
Author Topic: "Vista Internet Security 2010", Virus Protection Popups  (Read 6908 times)


cyncity

    Topic Starter


    Greenhorn

    "Vista Internet Security 2010", Virus Protection Popups
    « on: February 23, 2010, 11:43:44 PM »
    Earlier today I tried to download a file off MediaFire called Justin Vernon Self-Record.
    As soon as I downloaded it my computer freaked out; my default internet browser was changed from Flock to Internet Explorer. I just got a popup that says "Vista Internet Security 2010 - Unregistered Version". It says I have 22 critical system objects and lists what could happen to my system, then gives me the options to register my copy of Vista Internet Security 2010 or remind me later. I also got a popup from the same company that "scanned" my computer; I've attached a screenshot.

    About three boxes popped up: that screenshot, another one with a red bar on top saying my system was infected, and Windows Security Center or something like that, which says my firewall and malware protection are off. To be honest I'm not sure it was ever on, but I'm 98% sure it was because I've never had a problem with it before. When I type in Security in the Start Search bar it says there's a Windows Firewall and Advanced Security and Security Center, which is the one I have problems with. I've attached another screenshot of this. Every time I open a program, it always ends up the last program listed in my start bar, and for some reason Security Center does not end up on that list but Windows Firewall and Advanced Security does. When I try and click anything in Security Center, whether it be "System Restore and Backup" or "Turn on now", it just pops up with that scan again.

    My sister had a similar thing happen last week, except it progressed and she wasn't able to open anything. It would say the application could not be executed (please look at my previous thread), so we were told to do a system restore. We did, except now none of the programs will open because it can't be associated with something.

    The same virus program just gave another popup saying sensitive data may be sent over my internet connection right now. It lists the IP it was attacked from, port number, the thread (Lemena.3544). But I had also gotten this earlier and it was called Worm something.

    I have Norton Internet Security and have been running a full system scan, it hasn't caught anything.

    I was just about to post this when suddenly this tab closed. All three of my other tabs stayed open except for the one I was about to post. Maybe I'm just paranoid, but it makes me think that it KNOWS what I'm saying and doing. I don't mean to sound frank or rude, I'd just like to get this done before this tab randomly closes.

    Please, if you have any suggestions or answers, I'm open to anything; however, I am a newbie and am hesitant to inflict any further damage.

    [Saving space, attachment deleted by admin]
    « Last Edit: February 23, 2010, 11:57:46 PM by cyncity »

    Dr Jay

    • Malware Removal Specialist


    • Specialist
    • Moderator emeritus
    • Thanked: 119
    • Experience: Guru
    • OS: Windows 10
    Re: "Vista Internet Security 2010", Virus Protection Popups
    « Reply #1 on: February 24, 2010, 07:46:46 AM »
    Please visit this webpage for a tutorial on downloading and running ComboFix:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    See the area: Using ComboFix, and when done, post the log back here.
    ~Dr Jay

    cyncity


      Re: "Vista Internet Security 2010", Virus Protection Popups
      « Reply #2 on: February 24, 2010, 08:35:45 PM »
      I really hope I did this right  :-X





      ComboFix 10-02-24.01 - Cynthia 02/24/2010  19:18:52.1.2 - x86
      Microsoft® Windows Vista™ Home Premium   6.0.6001.1.1252.1.1033.18.3002.1805 [GMT -8:00]
      Running from: c:\users\Cynthia\Downloads\ComboFix.exe
      AV: ResolutionsMSP *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
      SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
      .

      (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
      .

      c:\$recycle.bin\S-1-5-21-2819002435-850761837-2018973860-500
      c:\$recycle.bin\S-1-5-21-506404324-59653650-1567083677-500
      c:\users\Cynthia\AppData\Local\av.exe

      .
      (((((((((((((((((((((((((   Files Created from 2010-01-25 to 2010-02-25  )))))))))))))))))))))))))))))))
      .

      2010-02-25 03:28 . 2010-02-25 03:28   --------   d-----w-   c:\users\Default\AppData\Local\temp
      2010-02-25 03:28 . 2010-02-25 03:28   --------   d-----w-   c:\users\Guest\AppData\Local\temp
      2010-02-25 01:56 . 2010-02-13 01:41   558448   ----a-w-   c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
      2010-02-25 01:34 . 2010-02-03 09:00   1324720   ----a-w-   c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100224.035\NAVEX15.SYS
      2010-02-25 01:34 . 2009-08-25 08:00   177520   ----a-w-   c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100224.035\NAVENG32.DLL
      2010-02-25 01:34 . 2009-08-25 08:00   1647984   ----a-w-   c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100224.035\NAVEX32A.DLL
      2010-02-25 01:34 . 2010-02-03 09:00   84912   ----a-w-   c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100224.035\NAVENG.SYS
      2010-02-25 01:34 . 2009-08-26 08:00   102448   ----a-w-   c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100224.035\ERASER.SYS
      2010-02-25 01:34 . 2009-09-22 08:00   259440   ----a-w-   c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100224.035\ECMSVR32.DLL
      2010-02-25 01:34 . 2009-08-26 08:00   371248   ----a-w-   c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100224.035\EECTRL.SYS
      2010-02-25 01:34 . 2009-12-09 09:00   2747440   ----a-w-   c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100224.035\CCERASER.DLL
      2010-02-25 01:30 . 2010-02-25 01:30   --------   d-----r-   c:\program files\Norton Support
      2010-02-20 01:35 . 2009-10-28 22:37   811896   ----a-w-   c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100218.001\Scxpx86.dll
      2010-02-20 01:35 . 2009-10-28 22:37   329592   ----a-w-   c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100218.001\IDSXpx86.sys
      2010-02-20 01:35 . 2009-10-28 22:37   343088   ----a-w-   c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100218.001\IDSvix86.sys
      2010-02-20 01:35 . 2009-10-28 22:37   488312   ----a-w-   c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100218.001\IDSxpx86.dll
      2010-02-20 01:35 . 2009-10-28 22:37   466992   ----a-w-   c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100218.001\IDSviA64.sys
      2010-02-18 08:22 . 2010-02-18 08:22   --------   d-----w-   c:\program files\iPod
      2010-02-18 08:10 . 2010-02-18 08:10   72488   ----a-w-   c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
      2010-02-10 15:09 . 2009-12-11 12:07   301568   ----a-w-   c:\windows\system32\drivers\srv.sys
      2010-02-10 15:09 . 2009-12-11 12:07   98304   ----a-w-   c:\windows\system32\drivers\srvnet.sys
      2010-02-10 15:08 . 2009-12-08 20:52   3597912   ----a-w-   c:\windows\system32\ntkrnlpa.exe
      2010-02-10 15:08 . 2009-12-08 20:52   3546200   ----a-w-   c:\windows\system32\ntoskrnl.exe
      2010-02-10 15:08 . 2009-12-08 20:52   897624   ----a-w-   c:\windows\system32\drivers\tcpip.sys
      2010-02-10 15:06 . 2009-12-28 12:35   1314816   ----a-w-   c:\windows\system32\quartz.dll
      2010-02-10 15:06 . 2009-12-28 12:32   22528   ----a-w-   c:\windows\system32\msyuv.dll
      2010-02-10 15:06 . 2009-12-28 12:32   31744   ----a-w-   c:\windows\system32\msvidc32.dll
      2010-02-10 15:06 . 2009-12-28 12:32   13312   ----a-w-   c:\windows\system32\msrle32.dll
      2010-02-10 15:06 . 2009-12-28 12:31   50176   ----a-w-   c:\windows\system32\iyuv_32.dll
      2010-02-10 15:06 . 2009-12-28 12:35   11776   ----a-w-   c:\windows\system32\tsbyuv.dll
      2010-02-10 15:06 . 2009-12-28 12:31   82944   ----a-w-   c:\windows\system32\mciavi32.dll
      2010-02-10 15:06 . 2009-12-28 12:28   65024   ----a-w-   c:\windows\system32\avicap32.dll
      2010-02-10 15:06 . 2009-12-28 12:32   123904   ----a-w-   c:\windows\system32\msvfw32.dll
      2010-02-10 15:06 . 2009-12-28 12:28   91136   ----a-w-   c:\windows\system32\avifil32.dll
      2010-02-10 15:05 . 2009-12-04 16:12   105472   ----a-w-   c:\windows\system32\drivers\mrxsmb.sys
      2010-02-10 15:05 . 2009-12-04 16:12   212992   ----a-w-   c:\windows\system32\drivers\mrxsmb10.sys
      2010-02-03 03:01 . 2010-02-03 03:01   --------   d-----w-   c:\programdata\EA Core
      2010-02-03 03:00 . 2010-02-03 03:00   --------   d-----w-   c:\programdata\Electronic Arts
      2010-01-28 00:36 . 2009-10-28 22:37   329592   ----a-w-   c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100125.001\IDSXpx86.sys
      2010-01-28 00:36 . 2009-10-28 22:37   811896   ----a-w-   c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100125.001\Scxpx86.dll
      2010-01-28 00:36 . 2009-10-28 22:37   488312   ----a-w-   c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100125.001\IDSxpx86.dll
      2010-01-28 00:36 . 2009-10-28 22:37   343088   ----a-w-   c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100125.001\IDSvix86.sys
      2010-01-28 00:36 . 2009-10-28 22:37   466992   ----a-w-   c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100125.001\IDSviA64.sys

      .
      ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      2010-02-23 07:56 . 2009-08-15 06:26   --------   d-----w-   c:\users\Cynthia\AppData\Roaming\LimeWire
      2010-02-23 07:00 . 2009-10-12 02:54   --------   d-----w-   c:\users\Cynthia\AppData\Roaming\Corel
      2010-02-23 06:58 . 2009-10-12 02:54   952   --sha-w-   c:\windows\system32\KGyGaAvL.sys
      2010-02-23 02:35 . 2009-08-11 10:25   6080   ----a-w-   c:\users\Cynthia\AppData\Local\d3d9caps.dat
      2010-02-18 08:23 . 2009-06-26 09:20   --------   d-----w-   c:\program files\iTunes
      2010-02-18 08:22 . 2009-06-26 09:16   --------   d-----w-   c:\program files\Common Files\Apple
      2010-02-14 08:21 . 2010-01-22 23:21   --------   d-----w-   c:\program files\Common Files\Adobe AIR
      2010-02-14 08:20 . 2010-01-22 23:22   38784   ----a-w-   c:\users\Cynthia\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
      2010-02-11 15:09 . 2006-11-02 11:18   --------   d-----w-   c:\program files\Windows Mail
      2010-02-03 02:59 . 2009-06-09 22:48   --------   d-----w-   c:\program files\Electronic Arts
      2010-02-02 06:33 . 2009-06-24 00:23   --------   d-----w-   c:\program files\Flock
      2010-01-21 23:48 . 2008-10-23 10:52   --------   d-----w-   c:\program files\Microsoft Silverlight
      2010-01-17 06:06 . 2009-06-26 09:21   --------   d-----w-   c:\users\Cynthia\AppData\Roaming\Apple Computer
      2010-01-17 06:04 . 2009-06-26 09:16   --------   d-----w-   c:\programdata\Apple
      2010-01-02 06:38 . 2010-01-22 00:09   916480   ----a-w-   c:\windows\system32\wininet.dll
      2010-01-02 06:32 . 2010-01-22 00:09   109056   ----a-w-   c:\windows\system32\iesysprep.dll
      2010-01-02 06:32 . 2010-01-22 00:09   71680   ----a-w-   c:\windows\system32\iesetup.dll
      2010-01-02 04:57 . 2010-01-22 00:09   133632   ----a-w-   c:\windows\system32\ieUnatt.exe
      2008-10-23 10:05 . 2008-10-23 09:55   8192   --sha-w-   c:\windows\Users\Default\NTUSER.DAT
      .

      (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      *Note* empty entries & legit default entries are not shown
      REGEDIT4

      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-06-09 2363392]
      "HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2008-09-30 972080]
      "Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2009-11-10 5244216]
      "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
      "QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2008-09-24 468264]
      "UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
      "UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2008-10-07 210216]
      "UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-12-24 222504]
      "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
      "QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-01 202032]
      "UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
      "UpdatePDIRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
      "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-21 148888]
      "HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
      "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
      "hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
      "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-03-25 141848]
      "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-03-25 175128]
      "Persistence"="c:\windows\system32\igfxpers.exe" [2009-03-25 153112]
      "AMTDeviceService"="c:\program files\AMT Media Manager\AMTDeviceService.exe" [2009-01-21 184320]
      "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
      "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
      "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
      "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]

      c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
      Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-6-20 113664]

      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
      "EnableUIADesktopToggle"= 0 (0x0)

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
      @="FSFilter Activity Monitor"

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
      @="Driver"

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
      @="Service"

      R0 SymEFA;Symantec Extended File Attributes;c:\windows\System32\drivers\NIS\1008000.029\SymEFA.sys [2/2/2010 2:25 PM 310320]
      R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\System32\drivers\NIS\1008000.029\BHDrvx86.sys [2/2/2010 2:25 PM 259632]
      R1 ccHP;Symantec Hash Provider;c:\windows\System32\drivers\NIS\1008000.029\cchpx86.sys [2/2/2010 2:24 PM 482432]
      R1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100218.001\IDSvix86.sys [2/19/2010 5:35 PM 343088]
      R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe [2/2/2010 2:24 PM 117640]
      R2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\SMINST\BLService.exe [10/23/2008 2:56 AM 365952]
      R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [5/31/2009 12:22 AM 24652]
      R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [10/23/2008 1:55 AM 193840]
      R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/29/2009 11:09 PM 102448]
      R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\System32\drivers\IntcHdmi.sys [12/5/2008 1:25 AM 112640]
      R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\drivers\NIS\1008000.029\symndisv.sys [2/2/2010 2:25 PM 48688]

      [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
      2008-06-09 17:14   451872   ----a-w-   c:\program files\Common Files\LightScribe\LSRunOnce.exe
      .
      Contents of the 'Scheduled Tasks' folder

      2010-02-24 c:\windows\Tasks\HPCeeScheduleForCynthia.job
      - c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2008-10-23 18:34]

      2010-02-25 c:\windows\Tasks\User_Feed_Synchronization-{6585B70F-EAFB-4C96-9643-B24DA9996293}.job
      - c:\windows\system32\msfeedssync.exe [2010-01-22 04:56]
      .
      .
      ------- Supplementary Scan -------
      .
      uStart Page = hxxp://www.facebook.com/home.php
      mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
      uInternet Settings,ProxyOverride = *.local
      IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
      Trusted Zone: real.com\rhap-app-4-0
      Trusted Zone: real.com\rhapreg
      .
      - - - - ORPHANS REMOVED - - - -

      WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
      HKCU-Run-Aim6 - (no file)
      HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
      HKLM-Run-SR Splash - c:\program files\SR\SRSplash.exe
      HKLM-Run-SRLogon - c:\program files\SR\srlogon.exe



      **************************************************************************

      catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
      Rootkit scan 2010-02-24 19:29
      Windows 6.0.6001 Service Pack 1 NTFS

      scanning hidden processes ... 

      scanning hidden autostart entries ...

      scanning hidden files ... 

      scan completed successfully
      hidden files: 0

      **************************************************************************

      [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Norton Internet Security]
      "ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.8.0.41\diMaster.dll\" /prefetch:1"
      .
      --------------------- LOCKED REGISTRY KEYS ---------------------

      [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
      @Denied: (A) (Users)
      @Denied: (A) (Everyone)
      @Allowed: (B 1 2 3 4 5) (S-1-5-20)
      "BlindDial"=dword:00000000

      [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
      @Denied: (A) (Users)
      @Denied: (A) (Everyone)
      @Allowed: (B 1 2 3 4 5) (S-1-5-20)
      "BlindDial"=dword:00000000

      [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
      @Denied: (A) (Users)
      @Denied: (A) (Everyone)
      @Allowed: (B 1 2 3 4 5) (S-1-5-20)
      "BlindDial"=dword:00000000
      .
      Completion time: 2010-02-24  19:33:40
      ComboFix-quarantined-files.txt  2010-02-25 03:33

      Pre-Run: 196,952,645,632 bytes free
      Post-Run: 197,864,738,816 bytes free

      - - End Of File - - 05ABAF7A4FBFE45B6A7DCB493E95630F
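Reading a ComboFix log like the one above: an added example (not part of the original post and not ComboFix's own code), in Python, that splits the log into its banner-delimited sections and lists deleted files and Run-key autostarts located in per-user directories. The section names come from the log above; the `Updater` Run value in the sample and the "per-user directory" heuristic are assumptions made for illustration.

```python
import re

# Constructed excerpt, shortened from the ComboFix log format shown in this thread.
# The "Updater" Run value is invented so that the autostart check has something to flag.
SAMPLE_LOG = r'''
ComboFix 10-02-24.01 - Cynthia 02/24/2010  19:18:52.1.2 - x86
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\$recycle.bin\S-1-5-21-2819002435-850761837-2018973860-500
c:\users\Cynthia\AppData\Local\av.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2008-09-30 972080]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-03-25 141848]
"Updater"="c:\users\Cynthia\AppData\Roaming\upd.exe" [2010-02-23 51200]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
HKLM-Run-SRLogon - c:\program files\SR\srlogon.exe
'''

BANNER = re.compile(r'^\(+\s*(.+?)\s*\)+$')                      # ((((  Title  ))))
DASHED = re.compile(r'^-[-\s]*([A-Za-z][A-Za-z ]*?)\s*-[-\s]*$')  # ---- Title ----
RUN_KEY = re.compile(r'^\[(HKEY_[^\]]+\\Run)\]$', re.I)
RUN_VAL = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')
ORPHAN = re.compile(r'^(?P<entry>\S+) - (?P<target>.+)$')

# Assumption: binaries under these directories deserve a closer look, because a
# standard user (and anything running as that user) can write there.
USER_DIRS = ("\\users\\", "\\temp\\")
BINARY_EXT = (".exe", ".dll", ".sys", ".scr")


def sections(log):
    """Map each section title to its non-empty lines ('.' separator lines dropped)."""
    out, current = {}, "header"
    for raw in log.splitlines():
        line = raw.strip()
        m = BANNER.match(line) or DASHED.match(line)
        if m:
            current = m.group(1).strip()
            out.setdefault(current, [])
        elif line and line != ".":
            out.setdefault(current, []).append(line)
    return out


def run_entries(log):
    """Return (registry key, value name, path) for every value under a ...\\Run key."""
    entries, key = [], None
    for line in sections(log).get("Reg Loading Points", []):
        if line.startswith("["):
            m = RUN_KEY.match(line)
            key = m.group(1) if m else None   # leave non-Run keys out
        elif key:
            v = RUN_VAL.match(line)
            if v:
                entries.append((key, v["name"], v["path"]))
    return entries


def in_user_dir(path):
    p = path.lower()
    return p.endswith(BINARY_EXT) and any(d in p for d in USER_DIRS)


def triage(log):
    """Collect the items an analyst would read first in a ComboFix log."""
    secs = sections(log)
    return {
        "deleted_user_exes": [p for p in secs.get("Other Deletions", []) if in_user_dir(p)],
        "user_dir_autostarts": [e for e in run_entries(log) if in_user_dir(e[2])],
        "orphans": [m.groupdict() for m in map(ORPHAN.match, secs.get("ORPHANS REMOVED", [])) if m],
    }


if __name__ == "__main__":
    for label, items in triage(SAMPLE_LOG).items():
        print(label, items)
```

Run against the full log in this post, the only binary in a per-user directory is the deleted `c:\users\Cynthia\AppData\Local\av.exe`; none of the remaining Run values point into a user profile.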

      Dr Jay

      Re: "Vista Internet Security 2010", Virus Protection Popups
      « Reply #3 on: February 25, 2010, 07:55:13 AM »
      Hi again. Please do these steps in order.

      1. Please download TFC by OldTimer to your desktop
      • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
      • It will close all programs when run, so make sure you have saved all your work before you begin.
      • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
      • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.
      2. Please download Malwarebytes Anti-Malware from Malwarebytes.org.
      Alternate link: BleepingComputer.com.
      (Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)

      Double Click mbam-setup.exe to install the application.

      (Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)
      • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
      • If an update is found, it will download and install the latest version.
      • Once the program has loaded, select "Perform Full Scan", then click Scan.
      • The scan may take some time to finish, so please be patient.
      • When the scan is complete, click OK, then Show Results to view the results.
      • Make sure that everything is checked, and click Remove Selected.
      • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
      • Please save the log to a location you will remember.
      • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
      • Copy and paste the entire report in your next reply.
      Extra Note:

      If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

      3. Please visit this webpage for instructions for downloading and running SUPERAntiSpyware (SAS) to scan and remove malware from your computer:

      http://www.bleepingcomputer.com/virus-removal/how-to-use-superantispyware-tutorial

      Post the log from SUPERAntiSpyware when you've accomplished that.

      4. Please run a free online scan with the ESET Online Scanner
      • Tick the box next to YES, I accept the Terms of Use
      • Click Start
      • When asked, allow the ActiveX control to install
      • Click Start
      • Make sure that the options Remove found threats and Scan unwanted applications are checked
      • Click Scan (This scan can take several hours, so please be patient)
      • Once the scan is completed, you may close the window
      • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
      • Copy and paste that log as a reply to this topic

      5. Post the following in your next reply:
      • MBAM log
      • SAS log
      • ESET log
      And, please tell me how your computer is doing.
      ~Dr Jay

      cyncity


        Re: "Vista Internet Security 2010", Virus Protection Popups
        « Reply #4 on: March 11, 2010, 12:06:50 AM »
        I'm so sorry it's taken so long. I've been meaning to get to this but I've been working on projects and I couldn't finish the second scan in one night, so it took me a couple of nights. I'm doing the last scan tonight, but I'm not sure if I'll have a steady internet connection for it; that might set me back a night. Again, I'm so sorry. I understand you're a volunteer and I really appreciate your help.

        I'll post the first two logs now in case the last one doesn't finish tonight.

        MBAM:

        Malwarebytes' Anti-Malware 1.44
        Database version: 3835
        Windows 6.0.6001 Service Pack 1
        Internet Explorer 8.0.6001.18882

        3/8/2010 5:32:00 AM
        mbam-log-2010-03-08 (05-32-00).txt

        Scan type: Full Scan (C:\|D:\|)
        Objects scanned: 331828
        Time elapsed: 4 hour(s), 13 minute(s), 55 second(s)

        Memory Processes Infected: 0
        Memory Modules Infected: 0
        Registry Keys Infected: 0
        Registry Values Infected: 0
        Registry Data Items Infected: 0
        Folders Infected: 0
        Files Infected: 0

        Memory Processes Infected:
        (No malicious items detected)

        Memory Modules Infected:
        (No malicious items detected)

        Registry Keys Infected:
        (No malicious items detected)

        Registry Values Infected:
        (No malicious items detected)

        Registry Data Items Infected:
        (No malicious items detected)

        Folders Infected:
        (No malicious items detected)

        Files Infected:
        (No malicious items detected)




        SAS LOG:
        Well, now I can't seem to find it, but it caught nothing at all.
        Should I redo this scan?


        Dr Jay

        Re: "Vista Internet Security 2010", Virus Protection Popups
        « Reply #5 on: March 11, 2010, 07:06:12 PM »
        Not for SAS, but try ESET, please.
        ~Dr Jay

        cyncity


          Re: "Vista Internet Security 2010", Virus Protection Popups
          « Reply #6 on: March 11, 2010, 09:01:45 PM »
          I ran ESET twice but I can't pull up a log for it. I copied and pasted C:\Program Files\EsetOnlineScanner\log.txt into the address bar and I searched through my program files but there is no ESET folder. It says it found no threats, infected files, and it didn't clean anything. It also gives me the option to uninstall the program on my computer.

          Dr Jay

          Re: "Vista Internet Security 2010", Virus Protection Popups
          « Reply #7 on: March 12, 2010, 07:23:46 AM »
          Ok. Seems clean.

          To manually create a new Restore Point
          • Go to Control Panel and select System and Maintenance
          • Select System
          • On the left select Advanced System Settings and accept the warning if you get one
          • Select System Protection Tab
          • Select Create at the bottom
          • Type in a name i.e. Clean
          • Select Create
          Now we can purge the infected ones
          • Go back to the System and Maintenance page
          • Select Performance Information and Tools
          • On the left select Open Disk Cleanup
          • Select Files from all users and accept the warning if you get one
          • In the drop down box select your main drive i.e. C
          • For a few moments the system will make some calculations
          • Select the More Options tab
          • In the System Restore and Shadow Backups select Clean up
          • Select Delete on the pop up
          • Select OK
          • Select Delete
          You are now done

          To remove all of the tools we used and the files and folders they created, please do the following:
          Please download OTC.exe by OldTimer:
          • Save it to your Desktop.
          • Double click OTC.exe.
          • Click the CleanUp! button.
          • If you are prompted to Reboot during the cleanup, select Yes.
          • The tool will delete itself once it finishes.
          Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

          ==

          Please download TFC by OldTimer to your desktop
          • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
          • It will close all programs when run, so make sure you have saved all your work before you begin.
          • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
          • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.
          ==

          Download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
          • Save it to your Desktop.
          • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
          • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
          ~Dr Jay