
Author Topic: is2010virus  (Read 22953 times)


evilfantasy

  • Malware Removal Specialist
  • Moderator


  • Genius
  • Calm like a bomb
  • Thanked: 493
  • Experience: Experienced
  • OS: Windows 11
Re: is2010virus
« Reply #30 on: January 24, 2010, 07:25:59 PM »
Okay hold on a second while I look it over. Wait till I give the go-ahead on the above instructions.

blacksheep555

    Topic Starter


    Rookie
    Re: is2010virus
    « Reply #31 on: January 24, 2010, 07:27:18 PM »
    I'm so stupid. I'm sorry guys, you're dealing with a GREENHORN for sure.

    evilfantasy

    Re: is2010virus
    « Reply #32 on: January 24, 2010, 07:31:22 PM »
    It's not your fault. This shouldn't have happened. You're one of the unlucky few who ran CF while it had this bug.

    Go ahead with the instructions from post # 28 now. http://www.computerhope.com/forum/index.php/topic,98595.msg669868.html#msg669868

    blacksheep555

      Re: is2010virus
      « Reply #33 on: January 24, 2010, 07:33:51 PM »
      Ok, be back soon (I hope) ::)

      evilfantasy

      Re: is2010virus
      « Reply #34 on: January 24, 2010, 07:35:04 PM »
      It might take a while since it will be restoring files. Just give it time to finish.

      blacksheep555

        Re: is2010virus
        « Reply #35 on: January 24, 2010, 07:36:03 PM »
        No, I don't have it back.

        evilfantasy

        Re: is2010virus
        « Reply #36 on: January 24, 2010, 07:40:46 PM »
        Okay go back into the Quarantine folder and right click on ComboFix.exe.vir. The file path is C:\Qoobox\Quarantine\C\Documents and Settings\HP_Administrator.YOUR-4DACD0EA75\Desktop\ComboFix.exe.vir

        Right click ComboFix.exe.vir and rename it to ComboFix.exe

        Then right click combofix.exe and choose Cut.

        Right click on your desktop and choose Paste.

        You should now have ComboFix back on your desktop.

        blacksheep555

          Re: is2010virus
          « Reply #37 on: January 24, 2010, 07:48:04 PM »
          Ok, got it now. Continuing with instructions...

          evilfantasy

          Re: is2010virus
          « Reply #38 on: January 24, 2010, 07:49:30 PM »
          Okay.  :)

          blacksheep555

            Re: is2010virus
            « Reply #39 on: January 24, 2010, 08:08:14 PM »
            Ok, I think I have everything back. Attaching quarantine log.

            [Saving space, attachment deleted by admin]

            evilfantasy

            Re: is2010virus
            « Reply #40 on: January 24, 2010, 08:11:15 PM »
            Good job.

            Scan your computer with Panda ActiveScan

            * Once you are on the Panda site click the Scan your PC now button.
            * A new window will open...click the Scan Now button.
            * If it wants to install an ActiveX component allow it.
            * It will start downloading the files it requires for the scan. (Note: It may take a couple of minutes)
            * You may get a warning from Internet Explorer that Panda is ready to install, please allow it.
            * The scan will begin. Please be patient as it can take an hour or more to complete.
            * When the scan completes, if anything malicious is detected, click the Export to: button (looks like a little Notepad).
            * Save the ActiveScan.txt to a convenient location like your desktop.
            * Note: You do not need to select any of the Disinfect options. We will remove any threats manually.

            * Post the contents of the ActiveScan report in your next reply.

            evilfantasy

            Re: is2010virus
            « Reply #41 on: January 24, 2010, 08:44:45 PM »
            There is another issue that has come to light.

            Please do this after (or before) the Panda scan. Just don't do it while running any scans.

            Open notepad and copy/paste the text in the Code box below into it (but not the word quote):

            Code:
            rem Set the Hidden attribute on the desktop.ini file in each Startup folder
            attrib +h "c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Start Menu\Programs\Startup\desktop.ini"
            attrib +h "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini"
            attrib +h "c:\documents and settings\Administrator\Start Menu\Programs\Startup\desktop.ini"
            attrib +h "c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini"

            Save this as fix.bat. Choose to "Save type as - All Files"

            Double click on fix.bat & allow it to run.

            A reboot should confirm that the fix is complete.

            blacksheep555

              Re: is2010virus
              « Reply #42 on: January 24, 2010, 11:39:48 PM »
              Here is the ActiveScan log you requested. For as long as it took, I figured it would be bigger.
              ;**********************************************************************************
              ANALYSIS: 2010-01-25 00:19:25
              PROTECTIONS: 1
              MALWARE: 6
              SUSPECTS: 2
              ;*****************************************************************************************
              PROTECTIONS
              Description                                  Version                       Active    Updated
              ;==============================================================================
              AVG Anti-Virus Free                          9.0                           Yes       Yes
              ;==============================================================================
              MALWARE
              Id        Description                        Type                Active    Severity  Disinfectable  Disinfected Location
              ;===========================================================================
              00167642  Cookie/Com.com                     TrackingCookie      No        0         Yes            No           c:\documents and settings\hp_administrator.your-4dacd0ea75\cookies\hp_administrator@com[1].txt
              00168056  Cookie/YieldManager                TrackingCookie      No        0         Yes            No           c:\documents and settings\hp_administrator.your-4dacd0ea75\cookies\[email protected][1].txt
              00377802  Spyware/PeoplePC                   Spyware             No        0         Yes            No           c:\program files\online services\peoplepc\isp5900\dll\ras.dll
              02885963  Rootkit/Booto.C                    Virus/Worm          No        0         Yes            No           c:\system volume information\_restore{106cf321-99a3-4e3a-9103-1bd027606a99}\rp29\a0012153.sys
              03983016  Generic Malware                    Virus/Trojan        No        0         Yes            No           c:\program files\updates from hp\9972322\program\interop.shdocvw.dll
              05898765  Trj/Nabload.DPS                    Virus/Trojan        No        0         No             No           c:\system volume information\_restore{106cf321-99a3-4e3a-9103-1bd027606a99}\rp29\a0012093.exe[32788r22fwjfw\catchme.cfxxe]
              05898765  Trj/Nabload.DPS                    Virus/Trojan        No        0         No             No           c:\system volume information\_restore{106cf321-99a3-4e3a-9103-1bd027606a99}\rp29\a0011508.exe[32788r22fwjfw\catchme.cfxxe]
              05898765  Trj/Nabload.DPS                    Virus/Trojan        No        0         No             No           c:\documents and settings\hp_administrator.your-4dacd0ea75\desktop\combofix.exe[32788r22fwjfw\catchme.cfxxe]
              ;===========================================================================
              SUSPECTS
              Sent      Location
              ;==========================================================================
              No        c:\hp\recovery\wizard\swr_wizard.exe
              No        c:\program files\online services\msn90\pkgs\en\us\msncli.exe[c:\program files\online services\msn90\pkgs\en\us\msncli.exe][mailares.dll]
              ;===========================================================================
              VULNERABILITIES
              Id        Severity       Description
              ;===========================================================================
              « Last Edit: January 24, 2010, 11:46:55 PM by evilfantasy »

              evilfantasy

              Re: is2010virus
              « Reply #43 on: January 24, 2010, 11:46:06 PM »
              That looks good. We will take care of those files now.

              Download OTC by OldTimer and save it to your desktop.

              1. Double-click OTC to run it.
              2. Click the CleanUp! button.
              3. Select Yes when the "Begin cleanup Process?" prompt appears.
              4. If you are prompted to Reboot during the cleanup, select Yes
              5. OTC should delete itself once it finishes, if not delete it yourself.

              ----------

              Disable/Enable the System Restore Utility to flush old infected restore points

              1) Right click the My Computer icon on the Desktop and click on Properties.
              2) Click on the System Restore tab.
              3) Put a check mark next to Turn off System Restore on All Drives
              4) Click the OK button.
              5) You will be prompted to restart the computer. Click the Yes button.

              Now re-enable System Restore

              To re-enable the System Restore Utility, follow steps one to five and on step three remove the check mark next to 'Turn off System Restore on All Drives'.

              1) Right click the My Computer icon on the Desktop and click on Properties.
              2) Click on the System Restore tab.
              3) Remove the check mark next to Turn off System Restore on All Drives
              4) Click the OK button.

              ----------

              Use the Secunia Software Inspector to check for out of date software.
              • Click Start Now
              • Check the box next to Enable thorough system inspection.
              • Click Start
              • Allow the scan to finish and scroll down to see if any updates are needed.
              • Update anything listed.
              ----------

              Go to Microsoft Windows Update and get all critical updates.

              ----------

              I recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no realtime protection so will not interfere with each other. They do not use any significant amount of resources (except a little disk space) until you run a scan.

              I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

              SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
              * Using SpywareBlaster to protect your computer from Spyware and Malware
              * If you don't know what ActiveX controls are, see here

              Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

              Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

              Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.
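
Added example, not part of the original thread: a small Python parser for the MALWARE table of the ActiveScan report posted in reply #42. It groups detections by where the file sits, so entries inside System Restore restore points (the ones the disable/re-enable step flushes) are separated from cookies and from files in the live file system. The bucket names and the two-or-more-spaces column split are assumptions based on the rows shown here.

```python
import re
from collections import defaultdict

# Sample input: header, ruler and five rows copied from the MALWARE table in this thread.
SAMPLE = r"""
Id        Description                        Type                Active    Severity  Disinfectable  Disinfected Location
;===========================================================================
00167642  Cookie/Com.com                     TrackingCookie      No        0         Yes            No           c:\documents and settings\hp_administrator.your-4dacd0ea75\cookies\hp_administrator@com[1].txt
02885963  Rootkit/Booto.C                    Virus/Worm          No        0         Yes            No           c:\system volume information\_restore{106cf321-99a3-4e3a-9103-1bd027606a99}\rp29\a0012153.sys
03983016  Generic Malware                    Virus/Trojan        No        0         Yes            No           c:\program files\updates from hp\9972322\program\interop.shdocvw.dll
05898765  Trj/Nabload.DPS                    Virus/Trojan        No        0         No             No           c:\system volume information\_restore{106cf321-99a3-4e3a-9103-1bd027606a99}\rp29\a0012093.exe[32788r22fwjfw\catchme.cfxxe]
05898765  Trj/Nabload.DPS                    Virus/Trojan        No        0         No             No           c:\documents and settings\hp_administrator.your-4dacd0ea75\desktop\combofix.exe[32788r22fwjfw\catchme.cfxxe]
"""

FIELDS = ("id", "description", "type", "active", "severity",
          "disinfectable", "disinfected", "location")
ROW = re.compile(r"^\d{8}\s{2,}")  # data rows start with the 8-digit Id column

def parse_rows(text):
    """Yield one dict per data row; headers, rulers and blank lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not ROW.match(line):
            continue
        # Assumption: columns are split by 2+ spaces; values contain single spaces only.
        parts = re.split(r"\s{2,}", line, maxsplit=len(FIELDS) - 1)
        if len(parts) == len(FIELDS):
            yield dict(zip(FIELDS, parts))

def bucket(row):
    """Classify a detection by file location (bucket names are this example's own)."""
    path = row["location"].lower()
    if "\\system volume information\\_restore" in path:
        return "restore_point"   # copy held inside a System Restore restore point
    if "\\cookies\\" in path:
        return "cookie"
    return "live_file"           # file in the normal file system

def triage(text):
    """Group (description, active) pairs by bucket."""
    groups = defaultdict(list)
    for row in parse_rows(text):
        groups[bucket(row)].append((row["description"], row["active"]))
    return dict(groups)

if __name__ == "__main__":
    for name, hits in triage(SAMPLE).items():
        print(f"{name}: {hits}")
```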

              blacksheep555

                Re: is2010virus
                « Reply #44 on: January 24, 2010, 11:50:17 PM »
                I will get on this. Didn't know if you needed this log from reboot:

                [.ShellClassInfo]
                LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787