
Author Topic: Help please Daughter's laptop infected while doing homework  (Read 8203 times)

worried mom

    Topic Starter


    Greenhorn

    • Experience: Beginner
    • OS: Unknown
    Help please Daughter's laptop infected while doing homework
    « on: March 20, 2011, 03:03:38 PM »
    My Daughter was doing her homework when all of a sudden windows defender came up (she did have Norton's) advising her of the following

    Attacker ID 101.123.34.123
    Attacker type RCPT exploit
    These threats include the following:
    BrowserModifier : win32/BaiduSobar
    PWS: Win32/Freethog.gen!B
    Worm:Win32/Sality.AM
    BrowserModifier: Win32 BaiduSobar
    PWS:Win32/Yahoopass.A
    virus: Win32/mabezat.B
    trojan: win32/FakeXPA
    Spammer: win32/ Tedroo.AA
    Trojan: Win32/ Alureon.gen!U
    Adware: Win32/Hotbar
    trojandownloader: win32/Renos.JI
    Adware: Win32/CnsMin
    BrowserModifier: Win32/Zwang1
    worm: win32/Taterf.gen!A
    worm: win32/Confiker.B
    Trojan: Win32/Yektel.A
    Trojan: Win32/Hiloyi.gen!A

    messages pop up with the following

    "Spyware.IEMonster is going to send passwords from internet browsers to third parties."
    "Suspicious activity in your registry system space was detected. rogue Malware detected in your system.  Data leaks and system damage are possible. please use a deep scan option."
    "Keylogger activity detected! Your account in socail network is under attack"

    It keeps trying to get her to go to Internet Defender website to buy something for $75.00 as her "key is invalid"

    So I have it running in safe mode, opened in different browser and downloading MW Malicious software removal tool (still running but showing nothing infected so far)

    I also changed her over to Kaspersky (which is what I run on mine) as it appears Norton's did nothing. She is petrified as she has three assignments she was working on... and too afraid to do anything.

    She runs Win 7 had all updates done,  and we are running Wifi from our home so are all three of our computers infected?

    I am NO techy, no clue how to help her, dear Heaven's the most I know about computers are going to my favourites on the internet :(

    What is this "thing" that got into her computer and how do we get it out??

    Thank you for ANY and all help and advice

    Allan

    • Moderator

    • Mastermind
    • Thanked: 1260
    • Experience: Guru
    • OS: Windows 10
    Re: Help please Daughter's laptop infected while doing homework
    « Reply #1 on: March 20, 2011, 03:06:40 PM »
    Please follow the instructions in the following link and post your logs:
    http://www.computerhope.com/forum/index.php/topic,46313.0.html

    worried mom

      Topic Starter


      Greenhorn

      • Experience: Beginner
      • OS: Unknown
      Re: Help please Daughter's laptop infected while doing homework
      « Reply #2 on: March 20, 2011, 03:13:12 PM »
      Sorry, I am NOT computer literate at all... what are logs?

      Allan

      • Moderator

      • Mastermind
      • Thanked: 1260
      • Experience: Guru
      • OS: Windows 10
      Re: Help please Daughter's laptop infected while doing homework
      « Reply #3 on: March 20, 2011, 03:17:51 PM »
      Just click on the link in my post and follow the instructions please.

      worried mom

        Topic Starter


        Greenhorn

        • Experience: Beginner
        • OS: Unknown
        Re: Help please Daughter's laptop infected while doing homework
        « Reply #4 on: March 20, 2011, 03:38:18 PM »
        Sorry I am an idiot..do I have to do this all from her laptop and take it out of safe mode?  Is it safe to access the internet out of safe mode?

        SuperDave

        • Malware Removal Specialist
        • Moderator


        • Genius
        • Thanked: 1020
        • Certifications: List
        • Experience: Expert
        • OS: Windows 10
        Re: Help please Daughter's laptop infected while doing homework
        « Reply #5 on: March 20, 2011, 06:52:31 PM »
        Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

        1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
        2. The fixes are specific to your problem and should only be used for this issue on this machine.
        3. If you don't know or understand something, please don't hesitate to ask.
        4. Please DO NOT run any other tools or scans while I am helping you.
        5. It is important that you reply to this thread. Do not start a new topic.
        6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
        7. Absence of symptoms does not mean that everything is clear.

        If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
        ***********************************************
        I have bad news if it is actually the Sality infection. Please read below.
        We can try to run two scans that will verify if it's Sality.


        Read about the Sality virus infection: This is the malware that exploits the .lnk vulnerability.

        Sality is a family of file infecting viruses that spread by infecting exe and scr files. The virus also includes an autorun worm component that allows it to spread to any removable or discoverable drive. In addition, Sality includes a downloader trojan component that installs additional malware via the Web.

        It then creates and starts a service to load the driver. The driver blocks access to a variety of security software vendor web sites. The virus then disables security software services and ends security software processes. It also disables registry editing and the task manager.

        Sality

        Additional information about Sality:
        Windows fails to correctly parse shortcut files, identified by the ".lnk" extension. The flaw has been exploited most frequently using USB flash drives. By crafting a malicious .lnk file, hackers can hijack a Windows PC with little user interaction: All that's necessary is that the user views the contents of the USB drive with a file manager like Windows Explorer.

        Tests showed that the exploit works even when AutoRun and AutoPlay -- two functions that have previously been used by attackers to commandeer PCs using infected flash drives -- are disabled. The rootkit also bypasses all security mechanisms in Windows, including the User Account Control (UAC) prompts in Vista and Windows 7, ...
        Worm is named Win32/Stuxnet.A.

        Because of these actions, we recommend you do a reformat/reinstall. Attempts to clean this virus to include the backdoor capability usually fail.
        *********************************************************
        Please download Malwarebytes Anti-Malware from here.
        Double Click mbam-setup.exe to install the application.
        • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
        • If an update is found, it will download and install the latest version.
        • Once the program has loaded, select "Perform Full Scan", then click Scan.
        • The scan may take some time to finish, so please be patient.
        • When the scan is complete, click OK, then Show Results to view the results.
        • Make sure that everything is checked, and click Remove Selected.
        • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
        • Please save the log to a location you will remember.
        • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
        • Copy and paste the entire report in your next reply.
        Extra Note:

        If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
        *******************************************
        I'd like to scan your machine with ESET OnlineScan

        • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
          ESET OnlineScan
        • Click the button.
        • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
          • Click on to download the ESET Smart Installer. Save it to your desktop.
          • Double click on the icon on your desktop.
        • Check
        • Click the button.
        • Accept any security warnings from your browser.
        • Check
        • Push the Start button.
        • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
        • When the scan completes, push
        • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
        • Push the button.
        • Push
        A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt
        Windows 8 and Windows 10 dual boot with two SSD's

        worried mom

          Topic Starter


          Greenhorn

          • Experience: Beginner
          • OS: Unknown
          Re: Help please Daughter's laptop infected while doing homework
          « Reply #6 on: March 20, 2011, 07:50:06 PM »
          Thank you Dave. I am currently logged on my daughter's computer and Malwarebytes is running... how long does it usually take to scan?  I am so sorry I am so clueless with all of this, I feel like an idiot

          worried mom

            Topic Starter


            Greenhorn

            • Experience: Beginner
            • OS: Unknown
            Re: Help please Daughter's laptop infected while doing homework
            « Reply #7 on: March 21, 2011, 09:09:49 AM »
            Results of Malwarebytes

            Malwarebytes' Anti-Malware 1.50.1.1100
            www.malwarebytes.org

            Database version: 6113

            Windows 6.1.7601 Service Pack 1
            Internet Explorer 8.0.7601.17514

            21/03/2011 6:46:25 AM
            mbam-log-2011-03-21 (06-46-08).txt

            Scan type: Full scan (C:\|)
            Objects scanned: 392751
            Time elapsed: 2 hour(s), 30 minute(s), 41 second(s)

            Memory Processes Infected: 0
            Memory Modules Infected: 0
            Registry Keys Infected: 0
            Registry Values Infected: 1
            Registry Data Items Infected: 0
            Folders Infected: 0
            Files Infected: 5

            Memory Processes Infected:
            (No malicious items detected)

            Memory Modules Infected:
            (No malicious items detected)

            Registry Keys Infected:
            (No malicious items detected)

            Registry Values Infected:
            HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\8c8f1c28-f053-4fd6-98c9-fd05d858aba9_39 (Trojan.FakeAlert) -> Value: 8c8f1c28-f053-4fd6-98c9-fd05d858aba9_39 -> No action taken.

            Registry Data Items Infected:
            (No malicious items detected)

            Folders Infected:
            (No malicious items detected)

            Files Infected:
            c:\programdata\8c8f1c28-f053-4fd6-98c9-fd05d858aba9_.mkv (Trojan.FakeAlert) -> No action taken.
            c:\programdata\8c8f1c28-f053-4fd6-98c9-fd05d858aba9_39.avi (Trojan.FakeAlert) -> No action taken.
            c:\programdata\8c8f1c28-f053-4fd6-98c9-fd05d858aba9_39.ico (Trojan.FakeAlert) -> No action taken.
            c:\Users\shannon leblanc\Desktop\system defender.lnk (Rogue.SystemDefender) -> No action taken.
            c:\Users\shannon leblanc\AppData\Roaming\microsoft\internet explorer\quick launch\system defender.lnk (Rogue.SystemDefender) -> No action taken.

            I then ran the ESET as requested after and this came up

            C:\Program Files (x86)\Uniblue\RegistryBooster\Launcher.exe   a variant of Win32/RegistryBooster application
            C:\Program Files (x86)\Uniblue\RegistryBooster\registrybooster.exe   Win32/RegistryBooster application
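
The Malwarebytes log in the post above lists every detection with "No action taken", meaning the items were found but not removed. The following is an added example, not part of the original thread or of Malwarebytes itself: a small parser for that log layout which separates unremoved detections, Run-key autostart entries, and summary counts that do not match the itemised lines. The sample log is constructed, its names and paths are placeholders, and the "Quarantined and deleted successfully" line is an assumed example of a removed item.

```python
import re
from dataclasses import dataclass

# Line shapes seen in the Malwarebytes' Anti-Malware 1.50 log posted above.
COUNT = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<n>\d+)$")
SECTION = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# Greedy path so "Program Files (x86)" stays in the path; the detection
# name is the last parenthesised token that is followed by " -> ".
ITEM = re.compile(r"^(?P<path>.+) \((?P<name>[^()]+)\) -> (?P<rest>.+)$")

@dataclass
class Detection:
    section: str
    path: str
    name: str
    action: str

def parse_mbam_log(text):
    """Return (summary counts, detections) from an MBAM 1.x text log."""
    counts, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := COUNT.match(line):
            counts[m["section"]] = int(m["n"])
        elif m := SECTION.match(line):
            section = m["section"]
        elif section and (m := ITEM.match(line)):
            action = m["rest"].split(" -> ")[-1].rstrip(".")
            detections.append(Detection(section, m["path"], m["name"], action))
    return counts, detections

def triage(text):
    """Flag what still needs attention after a scan."""
    counts, dets = parse_mbam_log(text)
    found = {s: sum(d.section == s for d in dets) for s in counts}
    return {
        # Detected but left in place: the scan must be re-run with removal.
        "unresolved": [d for d in dets if d.action.lower() == "no action taken"],
        # Run-key values relaunch the program at every logon.
        "autoruns": [d for d in dets if d.section.startswith("Registry")
                     and "\\currentversion\\run" in d.path.lower()],
        # Summary totals that disagree with the itemised lines (truncated paste).
        "count_mismatch": {s: (n, found[s]) for s, n in counts.items() if n != found[s]},
    }

# Constructed sample in the same layout; names and paths are placeholders.
SAMPLE_LOG = r"""
Registry Values Infected: 1
Files Infected: 3

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\EXAMPLE-VALUE (Trojan.FakeAlert) -> Value: EXAMPLE-VALUE -> No action taken.

Files Infected:
c:\programdata\EXAMPLE-VALUE.avi (Trojan.FakeAlert) -> No action taken.
c:\Program Files (x86)\Example\tool.exe (Example.Detection) -> Quarantined and deleted successfully.
c:\Users\example\Desktop\system defender.lnk (Rogue.SystemDefender) -> No action taken.
"""

if __name__ == "__main__":
    for d in triage(SAMPLE_LOG)["unresolved"]:
        print(f"still present: {d.name}  {d.path}")
```
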

            SuperDave

            • Malware Removal Specialist
            • Moderator


            • Genius
            • Thanked: 1020
            • Certifications: List
            • Experience: Expert
            • OS: Windows 10
            Re: Help please Daughter's laptop infected while doing homework
            « Reply #8 on: March 21, 2011, 01:09:06 PM »
            Well, that looks encouraging. Please run MBAM again and this time fix the infections and post the log. Let's continue with more scans.

            SUPERAntiSpyware

            If you already have SUPERAntiSpyware be sure to check for updates before scanning!


            Download SuperAntispyware Free Edition (SAS)
            * Double-click the icon on your desktop to run the installer.
            * When asked to Update the program definitions, click Yes
            * If you encounter any problems while downloading the updates, manually download and unzip them from here
            * Next click the Preferences button.

            •Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts
            * Click the Scanning Control tab.
            * Under Scanner Options make sure only the following are checked:

            •Close browsers before scanning
            •Scan for tracking cookies
            •Terminate memory threats before quarantining
            Please leave the others unchecked

            •Click the Close button to leave the control center screen.

            * On the main screen click Scan your computer
            * On the left check the box for the drive you are scanning.
            * On the right choose Perform Complete Scan
            * Click Next to start the scan. Please be patient while it scans your computer.
            * After the scan is complete a summary box will appear. Click OK
            * Make sure everything in the white box has a check next to it, then click Next
            * It will quarantine what it found and if it asks if you want to reboot, click Yes

            •To retrieve the removal information please do the following:
            •After reboot, double-click the SUPERAntiSpyware icon on your desktop.
            •Click Preferences. Click the Statistics/Logs tab.

            •Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.

            •It will open in your default text editor (preferably Notepad).
            •Save the notepad file to your desktop by clicking (in notepad) File > Save As...

            * Save the log somewhere you can easily find it. (normally the desktop)
            * Click close and close again to exit the program.
            * Copy and Paste the log in your post.
            ***********************************************
            Download Security Check by screen317 from one of the following links and save it to your desktop.

            Link 1
            Link 2

            * Unzip SecurityCheck.zip and a folder named Security Check should appear.
            * Open the Security Check folder and double-click Security Check.bat
            * Follow the on-screen instructions inside of the black box.
            * A Notepad document should open automatically called checkup.txt
            * Post the contents of that document in your next reply.

            Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
            *************************************************
            Download DDS from HERE or HERE and save it to your desktop.

            Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)

            * XP users Double click on dds to run it.
            * If your antivirus or firewall try to block DDS then please allow it to run.
            * When finished DDS will open two (2) logs.

            1) DDS.txt
            2) Attach.txt

            * Save both logs to your desktop.
            * Please copy and paste the entire contents of both logs in your next reply.

            Note: DDS will instruct you to post the Attach.txt log as an attachment.
            Please just post it as you would any other log by copy and pasting it into the reply.

            worried mom

              Topic Starter


              Greenhorn

              • Experience: Beginner
              • OS: Unknown
              Re: Help please Daughter's laptop infected while doing homework
              « Reply #9 on: March 21, 2011, 02:37:29 PM »
              Ran the Malware again..is this a good thing???????

              Malwarebytes' Anti-Malware 1.50.1.1100
              www.malwarebytes.org

              Database version: 6113

              Windows 6.1.7601 Service Pack 1
              Internet Explorer 8.0.7601.17514

              21/03/2011 4:33:01 PM
              mbam-log-2011-03-21 (16-33-01).txt

              Scan type: Full scan (C:\|)
              Objects scanned: 393148
              Time elapsed: 49 minute(s), 51 second(s)

              Memory Processes Infected: 0
              Memory Modules Infected: 0
              Registry Keys Infected: 0
              Registry Values Infected: 0
              Registry Data Items Infected: 0
              Folders Infected: 0
              Files Infected: 0

              Memory Processes Infected:
              (No malicious items detected)

              Memory Modules Infected:
              (No malicious items detected)

              Registry Keys Infected:
              (No malicious items detected)

              Registry Values Infected:
              (No malicious items detected)

              Registry Data Items Infected:
              (No malicious items detected)

              Folders Infected:
              (No malicious items detected)

              Files Infected:
              (No malicious items detected)

              worried mom

                Topic Starter


                Greenhorn

                • Experience: Beginner
                • OS: Unknown
                Re: Help please Daughter's laptop infected while doing homework
                « Reply #10 on: March 21, 2011, 03:56:58 PM »
                spoke too soon I think the ESET is running and found new Trojan and is still running :(

                SuperDave

                • Malware Removal Specialist
                • Moderator


                • Genius
                • Thanked: 1020
                • Certifications: List
                • Experience: Expert
                • OS: Windows 10
                Re: Help please Daughter's laptop infected while doing homework
                « Reply #11 on: March 21, 2011, 07:53:14 PM »
                Just forget about ESET for now and run the SAS and DDS scans and post the logs.