Trojan.Obfuscated.en & LOP etc.

Welcome to Major Geeks!

Do you have the log from AVG Antispyware as requested?

Also it appears that you skipped step 2 of the READ ME. Please do that step now.

Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.azjfxewopztullerwrtexpgr...JZubPUwypMSBgzBEO/jtOGgZTRbATwQtMBdeqTls.html
O2 - BHO: (no name) - {75BFB461-1AD5-4F89-511D-8414FFF867CB} - C:\DOCUME~1\Samantha\APPLIC~1\SECOND~1\bookoption.exe (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Bat Wave Base Dale] C:\Documents and Settings\All Users\Application Data\Link Axis Bat Wave\Okay Nurb.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [FORKCAST] C:\DOCUME~1\Papa\APPLIC~1\SITESE~1\Inter Mess Corn.exe

After clicking Fix, exit HJT.


Now download The Avenger by Swandog46, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Check the 'Input script manually' box.
• Click on the magnifying glass icon.
• Copy everything in the Quote box below, and paste it in the box that opens:

• Now click the 'Done' button.
• Click on the traffic light icon and OK the prompt.
• You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt

Now run Ccleaner!

Now attach the below new logs and tell me how the above steps went.

1. Avenger
2. GetRunKey
3. ShowNew
4. HJT

Make sure you tell me how things are working now!

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 8 of the READ & RUN ME. This only applies to if using WinXP or WinMe.

 

Not on this one for the user account that you are using. Check the instructions in step 2 again. There are multiple things to do. You only did one of them. You are still hiding system files and also extensions.

All of the logs (for both user account) are clean. If you are still having problems you will have to give more specifice details of them and possibly attach a snapshot of the messages you are referring too. It is possible that this it not a malware issue?

 

The Task Manager list does not show any problems. The error message is not legible. You need to capture only the error message window not the full desktop. Also it would be better to capture the snapshots to a JPG not a Word document which will always be way to larger. Programs like FastStone Capture 5.8 are great for doing this.

I'm still not sure this is malware. You will have to be much more specific and provide the EXACT names of processes that you think you are seeing.

imapi.exe is a process associated with CD burning software

hvideo.exe is unknown but could be malware related. You need be sure of the file names and also there location which Task Manager is totally useless for. You would be better off using the below procedure with Process Explorer to capture a detail running process list to a file that you can attach.

Download ProcessExplorer

• Unzip it to its own folder somewhere you can locate it.
• Now run procexp.exe by double clicking on it.
• Let's configure some options first:
  • Click View and select Show Lower Pane. And where it says "Lower Pane View" make sure DLL's is checked.
  • Now click on explorer.exe.
  • Now also under the View menu choose "Select columns" and put a check mark on "Image Path".
• Now click on File and then Save As. And save the process list.
• Post it back here as an attachment.
• Also, from now on if you have to kill any processes and you cannot kill them with Task Manager, use Process Explorer instead. Sometimes ProcessExplorer can kill things that Task Manager cannot. And Task Manager will not always show all running processes.

Also please run the below from your daughter's account.

Using Silent Runners and attach the log.

 

There is nothing of interest in your logs! I tend to doubt these popups are related to malware. Please get a better snapshot of the error message popup only using the tools I gave a link too and save it as a JPG file. Then attach the JPG. ALSO, do not close the popup window.. While it is still open, run the same procedure I gave you with Process Explorer again and attach a new log.

Is you daughter's account the only one this happens on? If you boot into safe mode and login to your daughters account do these still occur.

 

Please answer my questions asked in message # 13

 

Sounds like you are trying to run things that require administrator priviledges and that is the reason for access denied. Try changing either your account or your daughters account to be and admin account and then see what happens.

 

You will have to experiment with using the Startup and Services tab on MSconfig. You can disable various startups from loading and by process of elimination may be able to determine what processes are causing this. This is what MSconfig was designed for. That is to do temporary debugging.

As a quick test to see what happens, you can run MSconfig and choose Selective Startup, then uncheck the Load Startup Items checkbox. Then click Apply, OK. And then reboot and see if the error windows either go away or are reduced in number.