
Unable to complete Malware cleaning guide


  • This topic is locked

#61
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts

Should I open this forum on that computer to follow the link for the norton removal program and avast? I have been avoiding opening a browser.

Yes, go ahead and open a browser; it should be OK here, on the Norton page, and then for installing the free Avast.
  • 0



#62
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
. . . . and post the Malwarebytes log also.
  • 0

#63
TmlGuy

    Member

  • Topic Starter
  • Member
  • 58 posts
OK, the Norton removal has been run.
Avast installed.
Here is the Malwarebytes report.


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4718

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

9/29/2010 5:00:49 PM
mbam-log-2010-09-29 (17-00-49).txt

Scan type: Full scan (C:\|)
Objects scanned: 290574
Time elapsed: 52 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP796\A0033555.dll (Trojan.Alureon) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP809\A0036038.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\TmlStore1\My Download Files\bugdoctor\PCBugDoctor_newsetup.exe (Rogue.PCBugDoctor) -> Quarantined and deleted successfully.
  • 0
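As an added example (not part of the original post and not Malwarebytes' own tooling), the following Python script parses the log above. It checks the summary counts against the detail sections and separates items found inside System Restore snapshots (the `System Volume Information\_restore{...}\RPnnn` paths) from items on the live filesystem; that distinction is what decides whether restore points still need flushing after a clean-up. The sample log is a trimmed copy of the one posted; the regular expressions and the `triage` helper are assumptions of mine fitted to this log format.

```python
import re
from collections import Counter

# Constructed input: the Malwarebytes 1.46 log posted above with the empty
# sections trimmed. A full mbam-log-*.txt file parses the same way.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4718

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

Scan type: Full scan
Objects scanned: 290574

Memory Processes Infected: 0
Registry Keys Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP796\A0033555.dll (Trojan.Alureon) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP809\A0036038.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\TmlStore1\My Download Files\bugdoctor\PCBugDoctor_newsetup.exe (Rogue.PCBugDoctor) -> Quarantined and deleted successfully.
"""

# "Files Infected: 3" style summary lines and "Files Infected:" section headers.
SUMMARY_RE = re.compile(r"^(?P<section>.+ Infected): (?P<count>\d+)$")
HEADER_RE = re.compile(r"^(?P<section>.+ Infected):$")
# One detection line: <path> (<threat name>) -> <action taken>.
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")
# Files under System Volume Information\_restore{...}\RPnnn\ are System Restore
# snapshot copies: the copy MBAM removed is inert, but other restore points may
# still hold one, which is why restore points get flushed at the end of a clean-up.
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{[^}]+\}\\RP\d+\\", re.I)


def parse_mbam_log(text):
    """Return (summary counts, detected items) from an mbam-log-*.txt file."""
    summary, items, section = {}, [], None
    for line in filter(None, map(str.strip, text.splitlines())):
        if m := SUMMARY_RE.match(line):
            summary[m["section"]] = int(m["count"])
        elif m := HEADER_RE.match(line):
            section = m["section"]
        elif section and (m := ITEM_RE.match(line)):
            items.append({"section": section, "path": m["path"], "threat": m["threat"],
                          "action": m["action"],
                          "in_restore_point": bool(RESTORE_RE.search(m["path"]))})
    return summary, items


def triage(summary, items):
    """Separate restore-point copies from live files and sanity-check the counts."""
    per_section = Counter(i["section"] for i in items)
    return {
        "restore_point_items": sum(i["in_restore_point"] for i in items),
        "live_items": sum(not i["in_restore_point"] for i in items),
        "threats": sorted({i["threat"] for i in items}),
        # Anything not reported as quarantined needs a second look.
        "not_quarantined": [i["path"] for i in items
                            if not i["action"].lower().startswith("quarantined")],
        # Every summary count must equal the number of lines parsed in that section.
        "summary_consistent": all(summary[s] == per_section.get(s, 0) for s in summary),
    }


if __name__ == "__main__":
    summary, items = parse_mbam_log(SAMPLE_LOG)
    for key, value in triage(summary, items).items():
        print(f"{key}: {value}")
```

Run against the full log, `summary_consistent` turning False is the signal that a section was cut off when the log was pasted, and a non-empty `not_quarantined` list is the signal that something survived the scan.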

#64
TmlGuy

    Member

  • Topic Starter
  • Member
  • 58 posts
I ran Avast; it found 5 more threats, which I removed. Couldn't find a log to post. Will wait for your next instructions.

Thank you so much, I see light at the end of the tunnel now. You and Geeks to go are AWESOME!
  • 0

#65
TmlGuy

    Member

  • Topic Starter
  • Member
  • 58 posts
Well, I ran a boot scan with Avast also, and it found 17 infected files. Still no report file that I can find.
  • 0

#66
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
I suspect Avast is clearing stuff out of System Restore, much like Malwarebytes found a couple of items there; we will flush that out at the end.

In this post we will do a final online scan as a final check.

We will also update your Java.


====STEP 1====
Upgrading Java
  • Download the latest version of Java SE Runtime Environment (JRE) JRE 6 Update 21.
  • Click the JDK 6 Update 21 (JDK or JRE) "Download JRE" button to the right.
  • Select your Platform, Register and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement."
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u21-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista users, right-click on jre-6u21-windows-i586.exe and select "Run as an Administrator.")

====STEP 2====
Please do an online scan with Kaspersky WebScanner (this will identify any issues; we will clear them in the following post).

Kaspersky online scanner uses Java technology to perform the scan. If you do not have the latest Java version, follow the instructions below under Upgrading Java to download and install the latest version.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following are checked:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
Upgrading Java if required:
  • Download the latest version of Java SE Runtime Environment (JRE) JRE 6 Update 21.
  • Click the JDK 6 Update 20 (JDK or JRE) "Download JRE" button to the right.
  • Select your Platform, Register and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement."
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u21-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista users, right-click on jre-6u21-windows-i586.exe and select "Run as an Administrator.")
If the Kaspersky scan fails to work, let me know (with a brief line on why) and please go HERE to run Panda's TotalScan:
  • Select the bubble for Scan now
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • Then the scan will begin
  • When the scan completes, click the Save button on the right of Scan details
  • Save it to a convenient location. Post the contents of the TotalScan report

In your next reply could I see:
1. the kaspersky log or Totalscan log
2. some idea of how your machine is running now

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk
  • 0

#67
TmlGuy

    Member

  • Topic Starter
  • Member
  • 58 posts
Kaspersky would not run. It said my computer did not meet the requirements.
  • 0

#68
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Try the Panda TotalScan then (instructions are below the Kaspersky ones in Step 2).

andrewuk
  • 0

#69
TmlGuy

    Member

  • Topic Starter
  • Member
  • 58 posts
Computer seems to be doing fine. Haven't accessed anything other than what you have directed, though. I'll go wander around the web and Facebook if that's okay and let you know if I notice anything. Here is the log from ActiveScan:

;***********************************************************************************************************************************************************************************
ANALYSIS: 2010-09-30 12:11:41
PROTECTIONS: 2
MALWARE: 1
SUSPECTS: 6
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
avast! Antivirus 5.0.83886757 No Yes
No No
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No c:\documents and settings\denise\cookies\denise@doubleclick[2].txt
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
No c:\documents and settings\denise\desktop\drainage\virus\2008\mbam\mbam-setup.exe
No c:\documents and settings\denise\desktop\tmlstore\tm 10.50\fsplash.exe
No c:\documents and settings\denise\desktop\tmlstore\tm 10.50.zip[fsplash.exe]
No c:\documents and settings\denise\desktop\virus\2008\mbam\mbam-setup.exe
No c:\downloads\vx2cleaner_inst.exe
No c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp812\a0041327.exe
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
108742 MEDIUM MS06-006
;===================================================================================================================================================================================
  • 0

#70
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box at the top of the page (you may have to use the Browse button):

    • c:\documents and settings\denise\desktop\tmlstore\tm 10.50\fsplash.exe
  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard. . . . . if the copy function does not work then copy the url link in your reply.
  • Paste the contents of the Clipboard in your next reply (you will need to paste the link onto a notepad before you do the other scans below, else the contents of your clipboard will be written over with the new links).

  • 0



#71
TmlGuy

    Member

  • Topic Starter
  • Member
  • 58 posts
So is it safe for me to go to facebook and youtube to take it for a test run?

Should I turn on my Windows Firewall, or download a new one?

Here is the report:

VirSCAN.org Scanned Report:

Scanned time : 2010/09/30 12:24:26 (PDT)
Scanner results: 26% Scanner(s) (9/35) found malware!
File Name : fsplash.exe
File Size : 2681420 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 7028b776165da83f0e86da6d4d459591
SHA1 : 37dabba0b069e4fd8499ecc4573116281ab05670
Online report : http://virscan.org/r...fce8c9d7d5.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.0.0.20 20100930220801 2010-09-30 0.38 Trojan.Win32.Vilsel!IK
AhnLab V3 2010.10.01.00 2010.10.01 2010-10-01 1.39 Win-Trojan/Vilsel.2681420
AntiVir 8.2.4.66 7.10.12.92 2010-09-30 0.26 TR/Vilsel.aofv
Antiy 2.0.18 20101001.5260901 2010-10-01 0.02 -
Authentium 5.1.1 201009301525 2010-09-30 8.75 -
AVAST! 4.7.4 100930-0 2010-09-30 0.79 -
AVG 8.5.850 271.1.1/3168 2010-09-30 1.97 -
BitDefender 7.90123.6211991 7.34094 2010-10-01 4.92 -
ClamAV 0.96.1 12055 2010-09-30 2.17 -
Comodo 4.0 6224 2010-09-28 1.90 -
CP Secure 1.3.0.5 2010.09.30 2010-09-30 1.27 Troj.W32.Vilsel.aofv
Dr.Web 5.0.2.3300 2010.10.01 2010-10-01 12.10 -
F-Prot 4.4.4.56 20100930 2010-09-30 8.56 -
F-Secure 7.02.73807 2010.09.30.08 2010-09-30 11.62 Trojan.Win32.Vilsel.aofv [AVP]
Fortinet 4.1.143 12.406 2010-09-30 0.65 -
GData 21.924/21.371 20100930 2010-09-30 7.13 Trojan.Win32.Vilsel.aofv [Engine:A]
ViRobot 20100930 2010.09.30 2010-09-30 0.38 -
Ikarus T3.1.32.15.0 2010.09.30.76849 2010-09-30 4.75 Trojan.Win32.Vilsel
JiangMin 13.0.900 2010.09.29 2010-09-29 1.51 -
Kaspersky 5.5.10 2010.09.28 2010-09-28 0.14 Trojan.Win32.Vilsel.aofv
KingSoft 2009.2.5.15 2010.9.30.18 2010-09-30 1.04 -
McAfee 5400.1158 6122 2010-09-30 22.54 -
Microsoft 1.6201 2010.09.30 2010-09-30 9.19 -
Norman 6.05.11 6.05.00 2010-09-02 8.02 -
Panda 9.05.01 2010.09.29 2010-09-29 2.96 -
Trend Micro 9.120-1004 7.504.10 2010-09-30 1.35 -
Quick Heal 11.00 2010.09.30 2010-09-30 2.98 -
Rising 20.0 22.67.02.07 2010-09-29 2.93 -
Sophos 3.12.1 4.58 2010-10-01 5.00 -
Sunbelt 3.9.2453.2 6949 2010-09-30 25.18 -
Symantec 1.3.0.24 20100930.004 2010-09-30 2.13 -
nProtect 20100927.03 9236033 2010-09-27 9.74 -
The Hacker 6.7.0.1 v00041 2010-09-30 0.64 Trojan/Vilsel.aquq
VBA32 3.12.14.1 20100929.1020 2010-09-29 5.47 -
VirusBuster 4.5.11.10 10.129.3/1948945 2010-09-30 17.85 -
  • 0
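As an added example (not from the original post and not VirSCAN.org's own code), the following Python script parses the multi-engine report above, recomputes the 9/35 detection ratio from the table instead of trusting the headline, and extracts the detection-name token shared by the detecting engines, so that a page of differently spelled vendor names can be read as one verdict (here the family name `Vilsel`). The row and header regular expressions and the `GENERIC` stop-list are assumptions of mine, fitted to the report layout shown; the sample data is the report as posted, reduced to a few header fields plus the full engine table.

```python
import re
from collections import Counter

# Constructed input: the VirSCAN.org report posted above, reduced to a few header
# fields plus the full per-engine table (35 engines, 9 of which report a detection).
SAMPLE_REPORT = """\
Scanner results: 26% Scanner(s) (9/35) found malware!
File Name : fsplash.exe
MD5 : 7028b776165da83f0e86da6d4d459591
Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.0.0.20 20100930220801 2010-09-30 0.38 Trojan.Win32.Vilsel!IK
AhnLab V3 2010.10.01.00 2010.10.01 2010-10-01 1.39 Win-Trojan/Vilsel.2681420
AntiVir 8.2.4.66 7.10.12.92 2010-09-30 0.26 TR/Vilsel.aofv
Antiy 2.0.18 20101001.5260901 2010-10-01 0.02 -
Authentium 5.1.1 201009301525 2010-09-30 8.75 -
AVAST! 4.7.4 100930-0 2010-09-30 0.79 -
AVG 8.5.850 271.1.1/3168 2010-09-30 1.97 -
BitDefender 7.90123.6211991 7.34094 2010-10-01 4.92 -
ClamAV 0.96.1 12055 2010-09-30 2.17 -
Comodo 4.0 6224 2010-09-28 1.90 -
CP Secure 1.3.0.5 2010.09.30 2010-09-30 1.27 Troj.W32.Vilsel.aofv
Dr.Web 5.0.2.3300 2010.10.01 2010-10-01 12.10 -
F-Prot 4.4.4.56 20100930 2010-09-30 8.56 -
F-Secure 7.02.73807 2010.09.30.08 2010-09-30 11.62 Trojan.Win32.Vilsel.aofv [AVP]
Fortinet 4.1.143 12.406 2010-09-30 0.65 -
GData 21.924/21.371 20100930 2010-09-30 7.13 Trojan.Win32.Vilsel.aofv [Engine:A]
ViRobot 20100930 2010.09.30 2010-09-30 0.38 -
Ikarus T3.1.32.15.0 2010.09.30.76849 2010-09-30 4.75 Trojan.Win32.Vilsel
JiangMin 13.0.900 2010.09.29 2010-09-29 1.51 -
Kaspersky 5.5.10 2010.09.28 2010-09-28 0.14 Trojan.Win32.Vilsel.aofv
KingSoft 2009.2.5.15 2010.9.30.18 2010-09-30 1.04 -
McAfee 5400.1158 6122 2010-09-30 22.54 -
Microsoft 1.6201 2010.09.30 2010-09-30 9.19 -
Norman 6.05.11 6.05.00 2010-09-02 8.02 -
Panda 9.05.01 2010.09.29 2010-09-29 2.96 -
Trend Micro 9.120-1004 7.504.10 2010-09-30 1.35 -
Quick Heal 11.00 2010.09.30 2010-09-30 2.98 -
Rising 20.0 22.67.02.07 2010-09-29 2.93 -
Sophos 3.12.1 4.58 2010-10-01 5.00 -
Sunbelt 3.9.2453.2 6949 2010-09-30 25.18 -
Symantec 1.3.0.24 20100930.004 2010-09-30 2.13 -
nProtect 20100927.03 9236033 2010-09-27 9.74 -
The Hacker 6.7.0.1 v00041 2010-09-30 0.64 Trojan/Vilsel.aquq
VBA32 3.12.14.1 20100929.1020 2010-09-29 5.47 -
VirusBuster 4.5.11.10 10.129.3/1948945 2010-09-30 17.85 -
"""

# Scanner names may contain spaces, so the name is matched lazily and each row is
# pinned on the ISO date and elapsed-seconds columns that precede the verdict.
ROW_RE = re.compile(r"^(?P<scanner>.+?)\s+(?P<engine>\S+)\s+(?P<sig>\S+)\s+"
                    r"(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<secs>\d+\.\d+)\s+(?P<result>.+)$")
META_RE = re.compile(r"^(?P<key>[A-Za-z0-9 ]+?)\s*:\s*(?P<value>.+)$")
# Vendor naming is not standardised; dropping the generic type words leaves the
# token most engines share, which is the family name.
GENERIC = {"trojan", "troj", "win32", "w32", "generic", "engine", "avp", "malware"}


def parse_report(text):
    """Split a VirSCAN text report into header fields and per-engine rows."""
    meta, rows = {}, []
    for line in filter(None, map(str.strip, text.splitlines())):
        if row := ROW_RE.match(line):
            rows.append({**row.groupdict(), "secs": float(row["secs"])})
        elif m := META_RE.match(line):
            meta[m["key"].strip()] = m["value"]
    return {"meta": meta, "rows": rows}


def family_consensus(rows):
    """Detection ratio plus the family token agreed on by the detecting engines."""
    hits = [r for r in rows if r["result"] != "-"]
    votes = Counter()
    for r in hits:  # count each family token once per engine
        votes.update({t.lower() for t in re.findall(r"[A-Za-z]{4,}", r["result"])} - GENERIC)
    family, count = votes.most_common(1)[0] if votes else (None, 0)
    return {"engines": len(rows), "detections": len(hits),
            "percent": round(100 * len(hits) / len(rows)) if rows else 0,
            "family": family, "family_votes": count,
            "detecting_engines": [r["scanner"] for r in hits]}


def summary_matches(report):
    """Cross-check the headline '(9/35)' against the rows actually parsed."""
    m = re.search(r"\((\d+)/(\d+)\)", report["meta"].get("Scanner results", ""))
    c = family_consensus(report["rows"])
    return bool(m) and (int(m[1]), int(m[2])) == (c["detections"], c["engines"])


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    v = family_consensus(rep["rows"])
    print(f"{rep['meta']['File Name']} md5={rep['meta']['MD5']}: {v['detections']}/{v['engines']} "
          f"({v['percent']}%), family={v['family']} ({v['family_votes']} votes), "
          f"headline consistent={summary_matches(rep)}")
```

The useful reading of a report like this is not the raw percentage but the agreement: a low ratio with nine engines naming the same family is a much stronger signal than nine unrelated generic names would be, and `family_votes` equal to `detections` captures exactly that.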

#72
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts

So is it safe for me to go to facebook and youtube to take it for a test run?

Should I turn on my Windows Firewall, or download a new one?

Run the fix below and you should be OK from there on in. We are 10 minutes from finishing up here anyway.

I'm guessing Avast does not have a firewall; if not, then sure, switch on the Windows Firewall.


The files below, which were indicated as suspicious by the Panda TotalScan, look infected - unless you are sure otherwise:

Run OTL.exe by double clicking the icon on your desktop
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    
    :Files
    c:\documents and settings\denise\desktop\tmlstore\tm 10.50\fsplash.exe
    c:\documents and settings\denise\desktop\tmlstore\tm 10.50.zip[fsplash.exe]
    c:\documents and settings\denise\desktop\tmlstore\tm 10.50.zip
    
    :Commands
    [resethosts]
    [purity]
    [emptytemp]
    [CREATERESTOREPOINT]
    [EMPTYFLASH]
    [start explorer]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post the log that it produces

  • 0

#73
TmlGuy

    Member

  • Topic Starter
  • Member
  • 58 posts
All processes killed
========== OTL ==========
No active process named explorer.exe was found!
========== FILES ==========
c:\documents and settings\denise\desktop\tmlstore\tm 10.50\Fsplash.exe moved successfully.
File\Folder c:\documents and settings\denise\desktop\tmlstore\tm 10.50.zip[fsplash.exe] not found.
c:\documents and settings\denise\desktop\tmlstore\TM 10.50.zip moved successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Denise
->Temp folder emptied: 19694986 bytes
->Temporary Internet Files folder emptied: 2878935 bytes
->Java cache emptied: 10533 bytes
->Google Chrome cache emptied: 25633029 bytes
->Flash cache emptied: 497 bytes

User: LocalService
->Temp folder emptied: 65984 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Tim
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: TmlGuy
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 3736 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 46.00 mb

Restore point Set: OTL Restore Point (0)

[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: All Users

User: Default User

User: Denise
->Flash cache emptied: 0 bytes

User: LocalService
->Flash cache emptied: 0 bytes

User: NetworkService

User: Tim
->Flash cache emptied: 0 bytes

User: TmlGuy

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.14.1 log created on 09302010_130428

Files\Folders moved on Reboot...
File move failed. C:\WINDOWS\temp\_avast5_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...
  • 0

#74
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Hello TmlGuy

Congratulations, your logs are clean and another fix is in the can :D

In this post we will clear away the fix tools (this is so that, should you ever be re-infected, you will download updated versions; it will also remove the quarantined malware from your computer), reset your restore points (there will be infections lurking in there), and I will leave you with some ideas on how to enhance the protection of your machine against future infection.

====STEP 1====
Follow these steps to uninstall ComboFix and some of the tools used in the removal of malware, and to flush your system restore points:
  • Click START then RUN
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between ComboFix and the /Uninstall, it needs to be there.
  • You will be notified if combofix has been successfully removed


====STEP 2====
Double-click OTL to run it. (Vista users, please right click on OTListIt.exe and select "Run as an Administrator")
  • Click the Clean up button and let the program run
  • when prompted, click Yes to the reboot.
You can also clear away any other tools we used.



====STEP 3====
A better firewall than the Windows firewall is the Comodo firewall; it is free.

Go to Comodo Firewall + AntiVirus and hit the button to download.

During the setup process you will be given the choice to:

  • Install the Firewall as a standalone <<< select this one
  • Install the AntiVirus as a standalone
  • Install both Firewall and AntiVirus (Comodo Internet Security)
Only select the Firewall as a standalone; having more than one antivirus program on your machine will cause conflicts, use more system resources and give less protection, not more.

Remember to turn off the Windows Firewall once the Comodo firewall is up and running.


====IDEAS TO SPEED UP YOUR MACHINE====
This page http://users.telenet...owcomputer.html gives some good ideas on how to improve the efficiency of your machine and has one or two useful links to help you further.


====AND FINALLY====
The following is a list of free tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • MBAM - Malware Bytes Anti Malware is an excellent tool for anyone's antimalware arsenal. This program should be updated and run often.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  • IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Digsby or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.
  • FireFox - Alternate web browser. Open source and quick, Firefox is usually the first thing I install on a new system.
  • NoScript - Addon for Firefox that stops all scripts from running on websites. Stops malicious software from invading via flash, java, javascript, and many other entry points.
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections, you can read this article by Tony Klein.

best wishes

andrewuk
  • 0

#75
TmlGuy

    Member

  • Topic Starter
  • Member
  • 58 posts
Thank you so much. I know that multiple antivirus programs can conflict. Should I use multiple Spyware tools, or just pick one? In other words, should I install all the apps you listed above?

I also purchased PcTools Internet Security for 3 computers. Would it be any better than avast, or should I stay with Avast? On other computers that I have should I use Avast instead of PcTools?

Again, thank you for taking the time to help me out. You are doing a wonderful thing for people. I recommend GeeksToGo to anyone that asks.

Do you want to see the final combofix or otl logs?
  • 0





