56 225296 ----a-w- c:\windows\system32\drivers\tmxpflt.sys
2009-05-22 05:00 . 2007-12-16 09:56 36368 ----a-w- c:\windows\system32\drivers\tmpreflt.sys
2009-05-22 04:45 . 2007-12-16 09:56 1220120 ----a-w- c:\windows\system32\drivers\vsapint.sys
2009-05-07 15:44 . 2004-08-04 08:00 344064 ----a-w- c:\windows\system32\localspl.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2005-02-08 159744]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-05-04 794624]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-10-17 1197648]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-07-29 1398024]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 144784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2005-04-13 88209]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2006-7-21 118784]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [4/8/2008 6:12 PM 52624]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [12/16/2007 5:56 AM 36368]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/12/2007 12:02 AM 24652]
R3 tmproxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [4/8/2008 6:12 PM 648456]
.
Contents of the 'Scheduled Tasks' folder

2009-06-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-YBrowser - c:\progra~1\Yahoo!\browser\ybrwicon.exe
SafeBoot-svcWRSSSDK


.
------- Supplementary Scan -------
.
uLocal Page = \blank.htm
uStart Page = hxxp://yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Settings,ProxyOverride = 127.0.0.1;<local>;*.local
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
LSP: c:\windows\system32\VetRedir.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-30 09:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1196)
c:\windows\system32\igfxsrvc.dll
c:\windows\system32\hccutils.DLL

- - - - - - - > 'lsass.exe'(1396)
c:\windows\system32\VetRedir.dll
c:\windows\system32\ISafeIf.dll
.
Completion time: 2009-07-30 9:26
ComboFix-quarantined-files.txt 2009-07-30 13:26

Pre-Run: 42,317,598,720 bytes free
Post-Run: 43,715,477,504 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

157 --- E O F --- 2009-07-30 12:49
Attached Files
File Type: txt ComboFix.txt (10.7 KB, 2 views)
#6, 07-30-2009, 10:37 AM, posted by mas_pogi (Analyst, Security Team; Join Date: Apr 2008; Location: Tokyo, JP; Posts: 1,476; OS: Vista, Linux Mint)


Re: Your Computer is infected

hi.
Quote:
AV: Anti-Virus - SBC Yahoo! Online Protection *On-access scanning enabled* (Outdated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
Are you familiar with this one?
You didn't answer this one.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there are no open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available while you carry out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

----------------------------------------------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. You can find instructions HERE.

3. Open notepad and copy/paste the text in the quotebox below into it:

Quote:
http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/399633-your-computer-infected.html#post2266689

COLLECT::
c:\documents and settings\All Users\Application Data\ojyqypaga.com
c:\windows\3456665.bat
c:\documents and settings\All Users\Application Data\bibimyq.pif
c:\windows\gesajataj.exe
c:\documents and settings\sean and trevor\Local Settings\Application Data\jotazuqi.com
c:\program files\Common Files\ymyre.scr
c:\documents and settings\sean and trevor\Application Data\nugiqosu.bat
c:\documents and settings\sean and trevor\Local Settings\Application Data\kesysapoc.scr
c:\documents and settings\sean and trevor\Local Settings\Application Data\oboxu.pif
c:\windows\system32\braviax .exe
c:\program files\Common Files\lotowaxi._dl

FILE::
c:\windows\system32\SET1F.tmp
c:\windows\system32\SET16.tmp
c:\windows\system32\SET22.tmp
c:\windows\system32\SET1E.tmp
Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

**Note**

When CF finishes running, it pops out with the CF log and this message box:

Clicking OK will begin the auto-upload of the zipped file.

-----------

If you do not get a message box, please do the following:

There should be a file named [4]-Submit_date@time.zip with today's date, located here:

C:\QooBox\Quarantine\[4]-Submit_date@time.zip

Using the 'Browse' button, please submit it to this site ==> http://www.bleepingcomputer.com/subm....php?channel=4

Please let me know if you successfully submitted the file.

-------------------------------------------------------------------------

Please uninstall the following, using Windows Add/Remove Programs in the Control Panel.

Foistware:


Viewpoint Manager (Remove Only)
Viewpoint Media Player

Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This changed from what we knew in 2006; read this article:
http://www.clickz.com/news/article.php/3561546

Please also delete this folder.

c:\program files\Viewpoint


Outdated Java runtimes: (Older versions have vulnerabilities that malicious sites can use to exploit and infect your system)

Java(TM) 6 Update 6

After you uninstall your outdated Java, please download Java(TM) 6 Update 14 here. Install it.

-------------------------------------------------------------------------


Run ESET Online Scan

*Close any open programs
*Turn off the real time scanner of any existing antivirus program while performing the online scan. You can find instructions HERE.


Go here to run an online scanner from ESET.
  • Note: You will need to use Internet explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now.

------------------------------------------------------------------------

How's your computer now?


In your reply, please post

C:\combofix.txt
ESET scan result
Answer to my questions


Mark
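
The files the analyst put under COLLECT:: above share traits that are visible in the log itself: eight executables created in the same minute (2009-07-10 23:42) across several directories, executable types such as .com, .pif, .scr and .bat dropped under Application Data and Common Files, a name with a space before the extension (braviax .exe), an odd extension (._dl) and a digits-only name. The Python below is an added example, not a ComboFix feature or a tool from this forum: it parses lines in ComboFix's "Files Created"/Find3M format and runs those checks over them. The heuristics, directory markers and the burst threshold are this example's own assumptions, and the sample input is excerpted from the log posted above; the output is a list of candidates for review, not a verdict.

```python
"""Triage the 'Files Created' section of a ComboFix log for dropper-like files.
Added example for this thread, not ComboFix's own logic; rules and thresholds
below are assumptions. Output is a review list, not a verdict."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# One log line: created stamp, '.', modified stamp, size or '--------', attrs, path
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"\d{4}-\d{2}-\d{2} \d{2}:\d{2} (?P<size>\S+) (?P<attrs>\S+) (?P<path>.+)$"
)
RARE_EXEC_EXTS = {".com", ".pif", ".scr", ".bat"}   # seldom dropped legitimately
EXEC_EXTS = RARE_EXEC_EXTS | {".exe"}
DROP_DIR_MARKERS = ("\\application data\\", "\\local settings\\", "\\common files\\")
BURST_MIN_FILES = 3   # flagged files in one minute across >= 2 dirs form a burst


@dataclass
class Entry:
    created: str
    size: str
    attrs: str
    path: str
    reasons: list = field(default_factory=list)

    @property
    def is_dir(self):
        return self.attrs.startswith("d")


def parse(log_text):
    """Keep only lines that are in ComboFix's file-listing format."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["created"], m["size"], m["attrs"], m["path"]))
    return entries


def check_entry(e):
    """Per-file rules; each hit appends a human-readable reason."""
    p = PureWindowsPath(e.path)
    ext, parent = p.suffix.lower(), str(p.parent).lower()
    if not e.is_dir:
        if ext in RARE_EXEC_EXTS:
            e.reasons.append(f"rarely legitimate executable type {ext}")
        in_drop_dir = any(mk in e.path.lower() for mk in DROP_DIR_MARKERS)
        if ext in EXEC_EXTS and (in_drop_dir or parent == "c:\\windows"):
            e.reasons.append("executable in user-writable dir or Windows root")
        if re.search(r"\s\.[^.]*$", p.name):                   # e.g. 'braviax .exe'
            e.reasons.append("whitespace before extension")
        if ext and not re.fullmatch(r"\.[a-z0-9]{1,4}", ext):  # e.g. '._dl'
            e.reasons.append(f"odd extension {ext}")
    if re.fullmatch(r"\d+", p.stem):                           # '3456665.bat', '10205464'
        e.reasons.append("digits-only name")
    return e.reasons


def find_bursts(entries):
    """Group flagged files by creation minute; a burst spread over several
    directories is the classic dropper signature."""
    by_minute = defaultdict(list)
    for e in entries:
        if e.reasons and not e.is_dir:
            by_minute[e.created].append(e)
    bursts = {}
    for minute, group in by_minute.items():
        dirs = {str(PureWindowsPath(e.path).parent).lower() for e in group}
        if len(group) >= BURST_MIN_FILES and len(dirs) >= 2:
            bursts[minute] = group
            for e in group:
                e.reasons.append(f"one of {len(group)} flagged files created at {minute}")
    return bursts


def triage(log_text):
    """Return ({path: [reasons]}, {minute: [entries]}) for the flagged lines."""
    entries = parse(log_text)
    for e in entries:
        check_entry(e)
    bursts = find_bursts(entries)
    return {e.path: e.reasons for e in entries if e.reasons}, bursts


# Excerpt of the ComboFix log posted in this thread (input for the demo).
SAMPLE_LOG = r"""
2009-07-29 21:40 . 2009-07-13 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-29 01:11 . 2009-07-29 01:11 812344 ----a-w- c:\program files\HJTInstall.exe
2009-07-11 22:07 . 2009-07-12 00:00 191 ----a-w- c:\windows\3456665.bat
2009-07-10 23:42 . 2009-07-10 23:42 19327 ----a-w- c:\documents and settings\All Users\Application Data\ojyqypaga.com
2009-07-10 23:42 . 2009-07-10 23:42 16749 ----a-w- c:\documents and settings\All Users\Application Data\bibimyq.pif
2009-07-10 23:42 . 2009-07-10 23:42 16691 ----a-w- c:\windows\gesajataj.exe
2009-07-10 23:42 . 2009-07-10 23:42 16396 ----a-w- c:\documents and settings\sean and trevor\Local Settings\Application Data\jotazuqi.com
2009-07-10 23:42 . 2009-07-10 23:42 14874 ----a-w- c:\program files\Common Files\ymyre.scr
2009-07-10 23:42 . 2009-07-10 23:42 14601 ----a-w- c:\documents and settings\sean and trevor\Application Data\nugiqosu.bat
2009-07-10 23:42 . 2009-07-10 23:42 14071 ----a-w- c:\documents and settings\sean and trevor\Local Settings\Application Data\kesysapoc.scr
2009-07-10 23:42 . 2009-07-10 23:42 11711 ----a-w- c:\documents and settings\sean and trevor\Local Settings\Application Data\oboxu.pif
2009-07-10 23:20 . 2009-07-10 23:20 11264 ----a-w- c:\windows\system32\braviax .exe
2009-07-09 16:30 . 2009-07-15 16:07 -------- d-----w- c:\documents and settings\All Users\Application Data\10205464
2009-07-11 14:42 . 2009-07-11 14:42 18782 ----a-w- c:\program files\Common Files\lotowaxi._dl
"""

if __name__ == "__main__":
    flagged, bursts = triage(SAMPLE_LOG)
    for path, reasons in flagged.items():
        print(path + "\n    " + "\n    ".join(reasons))
```

Run against the excerpt it reproduces the analyst's COLLECT:: list: the 23:42 burst, braviax .exe (flagged only for the space before the extension, which is why a plain search for braviax.exe misses it), 3456665.bat and lotowaxi._dl, while mbam.sys and HJTInstall.exe stay unflagged. Anything it lists still needs a human look before it goes into a CFScript.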
#7, 07-30-2009, 03:43 PM, posted by Mark2MR2 (Registered User; Join Date: Jul 2009; Posts: 6; OS: WINXP)


Re: Your Computer is infected

AV: Anti-Virus - SBC Yahoo! Online Protection *On-access scanning enabled* (Outdated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
Are you familiar with this one?

How would I disable this?
#8, 07-30-2009, 07:57 PM, posted by mas_pogi (Analyst, Security Team; Join Date: Apr 2008; Location: Tokyo, JP; Posts: 1,476; OS: Vista, Linux Mint)


Re: Your Computer is infected

hi.

It seems to be provided by your Internet Service Provider. Let's just ignore that one and proceed with the remaining instructions.

Mark
#9, 07-30-2009, 09:14 PM, posted by Mark2MR2 (Registered User; Join Date: Jul 2009; Posts: 6; OS: WINXP)


Re: Your Computer is infected

hello,

OK, to start, I re-ran ComboFix with the quoted text transferred, and it ran like clockwork. Just like you said. No problems.

I removed all of the View Point software per request.

I removed the Java and reinstalled the newer version.

Ran ESET software - found 41 issues.

The message on the desktop is now gone (Your computer is infected.)

Now...

I searched the computer for anything having to do with SBC, Yahoo, and ATT and deleted a Yahoo sidebar and an application suite. I even searched the C:\, through all folders, looking for anything that had to do with anti-virus and only ran across a couple of .dll files under Program Files. The installer for the virus app was still on the desktop but it was a broken link to the .exe file. I am unsure I can turn this off. I looked around on the internet for this same problem, but nobody had a solution (I would have checked with you first before executing any procedure).

Anyways, Here are the files you requested; I hope this helps.

Thanks again for all of your help,
Aaron
Attached Files
File Type: txt Combofix log.txt (12.9 KB, 1 views)
File Type: txt Eset log.txt (7.5 KB, 1 views)
#10, 07-31-2009, 09:21 AM, posted by mas_pogi (Analyst, Security Team; Join Date: Apr 2008; Location: Tokyo, JP; Posts: 1,476; OS: Vista, Linux Mint)


Re: Your Computer is infected

hi.

Quote:
I searched the computer for anything having to do with SBC, Yahoo, and ATT and deleted an Yahoo side bar and an application suite. I even searched the C:\, through all folders looking for anything that had to do with Anti-virus and only ran across a couuple of .dll files under program files. The installed for the Virus app was still on the desktop but it was a broken link to the .exe file. I am unsure I can turn this off, I looked around on the internet for this same problem, but nobody had a solution ( I would have checked with you first before executing any procedure).
That SBC Yahoo entry is related to AT&T Yahoo! Applications in your Add/Remove Programs. It is like an extra bundle given by your ISP. You may uninstall it or keep it.


ESET flagged some files as infected. Those in Qoobox are harmless. Qoobox is our tool's quarantine folder. Those in System Restore are harmless too unless we manually restore them. We will purge them by the end of this thread.

The rest will be deleted.

Open Notepad and copy/paste the contents of the code box below into it.
Code:
@echo off
rem Start from a clean log so a previous run cannot mask this one's result.
if exist "%temp%\log.txt" del "%temp%\log.txt"

rem Every path is quoted because they contain spaces; %%g keeps the quotes.
for %%g in ( 
"C:\Documents and Settings\sean and trevor\Application Data\Microsoft\Internet Explorer\Desktop.htt"
"C:\Documents and Settings\sean and trevor\Local Settings\Application Data\Downloaded Installations\{F9B9ED60-8ABE-4008-A452-AC24A7B0AE52}\AntivirusBEST.msi"
"C:\Documents and Settings\sean and trevor\My Documents\My Videos\Setup-041_02002-8.exe"
"C:\WINDOWS\system32\braviax.exe68"
) do (
rem /a clears hidden, system and read-only attributes, /f forces, /q skips the prompt.
del /a/f/q %%g 
rem Any file still present after del, for example one locked by a running process, goes to the log.
if exist %%g echo.%%g >>"%temp%\log.txt" 
)>nul 2>&1 

rem Show the survivors if there were any, otherwise report success.
if exist "%temp%\log.txt" (start notepad "%temp%\log.txt"
) else echo.Deleted Successfully! 
echo. 
pause 
rem The batch file deletes itself once it has run.
del %0
Save this as deleteme.bat on your desktop. In the Save dialog, choose "Save as type: All Files".

It should look like this:

Double-click deleteme.bat to run it.

Tell me what it says in your next reply.

How's your computer in general?

Mark
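
deleteme.bat above deletes the ESET hits outright and writes to log.txt only the paths that survive the del. A responder who may later need to submit or restore a sample often prefers to quarantine instead: move each file aside, record its SHA-256, size and mtime in a manifest, and report what was missing or could not be moved. The Python below is an added example written for this thread; it is not the forum's tool and not ComboFix's QooBox. The quarantine directory name, the .quar suffix and the two dummy files in demo() are constructed for the example, and no real system path is touched.

```python
"""Quarantine-with-manifest alternative to deleting suspect files outright.
Added example for this thread, not a forum tool or ComboFix's QooBox; file
names and the quarantine layout below are this example's assumptions."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of(path, chunk_size=1 << 16):
    """Stream a file through SHA-256 so a large dropper is not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def quarantine(targets, quarantine_dir):
    """Move each target into quarantine_dir and write manifest.json beside it.

    Returns the manifest. Paths that no longer exist land in 'missing' (the
    batch file logs the opposite case: files still present after del); files
    that could not be moved, e.g. locked by a running process, land in
    'failed' with the OS error text so nothing fails silently.
    """
    qdir = Path(quarantine_dir)
    qdir.mkdir(parents=True, exist_ok=True)
    manifest = {"quarantined": [], "missing": [], "failed": []}
    for target in targets:
        src = Path(target)
        if not src.is_file():
            manifest["missing"].append(str(src))
            continue
        try:
            st = src.stat()
            digest = sha256_of(src)
            # Hash prefix keeps two same-named files from different directories
            # apart; the .quar suffix stops an accidental double-click launch.
            dest = qdir / f"{digest[:16]}_{src.name}.quar"
            shutil.move(str(src), str(dest))
        except OSError as exc:
            manifest["failed"].append({"path": str(src), "error": str(exc)})
            continue
        manifest["quarantined"].append({
            "original_path": str(src),
            "quarantine_path": str(dest),
            "sha256": digest,
            "size": st.st_size,
            "mtime": st.st_mtime,
        })
    (qdir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_quarantine(quarantine_dir):
    """Re-hash every quarantined file against the manifest; False on any mismatch."""
    qdir = Path(quarantine_dir)
    manifest = json.loads((qdir / "manifest.json").read_text())
    return all(
        Path(item["quarantine_path"]).is_file()
        and sha256_of(item["quarantine_path"]) == item["sha256"]
        for item in manifest["quarantined"]
    )


def demo():
    """Constructed stand-in for the thread's targets: two dummy files plus one
    path that does not exist, all inside a temporary directory."""
    root = Path(tempfile.mkdtemp(prefix="triage_"))
    (root / "system32").mkdir()
    present = [root / "system32" / "braviax .exe", root / "nugiqosu.bat"]
    present[0].write_bytes(b"MZ" + b"\x90" * 64)                # fake PE stub, constructed
    present[1].write_bytes(b"@echo off\r\nstart http://example.invalid\r\n")
    missing = root / "Desktop.htt"
    manifest = quarantine([*present, missing], root / "QooBox_example")
    return manifest, str(root / "QooBox_example")


if __name__ == "__main__":
    result, qdir = demo()
    print(json.dumps(result, indent=2), "\nverified:", verify_quarantine(qdir))
```

The manifest is what makes the step reversible and reportable: the hash identifies the sample to an AV vendor or a sandbox without re-reading a file that might have been tampered with, and verify_quarantine() confirms the quarantined copies are still the ones recorded before anyone restores or submits them.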
#11, 07-31-2009, 06:52 PM, posted by Mark2MR2 (Registered User; Join Date: Jul 2009; Posts: 6; OS: WINXP)


Re: Your Computer is infected

Good Day,

Deleteme.bat said:

Deleted successfully!
Press any key to continue.

Overall, the computer seems to be running quicker and has also not had anymore annoying pop-ups.

I could not locate the ATT & Yahoo Application in the ADD/REMOVE PROGRAMS, so I will let it go.

Thanks,
Aaron
#12, 07-31-2009, 07:56 PM, posted by mas_pogi (Analyst, Security Team; Join Date: Apr 2008; Location: Tokyo, JP; Posts: 1,476; OS: Vista, Linux Mint)


Re: Your Computer is infected

hi.

Congratulations! You now appear clean!

We Need to Clean Up Our Mess
  1. Uninstall ComboFix
    Remove Combofix now that we're done with it.
    • Click on your Start Menu, then Run....
    • Copy and paste the following into the Run box, then hit Enter.

      Code:
      ComboFix /u


    Uninstalling ComboFix will do the following:
    1. Delete ComboFix and its components from your computer.
    2. Delete other tools commonly used during the malware removal process.
    3. Resets clock settings to standard format.
    4. Re-hides file extensions and hidden/system files.
    5. Clears System Restore cache and creates new restore point.

  2. Please also delete the DDS.scr located at your desktop.
  3. Please also delete the deleteme.bat located at your desktop.
-----------------------------------------------
Recommendations
Below are some recommendations to lower your chances of (re)infection.
  1. Install Spyware Blaster and update it regularly
    If you wish, the commercial version provides automatic updating.

  2. Install the MVPs hosts file, and update it regularly
    You can use the HostMan host file manager to do this automatically if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file

  3. Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

    Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

  4. Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.

  5. Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :(.

Please respond to this thread one more time so we can mark this thread as resolved.

Maraming salamat (thank you very much).

Mark
#13, 08-03-2009, 06:39 AM, posted by mas_pogi (Analyst, Security Team; Join Date: Apr 2008; Location: Tokyo, JP; Posts: 1,476; OS: Vista, Linux Mint)


Re: Your Computer is infected

hi.

It is my pleasure to help you.

Surf safely.

Since the problem appears to be resolved, it will now be archived.


Mark
 


Copyright 2001 - 2009, Tech Support Forum