
Author Topic: MalWareAlarm and others attacking my computer!!  (Read 8267 times)

Hepburn

    Topic Starter


    Rookie

    MalWareAlarm and others attacking my computer!!
    « on: February 21, 2008, 03:41:58 PM »
    SOMEONE PLEASE HELP!!

    Yesterday my computer went haywire.  It all started with popups about malwarealarm saying that my computer was running slowly and click here to find problems and fix them. Of course I knew this was a fake, but even if I clicked the cancel button, it still opened a webpage where it proceeded to scan something before I was able to close the window as quickly as I could.  I began to run my spysweeper antivirus, which took about 2 hours longer than usual and froze my computer, but found and supposedly deleted 50 items, but all the while, the MalWareAlarm message kept popping up periodically.  It was at this point I googled, found this was an issue with others, but couldn't find the solution, so I came here, followed the directions of things to do before posting and as I ran all these scans, different problems arose:

    When my computer was restarted, it opened a blue screen saying there was an error in memory and to open in last known configuration. This only happened a few times before it stopped.

    After I log in to my user account, an error message pops up reading: Error loading c:\windows\system32\kxynemtw.dll  the specified module could not be found.  This message is still popping up each time I restart my computer.

    Also, a pop up balloon has occurred a few times on the bottom right task bar saying that: windows-virtual memory minimum is too low. your system is low on virtual memory. windows is increasing the size of your virtual memory paging file. During this process, memory requests for some applications may be denied. for more info see help.

    That's pretty much it, except another file download warning that keeps popping up giving me the option to deny it. It isn't always the same name.

    Can someone please help me??  I need to access my computer daily for school and my fiancee for his own business with files on our computer!!
    Attached are the various scan logs as requested:


    [file cleanup - saving space - attachment deleted by admin]

    evilfantasy

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Calm like a bomb
    • Thanked: 493
    • Experience: Experienced
    • OS: Windows 11
    Re: MalWareAlarm and others attacking my computer!!
    « Reply #1 on: February 21, 2008, 04:40:53 PM »
    Open Hijackthis and select Do a system scan only then place a check mark next to:

    R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
    O2 - BHO: (no name) - {05039447-5F58-4B2F-AEA5-303EC6AACEA2} - C:\WINDOWS\system32\nnnon.dll (file missing)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [40252847] "rundll32.exe" "C:\WINDOWS\system32\kxynemtw.dll",b
    O20 - Winlogon Notify: fccdcba - fccdcba.dll (file missing)
    O20 - Winlogon Notify: gwlhqpsu - gwlhqpsu.dll (file missing)

    Close all windows except for Hijackthis and click Fix checked.

    ----------

    Download OTMoveIt2 by OldTimer.
    • Save it to your desktop.
    • Double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      C:\WINDOWS\system32\kxynemtw.dll
    • Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTMoveIt2
    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

    ----------

    Please download Combofix by sUBs from one of the below links.
    (Try all three if necessary)
    Important! Combofix.exe MUST be saved to and run from the Desktop.
    • Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting Combofix.
    • Important! Temporarily disable your antivirus, script blocking and any antispyware real time protection before performing a scan.
      • Click this link to see a list of security programs that should be disabled and how to disable them.
      • If yours is not listed and you don't know how to disable it, please ask.
    • Warning: Combofix disconnects your computer from the internet. The connection is automatically restored before Combofix completes its run.
    • Double click combofix.exe & follow the prompts.

        • From the keyboard select 1 and press Enter
        • When finished, it will produce a log for you.
        • Post that log in your next reply.
        Warning: Do not mouseclick combofix's window while it is running. That may cause it to stall
        • If Combofix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your computer.
        • Important: Remember to re-enable your antivirus and antispyware before reconnecting to the Internet.
        ----------

        Next post add
        Combofix log
        NEW Hijackthis log
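
The entries singled out in the reply above follow HijackThis's `<section code> - <description>` line format. The following is an added example, not part of the original thread or of HijackThis itself: a small triage parser that flags orphaned entries and rundll32 autoruns. The function names, the two heuristics and the `ExampleApp` line are assumptions made for illustration; a flag means "look closer", not a verdict.

```python
import re

# HijackThis section codes seen in the reply above and what they cover.
SECTIONS = {
    "R3": "URLSearchHook",
    "O2": "Browser Helper Object",
    "O4": "Registry/Startup autorun",
    "O20": "AppInit_DLLs / Winlogon Notify",
}
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<rest>.+)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"*?<>|]+?\.(?:dll|exe)', re.IGNORECASE)

# Six entries quoted from the reply, plus one constructed benign line (ExampleApp).
SAMPLE = r"""
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: (no name) - {05039447-5F58-4B2F-AEA5-303EC6AACEA2} - C:\WINDOWS\system32\nnnon.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [40252847] "rundll32.exe" "C:\WINDOWS\system32\kxynemtw.dll",b
O20 - Winlogon Notify: fccdcba - fccdcba.dll (file missing)
O20 - Winlogon Notify: gwlhqpsu - gwlhqpsu.dll (file missing)
O4 - HKLM\..\Run: [ExampleApp] "C:\Program Files\ExampleApp\example.exe"
"""

def parse_line(line):
    """Split one log line into section code, file paths and triage reasons."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # blank line or log header, not an entry
    code, rest = m.group("code"), m.group("rest")
    reasons = []
    if "(file missing)" in rest or "(no file)" in rest:
        reasons.append("orphaned entry: target file is absent")
    if code == "O4" and "rundll32" in rest.lower():
        reasons.append("autorun loads a DLL through rundll32")
    return {"code": code, "section": SECTIONS.get(code, "other"),
            "paths": PATH_RE.findall(rest), "reasons": reasons}

def triage(log_text):
    """Return (all parsed entries, entries with at least one reason)."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    return entries, [e for e in entries if e["reasons"]]

if __name__ == "__main__":
    entries, flagged = triage(SAMPLE)
    for e in flagged:
        print(e["code"], e["section"], e["paths"], "; ".join(e["reasons"]))
```

The R3 toolbar entry is parsed but not flagged by either heuristic, which is why a reviewer still reads the whole log rather than only the flagged lines.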

      Hepburn

        Re: MalWareAlarm and others attacking my computer!!
        « Reply #2 on: February 21, 2008, 05:37:27 PM »
        Ok,
        I have followed your instructions, and attached below are the new hijack log, the OTmoveit2 pasted, and the combofix log(s)
        (about the combo fix log: I ran it twice, because the first time, I thought that I had disabled everything I needed to, but I missed the firewall, so I disabled the firewall and ran a second time. I have attached both logs though, but the second one is the 'combofix log 2' in case that saves you from reading both)
        Thanks for helping me!!

        [file cleanup - saving space - attachment deleted by admin]

        patio

        • Moderator


        • Genius
        • Maud' Dib
        • Thanked: 1769
          • Yes
        • Experience: Beginner
        • OS: Windows 7
        Re: MalWareAlarm and others attacking my computer!!
        « Reply #3 on: February 22, 2008, 10:49:56 AM »
        Welcome Aboard Audrey...

        Just letting you know you did a great job reading and following The Help Guide before posting your question...

        This is quite refreshing as EF and Chris put a lot of effort into this over time.
        If more people started there first as you did problems would be resolved much quicker.
        Good Job and again Welcome !
        " Anyone who goes to a psychiatrist should have his head examined. "

        evilfantasy

        Re: MalWareAlarm and others attacking my computer!!
        « Reply #4 on: February 22, 2008, 02:26:32 PM »
        Do you have your antivirus turned off or is this a result of the malware?


        Delete these files/folders, as follows:

        1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
        It must be Notepad, not Wordpad.
        • Click Start , then Run
        • Type notepad.exe in the Run Box.
        2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

        Code:
        Registry::
        [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
        [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
        [HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]
        [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
        [HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

        3. Go to the Notepad window and click Edit > Paste
        4. Then click File > Save
        5. Name the file CFScript.txt - Save the file to your Desktop
        6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



        ComboFix will begin to execute, just follow the prompts.
        After reboot (in case it asks to reboot), it will produce a log for you.
        Post that log (Combofix.txt) in your next reply.

        Note: Do not mouseclick combofix's window while it is running. That may cause your system to freeze

        Next post
        Combofix log
        Let me know about the Norton

        Hepburn

          Re: MalWareAlarm and others attacking my computer!!
          « Reply #5 on: February 22, 2008, 03:13:09 PM »
          Alright, I've followed your instructions and here is the new Combo fix log.

          As far as the virus protection being off, I no longer use Norton, so perhaps that is why it appears to be 'off.'  I never resubscribed this fall and instead use spy sweeper and firewall (in addition to the applications that I've downloaded as per your recommendations on the "please read before posting" post).  I've double checked and they are on, but a few times, after rebooting the computer, there was an "at risk" balloon popping up from the bottom right task bar, but when I clicked it, it showed all green checks, so I don't know why it was coming up as there being a risk.  However, after just turning them off again to run the combo fix and resetting them back on, the pop up didn't occur after restart.

          [file cleanup - saving space - attachment deleted by admin]

          evilfantasy

          Re: MalWareAlarm and others attacking my computer!!
          « Reply #6 on: February 22, 2008, 03:22:21 PM »
          The reason the security center shows all green is because Norton is still running as a service, but it is providing no protection. Antispyware and antivirus are two different things and you need to install an antivirus ASAP.

          Please run the Norton Removal Tool and then download one of the antivirus in the read this first thread. AVG or Avast! are among the best. Then run a full system scan with whichever one you choose to install.

          ----------

          Go to add remove programs and look for any of these and uninstall them if found.
          AskSBar
          Ask Toolbar
          Search bar
          Search Assistant

          Post a new HJT log please.



          Hepburn

            Re: MalWareAlarm and others attacking my computer!!
            « Reply #7 on: February 22, 2008, 04:26:13 PM »
            Well, I should have been more clear: my spy sweeper is actually Webroot Antivirus with Antisweeper by spy sweeper, so I thought I was covered.
            No matter, I was in the process of downloading AVG anyways, but it stopped and said that there was another antivirus on the computer and to cancel setup until it is removed.  I'm guessing the Webroot spy sweeper (sorry for the confusion, the name on the icon on my desktop and during start up is spy sweeper so that's what I refer to it as).
            Do you suggest uninstalling this and using AVG or Avast instead?

            Only the Ask toolbar was on my add remove programs.  I removed it.

            Attached is my new hijack this log.

            Thanks again for your help!

            [file cleanup - saving space - attachment deleted by admin]

            Hepburn

              Re: MalWareAlarm and others attacking my computer!!
              « Reply #8 on: February 22, 2008, 04:27:17 PM »
              Oh, I forgot to ask,
              Do I fix the things that come up in the hijack this?

              evilfantasy

              Re: MalWareAlarm and others attacking my computer!!
              « Reply #9 on: February 22, 2008, 08:29:08 PM »
              Did you try installing AVG after running the Norton Removal Tool? You might also try turning off Spy Sweeper prior to installing AVG.

              Spy Sweeper Antivirus provides only on-demand antivirus protection, doesn't guard against active e-mail and IM viruses and worms. There is no active protection, only after the fact removal capabilities. AVG will be a much better choice.


              Hepburn

                Re: MalWareAlarm and others attacking my computer!!
                « Reply #10 on: February 22, 2008, 08:45:15 PM »

                Yes, I turned off all spy sweeper shields and antivirus and tried to install AVG and it said another antivirus was running and it advises stopping installation and uninstalling the antivirus before resuming installation of AVG.
                Should I uninstall spy sweeper?

                evilfantasy

                Re: MalWareAlarm and others attacking my computer!!
                « Reply #11 on: February 22, 2008, 08:47:30 PM »
                Is SpySweeper a paid version?

                Hepburn

                  Re: MalWareAlarm and others attacking my computer!!
                  « Reply #12 on: February 22, 2008, 08:49:50 PM »
                  Yes, my employer bought it for their home computer (she got it from the guys at geek squad who recommended it to her) and then gave it to me to use on mine.

                  evilfantasy

                  Re: MalWareAlarm and others attacking my computer!!
                  « Reply #13 on: February 22, 2008, 08:56:53 PM »
                  Let's make sure you are shutting it down properly to start with. If this doesn't work then uninstalling it may be the next option because ultimately you need to get an AV installed.

                  SPY SWEEPER

                      * Open Spy Sweeper and click on Options > Program Options and uncheck "load at windows startup".
                      * On the left click "shields" and then uncheck everything there.
                      * Uncheck "home page shield".
                      * Uncheck "automatically restore default without notification".
                      * Exit the program.
                      * (When we are done, you can re-enable it using the same steps but this time reverse them.)


                  Also, the Hijackthis log is now clean. Besides the AVG problem how is the computer now?

                  Hepburn

                    Re: MalWareAlarm and others attacking my computer!!
                    « Reply #14 on: February 22, 2008, 09:08:22 PM »
                    The only problem I'm having now is the alarm balloon upon startup stating that some protection may be off, but as it loads during start up, it decides everything's cool and goes away.  By the way, this just started happening, so I'm hoping switching to an AV will stop it.
                    I turned spy sweeper off correctly, so I guess I'm just going to go ahead and uninstall it and get the AVG.  Other than that I think it's running smoothly!
                    Thanks for all of your time and help!!