Author Topic: virus, trojans, malware oh my....  (Read 3745 times)
SirOlwyn
Topic Starter
« on: September 10, 2008, 10:36:00 PM »

My gf's mom gave me her comp because it was infected and I can't get it to download CCleaner or HijackThis or anything because of the problems. I had the same problem a couple of weeks ago on my comp and you guys were miracle workers, so I have returned. I read in a post about a program that allows you to get into Task Manager if a trojan disabled it, but I can't remember what it was called or what post it was from. If I can get Task Manager to work I might be able to end task the programs so I can download everything I need and post the logs. If anyone knows the program please help me..... I think it was something like "infiltrate this" or that, don't remember...
iamtonsoffun247
« Reply #1 on: September 10, 2008, 10:47:01 PM »

Did you try downloading the programs onto a flash drive?
evilfantasy
Malware Removal Specialist
Moderator
« Reply #2 on: September 10, 2008, 11:35:47 PM »

Can you get anything to download to the desktop but not get the installer to run?
mcxeb52!
Guest
« Reply #3 on: September 10, 2008, 11:40:32 PM »

Try booting to Safe Mode with Networking and try downloading the programs you want again.

Also, download HijackThis, run it and post the log that the program generates so evilfantasy can help you clean the computer  :)
SirOlwyn
Topic Starter
« Reply #4 on: September 10, 2008, 11:44:39 PM »

Ok, first I couldn't get Explorer to open for more than 3 secs, so my first post came from my spare computer since my gf's mom is borrowing mine. I booted the comp in safe mode and am currently following the directions for the logs. Only snag so far is that SuperAntiSpyware can't run in safe mode. I'm currently downloading HJT and will post the 2 logs in a few.
evilfantasy
Malware Removal Specialist
Moderator
« Reply #5 on: September 10, 2008, 11:45:59 PM »

Superantispyware can't update in safe mode but it can run.
SirOlwyn
Topic Starter
« Reply #6 on: September 10, 2008, 11:57:02 PM »

It comes up with a box that starts with "Windows Installer service could not be accessed. Cannot be run in safe mode". So I'm gonna try and reboot to normal with all 3 programs downloaded to the desktop and see if I can get them to run that way.
SirOlwyn
Topic Starter
« Reply #7 on: September 11, 2008, 12:10:25 AM »

Ok, back on the spare now. I'm currently running SuperAntiSpyware on the infected comp. Depending on how long it takes I might have to continue this Thursday after I get off work, but I should have the logs for you then.
SirOlwyn
Topic Starter
« Reply #8 on: September 11, 2008, 05:14:31 PM »

Here are my logs..... evil, you the man

[recovering disk space -- attachment deleted by admin]
evilfantasy
Malware Removal Specialist
Moderator
« Reply #9 on: September 11, 2008, 06:11:50 PM »

Go to add/remove programs and uninstall:

MyWebSearch Email Plugin
My Web Search Bar Search Scope Monitor
Viewpoint Toolbar or anything with Viewpoint in the name


----------

Open HijackThis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

- F3 - REG:win.ini: load=C:\WINDOWS\system32\mpreg.exe
- F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mpreg.exe,
- O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
- O2 - BHO: (no name) - {C76D014D-9F8F-B804-A2D8-B3DECEB35CC0} - (no file)
- O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
- O3 - Toolbar: (no name) - {0CAA216D-B1AF-4C4A-8EDC-FB2D822570CB} - (no file)
- O4 - HKLM\..\Run: [Anti-Virus] C:\WINDOWS\system32\vpms.exe
- O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\4.bin\mwsoemon.exe
- O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\4.bin\m3SrchMn.exe" /m=0
- O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\4.bin\mwssvc.exe (file missing)
- O23 - Service: Windows Network Latency Controller (nlc) - Unknown owner - C:\WINDOWS\system32\mpreg.exe (file missing)


Important: Close all windows except for HijackThis and then click Fix checked.

Exit HijackThis.

----------

Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

Go to Start > Run and type notepad.exe then click OK

Copy and paste the below into Notepad and save as fixme.reg to Your Desktop

Code:
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"Anti-Virus"=-

Locate fixme.reg on your Desktop and double-click it. Answer Yes when prompted to merge with the Registry.

----------

Go to Start > Run and type Notepad.exe then click OK.

Copy and paste the following text within the code box into the new Notepad file.

Code:
@ECHO OFF
REM Stop and then remove the two rogue services.
REM The first service name contains a space, so it must be quoted for sc.exe.
sc stop "COM+ Messages"
sc delete "COM+ Messages"
sc stop nlc
sc delete nlc
exit

In Notepad select File and Save as
Choose the Save to location to be the Desktop and for the File name: type in fixme.bat making sure that the Save as type field says All files.

Next double click fixservice.bat to run it.
A black box should open and close after a short time, this is normal.
Do not continue until the black box has closed
Delete fixservice.bat from the Desktop.
Run CCleaner and then restart the computer.

----------

Download ComboFix by sUBs from one of the below links. Be sure to save it to the Desktop.

Link #1
Link #2

**Note:  It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
 
Double click combofix.exe & follow the prompts.
When finished ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.
SirOlwyn
Topic Starter
« Reply #10 on: September 11, 2008, 08:35:40 PM »

Ok evil, how can I exit McAfee? The guide says right-click and choose Exit, but that is not an option.
evilfantasy
Malware Removal Specialist
Moderator
« Reply #11 on: September 11, 2008, 08:45:24 PM »

Try to run ComboFix. If McAfee tries to block it just allow it to run.
SirOlwyn
Topic Starter
« Reply #12 on: September 11, 2008, 09:11:01 PM »

Here are the logs.


[recovering disk space -- attachment deleted by admin]
evilfantasy
Malware Removal Specialist
Moderator
« Reply #13 on: September 11, 2008, 09:31:39 PM »

Found something new. You also have an AWF trojan. Easy enough to cure but it is a multiple step process.

Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KillAll::

Driver::
COM+_MESSAGES
MYWEBSEARCHSERVICE
COM+ Messages
MyWebSearchService

File::
C:\WINDOWS\SET64.tmp
C:\WINDOWS\SET61.tmp
C:\WINDOWS\SET70.tmp

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

(screenshot showing CFScript.txt being dropped onto ComboFix.exe; image not preserved)

ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

----------

Download ATF Cleaner by Atribune to your Desktop.

Alternate download link

Note: Vista users must use Run As Administrator
  • Under Main: Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note that your system will run slower for a reboot or two after having used this tool so don't panic.

Important: Restart the computer before continuing.

----------

You have a downloader trojan called Downloader.Agent.awf or Downloader.Agent.ayy. This trojan replaces legitimate files that are common on most computers with an infected file. It then moves the legitimate file to a "bak" or backup folder. Please follow the directions below to run FindAWF so we can identify the files that have been infected and the backups then restore them.

Download FindAWF.exe by Noadfear to your Desktop.
  • Double-click FindAWF.exe to start the tool.

  • If a Security Alert shows, allow the program to run.
  • As instructed, press any key to continue.
  • Select option #1 - Scan for bak folders by typing 1 and press 'Enter'
  • When the tool has completed, a report will open up in notepad.
  • Please post the results of the awf.txt in your reply.
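The "bak" folder pattern described above (the dropped binary overwrites a legitimate file and the original is moved into a bak subfolder beside it) can be checked with a short scan. The script below is an added example, not FindAWF's code and not part of the thread. It walks a directory tree, pairs every file inside a folder named bak with the same-named file in the parent folder, reports the pairs whose contents differ, and then groups those replaced files by the hash now in place: one hash sitting in several unrelated locations is what a single dropped binary copied over many legitimate files looks like. The directory layout it scans is constructed inside the script in a temporary folder; whether a differing file really is the trojan is an assumption that hash comparison alone cannot confirm, which is why the real tool ships known-good data that this example lacks.

```python
"""Locate 'bak' folders and the replaced files beside them (the pattern FindAWF looks for).

Added example, not FindAWF's code. It assumes the layout described in the thread:
the dropped binary overwrites a legitimate file and the original is moved into a
'bak' subfolder next to it.
"""
import hashlib
import os
import shutil
import tempfile
from collections import defaultdict


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_bak_folders(root):
    """Return (swaps, orphans).

    swaps:   files whose copy in ../bak differs from the file now in place
    orphans: files in a bak folder with no counterpart in the parent folder
    """
    swaps, orphans = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath).lower() != "bak":
            continue
        parent = os.path.dirname(dirpath)
        for name in filenames:
            backup = os.path.join(dirpath, name)
            current = os.path.join(parent, name)
            if not os.path.isfile(current):
                orphans.append(backup)
                continue
            cur_hash = sha256_of(current)
            if cur_hash != sha256_of(backup):  # identical copy = ordinary backup, not a swap
                swaps.append({"file": current, "backup": backup, "sha256": cur_hash})
    return swaps, orphans


def shared_payloads(swaps):
    """Group swapped files by the hash now in place.

    One hash present in many unrelated locations is the signature of a single
    dropped binary copied over several legitimate files.
    """
    by_hash = defaultdict(list)
    for s in swaps:
        by_hash[s["sha256"]].append(s["file"])
    return {h: files for h, files in by_hash.items() if len(files) > 1}


def build_sample_tree():
    """Constructed directory layout for the demo; returns its root (caller removes it)."""
    root = tempfile.mkdtemp(prefix="awf_demo_")

    def write(rel, data):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)

    payload = b"same dropped binary in two places"  # constructed stand-in for the infected file
    write("ProgA/app.exe", payload)
    write("ProgA/bak/app.exe", b"original ProgA app.exe")
    write("ProgB/tool.exe", payload)
    write("ProgB/bak/tool.exe", b"original ProgB tool.exe")
    write("ProgC/helper.exe", b"unchanged")
    write("ProgC/bak/helper.exe", b"unchanged")  # a user's own backup: must not be flagged
    write("ProgD/bak/lost.exe", b"no file left beside this")  # orphan: nothing to compare against
    return root


def demo():
    """Run the scan over the constructed tree and return (swaps, orphans, groups)."""
    root = build_sample_tree()
    try:
        swaps, orphans = scan_bak_folders(root)
        return swaps, orphans, shared_payloads(swaps)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    swaps, orphans, groups = demo()
    for s in swaps:
        print("replaced:", s["file"], "<- original kept in", s["backup"])
    for o in orphans:
        print("orphan backup:", o)
    for h, files in groups.items():
        print(f"hash {h[:12]}... now sits in {len(files)} swapped locations")
```

On the constructed tree the scan reports two swaps (app.exe and tool.exe, both now carrying the same hash), one orphan (lost.exe) and leaves ProgC alone because its backup is byte-identical to the file in place. Restoring from the backups is deliberately not automated here: the originals should be verified before they are copied back.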
evilfantasy
Malware Removal Specialist
Moderator
« Reply #14 on: September 11, 2008, 09:42:44 PM »

Almost forgot an important step!!

You can do this after the other steps are complete but be sure to do it.

Open HijackThis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.safewebnavigate2008.com/index.php?sid=0&aid=0&pn=&said=0&pid=0

Important: Close all windows except for HijackThis and then click Fix checked.

Exit HijackThis and restart the computer to register the changes made by HijackThis.
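As an added worked example (not code from the thread, from HijackThis, or from evilfantasy's instructions), the script below parses the HijackThis entries singled out in Reply #9 and Reply #14 and turns the reasoning behind picking them into automatic checks: anything besides userinit.exe in the UserInit chain, a non-blank win.ini load= value, O23 services whose file is missing, O2/O3 entries with no file, an O4 Run value whose name bears no relation to the executable it starts from system32, an R1 entry pointing at an external URL, and, the strongest signal, one executable referenced from several persistence points (mpreg.exe appears in win.ini, UserInit and a service). The sample input is the thread's own entries plus one constructed benign line (ctfmon.exe) so the system32 rule has a negative case; the rule set and severity labels are this example's assumptions, and a finding still needs a human to decide what the entry is.

```python
"""Triage HijackThis-style log lines for the persistence patterns seen in this thread.

Added example (not from the thread or from HijackThis). The heuristics and severity
labels are assumptions made for this example.
"""
import re
from collections import defaultdict

# Sample input: entries copied from the thread, plus one constructed benign O4 line
# (ctfmon.exe) so the system32 rule has a negative case to leave alone.
SAMPLE_LOG = r"""
F3 - REG:win.ini: load=C:\WINDOWS\system32\mpreg.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mpreg.exe,
O2 - BHO: (no name) - {C76D014D-9F8F-B804-A2D8-B3DECEB35CC0} - (no file)
O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
O4 - HKLM\..\Run: [Anti-Virus] C:\WINDOWS\system32\vpms.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\4.bin\mwsoemon.exe
O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\4.bin\mwssvc.exe (file missing)
O23 - Service: Windows Network Latency Controller (nlc) - Unknown owner - C:\WINDOWS\system32\mpreg.exe (file missing)
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.safewebnavigate2008.com/index.php?sid=0&aid=0&pn=&said=0&pid=0
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
# A Windows path ending in .exe/.dll; spaces are allowed, commas and quotes end a path.
PATH_RE = re.compile(r"[A-Za-z]:\\[^,\"]+?\.(?:exe|dll)", re.IGNORECASE)
LEGIT_USERINIT = "\\userinit.exe"


def parse_entries(log_text):
    """Return (section, body, line) for every line that looks like an HJT entry."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip().lstrip("- ").strip()  # tolerate the '- ' prefix used in forum replies
        m = LINE_RE.match(line)
        if m:
            entries.append((m.group("section"), m.group("body"), line))
    return entries


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Return a list of (severity, reason, line) findings."""
    findings = []
    refs = defaultdict(set)  # executable basename -> lines that reference it
    for section, body, line in parse_entries(log_text):
        paths = PATH_RE.findall(body)
        for p in paths:
            refs[basename(p)].add(line)
        if section == "F2" and "UserInit=" in body:
            # Only userinit.exe belongs in the UserInit chain; anything else runs at every logon.
            extra = [p for p in paths if not p.lower().endswith(LEGIT_USERINIT)]
            if extra:
                findings.append(("high", "UserInit chain loads extra executable(s): " + ", ".join(extra), line))
        elif section == "F3" and "load=" in body:
            # win.ini [windows] load= is a legacy autostart and is blank on a clean system.
            if body.split("load=", 1)[1].strip():
                findings.append(("high", "win.ini load= autostart is set", line))
        elif section == "O4" and paths:
            name = re.search(r"\[(.*?)\]", body)
            if name and "\\system32\\" in paths[0].lower():
                label = name.group(1).lower().replace(".exe", "")
                if label not in basename(paths[0]):
                    findings.append(("medium", f"Run value '{name.group(1)}' starts {basename(paths[0])} from system32", line))
        elif section == "O23" and "(file missing)" in body:
            findings.append(("medium", "service points at a file that no longer exists", line))
        elif section in ("O2", "O3") and "(no file)" in body:
            findings.append(("low", "orphaned BHO/toolbar CLSID", line))
        elif section in ("R0", "R1") and "http" in body.lower():
            findings.append(("medium", "browser setting redirected to an external URL", line))
    # The same binary registered in several autostart locations is the strongest signal here.
    for exe, lines in refs.items():
        if len(lines) > 1:
            findings.append(("high", f"{exe} referenced from {len(lines)} persistence points", sorted(lines)[0]))
    return findings


def summary(log_text):
    """Count findings per severity, e.g. {'high': 3, 'medium': 4, 'low': 2}."""
    counts = defaultdict(int)
    for sev, _, _ in triage(log_text):
        counts[sev] += 1
    return dict(counts)


if __name__ == "__main__":
    for sev, reason, line in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {reason}\n         {line}")
```

Run against the sample, the script flags three high findings (the UserInit extra, the win.ini load= value, and mpreg.exe appearing in three places), four medium ones (the "Anti-Virus" Run value, both orphaned services and the ShellNext redirect) and two low ones (the BHO and toolbar entries with no file), while the constructed ctfmon.exe line and the Program Files Run entry pass untouched. The cross-reference step is the part worth keeping: a name that is unknown on its own becomes hard to explain away once it sits in three autostart locations at once.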