System Security 2009 (I think...) w/ HJT log...

Please use the Internet Explorer browser, and do an online scan with Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Click Accept, when prompted to download and install the program files and database of malware definitions.

• Click Run at the Security prompt.
  
• The program will then begin downloading and installing and will also update the database.
  
• Please be patient as this can take several minutes.
  
• Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  
• Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  
• Click View scan report at the bottom.
  
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
  
  **Note**
  
  To optimize scanning time and produce a more sensible report for review:
  
  
• Close any open programs.
  
• Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
  

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

Thanks for responding Origin... Below is the report from Kaspersky...


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Thursday, July 16, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Thursday, July 16, 2009 20:04:41
Records in database: 2475918
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
H:\
J:\
R:\
S:\

Scan statistics:
Files scanned: 176658
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 03:18:35


File name / Threat name / Threats count
C:\cleanup.exe Infected: Trojan.Win32.Zapchast.uy 1

The selected area was scanned.



Please let me know what's next... Thanks!

Please download the OTMoveIt by OldTimer.

• Save it to your desktop.
  
• Please double-click OTM.exe to run it.
  
• Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  
  :reg
  [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet010\Services\UACd.sys]
  
  
  
• Return to OTMoveIt, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  
• Click the red Moveit! button.
  
• Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  
• Close OTMoveIt
  

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.

Thanks for responding Origin... Here is the OTM log...

========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet010\Services\UACd.sys\ deleted successfully.

OTM by OldTimer - Version 3.0.0.5 log created on 07172009_174747

Attention Moderators: I will leave my computer on, in safe mode, awaiting any further instructions after the last actions performed - (OTM)...

Run a malwarebytes full scan and post the results back here.

Malwarebytes' Anti-Malware 1.39
Database version: 2453
Windows 5.1.2600 Service Pack 3

7/18/2009 12:26:15 AM
mbam-log-2009-07-18 (00-26-15).txt

Scan type: Full Scan (C:\|)
Objects scanned: 278343
Time elapsed: 1 hour(s), 18 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\tom white\Desktop\avenger.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\program files\WinRAR\Default.SFX (Spyware.Banker) -> Quarantined and deleted successfully.
c:\system volume information\_restore{202550a8-7a33-4bca-9586-051d24ddbf8f}\RP1186\A0127086.exe (Trojan.Banker) -> Quarantined and deleted successfully.


Attention Moderators: After Malwarebytes scan, chose remove selected, then was instructed to perform a re-boot... That is the current state of my cpu...

How is the computer running?

Origin - to be honest - over the last couple of days I have kept the computer in "safe mode" just to continue running in all of these scans. As of your last statement, I will re-boot the computer into Normal Mode and use it for a day, let my AVG8.5 run it's normal scan and report back to you.

Let me know if you needed me to do something different. Thanks again.

Ok, If you find anything strange come back here so I can see what I can do

Origin... Here are the results from the latest AVG8.5 full scan...

"Scan ""Scheduled scan"" was finished."
"No infection was found during this scan"
"Folders selected for scanning:";"Scan whole computer"
"Scan started:";"Saturday, July 18, 2009, 10:00:01 PM"
"Scan finished:";"Sunday, July 19, 2009, 12:50:58 AM (2 hour(s) 50 minute(s) 57 second(s))"
"Total object scanned:";"965977"
"User who launched the scan:";"SYSTEM"

"Warnings"
"File";"Infection";"Result"
"C:\Documents and Settings\Tom White\Cookies\tom_white@247realmedia[2].txt";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\Tom White\Cookies\tom_white@247realmedia[2].txt:\247realmedia.com.855b46d";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\Tom White\Cookies\tom_white@ad.yieldmanager[1].txt";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\Tom White\Cookies\tom_white@ad.yieldmanager[1].txt:\ad.yieldmanager.com.539b0606";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\Tom White\Cookies\tom_white@ad.yieldmanager[1].txt:\ad.yieldmanager.com.b68f2b7b";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\Tom White\Cookies\tom_white@ad.yieldmanager[1].txt:\ad.yieldmanager.com.557bf2b0";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\Tom White\Cookies\tom_white@ad.yieldmanager[1].txt:\ad.yieldmanager.com.8a47878";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\Tom White\Cookies\tom_white@ad.yieldmanager[1].txt:\ad.yieldmanager.com.ff92306";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\Tom White\Cookies\tom_white@advertising[2].txt";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\Tom White\Cookies\tom_white@advertising[2].txt:\advertising.com.1820df7a";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\Tom White\Cookies\tom_white@advertising[2].txt:\advertising.com.203aa218";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\Tom White\Cookies\tom_white@advertising[2].txt:\advertising.com.525a5fb9";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\Tom White\Cookies\tom_white@advertising[2].txt:\advertising.com.b624fa46";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\Tom White\Cookies\tom_white@advertising[2].txt:\advertising.com.f62113d5";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\Tom White\Cookies\tom_white@atdmt[1].txt";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\Tom White\Cookies\tom_white@atdmt[1].txt:\atdmt.com.7247c262";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\Tom White\Cookies\tom_white@atdmt[1].txt:\atdmt.com.74c5668";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\Tom White\Cookies\tom_white@atdmt[1].txt:\atdmt.com.9e6d7fd3";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\Tom White\Cookies\tom_white@atdmt[1].txt:\atdmt.com.b3e33b5f";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\Tom White\Cookies\tom_white@doubleclick[1].txt";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\Tom White\Cookies\tom_white@doubleclick[1].txt:\doubleclick.net.bf396750";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\Tom White\Cookies\tom_white@realmedia[1].txt";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\Tom White\Cookies\tom_white@realmedia[1].txt:\realmedia.com.855b46d";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\Tom White\Cookies\tom_white@realmedia[1].txt:\realmedia.com.94969de2";"Found ";"Moved to Virus Vault"
"C:\Documents and Settings\Tom White\Cookies\tom_white@realmedia[1].txt:\realmedia.com.ef906bac";"Found ";"Moved to Virus Vault"

Origin... Computer is working as near normal as I can tell...I am curious as to why there were almost double the number of objects scanned this time (normal mode) as compared to last time (safe mode)... I deleted all of the files in the AVG8.5 Virus Vault folder... Can I delete the "Qoobox" folder that was created during the Combofix procedure?

Are there any additional steps I should take now to prevent additional virus/spyware/malware infections? What are your thoughts on continuing to use AVG as my virus protection (my budget is limited).

I appreciate all you guys have done over the last few days, this has been quite an ordeal on my end... I have a brand new hatred for computer viruses.

Those are leftover cookies, I would keep Qoobox since it keeps the quarantined items that were deleted by ComboFix should you need them again, but you can delete it if you wish, I will give you some recommendations right now


Download ATF Cleaner

• Double-click ATF-Cleaner.exe to run the program.
  
• Click Select All found at the bottom of the list.
  
• Click the Empty Selected button.
  

If you use Firefox browser, do this also:

• Click Firefox at the top and choose Select All from the list.
  
• Click the Empty Selected button.
  
• NOTE : If you would like to keep your saved passwords, please click No at the prompt.
  

If you use Opera browser, do this also:

• Click Opera at the top and choose Select All from the list.
  
• Click the Empty Selected button.
  
• NOTE : If you would like to keep your saved passwords, please click No at the prompt.
  

Click Exit on the Main menu to close the program.



Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/
I also recommand the following add-ons for Firefox, they will help keep you safe from malicious scripts or activeX exploits.
https://addons.mozilla.org/en-US/firefox/addon/722
https://addons.mozilla.org/en-US/firefox/addon/1865
https://addons.mozilla.org/en-US/firefox/addon/433

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please considering using this free software program that will check for program updates.
Update Checker

5) Finally, consider maintaining a firewall. Some good free firewalls are Kerio, or
Outpost
A tutorial on understanding and using firewalls may be found here.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found here.

Hopefully this should take care of your problems! Good luck.