Antivirus 2009

I am having to assume that you did have MBAM fix what it found as the log you attached indicates that no action was taken.

I also need to caution you about allowing all users to have admin, privileges!!

Why are you running in safe mode? Can you not boot into normal mode?

* Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
If it is not on your Desktop, the below will not work.
* Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
* If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
* Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

Code:

KILLALL::

File::
c:\windows\f5087.dat
c:\windows\instsp2.exe
c:\windows\t55ft2667f44.dat
c:\windows\t55ft2692f44.dat
c:\windows\t55ft2633f44.dat
c:\windows\t55ft2688f44.dat
c:\windows\t55ft2803f44.dat
c:\windows\t55ft2772f44.dat
c:\windows\t55ft2829f44.dat
c:\windows\system32\rirupage.exe
c:\windows\system32\jilehobe.dll.vir
c:\windows\system32\wukodovu.exe
c:\windows\t55ft2659f44.dat
C:\pch.bat
c:\windows\t55ft2655f44.dat
c:\windows\t55ft3021f44.dat
c:\windows\t55ft2582f44.dat
c:\windows\t55ft2608f44.dat
c:\windows\t55ft3242f44.dat
c:\windows\t55ft2824f44.dat
c:\windows\system32\jonusosi.dll.tmp
c:\windows\system32\dipamiba.dll.vir
c:\windows\system32\dehabuhe.dll.tmp
c:\windows\9g2234wesdf3dfgjf23
C:\Documents and Settings\user13\Local Settings\Application Data\Xxeyaqiqamal.dll
C:\Program Files\Mozilla Firefox\extensions\{018E0A75-97C7-488E-B9A9-A8C538AB6216}\chrome\content\overlay.xul
C:\WINDOWS\system32\179223 
C:\WINDOWS\system32\219198    
c:\windows\system32\jopotuwe 

Folder::
C:\WINDOWS\system32\179223 
C:\WINDOWS\system32\219198    
c:\windows\system32\jopotuwe 

* Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
* You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
If it asks you to overide the prvevious file with the same name, click YES.
* Now use your mouse to drag CFscript.txt on top of ComboFix.exe
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
* Follow the prompts.
* When it finishes, a log will be produced named c:\combofix.txt
* I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Now download and install:
Java Runtime 6

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

* C:\ComboFix.txt
* C:\MGlogs.zip

 

Yes....because once malware enters the system if has free reign to infect everything.

Since you are running Kaspersky antivirus, it may popup warnings about combofix.exe and catchme.exe being infected as Heur.Invader. These are false indications. You must tell Kaspersky to Skip or Ignore these and let ComboFix run.

Now:

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

After clicking Fix, exit HJT.

* Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
If it is not on your Desktop, the below will not work.
* Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
* If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
* Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

Code:

KILLALL::

Driver::
websrvx
ucmg

File::
c:\program files\websrvx\websrvx.exe
c:\windows\system32\drivers\lojaorf.sys
C:\kis8.0.0.506ru.rar
C:\WINDOWS\system32\bf141e13-.txt

Folder::
c:\program files\websrvx
C:\kis8.0.0.506ru.rar

Registry::
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DL32"=-

* Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
* You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
If it asks you to overide the prvevious file with the same name, click YES.
* Now use your mouse to drag CFscript.txt on top of ComboFix.exe
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
* Follow the prompts.
* When it finishes, a log will be produced named c:\combofix.txt
* I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Now run Ccleaner.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

* C:\ComboFix.txt
* C:\MGlogs.zip

Make sure you tell me how things are working now!

 

I strongly advise you to cleanup your Desktop. Remove everything but links to run programs. Do not download and save programs here and definitely do not use it for long term storage. You need to keep ComboFix.exe here for now as we need it, but we will be removing it when we are finished with your cleanup. A cluttered Desktop is malware's playground and it can also cause performance degradation especially when you start saving large files here like you are doing.

I want you to run SAS and MBAM on each user account....attach any logs that show malware and be sure to label them with the user name.

Now:

* Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
If it is not on your Desktop, the below will not work.
* Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
* If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
* Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

Code:

KILLALL::

File::
C:\WINDOWS\system32\temp_0000_85-22.aok
C:\WINDOWS\system32\test.aok      
C:\WINDOWS\system32\tmp.log
C:\WINDOWS\system32\tmp1.log 

* Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
* You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
If it asks you to overide the prvevious file with the same name, click YES.
* Now use your mouse to drag CFscript.txt on top of ComboFix.exe
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
* Follow the prompts.
* When it finishes, a log will be produced named c:\combofix.txt
* I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

* C:\ComboFix.txt
* C:\MGlogs.zip