Similar Malware problem as a few others

Discussion in 'Malware Help (A Specialist Will Reply)' started by FTWchamp, Oct 29, 2006.

  1. FTWchamp

    FTWchamp Private E-2

    I am running Microsoft Windows XP Professional SP2. I am currently using Zone Alarm Firewall, AVG and Spybot S&D. I have read through the read & run me and just about everything else pertaining to this topic in the forums, although this post may ramble a bit. I've been battling this for about 12 hours straight.

    So I too have the issue where, when I open up IE, it redirects to the safeiepage that said I had W32.Myzor.Fk@yf, and numerous system warning messages would pop up through the yellow triangle sign at the bottom right-hand corner, and porn popups. There were also warnings via my taskbar claiming Trojan-Spy.Win32@mx was on my machine. I have noticed a VideoKeyCodec and other monitoring programs.

    Like TheBlackClap, I have a blinking ! inside a yellow triangle. There is a balloon message that pops up above it too:

    "System Alert: Malware threats

    Your computer is infected with a back door Trojan that allows the remote attacker to perform various malicious actions. Click this Baloon to download malware removal software." However, now that the scans are done, that is gone?

    The second item in the task bar is blinking X and ? that reads Critical System Errors! on mouseover. If I click on that one, it sends me to Virusbuster.com.

    So I:

    1. Used the Symantec safe mode boot instructions. Either my admin password did not work (I had it written down) or it was the wrong password. It has been over a year since I created it.

    2. Ran CCleaner.

    3. Unplugged CAT 5 cable.

    4. Ran MS Windows Malicious Software Removal Tool -- no malicious programs found.

    5. Ran Search and Destroy -- 3 PestTrap and 1 Zlob.HomepageMonitor entries were listed. All were in registry. Clicked S&D to "fix" 4 problems.

    6. Ran Windows Defender -- nothing detected. Defender ran in safe mode so I did not download and run CounterSpy.

    7. Rebooted into safe mode with networking.

    8. Ran Bitdefender -- nothing found, log exported.

    9. Ran Panda Active Scan -- scanned local disks, 3 spyware, 1 hacking tool, 3 suspicious files found.

    10. Rebooted into normal mode and double clicked getrunkey.bat and shownew.bat. Text files below.
     

    Attached Files:

  2. FTWchamp

    FTWchamp Private E-2

    Follow-up post with other attachments. I also ran the avenger.exe and fixmwipe.reg in attempts to solve this problem.
     

    Attached Files:

  3. FTWchamp

    FTWchamp Private E-2

    So my question is what do I do next? The malware is still on my machine and I do not understand chaslang's post near the end of TBC's thread, with the deletion of the two files (which I believe I have), and the Pocket Killbox etc. instructions. I did not use any of those.

    One bad click on Myspace.com when I was tired and braindead. I just want my computer back to normal. :(
     
  4. FTWchamp

    FTWchamp Private E-2

    Also ran HJT per instructions and attached log.
     
  5. FTWchamp

    FTWchamp Private E-2

    Kept reading and downloaded Smitfraudfix and ran step one. Text file attached.
     

    Attached Files:

  6. FTWchamp

    FTWchamp Private E-2

    Ok I keep reading and reading, hoping something will click so I know what to do. However I'm confused on what to do next. Do I . . .

    1. Run step two of SmitfraudFix? I saw a similar situation chaslang responded to earlier, suggesting a 2-step process. So I did step one and posted the log.

    or 2. Run killbox.exe per the information in RicerX's thread? RicerX seems to have the same problem as I do, but the copy and paste instructions Matt posted won't match up with the file paths on my machine. I want to make sure I get it right and get this machine clean.

    Someone please help. I think I'm close to fixing this, but I need some guidance on what tools to use to remove the malware and then how to go about double checking that the machine is clean. Sorry to keep on this thread, I just don't know what else to do. I've been at this for hours and could really use a hand.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes run step 2 of the SmitFraudFix procedure you are referring to and then attach the second rapport.txt log.

    Also run HijackThis and select all of the O18 lines that refer to C:\Program Files\Logitech\Desktop Messenger. After selecting all of those O18 lines click Fix checked.

    Now attach new logs from GetRunKey, ShowNew, and HJT so we can finish cleaning your PC.
     
  8. FTWchamp

    FTWchamp Private E-2

    I ran the SmitFraudFix step two last night. That log is attached.

    Just ran HJT and selected fix for all the O18 entries and attached that log.
     

    Attached Files:

  9. FTWchamp

    FTWchamp Private E-2

    For some reason the attachments for runkey and newfile are stuck at "sending request" on upload.
     
  10. FTWchamp

    FTWchamp Private E-2

    Ok, runkey and newfiles txt files finally attached. Thanks in advance Chaslang.
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 5
    J2SE Runtime Environment 5.0 Update 6

    Now install the current version of Sun Java from: Sun Java Runtime Environment

    I'm not seeing any other malware problems. Are you still having any?

    Do the below folders still exist? If so, you must delete them:
    C:\Program Files\VideoKeyCodec\pmsngr.exe
    C:\Program Files\VirusBursters\VirusBursters.exe
     
  12. FTWchamp

    FTWchamp Private E-2

    Thanks for your help Chaslang. I uninstalled the J2SE Runtime Environment 5.0 Update 5 and J2SE Runtime Environment 5.0 Update 6 via control panel and installed the version from the link you posted.

    While the other entries are gone, I still see a listing for isamonitor.exe in Windows Defender Software Explorer under Startup Programs. Startup value is the same as the File path: C:\Program Files\VideoKeyCodec\isamonitor.exe. Startup type: Registry: Local Machine. Location Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run. Can I just click remove in Windows Defender to get rid of it? The enable button is also an option and Disable is greyed out.

    Also how am I sure I am clean? I thought Panda Scan had other things it found? Should I run more scans? And for all the stuff I downloaded to fix this situation, can I just delete them?
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This is just a statement from Windows Defender to say it was stopping it from loading. Since we already deleted the file there is nothing left for Windows Defender to block. You can delete that entry or you can just ignore it. But you don't want to enable it to load. If you got infected again, you would be giving permission for this file to load.

    Panda only found cookies (not a problem) and the below:
    Running CCleaner should have emptied the Temp folder and we already know the other two folders are deleted! You can run CCleaner again to be sure and then you can look in C:\Documents and Settings\FTWchamp\Local Settings\Temp\ to see that the file has been deleted. But I know it was already deleted because it was gone in your logs in message # 10.

    Are you having any malware problems? If not, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    4. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    7. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     
    Last edited: Nov 3, 2006
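    The exchange in messages 12 and 13 turns on one detail: a Run value under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run can point at a file that has already been deleted, and such an orphaned entry is harmless as long as it is never re-enabled. The script below is an added example written for this thread, not code from MajorGeeks or from any of the tools used above. It lists every value under that Policies\Explorer\Run key and reports whether the program it launches still exists on disk, so the "file already gone" situation chaslang describes can be confirmed directly. It assumes Windows PowerShell is installed (it is not part of a default Windows XP install) and adds the HKCU twin of the key as an assumed extra location; it is read-only and removes nothing.

```powershell
# Added example, not code from the thread or from any tool it mentions.
# Assumes Windows PowerShell 2.0 or later is available on the machine.
# Read-only: lists Policies\Explorer\Run autostart values and checks whether
# each target program still exists. Nothing is deleted or changed.

function Get-CommandTarget {
    param([string]$Command)
    # "C:\path with spaces\app.exe" /arg   -> take the quoted part
    if ($Command -match '^"([^"]+)"') { return $Matches[1] }
    # C:\path with spaces\app.exe (unquoted, no arguments) -> the whole string is the path
    if (Test-Path -LiteralPath $Command) { return $Command }
    # C:\path\app.exe /arg -> first whitespace-separated token
    return ($Command -split '\s+')[0]
}

function Get-PolicyRunEntries {
    # The HKLM key is the location named in message 12; the HKCU key is an
    # assumed addition so per-user entries are covered as well.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-ItemProperty -LiteralPath $key
        foreach ($prop in $item.PSObject.Properties) {
            # Get-ItemProperty adds PSPath, PSParentPath, etc.; skip those
            if ($prop.Name -like 'PS*') { continue }
            $target = Get-CommandTarget -Command ([string]$prop.Value)
            New-Object PSObject -Property @{
                Key        = $key
                ValueName  = $prop.Name
                Command    = [string]$prop.Value
                Target     = $target
                FileExists = (Test-Path -LiteralPath $target)
            }
        }
    }
}

# Usage: run from an administrative PowerShell prompt on the machine being checked.
Get-PolicyRunEntries | Format-Table Key, ValueName, Target, FileExists -AutoSize
```

    A row with FileExists set to False is exactly the case discussed above: the registry still asks Windows to start a program, but the program is gone. Such a value can be deleted or left alone; what matters is that it is not enabled again, because a fresh infection dropping a file at that path would then be started at logon without further prompting.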
  14. FTWchamp

    FTWchamp Private E-2

    Thank you very much Chaslang. Everything appears clean and it is good to be back to a normal running state. Very much appreciated. :)
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf Safely!
     
