Malware & Critical System Alert - Niobis, I Require Help Please

Discussion in 'Windows - Virus and spyware problems' started by rjessa, Dec 1, 2006.

  1. rjessa

    rjessa Regular member

    Joined:
    Mar 19, 2005
    Messages:
    248
    Likes Received:
    0
    Trophy Points:
    26
    I am getting pop-ups showing "Critical System Alert", "Malware Alert", etc., and also indecent pop-ups showing up intermittently when on the net. Can someone help me, please? I cannot let my kids use the system for the time being.
    Is there a way out of this?
     
  2. Niobis

    Niobis Active member

    Joined:
    Jan 30, 2005
    Messages:
    2,326
    Likes Received:
    0
    Trophy Points:
    66
    Please do not double post. You were receiving help here. Since you can't wait, ;) do the following:

    Read and follow instructions here.

    Then, please turn off [bold]TeaTimer[/bold] because it may interfere with these fixes.
    * Right-click Spybot in the [bold]System Tray[/bold].
    * Choose [bold]Exit Spybot S&D Resident[/bold].
    * Open [bold]Spybot S&D[/bold].
    * Click [bold]Mode[/bold], check [bold]Advanced Mode[/bold].
    * Go to left panel, click [bold]Tools[/bold] then, click [bold]Resident[/bold].
    * If your firewall raises a question, say [bold]OK[/bold].
    * Uncheck the box labeled [bold]Resident Tea-Timer[/bold] and [bold]OK[/bold] any prompts.
    * Use [bold]File[/bold] > [bold]Exit[/bold] to terminate Spybot.
    * Restart your computer for the changes to take effect.

    Run a scan only with HijackThis and check these (if there):

    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {06647158-359E-4D10-A8DE-E6145DA90BE9} - (no file)
    O2 - BHO: (no name) - {3FDE0CB5-619F-4227-8961-F2D7ED15B88E} - (no file)
    O2 - BHO: (no name) - {ae18da4e-be15-4925-81bb-890c04af0200} - C:\Program Files\Brain Codec\isaddon.dll
    O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
    O15 - Trusted Zone: http://linktrader.cyberspacehq.com
    O15 - Trusted Zone: http://*.symantec.com


    Close all windows except HijackThis, then click "Fix checked".

    Re-enable Tea Timer.

    Java is out of date.
    Go here and download [bold]Java Runtime Environment 5.0 Update 10[/bold].
    Uninstall all previous versions and updates of JRE via [bold]Add/Remove Programs[/bold].
    Restart and install [bold]Update 10[/bold].

    Any more problems?
     
  3. rjessa

    So sorry for the double post. What is Tea Timer & how do I turn it off?
     
  4. Niobis

    TeaTimer is a resident shield for IE that came with Spybot Search and Destroy. Turn it off by following the instructions I posted.

    Edit: by the way, I was just joking when I said "Since you can't wait". Sorry if that sounded smart... :)
     
    Last edited: Dec 1, 2006
  5. rjessa

    It's ok, I understand. I do appreciate all you are doing for us with little knowledge in these matters. I have downloaded all the s/w & now I need to follow your instructions to clean out my system. I truly hope this works.

    Thanks
     
  6. rjessa

    During my online scan using ActiveScan, there was stuff found. What happens in that instance? By the way, I continued despite that and completed the rest of the instructions. I am now in the process of downloading Java for the Windows platform.

    Any other advice to get rid of the stuff from the Activescan?

    Could you please recommend the most efficient firewall, antivirus and spam s/w?

    God Bless you and thank you.
     
  7. Niobis

    Post the ActiveScan log here along with a new HijackThis log and I will help you remove what was found.

    I will recommend some firewalls and some AVs when you're clean. :)
     
  8. rjessa

    Where will I find the ActiveScan log? Here is the HijackThis log. I did run AVG Scan after and found & deleted some more. Reran AVG a second time and it was clean. But how can I be sure?

    Logfile of HijackThis v1.99.1
    Scan saved at 8:04:37 PM, on 12/2/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
    C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
    C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
    C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
    C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
    C:\Program Files\F-Secure Internet Security\fswsclds.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
    C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\BackWeb-4476822.exe
    C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
    C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\Program Files\Outlook Express\MSIMN.EXE
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Special Utilities\HijackThis\HijackThis_v1.99.1.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:9095
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: (no name) - {06647158-359E-4D10-A8DE-E6145DA90BE9} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O2 - BHO: (no name) - {60D3AAEB-AA39-4AE0-B2F9-E4AF0613A2A3} - C:\PROGRA~1\Cosmi\SPYWAR~1\pop\ABG_PL~1.DLL
    O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB002" /M "Stylus Photo R220"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
    O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\xtras\mssysmgr.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /M "Stylus Photo R220" /EF "HKCU"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: hp psc 1000 series.lnk = ?
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
    O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
    O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1131015494414
    O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} -
    O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} -
    O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} -
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: F-Secure Internet Security 2004 (BackWeb Client - 4476822) - Unknown owner - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
    O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
    O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
    O23 - Service: F-Secure Windows Security Center Legacy Detection Service (Fswsclds) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\fswsclds.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

     
  9. Niobis

    Disable TeaTimer, instructions above ^^. If you don't disable TeaTimer, it will not allow HijackThis to fix entries.

    Then, run a scan only with HijackThis and check these:

    O2 - BHO: (no name) - {06647158-359E-4D10-A8DE-E6145DA90BE9} - (no file)
    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
    O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} -
    O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} -
    O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} -


    Close all windows except HijackThis before clicking "Fix checked".


    Then, you'll need to run ActiveScan again since you didn't save the log.
    Go here to run [bold]ActiveScan[/bold].
    Click "[bold]Panda ActiveScan[/bold]".
    Fill in the form with your information.
    After downloading, click [bold]My Computer[/bold] to scan.
    When it finishes, click "[bold]See Report[/bold]".
    Click "[bold]Save report[/bold]" and save it to the desktop.

    Post back with the ActiveScan log and a new HijackThis log.
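An added example (my code, not code from this thread or from HijackThis): a small Python triager for HijackThis v1.99 log lines that flags the entry patterns Niobis picked out in posts 2 and 9 above (O2 BHOs ending in "(no file)", O16 DPF entries with no download URL, O15 Trusted Zone additions, a missing R3 URLSearchHook) and diffs a before/after log so you can confirm "Fix checked" actually removed them. The sample logs are constructed excerpts of lines from this thread; the section regex is an assumption about the log format.

```python
"""Added example: HijackThis v1.99 log triager (not code from this thread or from HijackThis).

Two checks the thread does by hand:
  1. flag_log()        - flags the entry patterns singled out for "Fix checked"
  2. removed_between() - diffs a before/after log to confirm the entries are gone
The entry regex is an assumption about the format, based on the lines posted in the thread.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A HijackThis entry starts with a section code (R, F, N or O plus a number), then " - ".
ENTRY_RE = re.compile(r"^([RFN]\d|O\d{1,2}) - (.*)$")


@dataclass
class Entry:
    section: str  # e.g. "O2", "O16"
    body: str     # everything after "O2 - "
    raw: str      # the original line, whitespace-trimmed


def parse_log(text: str) -> List[Entry]:
    """Keep only lines that look like entries; the header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m.group(1), m.group(2), line))
    return entries


def flag_entry(e: Entry) -> Optional[str]:
    """Return a reason if the entry matches one of the thread's fix patterns, else None."""
    if e.section == "O2" and e.body.endswith("(no file)"):
        return "orphaned BHO: CLSID still registered but its DLL is gone"
    if e.section == "O16" and e.body.endswith(" -"):
        return "DPF entry with no codebase URL (ActiveX leftover)"
    if e.section == "O15":
        return "site added to the IE Trusted Zone; confirm the user put it there"
    if e.section == "R3" and "is missing" in e.body:
        return "default URLSearchHook missing (common after a partial hijacker removal)"
    return None


def flag_log(text: str) -> List[Tuple[str, str]]:
    flagged = []
    for e in parse_log(text):
        reason = flag_entry(e)
        if reason:
            flagged.append((e.raw, reason))
    return flagged


def removed_between(before: str, after: str) -> List[str]:
    """Entries present in the earlier log but absent from the later one."""
    after_raw = {e.raw for e in parse_log(after)}
    return [e.raw for e in parse_log(before) if e.raw not in after_raw]


# Constructed excerpt: a handful of lines taken from the logs posted in this thread.
SAMPLE_BEFORE = r"""
Logfile of HijackThis v1.99.1
Scan saved at 8:04:37 PM, on 12/2/2006
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06647158-359E-4D10-A8DE-E6145DA90BE9} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O15 - Trusted Zone: http://linktrader.cyberspacehq.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} -
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

# Constructed "after Fix checked" excerpt: the four flagged lines are gone, the rest unchanged.
SAMPLE_AFTER = r"""
Logfile of HijackThis v1.99.1
Scan saved at 1:51:37 AM, on 12/3/2006
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

if __name__ == "__main__":
    for raw, reason in flag_log(SAMPLE_BEFORE):
        print(f"FLAG  {raw}\n      -> {reason}")
    for raw in removed_between(SAMPLE_BEFORE, SAMPLE_AFTER):
        print(f"GONE  {raw}")
    still = flag_log(SAMPLE_AFTER)
    print("clean" if not still else f"{len(still)} flagged entries remain")
```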
     
  10. rjessa

    Here goes, I hope you can help me clear my system please.

    HijackThis log report:

    Logfile of HijackThis v1.99.1
    Scan saved at 1:51:37 AM, on 12/3/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
    C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
    C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
    C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
    C:\Program Files\F-Secure Internet Security\fswsclds.exe
    C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\BackWeb-4476822.exe
    C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
    C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    c:\program files\common files\installshield\updateservice\isuspm.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Special Utilities\HijackThis\HijackThis_v1.99.1.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:9095
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {60D3AAEB-AA39-4AE0-B2F9-E4AF0613A2A3} - C:\PROGRA~1\Cosmi\SPYWAR~1\pop\ABG_PL~1.DLL
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB002" /M "Stylus Photo R220"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
    O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\xtras\mssysmgr.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /M "Stylus Photo R220" /EF "HKCU"
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: hp psc 1000 series.lnk = ?
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
    O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
    O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1131015494414
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: F-Secure Internet Security 2004 (BackWeb Client - 4476822) - Unknown owner - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
    O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
    O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
    O23 - Service: F-Secure Windows Security Center Legacy Detection Service (Fswsclds) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\fswsclds.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe


    ActiveScan Report:


    Incident Status Location

    Adware:adware/webattaker Not disinfected c:\windows\uniq
    Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Jessa\Application Data\Mozilla\Firefox\Profiles\dvcnrmjk.default\cookies.txt[.statcounter.com/]
    Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Jessa\Application Data\Mozilla\Firefox\Profiles\dvcnrmjk.default\cookies.txt[.atdmt.com/]
    Spyware:Cookie/Virusbursters Not disinfected C:\Documents and Settings\Jessa\Application Data\Mozilla\Firefox\Profiles\dvcnrmjk.default\cookies.txt[www.virusbursters.com/]
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Jessa\Desktop\SmitfraudFix\Process.exe
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Jessa\Local Settings\Application Data\Mozilla\Firefox\Profiles\dvcnrmjk.default\Cache\633285D9d01[SmitfraudFix/Process.exe]
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Jessa\My Documents\Downloaded Files\SmitfraudFix.zip[SmitfraudFix/Process.exe]
    Possible Virus. Not disinfected C:\Documents and Settings\Jessa\My Documents\Downloaded Files\ssmda4aj.exe[run.exe][²ÜÇ\isecur.dll]
    Possible Virus. Not disinfected C:\Documents and Settings\Jessa\My Documents\Downloaded Files\ssvg7b06.exe[run.exe][²ÜÇ\isecur.dll]
    Spyware:Cookie/Qsrch Not disinfected C:\RECYCLER\NPROTECT\00000072.MOZ[.qsrch.com/]
    Spyware:Cookie/Maxserving Not disinfected C:\RECYCLER\NPROTECT\00000474.MOZ[.maxserving.com/]
    Spyware:Cookie/Peel Not disinfected C:\RECYCLER\NPROTECT\00000474.MOZ[.peel.com/]
    Spyware:Cookie/Toplist Not disinfected C:\RECYCLER\NPROTECT\00000474.MOZ[.toplist.cz/]
    Spyware:Cookie/Maxserving Not disinfected C:\RECYCLER\NPROTECT\00000477.MOZ[.maxserving.com/]
    Spyware:Cookie/Peel Not disinfected C:\RECYCLER\NPROTECT\00000477.MOZ[.peel.com/]
    Spyware:Cookie/Toplist Not disinfected C:\RECYCLER\NPROTECT\00000477.MOZ[.toplist.cz/]
    Spyware:Cookie/Belnk Not disinfected C:\RECYCLER\NPROTECT\00000478.MOZ[.belnk.com/]
    Spyware:Cookie/did-it Not disinfected C:\RECYCLER\NPROTECT\00000512.MOZ[.did-it.com/]
    Spyware:Cookie/did-it Not disinfected C:\RECYCLER\NPROTECT\00000513.MOZ[.did-it.com/]
    Spyware:Cookie/did-it Not disinfected C:\RECYCLER\NPROTECT\00000514.MOZ[.did-it.com/]
    Spyware:Cookie/did-it Not disinfected C:\RECYCLER\NPROTECT\00000515.MOZ[.did-it.com/]
    Spyware:Cookie/did-it Not disinfected C:\RECYCLER\NPROTECT\00000523.MOZ[.did-it.com/]
    Spyware:Cookie/did-it Not disinfected C:\RECYCLER\NPROTECT\00000524.MOZ[.did-it.com/]
    Spyware:Cookie/did-it Not disinfected C:\RECYCLER\NPROTECT\00000525.MOZ[.did-it.com/]
    Spyware:Cookie/did-it Not disinfected C:\RECYCLER\NPROTECT\00000526.MOZ[.did-it.com/]
    Spyware:Cookie/did-it Not disinfected C:\RECYCLER\NPROTECT\00000527.MOZ[.did-it.com/]
    Spyware:Cookie/did-it Not disinfected C:\RECYCLER\NPROTECT\00000528.MOZ[.did-it.com/]


    What next? Can you help??

    Thanks
     
  11. Niobis

    Go here and download [bold]CCleaner[/bold].
    [bold]Note[/bold]: If you do not want [bold]Yahoo! Toolbar[/bold] uncheck the option when installing.
    Open [bold]CCleaner[/bold].
    Click [bold]Options[/bold] > [bold]Advanced[/bold] > uncheck "Only delete files in Windows Temp folders older than 48 hours".
    Close all windows.
    Click Cleaner > [bold]Run Cleaner[/bold].
    Exit CCleaner.


    Delete these (if access is denied, delete them in safe mode):
    C:\WINDOWS\uniq <--folder
    C:\Documents and Settings\Jessa\My Documents\Downloaded Files\ssmda4aj.exe[run.exe][²ÜÇ\isecur.dll] <--file
    C:\Documents and Settings\Jessa\My Documents\Downloaded Files\ssvg7b06.exe[run.exe][²ÜÇ\isecur.dll] <--file

    Empty the Recycle Bin.

    Turn off [bold]System Restore[/bold].
    Right click [bold]My Computer[/bold] > [bold]Properties[/bold] > [bold]System Restore tab[/bold] > check "[bold]Turn off System Restore[/bold]".
    Click [bold]Apply[/bold], then [bold]OK[/bold].
    Restart and turn System Restore back on.


    Should be fine after that. Any problems or symptoms?


    Edit: recommended firewalls and anti-programs.

    Firewalls: (choose only one)
    Zone Alarm Free
    Agnitum Outpost Firewall
    Kerio Personal Firewall

    Remember to turn off Windows firewall if it is running.

    Anti-spyware: (you've already got Spybot so that's good, but you need one that has real-time protection)
    AVG Anti-spyware 7.5
    SpySweeper

    Anti-virus: (choose only one)
    AVG Free(or Pro)
    NOD32
    Kaspersky
    Panda

    "Anti-Adware":
    Ad-Aware SE Personal 1.06.

    Edit 2:
    Other things to keep you safe.

    McAfee Site Advisor <--must have!
    Read rav009's Free Windows' Security Guide for more free security programs.
     
    Last edited: Dec 2, 2006
  12. rjessa (Regular member)
    Can't find c:\windows\uniq

    Edit: Is it a file called uniq in the Windows folder that I am supposed to delete?

    Am going to try the others. Edit: Have done everything else. Guess I should do the restore thing again after deleting the uniq file?


     
    Last edited: Dec 2, 2006
  13. Niobis (Active member)
    Sorry, should have posted this... it's probably hidden.

    Show hidden files and folders.
    Start > Control Panel > Folder Options > View tab > check "Show hidden files and folders".
    Click Apply, then OK.

    Make sure you hide them again after removing the files and folders.
     
  14. rjessa (Regular member)
    It's the uniq file in the Windows folder that I am supposed to delete, right? It's 0 bytes. (I cannot find a uniq folder in the Windows folder.)

    Then empty the Recycle Bin.

    Uncheck the Restore option.

    Reboot

    Check restore option.

    All should be ok

    Correct???
     
    Last edited: Dec 2, 2006
  15. Niobis (Active member)
    Well, ActiveScan names it as a folder, but if it is a file, then yes delete the file.

    Empty the Recycle Bin normally, or you can also right-click and choose "Run Cleaner", which will overwrite all the files 7 times with CCleaner. :) I always 'shred' my files with CCleaner when emptying the Recycle Bin; it's just an extra security step. They can't be recovered, ever.

    Yes to all the others...
     
    Last edited: Dec 2, 2006
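The post above describes CCleaner's 'shred' as a seven-pass overwrite of what is in the Recycle Bin. As an added example (not CCleaner's code and not anything posted in this thread), here is what that mechanism looks like in Python: each pass rewrites the file in place, the fixed-pattern passes are read back and checked, and the file is renamed to a random name before it is unlinked so the directory entry does not keep the original filename. The marker bytes in `demo()` are constructed for the demonstration. One caveat a practitioner would want: an in-place overwrite only reaches the clusters the file occupies at that moment; file-system journals, System Restore snapshots and wear-levelling flash can hold older copies that this code never touches.

```python
"""Multi-pass overwrite-then-delete, the mechanism behind a Recycle Bin 'shred'.

Added example, not CCleaner's code or anything posted in the thread.
"""
import os
import secrets
import tempfile

CHUNK = 1 << 16  # 64 KiB per write


def overwrite(path: str, passes: int = 7) -> int:
    """Overwrite `path` in place `passes` times and return its size in bytes.

    Even passes write 0x00, odd passes 0xFF, and the final pass is random so
    nothing distinctive is left. Fixed-pattern passes are read back and checked.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for p in range(passes):
            last = p == passes - 1
            pattern = None if last else (b"\x00" if p % 2 == 0 else b"\xff")
            f.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                f.write(secrets.token_bytes(n) if pattern is None else pattern * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # push this pass to the device before starting the next
            if pattern is not None:
                f.seek(0)
                if f.read(size) != pattern * size:
                    raise IOError(f"verification failed on pass {p}")
    return size


def shred(path: str, passes: int = 7) -> int:
    """overwrite() the file, then remove it under a random name; returns bytes overwritten."""
    size = overwrite(path, passes)
    anon = os.path.join(os.path.dirname(path) or ".", secrets.token_hex(8))
    os.replace(path, anon)  # the original filename no longer sits in the directory entry
    os.remove(anon)
    return size


def demo() -> dict:
    """Constructed demonstration on a temp file holding a recognisable marker."""
    marker = b"tracking-cookie: did-it.com;" * 100  # 2800 bytes, constructed content
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(marker)
    overwritten = overwrite(path, passes=2)  # pass 0: zeros (verified), pass 1: random
    with open(path, "rb") as f:
        after = f.read()
    shred(path, passes=1)
    return {
        "bytes": overwritten,
        "marker_gone": len(after) == len(marker) and marker not in after,
        "deleted": not os.path.exists(path),
    }


if __name__ == "__main__":
    print(demo())
```

Run it directly to see the three checks in `demo()`: the file size overwritten, that the marker is no longer present after the passes, and that the file is gone afterwards.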
  16. rjessa (Regular member)
    Sir Niobis:

    My hats off to you, many thanks.

    How to check for a clean bill of health? I hope I have done all the checking & unchecking on my system.

    The symptoms and pop-ups that appeared 2 days ago are no longer there. I feel OK letting my young ones on the system again.

    I owe a deep gratitude to you and of course afterdawn.com for helping me in this crisis. Your knowledge is awesome, wow how can I learn this stuff?

    Out of curiosity, what happened here? Can you give me a brief synopsis?

    God Bless You. There is not enough I can say to thank you.
     
  17. Niobis (Active member)
    Not sure I understand what you're asking here.

    A strong will to learn, a lot of free time, and training at an online malware-removal university.

    Well, to tell you the truth, a fake codec was your main problem. These fake codecs are known as the Myzor trojan or Zlob; it's part of the Smitfraud family. They come from porn sites: when you try to watch a clip, a message pops up saying you need this codec to watch the clip. When the fake codec is downloaded, the files are added to the computer, which is what then prompts you with the "critical system alerts". There are a lot of variants of Myzor. It seems like there is a new one made every 2-3 days. That is the reason I wrote the guide. :) We have a new case almost every day here. Actually, Myzor is the number one most common infection going around right now.


    You're very welcome. :)

    Good luck!
     
  18. rjessa (Regular member)
    What I meant is How do I check to make sure we are clean?

    Strangely enough I never visited any porn sites (I am not into that).

    Which malware online university are you talking about? I do have the desire to learn; time is another issue.

    On a serious note how can I get good at this?

    By using the software you have recommended, it reduces the risk.

    You do this just to see the joy you bring us amateurs, and of course it's your battle against evil.

     
  19. Niobis (Active member)
    Well, you could run another online scan to get a second opinion. You could run a rootkit scan, but I don't think that's necessary. You could use WinPFind... it will show us a lot more than HijackThis, but you'll need someone to look over your log. And trust me, no one likes to look over WinPFind logs; they're very long and take a long time to look over. :)

    I think your best bet is to run another online scan. Run Kaspersky.
    Go here to run [bold]Kaspersky Online Scanner[/bold].
    After downloading, click "[bold]My Computer[/bold]" to scan.
    After scanning, click "[bold]Save report as[/bold]".
    Save as a text file on the desktop.

    If you need me to look over it, just post it here and I will. :)

    I'll PM you with a link. :)

    You mean you want to learn quickly? If so, sorry to say, but that won't happen. Any university keeps you in training a long time. Learning how to remove malware properly takes many months. I've been at this for almost a year now and I still learn something new almost every day. :)

    It just takes time, like with anything else. A HJT log probably looks like rubbish to you; well, at first they did to me too. But now I can look over the average log in under 2 minutes and tell if there is malware or not. It just takes time and a lot, I mean a lot, of researching. That's what you'll spend most of your time doing for the first 4-5 months. Searching here, searching there, searching everywhere for file after file, after file. :)

    If you really want to learn, the first thing you need to do is learn about HijackThis and how to read the log. I'll include a tutorial in the PM I send you.

    Exactly!


    Check your PM(top of page) for the links.
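The post above says that reading a HijackThis log comes down to recognising a handful of entry shapes. As an added example of that skill (not code from the thread, from HijackThis or from afterdawn), here is a small Python triage script run over constructed HJT-format lines. It applies the checks this thread's fixes rest on: a missing default URLSearchHook (R3), O2 BHO entries reported as "(no file)" or "(no name)", and O2/O4 binaries loading from outside a short allowlist of directories. The allowlist in TRUSTED_DIRS, the CLSIDs and the "Example Codec" path are assumptions made for the example, not values from the page.

```python
"""Triage a HijackThis (HJT) log for the entry types this thread deals with.

Added example, not code from the thread or from HijackThis itself. The log
lines in SAMPLE_LOG are constructed for illustration; TRUSTED_DIRS is an
assumption and would need tuning for a real machine.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption: directories in which BHO and autostart binaries are normally expected.
# A binary elsewhere is not automatically bad, only worth looking up.
TRUSTED_DIRS = ("c:/windows/system32/", "c:/program files/common files/")

# O2 - BHO: <name> - {CLSID} - <dll path or "(no file)">
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
# O4 - HKLM\..\Run: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<key>HK\w+\\\.\.\\\w+): \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")


@dataclass
class Finding:
    line: str
    reason: str


def norm(path: str) -> str:
    """Lower-case and forward-slash a Windows path so prefix checks are simple."""
    return path.strip().lower().replace("\\", "/")


def exe_from_command(cmd: str) -> str:
    """Pull the executable out of a Run-key command line (quoted or unquoted)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                    # "C:\Program Files\x\y.exe" /flag
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.*?\.exe)\b", cmd, re.I)   # unquoted path with spaces, up to .exe
    return m.group(1) if m else (cmd.split() or [cmd])[0]


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for a line worth acting on, None for a line that looks clean."""
    line = line.strip()
    if line == "R3 - Default URLSearchHook is missing":
        return Finding(line, "default URLSearchHook removed; restore it with HJT")
    m = O2_RE.match(line)
    if m:
        path = m["path"].strip()
        if path == "(no file)":
            return Finding(line, "orphaned BHO registration, its DLL is already gone; fix with HJT")
        if m["name"] == "(no name)":
            return Finding(line, f"unnamed BHO loading {path}; look up the DLL before trusting it")
        if not norm(path).startswith(TRUSTED_DIRS):
            return Finding(line, f"BHO outside trusted directories: {path}")
        return None
    m = O4_RE.match(line)
    if m:
        exe = exe_from_command(m["cmd"])
        if not norm(exe).startswith(TRUSTED_DIRS):
            return Finding(line, f"autostart binary outside trusted directories: {exe}")
    return None


def triage(log: str) -> List[Finding]:
    return [f for f in map(triage_line, log.splitlines()) if f is not None]


# Constructed sample log; the CLSIDs and the "Example Codec" directory are placeholders.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: PDF Link Helper - {11111111-1111-1111-1111-111111111111} - C:\Program Files\Common Files\Vendor\helper.dll
O2 - BHO: (no name) - {22222222-2222-2222-2222-222222222222} - (no file)
O2 - BHO: (no name) - {33333333-3333-3333-3333-333333333333} - C:\Program Files\Example Codec\isaddon.dll
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [Updater] "C:\Program Files\Example Codec\uninst.exe" /quiet
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

A hit from this script is a prompt to look the file up, not a verdict: a named BHO from a vendor directory that is not on the allowlist will be flagged too, which is exactly the research the post says takes up the first months.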
     
  20. rjessa (Regular member)
    With time I meant I have to make it. I have a fairly busy schedule. I realize good things take time to learn. You are only as good as the amount of time and effort you put into something.

    Can I ask you about a Windows firewall issue I have, or should I go to another forum? I have posted it in another forum. I cannot change the firewall settings in Windows.

     
