Help with popups malware please.

Status
Not open for further replies.
Hi, I seem to be suffering with the same popup/malware problem that everyone else is. McAfee doesn't seem to pick anything up during a virus scan. I think I got infected through an ActiveX control. Can someone talk me through what I need to do? Thanks!
 
Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please attach the log in your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Download and Run ComboFix
  • Download this file to your desktop from either of the two places listed below:

    HERE or HERE
  • Then double click combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Attach that log in your next reply.
WARNING: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
 
No, I still need to finish up looking at the logs. Hang tight.

COMBOFIX-Script

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    KILL ALL::
    
    File::
    C:\WINDOWS\system32\lvxmayey.ini
    C:\WINDOWS\system32\kbsrehar.exe
    C:\WINDOWS\system32\yxafiris.dll
    
    Folder::
    C:\Documents and Settings\All Users\Application Data\qfwzijov
    C:\Documents and Settings\All Users\Application Data\Less Knob Balm Bait
    C:\Documents and Settings\All Users\Application Data\Bait cake roam slow
    
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "hcsagyrw"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "roam slow curb balm"=-
    "burn dvd mags balm"=-
    "5c53e714"=
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    (screenshot: CFScript.gif)

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

ATF Cleaner

  • Download and Run ATF Cleaner
    Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop. Double-click ATF Cleaner.exe to open it.

    Under Main choose:

    • Windows Temp
      Current User Temp
      All Users Temp
      Temporary Internet Files
      Java Cache

      *The other boxes are optional*
      Then click the Empty Selected button.
    If you use Firefox:

    • Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
    If you use Opera:

    • Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.

After this run HijackThis again and post a fresh log for me.
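As an added example (not part of the thread, and not ComboFix's own tooling), the PowerShell below parses the posted CFScript layout (File:: / Folder:: / Registry:: sections) and reports which of the listed files, folders and Run-key values still exist, so a helper can confirm the cleanup actually took before asking for fresh logs. The function names ConvertFrom-CFScript and Get-CFScriptLeftovers are my own; the script text embedded inline is the one posted above.

```powershell
# Added example, not from the thread: parse a ComboFix CFScript (File:: / Folder:: / Registry::)
# and report which listed items still exist, to confirm the cleanup took. Script text is the one posted above.
$cfScript = @'
File::
C:\WINDOWS\system32\lvxmayey.ini
C:\WINDOWS\system32\kbsrehar.exe
C:\WINDOWS\system32\yxafiris.dll
Folder::
C:\Documents and Settings\All Users\Application Data\qfwzijov
C:\Documents and Settings\All Users\Application Data\Less Knob Balm Bait
C:\Documents and Settings\All Users\Application Data\Bait cake roam slow
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hcsagyrw"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"roam slow curb balm"=-
"burn dvd mags balm"=-
"5c53e714"=
'@
function ConvertFrom-CFScript {
    param([string]$Text)
    $parsed = @{ File = @(); Folder = @(); Registry = @() }; $section = $null; $key = $null
    foreach ($line in ($Text -split "`r?`n" | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
        if ($line -match '^([A-Za-z ]+)::$') { $section = $Matches[1]; continue }   # section header
        switch ($section) {
            'File'   { $parsed.File   += $line }
            'Folder' { $parsed.Folder += $line }
            'Registry' {
                if ($line -match '^\[(.+)\]$') { $key = $Matches[1] }           # key line
                elseif ($key -and $line -match '^"([^"]+)"=') {                # value the script deletes
                    $parsed.Registry += [pscustomobject]@{ Key = $key; Name = $Matches[1] }
                }
            }
        }
    }
    $parsed
}
function Get-CFScriptLeftovers {
    param($Parsed)
    foreach ($p in @($Parsed.File) + @($Parsed.Folder)) {
        if (Test-Path -LiteralPath $p) { [pscustomobject]@{ Item = $p; Where = 'filesystem' } }
    }
    foreach ($r in $Parsed.Registry) {
        $regPath = 'Registry::' + $r.Key
        if ((Test-Path -LiteralPath $regPath) -and (Get-ItemProperty -LiteralPath $regPath -Name $r.Name -ErrorAction SilentlyContinue)) {
            [pscustomobject]@{ Item = "$($r.Key) : $($r.Name)"; Where = 'registry' }
        }
    }
}
Get-CFScriptLeftovers (ConvertFrom-CFScript $cfScript) | Format-Table -AutoSize
```

An empty table means none of the listed artifacts remain; any row is an item to look at in the next ComboFix or HijackThis log.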
 
Reboot and see if it's there, maybe in the C:\ drive; if not, try this again.

COMBOFIX-Script

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    File::
    C:\WINDOWS\system32\lvxmayey.ini
    C:\WINDOWS\system32\kbsrehar.exe
    C:\WINDOWS\system32\yxafiris.dll
    
    Folder::
    C:\Documents and Settings\All Users\Application Data\qfwzijov
    C:\Documents and Settings\All Users\Application Data\Less Knob Balm Bait
    C:\Documents and Settings\All Users\Application Data\Bait cake roam slow
    
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "hcsagyrw"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "roam slow curb balm"=-
    "burn dvd mags balm"=-
    "5c53e714"=
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    (screenshot: CFScript.gif)

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Then run ATF and HijackThis again.
 