Hi:
I just completed the last step of "viruses / Spyware / Malware, Prelimnary Removal Instructions" Here are my Log files. From HJT, combofix, & SAS.
Every thing seams to work better then it has been in a long time. the only Problem I see is the clock is now on 24 hour time.
But I will check tomarrow.
Couple of Questions.
1. Should I Remove the old Update files from Microsoft? How?
2. When all this started I had problems with my Browser and could not Sign into my Yahoo accoount cause my Browser was not excepting Cookies. is there a setting I should cheak?
3. Should I set a new restore point?
4. Should I unstall all or some of the programs I used to clean the PC ?

Thanks In Advance. Turk

Attached Files

	combofix-log.txt (18.2 KB, 2 views)
	hijackthis 08-16-08_01-49am.txt (13.3 KB, 5 views)
	SUPERAntiSpyware Scan Log - 08-16-2008 - 00-25-30.log (789 Bytes, 1 views)

OK your HJT log looks clean. Havent looked through combofix and other one yet.
Reply to number 3- You should always set a restore point after major updates or at least once every 2-3 months. This will let you rewind time back to the point where you saved the point. It may take up a pit of space but hey, its worth it.
Also, somewhere there should be a setting to turn on cookies, probably in internet options (not sure because i have never had to turn them on) but you should find that setting and turn it on.

That's not a clean hijackthis log it still shows vundo

Malwarebytes' Anti-Malware

• Please download Malwarebytes' Anti-Malware from from Here or Here
  
• Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to
  • Update Malwarebytes' Anti-Malware
  • and Launch Malwarebytes' Anti-Malware
• then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform full scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected.
• When completed, a log will open in Notepad. please attach this log with your reply
  • If you accidently close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

=======================================================

Afterwards attach the MBAM log with a fresh Hijackthis

Ok , I ran Mbam heres the log. thanks in advance
Turk

Attached Files

	hijackthis.log (13.3 KB, 3 views)
	mbam-log-8-16-2008 (15-19-29).txt (4.8 KB, 4 views)

Still there

Follow this and post the logs back here for me...

http://www.techspot.com/vb/post645589-1.html

Hi :
The only 3 problems i see is

1. When i ran Mcafee it found 1 Item "Rem adm-proclaunch 171" it was for Combofix

2. When I ran mabam I lost the log the screen said 1 item detected.

3. one left over from the start of this. When i click on "Install Update Manger" it says "Agent Not found".

Thanks In Advance
Turk

Attached Files

	hijackthis.log (12.9 KB, 1 views)
	SUPERAntiSpyware Scan Log - 08-19-2008 - 20-30-01.log (465 Bytes, 2 views)

1) Combofix quarantined a lot - I am surprised it didn't find more
2) The instructions state how to find the MBAM log - but either way we can fix you up

3) What update manager are you installing?

===========================================================

Backup your regsitry
First, we need to backup your registry:
Please go to Start > Run
Paste in the following line:

• regedit /e c:\registrybackup.reg

Click OK.
It won't appear to be doing anything, that's normal.
Your mouse pointer may turn to an hour glass for a minute.
Please continue when it no longer has the hour glass.


Making a .reg file
Open notepad and copy and paste the text in the quotebox below in it:

Name the file as Fix.reg

Change the "Save As" type to "All Files" and save it on the desktop.

It should look like this:

Double-click on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

=======================================================

OTMoveit2 by OldTimer
Please download the OTMoveIt2 by OldTimer.

• Save it to your desktop.
• Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  
  Code:

  [kill explorer]
  C:\WINDOWS\system32\vrpgfp.dll
  C:\WINDOWS\system32\hsxolm.dll
  purity
  [start explorer]

• Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
• Click the red Moveit! button.
• A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
• Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

=======================================================

Run Kaspersky Online AV Scanner

In order to use it you have to use Internet Explorer.
Go to Kaspersky and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

• Read the Requirements and limitations before you click Accept.
• Allow the ActiveX download if necessary.
• Once the database has downloaded, click Next.
• Click on "My Computer"
• When the scan has completed, click Save Report As...
• Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
• Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.

Attach the report into your next reply

while kaspinsky was scanning an error popup the title was MIM has encountered a problem it belongs to Musicmatch.
other then that Move it found no files and kaspinsky found 2 infected files, but i found no way in the program to remove them.

Thanks In advance
Turk
I noticed that the JAVA icon was on the task bar. I did some snooping around and found a Trace file. You mite be intrested in the bottom of the file where it says Virus. so here is a copy don't know if it helps

Attached Files

	08202008_165345.log (536 Bytes, 1 views)
	Kaspersky 08-20-08.txt (1.1 KB, 2 views)
	java 08-20-08.txt (7.7 KB, 1 views)

That's clean -1 is in quarantine, the other is a false positive - we will remove both now

Uninstall Combofix
* Click START then RUN
* Now type Combofix /u in the runbox
* Make sure there's a space between Combofix and /u
* Then hit Enter.

* The above procedure will:
* Delete the following:
* ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.

-----------------------------------------------------------------------

Launch OTMoveit2! and click the green Cleanup!

---------------------------------------------------------------------------

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

1. Set correct settings for files
   • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
   • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
   • If unchecked please check Hide protected operating system files (Recommended)
   • If necessary check "Display content of system folders"
   • If necessary Uncheck Hide file extensions for known file types.
   • Click OK
   
   clear system restore points
   • This is a good time to clear your existing system restore points and establish a new clean restore point:
     • Go to Start > All Programs > Accessories > System Tools > System Restore
     • Select Create a restore point, and Ok it.
     • Next, go to Start > Run and type in cleanmgr
     • Select the More options tab
     • Choose the option to clean up system restore and OK it.
     This will remove all restore points except the new one you just created.
   
   
2. Make your Internet Explorer more secure - This can be done by following these simple instructions:
   1. From within Internet Explorer click on the Tools menu and then click on Options.
   2. Click once on the Security tab
   3. Click once on the Internet icon so it becomes highlighted.
   4. Click once on the Custom Level button.
      1. Change the Download signed ActiveX controls to Prompt
         
      2. Change the Download unsigned ActiveX controls to Disable
         
      3. Change the Initialize and script ActiveX controls not marked as safe to Disable
         
      4. Change the Installation of desktop items to Prompt
         
      5. Change the Launching programs and files in an IFRAME to Prompt
         
      6. Change the Navigate sub-frames across different domains to Prompt
         
      7. When all these settings have been made, click on the OK button.
         
      8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
   5. Next press the Apply button and then the OK to exit the Internet Properties page.
3. Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
   
   See this link for a listing of some online & their stand-alone antivirus programs:
   
   Virus, Spyware, and Malware Protection and Removal Resources
   
   
4. Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
   
   
5. Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.
   
   For a tutorial on Firewalls and a listing of some available ones see the link below:
   
   Understanding and Using Firewalls
   
   
6. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.This is done in Vista through control panel -> windows updates.
   
   
7. Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
   
   A tutorial on installing & using this product can be found here:
   
   Using SpywareBlaster to protect your computer from Spyware and Malware
   
   
8. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

here are some additional utilities that will enhance your safety

• IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
• MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
• Google Toolbar <= Get the free google toolbar to help stop pop up windows.
• Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
  Using Winpatrol to protect your computer from malicious software

Hi :

1. When Moveti Rebooted me and i sign in Windows told me it could not load my profile and started me a new one like Day 1. After every thing calmed down I rebooted and signed in again and everything was back to normal.

Thank You very much!
Turk

HI :
1 More thing Should I delete the Reg file we made?
Thanks

yes you can delete the reg file - it did its job