
Author Topic: Why me? please help!!  (Read 11249 times)


evilfantasy

  • Malware Removal Specialist
  • Moderator


  • Genius
  • Calm like a bomb
  • Thanked: 493
  • Experience: Experienced
  • OS: Windows 11
Re: Why me? please help!!
« Reply #15 on: December 01, 2008, 07:34:07 PM »
This is actually very puzzling. You have an odd case of malware and I'm having a tough time pinpointing it. A good challenge....

Download the OTMoveIt3 by OldTimer

Note: If you are running on Vista, right-click on OTMoveIt2.exe and choose Run As Administrator.

* Save it to your Desktop.
* Double-click OTMoveIt3.exe to run it.
* Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

Code:
:Processes
explorer.exe

:files
C:\DOCUME~1\CARLDA~1\My Documents\My Music\J-M\11 Time To Check My Crackhouse.wma
C:\Documents and Settings\All Users\Application Data\SecTaskMan
C:\DOCUME~1\CARLDA~1\APPLIC~1\Dcads Advanced Toolbar

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

* Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
* Click the red Moveit! button.
* Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
* Close OTMoveIt3.

Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.

cthis

    Topic Starter


    Rookie

    Re: Why me? please help!!
    « Reply #16 on: December 01, 2008, 07:51:31 PM »
    Got it. One question though, why the song about the crackhouse? I've never heard that song before ;D
    Do you think Limewire would have anything to do with any of this?

    [Saving space - attachment deleted by admin]

    evilfantasy

    Re: Why me? please help!!
    « Reply #17 on: December 01, 2008, 07:55:19 PM »
    Quote
    Do you think Limewire would have anything to do with any of this?

    The last log said it was either infected or warez. Either way it's best to get rid of it until we figure out what's going on. You never can be sure what you're downloading on Limewire...

    Are the pop-ups still coming?

    Install a new copy of ComboFix and post the log please.

    Download ComboFix© by sUBs from one of the below links. Be sure to save it to your Desktop.

    Link #1
    Link #2

    **Note:  It is important that it is saved directly to your Desktop

    Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

    Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
     
    Double click combofix.exe & follow the prompts.
    When finished ComboFix will produce a log for you.
    Post the ComboFix log and a new HijackThis log in your next reply.

    Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

    Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

    cthis


      Re: Why me? please help!!
      « Reply #18 on: December 01, 2008, 08:20:41 PM »
      Done. Yes, there are still popups, one in particular: Registry Defender. Also my Yahoo search engine is still on the fritz. I can type something to look for and it gives me ten different sites that don't have a thing to do with what I'm looking for. Also when I click to open this forum, it gives me the "Windows cannot display this webpage" message again, so I have to click refresh.

      [Saving space - attachment deleted by admin]

      evilfantasy

      Re: Why me? please help!!
      « Reply #19 on: December 01, 2008, 08:55:44 PM »
      This is definitely a challenge, and that file came back.

      Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

      Delete these files/folders, as follows:

      1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
      It must be Notepad, not Wordpad.
      2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

      Code:
      KillAll::

      Folder::
      C:\Lop SD

      File::
      c:\windows\system32\dispex32.dll

      Registry::
      [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\34b80127509]

      3. Go to the Notepad window and click Edit > Paste
      4. Then click File > Save
      5. Name the file CFScript.txt - Save the file to your Desktop
      6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



      ComboFix will begin to execute, just follow the prompts.
      After reboot (in case it asks to reboot), it will produce a log for you.
      Post that log (Combofix.txt) in your next reply.

      Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

      cthis


        Re: Why me? please help!!
        « Reply #20 on: December 01, 2008, 09:25:26 PM »
        This seems to work pretty good. It does say file deleted on the log so fingers crossed! Question, when I restart my computer after it says Vaio and plays a little tune, it goes to a black screen for a split second and prompts me to start with windows xp, or something else, do you think this will stop?

        [Saving space - attachment deleted by admin]

        evilfantasy

        Re: Why me? please help!!
        « Reply #21 on: December 01, 2008, 09:36:11 PM »
        One option is Win XP and the other is the Recovery Console right? The Recovery Console was installed by ComboFix. You now can recover your PC if something goes wrong.

        This next scan will take a while, usually well more than an hour so if you want to wait until tomorrow then that's fine. I'll be around.

        Download DrWeb CureIt & save it to your desktop.

        Scan with DrWeb-CureIt as follows:
        • Double-click on drweb-cureit.exe and then click Start.
        • An Express Scan of your PC notice will appear.
        • Under Start the Express Scan Now Click OK to start.
          • This is a short scan that will scan the files currently running in memory.
          • If or when something is found, click the Yes button when it asks you if you want to cure it.
        • Once the short scan has finished, Click Options > Change settings
        • Choose the Scan tab and UNcheck Heuristic analysis and click OK
        • Back at the main window, select the Complete scan button.
        • Then click the Green Arrow Start Scanning button on the right and the scan will start.
          • Click Yes to all if it asks if you want to cure/move any file(s).
        • When the scan is done.
        • In the Dr.Web CureIt menu on top left, click File and choose Save report list.
        • Save the DrWeb.csv report to your Desktop.
        • Exit Dr.Web Cureit.
        • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
        • After reboot, Right-click the Dr.Web log on the desktop and choose Open With > Notepad
        • Copy and paste that log in the next reply

        cthis


          Re: Why me? please help!!
          « Reply #22 on: December 02, 2008, 07:01:47 AM »
          I get off around six or so central time so I'll make sure and get that done. You're a life saver. I use my laptop for both work and home and have some very important client info on here that I can't afford to lose. Thanks again.

          cthis


            Re: Why me? please help!!
            « Reply #23 on: December 02, 2008, 05:51:10 PM »
            At the end of the scan it prompts me to select all and then four options. Cure, rename, move, or delete. What should I do?

            evilfantasy

            Re: Why me? please help!!
            « Reply #24 on: December 02, 2008, 05:52:27 PM »
            Either move or delete.

            cthis


              Re: Why me? please help!!
              « Reply #25 on: December 02, 2008, 06:10:27 PM »
              Okay, as it was going through the scan it deleted both SDFix and ComboFix. No big deal. It did find a trojan and several other malwares on my machine. I wonder why these weren't caught by all the other programs I've run so far? Weird, huh. Here is the log.

              ComboFix.exe\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\Carl Dant\Desktop\ComboFix.exe;Program.PsExec.171;;
              ComboFix.exe;C:\Documents and Settings\Carl Dant\Desktop;Archive contains infected objects;Moved.;
              SDFix.exe\SDFix\apps\Process.exe;C:\Documents and Settings\Carl Dant\Desktop\SDFix.exe;Tool.Prockill;;
              SDFix.exe;C:\Documents and Settings\Carl Dant\Desktop;Archive contains infected objects;Moved.;
              pifCrawl.exe;C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08};Trojan.Swizzor.based;Deleted.;
              aolcinst.exe\core.cab\GTDOWNAO_106.ocx;C:\Program Files\Online Services\AOL Setup\comps\coach\aolcinst.exe;Adware.Gdown;;
              aolcinst.exe;C:\Program Files\Online Services\AOL Setup\comps\coach;Archive contains infected objects;Moved.;
              A0001873.EXE;C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP13;Program.PsExec.170;;
              A0001922.exe\32788R22FWJFW\psexec.cfexe;C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP13\A0001922.exe;Program.PsExec.171;;
              A0001922.exe;C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP13;Archive contains infected objects;Moved.;
              A0001923.exe\SDFix\apps\Process.exe;C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP13\A0001923.exe;Tool.Prockill;;
              A0001923.exe;C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP13;Archive contains infected objects;Moved.;
              A0001924.exe;C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP13;Trojan.Swizzor.based;Deleted.;
              A0001925.exe\core.cab\GTDOWNAO_106.ocx;C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP13\A0001925.exe;Adware.Gdown;;
              A0001925.exe;C:\System Volume Information\_restore{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP13;Archive contains infected objects;Moved.;

              evilfantasy

              Re: Why me? please help!!
              « Reply #26 on: December 02, 2008, 08:04:31 PM »
              Actually all of that was either already in a quarantined folder or very low level adware, plus corrupted System Restore Points.

              Download ATF Cleaner by Atribune to your Desktop.

              Alternate download link

              Note: Vista users must use Run As Administrator
              • Under Main: Select Files to Delete choose: Select All.
              • Click the Empty Selected button.
              • If you use Firefox browser click Firefox at the top and choose: Select All
              • Click the Empty Selected button.
                If you would like to keep your saved passwords click No at the prompt.
              • If you use Opera browser click Opera at the top and choose: Select All
              • Click the Empty Selected button.
                If you would like to keep your saved passwords click No at the prompt.
              • Click Exit on the Main menu to close the program.
              Note that your system will run slower for a reboot or two after having used this tool so don't panic.

              ----------

              Download OTCleanIt.exe and save it to your Desktop.
              • Double-click OTCleanIt.exe.
              • Click the CleanUp! button.
              • Select Yes when the "Begin cleanup Process?" prompt appears.
              • If you are prompted to Reboot during the cleanup, select Yes.
              • The tool will delete itself once it finishes, if not delete it yourself.
              Important: Restart the computer before continuing.

              ----------

              How is the computer running now?
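Dr.Web CureIt writes its report as semicolon-separated fields (object, path, threat, action), and an object found inside an archive is written as container\inner, which is why the log above shows paired lines for ComboFix.exe and SDFix.exe. As an added example that is not from the thread or from Dr.Web, here is a small Python triage script that parses lines in that layout and buckets each detection roughly the way the reply above did: hits on the cleanup tools themselves, entries inside old System Restore points, adware, and live files that were not removed. The sample lines, the bucket names and the REMOVAL_TOOLS set are constructed assumptions.

```python
from collections import Counter

# Constructed sample lines in the Dr.Web CureIt report layout
# (object;path;threat;action;). A nested object is "container\inner";
# the user name and GUIDs are placeholders, not values from the thread.
SAMPLE_REPORT = r"""
ComboFix.exe\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\USER\Desktop\ComboFix.exe;Program.PsExec.171;;
ComboFix.exe;C:\Documents and Settings\USER\Desktop;Archive contains infected objects;Moved.;
pifCrawl.exe;C:\Program Files\Common Files\Symantec Shared\PIF\{GUID};Trojan.Swizzor.based;Deleted.;
A0001924.exe;C:\System Volume Information\_restore{GUID}\RP13;Trojan.Swizzor.based;Deleted.;
A0001925.exe\core.cab\GTDOWNAO_106.ocx;C:\System Volume Information\_restore{GUID}\RP13\A0001925.exe;Adware.Gdown;;
bad.dll;C:\WINDOWS\system32;Trojan.Swizzor.based;;
"""

# Cleanup tools the helper had the user run: the PsExec/Process.exe they bundle
# trip signatures but are not the infection (assumed list, not from Dr.Web).
REMOVAL_TOOLS = {"combofix.exe", "sdfix.exe"}


def parse_report(text):
    """Turn report lines into dicts; lines without four fields are skipped."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split(";")
        if len(parts) < 4:
            continue
        obj, path, threat, action = parts[:4]
        entries.append({
            "object": obj, "path": path, "threat": threat,
            "action": action.rstrip(".") or "none",   # "" means nothing was done
            "nested": "\\" in obj,                     # found inside an archive
            "container": obj.split("\\")[0].lower(),   # outermost file on disk
        })
    return entries


def classify(entry):
    """Triage bucket: where does the detection live and does it still matter?"""
    if "system volume information\\_restore" in entry["path"].lower():
        return "restore-point"     # only revived by rolling back System Restore
    if entry["container"] in REMOVAL_TOOLS:
        return "removal-tool"      # signature hit on the cleanup tool itself
    if entry["threat"].lower().startswith("adware"):
        return "adware"
    return "live-file"


def summarize(entries):
    """Count (bucket, action) pairs so 'Deleted' vs 'none' is visible at a glance."""
    return Counter((classify(e), e["action"]) for e in entries)


def still_present(entries):
    """Live-file detections Dr.Web neither moved nor deleted: these need follow-up."""
    return [e for e in entries if classify(e) == "live-file" and e["action"] == "none"]
```

Running `summarize(parse_report(SAMPLE_REPORT))` separates the restore-point and tool hits from the one live detection left untouched, which is the line a helper would ask about next.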

              cthis


                Re: Why me? please help!!
                « Reply #27 on: December 03, 2008, 09:03:43 PM »
                Wow, looks like a lot of people have problems. You guys are great! Well, everything looks fine so far. Startup is a little slow, but it does say that it will be slow for a reboot or two, so we'll see. What do you know about DVD Fab Decrypter? Have you heard of it causing any trouble?

                evilfantasy

                Re: Why me? please help!!
                « Reply #28 on: December 03, 2008, 10:45:15 PM »
                I wouldn't trust it. See HERE

                ----------

                Set a New Restore Point to prevent possible reinfection from an old one
                Setting a new restore point AFTER cleaning your system will enable your computer to roll-back to a clean working state if needed.
                • Go to Start > Programs > Accessories > System Tools and click System Restore
                • Choose the radio button marked Create a Restore Point on the first screen then click Next Give the Restore Point a name then click Create.
                • The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
                • Next go to Start > Run and type Cleanmgr
                • Click OK
                • Click the More Options Tab.
                • Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one.
                You can find instructions on how to enable and re-enable system restore here:

                Windows XP System Restore Guide or Windows Vista System Restore Guide
                ----------

                Use the Secunia Software Inspector to check for out of date software.
                • Click Start Now
                • Check the box next to Enable thorough system inspection.
                • Click Start
                • Allow the scan to finish and scroll down to see if any updates are needed.
                • Update anything listed.
                ----------

                Go to Microsoft Windows Update and get all critical updates.

                ----------

                Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources so won't slow down your PC.

                Concerned about Browser Security? Consider using Mozilla Firefox 3.0 with Adblock Plus and NoScript

                To prevent unknown applications from being installed on your computer install WinPatrol 2008
                * Using Winpatrol to protect your computer from malicious software

                I suggest using SiteAdvisor. SiteAdvisor rates sites on business practices and spam. Safety ratings from McAfee SiteAdvisor are based on automated safety tests of Web sites.

                SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
                * Using SpywareBlaster to protect your computer from Spyware and Malware
                * If you don't know what ActiveX controls are, see here

                Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

                Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.