PhilliePhan 171 Central Scrutinizer Team Colleague

I also tried to copy & paste explorer as you instructed and was once again unsuccessful. I got a similar message to the one before, "Cannot copy explorer: Access is denied."

In the I386 folder? It wouldn't let you copy that?

Try in Safe Mode and let me know.

Also, please disable SpybotSD's Tea Timer:
http://russelltexas.com/malware/teatimer.htm

Then Reboot and run a HJT scan and post me the log. Linky below:
http://free.antivirus.com/hijackthis/


This is odd - the logs all look normal to me - perhaps I am missing something. Let's see if we can get that explorer.exe copied and then I can try to rule some things out.....


-- Before you posted here, did you attempt any other fixes or post in another forum? I saw that C:\logevent.dll where somebody might instruct you to copy it, so I'm curious.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

In addition to the step in Post #30, please do the following:

-- Run Explorer (NOT explorer.exe) and Navigate to C:\WINDOWS\ServicePackFiles\I386
-- RightClick on Explorer.exe and Copy it. Then, paste it back into the I386 folder.
You should now have a file reading Copy of explorer.exe along with explorer.exe.
Rename the Copy of explorer.exe to Kenney.exe and then Cut&Paste Kenney.exe into the C:\Windows folder.

Just leave it there for now along with the current explorer.exe in the Windows folder.
Let me know if you had any problems with this.


Lastly:
Download this new Kenney.bat

Run it and post the log for me along with the silentrunners log.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Please let me know what you think.

Well..... I did not see what I was looking for.

Let's try this:
Post me a log from SilentRunners. Instructions in linky below:
http://www.silentrunners.org/sr_scriptuse.html

My gut feeling is that this is probably something simple and I am missing it.....

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Overall it seems as though the computer is mostly clean. I just hope we can get the desktop icons and start menu back so I can stop using the task manager for everything. But overall everything you have done has worked. You've saved me a great deal of heart ache and trouble.

If you have any other things you would like for me to check, please let me know.

Hi Kenney,

I am going to be here infrequently over the weekend - so don't worry that I deserted you or anything like that..... :)

I think we can fix the Desktop & explorer issue with a little registry hacking, but I'd like you to do a few things first, just to be thorough and make sure all the proper files are present and intact after your malware battle:

1) Please run System File Checker and let me know the results. Here is an excellent linky on how to do that:
http://www.updatexp.com/scannow-sfc.html

2) Navigate to C:\Windows\explorer.exe and RENAME it to explorer.old
Now try to run that via task manager and see if it works.

3) Download Kenney.bat
-- DoubleClick on it to run it and post me the log (peek.txt) that pops up.


Let me know the results of the above and I'll try to check back as time permits.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Please let me know what you think.

Hi Kenney,

TGIF :)

That looks good, although you didn't have MBAM remove the baddies it found.
-- Run the Quick Scan again and REMOVE all that it finds and post the log for me. There is a backdoor trojan detected that I want to make sure gets removed.

Everything else looks OK - How are things running now?

I will say that you have altogether too many anti-malware apps on the machine now. We can thin those down a bit.

After you run MBAM and remove those last remnants, please do this:
• Click Start > Run
• Type or Copy&Paste Combofix /u into the Run box. (Be sure there is a space between the x and the / if you type it)
• Click OK

This will remove Combofix and its components from your machine.
It will also reset your clock, re-hide System and Hidden Files and hide File Extensions.
Last, but certainly not least, doing this will reset System Restore.


Then, please run HijackThis in Normal windows boot and post the scanlog for me along with that last MBAM Log.

Also, you can DELETE these:
C:\Win32kDiag.exe
C:\PKBTEMP


Also - I would like to check these:

C:\windows\install.dat
C:\logevent.dll

Go here ---> and use the Browse Button at the top of the page …

PhilliePhan 171 Central Scrutinizer Team Colleague

Ooops, I'm sorry, I did the full system scan. And as you can tell, it took a long time. Anyway, the logs are attached. Two logs popped up and I didn't know which would be the most useful. Please let me know what you think.

Hi Kenney,

Looking better.... Let's do this and see if we can get all the logs to show clean:

First:
REBOOT and Update MBAM and run one more Quick Scan and have it remove what it finds.

Then:
DELETE your current copy of Combofix and Download a fresh one to the Desktop. You don't need to rename it this time.
Run it in Normal Windows Boot and post me that log along with MBAM log and we'll see if we can't wrap this up.....

Be sure to do the MBAM first and then follow up with Combofix.

I'll be able to check in briefly Friday evening EST.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Happy Thursday.....
Anyway please see the attached log and let me know what you think...

Agreed! So Happy It's Thursday! ;) That's my favorite . . . Right up there with TGIF!

Anyhoo, that log looks great! A ton of nasty crap was removed.
We still have a bunch to do, though.....

Let's do this next:
Update your MBAM and run the Quick Scan in Normal Windows boot and have it remove what it finds and then post the log for me.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I thought the Thread title says, Infected computer Please Help....huhhh

Did you see anything in the HJT or MBAM logs that warrants running Combofix?

I once had a poster tell me that a virus had turned his cursor into a dinosaur......LOL! Can't always take things at face value :)

I think Brian is on point here.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Give Malwarebytes some credit - they got this corrected fairly quickly.

What bothers me is that so much of their detection and removal seems to rely on heuristics and I am seeing a ton of questionable items being removed ( read: Deleted) by this tool in many forums and the volunteers are ignoring these items.
I realize that all forums are overwhelmed and it is not worth taking the time to question these - the time is just not there + MBAM is such a valuable asset in the fight against malware.....

So, a lot of legit programs get borked or have components removed and it all gets classified as "collateral damage" to the malware infection.....

-- I should say that I have been volunteering in various forums long enough to remember when there were no such (effective) tools as MBAM - The folks at malwarebytes do a tremendous job keeping up with the latest threats and it is great to have a tool such as MBAM in the fight against malware. I am just saying that everybody should keep a keener eye on what is being removed and perhaps be a bit more selective.....

/end mini rant

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I am fairly certain at this stage that it's a F.P.

It is.

Update your MBAM to database version 2886 or later and you should have no more issues with this.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

It took a long time...so I'll just try to run it again tomorrow if you say it's ok. Let me know! Thanks!

Look for the log at C:\Combofix.txt and post it if it exists.
-- Try doing a search of the machine for Combofix / Combo-fix / Qoobox and let me know if anything shows up.

If you can't find any of those, go ahead and try to run Combofix again. Do it in Safe Mode this time and see if it saves a log...
To boot to Safe Mode, tap F8 on reboot to get the Safe Boot options. Do not use MSConfig to boot to safe mode!

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Please see the attached log. Please let me know what you think.

Well. . . . Part of what we were trying to do got done. Let's go ahead and try this next step:

If you already have Combofix on your machine, DELETE it.

Then follow the instructions in the link below to download a fresh copy of Combofix and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

What I want you to do, though, is this:
When you download it and it asks you to "Save File As," rename combofix to Combo-Fix and then download it to your Desktop as that and follow the instructions in the linky very carefully to run it and then post the combofix log for me. Be sure to install Recovery Console (if you are able to do so) and disable any other security programs or Anti-Virus programs as per the linky before running Combofix!

If it runs, post me the log.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I hope you're having a wonderful Wednesday.

It's a dank and dreary Wednesday in my neck of the woods...

We really need to get this step done before we can try any removal tools, so let's do this:

Please Download a fresh copy of Win32kDiag from a linky below and save it to your C:\Drive. (C:\Win32kDiag.exe)
http://ad13.geekstogo.com/Win32kDiag.exe
http://download.bleepingcomputer.com/rootrepeal/Win32kDiag.exe

Then, try the following command and post me the log:
"C:\win32kdiag.exe" -f -r

And we'll go from there.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Anyway, can we get back on this tomorrow? I've got a long day tomorrow. Once again thanks for your help. You're doing an excellent job helping a not so technical guy. Let me know of any other suggestions and I'll get on them first chance I get tomorrow.

I am generally around in the evening (EST). We can pick this up then.
You should probably keep this computer offline as much as possible until we finish. This baddie comes in varying degrees of difficulty and I'd hate to see it call for reinforcements.

-- I do want to see the Avenger log. Try looking at C:\avenger.txt and see if it is there.

-- Also, run that second step with win32kdiag.exe
exactly as I wrote it and post that log.

What we are attempting to do is to get your machine to a point where we can run some tools and have them complete their runs.....

Be back Wednesday evening.
PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi PP,

I get an error message when trying to post the above statement in Avenger. It says invalid script. Script must begin with a command directive.

You have to copy ALL the text in red . . . including the part that says "Files to move" or you'll get that error.

Be sure to do everything carefully and exactly as I have spelled it out. That includes putting the downloaded files where I specify, etc... Otherwise, we'll just get bogged down.
Feel free to ask any questions or let me know if I need to clarify anything - A forum setting is not the easiest for malware removal....


Try again and let me know. I'll be back on in an hour or so - need to head out for a bit.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

It finished running. It should be attached to this message. Please let me know what you think...

OK - Now we are getting somewhere.

First, please move Win32kDiag.exe to the Desktop.


Please Download The Avenger v2 by Swandog46
http://swandog46.geekstogo.com/avenger.zip

-- Extract Avenger.exe from the ZIP to your Desktop
-- Highlight the complete text in Red below and copy it using Ctrl+C or RightClick > Copy:


Files to move:
C:\WINDOWS\SYSTEM32\logevent.dll | C:\WINDOWS\SYSTEM32\eventlog.dll


-- Now, DoubleClick avenger.exe on your desktop to run it
-- Read the Warning Prompt and press OK
-- Paste the script you just copied into the textbox, using Ctrl+V or RightClick > Paste
-- Press Execute
-- Answer YES to the confirmation prompts and allow your computer to reboot.
In some cases, The Avenger will reboot your machine a second time. No worries.
-- After reboot, The Avenger should open a log – please post that for me.


THEN:

Click START > RUN and then Copy&Paste the following into the command field: "%userprofile%\desktop\win32kdiag.exe" -f -r

That should produce a log, as well. Please post it for me.

Let me know how that works and we'll go to the next step.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Ok, I was able to get a cmd prompt via the task manager. I copied the text and it says it scanned my computer. Hopefully this is a useful log. Please see below. Thanks!

Well . . . I don't think everything was extracted properly to the FindWPP folder. Either that, or it ran from the zip. Either way, it didn't run properly . . . But, no worries. I still see enough.


Let's try this:

Please Download Win32kDiag from a linky below and save it to your Desktop.
http://ad13.geekstogo.com/Win32kDiag.exe
http://download.bleepingcomputer.com/rootrepeal/Win32kDiag.exe

-- DoubleClick on Win32kDiag.exe to run it. Let it run for as long as it needs to.
-- When it says Finished – Press any key to exit, do that to exit the program.
-- You should now have a Win32kDiag.txt on your Desktop. Please post the entire log for me and we’ll go from there.

It should run - let me know if it doesn't.
Be sure to let it run until is says "Finished" before posting the log!

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

But as I said when I click on runthat.bat I get the aforementioned batch sequence. When I click on the other apps, a black screen pops up and then quickly disappears.
Thanks in advance for your help...

Happy to try to help :)

-- That is odd.
Can you get a command prompt?
Start > Run > cmd Enter
or
Start > Run > command.com Enter?

If you can get a command prompt and the FindWPP folder is on your Desktop as it should be, do this:
At the command prompt, copy&paste or type "%userprofile%\desktop\FindWPP\RunThis.bat" and hit enter.
See if it runs that way.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Thanks so much for your help on this. It's been driving me batty for a couple of days now. My log is posted below. Please let me know if there's anything else needed. I was unable to run MBA-M....it just shuts down in the middle of the scan.

Well . . . That's odd. You posted the contents of the batch file rather than the log. How did you manage that? All you need to do is DoubleClick on RunThis.bat.....

Try running it again. If using Vista, try RightClicking and Run as Administrator....

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

If someone knows of any possible solutions, I would greatly appreciate it if you let me know.

Hi Kenney,

If you are able, please follow step 8 in the linky below to run MBA-M and have it Remove what it finds. If it runs, post the log.
http://www.daniweb.com/forums/thread134865.html

Should that fail:
Please download FindWPP.zip and RightClick on FindWPP.zip and Extract the FindWPP folder to your desktop.
-- Inside the folder, you'll see RunThis.bat - DoubleClick it and let it run for as long as it takes.
A log should pop up - please post that for me.

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

FindWPP log below SP to follow

Hi Jodi,

Let's keep our fingers crossed, but that does not look nearly as bad as some of the other infections I have seen. Granted, a lot can hide from my simple batch tool, but a couple key items are not showing.

It would be best to keep this compy offline as much as we can until it is clean.

--- After running Spyware Doctor, see if you are able to install and run MalwareBytes' Anti-Malware.
Update it and do the Quick Scan and have it REMOVE all that it finds and then post that log along with the SD log.

With any luck, it will remove most of this baddie.

Let me know how you fare and any problems that crop up along the way.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

After running the SpywareDoctor do I "Fix" the files found or is there an option to remove them?

I haven't used SD in years - Whatever option it gives you to remove them, go for it. Let me know.

If you have an empty flash drive (chances are that it will get infected) I'll give you a list of tools to download and have handy. A couple will require special steps to "rename" them before you DL them:

-- http://ad13.geekstogo.com/Win32kDiag.exe

-- http://swandog46.geekstogo.com/avenger.zip

-- Go to this linky and Download Combofix (Just DL - Don't worry about anything else):
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

What I want you to do, though, is this:
When you download it and it asks you to "Save File As," rename combofix to svchost.com and then download it to your flash drive as that.

-- DDS by sUBs

-- http://download.sysinternals.com/Files/Junction.zip

-- http://download.bleepingcomputer.com/sUBs/Beta/fr33.exe

-- http://www.malwarebytes.org/mbam-download.php

Hopefully those will be all we will need. . . . Also, please keep the ill computer offline as much as possible to prevent re-infection.

Let me know when you are ready to start - I'm generally available in the evenings EST.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Tried the instructions.. ComboFix keeps saying "Rootkit is present, reboot computer"...

Did you reboot?
Reboot and see if combofix runs. It may start on its own.

Some of these tough malware can make it grind to a halt, and you just need to give it some time. 'Course, sometimes it just grinds to a halt. Period.

You have MBA-M installed, right?
Download and extract and run a fresh FindWPP.zip and post the log.

I'd like to try a few other things, too....

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I did run FindWPP and the log is posted below. I appreciate your help.
Please note that my mother thinks she may have run spyware doctor at some point recently and it detected 30 or so issues.

Happy to try to help :)
I have to say, though, that the success rate for repairing this is not great.

-- Are you able to run Spyware Doctor? If so, have it remove all it finds. Post the log.
-- Are you able to find the log from Spyware Doctor's previous run?

-- I need you to run FindWPP again. You need to RightClick on FindWPP.zip and EXTRACT the FindWPP folder from the ZIP to your desktop. Otherwise it will not run properly. Please post the new log.

-- Do you have a flash drive that you can use to transfer tools to the ill computer in the event we cannot download what we need?

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I cannot however disable system restore because the properties link is not highlighted even when logged in as administrator.
What should my next step be?

Hi Jodi,

You don't want to disable system restore before your machine has been cleaned. We usually do it After the cleaning process.

As far as WPP is concerned, it is very nasty and often the easiest and least stressful method to deal with it is a re-format and re-install of Windows.

--- If you'd like to try to clean this, please download and install MBA-M as per the sticky post (if you are able), but DO NOT RUN IT YET. If you are unable to install it, please go on to the next step.

--- Then, please download FindWPP.zip and Extract the FindWPP folder to your desktop.
-- Inside the folder, you'll see RunThis.bat - DoubleClick it and let it run for as long as it takes.
A log should pop up - please post that for me.

I will try to check back as time permits.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I ran SuperAntiSpyware since that is what I had on my comp already.
Now what? Please help

This WPP has so many different variations that it is difficult to pin down. Plus, it tends to leave your system very unstable.
Honestly, the best thing to do is Reformat and Re-install Windows.

However, if you would like to try to clean it, please do the following:
--- Post the log from SAS, if you have it.

--- Also, please download FindWPP.zip and Extract the FindWPP folder to your desktop.
-- Inside the folder, you'll see RunThis.bat - DoubleClick it and let it run for as long as it takes.
A log should pop up - please post that for me.

I am a bit overextended these days - will check back as time permits.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Here it is:

Well . . . Looks like eventlog.dll has been compromised again.....

Let's do this:

Click START > RUN > type cmd and hit OK
At the prompt Copy&Paste the complete text in Red below and hit ENTER:

Copy C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll C:\


Next, we need to repeat this step:

-- Highlight the complete text in Red below and copy it using Ctrl+C or RightClick > Copy:


Files to move:
C:\eventlog.dll | C:\WINDOWS\SYSTEM32\eventlog.dll


-- Now, DoubleClick avenger.exe on your desktop to run it
-- Read the Warning Prompt and press OK
-- Paste the script you just copied into the textbox, using Ctrl+V or RightClick > Paste
-- Press Execute
-- Answer YES to the confirmation prompts and allow your computer to reboot.
In some cases, The Avenger will reboot your machine a second time. No worries.
-- After reboot, The Avenger should open a log – please post that for me.


Then, please try this:
If you already have Combofix on your machine, DELETE it.

Then follow the instructions in the link below to download a fresh copy of Combofix and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

What I want you to do, though, is this:
When you download it and it asks you to "Save File As," rename combofix to svchost.com and then download it to your Desktop as that …

PhilliePhan 171 Central Scrutinizer Team Colleague

Don't forget the Win32kDiag log after removing the mountpoints.....

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Ok..... If you still have Combofix on your computer, DELETE it.

THEN:
Please Download The Avenger v2 by Swandog46
http://swandog46.geekstogo.com/avenger.zip

-- Extract Avenger.exe from the ZIP to your Desktop
-- Highlight the complete text in Red below and copy it using Ctrl+C or RightClick > Copy:


Files to move:
C:\WINDOWS\SYSTEM32\logevent.dll | C:\WINDOWS\SYSTEM32\eventlog.dll


-- Now, DoubleClick avenger.exe on your desktop to run it
-- Read the Warning Prompt and press OK
-- Paste the script you just copied into the textbox, using Ctrl+V or RightClick > Paste
-- Press Execute
-- Answer YES to the confirmation prompts and allow your computer to reboot.
In some cases, The Avenger will reboot your machine a second time. No worries.
-- After reboot, The Avenger should open a log – please post that for me.


THEN:

Click START > RUN and then Copy&Paste the following into the command field: "%userprofile%\desktop\win32kdiag.exe" -f -r

That should produce a log, as well. Please post it for me.

Let me know if you ran into any difficulties along the way with these instructions and we'll go from there.


PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Still letting it sit there though, is that normal?

Let it run overnight if you need to. Wait until you get the "Finished" message.

Your legit eventlog.dll has been replaced by malware and we'll need to address that. I think you have some others as well. So I really need to see a full log.

PP :)
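As an added example (not from the thread or from any tool it links), here is a small Python script that does mechanically what the helper does by eye in the posts above: hash the live eventlog.dll and compare it with the cached copies Windows XP keeps in ServicePackFiles\i386 and system32\dllcache. The Windows paths are the standard XP locations and the C: drive letter is assumed; the demo at the bottom runs against constructed temporary files so it works on any OS, and a match only shows the copies agree with each other, not that they are clean.

```python
"""Added example: hash-compare a live system DLL against the known-good
copies Windows XP keeps on disk (constructed demo data, any OS)."""
import hashlib
import os
import tempfile

# Standard XP locations (assumed drive letter C:). Real paths for a real box.
XP_LIVE_COPY = r"C:\WINDOWS\system32\eventlog.dll"
XP_REFERENCE_COPIES = [
    r"C:\WINDOWS\ServicePackFiles\i386\eventlog.dll",
    r"C:\WINDOWS\system32\dllcache\eventlog.dll",
]


def sha256_of(path):
    """Return the SHA-256 hex digest of a file, reading it in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_live_copy(live_path, reference_paths):
    """Compare the live DLL with every readable reference copy.

    Returns a dict with:
      status      'match'        live file equals every readable reference
                  'MISMATCH'     live file differs from at least one reference
                  'missing'      live file does not exist
                  'no_reference' no reference copy could be read
      live        SHA-256 of the live file (None if missing)
      references  {path: SHA-256, or None if that copy is unreadable}
    Caveat: if malware overwrote the cache as well (the reason the thread
    pulls a copy from the SoftwareDistribution download folder instead),
    all copies can agree and still be bad; 'match' is not proof of health.
    """
    result = {"live": None, "references": {}, "status": "missing"}
    if not os.path.isfile(live_path):
        return result
    result["live"] = sha256_of(live_path)

    readable = {}
    for ref in reference_paths:
        if os.path.isfile(ref):
            readable[ref] = sha256_of(ref)
        result["references"][ref] = readable.get(ref)

    if not readable:
        result["status"] = "no_reference"
    elif all(h == result["live"] for h in readable.values()):
        result["status"] = "match"
    else:
        result["status"] = "MISMATCH"
    return result


def demo():
    """Constructed scenario: clean cached copies, a tampered live copy,
    then the live copy restored from the cache. Returns both statuses."""
    with tempfile.TemporaryDirectory() as tmp:
        good = b"MZ-constructed-legit-eventlog-bytes"      # stand-in for real DLL
        bad = b"MZ-constructed-malware-replacement"        # stand-in for swap
        ref = os.path.join(tmp, "i386_eventlog.dll")
        cache = os.path.join(tmp, "dllcache_eventlog.dll")
        live = os.path.join(tmp, "system32_eventlog.dll")
        for path, data in ((ref, good), (cache, good), (live, bad)):
            with open(path, "wb") as fh:
                fh.write(data)
        tampered = check_live_copy(live, [ref, cache])["status"]
        with open(live, "wb") as fh:       # "restore" from the reference copy
            fh.write(good)
        restored = check_live_copy(live, [ref, cache])["status"]
        return tampered, restored


if __name__ == "__main__":
    before, after = demo()
    print("before restore:", before, "| after restore:", after)
    # On a real XP machine: check_live_copy(XP_LIVE_COPY, XP_REFERENCE_COPIES)
```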

PhilliePhan 171 Central Scrutinizer Team Colleague

This is what I got:
Running from: C:\Documents and Settings\Doug.BISIGNANO\My Documents\Downloads\Win32kDiag.exe

That log is incomplete - are you sure it ran until it said "finished?"
Look again and make sure you pasted the whole log.

Better yet, upload it as an attachment.

If what you posted is the entire log, I'll need you to run it again and make sure it says Finished before you post the log. There should be much more to it....

Also, you need to move Win32kDiag to the Desktop - makes it easier for me when we run it again....

Hang in there :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Oh, and ComboFix was just downloaded on my computer. No log recorded, I searched for it. I tried to run ComboFix and an error came up saying I had to restart Windows and retry installation. Should I do this?

I think you have one of the nastier variations of this malware...

Let's try this first and see where we are:

Please Download Win32kDiag from a linky below and save it to your Desktop.
http://ad13.geekstogo.com/Win32kDiag.exe
http://download.bleepingcomputer.com/rootrepeal/Win32kDiag.exe

-- DoubleClick on Win32kDiag.exe to run it. Let it run for as long as it needs to.
-- When it says Finished – Press any key to exit, do that to exit the program.
-- You should now have a Win32kDiag.txt on your Desktop. Please post the entire log for me and we’ll go from there.

Be sure to wait until it says "finished."

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Thanks for your help so far! I get this error when I followed your instructions in the previous post:

My fault - I whipped that together a bit quickly.

Try again with this one: FindWPP.zip

Post the log.


Also - When did you run Combofix? If you can find a log at C:\combofix.txt, please post that as well.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I don't know what to do.. Any help would be appreciated.

Try this:

Please download FindWPP.zip and Extract the FindWPP folder to your desktop.
-- Inside the folder, you'll see RunThis.bat - DoubleClick it and let it run for as long as it takes.
A log should pop up - please post that for me.

-- As with any program that somebody on the web tells you to run, this is a "run at your own risk" proposition...

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Being that windows only boots to wallpaper (error in explorer) etc.

-- Is this an assumption, or do you get an error message?

-- Do you have a flash drive handy? Or, better yet - are you able to burn some tools onto a CD for use on the ill computer. If so, I'll give you a list and we can go from there.

You will still need a flash drive to post the logs. Are you set up to communicate quickly - another compy handy?

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

What is it primarily used for?

It is used for downloading cracks, keygens and even more malicious crap such as USBThief . . . .

Frankly, it is poetic justice that he got infected..... ;)

PP

PhilliePhan 171 Central Scrutinizer Team Colleague

The server is MOST DEFINITELY infected, 7 out of 11 say so. But jotti uses 22 scanners, why are there only 11 showing?

They are all showing, Judy - look more closely :)

That rules out any sort of false-positive.
Frankly, MBA-M should remove this, so something is restoring it: either the drive is infected or you have an infected pen drive(s).

There are a number of different ways to attack this - I'm sure Judy or tiger86 can help you on that front.

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

See if you can upload S:\autorun.inf for analysis here: http://virusscan.jotti.org/en

Please post back with the results.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Once again thank you so much for your help. It is greatly appreciated

You're welcome, Monica :)

If all is working properly, please mark this one as solved.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

You are welcome - Happy to help :)

Everything looks OK to me. I think you are good to go - How are things working now?

--- I am still a bit worried about those files you scanned, but if they came back clean it would be best to err on the side of caution and leave them alone.

Let's remove Combofix and the files/folders it created:

-- First, change the name of Combofix back to Combofix.exe

• Click Start > Run
• Type or Copy&Paste Combofix /u into the Run box. (Be sure there is a space between the x and the / if you type it)
• Click OK

This will remove Combofix and its components from your machine.
It will also reset your clock, re-hide System and Hidden Files and hide File Extensions.
Last, but certainly not least, doing this will reset System Restore.

Let me know how things are working and if Combofix was successfully removed.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

When I went to install the malwarebytes fix a alert popped up and said that the windows Installer service could not be accessed.

I am not in safe mode so I'm not sure what the deal is with that.

Ok . . . Try this:
Download Inherit.exe and put it on the Desktop. Now, drag the MBA-M installer into inherit.exe and wait for a message that pops up and says “OK” - Then try to run it again.

If that fails, try to resolve this via the steps in the linky below and let me know how you fare:
http://support.microsoft.com/kb/315353

I'll be back Wednesday night.

PP:)

jasimp commented: Great work so far. It's refreshing to see members as dedicated as you are. +11
PhilliePhan 171 Central Scrutinizer Team Colleague

I still need to go through and delete all the WPP files, what all should I look for when deleting the files? Any ideas?

It is difficult to remove this file by file due to the rootkit components and protected registry keys.

The first step would be to try to get MBA-M to run as per the linky I posted. If it can run, do a Full Scan and have it remove all that it finds. Post the log.

If you are unable to run MBA-M, please download FindIt.zip and Extract the FindIt folder to your desktop.
-- Inside the folder, you'll see RunThis.bat - DoubleClick it and let it run. (10-20 seconds)
A log should pop up - please post that for me.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Ok I am on....not sure for how long though because the whole family is sick.

Hey - there's no rush. As long as this computer is not online, then you can take as long as you want. Doesn't bother me at all.

In fact, I am heading out the door for a bit as we speak. Let me know how those steps fared and I'll post back as soon as I can.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

but take a close look at some of the files it found....

Let's take an even closer look ;) (sorry Judy, couldn't resist....)
C:\Program Files\Windows Police Pro\tmp\images\i1.gif

And . . .If I am not mistaken, the rootkit component is a bit different this time.
I do not remember what firewall is installed, but you should make sure it monitors outgoing traffic and will alert you if malware is trying to "phone home" for reinforcements....

At this point, I think a format is called for - that way you can be sure there is nothing lingering on the machine....

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I've learned that one option is to reformat windows. I would hope this would wipe the virus away and in turn it would wipe all of my information. If I do that, would my email be clean? Or would it still be infected?

A format is always the best and easiest option in cases like these with rootkit components.

Infected emails not stored on your computer would not be affected by a format.

There are ways to attack and clean this baddie, but they would not guarantee 100% that your machine is clean, again due to rootkits...

If you want to have a go at cleaning your machine, I'm sure a volunteer would be happy to help you.

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Also, I posted on the end of another thread earlier. Most boards I usually post on encourage people to look for similar threads before starting a new one.

Most security forums prefer that you start a fresh thread - less confusion.

-- Do you have a viable System Restore point from before this infection?
If so, use it and then see if you can run MBA-M as per the step in this linky:

http://www.daniweb.com/forums/thread134865.html

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Combo Fix Log

Ok - You are making good progress.

Now:
-- Download the attached file CFScript.txt to your Desktop
-- Close ALL browser windows and then drag CFScript.txt into ComboFix.exe just like this.

-- Let Combofix run as before and post me that log.

Then:
Please download JavaRa.zip to your Desktop and Extract it to its own folder.
-- DoubleClick on JavaRa.exe to run it and then select your language of choice.
-- Click Remove Older Versions.
-- Follow the prompts and a log will pop up. You can post this if you wish - I really don't need it, though.
-- Then, please go to http://www.java.com/en/ to download and install the latest version of Java.


NEXT:
Check and see if MBA-M can be updated and will run now (in Normal Windows Boot) and, if it does, do a Full Scan and have it remove what it finds and post that log too....


Also - I do not know what these are:
c:\program files\Common Files\qyroj.dat
c:\windows\puguk.dat
c:\windows\anolod.dat
c:\windows\ewopoho.dat
c:\windows\carupy.com
c:\windows\ydaqi.dat
c:\windows\system32\ezivufely.dat
c:\program files\Common Files\potup.lib
c:\program files\Common Files\sakefifo._sy
c:\program files\Common Files\xipywixe.lib
c:\program files\Common Files\ewaloc._sy
c:\program files\Common Files\yjur.db

Go here ---> and use the Browse Button at the top of the page to navigate to each of those items …

PhilliePhan 171 Central Scrutinizer Team Colleague

here are the logs I was given

AllRightyThen! Let's now do this:

If you already have Combofix on your machine, DELETE it.

Then follow the instructions in the link below to DL a fresh copy of Combofix and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

What I want you to do, though, is this:
When you download it and it asks you to "Save File As," rename combofix to svchost.com and then download it to your desktop as that and follow the instructions in the linky very carefully to run it and then post the combofix log for me.


PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

this is the log that popped up...

OK - Let's do this next:

Please Download Win32kDiag from a linky below and save it to your Desktop. Leave it there for now.
http://ad13.geekstogo.com/Win32kDiag.exe
http://download.bleepingcomputer.com/rootrepeal/Win32kDiag.exe

Please Download The Avenger v2 by Swandog46
http://swandog46.geekstogo.com/avenger.zip

-- Extract Avenger.exe from the ZIP to your Desktop
-- Highlight the complete text in Red below and copy it using Ctrl+C or RightClick > Copy:


Files to move:
C:\WINDOWS\SYSTEM32\logevent.dll | C:\WINDOWS\SYSTEM32\eventlog.dll


-- Now, DoubleClick avenger.exe on your desktop to run it
-- Read the Warning Prompt and press OK
-- Paste the script you just copied into the textbox, using Ctrl+V or RightClick > Paste
-- Press Execute
-- Answer YES to the confirmation prompts and allow your computer to reboot.
In some cases, The Avenger will reboot your machine a second time. No worries.
-- After reboot, The Avenger should open a log – please post that for me.


THEN:

Click START > RUN and then Copy&Paste the following into the command field: "%userprofile%\desktop\win32kdiag.exe" -f -r

That should produce a log, as well. Please post it for me.

Let me know if you ran into any difficulties along the way with these instructions and we'll go from there.


PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I cannot get Hijack this to run and am stuck at this point...I need a little help!!

Please download FindIt.zip and Extract the FindIt folder to your desktop.
-- Inside the folder, you'll see RunThis.bat - DoubleClick it and let it run. (10-20 seconds)
A log should pop up - please post that for me.

PP :)