
Author Topic: "Your System is Infected" is virus leeching my computer - help please! :)  (Read 64591 times)


pigeonpoo9

    Topic Starter


    Rookie

    Hi there
    I think I may have picked up this virus when a friend of mine used Skype on my computer - it's the only thing that's been different with regards to the use of my computer lately.
    When I started my computer today, my desktop showed a blue background with a message in red writing in a black box showing:
    "YOUR SYSTEM IS INFECTED - System has been stopped due to a serious malfunction. Spyware activity has been detected. It is recommended to use spyware removal tool to prevent data loss. Do not use the computer before all spyware removed."
    An internet webpage opened with antivirus bits and pieces, but I closed it immediately, not really thinking. I immediately ran a spyware scan through my anti-virus (PC Guard from Virgin Media), which found several spyware, including one that had some name about antivirus something-or-other - I must admit, I didn't take a note of the exact name. I then ran a virus scan which found nothing. I rebooted my computer, only to be confronted with the same thing. When I tried to bring up task manager, I got the error message "WARNING - Application cannot be executed. The file is infected. Please activate your antivirus software." (I'm still getting this message) This doesn't look 'real', and when I press Ctrl-Alt-Del again, I can get a 'real' looking message, which tells me that the Task Manager has been disabled by my administrator. At this point, my internet wouldn't work either, so I restored my system. This seemed to work at first, and I got my old background back. I ran another spyware scan, which found nothing. I rebooted, but this fake warning background came back. I know it's fake, because when I shut my computer down, it reverts back to my old background just as it's shutting down. I can now get on the internet, but still get an error message when I try to get task manager up.
    I've followed the advice on the 'Read this before requesting malware removal help' topic; I've attached my logs.

    Help would be much, much appreciated. Many thanks :)






    [attachment deleted by admin]

    raiever



      Starter

    • lol yea im 16 but i look younger with no shirt on!
      ok heyy hope this helps!!

      Click your start button, go up to run. Type "gpedit.msc" (without the quotes) and press the enter button. When the screen comes up, look on the left side. Open User configuration>administrative templates>system>CTRL+ALT+DEL options on the right side of the screen make sure that "Remove Task Manager" is set to disabled.

      If that is set correctly, or doesn't work, you need to hack your registry. Click start>run>regedit to open the editor

      with "my computer" highlighted, click file then export, Save the file to your desktop. This is your registry and if you mess up, you will need this file.

      When that is done, navigate to the following keys and make sure they are set like this.

      [HKEY_CURRENT_USER\Software\Microsoft\…
      "DisableTaskMgr"=dword:00000000

      [HKEY_CURRENT_USER\Software\Microsoft\… Policy Objects\LocalUser\Software\Microsoft\Win…
      "DisableTaskMgr"=dword:00000000

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft…
      "DisableTaskMgr"=dword:00000000

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft… NT\CurrentVersion\Winlogon]
      "DisableCAD"=dword:00000000

      You may need to restart your computer.

      DON'T DO THE REGISTRY STUFF UNLESS YOU KNOW WHAT YOU ARE DOING.

      If that doesn't work, you are going to need to start your computer in safe mode and run a virus scan, cause you still have a bug.


      source: my mind cause it happened to me! CAREFUL WHEN EDITING YOUR REGISTRY!!!
      "A cynic is someone who knows the price of everything and the value of nothing."

      Karnac



        Specialist

        Stay out of the registry and wait for a specialists help....your logs are done, just wait.


        Never argue with a stupid person, they'll drag you down to their level and beat you with experience.

        pigeonpoo9

          Topic Starter


          Rookie

          Hi both

          I haven't a clue when it comes to the above registry stuff, so stayed well clear for the time being.
          I can now open task manager, although I still cannot change my desk top background to what I had originally. My computer is also painfully slow when loading.
          Many thanks, I look forward to specialist help :)

          raiever



            Starter

            Question! When you try to change your background, is it that the button to browse is locked? Or you cannot change it to any of the already given ones, period? Or you can select to set a pic as background but it won't change?



            "A cynic is someone who knows the price of everything and the value of nothing."

            pigeonpoo9

              Topic Starter


              Rookie

              Hiya
              The browse and drop down position buttons are locked; they're grey and I can't select any of the other pictures in the list to the left either. Really annoying!!

              raiever



                Starter

                Ok!
                 
                Download this program!

                http://www.the-pc-guru.com/files/dwpfix.reg

                •Run the file
                •Respond Yes to the prompt to merge the file with the registry.

                Thank If it works please =D
                "A cynic is someone who knows the price of everything and the value of nothing."

                BC_Programmer


                  Mastermind
                • Typing is no substitute for thinking.
                It won't work to simply edit the registry. The fake spyware program has ALREADY installed change notification hooks on the registry keys, so if you change them, it instantly changes them back.
                I was trying to dereference Null Pointers before it was cool.
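The two posts above between them describe a check worth automating: raiever's list of DisableTaskMgr / DisableCAD policy values, and BC_Programmer's point that a running infection re-applies them the moment they are cleared. The script below is an added example, not code from this thread or from any of the tools it mentions. It parses regedit `.reg` exports (the kind raiever asks you to save from File > Export), audits the watched values, and compares two exports taken a few minutes apart so a value that was fixed and is now wrong again is reported, which is exactly the symptom of something restoring it. The thread's key paths are truncated; the sample exports embedded here are constructed and use the standard `Policies\System` and `Winlogon` locations.

```python
import re
from typing import Dict, List, Tuple

# Policy values named in the thread, with the setting a clean machine should have.
# 1 in DisableTaskMgr blocks Task Manager; 1 in DisableCAD removes the
# Ctrl+Alt+Del secure attention sequence.
WATCHED = {"DisableTaskMgr": 0, "DisableCAD": 0}

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')


def parse_reg_dwords(text: str) -> Dict[Tuple[str, str], int]:
    """Collect every dword value from a .reg export as {(key, name): int}.
    Other value types (REG_SZ, binary, ...) are skipped."""
    values: Dict[Tuple[str, str], int] = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = DWORD_RE.match(line)
        if m and key is not None:
            values[(key, m.group(1))] = int(m.group(2), 16)
    return values


def load_reg(path: str) -> Dict[Tuple[str, str], int]:
    """regedit writes exports as UTF-16 with a byte-order mark; older ANSI
    exports have no BOM, so fall back to a single-byte decode for those."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        text = data.decode("utf-16")
    else:
        text = data.decode("latin-1")
    return parse_reg_dwords(text)


def audit(values: Dict[Tuple[str, str], int]) -> List[Tuple[str, str, int]]:
    """Watched values that are not at their expected setting."""
    return sorted((k, n, v) for (k, n), v in values.items()
                  if n in WATCHED and v != WATCHED[n])


def reverted(before, after) -> List[Tuple[str, str]]:
    """Watched values that were correct in `before` but wrong again in `after`:
    the sign that a process is re-applying the policy as soon as it is cleared."""
    good_before = {(k, n) for (k, n), v in before.items()
                   if n in WATCHED and v == WATCHED[n]}
    bad_after = {(k, n) for k, n, _ in audit(after)}
    return sorted(good_before & bad_after)


# Constructed sample exports (assumed standard key paths; the thread's are truncated).
HKCU = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

SNAPSHOT_AFTER_FIX = f"""Windows Registry Editor Version 5.00

[{HKCU}]
"DisableTaskMgr"=dword:00000000

[{WINLOGON}]
"DisableCAD"=dword:00000000
"""

SNAPSHOT_MINUTES_LATER = f"""Windows Registry Editor Version 5.00

[{HKCU}]
"DisableTaskMgr"=dword:00000001

[{WINLOGON}]
"DisableCAD"=dword:00000000
"""

if __name__ == "__main__":
    before = parse_reg_dwords(SNAPSHOT_AFTER_FIX)
    after = parse_reg_dwords(SNAPSHOT_MINUTES_LATER)
    for key, name in reverted(before, after):
        print(f"{name} under {key} was cleared but is set again; something is re-applying it")
```

On a real machine you would call `load_reg()` on two exports of the same keys taken a few minutes apart rather than on the embedded samples; an entry reported by `reverted()` means editing the value by hand will not hold until the process restoring it is removed, which is why the specialists in this thread say to leave the registry alone and clean the infection first.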

                pigeonpoo9

                  Topic Starter


                  Rookie

                  I haven't done anything since I followed the guidelines; although I have been running anti-spyware scans using PC Guard, which keep finding something called Kollah. Does this help?

                  Karnac



                    Specialist

                    Win32/Kollah is a family of trojans that steal sensitive information.....banking info, etc......... Don't use any removal tools listed at Google since they are from rogue sites.......wait for evilfantasy.


                    Never argue with a stupid person, they'll drag you down to their level and beat you with experience.

                    CBMatt

                    • Mod & Malware Specialist


                    • Prodigy

                    • Sad and lonely...and loving every minute of it.
                    Sorry for the long wait, pigeonpoo.  Us malware guys are extremely busy at the moment with our personal lives, so we haven't been able to spend a lot of time on here.  And unfortunately, there are only a couple of us who do this, unlike the other sections that have tons of helpers.

                    Anyway, the majority of your infection should be gone, but it looks like some of it is still lingering.  Run another scan with HijackThis and look for this entry:
                    O4 - HKLM\..\Run: [winupdate.exe] C:\WINDOWS\system32\winupdate.exe

                    If you find it, place a checkmark next to it, and click on Fix Checked.  You should then enter Safe Mode and delete this file:
                    C:\WINDOWS\system32\winupdate.exe

                    Once you have done that, simply restart your computer and scan with HijackThis again.  This time, save a new log and post it here.  I would also like for you to download ComboFix by sUBs from one of the below links.  Be sure to save it to the Desktop.

                    http://download.bleepingcomputer.com/sUBs/ComboFix.exe
                    http://subs.geekstogo.com/ComboFix.exe

                    Close any open web browsers (Firefox, Internet Explorer, etc) before starting ComboFix.

                    Temporarily disable your anti-virus, and any anti-spyware real-time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

                    Double-click combofix.exe and follow the prompts.
                    When finished, ComboFix will produce a log for you.
                    Post the ComboFix log and a new HijackThis log in your next reply.

                    NOTE: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

                    Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.
                    An undefined problem has an infinite number of solutions.
                    —Robert A. Humphrey

                    evilfantasy

                    • Malware Removal Specialist
                    • Moderator


                    • Genius
                    • Calm like a bomb
                    @ raiever

                    You are trying to fix the symptoms which is doing no good. You need to learn how to fix the problem which has a side effect of fixing the symptoms as well...  :o

                    Also see here: http://www.computerhope.com/forum/index.php/topic,57605.0.html

                    pigeonpoo9

                      Topic Starter


                      Rookie

                      Hi
                      Thanks ever so much for getting back to me, I really, really appreciate your help with this.
                      I've come across one snag: I've just ran the first HijackThis scan, and cannot find O4 - HKLM\..\Run: [winupdate.exe] C:\WINDOWS\system32\winupdate.exe

                      Would it be under another name?

                      evilfantasy

                       Just continue on with CBMatt's instructions please.

                      pigeonpoo9

                        Topic Starter


                        Rookie

                        Hiya
                        I completed the steps, although as stated, I couldn't find:

                        O4 - HKLM\..\Run: [winupdate.exe] C:\WINDOWS\system32\winupdate.exe when I ran the HijackThis scan; neither could I find:

                        C:\WINDOWS\system32\winupdate.exe in Safe Mode, so couldn't delete it.

                        I've attached both the HijackThis log and the ComboFix log; all is looking good so far, it's brilliant not having to look at the stupid background I had enforced on my computer.

                        Once again, many thanks; I do appreciate that you guys are really busy.

                        [attachment deleted by admin]

                        evilfantasy

                        Hope you don't mind me jumping in Chris. :)

                        @pigeonpoo9 - You have a lot going on here. Please read and follow these instructions carefully and then post the logs.

                        Download Disable/Remove Windows Messenger to the Desktop to remove Windows Messenger.

                        Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

                        Unzip the file on the Desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

                        Exit out of MessengerDisable then delete the two files that were put on the Desktop.

                        ----------

                        Open HijackThis and select Do a system scan only

                        Vista users right click on HijackThis and select Run as Administrator. (you will receive a UAC prompt, please allow it)

                        Place a check mark next to the following entries: (if there)

                        - O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

                        Important: Close all open windows except for HijackThis and then click Fix checked.

                        Once completed, exit HijackThis.

                        ----------

                        Delete these files/folders, as follows:

                        1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
                        It must be Notepad, not Wordpad.
                        2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

                        Code:
                        KillAll::

                        DirLook::
                        c:\windows\system32\zpord32

                        Folder::
                        c:\windows\system32\xerox32

                        File::
                        c:\windows\internat.exe
                        c:\windows\system32\win32avs.exe

                        Registry::
                        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
                        "Userinit"=-


                        3. Go to the Notepad window and click Edit > Paste
                        4. Then click File > Save
                        5. Name the file CFScript.txt - Save the file to your Desktop
                        6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



                        ComboFix will begin to execute, just follow the prompts.
                        After reboot (in case it asks to reboot), it will produce a log for you.
                        Post that log (Combofix.txt) in your next reply.

                        Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

                        ----------

                        Download The Avenger by Swandog46 and save it to your desktop.

                        * Extract avenger.exe from the Zip file and save it to your Desktop
                        * Run avenger.exe by double-clicking on it.
                        * Do not change any check box options!!
                        * Copy everything in the Code box below, and paste it into the Input script here window:

                        Code:
                        Comment:

                        Registry values to delete:
                        HKLM\Software\Microsoft\Windows\CurrentVersion\Run | internat

                        * Now click the Execute button.
                        * Click Yes to the prompt to confirm you want to execute.
                        * Click Yes to the "Reboot now?" question that will appear when Avenger finishes running.
                        * Your PC should reboot, if not, reboot it yourself.
                        * A log file from Avenger will be produced at C:\avenger.txt and it will pop-up for you to view when you login after reboot.

                        * Add the Avenger log in your next post.
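The post above hands the user two tool scripts to paste blindly: a ComboFix CFScript and an Avenger script. A helper reviewing such a script before it runs wants a flat list of what it will touch, so here is an added example that is not from this thread nor from ComboFix or The Avenger themselves. It parses both formats into sections and flattens them into (tool, action, target) tuples. The meaning given to each directive is my reading of how they are used in this thread (File:: and Folder:: delete, DirLook:: only lists a directory into the log, KillAll:: stops running processes, a registry line of the form `"Name"=-` deletes that value, and Avenger's `key | value` items delete a registry value); treat those labels as assumptions, not as the tools' documentation. The sample scripts are the ones quoted in the post.

```python
import re
from typing import Dict, List, Optional, Tuple

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")           # ComboFix section header, e.g. File::
REG_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')         # "Name"=data inside Registry::


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split a CFScript into {section: [non-blank lines]}; empty sections are kept."""
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections


def registry_actions(lines: List[str]) -> List[Tuple[str, str, Optional[str]]]:
    """Interpret the Registry:: block with .reg-file semantics (assumed here):
    [key] sets the current key, [-key] deletes a key, "Name"=- deletes a value."""
    actions: List[Tuple[str, str, Optional[str]]] = []
    key: Optional[str] = None
    for line in lines:
        if line.startswith("[-") and line.endswith("]"):
            actions.append(("delete key", line[2:-1], None))
        elif line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        else:
            m = REG_VALUE_RE.match(line)
            if m and key is not None:
                name, data = m.groups()
                actions.append(("delete value" if data == "-" else "set value", key, name))
    return actions


def parse_avenger(text: str) -> Dict[str, List[str]]:
    """Avenger scripts are 'Header:' lines followed by one item per line."""
    blocks: Dict[str, List[str]] = {}
    header: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(":"):
            header = line[:-1]
            blocks.setdefault(header, [])
        elif line and header is not None:
            blocks[header].append(line)
    return blocks


def review(cfscript_text: str, avenger_text: str) -> List[Tuple[str, str, str]]:
    """Flatten both scripts into (tool, action, target) for a pre-run read-through."""
    out: List[Tuple[str, str, str]] = []
    cf = parse_cfscript(cfscript_text)
    if "KillAll" in cf:
        out.append(("ComboFix", "stop running processes", "*"))
    for p in cf.get("DirLook", []):
        out.append(("ComboFix", "list directory (no change)", p))
    for p in cf.get("Folder", []):
        out.append(("ComboFix", "delete folder", p))
    for p in cf.get("File", []):
        out.append(("ComboFix", "delete file", p))
    for act, key, name in registry_actions(cf.get("Registry", [])):
        out.append(("ComboFix", act, f"{key}\\{name}" if name else key))
    for item in parse_avenger(avenger_text).get("Registry values to delete", []):
        key, _, name = (part.strip() for part in item.partition("|"))
        out.append(("Avenger", "delete value", f"{key}\\{name}"))
    return out


# The two scripts quoted in the post, embedded as sample input.
CFSCRIPT_SAMPLE = r"""KillAll::

DirLook::
c:\windows\system32\zpord32

Folder::
c:\windows\system32\xerox32

File::
c:\windows\internat.exe
c:\windows\system32\win32avs.exe

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"=-
"""

AVENGER_SAMPLE = r"""Comment:

Registry values to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | internat
"""

if __name__ == "__main__":
    for tool, action, target in review(CFSCRIPT_SAMPLE, AVENGER_SAMPLE):
        print(f"{tool:9} {action:28} {target}")
```

The point of the flattened list is that registry deletions stand out next to file deletions; in this script the Winlogon `Userinit` value is removed, which is the sort of line a reviewer wants to see explicitly before a user drags the file onto ComboFix.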

                        CBMatt

                        Quote: "Hope you don't mind me jumping in Chris. :)"

                        Not at all.  You're the one people really want to see anyway.  Heh.
                        An undefined problem has an infinite number of solutions.
                        —Robert A. Humphrey

                        pigeonpoo9

                          Topic Starter


                          Rookie

                          Thanks for this.

                          I got as far as downloading The Avenger - I tried several times, but every time I tried to unzip the file after each attempt at download, Windows blocked it. When I unblocked the file and attempted to unzip again, Windows still refused to unzip it. Each time I downloaded the file, my antivirus claimed it was infecting me with "W32/Agent.HKS" and quarantined it. Eventually, my antivirus deleted the bloody folder. Nightmare.

                          I've posted my ComboFix latest log, as per your latest instructions, evilfantasy. Sorry to be a pain.

                          [attachment deleted by admin]

                          evilfantasy

                          Turn off your antivirus to download and unzip the Avenger.

                          pigeonpoo9

                            Topic Starter


                            Rookie

                            Done. Here's the log.
                            Told you I was a pain! I had considered turning off the antivirus, but took on a shade of cowardice and wimped out. Sorry about that.

                            When my computer rebooted after avenger, I got this message:

                            Windows - No Disk
                            Exception Processing Message
                            C0000013 Parameters 75b6bf7c 4 75b6bf7c 75b6bf7c

                            No clue what that means, but it didn't look good to me!

                            Charlene

                            [attachment deleted by admin]

                            evilfantasy

                            Download the MBR Rootkit Detector to your desktop.

                            * Doubleclick mbr.exe and follow prompts.
                            * A black DOS window will quickly appear then disappear.
                            * When mbr.exe is finished it will create a log on your desktop.
                            * Copy and paste contents of that log file to your next reply.

                            ----------

                            Download GMER and save it your desktop.

                            * Extract it to your desktop and double-click GMER.exe
                            * Click the rootkit tab and then scan.
                            * Don't check the Show All box while scanning in progress!
                            * When scanning is finished click Copy.
                            * This copies the log to clipboard
                            * Post the log in your reply.

                            pigeonpoo9

                              Topic Starter


                              Rookie

                              Done! :)

                              [attachment deleted by admin]

                              evilfantasy

                              * Click START then RUN
                              * Now type Combofix /u in the runbox
                              * Make sure there's a space between Combofix and /u
                              * Then hit Enter

                              * The above procedure will:
                              * Delete the following:
                              * ComboFix and its associated files and folders.
                              * Reset the clock settings.
                              * Hide file extensions, if required.
                              * Hide System/Hidden files, if required.
                              * Set a new, clean Restore Point.

                              ----------

                              Clean out your temporary internet files and temp files.

                              Download TFC by OldTimer to your desktop.

                              Double-click TFC.exe to run it.

                              Note: If you are running on Vista, right-click on the file and choose Run As Administrator

                              TFC will close all programs when run, so make sure you have saved all your work before you begin.

                              * Click the Start button to begin the cleaning process.
                              * Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
                              * Please let TFC run uninterrupted until it is finished.

                              Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

                              ----------

                              BitDefender Online Scanner only works with Internet Explorer! Click here for the latest version of Internet Explorer

                              * Scan with the BitDefender Online Scanner
                              * Click Start Scanner to begin.
                              * Place a check mark next to I agree with the Terms and Conditions then click Start Here
                              * Agree to the license and then Install the ActiveX control.
                              * Please DO NOT change any of the Scanning Options!
                              * Click Start Scan to begin updating the BitDefender Online Scanner. The scan will start once the definitions are up-to-date.

                              * This scan can take a while so please be patient and let it complete.

                              * Once BitDefender completes the scan:
                              * Click-on the Detected Problems tab.
                              * Then select Click here to export the scan report



                              This will save a file named bdscan.html I would suggest saving it to the desktop so you can easily find it. (take notice of where you save it so you can find it later)
                               
                              You will have to upload the file online. The forums will not accept HTML.

                              Go to File Dropper

                              * Click Upload
                              * Locate the file and double click it.
                              * Copy the link below Share This Link: and post it back here.

                              ----------

                              Also let me know how the computer is running now.


                              pigeonpoo9

                                Topic Starter


                                Rookie


                                pigeonpoo9

                                  Topic Starter


                                  Rookie

                                  Sorry, I forgot the last bit. It seems to be running ok - I'm going to restart it now and see how it gets on; I had a few problems after I ran TFC, as Windows claimed that my computer had recovered from a serious error after the scan.

                                  evilfantasy

                                  OK let's do the final steps and then see how everything is running.

                                  Use the Secunia Software Inspector to check for out of date software.
                                  • Click Start Now
                                  • Check the box next to Enable thorough system inspection.
                                  • Click Start
                                  • Allow the scan to finish and scroll down to see if any updates are needed.
                                  • Update anything listed.
                                  ----------

                                  Go to Microsoft Windows Update and get all critical updates.

                                  ----------

                                  Suggestions...

                                  I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

                                  SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
                                  * Using SpywareBlaster to protect your computer from Spyware and Malware
                                  * If you don't know what ActiveX controls are, see here

                                  Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

                                  Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

                                  Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

                                  pigeonpoo9

                                    Topic Starter


                                    Rookie

                                    I ran Secunia Software Inspector, and updated everything, other than Adobe Reader. When I tried downloading the patch, a message popped up to say that I'd either deleted Adobe Reader, or that the patch did not match my version of Adobe. I tried to update it via Adobe Reader, which also failed, and even tried uninstalling it, which also did not work. I also tried downloading the newest version, which didn't work; each time I tried one of these actions, a message would pop up saying it could not be completed, then it would reverse all actions. No idea what that was about.

                                    I've downloaded WOT, SpywareBlaster and Spybot - Search and Destroy. My concern is that I downloaded the versions for IE for WOT and SpywareBlaster, but I use Apple Safari - will this make a difference?

                                    I also ran an anti-spyware scan using my antivirus before I did any of this, and found the following spyware:

                                    2 x AspackDie 1.1 (application)
                                    1 x Bifrost (registry)
                                    1 x WinAntiVirus Pro 2006 (registry)
                                    7 x Kollah (registry)
                                    1 x WinSpywareProtect (registry)

                                    Not sure that I like that; is it a good sign that my anti-spyware programme is picking them up, or should they just not be there given all of the steps I've taken so far?

                                    Sorry to be so utterly clueless.

                                    evilfantasy

                                    Is it Adobe Reader or Adobe Flash you are having problems with?

                                    WOT only works with Windows (all), Mac OS X, Linux or Firefox.

                                    Quote: "I also ran an anti-spyware scan using my antivirus before I did any of this, and found the following spyware:"

                                    What antivirus?
                                    Can you get me a log?

                                    pigeonpoo9

                                      Topic Starter


                                      Rookie

                                      It was Adobe Reader Version 8 that I'm having trouble updating. I tried again after I posted that last message, and I think it worked, although I had to leave my computer for a while. I'll run the scanner again and see if it comes up in the list of programmes to be updated and have another go.

                                      Sorry, I realise how vague that was now! My anti-virus is PC Guard - it came with my Virgin Media broadband. Not sure if it's any good, but I had problems with AVG before I switched to this.

                                      After that last message, I ran another anti-spyware scan with PC Guard, which found fewer spyware items. Here is the log:

                                      PCguard Anti-Spyware
                                      Spyware Report (23/07/2009 15:51:15)
                                      Scan Target   Scanned Items   Detected Spyware Items
                                      PRESARIO (C:)   80824   0
                                      PRESARIO_RP (D:)   16630   0
                                      Cookies   276   2
                                      Registry   36051   8
                                      Memory   50   0
                                      Total   133831   10

                                      Spyware   Type   Item   Action
                                      DoubleClick   Spyware cookie   C:\Documents and Settings\Compaq_Administrator\cookies\compaq_administrator@doubleclick[1].txt   Delete
                                      AtlasDMT.com   Spyware cookie   C:\Documents and Settings\Compaq_Administrator\cookies\compaq_administrator@atdmt[2].txt   Delete
                                      Kollah   Registry   hkey_local_machine \software\microsoft\windows nt\currentversion\network   Quarantine
                                      Kollah   Registry   hkey_users \S-1-5-18\software\microsoft\windows\currentversion\explorer\{19127ad2-394b-70f5-c650-b97867baa1f7}   Quarantine
                                      Kollah   Registry   hkey_users \S-1-5-18\software\microsoft\windows\currentversion\explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6}   Quarantine
                                      Kollah   Registry   hkey_users \S-1-5-19\software\microsoft\windows nt\currentversion\network   Quarantine
                                      Kollah   Registry   hkey_users \S-1-5-20\software\microsoft\windows nt\currentversion\network   Quarantine
                                      KoolyNoody   Registry   hkey_users \CAHive_S-1-5-21-1100775152-255130791-453027457-500\software\microsoft\windows\currentversion\internet settings\zonemap\domains\koolynoody.net   Quarantine
                                      KoolyNoody   Registry   hkey_users \S-1-5-18\software\microsoft\windows\currentversion\internet settings\zonemap\domains\koolynoody.net   Quarantine
                                      KoolyNoody   Registry   hkey_users \S-1-5-21-1100775152-255130791-453027457-1007\software\microsoft\windows\currentversion\internet settings\zonemap\domains\koolynoody.net   Quarantine

                                      File generated by PCguard Anti-Spyware

                                      I can't seem to access the log for the scan previous to this latest one (the one referenced in my last post); however I can get this log for the most recent scans using PC Guard:

                                      PCguard Anti-Spyware
                                      Spyware Report (23/07/2009 22:49:13)
                                      Spyware   Type   Date
                                      KoolyNoody   Registry   23/07/2009 15:51:20
                                      KoolyNoody   Registry   23/07/2009 15:51:20
                                      KoolyNoody   Registry   23/07/2009 15:51:20
                                      Kollah   Registry   23/07/2009 15:51:18
                                      Kollah   Registry   23/07/2009 15:51:18
                                      Kollah   Registry   23/07/2009 15:51:18
                                      Kollah   Registry   23/07/2009 15:51:18
                                      Kollah   Registry   23/07/2009 15:51:18
                                      DoubleClick   Spyware cookie   23/07/2009 15:51:16
                                      AtlasDMT.com   Spyware cookie   23/07/2009 15:51:15
                                      WinSpywareProtect   Registry   23/07/2009 13:55:17
                                      Kollah   Registry   23/07/2009 13:55:17
                                      Kollah   Registry   23/07/2009 13:55:17
                                      Kollah   Registry   23/07/2009 13:55:17
                                      Kollah   Registry   23/07/2009 13:55:17
                                      Kollah   Registry   23/07/2009 13:55:17
                                      Kollah   Registry   23/07/2009 13:55:17
                                      WinAntiVirus Pro 2006   Registry   23/07/2009 13:55:17
                                      Bifrost   Registry   23/07/2009 13:55:17
                                      Kollah   Registry   23/07/2009 13:55:17
                                      DoubleClick   Spyware cookie   23/07/2009 13:55:11
                                      DoubleClick   Spyware cookie   23/07/2009 13:55:11
                                      AtlasDMT.com   Spyware cookie   23/07/2009 13:55:11
                                      AtlasDMT.com   Spyware cookie   23/07/2009 13:55:11
                                      AtlasDMT.com   Spyware cookie   23/07/2009 13:55:11
                                      AtlasDMT.com   Spyware cookie   23/07/2009 13:55:11
                                      AtlasDMT.com   Spyware cookie   23/07/2009 13:55:11
                                      AspackDie 1.1   Application   23/07/2009 13:55:11
                                      AspackDie 1.1   Application   23/07/2009 13:55:10
                                      WinSpywareProtect   Registry   22/07/2009 19:44:45
                                      Kollah   Registry   22/07/2009 19:44:45
                                      Kollah   Registry   22/07/2009 19:44:45
                                      Kollah   Registry   22/07/2009 19:44:45
                                      Kollah   Registry   22/07/2009 19:44:45
                                      WinAntiVirus Pro 2006   Registry   22/07/2009 19:44:45
                                      Bifrost   Registry   22/07/2009 19:44:45
                                      Kollah   Registry   22/07/2009 19:44:45
                                      AtlasDMT.com   Spyware cookie   22/07/2009 19:44:41
                                      AtlasDMT.com   Spyware cookie   22/07/2009 19:44:41
                                      AtlasDMT.com   Spyware cookie   22/07/2009 19:44:40
                                      AtlasDMT.com   Spyware cookie   22/07/2009 19:44:40
                                      AtlasDMT.com   Spyware cookie   22/07/2009 19:44:40
                                      AtlasDMT.com   Spyware cookie   22/07/2009 19:44:40
                                      AspackDie 1.1   Application   22/07/2009 19:44:40
                                      AspackDie 1.1   Application   22/07/2009 19:44:40
                                      AspackDie 1.1   Application   22/07/2009 19:44:40
                                      Bifrost   Registry   22/07/2009 10:28:37
                                      Kollah   Registry   22/07/2009 10:28:37
                                      Kollah   Registry   22/07/2009 10:28:37
                                      Kollah   Registry   22/07/2009 10:28:37
                                      Kollah   Registry   22/07/2009 10:28:37
                                      Kollah   Registry   22/07/2009 10:28:37
                                      WinAntiVirus Pro 2006   Registry   22/07/2009 10:28:34
                                      WinSpywareProtect   Registry   22/07/2009 10:28:34
                                      DoubleClick   Spyware cookie   22/07/2009 10:28:34
                                      AtlasDMT.com   Spyware cookie   22/07/2009 10:28:34
                                      AtlasDMT.com   Spyware cookie   22/07/2009 10:28:34
                                      AtlasDMT.com   Spyware cookie   22/07/2009 10:28:34
                                      AtlasDMT.com   Spyware cookie   22/07/2009 10:28:34
                                      AtlasDMT.com   Spyware cookie   22/07/2009 10:28:34
                                      AtlasDMT.com   Spyware cookie   22/07/2009 10:28:34
                                      AtlasDMT.com   Spyware cookie   22/07/2009 10:28:33
                                      AtlasDMT.com   Spyware cookie   22/07/2009 10:28:33
                                      AtlasDMT.com   Spyware cookie   22/07/2009 10:28:33
                                      Kollah   Registry   21/07/2009 10:34:22
                                      Kollah   Registry   21/07/2009 10:34:22
                                      Kollah   Registry   21/07/2009 10:34:22
                                      Kollah   Registry   21/07/2009 10:34:22
                                      Kollah   Registry   21/07/2009 10:34:22
                                      AtlasDMT.com   Spyware cookie   21/07/2009 10:34:18
                                      AtlasDMT.com   Spyware cookie   21/07/2009 10:34:18
                                      AtlasDMT.com   Spyware cookie   21/07/2009 10:34:18
                                      Kollah   Registry   20/07/2009 10:44:02
                                      Kollah   Registry   20/07/2009 10:44:02
                                      Kollah   Registry   20/07/2009 10:44:02
                                      Kollah   Registry   20/07/2009 10:44:02
                                      Kollah   Registry   20/07/2009 10:44:02
                                      AtlasDMT.com   Spyware cookie   20/07/2009 10:43:59
                                      AtlasDMT.com   Spyware cookie   20/07/2009 10:43:59
                                      AtlasDMT.com   Spyware cookie   20/07/2009 10:43:59
                                      AtlasDMT.com   Spyware cookie   20/07/2009 10:43:59
                                      Kollah   Registry   19/07/2009 14:43:18
                                      Kollah   Registry   19/07/2009 14:43:18
                                      Kollah   Registry   19/07/2009 14:43:17
                                      Kollah   Registry   19/07/2009 14:43:17
                                      Kollah   Registry   19/07/2009 14:43:17
                                      AtlasDMT.com   Spyware cookie   19/07/2009 14:42:52
                                      Kollah   Registry   18/07/2009 11:21:12
                                      Kollah   Registry   18/07/2009 11:21:12
                                      Kollah   Registry   18/07/2009 11:21:12
                                      Kollah   Registry   18/07/2009 11:21:12
                                      AtlasDMT.com   Spyware cookie   18/07/2009 11:21:08
                                      AtlasDMT.com   Spyware cookie   18/07/2009 11:21:08
                                      AtlasDMT.com   Spyware cookie   18/07/2009 11:21:08
                                      AtlasDMT.com   Spyware cookie   18/07/2009 11:21:08
                                      Kollah   Registry   17/07/2009 18:00:19
                                      Kollah   Registry   17/07/2009 18:00:19
                                      Kollah   Registry   17/07/2009 18:00:19
                                      Kollah   Registry   17/07/2009 18:00:19
                                      Kollah   Registry   17/07/2009 18:00:19
                                      AtlasDMT.com   Spyware cookie   17/07/2009 18:00:16
                                      AtlasDMT.com   Spyware cookie   17/07/2009 18:00:16
                                      Kollah   Registry   16/07/2009 19:35:59
                                      Kollah   Registry   16/07/2009 19:35:59
                                      Kollah   Registry   16/07/2009 19:35:59
                                      Kollah   Registry   16/07/2009 19:35:59
                                      Kollah   Registry   16/07/2009 19:35:59
                                      AtlasDMT.com   Spyware cookie   16/07/2009 19:35:54
                                      AtlasDMT.com   Spyware cookie   16/07/2009 19:35:54
                                      Kollah   Registry   15/07/2009 18:00:10
                                      Kollah   Registry   15/07/2009 18:00:10
                                      Kollah   Registry   15/07/2009 18:00:10
                                      Kollah   Registry   15/07/2009 18:00:10
                                      Kollah   Registry   15/07/2009 18:00:10
                                      AtlasDMT.com   Spyware cookie   15/07/2009 17:59:35
                                      Kollah   Registry   14/07/2009 22:09:21
                                      Kollah   Registry   14/07/2009 22:09:21
                                      Kollah   Registry   14/07/2009 22:09:21
                                      Kollah   Registry   14/07/2009 22:09:21
                                      Kollah   Registry   14/07/2009 22:09:21
                                      DoubleClick   Spyware cookie   14/07/2009 22:09:17
                                      AtlasDMT.com   Spyware cookie   14/07/2009 22:09:17
                                      AtlasDMT.com   Spyware cookie   14/07/2009 22:09:17
                                      AtlasDMT.com   Spyware cookie   14/07/2009 22:09:16
                                      AtlasDMT.com   Spyware cookie   14/07/2009 22:09:16
                                      Kollah   Registry   13/07/2009 17:26:09
                                      Kollah   Registry   13/07/2009 17:26:09
                                      Kollah   Registry   13/07/2009 17:26:09
                                      Kollah   Registry   13/07/2009 17:26:09
                                      Kollah   Registry   13/07/2009 17:26:09
                                      AtlasDMT.com   Spyware cookie   13/07/2009 17:26:05
                                      AtlasDMT.com   Spyware cookie   13/07/2009 17:26:05
                                      Kollah   Registry   12/07/2009 21:41:19
                                      Kollah   Registry   12/07/2009 21:41:19
                                      Kollah   Registry   12/07/2009 21:41:19
                                      Serving-Sys   Spyware cookie   12/07/2009 21:41:16
                                      DoubleClick   Spyware cookie   12/07/2009 21:41:15
                                      AtlasDMT.com   Spyware cookie   12/07/2009 21:41:15
                                      Kollah   Registry   12/07/2009 20:14:58
                                      Kollah   Registry   12/07/2009 20:14:58
                                      Kollah   Registry   12/07/2009 20:14:58
                                      Kollah   Registry   12/07/2009 20:14:58
                                      Kollah   Registry   12/07/2009 20:14:58
                                      DoubleClick   Spyware cookie   12/07/2009 20:14:55
                                      DoubleClick   Spyware cookie   12/07/2009 20:14:55
                                      AtlasDMT.com   Spyware cookie   12/07/2009 20:14:55
                                      AtlasDMT.com   Spyware cookie   12/07/2009 20:14:55
                                      AtlasDMT.com   Spyware cookie   12/07/2009 20:14:55
                                      AtlasDMT.com   Spyware cookie   12/07/2009 20:14:55
                                      Kollah   Registry   11/07/2009 23:31:12
                                      Kollah   Registry   11/07/2009 23:31:12
                                      Kollah   Registry   11/07/2009 23:31:12
                                      Kollah   Registry   11/07/2009 23:31:12
                                      Kollah   Registry   11/07/2009 23:31:12
                                      Tacoda cookie   Spyware cookie   11/07/2009 23:31:08
                                      Serving-Sys   Spyware cookie   11/07/2009 23:31:08
                                      revsci.net   Spyware cookie   11/07/2009 23:31:08
                                      quantserve.com   Spyware cookie   11/07/2009 23:31:08
                                      DoubleClick   Spyware cookie   11/07/2009 23:31:08
                                      Com.com   Spyware cookie   11/07/2009 23:31:08
                                      BS.Serving-Sys   Spyware cookie   11/07/2009 23:31:08
                                      AtlasDMT.com   Spyware cookie   11/07/2009 23:31:08
                                      AtlasDMT.com   Spyware cookie   11/07/2009 23:31:07
                                      Advertising.com   Spyware cookie   11/07/2009 23:31:07
                                      Ad.YieldManager.com Cookie   Spyware cookie   11/07/2009 23:31:07
                                      Kollah   Registry   11/07/2009 18:40:01
                                      Kollah   Registry   11/07/2009 18:40:01
                                      Disable Task Manager Reg Entry   Registry   11/07/2009 18:40:01
                                      SillyDl NVU   Registry   11/07/2009 18:40:01
                                      SillyDl NVU   Registry   11/07/2009 18:40:01
                                      Kollah   Registry   11/07/2009 18:39:59
                                      Kollah   Registry   11/07/2009 18:39:59
                                      Kollah   Registry   11/07/2009 18:39:59
                                      Kollah   Registry   11/07/2009 18:39:59
                                      Tacoda cookie   Spyware cookie   11/07/2009 18:39:54
                                      Serving-Sys   Spyware cookie   11/07/2009 18:39:54
                                      Serving-Sys   Spyware cookie   11/07/2009 18:39:54
                                      sageanalyst.net   Spyware cookie   11/07/2009 18:39:54
                                      DoubleClick   Spyware cookie   11/07/2009 18:39:54
                                      DoubleClick   Spyware cookie   11/07/2009 18:39:54
                                      DoubleClick   Spyware cookie   11/07/2009 18:39:54
                                      DoubleClick   Spyware cookie   11/07/2009 18:39:54
                                      AtlasDMT.com   Spyware cookie   11/07/2009 18:39:54
                                      AtlasDMT.com   Spyware cookie   11/07/2009 18:39:54
                                      AtlasDMT.com   Spyware cookie   11/07/2009 18:39:54
                                      AtlasDMT.com   Spyware cookie   11/07/2009 18:39:54
                                      Advertising.com   Spyware cookie   11/07/2009 18:39:54
                                      Ad.YieldManager.com Cookie   Spyware cookie   11/07/2009 18:39:54
                                      247RealMedia.com   Spyware cookie   11/07/2009 18:39:54
                                      Advanced Virus Remover   Registry   10/07/2009 17:00:40
                                      Kollah   Registry   10/07/2009 17:00:40
                                      Kollah   Registry   10/07/2009 17:00:40
                                      Advanced Virus Remover   Registry   10/07/2009 17:00:40
                                      Advanced Virus Remover   Registry   10/07/2009 17:00:40
                                      SillyDl NVU   Registry   10/07/2009 17:00:40
                                      SillyDl NVU   Registry   10/07/2009 17:00:39
                                      Advanced Virus Remover   Registry   10/07/2009 17:00:37
                                      Disable Task Manager Reg Entry   Registry   10/07/2009 17:00:37
                                      Disable Task Manager Reg Entry   Registry   10/07/2009 17:00:37
                                      CMJSpy 0.5   Registry   10/07/2009 17:00:37

                                      File generated by PCguard Anti-Spyware

                                      I've put both of these logs into a notepad, just in case this is unreadable.

                                      Thanks :)

                                      [attachment deleted by admin]
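The detection history above lists the same names scan after scan. As an added example, not from the original post and not PCguard's own code, the following Python reads lines in that three-column format (name, type, dd/mm/yyyy timestamp), counts the distinct scan dates on which each name appears and lists the non-cookie detections that keep coming back. The sample log inside it is a constructed subset of the lines quoted above; treating runs of two or more spaces as the column separator is an assumption about how the pasted log is laid out.

```python
"""Summarise a PCguard-style spyware history log by detection name.

Added example (not from the thread or from PCguard). It parses the
"Spyware   Type   Date" lines, groups them by detection name and counts
how many distinct scan dates each name was reported on. A registry or
application detection that returns on scan after scan has only been
quarantined, not removed at its source.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a subset of the lines quoted in the thread, in the
# format PCguard prints (dd/mm/yyyy hh:mm:ss timestamps, newest first).
SAMPLE_LOG = """\
PCguard Anti-Spyware
Spyware Report (23/07/2009 22:49:13)
Spyware   Type   Date
KoolyNoody   Registry   23/07/2009 15:51:20
Kollah   Registry   23/07/2009 15:51:18
DoubleClick   Spyware cookie   23/07/2009 15:51:16
WinSpywareProtect   Registry   23/07/2009 13:55:17
Kollah   Registry   23/07/2009 13:55:17
Bifrost   Registry   23/07/2009 13:55:17
AspackDie 1.1   Application   23/07/2009 13:55:11
Kollah   Registry   22/07/2009 19:44:45
Bifrost   Registry   22/07/2009 19:44:45
AtlasDMT.com   Spyware cookie   22/07/2009 19:44:41
Kollah   Registry   21/07/2009 10:34:22
Kollah   Registry   20/07/2009 10:44:02
Disable Task Manager Reg Entry   Registry   11/07/2009 18:40:01
Kollah   Registry   11/07/2009 18:40:01
Advanced Virus Remover   Registry   10/07/2009 17:00:40
File generated by PCguard Anti-Spyware
"""

# Assumption: columns are separated by two or more spaces; names such as
# "AspackDie 1.1" contain single spaces and must stay intact.
LINE_RE = re.compile(
    r"^(?P<name>.+?)\s{2,}(?P<type>.+?)\s{2,}"
    r"(?P<date>\d{2}/\d{2}/\d{4})\s+\d{2}:\d{2}:\d{2}$"
)


def parse_log(text):
    """Yield (name, type, date) for each detection line; headers and footers do not match."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            day = datetime.strptime(m["date"], "%d/%m/%Y").date()
            yield m["name"], m["type"], day


def recurrence(text):
    """Map name -> (type, distinct scan dates, first date, last date)."""
    days_seen = defaultdict(set)
    kinds = {}
    for name, kind, day in parse_log(text):
        days_seen[name].add(day)
        kinds[name] = kind
    return {name: (kinds[name], len(days), min(days), max(days))
            for name, days in days_seen.items()}


def persistent(text, min_days=3, ignore=("Spyware cookie",)):
    """Names reported on at least `min_days` distinct dates, excluding tracking cookies.

    Cookies come back with ordinary browsing; a registry or application
    hit that is quarantined daily and is back the next day is the
    interesting case, because something on the box is re-creating it.
    """
    return sorted(name for name, (kind, n, _, _) in recurrence(text).items()
                  if n >= min_days and kind not in ignore)


if __name__ == "__main__":
    rows = sorted(recurrence(SAMPLE_LOG).items(), key=lambda kv: -kv[1][1])
    for name, (kind, n, first, last) in rows:
        print(f"{name:32} {kind:16} {n:2d} scan days  {first} .. {last}")
    print("recurring, non-cookie:", persistent(SAMPLE_LOG))
```

Run against the full log pasted above rather than the sample, the same functions give the per-name picture for the whole fortnight; the useful output is the list at the end, since a detection on that list is one the scanner is only masking.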

                                      evilfantasy

                                      Is PCguard paid and updated?

                                      Would you mind switching to another very good FREE antivirus/antispyware? The Virgin Media PCguard is not the best and there are free solutions, not AVG, that will offer much better protection.

                                      Update Malwarebytes' Anti-Malware and run a Full scan.
                                       
                                      * Open Malwarebytes' Anti-Malware
                                      * Select the Update tab
                                      * Click Check for Updates
* After the update has been completed, select the Scanner tab.
                                      * Select Perform full scan, then click on Scan
* Leave the default options as they are and click on Start Scan
                                      * When done, you will be prompted. Click OK, then click on Show Results
* Check (tick) all items and click on Remove Selected
                                      * After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the newest.

                                      pigeonpoo9


                                        I'm not sure what you mean by 'paid' - the PC Guard I was using was 'free' with my broadband, but I was paying for the Broadband... so I guess it's paid? It was also updated. However, I've since changed to avast, which has thrown up a few viruses. The file names are:

                                        A0088169.exe - Win32: Trojan - gen
                                        A0088444.exe - "
                                        A0088763.exe - "
                                        A0095249.exe - Win32: Rootkit - gen
                                        Win32avs.exe.vir

                                        I've deleted the above, but the following system files remain in the avast 'chest', as I didn't know what to do with them:

                                        kernel32.dll
                                        winsock.dll
                                        wsock32.dll

My computer has also developed an annoying habit of opening the My Documents folder on start up. This has only started occurring since I deleted PC Guard and downloaded avast.

                                        I've attached my latest Malwarebytes log :)

                                        [attachment deleted by admin]

                                        evilfantasy

                                        Quote
                                        I've deleted the above, but the following system files remain in the avast 'chest', as I didn't know what to do with them:

                                        kernel32.dll
                                        winsock.dll
                                        wsock32.dll

                                        Leave them there.

                                        Run a new HijackThis scan and post the log please.

                                        pigeonpoo9


                                          Thanks

                                          [attachment deleted by admin]

                                          evilfantasy

                                          Disable Spybot's TeaTimer

                                          While TeaTimer is an excellent tool for the prevention of spyware, it can also interfere with HijackThis fixes. Please disable TeaTimer for now until we are done.

                                          1. Right click Spybot in the System Tray (looks like a calendar with a padlock symbol). Choose Exit Spybot S&D Resident
                                          2. Run Spybot S&D
                                          3. Go to the Mode menu, and make sure Advanced Mode is selected.
                                          4. On the left hand side, choose Tools > Resident
Uncheck Resident TeaTimer, OK any prompt and restart your computer.

                                          Note:
                                          If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

                                          If TeaTimer will not turn off then uninstall Spybot until we are done cleaning.

                                          ----------

                                          Open HijackThis and select Do a system scan only

                                          Place a check mark next to the following entries: (if there)

                                          - F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe,C:\WINDOWS\system32\word64main.exe,

                                          Important: Close all open windows except for HijackThis and then click Fix checked.

                                          Once completed, exit HijackThis.

                                          ----------

Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

                                          Link #1
                                          Link #2

                                          **Note:  It is important that it is saved directly to your Desktop

                                          Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

                                          Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
                                           
                                          Double click combofix.exe & follow the prompts.
                                          Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
                                          When finished ComboFix will produce a log for you.
                                          Post the ComboFix log in your next reply.

                                          Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

                                          Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

                                          If you have problems with ComboFix usage, see How to use ComboFix

                                          pigeonpoo9


                                            I performed the Malwarebytes scan, and checked and fixed
                                            F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe,C:\WINDOWS\system32\word64main.exe,

However, it seemed to fix it so quickly that I wasn't sure I had done it properly. I pressed scan again, and found:

                                            F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\word64main.exe,

                                            Is this right?

                                            I've also attached the latest ComboFix log.

                                            [attachment deleted by admin]

                                            pigeonpoo9


                                               :)

                                              [attachment deleted by admin]

                                              evilfantasy

That's the same log you posted earlier.

Download OTM by OldTimer to your desktop.

                                              Note: If you are running on Vista, right-click on OTM.exe and choose Run As Administrator.

                                              * Save it to your Desktop.
                                              * Double-click OTM.exe to run it.
                                              * Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

Code:
                                              :Processes
                                              explorer.exe

                                              :services

                                              :reg

                                              :files

                                              :Commands
                                              [purity]
                                              [emptytemp]
                                              [start explorer]

                                              * Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
                                              * Click the red Moveit! button.
                                              * Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
                                              Close OTM

                                              Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes.
                                              « Last Edit: July 26, 2009, 10:16:45 PM by evilfantasy »

                                              pigeonpoo9

                                                Topic Starter


                                                Rookie

                                                Oh dear....

                                                After I copied that information into OTM and clicked Moveit!, the program did its thing, then asked to reboot. I couldn't select any of the information in the Results section, so couldn't copy it.

                                                When the computer rebooted, all I got was my background. I managed to get task manager up, and rebooted several times, but still, just the background. I rebooted in Safe Mode, but all I got was a black screen, so had to restart.

                                                I've managed to get my internet connected and an internet browser window up using Task Manager, but do not have a Task bar or start button, and there's nothing on my desktop. I tried to run OTM, and it brought up a log, so I've posted that.

                                                I must have done something wrong, but followed the instructions exactly. I was sure that I only highlighted the text on the previous Code box; would it have made a difference if there was an extra space in it??

With regards to the previous Combo Fix log - I definitely attached a log that was different to the previous one - unless I failed to follow previous instructions properly....

                                                [attachment deleted by admin]

                                                evilfantasy

                                                • Malware Removal Specialist
                                                • Moderator


                                                • Genius
                                                • Calm like a bomb
                                                • Thanked: 493
                                                • Experience: Experienced
                                                • OS: Windows 11
Start the computer in Safe Mode (see: Getting into Windows Safe Mode).

                                                From the options choose Last Known Good Configuration.

                                                Let me know how that goes.

                                                Do you have your Windows install CD?

                                                pigeonpoo9

                                                  Topic Starter


                                                  Rookie

                                                  I'll do that now.

                                                  I don't have the Windows Install CD - I have recovery discs, though. Will this do any good?

                                                   - Had a go at starting in Last Known Good Configuration... no luck. I'll get the recovery discs ready!

                                                  -  Sorry to modify my post yet again, but something strange has happened. I tried to open just any old folder in desperation using Task Manager (I think it was shared documents or something), and a Windows message came up:

                                                  /idlist.:992:3832,C:\Documents
                                                  Windows cannot find '/idlist.:992:3832,C:\Documents'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.

                                                  My start menu, task bar and Desktop came back at this. When I restarted my computer, they were gone again, but when I opened another folder, I got the Windows message and they came back again, although my computer is slowing down at odd moments, then picking up in speed again. Hummm... is this no longer a malware problem? Should I post this in another forum?

                                                  Thanks
                                                  « Last Edit: July 27, 2009, 03:32:35 AM by pigeonpoo9 »
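The symptoms in the posts above (Task Manager reported as "disabled by your administrator", and after the cleanup a logon with no taskbar, Start button or desktop icons until a folder is opened) map onto a small set of registry values that rogue "antivirus" products routinely tamper with. The "disabled by your administrator" message is what Windows shows when the DisableTaskMgr policy is set, and a desktop with no taskbar is what you get when explorer.exe is not started as the shell at logon; opening a folder then launches explorer.exe, which is consistent with the shell suddenly coming back as described. The script below is an added triage example written for this page; it is not part of the thread, not OTM or ComboFix output, and it does not establish that this particular infection touched these values. It only reports what it finds unless run with -Repair. It assumes a modern Windows with PowerShell 5.1 or later run from an elevated prompt (on an XP-era machine the same values can be read with reg.exe), and the file name Check-ShellTamper.ps1 is an assumption.

```powershell
# Check-ShellTamper.ps1 (added example, not from the forum thread)
# Reports, and with -Repair undoes, the registry settings a rogue AV
# typically changes to disable Task Manager and hijack the logon shell.
# Assumptions: elevated PowerShell 5.1+; the paths below are the standard
# Windows locations, but whether this infection used them is not known.
[CmdletBinding()]
param(
    [switch]$Repair   # without -Repair the script only reports
)

$findings = @()

# 1. "Task Manager has been disabled by your administrator" is shown when
#    DisableTaskMgr = 1 under either the per-user or the machine policy key.
$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
)
foreach ($key in $policyKeys) {
    $val = (Get-ItemProperty -Path $key -Name DisableTaskMgr -ErrorAction SilentlyContinue).DisableTaskMgr
    if ($val -eq 1) {
        $findings += "DisableTaskMgr=1 at $key"
        if ($Repair) { Remove-ItemProperty -Path $key -Name DisableTaskMgr }
    }
}

# 2. Winlogon's Shell and Userinit values decide what starts at logon.
#    explorer.exe is the default shell; a per-user (HKCU) override is not
#    created by Windows itself and is suspicious on a home machine.
$winlogon = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = @{
    Shell    = 'explorer.exe'
    Userinit = "$env:SystemRoot\system32\userinit.exe,"   # trailing comma is the default
}
foreach ($hive in 'HKLM', 'HKCU') {
    $path = "${hive}:\$winlogon"
    foreach ($name in $expected.Keys) {
        $val = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
        if ($null -eq $val) { continue }   # value absent: nothing to check
        if ($hive -eq 'HKCU') {
            $findings += "$hive $name override present: '$val'"
            if ($Repair) { Remove-ItemProperty -Path $path -Name $name }
        } elseif ($val.Trim() -ne $expected[$name]) {   # -ne is case-insensitive
            $findings += "$hive $name = '$val' (expected '$($expected[$name])')"
            if ($Repair) { Set-ItemProperty -Path $path -Name $name -Value $expected[$name] }
        }
    }
}

# 3. Is the shell running right now? If not, start it so the taskbar and
#    desktop come back without having to open a folder from Task Manager.
if (-not (Get-Process -Name explorer -ErrorAction SilentlyContinue)) {
    $findings += 'explorer.exe is not running'
    if ($Repair) { Start-Process -FilePath "$env:SystemRoot\explorer.exe" }
}

# 4. The fake "YOUR SYSTEM IS INFECTED" background is just a wallpaper;
#    report the current value so it can be checked against a file you chose.
$wall = (Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name Wallpaper -ErrorAction SilentlyContinue).Wallpaper
$findings += "Current wallpaper: '$wall' (confirm this is a file you set yourself)"

if ($findings.Count -eq 0) {
    'No policy or shell tampering found.'
} else {
    $findings | ForEach-Object { "[!] $_" }
    if (-not $Repair) { 'Re-run with -Repair to undo the items above.' }
}
```

Run it first without -Repair and read the report; removing DisableTaskMgr takes effect the next time Task Manager is launched, while a corrected Shell or Userinit value only applies at the next logon. Resetting these values restores the desktop but does not remove the malware that set them, so it belongs alongside, not instead of, the scans and logs the moderators were asking for in this thread.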

                                                  Acomber

                                                  • Guest
                                                  Edited.
                                                  « Last Edit: May 10, 2010, 05:58:59 PM by SuperDave »

                                                  sunnysky



                                                    Rookie

I had a similar-looking virus wreak havoc on my comp a few weeks ago. I had Norton antivirus, which, apparently, proved to be useless. The virus simply messed it up. The virus prevented me from opening any antivirus programs...so I restarted in safe-mode and ran Malwarebytes. MB picked up the virus and squashed it flat against the wall, like a disgusting bug. I know this method doesn't work for everyone...but it's worth a try. :)

                                                    SuperDave

                                                    • Malware Removal Specialist
                                                    • Moderator


                                                    • Genius
                                                    • Thanked: 1020
                                                    • Certifications: List
                                                    • Experience: Expert
                                                    • OS: Windows 10
                                                    Due to no further response from the OP, this thread is locked. If the OP wants it re-opened, please pm me.
Windows 8 and Windows 10 dual boot with two SSDs